From c65458c1540d5f2139fd66b812f028181b7e11d8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E0=A4=95=E0=A4=BE=E0=A4=B0=E0=A4=A4=E0=A5=8B=E0=A4=AB?=
 =?UTF-8?q?=E0=A5=8D=E0=A4=AB=E0=A5=87=E0=A4=B2=E0=A4=B8=E0=A5=8D=E0=A4=95?=
 =?UTF-8?q?=E0=A5=8D=E0=A4=B0=E0=A4=BF=E0=A4=AA=E0=A5=8D=E0=A4=9F=E2=84=A2?=
 <netroy@users.noreply.github.com>
Date: Fri, 19 Aug 2022 12:45:22 +0200
Subject: [PATCH] [N8N-4355] Use safer templating for UserManagement emails
 (#3893)

---
 package-lock.json                             |  1 +
 packages/cli/package.json                     |  1 +
 .../email/UserManagementMailer.ts             | 70 +++++++++----------
 3 files changed, 36 insertions(+), 36 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index ec93b76c04..72b3f9e3a2 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -53645,6 +53645,7 @@
         "fast-glob": "^3.2.5",
         "flatted": "^3.2.4",
         "google-timezones-json": "^1.0.2",
+        "handlebars": "4.7.7",
         "inquirer": "^7.0.1",
         "json-diff": "^0.5.4",
         "jsonschema": "^1.4.1",
diff --git a/packages/cli/package.json b/packages/cli/package.json
index 0073b99c9f..eb681cd6ac 100644
--- a/packages/cli/package.json
+++ b/packages/cli/package.json
@@ -129,6 +129,7 @@
     "fast-glob": "^3.2.5",
     "flatted": "^3.2.4",
     "google-timezones-json": "^1.0.2",
+    "handlebars": "4.7.7",
     "inquirer": "^7.0.1",
     "json-diff": "^0.5.4",
     "jsonschema": "^1.4.1",
diff --git a/packages/cli/src/UserManagement/email/UserManagementMailer.ts b/packages/cli/src/UserManagement/email/UserManagementMailer.ts
index 5fa51319b6..bf2ef3fd60 100644
--- a/packages/cli/src/UserManagement/email/UserManagementMailer.ts
+++ b/packages/cli/src/UserManagement/email/UserManagementMailer.ts
@@ -1,7 +1,8 @@
-/* eslint-disable import/no-cycle */
-import { existsSync, readFileSync } from 'fs';
-import { IDataObject } from 'n8n-workflow';
+import Handlebars from 'handlebars';
+import { existsSync } from 'fs';
+import { readFile } from 'fs/promises';
 import { join as pathJoin } from 'path';
+// eslint-disable-next-line import/no-cycle
 import { GenericHelpers } from '../..';
 import * as config from '../../../config';
 import {
@@ -12,35 +13,33 @@ import {
 } from './Interfaces';
 import { NodeMailer } from './NodeMailer';
 
-// TODO: make function fully async (remove sync functions)
-async function getTemplate(configKeyName: string, defaultFilename: string) {
-	const templateOverride = (await GenericHelpers.getConfigValue(
-		`userManagement.emails.templates.${configKeyName}`,
-	)) as string;
+type Template = HandlebarsTemplateDelegate<unknown>;
+type TemplateName = 'invite' | 'passwordReset';
 
-	let template;
-	if (templateOverride && existsSync(templateOverride)) {
-		template = readFileSync(templateOverride, {
-			encoding: 'utf-8',
-		});
-	} else {
-		template = readFileSync(pathJoin(__dirname, `templates/${defaultFilename}`), {
-			encoding: 'utf-8',
-		});
+const templates: Partial<Record<TemplateName, Template>> = {};
+
+async function getTemplate(
+	templateName: TemplateName,
+	defaultFilename = `${templateName}.html`,
+): Promise<Template> {
+	let template = templates[templateName];
+	if (!template) {
+		const templateOverride = (await GenericHelpers.getConfigValue(
+			`userManagement.emails.templates.${templateName}`,
+		)) as string;
+
+		let markup;
+		if (templateOverride && existsSync(templateOverride)) {
+			markup = await readFile(templateOverride, 'utf-8');
+		} else {
+			markup = await readFile(pathJoin(__dirname, `templates/${defaultFilename}`), 'utf-8');
+		}
+		template = Handlebars.compile(markup);
+		templates[templateName] = template;
 	}
 	return template;
 }
 
-function replaceStrings(template: string, data: IDataObject) {
-	let output = template;
-	const keys = Object.keys(data);
-	keys.forEach((key) => {
-		const regex = new RegExp(`\\{\\{\\s*${key}\\s*\\}\\}`, 'g');
-		output = output.replace(regex, data[key] as string);
-	});
-	return output;
-}
-
 export class UserManagementMailer {
 	private mailer: UserManagementMailerImplementation | undefined;
 
@@ -58,13 +57,13 @@ export class UserManagementMailer {
 	}
 
 	async invite(inviteEmailData: InviteEmailData): Promise<SendEmailResult> {
-		let template = await getTemplate('invite', 'invite.html');
-		template = replaceStrings(template, inviteEmailData);
+		if (!this.mailer) return Promise.reject();
 
-		const result = await this.mailer?.sendMail({
+		const template = await getTemplate('invite');
+		const result = await this.mailer.sendMail({
 			emailRecipients: inviteEmailData.email,
 			subject: 'You have been invited to n8n',
-			body: template,
+			body: template(inviteEmailData),
 		});
 
 		// If mailer does not exist it means mail has been disabled.
@@ -72,14 +71,13 @@ export class UserManagementMailer {
 	}
 
 	async passwordReset(passwordResetData: PasswordResetData): Promise<SendEmailResult> {
-		let template = await getTemplate('passwordReset', 'passwordReset.html');
-		template = replaceStrings(template, passwordResetData);
+		if (!this.mailer) return Promise.reject();
 
-		// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-		const result = await this.mailer?.sendMail({
+		const template = await getTemplate('passwordReset');
+		const result = await this.mailer.sendMail({
 			emailRecipients: passwordResetData.email,
 			subject: 'n8n password reset',
-			body: template,
+			body: template(passwordResetData),
 		});
 
 		// If mailer does not exist it means mail has been disabled.