Block unsafe Unicode characters in the local part

Author: JoshData

README.md

@@ -16,7 +16,7 @@ Key features:
   to end users).
 * (optionally) Checks deliverability: Does the domain name resolve? And you can override the default DNS resolver.
 * Supports internationalized domain names and (optionally)
-  internationalized local parts.
+  internationalized local parts, but blocks unsafe characters.
 * Normalizes email addresses (super important for internationalized
   addresses! see below).
 
@@ -172,12 +172,28 @@ The second sort of internationalization is internationalization in the
 *local* part of the address (before the @-sign). In non-internationalized
 email addresses, only English letters, numbers, and some punctuation
 (`._!#$%&'^``*+-=~/?{|}`) are allowed. In internationalized email address
-local parts, all Unicode characters are allowed by this library, although
-it's possible that not all characters will be allowed by all mail systems.
-
-To deliver email to addresses with Unicode, non-English characters, your mail
+local parts, a wider range of Unicode characters are allowed.
+
+A surprisingly large number of Unicode characters are not safe to display,
+especially when the email address is concatenated with other text, so this
+library tries to protect you by not permitting resvered, non-, private use,
+formatting (which can be used to alter the display order of characters),
+whitespace, and control characters, and combining characters
+as the first character (so that they cannot combine with something outside
+of the email address string). See https://qntm.org/safe and https://trojansource.codes/
+for relevant prior work. (Other than whitespace, these are checks that
+you should be applying to nearly all user inputs in a security-sensitive
+context.)
+
+These character checks are performed after Unicode normalization (see below),
+so you are only fully protected if you replace all user-provided email addresses
+with the normalized email address string returned by this library. This does not
+guard against the well known problem that many Unicode characters look alike
+(or are identical), which can be used to fool humans reading displayed text.
+
+Email addresses with these non-ASCII characters require that your mail
 submission library and the mail servers along the route to the destination,
-including your own outbound mail server, must all support the
+including your own outbound mail server, all support the
 [SMTPUTF8 (RFC 6531)](https://tools.ietf.org/html/rfc6531) extension.
 Support for SMTPUTF8 varies. See the `allow_smtputf8` parameter.
 

email_validator/__init__.py

@@ -368,8 +368,35 @@ def validate_email_local_part(local, allow_smtputf8=True, allow_empty_local=Fals
         # so we'll return the normalized local part in the return value.
         local = unicodedata.normalize("NFC", local)
 
+        # Check for unsafe characters.
+        # Some of this may be redundant with the range U+0080 to U+10FFFF that is checked
+        # by DOT_ATOM_TEXT_UTF8.
+        for i, c in enumerate(local):
+            category = unicodedata.category(c)
+            if category[0] in ("L", "N", "P", "S"):
+                # letters, numbers, punctuation, and symbols are permitted
+                pass
+            elif category[0] == "M":
+                # combining character in first position would combine with something
+                # outside of the email address if concatenated to the right, but are
+                # otherwise permitted
+                if i == 0:
+                    raise EmailSyntaxError("The email address contains an initial invalid character (%s)."
+                                           % unicodedata.name(c, repr(c)))
+            elif category[0] in ("Z", "C"):
+                # spaces and line/paragraph characters (Z) and
+                # control, format, surrogate, private use, and unassigned code points (C)
+                raise EmailSyntaxError("The email address contains an invalid character (%s)."
+                                       % unicodedata.name(c, repr(c)))
+            else:
+                # All categories should be handled above, but in case there is something new
+                # in the future.
+                raise EmailSyntaxError("The email address contains a character (%s; category %s) that may not be safe."
+                                       % (unicodedata.name(c, repr(c)), category))
+
         # Try encoding to UTF-8. Failure is possible with some characters like
-        # surrogate code points.
+        # surrogate code points, but those are checked above. Still, we don't
+        # want to have an unhandled exception later.
         try:
             local.encode("utf8")
         except ValueError:

tests/test_main.py

@@ -278,12 +278,19 @@ def test_email_invalid_reserved_domain(email_input):
     # print(f'({email_input!r}, {str(exc_info.value)!r}),')
     assert "is a special-use or reserved name" in str(exc_info.value)
 
+
 @pytest.mark.parametrize(
     'email_input',
     [
         ('white space@test'),
         ('\n@test'),
-        ('\uD800@test'), # surrogate (Cs)
+        ('\u2005@test'),  # four-per-em space (Zs)
+        ('\u009C@test'),  # string terminator (Cc)
+        ('\u200B@test'),  # zero-width space (Cf)
+        ('\u202Dforward-\u202Ereversed@test'),  # BIDI (Cf)
+        ('\uD800@test'),  # surrogate (Cs)
+        ('\uE000@test'),  # private use (Co)
+        ('\uFDEF@test'),  # unassigned (Cn)
     ],
 )
 def test_email_unsafe_character(email_input):
@@ -292,6 +299,7 @@ def test_email_unsafe_character(email_input):
         validate_email(email_input, test_environment=True)
     assert "invalid character" in str(exc_info.value)
 
+
 def test_email_test_domain_name_in_test_environment():
     validate_email("anything@test", test_environment=True)
     validate_email("anything@mycompany.test", test_environment=True)