test(smtp): add custom header security coverage ⬜

NeaByteLab · NeaByteLab · commit 8057743e523f · 2026-03-24T22:14:25.000+07:00
- Add acceptance test for safe custom headers
- Add rejection tests for invalid names and CRLF header injection
- Add rejection tests for reserved header overrides including mixed-case names
diff --git a/tests/smtp/Message.test.ts b/tests/smtp/Message.test.ts
@@ -7,6 +7,21 @@ const smtpMessage = new SMTP.SmtpMessage({
   secure: false
 })
 
+Deno.test('SmtpMessage accepts safe custom headers', () => {
+  const formattedMessage = smtpMessage.formatMessage({
+    from: 'sender@example.com',
+    to: 'receiver@example.com',
+    subject: 'Header',
+    text: 'body',
+    headers: {
+      'X-Security-Test': 'safe-value',
+      'X-Trace_Id': 'trace-123'
+    }
+  })
+  assertMatch(formattedMessage, /X-Security-Test: safe-value/)
+  assertMatch(formattedMessage, /X-Trace_Id: trace-123/)
+})
+
 Deno.test('SmtpMessage formats multipart html and text', () => {
   const formattedMessage = smtpMessage.formatMessage({
     from: 'sender@example.com',
@@ -32,6 +47,108 @@ Deno.test('SmtpMessage formats plain text message', () => {
   assertMatch(formattedMessage, /hello/)
 })
 
+Deno.test('SmtpMessage rejects custom header names with invalid characters', () => {
+  assertThrows(
+    () =>
+      smtpMessage.formatMessage({
+        from: 'sender@example.com',
+        to: 'receiver@example.com',
+        subject: 'Header',
+        text: 'body',
+        headers: {
+          'Bad Header': 'value'
+        }
+      }),
+    Error,
+    'contains invalid characters'
+  )
+})
+
+Deno.test('SmtpMessage rejects custom header names with line breaks', () => {
+  assertThrows(
+    () =>
+      smtpMessage.formatMessage({
+        from: 'sender@example.com',
+        to: 'receiver@example.com',
+        subject: 'Header',
+        text: 'body',
+        headers: {
+          'X-Test\r\nBcc': 'value'
+        }
+      }),
+    Error,
+    'contains invalid characters'
+  )
+})
+
+Deno.test('SmtpMessage rejects custom header values with line breaks', () => {
+  assertThrows(
+    () =>
+      smtpMessage.formatMessage({
+        from: 'sender@example.com',
+        to: 'receiver@example.com',
+        subject: 'Header',
+        text: 'body',
+        headers: {
+          'X-Test': 'ok\r\nBcc: victim@example.com'
+        }
+      }),
+    Error,
+    'value contains line break characters'
+  )
+})
+
+Deno.test('SmtpMessage rejects empty custom header names', () => {
+  assertThrows(
+    () =>
+      smtpMessage.formatMessage({
+        from: 'sender@example.com',
+        to: 'receiver@example.com',
+        subject: 'Header',
+        text: 'body',
+        headers: {
+          '   ': 'value'
+        }
+      }),
+    Error,
+    'name cannot be empty'
+  )
+})
+
+Deno.test('SmtpMessage rejects reserved custom header names', () => {
+  assertThrows(
+    () =>
+      smtpMessage.formatMessage({
+        from: 'sender@example.com',
+        to: 'receiver@example.com',
+        subject: 'Header',
+        text: 'body',
+        headers: {
+          Subject: 'Injected subject'
+        }
+      }),
+    Error,
+    'reserved and cannot be overridden'
+  )
+})
+
+Deno.test('SmtpMessage rejects reserved headers case-insensitively', () => {
+  assertThrows(
+    () =>
+      smtpMessage.formatMessage({
+        from: 'sender@example.com',
+        to: 'receiver@example.com',
+        subject: 'Header',
+        text: 'body',
+        headers: {
+          'mImE-vErSiOn': '2.0'
+        }
+      }),
+    Error,
+    'reserved and cannot be overridden'
+  )
+})
+
 Deno.test('SmtpMessage throws when embedded cid is invalid', () => {
   assertThrows(
     () =>
