
This code:

    import javax.mail.Message;
    import javax.mail.internet.InternetAddress;

    // message, lMessage and getAdrs(...) are defined elsewhere in the enclosing class
    InternetAddress[] myAdrs = getAdrs(message.getToAddresses());
    for (int i = 0; i < myAdrs.length; i++) {
        String s = myAdrs[i].getAddress();
        // strip raw and URL-encoded CR/LF before building the address
        s = s.replace("\r", "").replace("\n", "")
             .replace("%0A", "").replace("%0a", "")
             .replace("%0D", "").replace("%0d", "");
        InternetAddress adr = new InternetAddress(s, false);
        // --> Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE ID 93)
        lMessage.addRecipient(Message.RecipientType.TO, adr);
    }

still gives me the CWE ID 93, although I removed any unwanted strings in s with s = s.replace(\r.... In the examples I found on the web, s = s.replace should be the solution, but I still have this flaw? What do I miss? Any hints would be very much appreciated!

Dan
  • Recent versions of JavaMail should protect against CRLF injection in addresses. Have you tested this to determine that CRLF injection is actually possible? Or is this just a false positive from some static analysis tool? – Bill Shannon Nov 28 '17 at 20:16
  • Thanks for the reply. Yes, I think it is a "false positive", as I cannot insert any InternetAddress[] with CRLFs. And anyway - if there were any, I would remove them in the code.... So everything should be fine? But since the client "sees" this report, it would be very good to have the flaw eliminated! Any hint how to get rid of this flaw definitively? – Dan Nov 30 '17 at 11:10
  • No idea. What tool are you using to detect these flaws? Maybe its rules are based on old versions of JavaMail? – Bill Shannon Nov 30 '17 at 22:47

1 Answer

I have faced such situations when Veracode doesn't accept handmade solutions like the usage of StringEscapeUtils and simple replace methods. Try the ESAPI library. Veracode usually accepts ESAPI as a trusted tool to defeat vulnerabilities. For example:

    import org.owasp.esapi.ESAPI;
    import org.owasp.esapi.errors.ValidationException;
    import javax.mail.internet.InternetAddress;

    // getValidInput(context, input, type, maxLength, allowNull) throws
    // ValidationException when the input does not match the "Email" rule,
    // so the caller needs to handle it
    String s = ESAPI.validator().getValidInput("User Email", myAdrs[i].getAddress(), "Email", 255, true);
    InternetAddress adr = new InternetAddress(s, false);

And put a regex to test your email into validation.properties (or another file you specify in the ESAPI.properties file as Validator.ConfigurationFile=validation.properties) as the Validator.Email property. For example:

    Validator.Email=^[A-Za-z0-9._%'-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,6}$

Vitaliy Borisok
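The difference between the question's replace chain and the answer's ESAPI call is blocklist versus allow-list: the replace chain removes the CR/LF spellings it happens to enumerate, while getValidInput accepts only input that matches the Validator.Email regex and rejects everything else. The following is an added example, not the questioner's or the answerer's code; it reimplements the allow-list check with plain java.util.regex and the answer's regex so it runs without ESAPI or JavaMail on the classpath. EmailValidationException is a hypothetical stand-in for ESAPI's ValidationException, and the sample addresses are constructed.

```java
import java.util.List;
import java.util.regex.Pattern;

public class EmailAllowList {

    // Same regex as the answer's Validator.Email line. The doubled backslash
    // is needed in both a Java string literal and a .properties file.
    private static final Pattern EMAIL =
        Pattern.compile("^[A-Za-z0-9._%'-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,6}$");
    private static final int MAX_LENGTH = 255;

    /** Hypothetical stand-in for org.owasp.esapi.errors.ValidationException. */
    public static class EmailValidationException extends Exception {
        public EmailValidationException(String msg) { super(msg); }
    }

    /** Blocklist approach from the question: strips the CR/LF spellings it knows about. */
    public static String stripCrlf(String s) {
        return s.replace("\r", "").replace("\n", "")
                .replace("%0A", "").replace("%0a", "")
                .replace("%0D", "").replace("%0d", "");
    }

    /**
     * Allow-list approach from the answer, mirroring the shape of
     * ESAPI.validator().getValidInput(context, input, type, maxLength, allowNull):
     * accept only what matches the rule, reject everything else.
     */
    public static String getValidEmail(String context, String input)
            throws EmailValidationException {
        if (input == null || input.length() > MAX_LENGTH) {
            throw new EmailValidationException(context + ": missing or longer than " + MAX_LENGTH);
        }
        // matches() requires the whole input to match, so a trailing line
        // terminator is rejected even though "$" alone would tolerate it
        if (!EMAIL.matcher(input).matches()) {
            throw new EmailValidationException(context + ": does not match the email allow-list");
        }
        return input;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one clean address, then addresses carrying
        // a line break in spellings the blocklist covers and one it does not
        List<String> samples = List.of(
            "alice@example.com",
            "alice@example.com\r\nsecond line",
            "alice@example.com%0Asecond line",
            "alice@example.com\n",
            "alice@example.com\u0085second line"   // NEL (U+0085), not in the blocklist
        );
        for (String s : samples) {
            String stripped = stripCrlf(s);
            String verdict;
            try {
                getValidEmail("User Email", s);
                verdict = "ACCEPTED";
            } catch (EmailValidationException e) {
                verdict = "REJECTED (" + e.getMessage() + ")";
            }
            System.out.printf("input=%s%n  after blocklist strip=%s%n  allow-list verdict=%s%n%n",
                show(s), show(stripped), verdict);
        }
    }

    // Make control characters visible in the printout.
    private static String show(String s) {
        return s.replace("\r", "\\r").replace("\n", "\\n").replace("\u0085", "\\u0085");
    }
}
```

Running it shows why a scanner keeps flagging the replace chain: after stripping, the second and fourth inputs become addresses with embedded text or spaces that the blocklist did not reject, and the NEL variant passes through untouched, whereas the allow-list check rejects all four non-clean inputs without having to enumerate any separator. That is also why the answer routes the address through the validator before constructing the InternetAddress rather than after.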