Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Email HTML Injection detection in IAST #8205

Open
wants to merge 70 commits into
base: master
Choose a base branch
from
Open

Email HTML Injection detection in IAST #8205

wants to merge 70 commits into from
+887 −16

Conversation

sezen-datadog
Copy link
Contributor

@sezen-datadog sezen-datadog commented Jan 15, 2025
edited by jira bot
Loading

What Does This Do

Controls the mails to detect tainted content for javax mail methods, in particular, Transport.send

Motivation

Email HTML injection is a vulnerability where user input is included in the content of an email without proper validation and sanitization. This vulnerability can have severe consequences as it opens the door for various attacks, including phishing, social engineering exploits, and the exploitation of email client vulnerabilities.

This modification provides a control of the body of the email that is meant to be sent. If an injection occurred in the mail body and no sanitization has taken place, the sink will raise an alert.

Jira ticket: APPSEC-56330

@sezen-datadog sezen-datadog added type: enhancement comp: asm iast Application Security Management (IAST) inst: java Core Java language instrumentation labels Jan 15, 2025
@smola smola removed the inst: java Core Java language instrumentation label Jan 15, 2025
@jandro996
Copy link
Member

jandro996 commented Jan 15, 2025
edited
Loading

Nice work @sezen-datadog! you are in the right direction, we can discuss offline the caveats if you want 😃

My comments related to the new iast module can be extended if we need an Object instead of an String

Just in case no one had shared with you before, this is an interesting document when we need to implement new iast vulnerabilities

https://datadoghq.atlassian.net/wiki/spaces/APS/pages/3643539583/Adding+New+Vulnerability+Types+A+Practical+Guide

sezen-datadog and others added 3 commits January 16, 2025 14:53
@sezen-datadog @jandro996
Update dd-java-agent/instrumentation/javax-mail/src/main/java/datadog…
14458ed 
…/trace/instrumentation/javax/mail/JavaxMailInstrumentation.java

Co-authored-by: Alejandro González García <[email protected]>
@sezen-datadog @jandro996
Update dd-java-agent/instrumentation/javax-mail/src/main/java/datadog…
b548721 
…/trace/instrumentation/javax/mail/JavaxMailInstrumentation.java

Co-authored-by: Alejandro González García <[email protected]>
@sezen-datadog
advice class added for easier debugging
4182134
@sezen-datadog
Copy link
Contributor Author

setContext and setText of Part
mimebodypart

StringEscapeUtilsCallsite

@sezen-datadog sezen-datadog marked this pull request as ready for review January 28, 2025 08:23
@sezen-datadog sezen-datadog marked this pull request as draft January 28, 2025 10:07
@sezen-datadog sezen-datadog marked this pull request as ready for review January 28, 2025 12:11
manuel-alvarez-alvarez
manuel-alvarez-alvarez reviewed Jan 31, 2025
View reviewed changes
...ang-2/src/main/java/datadog/trace/instrumentation/commonslang/StringEscapeUtilsCallSite.java Outdated
result,
input,
false,
VulnerabilityMarks.XSS_MARK | VulnerabilityMarks.EMAIL_HTML_INJECTION_MARK);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if we could define a mark like:

public static final int HTML_ESCAPED_MARK = XSS_MARK | EMAIL_HTML_INJECTION_MARK;

Anytime we escape for HTML we have to escape both, and the list of vulnerabilities might grow in the future.

manuel-alvarez-alvarez
manuel-alvarez-alvarez reviewed Jan 31, 2025
View reviewed changes
dd-java-agent/instrumentation/javax-mail/src/test/groovy/JavaxMailInstrumentationTest.groovy

where:
mimetype | content
"html" | "<html><body>Hello, Content!</body></html>"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you try with non html mime types?, in that case we should not call the module.

manuel-alvarez-alvarez
manuel-alvarez-alvarez reviewed Jan 31, 2025
View reviewed changes
...-tests/iast-util/src/testFixtures/groovy/datadog/smoketest/AbstractIastSpringBootTest.groovy Outdated

then:
hasTainted { tainted ->
tainted.value == messageText
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure what you are testing here (the request parameter is also tainted with the value, so probably you want to assert something else in here).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah

@sezen-datadog sezen-datadog marked this pull request as draft February 3, 2025 08:07
@sezen-datadog sezen-datadog marked this pull request as ready for review February 4, 2025 12:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Mariovido Mariovido Mariovido left review comments

@jandro996 jandro996 jandro996 left review comments

@manuel-alvarez-alvarez manuel-alvarez-alvarez manuel-alvarez-alvarez left review comments

@smola smola smola left review comments

@ValentinZakharov ValentinZakharov Awaiting requested review from ValentinZakharov ValentinZakharov is a code owner automatically assigned from DataDog/asm-java

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
comp: asm iast Application Security Management (IAST) type: enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@sezen-datadog @jandro996 @smola @manuel-alvarez-alvarez @Mariovido