Commit Graph

462 Commits

Author SHA1 Message Date
Ralph Slooten
9d09cb1e28 Fix: Handle MaxBytesError in SendMessageHandler and return JSON error response 2026-06-27 21:16:30 +12:00
Ralph Slooten
c57325e475 Feature: Add link check rate limiting and caching mechanism 2026-06-25 20:30:18 +12:00
Ralph Slooten
9dbb092447 Fix: Refactor Web UI configuration definitions in Swagger documentation 2026-06-19 21:51:55 +12:00
Ralph Slooten
7da82df24d Fix: Update Swagger response definitions for MessageHeadersResponse (#703) 2026-06-19 21:45:42 +12:00
Ralph Slooten
fc83f4881a Fix: Adjust header setting order in error response functions (#699) 2026-06-13 08:46:15 +12:00
Ralph Slooten
2db18f671f Chore: Toggle websocket compression using HTTP compression setting 2026-06-12 20:33:59 +12:00
Ralph Slooten
8747cd81f9 Chore: Compress websocket messages once per broadcast to improve performance (#695) 2026-06-11 20:09:42 +12:00
Ralph Slooten
a68499fa4e Don't print allowed CORS origins when there are none (empty) 2026-05-28 22:07:29 +12:00
Ralph Slooten
5754c821d3 Security: Extend request body size cap to all JSON API endpoints (GHSA-28pq-6qxg-wg5r)
The fix for GHSA-fpxj-m5q8-fphw only capped POST /api/v1/send.
Four sibling endpoints (SetReadStatus, DeleteMessages, SetMessageTags,
ReleaseMessage) decoded json.NewDecoder(r.Body) with no size limit,
allowing an unauthenticated attacker to drive unbounded memory growth
via a large IDs array.

Apply a 5 MB cap in middleWareFunc so all current and future API
handlers inherit it automatically. POST /api/v1/send is exempt via a
bodyLimitKey context value set in sendAPIAuthMiddleware, preserving
its existing config.MaxMessageSize (default 50 MB) limit.

Also fix TestAPIv1SendMaxMessageSize, which was broken by a Go 1.26
change: json.Decoder now wraps reader errors in *json.SyntaxError
rather than returning *http.MaxBytesError directly, causing the
errors.As check to miss it and return 400 instead of 413. Reading
the body with io.ReadAll before decoding surfaces the raw error,
restoring correct 413 behaviour on Go 1.25 and 1.26.
2026-05-28 19:41:32 +12:00
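To make the mechanism described in the commit above concrete, here is an added example in Go, written for this page and not taken from Mailpit: a body-size cap applied once in a middleware so every handler behind it inherits it, a per-route exemption carried as a context value set by an outer middleware, and a decode helper that reads the body with io.ReadAll so the *http.MaxBytesError from the reader is matched by errors.As and answered with 413 rather than 400. The names defaultBodyLimit, bodyLimitKey, limitBody, withBodyLimit, idsHandler and the request path are assumptions; only the 5 MB and 50 MB figures come from the commit message.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed illustration of the approach described in the commit message;
// this is not Mailpit's code, and every name below is an assumption.

const defaultBodyLimit int64 = 5 << 20 // 5 MB cap inherited by all API handlers

type ctxKey string

const bodyLimitKey ctxKey = "bodyLimit"

// withBodyLimit is the per-route override: an outer middleware (the commit
// puts it in the send-API auth middleware) stores a larger limit in the
// request context, and the generic cap below honours it.
func withBodyLimit(next http.Handler, limit int64) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ctx := context.WithValue(r.Context(), bodyLimitKey, limit)
		next.ServeHTTP(w, r.WithContext(ctx))
	})
}

// limitBody wraps r.Body in http.MaxBytesReader so every handler behind it
// inherits the cap without each one having to remember it. A limit of 0
// disables the cap, matching the configurable behaviour in the log above.
func limitBody(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		limit := defaultBodyLimit
		if v, ok := r.Context().Value(bodyLimitKey).(int64); ok {
			limit = v
		}
		if limit > 0 {
			r.Body = http.MaxBytesReader(w, r.Body, limit)
		}
		next.ServeHTTP(w, r)
	})
}

type idsRequest struct {
	IDs []string `json:"IDs"`
}

// decodeJSON reads the whole body before unmarshalling so that the
// *http.MaxBytesError from the reader is observed directly, rather than
// wrapped inside a *json.SyntaxError by json.Decoder (the Go 1.26 change
// the commit works around). It returns the HTTP status to answer with.
func decodeJSON(r *http.Request, v any) (int, error) {
	data, err := io.ReadAll(r.Body)
	if err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			return http.StatusRequestEntityTooLarge, err
		}
		return http.StatusBadRequest, err
	}
	if err := json.Unmarshal(data, v); err != nil {
		return http.StatusBadRequest, err
	}
	return http.StatusOK, nil
}

// idsHandler stands in for the sibling endpoints that accept an IDs array.
func idsHandler(w http.ResponseWriter, r *http.Request) {
	var req idsRequest
	if status, err := decodeJSON(r, &req); err != nil {
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(status)
		_ = json.NewEncoder(w).Encode(map[string]string{"Error": err.Error()})
		return
	}
	w.WriteHeader(http.StatusOK)
}

// postJSON runs one request through a handler chain in-process and returns
// the status code, so the limits can be exercised without a listening server.
func postJSON(h http.Handler, body string) int {
	req := httptest.NewRequest(http.MethodPut, "/api/v1/messages", strings.NewReader(body))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// oversizedBody is a syntactically valid request whose single ID is n bytes.
func oversizedBody(n int) string {
	return `{"IDs":["` + strings.Repeat("a", n) + `"]}`
}

func main() {
	capped := limitBody(http.HandlerFunc(idsHandler))
	exempt := withBodyLimit(limitBody(http.HandlerFunc(idsHandler)), 50<<20)
	fmt.Println("small body on capped route:", postJSON(capped, `{"IDs":["abc"]}`))
	fmt.Println("6 MB body on capped route: ", postJSON(capped, oversizedBody(6<<20)))
	fmt.Println("6 MB body on exempt route: ", postJSON(exempt, oversizedBody(6<<20)))
}
```

The ordering matters: the override middleware must sit outside the capping one so the context value is already present when limitBody reads it, and the cap must be installed before anything touches r.Body. Reading the body in full before decoding is what keeps the 413 path stable across the Go 1.25 and 1.26 decoder behaviour the commit describes.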
Ralph Slooten
4ab532b9aa Security: Fix concurrent map read & write in proxy CSS rewriter (GHSA-w4vj-r5pg-3722) 2026-05-14 15:02:07 +12:00
Ralph Slooten
136bdde953 Security: Set a default 50MB p/m limit to prevent DoS via unlimited SMTP DATA and /api/v1/send body sizes (GHSA-fpxj-m5q8-fphw)
This is a configurable limit (in MB) which can optionally be disabled by setting it to 0.
2026-05-12 17:22:00 +12:00
Ralph Slooten
499a543963 Feature: New loading indicator, reduce flash during message transitions (#682) 2026-05-12 15:27:12 +12:00
Ralph Slooten
8b4c9d1267 Update AppAbout.vue: Enhance version notification display for stable and development builds 2026-05-10 10:41:38 +12:00
Ralph Slooten
4502cdc358 Handle error in writePump when sending ping messages 2026-05-09 17:06:14 +12:00
Ralph Slooten
fbb63c89dd Chore: Simplify writePump by using WriteMessage and remove unnecessary newline handling 2026-05-09 17:05:22 +12:00
Ralph Slooten
71bd44bbb5 Chore: Ensure websocket connection is closed on client unregistration 2026-05-09 17:02:48 +12:00
Ralph Slooten
b997fff7eb Chore: Refactor Hub to use atomic clientCount for safe concurrent client tracking 2026-05-09 17:01:47 +12:00
Ralph Slooten
10430f7dce Chore: Improve iframe height adjustment with optional chaining 2026-05-05 17:41:17 +12:00
Ralph Slooten
878c68bb49 Chore: Replace lithammer/shortuuid with custom shortuuid implementation and update tests 2026-05-05 17:09:55 +12:00
Ralph Slooten
3b2423bdf1 Chore: Remove gorilla/mux dependency and replace with stdlib routing 2026-05-05 16:47:51 +12:00
Ralph Slooten
9dd1e99f52 Fixes for eslint validation 2026-03-29 17:40:43 +13:00
Ralph Slooten
dc9b8d54b7 Security: Add sandbox attribute to message iframe for extra layer of security (already protected via CSP headers)
Note that this does not provide any additional security as such, as the CSP headers do this; however, it is another barrier when it comes to bypass attempts.
2026-03-28 08:01:51 +13:00
Ralph Slooten
b8cc1bc415 Fix typo 2026-03-26 07:47:20 +13:00
Ralph Slooten
9c2359eee5 Feature: Add filter functionality to message headers tab
This implementation is based on, and resolves, #626
2026-03-22 17:40:54 +13:00
Ralph Slooten
7b22d6a5f9 Fix: Refactor webhook delay & rate limit logic to ignore endpoint response times & prevent hardcoded 1000 message limit when set to 0 (#656) 2026-03-16 22:29:45 +13:00
Ralph Slooten
70037e96f4 Chore: Update Content-Disposition header to use inline display and escape filename 2026-03-10 12:03:35 +13:00
Ralph Slooten
140633718c Chore: Limit subject length to 100 characters in browser notifications 2026-03-10 11:31:21 +13:00
Ralph Slooten
f40911c580 Security: Escape ContentID in HTML replacement to prevent regex injection 2026-03-10 11:27:47 +13:00
Ralph Slooten
3073ef9afe Chore: Replace localStorage retrieval with a dedicated function for default release addresses 2026-03-10 11:20:33 +13:00
Ralph Slooten
804d49b7ca Chore: Set margin & padding to HTML screenshot to prevent transparent top/left border 2026-03-10 11:09:28 +13:00
Ralph Slooten
7d29dff5e7 Security: Enhance HTML sanitization in screenshot generation 2026-03-10 10:24:40 +13:00
Ralph Slooten
bc8a737d4f Chore: Simplify HTML decoding function in screenshot generation using DOMParser 2026-03-10 10:04:47 +13:00
Ralph Slooten
b99be839a0 Security: Enhance HTML sanitization in message view 2026-03-10 10:02:10 +13:00
Ralph Slooten
a72d42c8d4 Chore: Set timeout for HTTP client in webhook Send function 2026-03-09 12:34:50 +13:00
Ralph Slooten
f8052e1d56 Security: Limit proxy requests to 50MB to prevent OOM attacks 2026-03-09 12:31:17 +13:00
Ralph Slooten
267bf8b639 Security: Enhance CORS origin handling to respect host:port distinctions 2026-03-09 12:30:56 +13:00
Ralph Slooten
bb6bdf629d Chore: Refactor events websocket middleware 2026-03-09 11:20:45 +13:00
Ralph Slooten
a0a4ebb943 Chore: Refactor API send authentication logic 2026-03-09 11:08:19 +13:00
Ville Skyttä
2afc52c6fe Chore: Refactor code with go fix
Done with `go fix ./...` using go 1.26.0.
2026-03-03 16:03:28 +13:00
Ralph Slooten
7bb330a07a Chore: Use last release + git hash in Docker edge versions 2026-03-02 22:38:38 +13:00
Ralph Slooten
10ad4df8cc Security: Prevent Server-Side Request Forgery (SSRF) via Link Check API ([GHSA-mpf7-p9x7-96r3](https://github.com/axllent/mailpit/security/advisories/GHSA-mpf7-p9x7-96r3))
By default all internal HTTP requests are now blocked, unless mailpit is started with the `--allow-internal-http-requests` flag (env `MP_ALLOW_INTERNAL_HTTP_REQUESTS=true`).
2026-02-24 14:22:02 +13:00
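The commit above describes a default-deny for internal destinations with an explicit opt-in. As an added example (written for this page, not Mailpit's own implementation), here is one way to enforce that in Go at the dialer rather than on the URL string, so the check applies to the address actually connected to, after DNS resolution and on every redirect. The allowInternal parameter stands in for the flag named in the commit message; isInternalIP, dialControl, newLinkCheckClient and checkLink are names chosen here, and the timeouts are illustrative.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"syscall"
	"time"
)

// Constructed illustration of a default-deny for internal destinations; not
// Mailpit's code. The allowInternal parameter stands in for the opt-in flag
// named in the commit message.

var errInternalBlocked = errors.New("link check: request to internal address blocked")

// isInternalIP reports whether ip is an address an outbound link check should
// not reach by default: loopback, RFC 1918 and IPv6 ULA private ranges,
// link-local (which covers the 169.254.169.254 cloud metadata endpoint),
// unspecified and multicast addresses.
func isInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// dialControl is the check itself. Installed as net.Dialer.Control it runs on
// the address actually being connected to, after DNS resolution and again on
// every redirect, so a hostname that resolves to 127.0.0.1 or is re-pointed
// between a pre-check and the connect is still refused.
func dialControl(allowInternal bool) func(network, address string, c syscall.RawConn) error {
	return func(_ string, address string, _ syscall.RawConn) error {
		if allowInternal {
			return nil
		}
		host, _, err := net.SplitHostPort(address)
		if err != nil {
			return err
		}
		ip := net.ParseIP(host)
		if ip == nil || isInternalIP(ip) {
			return errInternalBlocked
		}
		return nil
	}
}

// newLinkCheckClient builds an http.Client for link checks whose transport
// enforces dialControl. Timeouts are set so a slow or silent target cannot
// hold a worker indefinitely.
func newLinkCheckClient(allowInternal bool) *http.Client {
	dialer := &net.Dialer{Timeout: 10 * time.Second, Control: dialControl(allowInternal)}
	return &http.Client{
		Timeout:   15 * time.Second,
		Transport: &http.Transport{DialContext: dialer.DialContext},
	}
}

// checkLink performs the HEAD probe a link checker would make and reports
// whether the request was refused by the internal-address guard.
func checkLink(client *http.Client, rawURL string) (status int, blocked bool, err error) {
	resp, err := client.Head(rawURL)
	if err != nil {
		return 0, errors.Is(err, errInternalBlocked), err
	}
	resp.Body.Close()
	return resp.StatusCode, false, nil
}

func main() {
	// A loopback test server stands in for an internal service that a crafted
	// message link might point at.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()

	_, blocked, err := checkLink(newLinkCheckClient(false), srv.URL)
	fmt.Println("default:       blocked =", blocked, "err =", err)

	status, blocked, _ := checkLink(newLinkCheckClient(true), srv.URL)
	fmt.Println("allowInternal: blocked =", blocked, "status =", status)
}
```

Checking at dial time rather than only parsing the URL up front is the part worth keeping: a hostname check alone can be bypassed by a name that resolves to an internal address, by a redirect from a public host, or by a record that changes between the check and the connection.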
Ralph Slooten
08ed46fc46 Use const instead of let 2026-02-21 22:43:51 +13:00
Ralph Slooten
c8caa29e24 Fix: Enable "Mark all read" button (Inbox) when new message is received 2026-02-09 15:38:11 +13:00
Ralph Slooten
7d314d2b50 Chore: Add CORS error logging and update error messages for failed CORS requests 2026-02-08 11:19:54 +13:00
Ralph Slooten
9d2f30787a Fix spelling 2026-02-08 11:17:17 +13:00
Ralph Slooten
e6fd638067 Detect if copy to clipboard is supported 2026-02-01 16:09:49 +13:00
Ralph Slooten
e2b1b2d0fe Code cleanup 2026-02-01 15:58:31 +13:00
Ralph Slooten
9b4ec97483 Minor UI tweaks 2026-02-01 15:44:13 +13:00
Ralph Slooten
dd74d46880 Feature: Option to display/hide attachment information in message view in web UI including checksums, content type & disposition
Resolves #625
2026-02-01 15:34:06 +13:00
Ralph Slooten
0bfbb4cc5f Feature: Include message attachment checksums (MD5, SHA1 & SHA256) in API message summary 2026-02-01 15:34:05 +13:00