"""Email client header-injection / address-validation regression tests."""
from __future__ import annotations

import pytest

from notify_bridge_core.notifications.email.client import (
    EmailClient,
    SmtpConfig,
    _strip_header,
    _validate_email,
    _to_html,
)


def test_strip_header_removes_crlf() -> None:
    """A CRLF embedded in a header value must not survive ``_strip_header``."""
    # The input models a header-injection attempt: a CRLF followed by text
    # that would parse as a second header line if the line break were kept.
    out = _strip_header("Subject\r\nBcc: attacker@example.com")
    assert "\r" not in out
    assert "\n" not in out
    # The injected "Bcc:" line is folded to a single header line; the SMTP
    # server will treat it as part of the subject text, not a header.
    # Only the line breaks are asserted gone: the text itself is expected to
    # stay, so sanitising does not silently drop user-supplied content.
    assert "Bcc:" in out  # value preserved as plain text


def test_strip_header_removes_bare_lf() -> None:
    """A lone LF (no preceding CR) is removed from the header value as well."""
    # NOTE(review): the tests visible here feed "\r\n" and a bare "\n"; a bare
    # "\r" input is not exercised — confirm it is covered, since a header
    # sanitiser should treat a lone CR as a line break too.
    out = _strip_header("Hello\nWorld")
    assert "\n" not in out


def test_strip_header_handles_non_string() -> None:
    """``None`` yields an empty string instead of raising."""
    # NOTE(review): despite the test name, None is the only non-string value
    # checked here.
    assert _strip_header(None) == ""


def test_validate_email_rejects_crlf() -> None:
    """An address carrying a CRLF and a trailing header line raises ValueError."""
    # Rejecting (rather than stripping) keeps a recipient value from being
    # reinterpreted as a different address after sanitising.
    with pytest.raises(ValueError):
        _validate_email("user@example.com\r\nBcc: x@y")


def test_validate_email_rejects_no_at() -> None:
    """A value without an ``@`` is not accepted as an address."""
    with pytest.raises(ValueError):
        _validate_email("not-an-email")


def test_validate_email_rejects_empty() -> None:
    """The empty string is rejected with ValueError."""
    with pytest.raises(ValueError):
        _validate_email("")


def test_validate_email_accepts_normal() -> None:
    """A plain address passes validation and is returned unchanged."""
    assert _validate_email("user@example.com") == "user@example.com"


def test_to_html_escapes_brackets() -> None:
    out = _to_html("")
    assert "