From 7b546bc5535e287bf7438200e2b68d6b3f45cb41 Mon Sep 17 00:00:00 2001
From: Maxim Ashin <53023744+MaximAshin@users.noreply.github.com>
Date: Sun, 7 Apr 2024 00:51:03 +0300
Subject: [PATCH] Prototype Pollution (Server Side) + Email Injection (#307)

A client side endpoint that is vulnerable to prototype pollution

---------

Co-authored-by: Tamir Gershberg <47638346+tamirGer@users.noreply.github.com>
---
 README.md                                    |  17 +-
 client/public/assets/css/style.css           |   7 +
 client/src/api/ApiUrl.ts                     |   3 +-
 client/src/api/httpClient.ts                 |  12 ++
 client/src/pages/main/Contact.tsx            |  25 ++-
 client/src/pages/main/Header/Nav.tsx         |   2 +-
 client/src/pages/marketplace/Marketplace.tsx |  65 ++++++-
 client/src/utils/url.js                      |  74 ++++++++
 docker-compose.local.yml                     |  12 ++
 docker-compose.yml                           |  12 ++
 package-lock.json                            | 126 ++++---------
 package.json                                 |   1 +
 src/app.module.ts                            |   3 +
 src/email/email.controller.swagger.desc.ts   |   5 +
 src/email/email.controller.ts                | 137 ++++++++++++++
 src/email/email.module.ts                    |  10 ++
 src/email/email.service.ts                   | 179 +++++++++++++++++++
 src/main.ts                                  |   2 +
 src/utils/url.ts                             |  76 ++++++++
 19 files changed, 668 insertions(+), 100 deletions(-)
 create mode 100644 client/src/utils/url.js
 create mode 100644 src/email/email.controller.swagger.desc.ts
 create mode 100644 src/email/email.controller.ts
 create mode 100644 src/email/email.module.ts
 create mode 100644 src/email/email.service.ts
 create mode 100644 src/utils/url.ts

diff --git a/README.md b/README.md
index fa2c7359..10c20ec0 100644
--- a/README.md
+++ b/README.md
@@ -22,7 +22,7 @@ The full API documentation is available via swagger or GraphQL:
 npm ci && npm run build
 
 # build client
-npm ci --prefix public && npm run build --prefix public
+npm ci --prefix client && npm run build --prefix client
 
 #build and start dockers with Postgres DB, nginx and server
 docker-compose --file=docker-compose.local.yml up -d
@@ -177,4 +177,19 @@ Additionally, the endpoint PUT /api/users/one/{email}/photo accepts SVG images,
   3. The endpoint GET `/api/partners/query` is a raw XPATH injection endpoint. You can put whatever you like there. It is not referenced in the frontend, but it is an exposed API endpoint.
   4. Note: All endpoints are vulnerable to error based payloads.
 
+* **Prototype Pollution** - The `/marketplace` endpoint is vulnerable to prototype pollution using the following methods:
+  1. The EP GET `/marketplace?__proto__[Test]=Test` represents the client side vulnerabillity, by parsing the URI (for portfolio filtering) and converting
+  it's parmeters into an object. This means that a requests like `/marketplace?__proto__[TestKey]=TestValue` will lead to a creation of `Object.TestKey`.
+  One can test if an attack was successful by viewing the new property created in the console.
+  This EP also supports prototyp pollution based DOM XSS using a payload such as `__proto__[prototypePollutionDomXss]=data:,alert(1);`.
+  The "legitimate" code tries to use the `prototypePollutionDomXss` parameter as a source for a script tag, so if the exploit is not used via this key it won't work.
+  2. The EP GET `/api/email/sendSupportEmail` represents the server side vulnerabillity, by having a rookie URI parsing mistake (similiar to the client side).
+  This means that a request such as `/api/email/sendSupportEmail?name=Bob%20Dylan&__proto__[status]=222&to=username%40email.com&subject=Help%20Request&content=Help%20me..`
+  will lead to a creation of `uriParams.status`, which is a parameter used in the final JSON response.
+
 * **Date Manipulation** - The `/api/products?date_from={df}&date_to={dt}` endpoint fetches all products that were created between the selected dates. There is no limit on the range of dates and when a user tries to query a range larger than 2 years querying takes a significant amount of time. This EP is used by the frontend in the `/marketplace` page.
+
+* **Email Injection** - The `/api/email/sendSupportEmail` is vulnerable to email injection by supplying tempred recipients.
+  To exploit the EP you can dispatch a request as such `/api/email/sendSupportEmail?name=Bob&to=username%40email.com%0aCc:%20bob@domain.com&subject=Help%20Request&content=I%20would%20like%20to%20request%20help%20regarding`.
+  This will lead to the sending of a mail to both `username@email.com` and `bob@domain.com` (as the Cc).
+  Note: This EP is also vulnerable to `Server side prototype pollution`, as mentioned in this README.
diff --git a/client/public/assets/css/style.css b/client/public/assets/css/style.css
index 30ade4f2..ff50d4b2 100644
--- a/client/public/assets/css/style.css
+++ b/client/public/assets/css/style.css
@@ -573,6 +573,13 @@ section {
   padding-top: 30px;
 }
 
