From 72ae1e51122f58ccfc21fda290c1690896875ca7 Mon Sep 17 00:00:00 2001 From: "sezen.leblay" Date: Tue, 28 Jan 2025 14:02:25 +0100 Subject: [PATCH 01/13] Email HTML Injection detection in IAST Java --- manifests/java.yml | 22 +++++++++++++++++-- .../iast/utils/EmailExamples.java | 15 +++++++++++++ .../system_tests/springboot/AppSecIast.java | 13 +++++++++++ 3 files changed, 48 insertions(+), 2 deletions(-) create mode 100644 utils/build/docker/java/iast-common/src/main/java/com/datadoghq/system_tests/iast/utils/EmailExamples.java diff --git a/manifests/java.yml b/manifests/java.yml index 516ad33e20..7010c076ed 100644 --- a/manifests/java.yml +++ b/manifests/java.yml 
@@ -79,8 +79,26 @@ tests/: ratpack: missing_feature spring-boot-3-native: missing_feature (GraalVM. Tracing support only) test_email_html_injection.py: - TestEmailHtmlInjection: missing_feature - TestEmailHtmlInjection_StackTrace: missing_feature + TestEmailHtmlInjection: + '*': v1.46.0 + akka-http: missing_feature (No endpoint implemented) + jersey-grizzly2: missing_feature (No endpoint implemented) + play: missing_feature (No endpoint implemented) + ratpack: missing_feature (No endpoint implemented) + resteasy-netty3: missing_feature (No endpoint implemented) + spring-boot-3-native: missing_feature (No endpoint implemented) + vertx3: missing_feature (No endpoint implemented) + vertx4: missing_feature (No endpoint implemented) + TestEmailHtmlInjection_StackTrace: + '*': v1.46.0 + akka-http: missing_feature (No endpoint implemented) + jersey-grizzly2: missing_feature (No endpoint implemented) + play: missing_feature (No endpoint implemented) + ratpack: missing_feature (No endpoint implemented) + resteasy-netty3: missing_feature (No endpoint implemented) + spring-boot-3-native: missing_feature (No endpoint implemented) + vertx3: missing_feature (No endpoint implemented) + vertx4: missing_feature (No endpoint implemented) test_hardcoded_passwords.py: Test_HardcodedPasswords: missing_feature Test_HardcodedPasswords_StackTrace: missing_feature diff --git a/utils/build/docker/java/iast-common/src/main/java/com/datadoghq/system_tests/iast/utils/EmailExamples.java b/utils/build/docker/java/iast-common/src/main/java/com/datadoghq/system_tests/iast/utils/EmailExamples.java new file mode 100644 index 0000000000..6716fc266b --- /dev/null +++ b/utils/build/docker/java/iast-common/src/main/java/com/datadoghq/system_tests/iast/utils/EmailExamples.java 
@@ -0,0 +1,15 @@ +package com.datadoghq.system_tests.iast.utils; + + +public class EmailExamples { + + public EmailExamples() { + } + + public void insecureEmail(final Object email) { + } + + public void secureEmail(final Object email) { + } + +} diff --git a/utils/build/docker/java/spring-boot/src/main/java/com/datadoghq/system_tests/springboot/AppSecIast.java b/utils/build/docker/java/spring-boot/src/main/java/com/datadoghq/system_tests/springboot/AppSecIast.java index 62754180c8..fd2826c840 100644 --- a/utils/build/docker/java/spring-boot/src/main/java/com/datadoghq/system_tests/springboot/AppSecIast.java +++ b/utils/build/docker/java/spring-boot/src/main/java/com/datadoghq/system_tests/springboot/AppSecIast.java @@ -452,6 +452,19 @@ void scSOverloadedInsecure(final ServletRequest request, final ServletResponse cmdExamples.insecureCmd(sanitized); } + @GetMapping("/email_html_injection/test_insecure") + public void emailHtmlInjectionInsecure(final HttpServletRequest request, final HttpServletResponse response) { + String email = request.getParameter("username"); + EmailExamples emailExamples = new EmailExamples(); + emailExamples.insecureEmail(email); + } + + @GetMapping("/email_html_injection/test_secure") + public void emailHtmlInjectionSecure(final HttpServletRequest request, final HttpServletResponse response) { + String email = request.getParameter("username"); + EmailExamples emailExamples = new EmailExamples(); + emailExamples.secureEmail(email); + } /** * TODO: Ldap is failing to startup in native image this method ensures it's started lazily From 0f081d6d983305c326c65d38109c13d75fb06fc8 Mon Sep 17 00:00:00 2001 From: "sezen.leblay" Date: Tue, 28 Jan 2025 16:51:08 +0100 Subject: [PATCH 02/13] javax --- .../iast/utils/EmailExamples.java | 55 ++++++++++++++++++- .../system_tests/springboot/AppSecIast.java | 10 ++-- 2 files changed, 58 insertions(+), 7 deletions(-) 
diff --git a/utils/build/docker/java/iast-common/src/main/java/com/datadoghq/system_tests/iast/utils/EmailExamples.java b/utils/build/docker/java/iast-common/src/main/java/com/datadoghq/system_tests/iast/utils/EmailExamples.java index 6716fc266b..766ee23456 100644 --- a/utils/build/docker/java/iast-common/src/main/java/com/datadoghq/system_tests/iast/utils/EmailExamples.java +++ b/utils/build/docker/java/iast-common/src/main/java/com/datadoghq/system_tests/iast/utils/EmailExamples.java 
@@ -1,15 +1,64 @@ package com.datadoghq.system_tests.iast.utils; +import javax.mail.Message; +import javax.mail.MessagingException; +import javax.mail.Session; +import javax.mail.Transport; +import javax.mail.URLName; +import javax.mail.Provider; +import javax.mail.Address; +import javax.mail.internet.MimeMessage; +import java.util.Properties; + public class EmailExamples { public EmailExamples() { } - public void insecureEmail(final Object email) { - } + public void mail(final String emailContent) { + Session session = Session.getDefaultInstance(new Properties()); + Provider provider = + new Provider( + Provider.Type.TRANSPORT, "smtp", MockTransport.class.getName(), "MockTransport", "1.0"); + session.setProvider(provider); + Message email = new MimeMessage(session); + email.setContent(emailContent, "text/html"); + + MockTransport.send(email); - public void secureEmail(final Object email) { } + + private class MockTransport extends Transport { + public MockTransport(Session session, URLName urlname) { + super(session, urlname); + } + + public MockTransport() { + this(Session.getInstance(new Properties()), null); + } + + public MockTransport(Session session) { + this(session, null); + } + + public static Transport newInstance(Session session) { + return new MockTransport(session, null); + } + + public void sendMessage(Message msg, Address[] addresses) throws MessagingException { + this.notifyTransportListeners(1, addresses, new Address[0], new Address[0], msg); + + } + + @Override + public void connect() { + this.setConnected(true); + this.notifyConnectionListeners(1); + } + + public synchronized void connect(String host, int port, String user, String password) + throws MessagingException {} + } } diff --git a/utils/build/docker/java/spring-boot/src/main/java/com/datadoghq/system_tests/springboot/AppSecIast.java b/utils/build/docker/java/spring-boot/src/main/java/com/datadoghq/system_tests/springboot/AppSecIast.java index fd2826c840..5b960ee035 100644 
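Review bot: `mail` obtains the JVM-wide shared session with `Session.getDefaultInstance(new Properties())` and then calls `session.setProvider(provider)` on it, so the mock SMTP transport is installed into the default session for every other user of `javax.mail` in the process, not just this method. `Session.getInstance(new Properties())` gives `mail` a private session with identical behaviour for this code path, and the same line is carried unchanged through the `EmailExamples` hunks of PATCH 05, 06 and 07. On a style point, `MockTransport.send(email)` is a call to the static `Transport.send`; naming the subclass implies a dispatch that does not happen (the mock is chosen through the provider registered on the session), so `Transport.send(email)` reads more honestly. The non-static inner class in this hunk is already made `static` in PATCH 03.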
--- a/utils/build/docker/java/spring-boot/src/main/java/com/datadoghq/system_tests/springboot/AppSecIast.java +++ b/utils/build/docker/java/spring-boot/src/main/java/com/datadoghq/system_tests/springboot/AppSecIast.java @@ -21,6 +21,8 @@ import java.io.IOException; import java.util.Hashtable; +import org.apache.commons.lang3.StringEscapeUtils; + @RestController @RequestMapping("/iast") public class AppSecIast { @@ -38,6 +40,7 @@ public class AppSecIast { private final HardcodedSecretExamples hardcodedSecretExamples; private final ReflectionExamples reflectionExamples; private final DeserializationExamples deserializationExamples; + private final EmailExamples emailExamples; public AppSecIast(final DataSource dataSource) { @@ -52,6 +55,7 @@ public AppSecIast(final DataSource dataSource) { this.hardcodedSecretExamples = new HardcodedSecretExamples(); this.reflectionExamples = new ReflectionExamples(); this.deserializationExamples = new DeserializationExamples(); + this.emailExamples = new EmailExamples(); } @RequestMapping("/hardcoded_secrets/test_insecure") @@ -455,15 +459,13 @@ void scSOverloadedInsecure(final ServletRequest request, final ServletResponse @GetMapping("/email_html_injection/test_insecure") public void emailHtmlInjectionInsecure(final HttpServletRequest request, final HttpServletResponse response) { String email = request.getParameter("username"); - EmailExamples emailExamples = new EmailExamples(); - emailExamples.insecureEmail(email); + emailExamples.mail(email); } @GetMapping("/email_html_injection/test_secure") public void emailHtmlInjectionSecure(final HttpServletRequest request, final HttpServletResponse response) { String email = request.getParameter("username"); - EmailExamples emailExamples = new EmailExamples(); - emailExamples.secureEmail(email); + emailExamples.mail(StringEscapeUtils.escapeHtml3(email)); } /** From aa73ee837fe0a6b6cc365e130f44eb9ff08ddd99 Mon Sep 17 00:00:00 2001 
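Review bot: The new import `org.apache.commons.lang3.StringEscapeUtils` refers to a class that commons-lang3 has carried as `@Deprecated` since 3.6, pointing to `org.apache.commons.text.StringEscapeUtils`, so against the 3.17.0 artifact added in PATCH 03 the secure endpoint compiles with a deprecation warning. If the lang3 method is deliberately chosen because it is the sanitizer the tracer recognises, a comment on the secure handler such as `// lang3 StringEscapeUtils is the sanitizer the tracer is expected to recognise; do not swap for commons-text without checking` would stop the next cleanup from replacing it; otherwise commons-text is the maintained replacement. The same call (as `escapeHtml4` from PATCH 04 on) remains in the handler hunks of PATCH 03, 04 and 07.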
From: "sezen.leblay" Date: Tue, 28 Jan 2025 16:58:31 +0100 Subject: [PATCH 03/13] javax --- .../system_tests/iast/utils/EmailExamples.java | 4 ++-- utils/build/docker/java/spring-boot/pom.xml | 12 ++++++++++++ .../system_tests/springboot/AppSecIast.java | 5 +++-- 3 files changed, 17 insertions(+), 4 deletions(-) diff --git a/utils/build/docker/java/iast-common/src/main/java/com/datadoghq/system_tests/iast/utils/EmailExamples.java b/utils/build/docker/java/iast-common/src/main/java/com/datadoghq/system_tests/iast/utils/EmailExamples.java index 766ee23456..a466112a48 100644 --- a/utils/build/docker/java/iast-common/src/main/java/com/datadoghq/system_tests/iast/utils/EmailExamples.java +++ b/utils/build/docker/java/iast-common/src/main/java/com/datadoghq/system_tests/iast/utils/EmailExamples.java @@ -16,7 +16,7 @@ public class EmailExamples { public EmailExamples() { } - public void mail(final String emailContent) { + public void mail(final String emailContent) throws MessagingException { Session session = Session.getDefaultInstance(new Properties()); Provider provider = new Provider( @@ -30,7 +30,7 @@ public void mail(final String emailContent) { } - private class MockTransport extends Transport { + private static class MockTransport extends Transport { public MockTransport(Session session, URLName urlname) { super(session, urlname); } diff --git a/utils/build/docker/java/spring-boot/pom.xml b/utils/build/docker/java/spring-boot/pom.xml index 14e2d0cb97..5cb1e1b6b5 100644 --- a/utils/build/docker/java/spring-boot/pom.xml +++ b/utils/build/docker/java/spring-boot/pom.xml @@ -199,6 +199,18 @@ kinesis 2.17.85 + + + org.apache.commons + commons-lang3 + 3.17.0 + + + javax.mail + javax.mail-api + 1.6.2 + + diff --git a/utils/build/docker/java/spring-boot/src/main/java/com/datadoghq/system_tests/springboot/AppSecIast.java b/utils/build/docker/java/spring-boot/src/main/java/com/datadoghq/system_tests/springboot/AppSecIast.java index 5b960ee035..b5c9a6904a 100644 
--- a/utils/build/docker/java/spring-boot/src/main/java/com/datadoghq/system_tests/springboot/AppSecIast.java +++ b/utils/build/docker/java/spring-boot/src/main/java/com/datadoghq/system_tests/springboot/AppSecIast.java @@ -9,6 +9,7 @@ import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RestController; +import javax.mail.MessagingException; import javax.naming.Context; import javax.naming.NamingException; import javax.naming.directory.InitialDirContext; @@ -457,13 +458,13 @@ void scSOverloadedInsecure(final ServletRequest request, final ServletResponse } @GetMapping("/email_html_injection/test_insecure") - public void emailHtmlInjectionInsecure(final HttpServletRequest request, final HttpServletResponse response) { + public void emailHtmlInjectionInsecure(final HttpServletRequest request, final HttpServletResponse response) throws MessagingException { String email = request.getParameter("username"); emailExamples.mail(email); } @GetMapping("/email_html_injection/test_secure") - public void emailHtmlInjectionSecure(final HttpServletRequest request, final HttpServletResponse response) { + public void emailHtmlInjectionSecure(final HttpServletRequest request, final HttpServletResponse response) throws MessagingException { String email = request.getParameter("username"); emailExamples.mail(StringEscapeUtils.escapeHtml3(email)); } From 5a6fc9f251fb5af9286a4e8b16aa6505f6cecbb5 Mon Sep 17 00:00:00 2001 From: "sezen.leblay" Date: Wed, 29 Jan 2025 09:58:35 +0100 Subject: [PATCH 04/13] javax --- .../com/datadoghq/system_tests/springboot/AppSecIast.java | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/utils/build/docker/java/spring-boot/src/main/java/com/datadoghq/system_tests/springboot/AppSecIast.java b/utils/build/docker/java/spring-boot/src/main/java/com/datadoghq/system_tests/springboot/AppSecIast.java index b5c9a6904a..7b144e125d 100644 
--- a/utils/build/docker/java/spring-boot/src/main/java/com/datadoghq/system_tests/springboot/AppSecIast.java +++ b/utils/build/docker/java/spring-boot/src/main/java/com/datadoghq/system_tests/springboot/AppSecIast.java @@ -457,16 +457,16 @@ void scSOverloadedInsecure(final ServletRequest request, final ServletResponse cmdExamples.insecureCmd(sanitized); } - @GetMapping("/email_html_injection/test_insecure") + @PostMapping("/email_html_injection/test_insecure") public void emailHtmlInjectionInsecure(final HttpServletRequest request, final HttpServletResponse response) throws MessagingException { String email = request.getParameter("username"); emailExamples.mail(email); } - @GetMapping("/email_html_injection/test_secure") + @PostMapping("/email_html_injection/test_secure") public void emailHtmlInjectionSecure(final HttpServletRequest request, final HttpServletResponse response) throws MessagingException { String email = request.getParameter("username"); - emailExamples.mail(StringEscapeUtils.escapeHtml3(email)); + emailExamples.mail(StringEscapeUtils.escapeHtml4(email)); } /** From 4c93aa51ed6c2bd6774e8405ed7d885c7bb161c9 Mon Sep 17 00:00:00 2001 From: "sezen.leblay" Date: Wed, 29 Jan 2025 14:02:57 +0100 Subject: [PATCH 05/13] post returns 200 finally --- .../iast/utils/EmailExamples.java | 39 +++--------------- .../iast/utils/mock/MockTransport.java | 40 +++++++++++++++++++ utils/build/docker/java/spring-boot/pom.xml | 10 +++++ 3 files changed, 55 insertions(+), 34 deletions(-) create mode 100644 utils/build/docker/java/iast-common/src/main/java/com/datadoghq/system_tests/iast/utils/mock/MockTransport.java diff --git a/utils/build/docker/java/iast-common/src/main/java/com/datadoghq/system_tests/iast/utils/EmailExamples.java b/utils/build/docker/java/iast-common/src/main/java/com/datadoghq/system_tests/iast/utils/EmailExamples.java index a466112a48..73d04181f2 100644 
--- a/utils/build/docker/java/iast-common/src/main/java/com/datadoghq/system_tests/iast/utils/EmailExamples.java +++ b/utils/build/docker/java/iast-common/src/main/java/com/datadoghq/system_tests/iast/utils/EmailExamples.java @@ -1,12 +1,11 @@ package com.datadoghq.system_tests.iast.utils; +import com.datadoghq.system_tests.iast.utils.mock.MockTransport; + import javax.mail.Message; import javax.mail.MessagingException; import javax.mail.Session; -import javax.mail.Transport; -import javax.mail.URLName; import javax.mail.Provider; -import javax.mail.Address; import javax.mail.internet.MimeMessage; import java.util.Properties; 
@@ -17,48 +16,20 @@ public EmailExamples() { } public void mail(final String emailContent) throws MessagingException { + System.setProperty("mail.transport.protocol", "smtp"); Session session = Session.getDefaultInstance(new Properties()); + session.getProperties().put("mail.transport.protocol", "smtp"); Provider provider = new Provider( Provider.Type.TRANSPORT, "smtp", MockTransport.class.getName(), "MockTransport", "1.0"); session.setProvider(provider); Message email = new MimeMessage(session); email.setContent(emailContent, "text/html"); + email.setRecipient(Message.RecipientType.TO, new javax.mail.internet.InternetAddress("abc@datadoghq.com")); MockTransport.send(email); } - private static class MockTransport extends Transport { - public MockTransport(Session session, URLName urlname) { - super(session, urlname); - } - - public MockTransport() { - this(Session.getInstance(new Properties()), null); - } - - public MockTransport(Session session) { - this(session, null); - } - - public static Transport newInstance(Session session) { - return new MockTransport(session, null); - } - - public void sendMessage(Message msg, Address[] addresses) throws MessagingException { - this.notifyTransportListeners(1, addresses, new Address[0], new Address[0], msg); - - } - - @Override - public void connect() { - this.setConnected(true); - this.notifyConnectionListeners(1); - } - - public synchronized void connect(String host, int port, String user, String password) - throws MessagingException {} - } } diff --git a/utils/build/docker/java/iast-common/src/main/java/com/datadoghq/system_tests/iast/utils/mock/MockTransport.java b/utils/build/docker/java/iast-common/src/main/java/com/datadoghq/system_tests/iast/utils/mock/MockTransport.java new file mode 100644 index 0000000000..751481d4d2 --- /dev/null +++ b/utils/build/docker/java/iast-common/src/main/java/com/datadoghq/system_tests/iast/utils/mock/MockTransport.java 
@@ -0,0 +1,40 @@ +package com.datadoghq.system_tests.iast.utils.mock; +import javax.mail.Message; +import javax.mail.MessagingException; +import javax.mail.Session; +import javax.mail.Transport; +import javax.mail.URLName; +import javax.mail.Address; +import java.util.Properties; + +public class MockTransport extends Transport { + public MockTransport(Session session, URLName urlname) { + super(session, urlname); + } + + public MockTransport() { + this(Session.getInstance(new Properties()), null); + } + + public MockTransport(Session session) { + this(session, null); + } + + public static Transport newInstance(Session session) { + return new MockTransport(session, null); + } + + public void sendMessage(Message msg, Address[] addresses) throws MessagingException { + this.notifyTransportListeners(1, addresses, new Address[0], new Address[0], msg); + + } + + @Override + public void connect() { + this.setConnected(true); + this.notifyConnectionListeners(1); + } + + public synchronized void connect(String host, int port, String user, String password) + throws MessagingException {} + } \ No newline at end of file diff --git a/utils/build/docker/java/spring-boot/pom.xml b/utils/build/docker/java/spring-boot/pom.xml index 5cb1e1b6b5..6cbed5c0ac 100644 --- a/utils/build/docker/java/spring-boot/pom.xml +++ b/utils/build/docker/java/spring-boot/pom.xml @@ -210,6 +210,16 @@ javax.mail-api 1.6.2 + + javax.activation + activation + 1.1.1 + + + com.sun.mail + javax.mail + 1.6.2 + From 147a6a6a529fffe31f3559a7eff568c9ddc09274 Mon Sep 17 00:00:00 2001 From: "sezen.leblay" Date: Wed, 29 Jan 2025 14:15:44 +0100 Subject: [PATCH 06/13] cleanup --- .../system_tests/iast/utils/EmailExamples.java | 2 -- .../iast/utils/mock/MockTransport.java | 16 +--------------- 2 files changed, 1 insertion(+), 17 deletions(-) 
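Review bot: `sendMessage` and the no-arg `connect` in the new `MockTransport` pass the bare literal `1` to `notifyTransportListeners` and `notifyConnectionListeners`; the API defines those values as `TransportEvent.MESSAGE_DELIVERED` and `ConnectionEvent.OPENED` (both in `javax.mail.event`), and using the names says what the mock pretends happened. `sendMessage` also overrides `Transport.sendMessage` without `@Override`, the four-argument `connect` likewise, and the file ends without a trailing newline. A class comment would help the reader who finds this under `utils/mock`: `/** Transport that never opens a socket: sendMessage only fires a delivered event, so mail can be "sent" with no SMTP server. */`. PATCH 06's hunk on this file keeps the same literals and missing annotations.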
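Review bot: This pom now lists both `javax.mail:javax.mail-api:1.6.2` (from PATCH 03) and `com.sun.mail:javax.mail:1.6.2`, and the `com.sun.mail` artifact is the all-in-one jar that already contains the `javax.mail.*` API classes, so the same classes end up twice on the runtime classpath. Dropping the API-only artifact and keeping `com.sun.mail:javax.mail` together with `javax.activation:activation` (still required on JDK 11 and later, where JAF is no longer in the JDK) is enough for `EmailExamples` and `MockTransport` to compile and run. The same pair is repeated in the pom hunks of PATCH 08, 09, 10 and 13.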
diff --git a/utils/build/docker/java/iast-common/src/main/java/com/datadoghq/system_tests/iast/utils/EmailExamples.java b/utils/build/docker/java/iast-common/src/main/java/com/datadoghq/system_tests/iast/utils/EmailExamples.java index 73d04181f2..0d61990b1a 100644 --- a/utils/build/docker/java/iast-common/src/main/java/com/datadoghq/system_tests/iast/utils/EmailExamples.java +++ b/utils/build/docker/java/iast-common/src/main/java/com/datadoghq/system_tests/iast/utils/EmailExamples.java @@ -16,9 +16,7 @@ public EmailExamples() { } public void mail(final String emailContent) throws MessagingException { - System.setProperty("mail.transport.protocol", "smtp"); Session session = Session.getDefaultInstance(new Properties()); - session.getProperties().put("mail.transport.protocol", "smtp"); Provider provider = new Provider( Provider.Type.TRANSPORT, "smtp", MockTransport.class.getName(), "MockTransport", "1.0"); diff --git a/utils/build/docker/java/iast-common/src/main/java/com/datadoghq/system_tests/iast/utils/mock/MockTransport.java b/utils/build/docker/java/iast-common/src/main/java/com/datadoghq/system_tests/iast/utils/mock/MockTransport.java index 751481d4d2..6645e0f5a7 100644 --- a/utils/build/docker/java/iast-common/src/main/java/com/datadoghq/system_tests/iast/utils/mock/MockTransport.java +++ b/utils/build/docker/java/iast-common/src/main/java/com/datadoghq/system_tests/iast/utils/mock/MockTransport.java 
@@ -5,25 +5,12 @@ import javax.mail.Transport; import javax.mail.URLName; import javax.mail.Address; -import java.util.Properties; public class MockTransport extends Transport { public MockTransport(Session session, URLName urlname) { super(session, urlname); } - public MockTransport() { - this(Session.getInstance(new Properties()), null); - } - - public MockTransport(Session session) { - this(session, null); - } - - public static Transport newInstance(Session session) { - return new MockTransport(session, null); - } - public void sendMessage(Message msg, Address[] addresses) throws MessagingException { this.notifyTransportListeners(1, addresses, new Address[0], new Address[0], msg); @@ -35,6 +22,5 @@ public void connect() { this.notifyConnectionListeners(1); } - public synchronized void connect(String host, int port, String user, String password) - throws MessagingException {} + public synchronized void connect(String host, int port, String user, String password) {} } \ No newline at end of file From 591187b27458345d8ea50ec9d32cae7b30d14825 Mon Sep 17 00:00:00 2001 From: "sezen.leblay" Date: Wed, 29 Jan 2025 16:51:11 +0100 Subject: [PATCH 07/13] cleanup --- .../datadoghq/system_tests/iast/utils/EmailExamples.java | 6 ++---- .../com/datadoghq/system_tests/springboot/AppSecIast.java | 4 ++-- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/utils/build/docker/java/iast-common/src/main/java/com/datadoghq/system_tests/iast/utils/EmailExamples.java b/utils/build/docker/java/iast-common/src/main/java/com/datadoghq/system_tests/iast/utils/EmailExamples.java index 0d61990b1a..d088251911 100644 --- a/utils/build/docker/java/iast-common/src/main/java/com/datadoghq/system_tests/iast/utils/EmailExamples.java +++ b/utils/build/docker/java/iast-common/src/main/java/com/datadoghq/system_tests/iast/utils/EmailExamples.java 
@@ -6,15 +6,13 @@ import javax.mail.MessagingException; import javax.mail.Session; import javax.mail.Provider; +import javax.mail.internet.InternetAddress; import javax.mail.internet.MimeMessage; import java.util.Properties; public class EmailExamples { - public EmailExamples() { - } - public void mail(final String emailContent) throws MessagingException { Session session = Session.getDefaultInstance(new Properties()); Provider provider = @@ -23,7 +21,7 @@ public void mail(final String emailContent) throws MessagingException { session.setProvider(provider); Message email = new MimeMessage(session); email.setContent(emailContent, "text/html"); - email.setRecipient(Message.RecipientType.TO, new javax.mail.internet.InternetAddress("abc@datadoghq.com")); + email.setRecipient(Message.RecipientType.TO, new InternetAddress("abc@datadoghq.com")); MockTransport.send(email); diff --git a/utils/build/docker/java/spring-boot/src/main/java/com/datadoghq/system_tests/springboot/AppSecIast.java b/utils/build/docker/java/spring-boot/src/main/java/com/datadoghq/system_tests/springboot/AppSecIast.java index 7b144e125d..eabe9f6465 100644 --- a/utils/build/docker/java/spring-boot/src/main/java/com/datadoghq/system_tests/springboot/AppSecIast.java +++ b/utils/build/docker/java/spring-boot/src/main/java/com/datadoghq/system_tests/springboot/AppSecIast.java 
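Review bot: `mail` has no Javadoc, and nothing in `EmailExamples` records that the unescaped `setContent(emailContent, "text/html")` is the point of the class rather than an oversight, which matters for a method whose whole purpose is to look like a bug. A Javadoc on the signature in this hunk should state that the method is an intentionally vulnerable HTML-email sink used by the IAST email-HTML-injection system test, that `emailContent` is placed into the body verbatim and callers decide whether to escape it first, that the fixed `abc@datadoghq.com` recipient never leaves the process because delivery goes through `MockTransport`, and `@throws MessagingException` when the message cannot be built or handed to the transport. The class-level comment can be one line: `/** Email sinks exercised by the IAST email HTML injection test; see AppSecIast#emailHtmlInjectionInsecure. */`.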
@@ -458,13 +458,13 @@ void scSOverloadedInsecure(final ServletRequest request, final ServletResponse } @PostMapping("/email_html_injection/test_insecure") - public void emailHtmlInjectionInsecure(final HttpServletRequest request, final HttpServletResponse response) throws MessagingException { + void emailHtmlInjectionInsecure(final HttpServletRequest request) throws MessagingException { String email = request.getParameter("username"); emailExamples.mail(email); } @PostMapping("/email_html_injection/test_secure") - public void emailHtmlInjectionSecure(final HttpServletRequest request, final HttpServletResponse response) throws MessagingException { + void emailHtmlInjectionSecure(final HttpServletRequest request) throws MessagingException { String email = request.getParameter("username"); emailExamples.mail(StringEscapeUtils.escapeHtml4(email)); } From 78cc17883c72451e5217c533c5a82c8f992392d7 Mon Sep 17 00:00:00 2001 From: "sezen.leblay" Date: Thu, 30 Jan 2025 10:15:44 +0100 Subject: [PATCH 08/13] pom change --- utils/build/docker/java/iast-common/pom.xml | 20 +++++++++++++++++++ utils/build/docker/java/spring-boot/pom.xml | 22 --------------------- 2 files changed, 20 insertions(+), 22 deletions(-) diff --git a/utils/build/docker/java/iast-common/pom.xml b/utils/build/docker/java/iast-common/pom.xml index aa5db23f23..558e9068bf 100644 --- a/utils/build/docker/java/iast-common/pom.xml +++ b/utils/build/docker/java/iast-common/pom.xml @@ -34,6 +34,26 @@ 6.0.8 true + + org.apache.commons + commons-lang3 + 3.17.0 + + + javax.mail + javax.mail-api + 1.6.2 + + + javax.activation + activation + 1.1.1 + + + com.sun.mail + javax.mail + 1.6.2 + diff --git a/utils/build/docker/java/spring-boot/pom.xml b/utils/build/docker/java/spring-boot/pom.xml index 6cbed5c0ac..14e2d0cb97 100644 --- a/utils/build/docker/java/spring-boot/pom.xml +++ b/utils/build/docker/java/spring-boot/pom.xml 
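Review bot: Both handlers still hand `request.getParameter("username")` to `mail` unchecked, and that value is `null` when the form field is absent; neither this hunk nor `mail` guards it, so what the endpoint returns then depends on how `MimeMessage.setContent(null, "text/html")` and the mock transport react, which is not visible here. A one-line guard before each `emailExamples.mail(...)` call, `if (email == null) { throw new IllegalArgumentException("username is required"); }`, makes the failure explicit; `@RequestParam("username")` would do the same with a 400, provided that binding is still treated as a taint source by the tracer (not something this diff shows). `AppSecIast` itself begins and ends outside the hunk.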
@@ -199,28 +199,6 @@ kinesis 2.17.85 - - - org.apache.commons - commons-lang3 - 3.17.0 - - - javax.mail - javax.mail-api - 1.6.2 - - - javax.activation - activation - 1.1.1 - - - com.sun.mail - javax.mail - 1.6.2 - - From 0908d1120aa31f66d756b8eb18987347dad4c862 Mon Sep 17 00:00:00 2001 From: "sezen.leblay" Date: Thu, 30 Jan 2025 10:41:33 +0100 Subject: [PATCH 09/13] pom change --- utils/build/docker/java/spring-boot/pom.xml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/utils/build/docker/java/spring-boot/pom.xml b/utils/build/docker/java/spring-boot/pom.xml index 14e2d0cb97..212234b216 100644 --- a/utils/build/docker/java/spring-boot/pom.xml +++ b/utils/build/docker/java/spring-boot/pom.xml @@ -199,6 +199,26 @@ kinesis 2.17.85 + + org.apache.commons + commons-lang3 + 3.17.0 + + + javax.mail + javax.mail-api + 1.6.2 + + + javax.activation + activation + 1.1.1 + + + com.sun.mail + javax.mail + 1.6.2 + From 0c99bca076cf3763d711aa49b61c9eacdc11cd81 Mon Sep 17 00:00:00 2001 From: "sezen.leblay" Date: Thu, 30 Jan 2025 11:49:44 +0100 Subject: [PATCH 10/13] pom change --- utils/build/docker/java/akka-http/pom.xml | 20 ++++++++++++++++++ utils/build/docker/java/iast-common/pom.xml | 4 ++++ .../build/docker/java/jersey-grizzly2/pom.xml | 20 ++++++++++++++++++ utils/build/docker/java/parametric/pom.xml | 20 ++++++++++++++++++ utils/build/docker/java/play/pom.xml | 20 ++++++++++++++++++ utils/build/docker/java/ratpack/pom.xml | 20 ++++++++++++++++++ .../build/docker/java/resteasy-netty3/pom.xml | 21 ++++++++++++++++++- .../docker/java/spring-boot-3-native/pom.xml | 20 ++++++++++++++++++ utils/build/docker/java/vertx3/pom.xml | 20 ++++++++++++++++++ utils/build/docker/java/vertx4/pom.xml | 20 ++++++++++++++++++ 10 files changed, 184 insertions(+), 1 deletion(-) diff --git a/utils/build/docker/java/akka-http/pom.xml b/utils/build/docker/java/akka-http/pom.xml index 6489065085..46b3a3f9af 100644 --- a/utils/build/docker/java/akka-http/pom.xml 
+++ b/utils/build/docker/java/akka-http/pom.xml @@ -96,6 +96,26 @@ spray-json_2.13 1.3.6 + + org.apache.commons + commons-lang3 + 3.17.0 + + + javax.mail + javax.mail-api + 1.6.2 + + + javax.activation + activation + 1.1.1 + + + com.sun.mail + javax.mail + 1.6.2 + diff --git a/utils/build/docker/java/iast-common/pom.xml b/utils/build/docker/java/iast-common/pom.xml index 558e9068bf..a26dc2d1aa 100644 --- a/utils/build/docker/java/iast-common/pom.xml +++ b/utils/build/docker/java/iast-common/pom.xml @@ -38,21 +38,25 @@ org.apache.commons commons-lang3 3.17.0 + true javax.mail javax.mail-api 1.6.2 + true javax.activation activation 1.1.1 + true com.sun.mail javax.mail 1.6.2 + true diff --git a/utils/build/docker/java/jersey-grizzly2/pom.xml b/utils/build/docker/java/jersey-grizzly2/pom.xml index 4972445c28..faf80c2758 100644 --- a/utils/build/docker/java/jersey-grizzly2/pom.xml +++ b/utils/build/docker/java/jersey-grizzly2/pom.xml @@ -89,6 +89,26 @@ jackson-databind 2.12.3 + + org.apache.commons + commons-lang3 + 3.17.0 + + + javax.mail + javax.mail-api + 1.6.2 + + + javax.activation + activation + 1.1.1 + + + com.sun.mail + javax.mail + 1.6.2 + diff --git a/utils/build/docker/java/parametric/pom.xml b/utils/build/docker/java/parametric/pom.xml index 711b011fd2..3ca801a4fa 100644 --- a/utils/build/docker/java/parametric/pom.xml +++ b/utils/build/docker/java/parametric/pom.xml @@ -55,6 +55,26 @@ opentelemetry-api ${opentelemetry.version} + + org.apache.commons + commons-lang3 + 3.17.0 + + + javax.mail + javax.mail-api + 1.6.2 + + + javax.activation + activation + 1.1.1 + + + com.sun.mail + javax.mail + 1.6.2 + diff --git a/utils/build/docker/java/play/pom.xml b/utils/build/docker/java/play/pom.xml index f26eaa1ca2..45e397169a 100644 --- a/utils/build/docker/java/play/pom.xml +++ b/utils/build/docker/java/play/pom.xml 
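Review bot: The same four-dependency block is pasted verbatim into nine application poms in this patch (akka-http here, then jersey-grizzly2, parametric, play, ratpack, resteasy-netty3, spring-boot-3-native, vertx3 and vertx4), apparently because the iast-common hunk marks those four as `true` — presumably `<optional>true</optional>`, the element names are lost in this rendering — which stops them being inherited transitively. Eight of those frameworks are recorded in the PATCH 01 manifest as `missing_feature (No endpoint implemented)`, so they now ship a mail stack they never exercise. If the optional marking is kept, the versions should at least live in one place (a shared property or `dependencyManagement` entry) rather than nine copies of `1.6.2`, `1.1.1` and `3.17.0`; if it is not needed, declaring them once in iast-common is the smaller change.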
@@ -81,6 +81,26 @@ hsqldb 2.7.1 + + org.apache.commons + commons-lang3 + 3.17.0 + + + javax.mail + javax.mail-api + 1.6.2 + + + javax.activation + activation + 1.1.1 + + + com.sun.mail + javax.mail + 1.6.2 + diff --git a/utils/build/docker/java/ratpack/pom.xml b/utils/build/docker/java/ratpack/pom.xml index 2d738d1d92..2dfe32f183 100644 --- a/utils/build/docker/java/ratpack/pom.xml +++ b/utils/build/docker/java/ratpack/pom.xml @@ -66,6 +66,26 @@ jackson-core LATEST + + org.apache.commons + commons-lang3 + 3.17.0 + + + javax.mail + javax.mail-api + 1.6.2 + + + javax.activation + activation + 1.1.1 + + + com.sun.mail + javax.mail + 1.6.2 + diff --git a/utils/build/docker/java/resteasy-netty3/pom.xml b/utils/build/docker/java/resteasy-netty3/pom.xml index b37f014641..92a701e748 100644 --- a/utils/build/docker/java/resteasy-netty3/pom.xml +++ b/utils/build/docker/java/resteasy-netty3/pom.xml @@ -87,7 +87,26 @@ jackson-core 2.17.1 - + + org.apache.commons + commons-lang3 + 3.17.0 + + + javax.mail + javax.mail-api + 1.6.2 + + + javax.activation + activation + 1.1.1 + + + com.sun.mail + javax.mail + 1.6.2 + diff --git a/utils/build/docker/java/spring-boot-3-native/pom.xml b/utils/build/docker/java/spring-boot-3-native/pom.xml index 1aa10676f7..ed432c1164 100644 --- a/utils/build/docker/java/spring-boot-3-native/pom.xml +++ b/utils/build/docker/java/spring-boot-3-native/pom.xml @@ -54,6 +54,26 @@ javax.servlet-api 4.0.1 + + org.apache.commons + commons-lang3 + 3.17.0 + + + javax.mail + javax.mail-api + 1.6.2 + + + javax.activation + activation + 1.1.1 + + + com.sun.mail + javax.mail + 1.6.2 + diff --git a/utils/build/docker/java/vertx3/pom.xml b/utils/build/docker/java/vertx3/pom.xml index 70854dcf2b..ae2167ecde 100644 --- a/utils/build/docker/java/vertx3/pom.xml +++ b/utils/build/docker/java/vertx3/pom.xml 
@@ -75,6 +75,26 @@ okhttp 3.0.0 + + org.apache.commons + commons-lang3 + 3.17.0 + + + javax.mail + javax.mail-api + 1.6.2 + + + javax.activation + activation + 1.1.1 + + + com.sun.mail + javax.mail + 1.6.2 + diff --git a/utils/build/docker/java/vertx4/pom.xml b/utils/build/docker/java/vertx4/pom.xml index 7762cfb024..4042ac4acb 100644 --- a/utils/build/docker/java/vertx4/pom.xml +++ b/utils/build/docker/java/vertx4/pom.xml @@ -75,6 +75,26 @@ okhttp 3.0.0 + + org.apache.commons + commons-lang3 + 3.17.0 + + + javax.mail + javax.mail-api + 1.6.2 + + + javax.activation + activation + 1.1.1 + + + com.sun.mail + javax.mail + 1.6.2 + From fbfe5e29f97bcb73da7df542422f1e9d02920ba1 Mon Sep 17 00:00:00 2001 From: Sezen Leblay Date: Wed, 5 Feb 2025 14:30:31 +0100 Subject: [PATCH 11/13] Update manifests/java.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Mario Vidal Domínguez <60353145+Mariovido@users.noreply.github.com> --- manifests/java.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/java.yml b/manifests/java.yml index d36454c494..f071bed211 100644 --- a/manifests/java.yml +++ b/manifests/java.yml @@ -90,7 +90,7 @@ tests/: vertx3: missing_feature (No endpoint implemented) vertx4: missing_feature (No endpoint implemented) TestEmailHtmlInjection_StackTrace: - '*': v1.46.0 + '*': v1.47.0 akka-http: missing_feature (No endpoint implemented) jersey-grizzly2: missing_feature (No endpoint implemented) play: missing_feature (No endpoint implemented) From 9d7dd4af6900f9579b1c72183c21a0bd2a6ae6c4 Mon Sep 17 00:00:00 2001 From: Sezen Leblay Date: Wed, 5 Feb 2025 14:30:36 +0100 Subject: [PATCH 12/13] Update manifests/java.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Mario Vidal Domínguez <60353145+Mariovido@users.noreply.github.com> --- manifests/java.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/manifests/java.yml b/manifests/java.yml index f071bed211..97d0074736 100644 --- a/manifests/java.yml +++ b/manifests/java.yml @@ -80,7 +80,7 @@ tests/: spring-boot-3-native: missing_feature (GraalVM. Tracing support only) test_email_html_injection.py: TestEmailHtmlInjection: - '*': v1.46.0 + '*': v1.47.0 akka-http: missing_feature (No endpoint implemented) jersey-grizzly2: missing_feature (No endpoint implemented) play: missing_feature (No endpoint implemented) From 3b6f67308ef79607c95b734a82e96354cf26a2b2 Mon Sep 17 00:00:00 2001 From: "sezen.leblay" Date: Wed, 5 Feb 2025 14:42:59 +0100 Subject: [PATCH 13/13] dependencies --- .../docker/java_otel/spring-boot/pom.xml | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/utils/build/docker/java_otel/spring-boot/pom.xml b/utils/build/docker/java_otel/spring-boot/pom.xml index 14e2d0cb97..212234b216 100644 --- a/utils/build/docker/java_otel/spring-boot/pom.xml +++ b/utils/build/docker/java_otel/spring-boot/pom.xml @@ -199,6 +199,26 @@ kinesis 2.17.85 + + org.apache.commons + commons-lang3 + 3.17.0 + + + javax.mail + javax.mail-api + 1.6.2 + + + javax.activation + activation + 1.1.1 + + + com.sun.mail + javax.mail + 1.6.2 +