Require email domains end in a IANA suffix (#4037)

2019-01-28 17:05:58 -08:00 · 2019-01-28 17:05:58 -08:00 · 3129c57bb8
parent fb7b60f42c
commit 3129c57bb8
7 changed files with 117 additions and 91 deletions
--- a/iana/iana.go
+++ b/iana/iana.go
@ -0,0 +1,32 @@
+package iana
+
+import (
+	"fmt"
+
+	"github.com/weppos/publicsuffix-go/publicsuffix"
+)
+
+// ExtractSuffix returns the public suffix of the domain using only the "ICANN"
+// section of the Public Suffix List database.
+// If the domain does not end in a suffix that belongs to an IANA-assigned
+// domain, ExtractSuffix returns an error.
+func ExtractSuffix(name string) (string, error) {
+	if name == "" {
+		return "", fmt.Errorf("Blank name argument passed to ExtractSuffix")
+	}
+
+	rule := publicsuffix.DefaultList.Find(name, &publicsuffix.FindOptions{IgnorePrivate: true, DefaultRule: nil})
+	if rule == nil {
+		return "", fmt.Errorf("Domain %s has no IANA TLD", name)
+	}
+
+	suffix := rule.Decompose(name)[1]
+
+	// If the TLD is empty, it means name is actually a suffix.
+	// In fact, decompose returns an array of empty strings in this case.
+	if suffix == "" {
+		suffix = name
+	}
+
+	return suffix, nil
+}
--- a/iana/iana_test.go
+++ b/iana/iana_test.go
@ -0,0 +1,65 @@
+package iana
+
+import "testing"
+
+func TestExtractSuffix_Valid(t *testing.T) {
+	testCases := []struct {
+		domain, want string
+	}{
+		// TLD with only 1 rule.
+		{"biz", "biz"},
+		{"domain.biz", "biz"},
+		{"b.domain.biz", "biz"},
+
+		// The relevant {kobe,kyoto}.jp rules are:
+		// jp
+		// *.kobe.jp
+		// !city.kobe.jp
+		// kyoto.jp
+		// ide.kyoto.jp
+		{"jp", "jp"},
+		{"kobe.jp", "jp"},
+		{"c.kobe.jp", "c.kobe.jp"},
+		{"b.c.kobe.jp", "c.kobe.jp"},
+		{"a.b.c.kobe.jp", "c.kobe.jp"},
+		{"city.kobe.jp", "kobe.jp"},
+		{"www.city.kobe.jp", "kobe.jp"},
+		{"kyoto.jp", "kyoto.jp"},
+		{"test.kyoto.jp", "kyoto.jp"},
+		{"ide.kyoto.jp", "ide.kyoto.jp"},
+		{"b.ide.kyoto.jp", "ide.kyoto.jp"},
+		{"a.b.ide.kyoto.jp", "ide.kyoto.jp"},
+
+		// Domain with a private public suffix should return the ICANN public suffix.
+		{"foo.compute-1.amazonaws.com", "com"},
+		// Domain equal to a private public suffix should return the ICANN public
+		// suffix.
+		{"cloudapp.net", "net"},
+	}
+
+	for _, tc := range testCases {
+		got, err := ExtractSuffix(tc.domain)
+		if err != nil {
+			t.Errorf("%q: returned error", tc.domain)
+			continue
+		}
+		if got != tc.want {
+			t.Errorf("%q: got %q, want %q", tc.domain, got, tc.want)
+		}
+	}
+}
+
+func TestExtractSuffix_Invalid(t *testing.T) {
+	testCases := []string{
+		"",
+		"example",
+		"example.example",
+	}
+
+	for _, tc := range testCases {
+		_, err := ExtractSuffix(tc)
+		if err == nil {
+			t.Errorf("%q: expected err, got none", tc)
+		}
+	}
+}
--- a/policy/pa.go
+++ b/policy/pa.go
@ -11,13 +11,13 @@ import (
 	"strings"
 	"sync"

