81 lines
2.8 KiB
Plaintext
81 lines
2.8 KiB
Plaintext
== Why is this an issue?
|
|
|
|
This rule raises an issue when:
|
|
|
|
* a JavaMail's ``++javax.mail.Session++`` is created with a ``++Properties++`` object having no ``++mail.smtp.ssl.checkserveridentity++`` or ``++mail.smtps.ssl.checkserveridentity++`` not configured to ``++true++``
|
|
* a Apache Common Emails's ``++org.apache.commons.mail.SimpleEmail++`` is used with ``++setSSLOnConnect(true)++`` or ``++setStartTLSEnabled(true)++`` or ``++setStartTLSRequired(true)++`` without a call to ``++setSSLCheckServerIdentity(true)++``
|
|
|
|
|
|
=== Noncompliant code example
|
|
|
|
[source,java]
|
|
----
|
|
Email email = new SimpleEmail();
|
|
email.setSmtpPort(465);
|
|
email.setAuthenticator(new DefaultAuthenticator(username, password));
|
|
email.setSSLOnConnect(true); // Noncompliant; setSSLCheckServerIdentity(true) should also be called before sending the email
|
|
email.send();
|
|
----
|
|
|
|
[source,java]
|
|
----
|
|
Properties props = new Properties();
|
|
props.put("mail.smtp.host", "smtp.gmail.com");
|
|
props.put("mail.smtp.socketFactory.port", "465");
|
|
props.put("mail.smtp.socketFactory.class", "javax.net.ssl.SSLSocketFactory"); // Noncompliant; Session is created without having "mail.smtp.ssl.checkserveridentity" set to true
|
|
props.put("mail.smtp.auth", "true");
|
|
props.put("mail.smtp.port", "465");
|
|
Session session = Session.getDefaultInstance(props, new javax.mail.Authenticator() {
|
|
protected PasswordAuthentication getPasswordAuthentication() {
|
|
return new PasswordAuthentication("username@gmail.com", "password");
|
|
}
|
|
});
|
|
----
|
|
|
|
|
|
=== Compliant solution
|
|
|
|
[source,java]
|
|
----
|
|
Email email = new SimpleEmail();
|
|
email.setSmtpPort(465);
|
|
email.setAuthenticator(new DefaultAuthenticator(username, password));
|
|
email.setSSLOnConnect(true);
|
|
email.setSSLCheckServerIdentity(true); // Compliant
|
|
email.send();
|
|
----
|
|
|
|
[source,java]
|
|
----
|
|
Properties props = new Properties();
|
|
props.put("mail.smtp.host", "smtp.gmail.com");
|
|
props.put("mail.smtp.socketFactory.port", "465");
|
|
props.put("mail.smtp.socketFactory.class", "javax.net.ssl.SSLSocketFactory");
|
|
props.put("mail.smtp.auth", "true");
|
|
props.put("mail.smtp.port", "465");
|
|
props.put("mail.smtp.ssl.checkserveridentity", true); // Compliant
|
|
Session session = Session.getDefaultInstance(props, new javax.mail.Authenticator() {
|
|
protected PasswordAuthentication getPasswordAuthentication() {
|
|
return new PasswordAuthentication("username@gmail.com", "password");
|
|
}
|
|
});
|
|
----
|
|
|
|
== Resources
|
|
|
|
* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
|
|
* https://cwe.mitre.org/data/definitions/297[MITRE, CWE-297] - Improper Validation of Certificate with Host Mismatch
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::message.adoc[]
|
|
|
|
include::highlighting.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|