🔒 Prevented homograph attacks with punycode domains on member signin (#24457)

mike182uk · web-flow · commit 1f7f3e771a83 · 2025-07-21T13:14:05.000+01:00
ref https://linear.app/ghost/issue/ENG-2462 Added normalization to email addresses for member signup / signin to prevent homograph attacks with punycode domains. This change should be backwards compatible with existing members using emails with unicode characters
diff --git a/ghost/core/core/server/services/members/members-api/controllers/RouterController.js b/ghost/core/core/server/services/members/members-api/controllers/RouterController.js
@@ -4,6 +4,7 @@ const sanitizeHtml = require('sanitize-html');
 const {BadRequestError, NoPermissionError, UnauthorizedError, DisabledFeatureError, NotFoundError} = require('@tryghost/errors');
 const errors = require('@tryghost/errors');
 const {isEmail} = require('@tryghost/validator');
+const normalizeEmail = require('../utils/normalize-email');
 
 const messages = {
     emailRequired: 'Email is required.',
@@ -585,6 +586,23 @@ module.exports = class RouterController {
             });
         }
 
+        // Normalize email to prevent homograph attacks
+        let normalizedEmail;
+
+        try {
+            normalizedEmail = normalizeEmail(email);
+
+            if (normalizedEmail !== email) {
+                logging.info(`Email normalized from ${email} to ${normalizedEmail} for magic link`);
+            }
+        } catch (err) {
+            logging.error(`Failed to normalize [${email}]: ${err.message}`);
+
+            throw new errors.BadRequestError({
+                message: tpl(messages.invalidEmail)
+            });
+        }
+
         if (honeypot) {
             logging.warn('Honeypot field filled, this is likely a bot');
 
@@ -606,9 +624,9 @@ module.exports = class RouterController {
 
         try {
             if (emailType === 'signup' || emailType === 'subscribe') {
-                await this._handleSignup(req, referrer);
+                await this._handleSignup(req, normalizedEmail, referrer);
             } else {
-                await this._handleSignin(req, referrer);
+                await this._handleSignin(req, normalizedEmail, referrer);
             }
 
             res.writeHead(201);
@@ -626,7 +644,7 @@ module.exports = class RouterController {
         }
     }
 
-    async _handleSignup(req, referrer = null) {
+    async _handleSignup(req, normalizedEmail, referrer = null) {
         if (!this._allowSelfSignup()) {
             if (this._settingsCache.get('members_signup_access') === 'paid') {
                 throw new errors.BadRequestError({
@@ -640,14 +658,14 @@ module.exports = class RouterController {
         }
 
         const blockedEmailDomains = this._settingsCache.get('all_blocked_email_domains');
-        const emailDomain = req.body.email.split('@')[1]?.toLowerCase();
+        const emailDomain = normalizedEmail.split('@')[1]?.toLowerCase();
         if (emailDomain && blockedEmailDomains.includes(emailDomain)) {
             throw new errors.BadRequestError({
                 message: tpl(messages.blockedEmailDomain)
             });
         }
 
-        const {email, emailType} = req.body;
+        const {emailType} = req.body;
 
         const tokenData = {
             labels: req.body.labels,
@@ -657,13 +675,13 @@ module.exports = class RouterController {
             attribution: await this._memberAttributionService.getAttribution(req.body.urlHistory)
         };
 
-        return await this._sendEmailWithMagicLink({email, tokenData, requestedType: emailType, referrer});
+        return await this._sendEmailWithMagicLink({email: normalizedEmail, tokenData, requestedType: emailType, referrer});
     }
 
-    async _handleSignin(req, referrer = null) {
-        const {email, emailType} = req.body;
+    async _handleSignin(req, normalizedEmail, referrer = null) {
+        const {emailType} = req.body;
 
-        const member = await this._memberRepository.get({email});
+        const member = await this._memberRepository.get({email: normalizedEmail});
 
         if (!member) {
             throw new errors.BadRequestError({
@@ -672,7 +690,7 @@ module.exports = class RouterController {
         }
 
         const tokenData = {};
-        return await this._sendEmailWithMagicLink({email, tokenData, requestedType: emailType, referrer});
+        return await this._sendEmailWithMagicLink({email: normalizedEmail, tokenData, requestedType: emailType, referrer});
     }
 