+.marketplace-gem-filter-input {
+  margin-left: 20%;
+  margin-right: 20%;
+  max-width: -webkit-fill-available;
+  margin-top: 15px
+}
+
 .section-title h2 {
   font-size: 32px;
   font-weight: bold;
diff --git a/client/src/api/ApiUrl.ts b/client/src/api/ApiUrl.ts
index 4050fc1b..36bee57a 100644
--- a/client/src/api/ApiUrl.ts
+++ b/client/src/api/ApiUrl.ts
@@ -11,5 +11,6 @@ export enum ApiUrl {
   Spawn = '/api/spawn',
   File = '/api/file',
   NestedJson = '/api/nestedJson',
-  Partners = '/api/partners'
+  Partners = '/api/partners',
+  Email = '/api/email'
 }
diff --git a/client/src/api/httpClient.ts b/client/src/api/httpClient.ts
index ba948a2b..aaed3e1f 100644
--- a/client/src/api/httpClient.ts
+++ b/client/src/api/httpClient.ts
@@ -319,3 +319,15 @@ export function searchPartners(keyword: string): Promise<any> {
     method: 'get'
   });
 }
+
+export function sendSupportEmailRequest(
+  name: string,
+  to: string,
+  subject: string,
+  content: string
+): Promise<any> {
+  return makeApiRequest({
+    url: `${ApiUrl.Email}/sendSupportEmail?name=${name}&to=${to}&subject=${subject}&content=${content}`,
+    method: 'get'
+  });
+}
diff --git a/client/src/pages/main/Contact.tsx b/client/src/pages/main/Contact.tsx
index d26f3c9c..26587e83 100644
--- a/client/src/pages/main/Contact.tsx
+++ b/client/src/pages/main/Contact.tsx
@@ -1,4 +1,5 @@
 import React, { useEffect } from 'react';
+import { sendSupportEmailRequest } from 'src/api/httpClient';
 
 export const Contact = (props: { mapTitle: string | null }) => {
   useEffect(() => {
@@ -10,6 +11,21 @@ export const Contact = (props: { mapTitle: string | null }) => {
     }
   }, []);
 
+  const sendSupportRequestEmailAction = () => {
+    const formName = document.getElementById('name')?.value;
+    const formEmail = document.getElementById('email')?.value;
+    const formSubject = document.getElementById('subject')?.value;
+    const formMessage = document.getElementById('message')?.value || '';
+
+    if (!(formName && formEmail && formSubject)) {
+      return alert(
+        'The email form is incomplete - Please fill out all required sections.'
+      );
+    }
+
+    sendSupportEmailRequest(formName, formEmail, formSubject, formMessage);
+  };
+
   return (
     <section id="contact" className="contact section-bg">
       <div className="container" data-aos="fade-up">
@@ -105,6 +121,7 @@ export const Contact = (props: { mapTitle: string | null }) => {
                 <textarea
                   className="form-control"
                   name="message"
+                  id="message"
                   rows={5}
                   data-rule="required"
                   data-msg="Please write something for us"
@@ -120,7 +137,13 @@ export const Contact = (props: { mapTitle: string | null }) => {
                 </div>
               </div>
               <div className="text-center">
-                <button type="submit">Send Message</button>
+                <button
+                  id="send-email-button"
+                  onClick={() => sendSupportRequestEmailAction()}
+                  type="submit"
+                >
+                  Send Message
+                </button>
               </div>
             </form>
           </div>
diff --git a/client/src/pages/main/Header/Nav.tsx b/client/src/pages/main/Header/Nav.tsx
index 4dd484d4..b9f6995c 100644
--- a/client/src/pages/main/Header/Nav.tsx
+++ b/client/src/pages/main/Header/Nav.tsx
@@ -13,7 +13,7 @@ const menu: Array<MenuItem> = [
   { name: 'Home', path: '/?maptitle=map', newTab: false },
   {
     name: 'Marketplace',
-    path: '/marketplace?videosrc=https://www.youtube-nocookie.com/embed/MPYlxeG-8_w?controls=0',
+    path: '/marketplace?portfolio_query_filter=&videosrc=https://www.youtube-nocookie.com/embed/MPYlxeG-8_w?controls=0',
     newTab: false
   },
   { name: 'Edit user data', path: RoutePath.Userprofile, newTab: false },
diff --git a/client/src/pages/marketplace/Marketplace.tsx b/client/src/pages/marketplace/Marketplace.tsx
index c1f6d2d0..0eae452b 100644
--- a/client/src/pages/marketplace/Marketplace.tsx
+++ b/client/src/pages/marketplace/Marketplace.tsx
@@ -11,6 +11,7 @@ import Testimonials from './Testimonials/Testimonials';
 import ProductView from './ProductView';
 import DateRangePicker from './DatePicker';
 import Partners from './Partners/Partners';
+import splitUriIntoParamsPPVulnerable from '../../utils/url';
 
 interface Props {
   preview: boolean;
@@ -71,6 +72,47 @@ export const Marketplace: FC<Props> = (props: Props) => {
     }
   }, []);
 