-	"github.com/weppos/publicsuffix-go/publicsuffix"
 	"golang.org/x/net/idna"
 	"golang.org/x/text/unicode/norm"

 	"github.com/letsencrypt/boulder/core"
 	berrors "github.com/letsencrypt/boulder/errors"
 	"github.com/letsencrypt/boulder/features"
+	"github.com/letsencrypt/boulder/iana"
 	blog "github.com/letsencrypt/boulder/log"
 	"github.com/letsencrypt/boulder/reloader"
 )
@ -289,7 +289,7 @@ func (pa *AuthorityImpl) WillingToIssue(id core.AcmeIdentifier) error {
 	}

 	// Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD.
-	icannTLD, err := extractDomainIANASuffix(domain)
+	icannTLD, err := iana.ExtractSuffix(domain)
 	if err != nil {
 		return errNonPublic
 	}
@ -342,7 +342,7 @@ func (pa *AuthorityImpl) WillingToIssueWildcard(ident core.AcmeIdentifier) error
 		// The base domain is the wildcard request with the `*.` prefix removed
 		baseDomain := strings.TrimPrefix(rawDomain, "*.")
 		// Names must end in an ICANN TLD, but they must not be equal to an ICANN TLD.
-		icannTLD, err := extractDomainIANASuffix(baseDomain)
+		icannTLD, err := iana.ExtractSuffix(baseDomain)
 		if err != nil {
 			return errNonPublic
 		}
@ -481,31 +481,6 @@ func (pa *AuthorityImpl) ChallengesFor(identifier core.AcmeIdentifier, regID int
 	return shuffled, shuffledCombos, nil
 }

-// ExtractDomainIANASuffix returns the public suffix of the domain using only the "ICANN"
-// section of the Public Suffix List database.
-// If the domain does not end in a suffix that belongs to an IANA-assigned
-// domain, ExtractDomainIANASuffix returns an error.
-func extractDomainIANASuffix(name string) (string, error) {
-	if name == "" {
-		return "", fmt.Errorf("Blank name argument passed to ExtractDomainIANASuffix")
-	}
-
-	rule := publicsuffix.DefaultList.Find(name, &publicsuffix.FindOptions{IgnorePrivate: true, DefaultRule: nil})
-	if rule == nil {
-		return "", fmt.Errorf("Domain %s has no IANA TLD", name)
-	}
-
-	suffix := rule.Decompose(name)[1]
-
-	// If the TLD is empty, it means name is actually a suffix.
-	// In fact, decompose returns an array of empty strings in this case.
-	if suffix == "" {
-		suffix = name
-	}
-
-	return suffix, nil
-}
-
 // ChallengeTypeEnabled returns whether the specified challenge type is enabled
 func (pa *AuthorityImpl) ChallengeTypeEnabled(t string, regID int64) bool {
 	pa.blacklistMu.RLock()
--- a/policy/pa_test.go
+++ b/policy/pa_test.go
@ -401,68 +401,6 @@ func TestChallengesForWildcard(t *testing.T) {
 	test.AssertEquals(t, challenges[0].Type, core.ChallengeTypeDNS01)
 }

