Email HTML Injection detection in IAST Java (#3906)

Co-authored-by: Mario Vidal Domínguez <[email protected]>
DataDog · Feb 6, 2025 · 473c7e5 · 473c7e5
1 parent 6b9449a
commit 473c7e5
Show file tree

Hide file tree

Showing 16 changed files with 337 additions and 3 deletions.
diff --git a/manifests/java.yml b/manifests/java.yml
@@ -79,8 +79,26 @@ tests/:
             ratpack: missing_feature
             spring-boot-3-native: missing_feature (GraalVM. Tracing support only)
         test_email_html_injection.py:
-          TestEmailHtmlInjection: missing_feature
-          TestEmailHtmlInjection_StackTrace: missing_feature
+          TestEmailHtmlInjection:
+            '*': v1.47.0
+            akka-http: missing_feature (No endpoint implemented)
+            jersey-grizzly2: missing_feature (No endpoint implemented)
+            play: missing_feature (No endpoint implemented)
+            ratpack: missing_feature (No endpoint implemented)
+            resteasy-netty3: missing_feature (No endpoint implemented)
+            spring-boot-3-native: missing_feature (No endpoint implemented)
+            vertx3: missing_feature (No endpoint implemented)
+            vertx4: missing_feature (No endpoint implemented)
+          TestEmailHtmlInjection_StackTrace:
+            '*': v1.47.0
+            akka-http: missing_feature (No endpoint implemented)
+            jersey-grizzly2: missing_feature (No endpoint implemented)
+            play: missing_feature (No endpoint implemented)
+            ratpack: missing_feature (No endpoint implemented)
+            resteasy-netty3: missing_feature (No endpoint implemented)
+            spring-boot-3-native: missing_feature (No endpoint implemented)
+            vertx3: missing_feature (No endpoint implemented)
+            vertx4: missing_feature (No endpoint implemented)
         test_hardcoded_passwords.py:
           Test_HardcodedPasswords: missing_feature
           Test_HardcodedPasswords_StackTrace: missing_feature

diff --git a/utils/build/docker/java/akka-http/pom.xml b/utils/build/docker/java/akka-http/pom.xml
@@ -96,6 +96,26 @@
             <artifactId>spray-json_2.13</artifactId>
             <version>1.3.6</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>3.17.0</version>
+        </dependency>
+        <dependency>
+            <groupId>javax.mail</groupId>
+            <artifactId>javax.mail-api</artifactId>
+            <version>1.6.2</version>
+        </dependency>
+        <dependency>
+            <groupId>javax.activation</groupId>
+            <artifactId>activation</artifactId>
+            <version>1.1.1</version>
+        </dependency>
+        <dependency>
+            <groupId>com.sun.mail</groupId>
+            <artifactId>javax.mail</artifactId>
+            <version>1.6.2</version>
+        </dependency>
     </dependencies>
 
     <build>

diff --git a/utils/build/docker/java/iast-common/pom.xml b/utils/build/docker/java/iast-common/pom.xml
@@ -34,6 +34,30 @@
             <version>6.0.8</version>
             <optional>true</optional>
         </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>3.17.0</version>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>javax.mail</groupId>
+            <artifactId>javax.mail-api</artifactId>
+            <version>1.6.2</version>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>javax.activation</groupId>
+            <artifactId>activation</artifactId>
+            <version>1.1.1</version>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>com.sun.mail</groupId>
+            <artifactId>javax.mail</artifactId>
+            <version>1.6.2</version>
+            <optional>true</optional>
+        </dependency>
     </dependencies>
 