+  const searchStringInProductNameOrDescription = (
+    searchString: string,
+    product: Product
+  ) => {
+    searchString = searchString.toLowerCase();
+    return !searchString ||
+      product.name.toLowerCase().includes(searchString) ||
+      product.description.toLowerCase().includes(searchString)
+      ? product
+      : null;
+  };
+
+  // Note: This function is vulnerable to Prototype Pollution
+  const currentUriParams: Record<string, any> = splitUriIntoParamsPPVulnerable(
+    document.location.search
+  );
+
+  const [portfolioQueryFilter, setPortfolioQueryFilter] = useState(
+    currentUriParams &&
+      currentUriParams.hasOwnProperty('portfolio_query_filter')
+      ? currentUriParams['portfolio_query_filter']
+      : ''
+  );
+
+  /*
+  If the 'prototypePollutionDomXss' key is present (which can stem from prototype pollution or just a regular URI parameter)
+  then a <script> element is created with the key's cooresponding value as a source
+  */
+  let scriptElementProrotypePollutionDomXSS;
+  if (currentUriParams.prototypePollutionDomXss) {
+    scriptElementProrotypePollutionDomXSS = document.createElement('script');
+
+    scriptElementProrotypePollutionDomXSS.id =
+      'prototype-pollution-dom-xss-script';
+    scriptElementProrotypePollutionDomXSS.src =
+      currentUriParams.prototypePollutionDomXss;
+    scriptElementProrotypePollutionDomXSS.async = true;
+
+    document.body.appendChild(scriptElementProrotypePollutionDomXSS);
+  }
+
   const handleDateChange = (dateFrom: Date, DateTo: Date) => {
     getProducts(dateFrom, DateTo).then((data) => setProducts(data));
   };
@@ -84,6 +126,16 @@ export const Marketplace: FC<Props> = (props: Props) => {
           <div className="section-title marketplaceTitle">
             <h2>Marketplace</h2>
           </div>
+          <div className="section-title qmarketplaceTitle">
+            <h3>Gem Filter</h3>
+            <input
+              className="form-control marketplace-gem-filter-input"
+              id="portfolio-query-filter"
+              placeholder="Filter for gems easily"
+              defaultValue={portfolioQueryFilter || ''}
+              onChange={(e) => setPortfolioQueryFilter(e ? e.target.value : '')}
+            />
+          </div>
           {props.preview || (
             <div className="row">
               <DateRangePicker onDatesChange={handleDateChange} />
@@ -101,9 +153,16 @@ export const Marketplace: FC<Props> = (props: Props) => {
           )}
           <div className="row portfolio-container">
             {products &&
-              products.map((product, i) => (
-                <ProductView product={product} key={i} />
-              ))}
+              products.map((product, i) =>
+                searchStringInProductNameOrDescription(
+                  portfolioQueryFilter,
+                  product
+                ) ? (
+                  <ProductView product={product} key={i} />
+                ) : (
+                  <></>
+                )
+              )}
           </div>
         </div>
         {props.preview && (
diff --git a/client/src/utils/url.js b/client/src/utils/url.js
new file mode 100644
index 00000000..de26bfe9
--- /dev/null
+++ b/client/src/utils/url.js
@@ -0,0 +1,74 @@
+// Taken from PortSwigger's prototype pollution labs
+// VULNERABLE TO PROTOTYPE POLLUTION!
+var splitUriIntoParamsPPVulnerable = (params, coerce) => {
+  if (params.charAt(0) === '?') {
+    params = params.substring(1);
+  }
+
+  var obj = {},
+    coerce_types = { true: !0, false: !1, null: null };
+
+  if (!params) {
+    return obj;
+  }
+
+  params
+    .replace(/\+/g, ' ')
+    .split('&')
+    .forEach(function (v) {
+      var param = v.split('='),
+        key = decodeURIComponent(param[0]),
+        val,
+        cur = obj,
+        i = 0,
+        keys = key.split(']['),
+        keys_last = keys.length - 1;
+
+      if (/\[/.test(keys[0]) && /\]$/.test(keys[keys_last])) {
+        keys[keys_last] = keys[keys_last].replace(/\]$/, '');
+        keys = keys.shift().split('[').concat(keys);
+        keys_last = keys.length - 1;
+      } else {
+        keys_last = 0;
+      }
+
+      if (param.length === 2) {
+        val = decodeURIComponent(param[1]);
+
+        if (coerce) {
+          val =
+            val && !isNaN(val) && +val + '' === val
+              ? +val // number
+              : val === 'undefined'
+              ? undefined // undefined
+              : coerce_types[val] !== undefined
+              ? coerce_types[val] // true, false, null
+              : val; // string
+        }
+
+        if (keys_last) {
+          for (; i <= keys_last; i++) {
+            key = keys[i] === '' ? cur.length : keys[i];
+            cur = cur[key] =
+              i < keys_last
+                ? cur[key] || (keys[i + 1] && isNaN(keys[i + 1]) ? {} : [])
+                : val;
+          }
+        } else {
+          if (Object.prototype.toString.call(obj[key]) === '[object Array]') {
+            obj[key].push(val);
+          } else if ({}.hasOwnProperty.call(obj, key)) {
+            obj[key] = [obj[key], val];
+          } else {
+            obj[key] = val;
+          }
+        }
+      } else if (key) {
+        obj[key] = coerce ? undefined : '';
+      }
+    });
+
+  return obj;
+};
+
+export default splitUriIntoParamsPPVulnerable;
diff --git a/docker-compose.local.yml b/docker-compose.local.yml
index c42f2bdd..caba2d0a 100644
--- a/docker-compose.local.yml
+++ b/docker-compose.local.yml
@@ -42,3 +42,15 @@ services:
         max-size: '10m'
     depends_on:
       - db
+
+  mailcatcher:
+    image: sj26/mailcatcher
+    container_name: mailcatcher
+    restart: always
+    ports:
+      - '1080:1080'
+      - '1025:1025'
+    logging:
+      options:
+        max-file: '5'
+        max-size: '10m'
diff --git a/docker-compose.yml b/docker-compose.yml
index 372c2b5e..836d3d2e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -101,6 +101,18 @@ services:
       retries: 3
     depends_on:
       - keycloak-db
+  
+  mailcatcher:
+    image: sj26/mailcatcher
+    container_name: mailcatcher
+    restart: always
+    ports:
+      - '1080:1080'
+      - '1025:1025'
+    logging:
+      options:
+        max-file: '5'
+        max-size: '10m'
 
