SV.EMAIL

Unchecked e-mail

This error is detected when unchecked user input is used for email addresses or other parts of emails.

As of release 2023.2, this checker supports Jakarta EE.

Vulnerability and risk

Email addresses are a very common input field for web applications. In some cases these email addresses are used by the application to send email to users or to display email addresses on the web site. Email addresses, like all other user input, are vulnerable to attack via malicious content. For example, an application may send email to a user by invoking the sendmail command directly, using the e-mail string stored for the user. This string, if used unchecked, can contain arbitrary commands that would be run along with sendmail on the application host (thus causing a command injection vulnerability). Also, malicious users can use your web server to send "spam" emails or emails with unwanted content.

Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or has the potential for introducing human error.

Mitigation and prevention

Prevent e-mail injection attacks from user input by validating any and all input from outside the application (user input, file input, system parameters, etc.). Validation should include length and content. Typically only alphanumeric characters are needed (i.e., A-Za-z, 0-9), but for e-mail addresses '@' and possibly underscores would be acceptable. Any other accepted characters should be escaped. Perform validation at each source of data, such as when each parameter is read from the HTTP request.

Vulnerable code example 1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
     import javax.servlet.http.*;
     import javax.mail.internet.*;
     protected void doPost(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
         try {
             // Get system properties
             Properties props = System.getProperties();
             // Setup mail server
             props.put("mail.smtp.host", "my.company.com");
             // Get session
             Session session = Session.getDefaultInstance(props, null);
             // Define message
             MimeMessage message = new MimeMessage(session);
             message.setFrom(new InternetAddress("admin@my.company.com"));
             final String email = req.getParameter("email");
             Address addr = new InternetAddress(email);
             message.setRecipient(Message.RecipientType.TO, addr);
             message.setSubject(subject);
             message.setText(text);
             // Send message
             Transport.send(message);
         } catch (AddressException e) {
             throw new ServletException(e);
         } catch (MessagingException e) {
             throw new ServletException(e);
         }
     }

Klocwork reports an SV.EMAIL defect for line 16, indicating: unvalidated user input is stored in 'email' (line 14), which is used to create address object 'addr' (line 15) that is then used as a recipient's address on line 16.

Vulnerable code example 2

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
     import jakarta.servlet.http.*;
     import jakarta.mail.internet.*;
     protected void doPost(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
         try {
             // Get system properties
             Properties props = System.getProperties();
             // Setup mail server
             props.put("mail.smtp.host", "my.company.com");
             // Get session
             Session session = Session.getDefaultInstance(props, null);
             // Define message
             MimeMessage message = new MimeMessage(session);
             message.setFrom(new InternetAddress("admin@my.company.com"));
             final String email = req.getParameter("email");
             Address addr = new InternetAddress(email);
             message.setRecipient(Message.RecipientType.TO, addr);
             message.setSubject(subject);
             message.setText(text);
             // Send message
             Transport.send(message);
         } catch (AddressException e) {
             throw new ServletException(e);
         } catch (MessagingException e) {
             throw new ServletException(e);
         }
     }

Klocwork reports an SV.EMAIL defect for line 16, indicating: unvalidated user input is stored in 'email' (line 14), which is used to create address object 'addr' (line 15) that is then used as a recipient's address on line 16.

External guidance

• CWE-472: External Control of Assumed-Immutable Web Parameter
• OWASP A7:2017 Cross-Site Scripting (XSS)
• OWASP A4:2021 Insecure Design
• STIG-ID:APP3570 Application vulnerable to Command Injection

Security training

Application security training materials provided by Secure Code Warrior.

• Using Input From Untrusted Sources Training Video - Test your skills with a training example
• Cross Site Scripting Training Video - Test your skills with a training example

Extension

This checker can be extended through the Klocwork knowledge base. See Tuning Java analysis for more information.