     <build>

diff --git a/...r/java/iast-common/src/main/java/com/datadoghq/system_tests/iast/utils/EmailExamples.java b/...r/java/iast-common/src/main/java/com/datadoghq/system_tests/iast/utils/EmailExamples.java
@@ -0,0 +1,31 @@
+package com.datadoghq.system_tests.iast.utils;
+
+import com.datadoghq.system_tests.iast.utils.mock.MockTransport;
+
+import javax.mail.Message;
+import javax.mail.MessagingException;
+import javax.mail.Session;
+import javax.mail.Provider;
+import javax.mail.internet.InternetAddress;
+import javax.mail.internet.MimeMessage;
+import java.util.Properties;
+
+
+public class EmailExamples {
+
+    public void mail(final String emailContent) throws MessagingException {
+        Session session = Session.getDefaultInstance(new Properties());
+        Provider provider =
+                new Provider(
+                        Provider.Type.TRANSPORT, "smtp", MockTransport.class.getName(), "MockTransport", "1.0");
+        session.setProvider(provider);
+        Message email = new MimeMessage(session);
+        email.setContent(emailContent, "text/html");
+        email.setRecipient(Message.RecipientType.TO, new InternetAddress("[email protected]"));
+
+        MockTransport.send(email);
+
+    }
+
+
+}
diff --git a/...a/iast-common/src/main/java/com/datadoghq/system_tests/iast/utils/mock/MockTransport.java b/...a/iast-common/src/main/java/com/datadoghq/system_tests/iast/utils/mock/MockTransport.java
@@ -0,0 +1,26 @@
+package com.datadoghq.system_tests.iast.utils.mock;
+import javax.mail.Message;
+import javax.mail.MessagingException;
+import javax.mail.Session;
+import javax.mail.Transport;
+import javax.mail.URLName;
+import javax.mail.Address;
+
+public class MockTransport extends Transport {
+        public MockTransport(Session session, URLName urlname) {
+            super(session, urlname);
+        }
+
+        public void sendMessage(Message msg, Address[] addresses) throws MessagingException {
+            this.notifyTransportListeners(1, addresses, new Address[0], new Address[0], msg);
+
+        }
+
+        @Override
+        public void connect() {
+            this.setConnected(true);
+            this.notifyConnectionListeners(1);
+        }
+
+        public synchronized void connect(String host, int port, String user, String password) {}
+    }
diff --git a/utils/build/docker/java/jersey-grizzly2/pom.xml b/utils/build/docker/java/jersey-grizzly2/pom.xml
@@ -89,6 +89,26 @@
             <artifactId>jackson-databind</artifactId>
             <version>2.12.3</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>3.17.0</version>
+        </dependency>
+        <dependency>
+            <groupId>javax.mail</groupId>
+            <artifactId>javax.mail-api</artifactId>
+            <version>1.6.2</version>
+        </dependency>
+        <dependency>
+            <groupId>javax.activation</groupId>
+            <artifactId>activation</artifactId>
+            <version>1.1.1</version>
+        </dependency>
+        <dependency>
+            <groupId>com.sun.mail</groupId>
+            <artifactId>javax.mail</artifactId>
+            <version>1.6.2</version>
+        </dependency>
     </dependencies>
 
     <build>

diff --git a/utils/build/docker/java/parametric/pom.xml b/utils/build/docker/java/parametric/pom.xml
@@ -55,6 +55,26 @@
             <artifactId>opentelemetry-api</artifactId>
             <version>${opentelemetry.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>3.17.0</version>
+        </dependency>
+        <dependency>
+            <groupId>javax.mail</groupId>
+            <artifactId>javax.mail-api</artifactId>
+            <version>1.6.2</version>
+        </dependency>
+        <dependency>
+            <groupId>javax.activation</groupId>
+            <artifactId>activation</artifactId>
+            <version>1.1.1</version>
+        </dependency>
+        <dependency>
+            <groupId>com.sun.mail</groupId>
+            <artifactId>javax.mail</artifactId>
+            <version>1.6.2</version>
+        </dependency>
     </dependencies>
 
     <build>

diff --git a/utils/build/docker/java/play/pom.xml b/utils/build/docker/java/play/pom.xml
@@ -81,6 +81,26 @@
             <artifactId>hsqldb</artifactId>
             <version>2.7.1</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>3.17.0</version>
+        </dependency>
+        <dependency>
+            <groupId>javax.mail</groupId>
+            <artifactId>javax.mail-api</artifactId>
+            <version>1.6.2</version>
+        </dependency>
+        <dependency>
+            <groupId>javax.activation</groupId>
+            <artifactId>activation</artifactId>
+            <version>1.1.1</version>
+        </dependency>
+        <dependency>
+            <groupId>com.sun.mail</groupId>
+            <artifactId>javax.mail</artifactId>
+            <version>1.6.2</version>
+        </dependency>
     </dependencies>
 
     <build>

diff --git a/utils/build/docker/java/ratpack/pom.xml b/utils/build/docker/java/ratpack/pom.xml
@@ -66,6 +66,26 @@
             <artifactId>jackson-core</artifactId>
             <version>LATEST</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>3.17.0</version>
+        </dependency>
+        <dependency>
+            <groupId>javax.mail</groupId>
+            <artifactId>javax.mail-api</artifactId>
+            <version>1.6.2</version>
+        </dependency>
+        <dependency>
+            <groupId>javax.activation</groupId>
+            <artifactId>activation</artifactId>
+            <version>1.1.1</version>
+        </dependency>
+        <dependency>
+            <groupId>com.sun.mail</groupId>
+            <artifactId>javax.mail</artifactId>
+            <version>1.6.2</version>
+        </dependency>
     </dependencies>
 