 volumes:
   letsencrypt:
diff --git a/package-lock.json b/package-lock.json
index b6d20b99..14bdf793 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -951,36 +951,6 @@
             "strip-ansi": "^7.0.1"
           }
         },
-        "string-width-cjs": {
-          "version": "npm:string-width@4.2.3",
-          "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz",
-          "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==",
-          "requires": {
-            "emoji-regex": "^8.0.0",
-            "is-fullwidth-code-point": "^3.0.0",
-            "strip-ansi": "^6.0.1"
-          },
-          "dependencies": {
-            "ansi-regex": {
-              "version": "5.0.1",
-              "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz",
-              "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ=="
-            },
-            "emoji-regex": {
-              "version": "8.0.0",
-              "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz",
-              "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A=="
-            },
-            "strip-ansi": {
-              "version": "6.0.1",
-              "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz",
-              "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==",
-              "requires": {
-                "ansi-regex": "^5.0.1"
-              }
-            }
-          }
-        },
         "strip-ansi": {
           "version": "7.1.0",
           "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.1.0.tgz",
@@ -989,21 +959,6 @@
             "ansi-regex": "^6.0.1"
           }
         },
-        "strip-ansi-cjs": {
-          "version": "npm:strip-ansi@6.0.1",
-          "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz",
-          "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==",
-          "requires": {
-            "ansi-regex": "^5.0.1"
-          },
-          "dependencies": {
-            "ansi-regex": {
-              "version": "5.0.1",
-              "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz",
-              "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ=="
-            }
-          }
-        },
         "wrap-ansi": {
           "version": "8.1.0",
           "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-8.1.0.tgz",
@@ -1013,54 +968,6 @@
             "string-width": "^5.0.1",
             "strip-ansi": "^7.0.1"
           }
-        },
-        "wrap-ansi-cjs": {
-          "version": "npm:wrap-ansi@7.0.0",
-          "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-7.0.0.tgz",
-          "integrity": "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==",
-          "requires": {
-            "ansi-styles": "^4.0.0",
-            "string-width": "^4.1.0",
-            "strip-ansi": "^6.0.0"
-          },
-          "dependencies": {
-            "ansi-regex": {
-              "version": "5.0.1",
-              "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz",
-              "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ=="
-            },
-            "ansi-styles": {
-              "version": "4.3.0",
-              "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz",
-              "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==",
-              "requires": {
-                "color-convert": "^2.0.1"
-              }
-            },
-            "emoji-regex": {
-              "version": "8.0.0",
-              "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz",
-              "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A=="
-            },
-            "string-width": {
-              "version": "4.2.3",
-              "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz",
-              "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==",
-              "requires": {
-                "emoji-regex": "^8.0.0",
-                "is-fullwidth-code-point": "^3.0.0",
-                "strip-ansi": "^6.0.1"
-              }
-            },
-            "strip-ansi": {
-              "version": "6.0.1",
-              "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz",
-              "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==",
-              "requires": {
-                "ansi-regex": "^5.0.1"
-              }
-            }
-          }
         }
       }
     },
@@ -8957,6 +8864,11 @@
       "integrity": "sha512-5GFldHPXVG/YZmFzJvKK2zDSzPKhEp0+ZR5SVaoSag9fsL5YgHbUHDfnG5494ISANDcK4KwPXAx2xqVEydmd7w==",
       "dev": true
     },
+    "nodemailer": {
+      "version": "6.9.12",
+      "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-6.9.12.tgz",
+      "integrity": "sha512-pnLo7g37Br3jXbF0bl5DekBJihm2q+3bB3l2o/B060sWmb5l+VqeScAQCBqaQ+5ezRZFzW5SciZNGdRDEbq89w=="
+    },
     "nodemon": {
       "version": "2.0.21",
       "resolved": "https://registry.npmjs.org/nodemon/-/nodemon-2.0.21.tgz",
@@ -11141,6 +11053,16 @@
         "strip-ansi": "^6.0.1"
       }
     },
+    "string-width-cjs": {
+      "version": "npm:string-width@4.2.3",
+      "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz",
+      "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==",
+      "requires": {
+        "emoji-regex": "^8.0.0",
+        "is-fullwidth-code-point": "^3.0.0",
+        "strip-ansi": "^6.0.1"
+      }
+    },
     "string.prototype.trimend": {
       "version": "1.0.6",
       "resolved": "https://registry.npmjs.org/string.prototype.trimend/-/string.prototype.trimend-1.0.6.tgz",
@@ -11174,6 +11096,14 @@
         "ansi-regex": "^5.0.1"
       }
     },
+    "strip-ansi-cjs": {
+      "version": "npm:strip-ansi@6.0.1",
+      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz",
+      "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==",
+      "requires": {
+        "ansi-regex": "^5.0.1"
+      }
+    },
     "strip-bom": {
       "version": "3.0.0",
       "resolved": "https://registry.npmjs.org/strip-bom/-/strip-bom-3.0.0.tgz",
@@ -12291,6 +12221,16 @@
         "strip-ansi": "^6.0.0"
       }
     },
+    "wrap-ansi-cjs": {
+      "version": "npm:wrap-ansi@7.0.0",
+      "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-7.0.0.tgz",
+      "integrity": "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==",
+      "requires": {
+        "ansi-styles": "^4.0.0",
+        "string-width": "^4.1.0",
+        "strip-ansi": "^6.0.0"
+      }
+    },
     "wrappy": {
       "version": "1.0.2",
       "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz",
diff --git a/package.json b/package.json
index 689b0394..9f624640 100644
--- a/package.json
+++ b/package.json
@@ -58,6 +58,7 @@
     "libxmljs": "^0.19.7",
     "mercurius": "^12.2.0",
     "node-jwk": "^0.1.0",
+    "nodemailer": "^6.9.12",
     "pg": "^8.9.0",
     "raw-body": "^2.5.2",
     "reflect-metadata": "^0.1.13",
diff --git a/src/app.module.ts b/src/app.module.ts
index e5d3b71a..06c93041 100644
--- a/src/app.module.ts
+++ b/src/app.module.ts
@@ -17,6 +17,7 @@ import { AppService } from './app.service';
 import { UsersService } from './users/users.service';
 import { AppResolver } from './app.resolver';
 import { PartnersModule } from './partners/partners.module';
+import { EmailModule } from './email/email.module';
 
