fix: use HMAC for proxied HTML iframe content

AI-Assisted: OpenCode (Claude Haiku 4.5)
Signed-off-by: Christoph Wurst <1374172+ChristophWurst@users.noreply.github.com>

Author: ChristophWurst

lib/Controller/ProxyController.php

@@ -11,10 +11,15 @@
 namespace OCA\Mail\Controller;
 
 use Exception;
+use OCA\Mail\Html\ProxyHmacGenerator;
 use OCA\Mail\Http\ProxyDownloadResponse;
+use OCA\Mail\Service\MailManager;
 use OCP\AppFramework\Controller;
+use OCP\AppFramework\Db\DoesNotExistException;
+use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\Attribute\OpenAPI;
 use OCP\AppFramework\Http\Attribute\UserRateLimit;
+use OCP\AppFramework\Http\Response;
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\Http\Client\IClientService;
 use OCP\Http\Client\LocalServerException;
@@ -24,26 +29,36 @@
 use Psr\Http\Client\ClientExceptionInterface;
 use Psr\Log\LoggerInterface;
 use function file_get_contents;
+use function hash_equals;
 
 #[OpenAPI(scope: OpenAPI::SCOPE_IGNORE)]
 class ProxyController extends Controller {
 	private IURLGenerator $urlGenerator;
 	private ISession $session;
 	private IClientService $clientService;
 	private LoggerInterface $logger;
+	private ProxyHmacGenerator $hmacGenerator;
+	private MailManager $mailManager;
+	private ?string $userId;
 
 	public function __construct(string $appName,
 		IRequest $request,
 		IURLGenerator $urlGenerator,
 		ISession $session,
 		IClientService $clientService,
-		LoggerInterface $logger) {
+		ProxyHmacGenerator $hmacGenerator,
+		LoggerInterface $logger,
+		MailManager $mailManager,
+		?string $userId) {
 		parent::__construct($appName, $request);
 		$this->request = $request;
 		$this->urlGenerator = $urlGenerator;
 		$this->session = $session;
 		$this->clientService = $clientService;
 		$this->logger = $logger;
+		$this->hmacGenerator = $hmacGenerator;
+		$this->mailManager = $mailManager;
+		$this->userId = $userId;
 	}
 
 	/**
@@ -89,10 +104,10 @@ public function redirect(string $src): TemplateResponse {
 	 *       The caching should also already happen in a cronjob so that the sender of the
 	 *       mail does not know whether the mail has been opened.
 	 *
-	 * @return ProxyDownloadResponse
+	 * @return Response|ProxyDownloadResponse
 	 */
 	#[UserRateLimit(limit: 50, period: 60)]
-	public function proxy(string $src): ProxyDownloadResponse {
+	public function proxy(string $src, ?int $id, ?string $hmac): Response {
 		// close the session to allow parallel downloads
 		$this->session->close();
 
@@ -102,6 +117,20 @@ public function proxy(string $src): ProxyDownloadResponse {
 			return new ProxyDownloadResponse($content, $src, 'application/octet-stream');
 		}
 
+		// HMAC check
+		if ($this->userId === null || $id === null || $hmac === null) {
+			return new Response(Http::STATUS_BAD_REQUEST);
+		}
+		try {
+			$this->mailManager->getMessage($this->userId, $id);
+		} catch (DoesNotExistException $e) {
+			return new Response(Http::STATUS_BAD_REQUEST);
+		}
+		if (!hash_equals($this->hmacGenerator->generate($id, $src), $hmac)) {
+			$this->logger->info('Proxied email content blocked due to invalid HMAC');
+			return new Response(Http::STATUS_UNAUTHORIZED);
+		}
+
 		$client = $this->clientService->newClient();
 		try {
 			$response = $client->get($src);

