🐛 Fix obfuscate-email crashing on malformed email or dotless domain (#9120)

The viewer-side `obfuscate-email` helper used by `anonymize-member` when building share-link bundles called `clojure.string/split` on the raw email input and then on the extracted domain. Two failure modes: 1. When the stored email had no `@` (legacy data, LDAP-sourced UIDs, direct DB inserts, or fixtures that bypassed `::sm/email`), destructuring left `domain` bound to `nil` and the follow-up `(str/split nil "." 2)` raised `NullPointerException`. Because `obfuscate-email` runs inside `get-view-only-bundle`, the exception aborted the whole RPC response for share-link viewers, not just the field. 2. When the stored email used a single-label domain (`alice@localhost`), `(str/split "localhost" "." 2)` returned `["localhost"]`; destructuring bound `rest` to `nil` and the final `(str name "@****." rest)` produced a dangling-dot output `"****@****."` (nil coerces to empty in `str`). Guard both split calls with `(or x "")` so the chain is nil-safe, and emit the trailing `.<tld>` segment only when `rest` is present. Add three `deftest` groups covering the happy path, dotless domains, and malformed inputs (nil / empty / no-`@`), plus a CHANGES.md entry under the 2.17.0 Unreleased bugs-fixed section. Signed-off-by: Andrey Antukh <niwi@niwi.nz> Co-authored-by: Andrey Antukh <niwi@niwi.nz>
2026-04-25 11:18:36 +00:00 · 2026-04-24 02:09:49 -05:00 · 2026-04-24 02:09:49 -05:00 · 6c7843f4b6
commit 6c7843f4b6
parent 8aacda2249
3 changed files with 33 additions and 3 deletions
--- a/CHANGES.md
+++ b/CHANGES.md
@ -50,6 +50,7 @@

 ### :bug: Bugs fixed

+- Fix `get-view-only-bundle` crashing when a share-link viewer encounters a team member whose email lacks `@` (NullPointerException in `obfuscate-email`) or whose domain has no `.` (previously produced a dangling-dot `****@****.`); now the viewer-side obfuscation is nil-safe and omits the trailing dot when the domain has no TLD
 - Remove `corepack` from the MCP local launcher so it runs on Node.js 25+, where corepack is no longer bundled [Github #8877](https://github.com/penpot/penpot/issues/8877)
 - Fix Copy as SVG: emit a single valid SVG document when multiple shapes are selected, and publish `image/svg+xml` to the clipboard so the paste target works in Inkscape and other SVG-native tools [Github #838](https://github.com/penpot/penpot/issues/838)
 - Reset profile submenu state when the account menu closes (by @eureka0928) [Github #8947](https://github.com/penpot/penpot/issues/8947)
--- a/backend/src/app/rpc/commands/viewer.clj
+++ b/backend/src/app/rpc/commands/viewer.clj
@ -28,19 +28,25 @@
      (update :pages-index select-keys allowed)))

 (defn obfuscate-email
+  "Obfuscate the `email` for share-link members so the viewer only sees a
+   partially redacted address. Accepts any string shape (including nil,
+   missing `@`, or a domain with no `.`) and falls back to a fully-masked
+   result rather than throwing — the function is called while building the
+   view-only bundle for anonymous viewers, so an NPE here would abort the
+   entire share-link response."
  [email]
  (let [[name domain]
-        (str/split email "@" 2)
+        (str/split (or email "") "@" 2)

        [_ rest]
-        (str/split domain "." 2)
+        (str/split (or domain "") "." 2)

        name
        (if (> (count name) 3)
          (str (subs name 0 1) (apply str (take (dec (count name)) (repeat "*"))))
          "****")]

-    (str name "@****." rest)))
+    (str name "@****" (when rest (str "." rest)))))

 (defn anonymize-member
  [member]
--- a/backend/test/backend_tests/rpc_viewer_test.clj
+++ b/backend/test/backend_tests/rpc_viewer_test.clj
@ -9,6 +9,7 @@
   [app.common.uuid :as uuid]
   [app.db :as db]
   [app.rpc :as-alias rpc]
+   [app.rpc.commands.viewer :as viewer]
   [backend-tests.helpers :as th]
   [clojure.test :as t]
   [datoteka.fs :as fs]))
@ -16,6 +17,28 @@
 (t/use-fixtures :once th/state-init)
 (t/use-fixtures :each th/database-reset)

+(t/deftest obfuscate-email-happy-path
+  (t/is (= "a****@****.com" (viewer/obfuscate-email "alice@example.com")))
+  (t/is (= "a****@****.example.com" (viewer/obfuscate-email "alice@sub.example.com")))
+  (t/is (= "****@****.com" (viewer/obfuscate-email "bob@bar.com"))))
+
+(t/deftest obfuscate-email-handles-domain-without-dot
+  ;; `localhost`-style domains have no `.`; the previous implementation produced
+  ;; a dangling-dot output like "a****@****." — now the trailing `.` is only
+  ;; emitted when there actually is a TLD segment to append.
+  (t/is (= "a****@****" (viewer/obfuscate-email "alice@localhost")))
+  (t/is (= "****@****" (viewer/obfuscate-email "x@y"))))
+
+(t/deftest obfuscate-email-handles-malformed-input
+  ;; These shapes must not throw — `obfuscate-email` runs while building the
+  ;; view-only bundle for share-link viewers and an NPE here aborts the whole
+  ;; RPC response. The previous implementation called `clojure.string/split`
+  ;; on `nil` for the `no-@` case, raising NullPointerException.
+  (t/is (= "****@****" (viewer/obfuscate-email nil)))
+  (t/is (= "****@****" (viewer/obfuscate-email "")))
+  (t/is (= "r***@****" (viewer/obfuscate-email "root")))       ; no `@`, count > 3
+  (t/is (= "****@****" (viewer/obfuscate-email "bob"))))       ; no `@`, count <= 3
+
 (t/deftest retrieve-bundle
  (let [prof     (th/create-profile* 1 {:is-active true})
        prof2    (th/create-profile* 2 {:is-active true})