-func TestExtractDomainIANASuffix_Valid(t *testing.T) {
-	testCases := []struct {
-		domain, want string
-	}{
-		// TLD with only 1 rule.
-		{"biz", "biz"},
-		{"domain.biz", "biz"},
-		{"b.domain.biz", "biz"},
-
-		// The relevant {kobe,kyoto}.jp rules are:
-		// jp
-		// *.kobe.jp
-		// !city.kobe.jp
-		// kyoto.jp
-		// ide.kyoto.jp
-		{"jp", "jp"},
-		{"kobe.jp", "jp"},
-		{"c.kobe.jp", "c.kobe.jp"},
-		{"b.c.kobe.jp", "c.kobe.jp"},
-		{"a.b.c.kobe.jp", "c.kobe.jp"},
-		{"city.kobe.jp", "kobe.jp"},
-		{"www.city.kobe.jp", "kobe.jp"},
-		{"kyoto.jp", "kyoto.jp"},
-		{"test.kyoto.jp", "kyoto.jp"},
-		{"ide.kyoto.jp", "ide.kyoto.jp"},
-		{"b.ide.kyoto.jp", "ide.kyoto.jp"},
-		{"a.b.ide.kyoto.jp", "ide.kyoto.jp"},
-
-		// Domain with a private public suffix should return the ICANN public suffix.
-		{"foo.compute-1.amazonaws.com", "com"},
-		// Domain equal to a private public suffix should return the ICANN public
-		// suffix.
-		{"cloudapp.net", "net"},
-	}
-
-	for _, tc := range testCases {
-		got, err := extractDomainIANASuffix(tc.domain)
-		if err != nil {
-			t.Errorf("%q: returned error", tc.domain)
-			continue
-		}
-		if got != tc.want {
-			t.Errorf("%q: got %q, want %q", tc.domain, got, tc.want)
-		}
-	}
-}
-
-func TestExtractDomainIANASuffix_Invalid(t *testing.T) {
-	testCases := []string{
-		"",
-		"example",
-		"example.example",
-	}
-
-	for _, tc := range testCases {
-		_, err := extractDomainIANASuffix(tc)
-		if err == nil {
-			t.Errorf("%q: expected err, got none", tc)
-		}
-	}
-}
-
 // TestMalformedExactBlacklist tests that loading a JSON policy file with an
 // invalid exact blacklist entry will fail as expected.
 func TestMalformedExactBlacklist(t *testing.T) {
--- a/ra/ra.go
+++ b/ra/ra.go
@ -23,6 +23,7 @@ import (
 	"github.com/letsencrypt/boulder/features"
 	"github.com/letsencrypt/boulder/goodkey"
 	bgrpc "github.com/letsencrypt/boulder/grpc"
+	"github.com/letsencrypt/boulder/iana"
 	blog "github.com/letsencrypt/boulder/log"
 	"github.com/letsencrypt/boulder/metrics"
 	"github.com/letsencrypt/boulder/probs"
@ -385,6 +386,9 @@ func validateEmail(address string) error {
 			"invalid contact domain. Contact emails @%s are forbidden",
 			domain)
 	}
+	if _, err := iana.ExtractSuffix(domain); err != nil {
+		return berrors.InvalidEmailError("email domain name does not end in a IANA suffix")
+	}
 	return nil
 }

--- a/ra/ra_test.go
+++ b/ra/ra_test.go
@ -365,6 +365,18 @@ func TestValidateContacts(t *testing.T) {

 	err = ra.validateContacts(context.Background(), &[]string{forbidden})
 	test.AssertError(t, err, "Forbidden email")
+
+	err = ra.validateContacts(context.Background(), &[]string{"mailto:admin@localhost"})
+	test.AssertError(t, err, "Forbidden email")
+
+	err = ra.validateContacts(context.Background(), &[]string{"mailto:admin@example.not.a.iana.suffix"})
+	test.AssertError(t, err, "Forbidden email")
+
+	err = ra.validateContacts(context.Background(), &[]string{"mailto:admin@1.2.3.4"})
+	test.AssertError(t, err, "Forbidden email")
+
+	err = ra.validateContacts(context.Background(), &[]string{"mailto:admin@[1.2.3.4]"})
+	test.AssertError(t, err, "Forbidden email")
 }

 func TestNewRegistration(t *testing.T) {
--- a/test/integration-test.py
+++ b/test/integration-test.py
@ -418,7 +418,7 @@ def random_domain():
    return "rand.%x.xyz" % random.randrange(2**32)

 def test_expiration_mailer():
-    email_addr = "integration.%x@boulder" % random.randrange(2**16)
+    email_addr = "integration.%x@letsencrypt.org" % random.randrange(2**16)
    cert, _ = auth_and_issue([random_domain()], email=email_addr)
    # Check that the expiration mailer sends a reminder
    expiry = datetime.datetime.strptime(cert.body.get_notAfter(), '%Y%m%d%H%M%SZ')