Ignore spoofable Reply-To address in Service Desk

Service Desk allows creating issues by sending an email to a special address. Previously, the issue author email was taken from the Reply-To email header, if present. The problem is that Reply-To is easily spoofed even in common email clients like Gmail. We therefore ignore it, and use the From address instead. Changelog: security

Ignore spoofable Reply-To address in Service Desk
Service Desk allows creating issues by sending an email to a special address. Previously, the issue author email was taken from the Reply-To email header, if present. The problem is that Reply-To is easily spoofed even in common email clients like Gmail. We therefore ignore it, and use the From address instead. Changelog: security
1be6d168 · Magdalena Frankiewicz · f97bd34f · 1be6d168 · 1be6d168 · 1be6d168
Commit 1be6d168 authored Feb 01, 2022 by Magdalena Frankiewicz
3 changed files
--- a/lib/gitlab/email/handler/service_desk_handler.rb
+++ b/lib/gitlab/email/handler/service_desk_handler.rb
@@ -177,7 +177,7 @@ module Gitlab
        end

        def from_address
-          (mail.reply_to || []).first || mail.from.first || mail.sender
+          mail.from.first || mail.sender
        end

        def can_handle_legacy_format?

--- a/spec/fixtures/emails/service_desk_reply_to_sender_and_from.eml
+++ b/spec/fixtures/emails/service_desk_reply_to_sender_and_from.eml
+Delivered-To: incoming+email-test-project_id-issue-@appmail.adventuretime.ooo
+Return-Path: <jake@adventuretime.ooo>
+Received: from iceking.adventuretime.ooo ([unix socket]) by iceking (Cyrus v2.2.13-Debian-2.2.13-19+squeeze3) with LMTPA; Thu, 13 Jun 2013 17:03:50 -0400
+Received: from mail-ie0-x234.google.com (mail-ie0-x234.google.com [IPv6:2607:f8b0:4001:c03::234]) by iceking.adventuretime.ooo (8.14.3/8.14.3/Debian-9.4) with ESMTP id r5DL3nFJ016967 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NOT) for <incoming+gitlabhq/gitlabhq@appmail.adventuretime.ooo>; Thu, 13 Jun 2013 17:03:50 -0400
+Received: by mail-ie0-f180.google.com with SMTP id f4so21977375iea.25 for <incoming+email-test-project_id-issue-@appmail.adventuretime.ooo>; Thu, 13 Jun 2013 14:03:48 -0700
+Received: by 10.0.0.1 with HTTP; Thu, 13 Jun 2013 14:03:48 -0700
+Date: Thu, 13 Jun 2013 17:03:48 -0400
+From: Finn the Human <finn@adventuretime.ooo>
+Reply-To: Finn the Hooman <hooman@adventuretime.ooo>
+Sender: Jake the Dog <jake@adventuretime.ooo>
+To: support@adventuretime.ooo
+Delivered-To: support@adventuretime.ooo
+Message-ID: <CADkmRc+rNGAGGbV2iE5p918UVy4UyJqVcXRO2=otppgzduJSg@mail.gmail.com>
+Subject: The message subject! @all
+Mime-Version: 1.0
+Content-Type: text/plain;
+ charset=ISO-8859-1
+Content-Transfer-Encoding: 7bit
+X-Sieve: CMU Sieve 2.2
+X-Received: by 10.0.0.1 with SMTP id n7mr11234144ipb.85.1371157428600; Thu,
+ 13 Jun 2013 14:03:48 -0700 (PDT)
+X-Scanned-By: MIMEDefang 2.69 on IPv6:2001:470:1d:165::1
+
+Service desk stuff!
+
+```
+a = b
+```
--- a/spec/lib/gitlab/email/handler/service_desk_handler_spec.rb
+++ b/spec/lib/gitlab/email/handler/service_desk_handler_spec.rb
@@ -478,6 +478,20 @@ RSpec.describe Gitlab::Email::Handler::ServiceDeskHandler do
      end
    end

+    context 'when there is a reply-to address, a sender address, and a from address' do
+      let(:email_raw) { email_fixture('emails/service_desk_reply_to_sender_and_from.eml') }
+
+      it 'ignores the reply-to and prefers the from address' do
+        setup_attachment
+
+        expect { receiver.execute }.to change { Issue.count }.by(1)
+
+        new_issue = Issue.last
+
+        expect(new_issue.external_author).to eq('finn@adventuretime.ooo')
+      end
+    end
+
    context 'when service desk is not enabled for project' do
      before do
        allow(Gitlab::ServiceDesk).to receive(:enabled?).and_return(false)