fix: some security vulnerabilities (#4143)

## About the changes
This should address:
https://github.com/Unleash/unleash/security/code-scanning/1,
https://github.com/Unleash/unleash/security/code-scanning/49 and
https://github.com/Unleash/unleash/security/code-scanning/52

Refs:
-
https://securitylab.github.com/research/github-actions-untrusted-input/
-
https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
- https://datatracker.ietf.org/doc/html/rfc5321#section-4.5.3.1.1

---------

Co-authored-by: Christopher Kolstad <chriswk@getunleash.ai>

.github/workflows/notify_enterprise.yaml

@@ -24,12 +24,6 @@ jobs:
 
     steps:
       - uses: actions/checkout@v3
-      - run: |
-          echo "github.event.head_commit.committer.name: ${{ github.event.head_commit.committer.name }}"
-          echo "github.event.head_commit.committer.email: ${{ github.event.head_commit.committer.email }}"
-          echo "github.actor: ${{ github.actor }}"
-          echo "github.event.commits[0].author.name ${{ github.event.commits[0].author.name }}"
-          echo "github.event.commits[0].author.email ${{ github.event.commits[0].author.email }}"
       - name: Trigger sync
         uses: actions/github-script@v6
         with:

src/lib/util/is-email.ts

@@ -5,11 +5,19 @@ const matcher =
 
 /**
  * Loosely validate an email address.
+ * Max length of an email address is 320 characters: 64 for the local part + 1 for the @ +
+ * 255 for the domain part.
+ * See https://datatracker.ietf.org/doc/html/rfc5321#section-4.5.3.1.1
+ *
+ * Being a bit extra cautious here and limiting the max length to 500 characters, which prevents
+ * [Regular expression Denial of Service - ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) attacks
+ * due to polynomial regular expression used on uncontrolled data.
  *
  * @param {string} string
  * @return {boolean}
  */
 function isEmail(value: string): boolean {
+    if (value.length > 500) return false;
     return matcher.test(value);
 }