REPRO-2026-00128 | HIGH | DoS | Verified
Haraka Mail Server DoS via __proto__ prototype pollution in email headers
npm/Haraka (github), Apr 4, 2026
What's the vulnerability? DoS via unsafe header key handling leading to an uncaught exception.
# Root Cause Analysis: CVE-2026-34752
## Summary
CVE-2026-34752 is a Denial of Service vulnerability in the haraka-email-message library (v1.2.0 and earlier). The vulnerability occurs in the `Header.parse()` method when processing email headers whose key is `__proto__`. Because headers are stored in a plain object and looked up with `this.headers[key]`, `this.headers['__proto__']` resolves through the prototype chain to `Object.prototype` instead of to a fresh array. The subsequent `this.headers[key][method](value)` call (where method is "push") therefore fails with a TypeError, since `Object.prototype.push` is not a function. This uncaught exception can crash the entire application.
## Impact
- **Package**: haraka-email-message
- **Affected Versions**: 1.2.0 and earlier (bundled with Haraka@3.1.3)
- **Fixed Versions**: 1.3.2 (latest as of March 2026)
- **Risk Level**: High
- **Consequences**:
  - Application crash/DoS via prototype pollution
  - Uncaught TypeError terminates the Node.js process
  - In the Haraka SMTP server context: single-process mode causes a full server crash, cluster mode kills worker processes
## Root Cause
The vulnerability exists in `lib/header.js` (in v1.2.0 bundled in `index.js`) in the `_add_header()` function at lines 150-151:
```javascript
_add_header (key, value, method) {
  // Plain-object lookup: for key === '__proto__' this yields Object.prototype,
  // which is truthy, so the `|| []` fallback never runs.
  this.headers[key] = this.headers[key] || [];
  // Object.prototype has no push(), so this throws an uncaught TypeError.
  this.headers[key][method](value);
}
```
When `key` is `__proto__`:
1. `this.headers['__proto__']` returns `Object.prototype` (the object's prototype chain)
2. `Object.prototype` is truthy, so the `|| []` short-circuit is not executed
3. `this.headers['__proto__']` evaluates to `Object.prototype`
4. `Object.prototype['push'](value)` is called, but `Object.prototype.push` is `undefined`/not a function
5. TypeError is thrown: "this.headers[key][method] is not a function"
The `Header.parse()` method calls `_add_header(key, val, "push")` for every header line it parses, so a single crafted header in an incoming message is enough to reach the faulty code path.
**Fix**: The patched version uses `Object.create(null)` for the headers object or validates/sanitizes header keys to prevent prototype pollution.
## Reproduction Steps
The reproduction script `repro/reproduction_steps.sh`:
1. Installs the vulnerable haraka-email-message@1.2.0 package
2. Creates a Node.js harness that imports the library
3. First tests normal headers to confirm baseline functionality
4. Then tests malicious headers containing `__proto__: crash`
5. Confirms the TypeError is thrown as expected
**Execution**:
```bash
./repro/reproduction_steps.sh
```
**Expected Evidence**:
- Normal headers parse successfully
- Malicious headers with `__proto__` key cause TypeError: "this.headers[key][method] is not a function"
- Crash evidence saved to `artifacts/crash_evidence.json`
## Evidence
**Log Files**:
- `logs/npm_install.log` - Package installation log
- `logs/exploit.log` - Exploit execution log showing the crash
**Key Excerpt from exploit.log**:
```
[+] Test 2: Parsing malicious headers with __proto__ key...
[+] This triggers the prototype pollution vulnerability in _add_header()
[+] CRASH CONFIRMED!
[+] Error type: TypeError
[+] Error message: this.headers[key][method] is not a function
[+] This matches the expected vulnerability behavior
```
**Crash Evidence** (artifacts/crash_evidence.json):
```json
{
  "vulnerability": "CVE-2026-34752",
  "library": "haraka-email-message",
  "version": "1.2.0",
  "entrypoint": "Header.parse()",
  "trigger": "__proto__ header key",
  "error": {
    "type": "TypeError",
    "message": "this.headers[key][method] is not a function"
  }
}
```
**Environment**:
- Node.js version: v18.x (from container)
- Library version: haraka-email-message@1.2.0
- OS: Linux (container environment)
## Recommendations / Next Steps
**Fix Approach**:
1. Use `Object.create(null)` instead of `{}` for the `this.headers` object to create a prototype-less object
2. Sanitize all header keys to reject or escape `__proto__`, `constructor`, and `prototype` keys
3. Use a Map instead of plain objects for header storage
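The following is an added example (not code from haraka-email-message or Haraka) that puts the vulnerable `_add_header()` pattern from the Root Cause section beside a hardened store using fix approach 1 (`Object.create(null)`); the `parseHeaders()` helper, the lowercasing of keys, and the sample header text are this example's own assumptions.

```javascript
// Added example, not code from haraka-email-message: a minimal header store
// showing the vulnerable _add_header() pattern beside a hardened version.

// Vulnerable: `{}` inherits from Object.prototype, so headers['__proto__']
// resolves to Object.prototype (truthy), `|| []` never runs, and
// Object.prototype.push is not a function -> uncaught TypeError.
class VulnerableHeaders {
  constructor() { this.headers = {}; }
  _add_header(key, value, method) {
    this.headers[key] = this.headers[key] || [];
    this.headers[key][method](value);
  }
}

// Hardened: a prototype-less store, so every key (including '__proto__')
// is an ordinary own property, plus an explicit own-property check.
class HardenedHeaders {
  constructor() { this.headers = Object.create(null); }
  _add_header(key, value, method) {
    if (!Object.prototype.hasOwnProperty.call(this.headers, key)) {
      this.headers[key] = [];
    }
    this.headers[key][method](value);
  }
  get(key) { return this.headers[key] || []; }
}

// Feed "Key: value" lines (the shape Header.parse() consumes) into a store;
// lowercasing keys is this example's assumption. Throws whatever the store throws.
function parseHeaders(rawHeaders, store) {
  for (const line of rawHeaders.split(/\r?\n/)) {
    const m = /^([^:\s]+):\s*(.*)$/.exec(line);
    if (!m) continue;
    store._add_header(m[1].toLowerCase(), m[2], 'push');
  }
  return store;
}

// Constructed sample: a benign header followed by the hostile key.
const SAMPLE = 'Subject: hello\r\n__proto__: crash\r\nX-Test: 1';

// Classify how a store handles the sample: 'ok' or 'crash:<ErrorName>'.
function outcome(store) {
  try { parseHeaders(SAMPLE, store); return 'ok'; }
  catch (e) { return `crash:${e.constructor.name}`; }
}
```

With the hardened store, `__proto__` becomes an ordinary own key holding `['crash']`, and the prototype of `headers` stays `null`, so the same input that crashes `VulnerableHeaders` is simply stored as data.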
**Upgrade Guidance**:
- Upgrade to haraka-email-message@1.3.2 or later
- If using Haraka SMTP server, upgrade to v3.1.4 or later which includes the patched library
**Testing Recommendations**:
1. Add unit tests for prototype pollution attempts in header parsing
2. Test with malicious header keys: `__proto__`, `constructor`, `prototype`
3. Implement input validation for all user-controlled data that becomes object keys
## Additional Notes
**Idempotency**: The reproduction script is fully idempotent. It creates a fresh test directory `/tmp/haraka_lib_test` each run and cleans up after itself.
**Edge Cases Tested**:
- Normal email headers: Parse successfully
- Malicious `__proto__` header: Confirmed crash
**Limitations**:
- The reproduction demonstrates the library-level vulnerability in isolation
- In a real Haraka SMTP server deployment, the exploit would require sending an actual email via SMTP with the malicious header
- The impact in production depends on process configuration (single vs cluster mode)
One Command: Verify with pruva-verify
Run the Pruva CLI to automatically fetch and execute the reproduction script:
```bash
pruva-verify REPRO-2026-00128
```
or
```bash
pruva-verify CVE-2026-34752
```
Install:
```bash
curl -fsSL https://pruva.dev/install.sh | sh
```
Or Run Manually
1. Download the script: `curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00128/artifacts/reproduction_steps.sh`
2. Make it executable: `chmod +x reproduction_steps.sh`
3. Run the script: `./reproduction_steps.sh`
Run in a VM, container, or disposable environment. This exploits a real vulnerability.