Header injection vulnerability in address object

[tmazeika]

Please fill the following questionnaire about your issue:

1. What kind of issue are you reporting?

• A bug in Nodemailer
• A bug in a plugin of Nodemailer (eg. issues with nodemailer-sendgrid)
• Feature request
• Looking for help to resolve some kind of problem with Nodemailer

2. Are you listed as a sponsor of Nodemailer project (see Sponsors button above)?

• Yes. Sponsors get priority support
• No. Unless it is a bug in Nodemailer you might find support from public forums like StackOverflow.

3. State your problem here:

I've got a pretty standard sendMail call here in an HTTP handler:

await transporter.sendMail({
  from: '...',
  to: '...',
  replyTo: {
    name,
    address,
  },
  subject: 'My Subject',
  text: message,
});

An address that contains line-breaks can add arbitrary SMTP headers. In my mind, the reason for using an address object is to avoid having to deal with escaping odd names and addresses (like would be necessary with `${name} <${address}>`); therefore, it is expected that name and address don't have to be sanitized. Otherwise, it's not just an address object, but an "address plus maybe arbitrary headers," which is not something anyone would want to have. I'm not sure what other fields are vulnerable. This was discovered by @lol768.

[andris9]

Thank you for the report. I verified this to be correct, so I fixed the issue and released nodemailer@6.6.1