Ralph Slooten
0fb1c79f4b
Merge branch 'release/v1.30.2'
v1.30.2
2026-06-17 15:36:48 +12:00
Ralph Slooten
bf37405472
Release v1.30.2
2026-06-17 15:36:48 +12:00
Ralph Slooten
f1c325c5c3
Fix formatting
2026-06-17 15:28:20 +12:00
Ralph Slooten
66f066bd97
Chore: Update node dependencies
2026-06-17 15:25:20 +12:00
Ralph Slooten
e6c92ff267
Chore: Update Go dependencies
2026-06-17 15:24:25 +12:00
Ralph Slooten
f2089b9366
Merge branch 'bugfix/GHSA-w4mc-hhc6-xp28' into develop
2026-06-17 15:23:25 +12:00
Ralph Slooten
ba27d695c2
Chore: Update GitHub Actions dependencies
2026-06-16 21:33:45 +12:00
Ralph Slooten
a88dadbbe1
Security: Fix incomplete SSRF protection in IsInternalIP() detection for IPv6 transition mechanisms (GHSA-w4mc-hhc6-xp28)
2026-06-14 08:09:59 +12:00
Ralph Slooten
fc83f4881a
Fix: Adjust header setting order in error response functions (#699)
2026-06-13 08:46:15 +12:00
Ralph Slooten
2db18f671f
Chore: Toggle websocket compression using HTTP compression setting
2026-06-12 20:33:59 +12:00
Ralph Slooten
8747cd81f9
Chore: Compress websocket messages once per broadcast to improve performance (#695)
2026-06-11 20:09:42 +12:00
Ralph Slooten
ddfeab89d9
Merge branch 'feature/readyz' into develop
2026-06-11 16:35:35 +12:00
Ralph Slooten
1e549eab06
Test: Add readyz tests
2026-06-11 16:32:14 +12:00
Lyapunov Vadim
deeab9b04c
Feature: Add wait support to readyz (#697)
2026-06-11 16:32:10 +12:00
Ralph Slooten
78fa3db33e
Don't print allowed CORS origins when there are none (empty)
2026-06-11 16:22:24 +12:00
Ralph Slooten
a68499fa4e
Don't print allowed CORS origins when there are none (empty)
2026-05-28 22:07:29 +12:00
Ralph Slooten
5c03d89109
Merge tag 'v1.30.1' into develop
Release v1.30.1
2026-05-28 22:00:36 +12:00
Ralph Slooten
16a8f9632c
Merge branch 'release/v1.30.1'
v1.30.1
2026-05-28 22:00:31 +12:00
Ralph Slooten
84821d13f9
Release v1.30.1
2026-05-28 22:00:30 +12:00
Ralph Slooten
ed26e0a879
Chore: Update caniemail test database
2026-05-28 21:58:51 +12:00
Ralph Slooten
7ddf44822e
Chore: Update node dependencies
2026-05-28 21:58:28 +12:00
Ralph Slooten
baf06b0499
Chore: Update Go dependencies
2026-05-28 21:55:04 +12:00
Ralph Slooten
2ce675cc10
Security: Disable GitHub Actions credential persistence for checkout steps
2026-05-28 21:41:18 +12:00
Ralph Slooten
c1c98442df
Security: Do not use npm cache to prevent cache poisoning
2026-05-28 21:36:01 +12:00
Ralph Slooten
3fb1b5e59c
Chore: Update GitHub Action workflows
2026-05-28 21:28:47 +12:00
Ralph Slooten
83a183157d
Security: Pin GitHub Actions workflow versions using full commit SHA
2026-05-28 19:55:08 +12:00
Ralph Slooten
5754c821d3
Security: Extend request body size cap to all JSON API endpoints (GHSA-28pq-6qxg-wg5r)
The fix for GHSA-fpxj-m5q8-fphw only capped POST /api/v1/send.
Four sibling endpoints (SetReadStatus, DeleteMessages, SetMessageTags,
ReleaseMessage) decoded json.NewDecoder(r.Body) with no size limit,
allowing an unauthenticated attacker to drive unbounded memory growth
via a large IDs array.
Apply a 5 MB cap in middleWareFunc so all current and future API
handlers inherit it automatically. POST /api/v1/send is exempt via a
bodyLimitKey context value set in sendAPIAuthMiddleware, preserving
its existing config.MaxMessageSize (default 50 MB) limit.
Also fix TestAPIv1SendMaxMessageSize, which was broken by a Go 1.26
change: json.Decoder now wraps reader errors in *json.SyntaxError
rather than returning *http.MaxBytesError directly, causing the
errors.As check to miss it and return 400 instead of 413. Reading
the body with io.ReadAll before decoding surfaces the raw error,
restoring correct 413 behaviour on Go 1.25 and 1.26.
2026-05-28 19:41:32 +12:00
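As an added illustration of the approach this commit message describes (this is not Mailpit's code; the route paths, the tiny byte limits and every helper name other than bodyLimitKey are assumptions made for the example): a Go middleware that caps every JSON API body with http.MaxBytesReader, a per-route override carried in the request context so one route keeps a larger cap, and a handler that reads the body with io.ReadAll before decoding so an oversized request is reported as 413 rather than being wrapped into a JSON syntax error and reported as 400.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ctxKey is an unexported context key type so other packages cannot collide with it.
type ctxKey string

// bodyLimitKey carries a per-route body cap in bytes (int64). The name follows the
// commit message above; everything else in this file is a constructed example.
const bodyLimitKey ctxKey = "bodyLimit"

// withBodyLimit wraps every handler behind it with http.MaxBytesReader. A route
// that needs a different cap stores it under bodyLimitKey upstream; a limit of 0
// disables the cap for that request.
func withBodyLimit(defaultLimit int64, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		limit := defaultLimit
		if v, ok := r.Context().Value(bodyLimitKey).(int64); ok {
			limit = v
		}
		if r.Body != nil && limit > 0 {
			r.Body = http.MaxBytesReader(w, r.Body, limit)
		}
		next.ServeHTTP(w, r)
	})
}

// withRouteLimit plays the role the commit gives sendAPIAuthMiddleware: it records
// the route's own cap in the context before the generic middleware runs.
func withRouteLimit(limit int64, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ctx := context.WithValue(r.Context(), bodyLimitKey, limit)
		next.ServeHTTP(w, r.WithContext(ctx))
	})
}

// decodeIDs reads the whole body before JSON decoding so that an
// *http.MaxBytesError surfaces unwrapped and maps to 413 rather than 400.
func decodeIDs(r *http.Request) ([]string, int) {
	data, err := io.ReadAll(r.Body)
	if err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			return nil, http.StatusRequestEntityTooLarge
		}
		return nil, http.StatusBadRequest
	}
	var req struct {
		IDs []string `json:"ids"`
	}
	if err := json.Unmarshal(data, &req); err != nil {
		return nil, http.StatusBadRequest
	}
	return req.IDs, http.StatusOK
}

// idsHandler stands in for the sibling endpoints that accept an IDs array.
func idsHandler(w http.ResponseWriter, r *http.Request) {
	ids, status := decodeIDs(r)
	if status != http.StatusOK {
		http.Error(w, http.StatusText(status), status)
		return
	}
	fmt.Fprintf(w, "%d ids", len(ids))
}

// newAPI builds the router: every JSON endpoint inherits defaultLimit, while the
// hypothetical send route keeps its own sendLimit via the context value.
func newAPI(defaultLimit, sendLimit int64) http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/api/v1/delete", withBodyLimit(defaultLimit, http.HandlerFunc(idsHandler)))
	mux.Handle("/api/v1/send", withRouteLimit(sendLimit, withBodyLimit(defaultLimit, http.HandlerFunc(idsHandler))))
	return mux
}

// postJSON drives the handler with a constructed body and returns the HTTP status.
func postJSON(h http.Handler, path, body string) int {
	req := httptest.NewRequest(http.MethodPost, path, strings.NewReader(body))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	api := newAPI(64, 1024) // tiny caps so the behaviour is visible without multi-MB bodies
	big := `{"ids":["` + strings.Repeat("a", 200) + `"]}`
	fmt.Println(postJSON(api, "/api/v1/delete", `{"ids":["1","2"]}`)) // 200
	fmt.Println(postJSON(api, "/api/v1/delete", big))                 // 413
	fmt.Println(postJSON(api, "/api/v1/send", big))                   // 200
	fmt.Println(postJSON(api, "/api/v1/delete", `{"ids":`))           // 400
}
```

The cap is applied in one place and every route registered behind it inherits it, which is the property the commit is after: a new handler cannot forget the limit. Routes that legitimately need a larger body opt out explicitly through the context value rather than by bypassing the middleware.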
Ralph Slooten
fdf3cde030
Explicitly ignore errors on search text extraction
2026-05-26 16:47:55 +12:00
Ralph Slooten
24f898ac67
Chore: Change log level to Info for database vacuuming message (#688)
2026-05-26 16:46:42 +12:00
Ralph Slooten
93d2222d62
Chore: Enhance schema application logging (#688)
2026-05-24 11:40:39 +12:00
Ralph Slooten
67a7ca83ff
Update comments for clarity
Resolves #687
2026-05-20 18:01:11 +12:00
Olle Jonsson
4e150d81e4
Fix the Build & release badge (#685)
2026-05-18 20:26:54 +12:00
Ralph Slooten
2cc5168e97
Merge tag 'v1.30.0' into develop
Release v1.30.0
2026-05-14 16:59:31 +12:00
Ralph Slooten
af8756a32c
Merge branch 'release/v1.30.0'
v1.30.0
2026-05-14 16:59:29 +12:00
Ralph Slooten
a9058f40db
Release v1.30.0
2026-05-14 16:59:29 +12:00
Ralph Slooten
3b65ee936a
Chore: Update caniemail test database
2026-05-14 16:40:11 +12:00
Ralph Slooten
bb81b62357
Chore: Update node dependencies
2026-05-14 16:38:54 +12:00
Ralph Slooten
e27d30bda7
Chore: Update Go dependencies
2026-05-14 16:37:56 +12:00
Ralph Slooten
cae0f638af
Enhance sendmail functionality with message size limit and input validation
2026-05-14 16:36:27 +12:00
Ralph Slooten
786f263d32
Chore: Add message ingest max-message-size flag and refactor message handling
2026-05-14 16:24:58 +12:00
Ralph Slooten
8041eac509
Cleanup
2026-05-14 16:23:29 +12:00
Ralph Slooten
b7e4146dbf
Chore: Add message dump max-message-size flag and refactor message handling
2026-05-14 16:23:21 +12:00
Ralph Slooten
5ec074208c
Use httpClient for HTTP requests in loadIDs and saveMessages functions
2026-05-14 15:13:52 +12:00
Ralph Slooten
b82960928a
Fix typo
2026-05-14 15:13:43 +12:00
Ralph Slooten
4ab532b9aa
Security: Fix concurrent map read & write in proxy CSS rewriter (GHSA-w4vj-r5pg-3722)
2026-05-14 15:02:07 +12:00
Ralph Slooten
35079d182c
Security: Fix for path traversal & arbitrary file write in mailpit dump --http via attacker-controlled message IDs (GHSA-qx5x-85p8-vg4j)
This fix also adds HTTP data limits to prevent excessively large files being transmitted by an attacker-controlled server (fake Mailpit).
2026-05-14 15:02:07 +12:00
Ralph Slooten
04c779994b
Security: Block internal IP access by default in HTML check (GHSA-j3fj-qppj-fmmc)
This addresses an incomplete fix for GHSA-6jxm-fv7w-rw5j which did not restrict access to internal IP addresses.
2026-05-14 15:02:07 +12:00
Ralph Slooten
bcd1bc71ee
Security: Include CGNAT (Carrier-Grade NAT) in internal IP checks (GHSA-j3fj-qppj-fmmc)
CGNAT (Carrier-Grade NAT) is a technique used by ISPs to conserve IPv4 addresses. Instead of assigning a unique public IP to every customer, the ISP places many customers behind a shared NAT, then gives them all addresses from the reserved 100.64.0.0/10 range (RFC 6598) on their internal network.
This means traffic from multiple customers exits through a small pool of public IPs - a second layer of NAT on top of whatever NAT the customer's own router does (hence "double NAT").
2026-05-14 15:01:36 +12:00
Ralph Slooten
136bdde953
Security: Set a default 50MB p/m limit to prevent DoS via unlimited SMTP DATA and /api/v1/send body sizes (GHSA-fpxj-m5q8-fphw)
This is a configurable limit (in MB) which can optionally be disabled by setting it to 0.
2026-05-12 17:22:00 +12:00
Ralph Slooten
499a543963
Feature: New loading indicator, reduce flash during message transitions (#682)
2026-05-12 15:27:12 +12:00