 @Module({
   imports: [
@@ -37,6 +38,8 @@ import { PartnersModule } from './partners/partners.module';
       graphiql: true,
       autoSchemaFile: true,
     }),
+    PartnersModule,
+    EmailModule,
   ],
   controllers: [AppController],
   providers: [
diff --git a/src/email/email.controller.swagger.desc.ts b/src/email/email.controller.swagger.desc.ts
new file mode 100644
index 00000000..7d947a42
--- /dev/null
+++ b/src/email/email.controller.swagger.desc.ts
@@ -0,0 +1,5 @@
+export const SWAGGER_DESC_SEND_EMAIL = `Send a mail from 'no-reply@brokencrystals.com' to any other email`;
+
+export const SWAGGER_DESC_GET_EMAILS = `Get all emails on the mail server as a JSON response`;
+
+export const SWAGGER_DESC_DELTE_EMAILS = `Deletes all the emails on the mail server`;
diff --git a/src/email/email.controller.ts b/src/email/email.controller.ts
new file mode 100644
index 00000000..241b5e8d
--- /dev/null
+++ b/src/email/email.controller.ts
@@ -0,0 +1,137 @@
+import { FastifyReply } from 'fastify';
+import {
+  Controller,
+  Delete,
+  Get,
+  Header,
+  HttpStatus,
+  Logger,
+  Query,
+  Res,
+} from '@nestjs/common';
+import { ApiOperation, ApiQuery, ApiTags } from '@nestjs/swagger';
+import { EmailService } from './email.service';
+import {
+  SWAGGER_DESC_DELTE_EMAILS,
+  SWAGGER_DESC_GET_EMAILS,
+  SWAGGER_DESC_SEND_EMAIL,
+} from './email.controller.swagger.desc';
+import splitUriIntoParamsPPVulnerable from '../utils/url';
+import { boolean } from 'webidl-conversions';
+
+@Controller('/api/email')
+@ApiTags('Emails controller')
+export class EmailController {
+  private readonly logger = new Logger(EmailController.name);
+
+  constructor(private emailService: EmailService) {}
+
+  readonly BC_EMAIL_ADDRESS = 'no-reply@brokencrystals.com';
+
+  @Get('/sendSupportEmail')
+  @ApiQuery({
+    name: 'name',
+    example: 'Bob Dylan',
+    required: true,
+  })
+  @ApiQuery({
+    name: 'to',
+    example: 'username@email.com',
+    required: true,
+  })
+  @ApiQuery({
+    name: 'subject',
+    example: 'Help Request',
+    required: true,
+  })
+  @ApiQuery({
+    name: 'content',
+    example: 'I would like to request help regarding..',
+    required: true,
+  })
+  @ApiOperation({
+    description: SWAGGER_DESC_SEND_EMAIL,
+  })
+  @Header('Content-Type', 'application/json')
+  async sendSupportEmail(
+    @Query('name') name: string,
+    @Query('to') to: string,
+    @Query('subject') subject: string,
+    @Query('content') content: string,
+    @Query() query,
+    @Res({ passthrough: true }) res: FastifyReply,
+  ) {
+    this.logger.log('Sending a support Email');
+
+    // This is defined here intentionally so we don't override responseJson.status after the prototype pollution has occurred
+    let responseJson = {
+      message: {},
+      status: HttpStatus.OK,
+    };
+
+    // "Accidentally" forgot this here while coding... Oops.
+    // A server side prototype pollution can be found in the `name` param
+    // You can create a fake `status` variable and return a tempered response
+    let rawQuery = '';
+    for (const queryKey of Object.keys(query)) {
+      if (query[queryKey].includes('proto')) {
+        rawQuery += `&${queryKey}=${query[queryKey]}`;
+      } else {
+        rawQuery += encodeURI(`&${queryKey}=${query[queryKey]}`);
+      }
+    }
+    // Remove the inital '&'
+    rawQuery = `?${rawQuery.substring(1)}`;
+    this.logger.debug(`Raw query ${rawQuery}`);
+
+    // "Use" the status code
+    let uriParams: any = splitUriIntoParamsPPVulnerable(rawQuery);
