DataDog · sezen-datadog · Jan 28, 2025 · Jan 28, 2025 · Jan 28, 2025 · Jan 29, 2025
@@ -79,8 +79,26 @@ tests/:
             ratpack: missing_feature
             spring-boot-3-native: missing_feature (GraalVM. Tracing support only)
         test_email_html_injection.py:
-          TestEmailHtmlInjection: missing_feature
-          TestEmailHtmlInjection_StackTrace: missing_feature
+          TestEmailHtmlInjection:
+            '*': v1.46.0
+            akka-http: missing_feature (No endpoint implemented)
+            jersey-grizzly2: missing_feature (No endpoint implemented)
+            play: missing_feature (No endpoint implemented)
+            ratpack: missing_feature (No endpoint implemented)
+            resteasy-netty3: missing_feature (No endpoint implemented)
+            spring-boot-3-native: missing_feature (No endpoint implemented)
+            vertx3: missing_feature (No endpoint implemented)
+            vertx4: missing_feature (No endpoint implemented)
+          TestEmailHtmlInjection_StackTrace:
+            '*': v1.46.0
+            akka-http: missing_feature (No endpoint implemented)
+            jersey-grizzly2: missing_feature (No endpoint implemented)
+            play: missing_feature (No endpoint implemented)
+            ratpack: missing_feature (No endpoint implemented)
+            resteasy-netty3: missing_feature (No endpoint implemented)
+            spring-boot-3-native: missing_feature (No endpoint implemented)
+            vertx3: missing_feature (No endpoint implemented)
+            vertx4: missing_feature (No endpoint implemented)
         test_hardcoded_passwords.py:
           Test_HardcodedPasswords: missing_feature
           Test_HardcodedPasswords_StackTrace: missing_feature

@@ -0,0 +1,31 @@
+package com.datadoghq.system_tests.iast.utils;
+
+import com.datadoghq.system_tests.iast.utils.mock.MockTransport;
+
+import javax.mail.Message;
+import javax.mail.MessagingException;
+import javax.mail.Session;
+import javax.mail.Provider;
+import javax.mail.internet.InternetAddress;
+import javax.mail.internet.MimeMessage;
+import java.util.Properties;
+
+
+public class EmailExamples {
+
+    public void mail(final String emailContent) throws MessagingException {
+        Session session = Session.getDefaultInstance(new Properties());
+        Provider provider =
+                new Provider(
+                        Provider.Type.TRANSPORT, "smtp", MockTransport.class.getName(), "MockTransport", "1.0");
+        session.setProvider(provider);
+        Message email = new MimeMessage(session);
+        email.setContent(emailContent, "text/html");
+        email.setRecipient(Message.RecipientType.TO, new InternetAddress("[email protected]"));
+
+        MockTransport.send(email);
+
+    }
+
+
+}
@@ -0,0 +1,26 @@
+package com.datadoghq.system_tests.iast.utils.mock;
+import javax.mail.Message;
+import javax.mail.MessagingException;
+import javax.mail.Session;
+import javax.mail.Transport;
+import javax.mail.URLName;
+import javax.mail.Address;
+
+public class MockTransport extends Transport {
+        public MockTransport(Session session, URLName urlname) {
+            super(session, urlname);
+        }
+
+        public void sendMessage(Message msg, Address[] addresses) throws MessagingException {
+            this.notifyTransportListeners(1, addresses, new Address[0], new Address[0], msg);
+
+        }
+
+        @Override
+        public void connect() {
+            this.setConnected(true);
+            this.notifyConnectionListeners(1);
+        }
+
+        public synchronized void connect(String host, int port, String user, String password) {}
+    }
@@ -199,6 +199,28 @@
             <artifactId>kinesis</artifactId>
             <version>2.17.85</version>
         </dependency>
+
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>3.17.0</version>
+        </dependency>
+        <dependency>
+            <groupId>javax.mail</groupId>
+            <artifactId>javax.mail-api</artifactId>
+            <version>1.6.2</version>
+        </dependency>
+        <dependency>
+            <groupId>javax.activation</groupId>
+            <artifactId>activation</artifactId>
+            <version>1.1.1</version>
+        </dependency>
+        <dependency>
+            <groupId>com.sun.mail</groupId>
+            <artifactId>javax.mail</artifactId>
+            <version>1.6.2</version>
+        </dependency>
+
     </dependencies>
 
     <dependencyManagement>

@@ -9,6 +9,7 @@
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
+import javax.mail.MessagingException;
 import javax.naming.Context;
 import javax.naming.NamingException;
 import javax.naming.directory.InitialDirContext;
@@ -21,6 +22,8 @@
 import java.io.IOException;
 import java.util.Hashtable;
 
+import org.apache.commons.lang3.StringEscapeUtils;
+
 @RestController
 @RequestMapping("/iast")
 public class AppSecIast {
@@ -38,6 +41,7 @@ public class AppSecIast {
     private final HardcodedSecretExamples hardcodedSecretExamples;
     private final ReflectionExamples reflectionExamples;
     private final DeserializationExamples deserializationExamples;
+    private final EmailExamples emailExamples;
 
 
     public AppSecIast(final DataSource dataSource) {
@@ -52,6 +56,7 @@ public AppSecIast(final DataSource dataSource) {
         this.hardcodedSecretExamples = new HardcodedSecretExamples();
         this.reflectionExamples = new ReflectionExamples();
         this.deserializationExamples = new DeserializationExamples();
+        this.emailExamples = new EmailExamples();
     }
 
     @RequestMapping("/hardcoded_secrets/test_insecure")
@@ -452,6 +457,17 @@ void scSOverloadedInsecure(final ServletRequest request,  final ServletResponse
         cmdExamples.insecureCmd(sanitized);
     }
 
+    @PostMapping("/email_html_injection/test_insecure")
+    void emailHtmlInjectionInsecure(final HttpServletRequest request) throws MessagingException {
+        String email = request.getParameter("username");
+        emailExamples.mail(email);
+    }
+
+    @PostMapping("/email_html_injection/test_secure")
+    void emailHtmlInjectionSecure(final HttpServletRequest request) throws MessagingException {
+        String email = request.getParameter("username");
+        emailExamples.mail(StringEscapeUtils.escapeHtml4(email));
+    }
 
     /**
      * TODO: Ldap is failing to startup in native image this method ensures it's started lazily