     /**
diff --git a/ghost/core/core/server/services/members/members-api/utils/normalize-email.js b/ghost/core/core/server/services/members/members-api/utils/normalize-email.js
@@ -0,0 +1,31 @@
+const punycode = require('punycode/');
+
+/**
+ * Normalizes email addresses by converting Unicode domains to ASCII (punycode)
+ * This prevents homograph attacks where Unicode characters are used to spoof
+ * domains
+ *
+ * @param {string} email The email address to normalize
+ * @returns {string} The normalized email address
+ * @throws {Error} When punycode conversion fails
+ */
+function normalizeEmail(email) {
+    if (!email || typeof email !== 'string') {
+        return null;
+    }
+
+    const atIndex = email.lastIndexOf('@');
+
+    if (atIndex === -1) {
+        return email;
+    }
+
+    const localPart = email.substring(0, atIndex);
+    const domainPart = email.substring(atIndex + 1);
+
+    const asciiDomain = punycode.toASCII(domainPart);
+
+    return `${localPart}@${asciiDomain}`;
+}
+
+module.exports = normalizeEmail;
diff --git a/ghost/core/test/e2e-api/members/__snapshots__/send-magic-link.test.js.snap b/ghost/core/test/e2e-api/members/__snapshots__/send-magic-link.test.js.snap
@@ -1,5 +1,23 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
+exports[`sendMagicLink Homograph attack prevention should prevent homograph attacks by normalizing unicode domains 1: [body] 1`] = `
+Object {
+  "errors": Array [
+    Object {
+      "code": null,
+      "context": null,
+      "details": null,
+      "ghostErrorCode": null,
+      "help": null,
+      "id": StringMatching /\\[a-f0-9\\]\\{8\\}-\\[a-f0-9\\]\\{4\\}-\\[a-f0-9\\]\\{4\\}-\\[a-f0-9\\]\\{4\\}-\\[a-f0-9\\]\\{12\\}/,
+      "message": "No member exists with this e-mail address. Please sign up first.",
+      "property": null,
+      "type": "BadRequestError",
+    },
+  ],
+}
+`;
+
 exports[`sendMagicLink Throws an error when logging in to a email that does not exist (invite only) 1: [body] 1`] = `
 Object {
   "errors": Array [
diff --git a/ghost/core/test/e2e-api/members/send-magic-link.test.js b/ghost/core/test/e2e-api/members/send-magic-link.test.js
@@ -413,5 +413,49 @@ describe('sendMagicLink', function () {
                 .expectStatus(201);
         });
     });
-});
 
+    describe('Homograph attack prevention', function () {
+        it('should prevent homograph attacks by normalizing unicode domains', async function () {
+            const asciiEmail = 'user@example.com';
+
+            await membersAgent.post('/api/send-magic-link')
+                .body({
+                    email: asciiEmail,
+                    emailType: 'signup'
+                })
+                .expectStatus(201);
+
+            const unicodeEmail = 'user@exаmple.com'; // Using Cyrillic 'а'
+
+            await membersAgent.post('/api/send-magic-link')
+                .body({
+                    email: unicodeEmail,
+                    emailType: 'signin'
+                })
+                .expectStatus(400)
+                .matchBodySnapshot({
+                    errors: [{
+                        id: anyErrorId,
+                        message: 'No member exists with this e-mail address. Please sign up first.'
+                    }]
+                });
+        });
+
+        it('should normalize unicode domains for signup', async function () {
+            const unicodeEmail = 'user@tëst.com';
+
+            await membersAgent.post('/api/send-magic-link')
+                .body({
+                    email: unicodeEmail,
+                    emailType: 'signup'
+                })
+                .expectStatus(201);
+
+            const mail = mockManager.assert.sentEmail({
+                to: 'user@xn--tst-jma.com' // Punycode version
+            });
+
+            should.exist(mail);
+        });
+    });
+});
diff --git a/ghost/core/test/unit/server/services/members/members-api/utils/normalize-email.test.js b/ghost/core/test/unit/server/services/members/members-api/utils/normalize-email.test.js
@@ -0,0 +1,53 @@
+const should = require('should');
+const normalizeEmail = require('../../../../../../../core/server/services/members/members-api/utils/normalize-email');
+
+describe('normalizeEmail', function () {
+    it('should normalize unicode domains to punycode', function () {
+        normalizeEmail('test@еxample.com').should.equal('test@xn--xample-2of.com');
+        normalizeEmail('user@tëst.org').should.equal('user@xn--tst-jma.org');
+        normalizeEmail('foo@bär.baz').should.equal('foo@xn--br-via.baz');
+    });
+
+    it('should preserve ASCII domains unchanged', function () {
+        normalizeEmail('user@example.com').should.equal('user@example.com');
+        normalizeEmail('admin@test.org').should.equal('admin@test.org');
+        normalizeEmail('foo@bar.baz').should.equal('foo@bar.baz');
+    });
+
+    it('should preserve unicode in the local part of the email', function () {
+        normalizeEmail('üser@example.com').should.equal('üser@example.com');
+        normalizeEmail('tëst@test.org').should.equal('tëst@test.org');
+        normalizeEmail('用户@example.com').should.equal('用户@example.com');
+    });
+
+    it('should handle already punycoded domains', function () {
+        normalizeEmail('test@xn--tst-jma.com').should.equal('test@xn--tst-jma.com');
+        normalizeEmail('user@xn--br-via.baz').should.equal('user@xn--br-via.baz');
+    });
+
+    it('should preserve the case of the email address', function () {
+        normalizeEmail('User@Example.COM').should.equal('User@Example.COM');
+        normalizeEmail('Admin@TEST.org').should.equal('Admin@TEST.org');
+    });
+
+    it('should handle edge cases gracefully', function () {
+        should.not.exist(normalizeEmail(null));
+        should.not.exist(normalizeEmail(undefined));
+        should.not.exist(normalizeEmail(''));
+        normalizeEmail('invalid-email').should.equal('invalid-email');
+        normalizeEmail('@example.com').should.equal('@example.com');
+        normalizeEmail('user@').should.equal('user@');
+    });
+
+    it('should handle non-string inputs', function () {
+        should.not.exist(normalizeEmail(123));
+        should.not.exist(normalizeEmail({}));
+        should.not.exist(normalizeEmail([]));
+        should.not.exist(normalizeEmail(true));
+    });
+
+    it('should handle multiple @ symbols by using the last one', function () {
+        normalizeEmail('user@name@example.com').should.equal('user@name@example.com');
+        normalizeEmail('user@name@tëst.com').should.equal('user@name@xn--tst-jma.com');
+    });
+});