+    if (uriParams?.status) {
+      responseJson.status = uriParams.status;
+    }
+
+    const mailSubject = `Support email regarding "${subject}"`;
+    const mailBody = `Hi ${name},\nWe recieved your email and just wanted to let you know we're on it!\n\nYour original inquiry was:\n**********************\n${content}\n**********************`;
+    let didSucceed = await this.emailService.sendRawEmail(
+      this.BC_EMAIL_ADDRESS,
+      to,
+      mailSubject,
+      mailBody,
+    );
+
+    if (didSucceed) {
+      responseJson.message = `Email sent to "${name} <${to}>" successfully`;
+      res.status(HttpStatus.OK);
+    } else {
+      responseJson.message = `Failed sending a support email. Or your exploit just ain't cutting it... Level up.`;
+      res.status(HttpStatus.INTERNAL_SERVER_ERROR);
+    }
+
+    return JSON.stringify(responseJson);
+  }
+
+  @Get('/getEmails')
+  @ApiOperation({
+    description: SWAGGER_DESC_GET_EMAILS,
+  })
+  @ApiQuery({
+    name: 'withSource',
+    example: 'true',
+    required: true,
+  })
+  async getEmails(@Query('withSource') withSource: any) {
+    withSource = withSource === 'true';
+    
+    this.logger.log(`Getting Emails (withSource=${withSource})`);
+    return await this.emailService.getEmails(withSource);
+  }
+
+  @Delete('/deleteEmails')
+  @ApiOperation({
+    description: SWAGGER_DESC_DELTE_EMAILS,
+  })
+  async deleteEmails() {
+    this.logger.log('Deleting Emails');
+    return await this.emailService.deleteEmails();
+  }
+}
diff --git a/src/email/email.module.ts b/src/email/email.module.ts
new file mode 100644
index 00000000..e0ed64b5
--- /dev/null
+++ b/src/email/email.module.ts
@@ -0,0 +1,10 @@
+import { Module } from '@nestjs/common';
+import { EmailController } from './email.controller';
+import { EmailService } from './email.service';
+
+@Module({
+  imports: [],
+  controllers: [EmailController],
+  providers: [EmailService],
+})
+export class EmailModule {}
diff --git a/src/email/email.service.ts b/src/email/email.service.ts
new file mode 100644
index 00000000..03a934d8
--- /dev/null
+++ b/src/email/email.service.ts
@@ -0,0 +1,179 @@
+const axios = require('axios');
+
+import { HttpStatus, Injectable, Logger } from '@nestjs/common';
+import { forEach } from 'lodash';
+import { json } from 'sequelize';
+const nodemailer = require('nodemailer');
+
+@Injectable()
+export class EmailService {
+  private readonly logger = new Logger(EmailService.name);
+
+  private readonly smtpServerDetails = {
+    host: 'mailcatcher',
+    port: 1025,
+    secure: false,
+    auth: {
+      user: 'mailcatcher',
+      pass: 'mailcatcher',
+    },
+  };
+
+  private readonly transporter = nodemailer.createTransport(
+    this.smtpServerDetails,
+  );
+
+  private readonly MAIL_CATCHER_MESSAGES_URL =
+    'http://mailcatcher:1080/messages';
+
+  async sendRawEmail(
+    from: string,
+    to: string,
+    subject: string,
+    body: string,
+  ): Promise<boolean> {
+    this.logger.debug(`Sending mail from "${from}" to "${to}"`);
+    this.logger.debug(
+      `Mail subject is (trimmed): "${subject.substring(0, 64)}"`,
+    );
+    this.logger.debug(`Mail body is (trimmed): "${body.substring(0, 64)}"`);
+
+    const mailOptions = this.createMailOptionsForEmailInjetion(
+      from,
+      to,
+      subject,
+      body,
+    );
+
+    let response = await this.transporter.sendMail(mailOptions);
+
+    if (response.err) {
+      this.logger.debug(`Failed sending email. Error: ${response.err}`);
+      return false;
+    }
+
