SV.EMAIL
Unchecked e-mail
This error is detected when unchecked user input is used for email addresses or other parts of emails.
As of release 2023.2, this checker supports Jakarta EE.
Vulnerability and risk
Email addresses are a very common input field for web applications. In some cases these email addresses are used by the application to send email to users or to display email addresses on the web site. Email addresses, like all other user input, are vulnerable to attack via malicious content. For example, an application may send email to a user by invoking the sendmail command directly, using the e-mail string stored for the user. This string, if used unchecked, can contain arbitrary commands that would be run along with sendmail on the application host (thus causing a command injection vulnerability). Also, malicious users can use your web server to send "spam" emails or emails with unwanted content.
Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or has the potential for introducing human error.
Mitigation and prevention
Prevent e-mail injection attacks from user input by validating any and all input from outside the application (user input, file input, system parameters, etc.). Validation should include length and content. Typically only alphanumeric characters are needed (i.e., A-Za-z, 0-9), but for e-mail addresses '@' and possibly underscores would be acceptable. Any other accepted characters should be escaped. Perform validation at each source of data, such as when each parameter is read from the HTTP request.
Vulnerable code example 1
import javax.servlet.http.*;
import javax.mail.internet.*;
protected void doPost(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
try {
// Get system properties
Properties props = System.getProperties();
// Setup mail server
props.put("mail.smtp.host", "my.company.com");
// Get session
Session session = Session.getDefaultInstance(props, null);
// Define message
MimeMessage message = new MimeMessage(session);
message.setFrom(new InternetAddress("admin@my.company.com"));
final String email = req.getParameter("email");
Address addr = new InternetAddress(email);
message.setRecipient(Message.RecipientType.TO, addr);
message.setSubject(subject);
message.setText(text);
// Send message
Transport.send(message);
} catch (AddressException e) {
throw new ServletException(e);
} catch (MessagingException e) {
throw new ServletException(e);
}
}
Klocwork reports an SV.EMAIL defect for line 16, indicating: unvalidated user input is stored in 'email' (line 14), which is used to create address object 'addr' (line 15) that is then used as a recipient's address on line 16.
Vulnerable code example 2
import jakarta.servlet.http.*;
import jakarta.mail.internet.*;
protected void doPost(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
try {
// Get system properties
Properties props = System.getProperties();
// Setup mail server
props.put("mail.smtp.host", "my.company.com");
// Get session
Session session = Session.getDefaultInstance(props, null);
// Define message
MimeMessage message = new MimeMessage(session);
message.setFrom(new InternetAddress("admin@my.company.com"));
final String email = req.getParameter("email");
Address addr = new InternetAddress(email);
message.setRecipient(Message.RecipientType.TO, addr);
message.setSubject(subject);
message.setText(text);
// Send message
Transport.send(message);
} catch (AddressException e) {
throw new ServletException(e);
} catch (MessagingException e) {
throw new ServletException(e);
}
}
Klocwork reports an SV.EMAIL defect for line 16, indicating: unvalidated user input is stored in 'email' (line 14), which is used to create address object 'addr' (line 15) that is then used as a recipient's address on line 16.
External guidance
Security training
Application security training materials provided by Secure Code Warrior.
Extension
This checker can be extended through the Klocwork knowledge base. See Tuning Java analysis for more information.