How to use org.owasp.encoder.Encode in Java?

Question
import java.io.IOException;
import java.util.Properties;
import javax.mail.MessagingException;
import javax.mail.Session;
import javax.mail.Transport;
import javax.mail.internet.AddressException;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;

public static void sendEmail(String to, String cc, String subject, String content) throws IOException {
    LOG.info(ESAPIValidation.sanitizeParam((String.format("EmailUtil.sendEMail() \n To: %s\n Subject: %s \n Content: %s", to, subject, content))));
    String host = ApplicationUtil.getProperty(ApplicationConstants.AL_WS_MAIL_HOST);
    String port = ApplicationUtil.getProperty(ApplicationConstants.AL_WS_MAIL_PORT);
    String from = ApplicationUtil.getProperty(ApplicationConstants.AL_WS_MAIL_FROM);
    String defaultToAdd = ApplicationUtil.getProperty(ApplicationConstants.AL_WS_DEFAULT_MAIL);
    String emailSystemPrefix = ApplicationUtil.getProperty(ApplicationConstants.EMAIL_PREFIX);
    if (StringUtil.isNullOrEmpty(emailSystemPrefix)) {
        emailSystemPrefix = "";
    } else {
        emailSystemPrefix = emailSystemPrefix + " - ";
    }
    Properties properties = System.getProperties();
    properties.setProperty("mail.smtp.host", host);
    properties.setProperty("mail.smtp.port", port);
    Session session = Session.getDefaultInstance(properties);
    try {
        MimeMessage message = new MimeMessage(session);
        message.setFrom(new InternetAddress(from));
        addToList(message, to);
        addCCList(message, cc);
        if (cc == null || (cc != null && !cc.equals(defaultToAdd)))
            addCCList(message, defaultToAdd);
        content = addFooter(content);
        // Veracode flags this line: the caller-supplied subject goes into a mail header unchanged.
        message.setSubject(emailSystemPrefix + subject);
        message.setContent(content.replace("textarea", "div"), "text/html; charset=utf-8");
        Transport.send(message);
    } catch (AddressException addressException) {
        LOG.warn("EmailUtil.triggerDBFailureMail() AddressException ", addressException);
    } catch (MessagingException messageException) {
        LOG.warn("EmailUtil.triggerDBFailureMail() MessagingException ", messageException);
    }
}
Here in this code, I'm getting a Veracode issue:
> Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE ID 93)
on
message.setSubject(emailSystemPrefix + subject);
I'm trying to use org.owasp.encoder.Encode to resolve this, but I do not know the usage of the Encode class. Can anybody please give a brief overview of the implementation of the Encode class, where it is used, and what it resolves?
Answer 1
Score: 0
You can read about the Encode class in the docs:
> Encode -- fluent interface for contextual encoding.
>
> There are two versions of each contextual encoding method. The first takes a String argument and returns the encoded version as a String. The second version writes the encoded version directly to a Writer.
>
> Please make sure to read and understand the context that the method encodes for. Encoding for the incorrect context will likely lead to exposing a cross-site scripting vulnerability.
And about CRLF Injection:
> The term CRLF refers to Carriage Return (ASCII 13, \r) Line Feed (ASCII 10, \n). They’re used to note the termination of a line, however, dealt with differently in today’s popular Operating Systems. For example: in Windows both a CR and LF are required to note the end of a line, whereas in Linux/UNIX a LF is only required. In the HTTP protocol, the CR-LF sequence is always used to terminate a line.
>
> A CRLF Injection attack occurs when a user manages to submit a CRLF into an application. This is most commonly done by modifying an HTTP parameter or URL.
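As an added example (not code from the question or the answer), this shows how the subject can be neutralized before it reaches setSubject. OWASP Java Encoder has no encoder for a mail-header context, so the assumed helper class MailHeaderSafety strips CR, LF and other control characters itself; Encode.forJava is shown alongside because it is the closest encoder in the library, turning each CR/LF into a visible backslash escape rather than a line break.

```java
import java.util.regex.Pattern;
import org.owasp.encoder.Encode;

/** Assumed helper, not part of the project in the question. */
public final class MailHeaderSafety {

    // CR (0x0D), LF (0x0A), every other ASCII control character and DEL:
    // none of them belong in a single-line header value such as Subject.
    private static final Pattern CONTROL_CHARS = Pattern.compile("[\\x00-\\x1F\\x7F]");

    private MailHeaderSafety() {}

    /**
     * Replaces each control character with a space and trims the result,
     * so the value can no longer start a second header line.
     */
    public static String neutralizeHeaderValue(String value) {
        if (value == null) {
            return "";
        }
        return CONTROL_CHARS.matcher(value).replaceAll(" ").trim();
    }

    /**
     * Alternative using OWASP Java Encoder: Encode.forJava escapes the value
     * as a Java string literal would, so "\r\n" becomes the four characters
     * backslash-r backslash-n and the header stays on one line. The escapes
     * remain visible to the recipient, which is why stripping is usually preferred.
     */
    public static String escapeHeaderValue(String value) {
        return Encode.forJava(value == null ? "" : value);
    }

    public static void main(String[] args) {
        // Constructed sample: a subject value carrying an embedded line break
        // followed by text shaped like a second header.
        String untrusted = "Invoice 42\r\nX-Injected: yes";

        // "Invoice 42   X-Injected: yes" (one line, CR/LF gone)
        System.out.println(neutralizeHeaderValue(untrusted));

        // "Invoice 42\\r\\nX-Injected: yes" (one line, escapes visible)
        System.out.println(escapeHeaderValue(untrusted));
    }
}
```

In the question's method the flagged line would then become `message.setSubject(emailSystemPrefix + MailHeaderSafety.neutralizeHeaderValue(subject));`; the same treatment applies to any other caller-supplied value written into a header.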