+    this.logger.debug(`Email sent successfully!`);
+    return true;
+  }
+
+  private createMailOptionsForEmailInjetion(
+    from: string,
+    to: string,
+    subject: string,
+    body: string,
+  ) {
+    to = to.replace('\n', '%0A');
+    this.logger.debug(`Creating vulnerable mailOptions. "to" param is: ${to}`);
+
+    let parsedSubject: any = subject;
+    let parsedFrom: any = from;
+    let parsedTo: any = to;
+    let parsedCc: any = [];
+    let parsedBcc: any = [];
+
+    // This is intentional to support email injection
+    if (
+      to.toLowerCase().includes('%0a') ||
+      to.toLowerCase().includes('%0d%0a')
+    ) {
+      parsedSubject = /Subject:(.+?)(?=%0A)/i.exec(to);
+      parsedSubject = parsedSubject ? parsedSubject[1] : subject;
+
+      parsedFrom = /From:(.+?)(?=%0A)/i.exec(to);
+      parsedFrom = parsedFrom ? parsedFrom[1] : from;
+
+      parsedTo = /(.+?)(?=%0A)/i.exec(to);
+      parsedTo = parsedTo ? parsedTo[1] : to;
+
+      parsedCc = /Cc:(.+?)(?=%0A)/i.exec(to) || /Cc:(.*)/i.exec(to);
+      parsedCc = parsedCc ? parsedCc[1] : null;
+
+      parsedBcc = /Bcc:(.+?)(?=%0A)/i.exec(to) || /Bcc:(.*)/i.exec(to);
+      parsedBcc = parsedBcc ? parsedBcc[1] : null;
+    }
+
+    this.logger.debug(
+      `parsedFrom: ${parsedFrom} | parsedTo: ${parsedTo} | parsedCc: ${parsedCc} | parsedBcc: ${parsedBcc}`,
+    );
+
+    // Build final raw email
+    let rawContent = '';
+    if (parsedSubject) {
+      rawContent += `Subject: ${parsedSubject}\n`;
+    }
+    if (parsedFrom) {
+      rawContent += `From: ${parsedFrom}\n`;
+    }
+    if (parsedTo) {
+      rawContent += `To: ${parsedTo}\n`;
+    }
+    if (parsedCc) {
+      rawContent += `Cc: ${parsedCc}\n`;
+    }
+    if (parsedBcc) {
+      rawContent += `Bcc: ${parsedBcc}\n`;
+    }
+
+    rawContent += `\n${body}\n`;
+
+    let mailOptions = {
+      envelope: {
+        from: parsedFrom,
+        to: parsedTo,
+        cc: parsedCc ? [parsedCc] : [],
+        bcc: parsedCc ? [parsedCc] : [],
+      },
+      raw: rawContent,
+    };
+
+    return mailOptions;
+  }
+
+  async getEmails(withSource): Promise<json> {
+    this.logger.debug(`Fetching all emails from MailCatcher`);
+
+    let emails = await axios
+      .get(this.MAIL_CATCHER_MESSAGES_URL)
+      .then((res) =>
+        res.status == HttpStatus.OK
+          ? res.data
+          : { error: 'Failed to get emails' },
+      );
+
+    if (withSource) {
+      this.logger.debug(`Fetching sources of Emails`);
+      for (let email of emails) {
+        email['source'] = await this.getEmailSource(email['id']);
+      }
+    }
+
+    return emails;
+  }
+
+  private async getEmailSource(emailId): Promise<string> {
+    let sourceUrl = `${this.MAIL_CATCHER_MESSAGES_URL}/${emailId}.source`;
+
+    return await axios
+      .get(sourceUrl)
+      .then((res) =>
+        res.status == HttpStatus.OK
+          ? res.data
+          : { error: 'Failed to get emails' },
+      )
+      .catch((err) =>
+        this.logger.debug(
+          `Failed to fetch email source with id ${emailId} via "${sourceUrl}". Error: ${err}`,
+        ),
+      );
+  }
+
+  async deleteEmails(): Promise<Boolean> {
+    this.logger.debug(`Deleting all emails from MailCatcher`);
+
+    return await axios
+      .get(this.MAIL_CATCHER_MESSAGES_URL, {
+        method: 'DELETE',
+      })
+      .then((res) => res.status == HttpStatus.OK);
+  }
+}
diff --git a/src/main.ts b/src/main.ts
index ea86fd5f..ed440724 100644
--- a/src/main.ts
+++ b/src/main.ts
@@ -210,6 +210,8 @@ async function bootstrap() {
 
