
nodemailer security vulnerability #4339

Closed
srihakum opened this issue Nov 17, 2020 · 4 comments

Comments

srihakum commented Nov 17, 2020

The version of the node module nodemailer is quite old and affected by the security vulnerability mentioned below. A fix is required on LoopBack 3 as well.

CVE-2020-7769:
This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.

Scanning the latest shows that we're pulling in [email protected], which is older than recommended! Looking at the code in that old version (https://github.com/nodemailer/nodemailer/blob/533b94593f133cf353bca4b2648c1fb8326b7d0e/lib/sendmail-transport/index.js) the problem is still there.
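An added defensive check, not code from nodemailer or LoopBack, illustrating the bug class CVE-2020-7769 describes: a sendmail-style binary parses its argv with getopt-style rules, so an envelope address beginning with "-" would be read as an option rather than a recipient. The guard below rejects such addresses before the argument vector is built; the conservative address pattern, the `screenRecipients` helper and the sample addresses are assumptions constructed for this example (`-i` and `-f` are standard sendmail flags).

```javascript
// Deliberately conservative addr-spec: local part, "@", at least two dotted host labels.
// Addresses with exotic but RFC-legal characters are rejected rather than risked.
const ADDR_SPEC = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;

// Validate one envelope address (sender or recipient) before it reaches argv.
function assertSafeEnvelopeAddress(addr) {
  if (typeof addr !== 'string' || addr.length === 0 || addr.length > 254) {
    throw new Error('envelope address must be a non-empty string of at most 254 chars');
  }
  if (addr.startsWith('-')) {
    // A leading dash is exactly what an argv parser treats as a command-line option.
    throw new Error(`refusing address that would parse as a flag: ${addr}`);
  }
  if (/[\s\0]/.test(addr)) {
    throw new Error(`refusing address containing whitespace or NUL: ${addr}`);
  }
  if (!ADDR_SPEC.test(addr)) {
    throw new Error(`refusing address outside the accepted pattern: ${addr}`);
  }
  return addr;
}

// Build the argument vector for a sendmail-style binary from an envelope object
// { from?: string, to: string[] }. Every address is validated on the way in.
function buildSendmailArgs(envelope) {
  const args = ['-i']; // -i: a line holding only "." does not end the message
  if (envelope.from) {
    args.push('-f', assertSafeEnvelopeAddress(envelope.from)); // -f: envelope sender
  }
  for (const rcpt of envelope.to) {
    args.push(assertSafeEnvelopeAddress(rcpt)); // recipients are positional
  }
  return args;
}

// Split a recipient list into accepted and rejected entries, keeping the reason,
// so rejections can be logged or alerted on instead of silently dropped.
function screenRecipients(list) {
  const accepted = [];
  const rejected = [];
  for (const address of list) {
    try {
      accepted.push(assertSafeEnvelopeAddress(address));
    } catch (err) {
      rejected.push({ address, reason: err.message });
    }
  }
  return { accepted, rejected };
}

// Constructed sample input: two benign addresses, one flag-shaped, one with a space.
const SAMPLE_RECIPIENTS = ['alice@example.com', '-flag@example.com', 'bob@mail.example.org', 'eve @example.com'];
```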

dhmlau (Member) commented Nov 18, 2020

@srihakum, thanks for reporting this. Would you like to submit a PR? Thanks.

bajtos (Member) commented Nov 23, 2020

Please note: if your application is not using LoopBack's built-in Email model & the email connector, then I believe you are not affected by this vulnerability - the vulnerable code is invoked only when you are sending an email.

As the first step, we need you to compile a list of breaking changes made by nodemailer since the version 4 used by LoopBack now, so that we can assess the impact on LoopBack users if we upgrade to the latest version 6, and post the list as a comment in this issue. I would start looking here: https://github.com/nodemailer/nodemailer/blob/master/CHANGELOG.md

jannyHou (Contributor) commented Nov 23, 2020

The related breaking changes would be:

  • Start using dns.resolve() instead of dns.lookup() for resolving SMTP hostnames. Might be breaking change on some environments so upgrade with care. link

  • SMTPConnection: use removeListener instead of removeAllListeners (xr0master) [ddc4af15] Using removeListener should fix memory leak with Node.js streams. link

jannyHou (Contributor) commented

released as 3.28.0 🎉
