Merge commit from fork

Bekacru · claude · web-flow · commit a63eee12a1a2 · 2026-06-11T10:23:30.000-07:00
`defaultNormalizer` validated the email on the ASCII `@` before any Unicode
normalization. A character that is a homoglyph of `@` — e.g. U+FF20 FULLWIDTH
COMMERCIAL AT — passed the single-`@` check, but can be canonicalized to an
ASCII `@` by a downstream address parser (NFKC), splitting the address into
multiple recipients (CWE-180: validate before canonicalize).

Apply `String.prototype.normalize("NFKC")` before validation so any such
homoglyph becomes a real `@` and is rejected by the existing checks. Behaviour
on legitimate addresses is unchanged. Adds regression tests covering U+FF20 and
U+FE6B.

Co-authored-by: Claude Opus 4.8 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/packages/core/src/lib/actions/signin/send-token.ts b/packages/core/src/lib/actions/signin/send-token.ts
@@ -91,10 +91,16 @@ export async function sendToken(
   }
 }
 
-function defaultNormalizer(email?: string) {
+export function defaultNormalizer(email?: string) {
   if (!email) throw new Error("Missing email from request body.")
 
-  const trimmedEmail = email.toLowerCase().trim()
+  // Apply Unicode NFKC normalization *before* validation. Without this, a
+  // character that is a homoglyph of `@` (e.g. U+FF20 FULLWIDTH COMMERCIAL AT)
+  // passes the single-`@` check below, but can later be canonicalized to an
+  // ASCII `@` by a downstream address parser, splitting the address into
+  // multiple recipients. Normalizing first ensures any such homoglyph is
+  // turned into a real `@` and rejected by the checks below.
+  const trimmedEmail = email.normalize("NFKC").toLowerCase().trim()
 
   // Reject email addresses with quotes to prevent address parser confusion
   // This prevents attacks like "attacker@evil.com"@victim.com
diff --git a/packages/core/test/email-normalizer.test.ts b/packages/core/test/email-normalizer.test.ts
@@ -0,0 +1,49 @@
+import { describe, it, expect } from "vitest"
+import { defaultNormalizer } from "../src/lib/actions/signin/send-token"
+
+describe("defaultNormalizer", () => {
+  it("normalizes a valid email", () => {
+    expect(defaultNormalizer("Foo@Example.com")).toBe("foo@example.com")
+    expect(defaultNormalizer("  foo@example.com  ")).toBe("foo@example.com")
+  })
+
+  it("keeps the first domain when the domain part is comma-separated", () => {
+    expect(defaultNormalizer("foo@example.com,evil.com")).toBe(
+      "foo@example.com"
+    )
+  })
+
+  it("throws on a missing email", () => {
+    expect(() => defaultNormalizer(undefined)).toThrow()
+    expect(() => defaultNormalizer("")).toThrow()
+  })
+
+  it("rejects quotes (address parser confusion)", () => {
+    expect(() => defaultNormalizer('"foo@evil.com"@example.com')).toThrow(
+      "Invalid email address format."
+    )
+  })
+
+  it("rejects multiple ASCII @ symbols", () => {
+    expect(() => defaultNormalizer("foo@evil.com@example.com")).toThrow(
+      "Invalid email address format."
+    )
+  })
+
+  // Regression test for GHSA-7rqj-j65f-68wh:
+  // U+FF20 (FULLWIDTH COMMERCIAL AT) is a homoglyph of `@` that normalizes to
+  // ASCII `@` under NFKC. It must be canonicalized before validation so the
+  // address cannot smuggle a second `@` past the single-`@` check.
+  it("rejects a Unicode homoglyph of @ (U+FF20)", () => {
+    expect(() =>
+      defaultNormalizer("attacker@evil.com＠victim.company.com")
+    ).toThrow("Invalid email address format.")
+  })
+
+  it("rejects other fullwidth/homoglyph @ characters", () => {
+    // U+FE6B SMALL COMMERCIAL AT also normalizes to `@` under NFKC.
+    expect(() =>
+      defaultNormalizer("attacker@evil.com﹫victim.company.com")
+    ).toThrow("Invalid email address format.")
+  })
+})