     <build>

diff --git a/utils/build/docker/java/resteasy-netty3/pom.xml b/utils/build/docker/java/resteasy-netty3/pom.xml
@@ -87,7 +87,26 @@
             <artifactId>jackson-core</artifactId>
             <version>2.17.1</version>
         </dependency>
-
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>3.17.0</version>
+        </dependency>
+        <dependency>
+            <groupId>javax.mail</groupId>
+            <artifactId>javax.mail-api</artifactId>
+            <version>1.6.2</version>
+        </dependency>
+        <dependency>
+            <groupId>javax.activation</groupId>
+            <artifactId>activation</artifactId>
+            <version>1.1.1</version>
+        </dependency>
+        <dependency>
+            <groupId>com.sun.mail</groupId>
+            <artifactId>javax.mail</artifactId>
+            <version>1.6.2</version>
+        </dependency>
     </dependencies>
 
     <build>

diff --git a/utils/build/docker/java/spring-boot-3-native/pom.xml b/utils/build/docker/java/spring-boot-3-native/pom.xml
@@ -54,6 +54,26 @@
             <artifactId>javax.servlet-api</artifactId>
             <version>4.0.1</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>3.17.0</version>
+        </dependency>
+        <dependency>
+            <groupId>javax.mail</groupId>
+            <artifactId>javax.mail-api</artifactId>
+            <version>1.6.2</version>
+        </dependency>
+        <dependency>
+            <groupId>javax.activation</groupId>
+            <artifactId>activation</artifactId>
+            <version>1.1.1</version>
+        </dependency>
+        <dependency>
+            <groupId>com.sun.mail</groupId>
+            <artifactId>javax.mail</artifactId>
+            <version>1.6.2</version>
+        </dependency>
     </dependencies>
 
     <build>

diff --git a/utils/build/docker/java/spring-boot/pom.xml b/utils/build/docker/java/spring-boot/pom.xml
@@ -199,6 +199,26 @@
             <artifactId>kinesis</artifactId>
             <version>2.17.85</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>3.17.0</version>
+        </dependency>
+        <dependency>
+            <groupId>javax.mail</groupId>
+            <artifactId>javax.mail-api</artifactId>
+            <version>1.6.2</version>
+        </dependency>
+        <dependency>
+            <groupId>javax.activation</groupId>
+            <artifactId>activation</artifactId>
+            <version>1.1.1</version>
+        </dependency>
+        <dependency>
+            <groupId>com.sun.mail</groupId>
+            <artifactId>javax.mail</artifactId>
+            <version>1.6.2</version>
+        </dependency>
     </dependencies>
 
     <dependencyManagement>

diff --git a/...cker/java/spring-boot/src/main/java/com/datadoghq/system_tests/springboot/AppSecIast.java b/...cker/java/spring-boot/src/main/java/com/datadoghq/system_tests/springboot/AppSecIast.java
@@ -9,6 +9,7 @@
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
+import javax.mail.MessagingException;
 import javax.naming.Context;
 import javax.naming.NamingException;
 import javax.naming.directory.InitialDirContext;
@@ -21,6 +22,8 @@
 import java.io.IOException;
 import java.util.Hashtable;
 
+import org.apache.commons.lang3.StringEscapeUtils;
+
 @RestController
 @RequestMapping("/iast")
 public class AppSecIast {
@@ -38,6 +41,7 @@ public class AppSecIast {
     private final HardcodedSecretExamples hardcodedSecretExamples;
     private final ReflectionExamples reflectionExamples;
     private final DeserializationExamples deserializationExamples;
+    private final EmailExamples emailExamples;
 
 
     public AppSecIast(final DataSource dataSource) {
@@ -52,6 +56,7 @@ public AppSecIast(final DataSource dataSource) {
         this.hardcodedSecretExamples = new HardcodedSecretExamples();
         this.reflectionExamples = new ReflectionExamples();
         this.deserializationExamples = new DeserializationExamples();
+        this.emailExamples = new EmailExamples();
     }
 
     @RequestMapping("/hardcoded_secrets/test_insecure")
@@ -452,6 +457,17 @@ void scSOverloadedInsecure(final ServletRequest request,  final ServletResponse
         cmdExamples.insecureCmd(sanitized);
     }
 
+    @PostMapping("/email_html_injection/test_insecure")
+    void emailHtmlInjectionInsecure(final HttpServletRequest request) throws MessagingException {
+        String email = request.getParameter("username");
+        emailExamples.mail(email);
+    }
+
+    @PostMapping("/email_html_injection/test_secure")
+    void emailHtmlInjectionSecure(final HttpServletRequest request) throws MessagingException {
+        String email = request.getParameter("username");
+        emailExamples.mail(StringEscapeUtils.escapeHtml4(email));
+    }
 
     /**
      * TODO: Ldap is failing to startup in native image this method ensures it's started lazily