lib/Html/ProxyHmacGenerator.php

@@ -0,0 +1,33 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Mail\Html;
+
+use OCP\IConfig;
+use OCP\Security\ICrypto;
+
+class ProxyHmacGenerator {
+
+	public function __construct(
+		private IConfig $config,
+		private ICrypto $crypto,
+	) {
+	}
+
+	public function generate(int $id, string $src): string {
+		return bin2hex($this->crypto->calculateHMAC(
+			$src,
+			implode('|', [
+				$this->config->getSystemValueString('secret'),
+				$id,
+			]),
+		));
+	}
+
+}

lib/Model/IMAPMessage.php

@@ -349,9 +349,7 @@ public function jsonSerialize() {
 	 * @return string
 	 */
 	public function getHtmlBody(int $id): string {
-		return $this->htmlService->sanitizeHtmlMailBody($this->htmlMessage, [
-			'id' => $id,
-		], function ($cid) {
+		return $this->htmlService->sanitizeHtmlMailBody($this->htmlMessage, $id, function ($cid) {
 			$match = array_filter($this->inlineAttachments,
 				static fn ($a) => $a['cid'] === $cid);
 			$match = array_shift($match);

lib/Service/Html.php

@@ -16,6 +16,7 @@
 use HTMLPurifier_HTMLDefinition;
 use HTMLPurifier_URIDefinition;
 use HTMLPurifier_URISchemeRegistry;
+use OCA\Mail\Html\ProxyHmacGenerator;
 use OCA\Mail\Service\HtmlPurify\CidURIScheme;
 use OCA\Mail\Service\HtmlPurify\TransformHTMLLinks;
 use OCA\Mail\Service\HtmlPurify\TransformImageSrc;
@@ -39,10 +40,14 @@ class Html {
 
 	/** @var IRequest */
 	private $request;
+	private ProxyHmacGenerator $hmacGenerator;
 
-	public function __construct(IURLGenerator $urlGenerator, IRequest $request) {
+	public function __construct(IURLGenerator $urlGenerator,
+		IRequest $request,
+		ProxyHmacGenerator $hmacGenerator) {
 		$this->urlGenerator = $urlGenerator;
 		$this->request = $request;
+		$this->hmacGenerator = $hmacGenerator;
 	}
 
 	/**
@@ -102,7 +107,7 @@ public function parseMailBody(string $body): array {
 		];
 	}
 
-	public function sanitizeHtmlMailBody(string $mailBody, array $messageParameters, Closure $mapCidToAttachmentId): string {
+	public function sanitizeHtmlMailBody(string $mailBody, int $id, Closure $mapCidToAttachmentId): string {
 		$config = HTMLPurifier_Config::createDefault();
 
 		// Append target="_blank" to all link (a) elements
@@ -130,7 +135,16 @@ public function sanitizeHtmlMailBody(string $mailBody, array $messageParameters,
 
 		/** @var HTMLPurifier_URIDefinition $uri */
 		$uri = $config->getDefinition('URI');
-		$uri->addFilter(new TransformURLScheme($messageParameters, $mapCidToAttachmentId, $this->urlGenerator, $this->request), $config);
+		$uri->addFilter(
+			new TransformURLScheme(
+				$id,
+				$mapCidToAttachmentId,
+				$this->urlGenerator,
+				$this->request,
+				$this->hmacGenerator,
+			),
+			$config
+		);
 
 		$uriSchemeRegistry = HTMLPurifier_URISchemeRegistry::instance();
 		$uriSchemeRegistry->register('cid', new CidURIScheme());

lib/Service/HtmlPurify/TransformURLScheme.php

@@ -15,6 +15,7 @@
 use HTMLPurifier_URI;
 use HTMLPurifier_URIFilter;
 use HTMLPurifier_URIParser;
+use OCA\Mail\Html\ProxyHmacGenerator;
 use OCP\IRequest;
 use OCP\IURLGenerator;
 
@@ -33,17 +34,20 @@ class TransformURLScheme extends HTMLPurifier_URIFilter {
 	 */
 	private $mapCidToAttachmentId;
 
-	/** @var array */
-	private $messageParameters;
+	private int $id;
 
