
I did a SAST scan of my code on the Veracode platform and I got this vulnerability in the Java mail functionality which I am using to send mails from my application. The following is the vulnerability that comes up - Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE ID 93).

message.setSubject(subjectOfEmail);

I have heard that we can use the ESAPI library but I cannot find an appropriate validation function for this. Someone please help me remediate this issue so that it does not come up in the scan again.

Shaan Anshu

3 Answers


Check out this page on the Veracode Help Centre that lists out the validation libraries that will remediate certain flaw classes:

https://help.veracode.com/reader/DGHxSJy3Gn3gtuSIN2jkRQ/y52kZojXR27Y8XY51KtvvA

There are a whole slew of ESAPI libraries that will remediate CWE 93 flaws, including

org.owasp.esapi.Encoder.encodeForHTML
Jon Janego

If all you are looking to prevent in this case is a header injection issue (which is what CWE ID 93 is related to), then look at ESAPI's org.owasp.esapi.StringUtilities class. In particular, the static method stripControls() is probably exactly what you need. Using Encoder.encodeForHTML() will probably encode for more than what you want since it assumes an HTML context. (Of course, you may want that if you are concerned about preventing XSS on the Subject headers of certain web email clients. Generally those clients should already have that protection built into them though, so if you encode it, it could end up being encoded twice and not render correctly.)

Keep in mind that if you use StringUtilities.stripControls(), Veracode's SAST engine may still flag your code for the CWE, as I am not sure that it recognizes that class's method as removing the taint flag in this particular case. (But you can always mention it as a mitigation comment.)

Kevin W. Wall
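The header-splitting behaviour this answer describes, as an added example that is not from the question or from ESAPI: a naive mailer concatenates the subject straight into the header block, so a CR/LF pair inside it ends the Subject line and whatever follows becomes a new header. The stripControls() helper here is a self-contained stand-in with the same effect as ESAPI's StringUtilities.stripControls() (remove every ASCII control character), and isSafeSubject() shows the reject-instead-of-repair alternative; the sample subject and addresses are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class SubjectHeaderDemo {

    // Vulnerable path: the subject is written into the raw header block with no neutralization,
    // which is what a taint-tracking scanner is objecting to at message.setSubject(subjectOfEmail).
    static String buildHeadersUnsafe(String to, String subject) {
        return "To: " + to + "\r\n"
             + "Subject: " + subject + "\r\n"
             + "\r\n";
    }

    // Repair option: drop CR (0x0D), LF (0x0A) and every other ASCII control character, incl. DEL.
    // Stand-in for ESAPI's StringUtilities.stripControls(), kept dependency-free so this file compiles alone.
    static String stripControls(String input) {
        if (input == null) return "";
        StringBuilder sb = new StringBuilder(input.length());
        for (char c : input.toCharArray()) {
            if (c < 0x20 || c == 0x7F) continue;
            sb.append(c);
        }
        return sb.toString();
    }

    // Reject option: refuse the value so the caller can log the attempt instead of silently fixing it.
    private static final Pattern CONTROL = Pattern.compile("[\\x00-\\x1F\\x7F]");
    static boolean isSafeSubject(String subject) {
        return subject != null && !CONTROL.matcher(subject).find();
    }

    // Lists the header names in a raw header block; a subject value must never add a header of its own.
    static List<String> headerNames(String rawHeaders) {
        List<String> names = new ArrayList<>();
        for (String line : rawHeaders.split("\r\n")) {
            int colon = line.indexOf(':');
            if (colon > 0) names.add(line.substring(0, colon));
        }
        return names;
    }

    public static void main(String[] args) {
        // Constructed tainted subject: the embedded CRLF would smuggle in an extra Bcc header.
        String tainted = "Invoice 42\r\nBcc: hidden@example.invalid";
        String to = "user@example.invalid";
        System.out.println("unsafe  -> " + headerNames(buildHeadersUnsafe(to, tainted)));
        System.out.println("cleaned -> " + headerNames(buildHeadersUnsafe(to, stripControls(tainted))));
        System.out.println("accept tainted? " + isSafeSubject(tainted) + ", accept cleaned? " + isSafeSubject(stripControls(tainted)));
    }
}
```

Running it shows three header names for the unsafe build and only two once the control characters are stripped; the stripped text stays inside the Subject line because no line break is left to end it.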

Use ESAPI's decodeForHTML() method as in the sample below.

ESAPI.encoder().decodeForHTML(subjectOfEmail)

Mayur Jain