Improper Neutralization of Special Elements used in a Command

ID

scala.smtp.scala_smtp_rule_smtpclient

Severity

high

Resource

Smtp

Language

Scala

Description

Simple Mail Transfer Protocol (SMTP) is the text-based protocol used for email delivery. As with HTTP, headers are separated by newline sequences. If user input is placed in a header line, the application should remove or replace the newline characters (CR / LF), otherwise an attacker can terminate the header and inject additional headers or body content. You should use a safe wrapper such as Apache Commons Email or Simple Java Mail, which filter the special characters that can lead to header injection.

Rationale

Simple Mail Transfer Protocol (SMTP) is the text-based protocol used for email delivery. As with HTTP, headers are separated by newline sequences. If user input is placed in a header line, the application should remove or replace the newline characters (CR / LF), otherwise an attacker can terminate the header and inject additional headers or body content. You should use a safe wrapper such as Apache Commons Email or Simple Java Mail, which filter the special characters that can lead to header injection.

The following code illustrates a vulnerable pattern detected by this rule:

  import java.util.Properties
  import javax.activation.FileDataSource
  import javax.mail.{Authenticator, Message, Session, Transport}
  import javax.mail.internet.{InternetAddress, MimeMessage}

  // input1 .. input6 are untrusted values (for example, HTTP request parameters)
  // that reach the mail APIs without any CR / LF filtering.
  def sendMail(input1: String, input2: String, input3: String,
               input4: String, input5: String, input6: String): Unit = {
    val props = new Properties()
    props.put("mail.smtp.auth", "true")
    props.put("mail.smtp.starttls.enable", "true")
    props.put("mail.smtp.host", "smtp.gmail.com")
    props.put("mail.smtp.port", "587")
    val session = Session.getInstance(props, new Authenticator() {})
    val message = new MimeMessage(session)
    message.setFrom(new InternetAddress("source@gmail.com"))
    // A recipient is required for Transport.send to succeed
    message.setRecipients(Message.RecipientType.TO, "dest@example.com")
    // VULNERABLE: Improper Neutralization of Special Elements used in a Command
    message.setSubject(input1) // Injectable API

    // VULNERABLE: Improper Neutralization of Special Elements used in a Command
    message.addHeader("ABC", input2) // Injectable API (value parameter)

    // VULNERABLE: Improper Neutralization of Special Elements used in a Command
    message.addHeader(input3, "aa") // Injectable API (key parameter)

    // VULNERABLE: Improper Neutralization of Special Elements used in a Command
    message.setDescription(input4)
    // VULNERABLE: Improper Neutralization of Special Elements used in a Command
    message.setDisposition(input5)
    message.setText("This is just a test 2.")
    Transport.send(message)
    // Unrelated to header injection, but also flagged: unvalidated path segment
    new FileDataSource("/path/traversal/here/" + input6)
    println("Done")
  }
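As an added example (not code from the rule page), the hardened counterpart of the snippet above: every untrusted value is checked for CR / LF before it reaches the injectable `setSubject` / `addHeader` calls, and header names are restricted to the RFC 5322 field-name alphabet. It assumes JavaMail's `javax.mail` API and a `Session` configured as in the snippet; the object and method names are illustrative.

```scala
import javax.mail.{Message, Session, Transport}
import javax.mail.internet.{InternetAddress, MimeMessage}

object SafeMailer {
  // Characters that would end the current header line (or the header block).
  private val Forbidden: Set[Char] = Set('\r', '\n', '\u0000')

  // RFC 5322 field names: printable US-ASCII (0x21-0x7E) excluding ':' (0x3A).
  private val HeaderName = "^[\\x21-\\x39\\x3B-\\x7E]+$".r

  // Reject rather than strip: silently rewriting a value hides the attack
  // attempt and can still produce a header the author did not intend.
  def requireSingleLine(name: String, value: String): String = {
    if (value.exists(Forbidden.contains))
      throw new IllegalArgumentException(s"header '$name' must not contain CR/LF/NUL")
    value
  }

  def requireHeaderName(name: String): String = {
    if (!HeaderName.pattern.matcher(name).matches())
      throw new IllegalArgumentException("invalid header field name")
    name
  }

  // subject, extraName and extraValue are untrusted; they are validated before
  // being passed to the APIs the rule flags.
  def send(session: Session, subject: String, extraName: String, extraValue: String): Unit = {
    val message = new MimeMessage(session)
    message.setFrom(new InternetAddress("source@example.com"))
    message.setRecipients(Message.RecipientType.TO, "dest@example.com")
    message.setSubject(requireSingleLine("Subject", subject))
    val name = requireHeaderName(extraName)
    message.addHeader(name, requireSingleLine(name, extraValue))
    message.setText("This is just a test.")
    Transport.send(message)
  }
}
```

A value such as `"Hello\r\nBcc: victim@example.com"` is rejected by `requireSingleLine` before `setSubject` is called, so the injected `Bcc` line never reaches the SMTP transport.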

Remediation

Follow secure coding practices and review the references below for detailed remediation guidance.

Configuration

This detector does not need any configuration.

References