
== Why is this an issue?

When a mail client opens a TLS connection to an SMTP server, validating the certificate chain is not enough: the client must also check that the certificate was issued for the host it meant to reach. Without that host name check, an attacker holding any certificate the client trusts (for example a valid certificate for an unrelated domain) can interpose on the connection and read or alter the credentials and messages sent over it. Neither JavaMail (``++javax.mail++``) nor Apache Commons Email performs this check unless it is enabled explicitly.

This rule raises an issue when:

* a JavaMail ``++javax.mail.Session++`` is created from a ``++Properties++`` object in which ``++mail.smtp.ssl.checkserveridentity++`` (or ``++mail.smtps.ssl.checkserveridentity++`` for the ``++smtps++`` transport) is absent or not set to ``++true++``
* an Apache Commons Email ``++org.apache.commons.mail.SimpleEmail++`` is used with ``++setSSLOnConnect(true)++``, ``++setStartTLSEnabled(true)++`` or ``++setStartTLSRequired(true)++`` without a call to ``++setSSLCheckServerIdentity(true)++``

=== Noncompliant code example

[source,java]
----
import org.apache.commons.mail.DefaultAuthenticator;
import org.apache.commons.mail.Email;
import org.apache.commons.mail.SimpleEmail;

Email email = new SimpleEmail();
email.setSmtpPort(465);
email.setAuthenticator(new DefaultAuthenticator(username, password));
email.setSSLOnConnect(true); // Noncompliant; setSSLCheckServerIdentity(true) should also be called before sending the email
email.send();
----

[source,java]
----
import java.util.Properties;
import javax.mail.PasswordAuthentication;
import javax.mail.Session;

Properties props = new Properties();
props.put("mail.smtp.host", "smtp.gmail.com");
props.put("mail.smtp.socketFactory.port", "465");
props.put("mail.smtp.socketFactory.class", "javax.net.ssl.SSLSocketFactory");
props.put("mail.smtp.auth", "true");
props.put("mail.smtp.port", "465");
// "mail.smtp.ssl.checkserveridentity" is never set, so it keeps its default value of false
Session session = Session.getDefaultInstance(props, new javax.mail.Authenticator() { // Noncompliant; the Session is created without "mail.smtp.ssl.checkserveridentity" set to true
  protected PasswordAuthentication getPasswordAuthentication() {
    return new PasswordAuthentication("username@gmail.com", "password");
  }
});
----

=== Compliant solution

[source,java]
----
import org.apache.commons.mail.DefaultAuthenticator;
import org.apache.commons.mail.Email;
import org.apache.commons.mail.SimpleEmail;

Email email = new SimpleEmail();
email.setSmtpPort(465);
email.setAuthenticator(new DefaultAuthenticator(username, password));
email.setSSLOnConnect(true);
email.setSSLCheckServerIdentity(true); // Compliant
email.send();
----

[source,java]
----
import java.util.Properties;
import javax.mail.PasswordAuthentication;
import javax.mail.Session;

Properties props = new Properties();
props.put("mail.smtp.host", "smtp.gmail.com");
props.put("mail.smtp.socketFactory.port", "465");
props.put("mail.smtp.socketFactory.class", "javax.net.ssl.SSLSocketFactory");
props.put("mail.smtp.auth", "true");
props.put("mail.smtp.port", "465");
props.put("mail.smtp.ssl.checkserveridentity", "true"); // Compliant
Session session = Session.getDefaultInstance(props, new javax.mail.Authenticator() {
  protected PasswordAuthentication getPasswordAuthentication() {
    return new PasswordAuthentication("username@gmail.com", "password");
  }
});
----

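The examples above only cover SSL on connect (port 465 with ``++mail.smtp.*++`` properties). The following example is added here and is not part of the original rule description; it shows the other configurations the rule checks, namely STARTTLS with Commons Email, and JavaMail over both STARTTLS and the ``++smtps++`` transport, where the property prefix changes. The host name, credentials and recipient address are placeholders.

```java
import java.util.Properties;

import javax.mail.Authenticator;
import javax.mail.Message;
import javax.mail.PasswordAuthentication;
import javax.mail.Session;
import javax.mail.Transport;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;

import org.apache.commons.mail.DefaultAuthenticator;
import org.apache.commons.mail.Email;
import org.apache.commons.mail.EmailException;
import org.apache.commons.mail.SimpleEmail;

public class SmtpServerIdentityExamples {

    // Placeholder relay and credentials (assumed values, replace with real ones).
    private static final String HOST = "smtp.example.com";
    private static final String USER = "user@example.com";
    private static final String PASSWORD = "change-me";

    /** Commons Email over STARTTLS on port 587: the host name check must be enabled explicitly. */
    public static Email startTlsWithCommonsEmail() throws EmailException {
        Email email = new SimpleEmail();
        email.setHostName(HOST);
        email.setSmtpPort(587);
        email.setAuthenticator(new DefaultAuthenticator(USER, PASSWORD));
        email.setStartTLSEnabled(true);
        email.setStartTLSRequired(true);       // refuse to fall back to plaintext if STARTTLS fails
        email.setSSLCheckServerIdentity(true); // compare the certificate against HOST
        email.setFrom(USER);
        email.addTo("recipient@example.com");
        email.setSubject("test");
        email.setMsg("hello");
        return email; // call email.send() to deliver
    }

    /** JavaMail over the "smtps" transport (implicit TLS on port 465): note the mail.smtps.* prefix. */
    public static Session smtpsSession() {
        Properties props = new Properties();
        props.put("mail.smtps.host", HOST);
        props.put("mail.smtps.port", "465");
        props.put("mail.smtps.auth", "true");
        props.put("mail.smtps.ssl.checkserveridentity", "true"); // Compliant
        // Obtain the transport with session.getTransport("smtps") so these properties apply.
        return Session.getInstance(props, new Authenticator() {
            @Override
            protected PasswordAuthentication getPasswordAuthentication() {
                return new PasswordAuthentication(USER, PASSWORD);
            }
        });
    }

    /** JavaMail over "smtp" with STARTTLS on port 587: same property as the SSL-on-connect case. */
    public static Session startTlsSession() {
        Properties props = new Properties();
        props.put("mail.smtp.host", HOST);
        props.put("mail.smtp.port", "587");
        props.put("mail.smtp.auth", "true");
        props.put("mail.smtp.starttls.enable", "true");
        props.put("mail.smtp.starttls.required", "true");
        props.put("mail.smtp.ssl.checkserveridentity", "true"); // Compliant
        return Session.getInstance(props, new Authenticator() {
            @Override
            protected PasswordAuthentication getPasswordAuthentication() {
                return new PasswordAuthentication(USER, PASSWORD);
            }
        });
    }

    public static void main(String[] args) throws Exception {
        Session session = startTlsSession();
        MimeMessage message = new MimeMessage(session);
        message.setFrom(new InternetAddress(USER));
        message.setRecipients(Message.RecipientType.TO, InternetAddress.parse("recipient@example.com"));
        message.setSubject("test");
        message.setText("hello");
        // The handshake is rejected if the server certificate does not match HOST.
        Transport.send(message);
    }
}
```

The check is keyed on the host name passed to the library (``++setHostName++`` or ``++mail.smtp.host++``/``++mail.smtps.host++``), so connect by name rather than by IP address; otherwise a certificate issued for the server's DNS name will not match.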
== Resources

* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
* https://cwe.mitre.org/data/definitions/297[MITRE, CWE-297] - Improper Validation of Certificate with Host Mismatch

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Enable server identity validation on this SMTP SSL connection

=== Highlighting

Instantiation of the Session/Connection object

endif::env-github,rspecator-view[]