will validate method on InternetAddress object remove the CRLF injection issue

Question

I scanned the project with veracode and it is giving issues for CWE ID 93(CRLF injection), This issue is occurring at the bellow line-

InternetAddress[] address = {new InternetAddress(username)};
msg.setRecipients(Message.RecipientType.TO, address);

Veracode is flagging the issue 93 at second line from above code. username is parsed from request object which is string buffer

so one of my colleague suggested me that I should use validate method to remove CRLF characters. Will the validate method on address object remove CRLF delimiters ?

validate() method is method on InternetAddress Object that can check the correctness of the mail address, https://docs.oracle.com/javaee/6/api/javax/mail/internet/InternetAddress.html#validate() — Pavan Divekar, Jun 19 '19 at 09:13
It will not. validate use to check the address only. It throws "AddressException - if the address isn't valid.". — Mayur Jain, Jul 09 '19 at 06:54

score 0 · Answer 1 · answered Jul 09 '19 at 07:27

0

Use ESAPI(The OWASP Enterprise Security API) . Its totally free.

After setup ESAPI below code will resolve the issue.

ESAPI.encoder().decodeForHTML(username)

answered Jul 09 '19 at 07:27

Mayur Jain

149
5

will validate method on InternetAddress object remove the CRLF injection issue

1 Answers1