feat: sanitize inbox name (#11597)

Co-authored-by: Muhsin Keloth <muhsinkeramam@gmail.com>
2025-06-09 14:46:12 +05:30
parent 9b43a0f72b
commit 25f947223d
7 changed files with 180 additions and 48 deletions
--- a/app/controllers/oauth_callback_controller.rb
+++ b/app/controllers/oauth_callback_controller.rb
@@ -71,6 +71,7 @@ class OauthCallbackController < ApplicationController
  def create_channel_with_inbox
    ActiveRecord::Base.transaction do
      channel_email = Channel::Email.create!(email: users_data['email'], account: account)
+
      account.inboxes.create!(
        account: account,
        channel: channel_email,
--- a/app/mailers/agent_notifications/conversation_notifications_mailer.rb
+++ b/app/mailers/agent_notifications/conversation_notifications_mailer.rb
@@ -4,7 +4,8 @@ class AgentNotifications::ConversationNotificationsMailer < ApplicationMailer

    @agent = agent
    @conversation = conversation
-    subject = "#{@agent.available_name}, A new conversation [ID - #{@conversation.display_id}] has been created in #{@conversation.inbox&.name}."
+    inbox_name = @conversation.inbox&.sanitized_name
+    subject = "#{@agent.available_name}, A new conversation [ID - #{@conversation.display_id}] has been created in #{inbox_name}."
    @action_url = app_account_conversation_url(account_id: @conversation.account_id, id: @conversation.display_id)
    send_mail_with_liquid(to: @agent.email, subject: subject) and return
  end
--- a/app/mailers/conversation_reply_mailer.rb
+++ b/app/mailers/conversation_reply_mailer.rb
@@ -104,7 +104,7 @@ class ConversationReplyMailer < ApplicationMailer
  end

  def business_name
-    @inbox.business_name || @inbox.name
+    @inbox.business_name || @inbox.sanitized_name
  end

  def from_email
--- a/app/models/inbox.rb
+++ b/app/models/inbox.rb
@@ -47,8 +47,6 @@ class Inbox < ApplicationRecord

  # Not allowing characters:
  validates :name, presence: true
-  validates :name, if: :check_channel_type?, format: { with: %r{^^\b[^/\\<>@]*\b$}, multiline: true,
-                                                       message: I18n.t('errors.inboxes.validations.name') }
  validates :account_id, presence: true
  validates :timezone, inclusion: { in: TZInfo::Timezone.all_identifiers }
  validates :out_of_office_message, length: { maximum: Limits::OUT_OF_OFFICE_MESSAGE_MAX_LENGTH }
@@ -99,6 +97,16 @@ class Inbox < ApplicationRecord
    update_account_cache
  end

+  # Sanitizes inbox name for balanced email provider compatibility
+  # ALLOWS: /'._- and Unicode letters/numbers/emojis
+  # REMOVES: Forbidden chars (\<>@") + spam-trigger symbols (!#$%&*+=?^`{|}~)
+  def sanitized_name
+    return default_name_for_blank_name if name.blank?
+
+    sanitized = apply_sanitization_rules(name)
+    sanitized.blank? && email? ? display_name_from_email : sanitized
+  end
+
  def sms?
    channel_type == 'Channel::Sms'
  end
@@ -178,6 +186,22 @@ class Inbox < ApplicationRecord

  private

+  def default_name_for_blank_name
+    email? ? display_name_from_email : ''
+  end
+
+  def apply_sanitization_rules(name)
+    name.gsub(/[\\<>@"!#$%&*+=?^`{|}~]/, '')            # Remove forbidden chars
+        .gsub(/[\x00-\x1F\x7F]/, ' ')                   # Replace control chars with spaces
+        .gsub(/\A[[:punct:]]+|[[:punct:]]+\z/, '')      # Remove leading/trailing punctuation
+        .gsub(/\s+/, ' ')                               # Normalize spaces
+        .strip
+  end
+
+  def display_name_from_email
+    channel.email.split('@').first.parameterize.titleize
+  end
+
  def dispatch_create_event
    return if ENV['ENABLE_INBOX_EVENTS'].blank?