   * [Partners](#/Partners%20controller) — operations with partners
 
+  * [Emails](#/Emails%20controller) — operations with emails
+
 
   `,
     )
diff --git a/src/utils/url.ts b/src/utils/url.ts
new file mode 100644
index 00000000..c09825b6
--- /dev/null
+++ b/src/utils/url.ts
@@ -0,0 +1,76 @@
+// Taken from PortSwigger's prototype pollution labs
+// VULNERABLE TO PROTOTYPE POLLUTION!
+var splitUriIntoParamsPPVulnerable = (params, coerce=undefined) => {
+  if (params.charAt(0) === '?') {
+    params = params.substring(1);
+  }
+
+  var obj = {},
+    coerce_types = { true: !0, false: !1, null: null };
+
+  if (!params) {
+    return obj;
+  }
+
+  params
+    .replace(/\+/g, ' ')
+    .split('&')
+    .forEach(function (v) {
+      var param = v.split('='),
+        key = decodeURIComponent(param[0]),
+        val,
+        cur = obj,
+        i = 0,
+        keys = key.split(']['),
+        keys_last = keys.length - 1;
+
+      if (/\[/.test(keys[0]) && /\]$/.test(keys[keys_last])) {
+        keys[keys_last] = keys[keys_last].replace(/\]$/, '');
+        keys = keys.shift().split('[').concat(keys);
+        keys_last = keys.length - 1;
+      } else {
+        keys_last = 0;
+      }
+
+      if (param.length === 2) {
+        val = decodeURIComponent(param[1]);
+
+        if (coerce) {
+          val =
+            val && !isNaN(val) && +val + '' === val
+              ? +val // number
+              : val === 'undefined'
+              ? undefined // undefined
+              : coerce_types[val] !== undefined
+              ? coerce_types[val] // true, false, null
+              : val; // string
+        }
+
+        if (keys_last) {
+          for (; i <= keys_last; i++) {
+            //@ts-ignore
+            key = keys[i] === '' ? cur.length : keys[i];
+            cur = cur[key] =
+              i < keys_last
+                ? //@ts-ignore
+                  cur[key] || (keys[i + 1] && isNaN(keys[i + 1]) ? {} : [])
+                : val;
+          }
+        } else {
+          if (Object.prototype.toString.call(obj[key]) === '[object Array]') {
+            obj[key].push(val);
+          } else if ({}.hasOwnProperty.call(obj, key)) {
+            obj[key] = [obj[key], val];
+          } else {
+            obj[key] = val;
+          }
+        }
+      } else if (key) {
+        obj[key] = coerce ? undefined : '';
+      }
+    });
+
+  return obj;
+};
+
+export default splitUriIntoParamsPPVulnerable;