-	public function __construct(array $messageParameters,
+	private ProxyHmacGenerator $hmacGenerator;
+
+	public function __construct(int $id,
 		Closure $mapCidToAttachmentId,
 		IURLGenerator $urlGenerator,
-		IRequest $request) {
-		$this->messageParameters = $messageParameters;
+		IRequest $request,
+		ProxyHmacGenerator $hmacGenerator) {
+		$this->id = $id;
 		$this->mapCidToAttachmentId = $mapCidToAttachmentId;
 		$this->urlGenerator = $urlGenerator;
 		$this->request = $request;
+		$this->hmacGenerator = $hmacGenerator;
 	}
 
 	/**
@@ -56,7 +60,6 @@ public function __construct(array $messageParameters,
 	 */
 	#[\Override]
 	public function filter(&$uri, $config, $context) {
-
 		if ($uri->scheme === null) {
 			$uri->scheme = 'https';
 		}
@@ -71,10 +74,14 @@ public function filter(&$uri, $config, $context) {
 			if (is_null($attachmentId)) {
 				return true;
 			}
-			$this->messageParameters['attachmentId'] = $attachmentId;
 
-			$imgUrl = $this->urlGenerator->linkToRouteAbsolute('mail.messages.downloadAttachment',
-				$this->messageParameters);
+			$imgUrl = $this->urlGenerator->linkToRouteAbsolute(
+				'mail.messages.downloadAttachment',
+				[
+					'id' => $this->id,
+					'attachmentId' => $attachmentId,
+				],
+			);
 			$parser = new HTMLPurifier_URIParser();
 			$uri = $parser->parse($imgUrl);
 		}
@@ -88,23 +95,23 @@ public function filter(&$uri, $config, $context) {
 	 * @return HTMLPurifier_URI
 	 */
 	private function filterHttpFtp(&$uri, $context) {
-		$originalURL = urlencode($uri->scheme . '://' . $uri->host);
+		$originalURL = $uri->scheme . '://' . $uri->host;
 
 		// Add the port if it's not a default port
 		if ($uri->port !== null
 			&& !($uri->scheme === 'http' && $uri->port === 80)
 			&& !($uri->scheme === 'https' && $uri->port === 443)
 			&& !($uri->scheme === 'ftp' && $uri->port === 21)) {
-			$originalURL = $originalURL . urlencode(':' . $uri->port);
+			$originalURL = $originalURL . ':' . $uri->port;
 		}
 
-		$originalURL = $originalURL . urlencode($uri->path);
+		$originalURL = $originalURL . $uri->path;
 
 		if ($uri->query !== null) {
-			$originalURL = $originalURL . urlencode('?' . $uri->query);
+			$originalURL = $originalURL . '?' . $uri->query;
 		}
 		if ($uri->fragment !== null) {
-			$originalURL = $originalURL . urlencode('#' . $uri->fragment);
+			$originalURL = $originalURL . '#' . $uri->fragment;
 		}
 
 		// Get the HTML attribute
@@ -116,12 +123,19 @@ private function filterHttpFtp(&$uri, $context) {
 			return $uri;
 		}
 
+		$proxyUrl = $this->urlGenerator->linkToRoute('mail.proxy.proxy', [
+			'id' => $this->id,
+			'hmac' => $this->hmacGenerator->generate($this->id, $originalURL),
+			'src' => $originalURL
+		]);
+		$parsedProxyUrl = parse_url($proxyUrl);
+		/** @var array{path: string, query: string} $parsedProxyUrl */
 		return new \HTMLPurifier_URI(
 			$this->request->getServerProtocol(),
 			null, $this->request->getServerHost(),
 			null,
-			$this->urlGenerator->linkToRoute('mail.proxy.proxy'),
-			'src=' . $originalURL . '&requesttoken=' . \OCP\Server::get(\OCP\ISession::class)->get('requesttoken'),
+			$parsedProxyUrl['path'],
+			$parsedProxyUrl['query'],
 			null
 		);
 	}