How to use org.owasp.encoder.Encode in Java?

Question

```java
// Needs javax.mail (Session, Transport, MessagingException, MimeMessage,
// InternetAddress, AddressException) and java.util.Properties. LOG,
// ESAPIValidation, ApplicationUtil, ApplicationConstants, StringUtil,
// addToList, addCCList and addFooter are the project's own helpers.
public static void sendEmail(String to, String cc, String subject, String content) throws IOException {
    LOG.info(ESAPIValidation.sanitizeParam((String.format("EmailUtil.sendEMail() \n To: %s\n Subject: %s \n  Content: %s", to, subject, content))));
    String host = ApplicationUtil.getProperty(ApplicationConstants.AL_WS_MAIL_HOST);
    String port = ApplicationUtil.getProperty(ApplicationConstants.AL_WS_MAIL_PORT);
    String from = ApplicationUtil.getProperty(ApplicationConstants.AL_WS_MAIL_FROM);
    String defaultToAdd = ApplicationUtil.getProperty(ApplicationConstants.AL_WS_DEFAULT_MAIL);
    String emailSystemPrefix = ApplicationUtil.getProperty(ApplicationConstants.EMAIL_PREFIX);

    // Optional, trusted prefix taken from configuration.
    if (StringUtil.isNullOrEmpty(emailSystemPrefix)) {
        emailSystemPrefix = "";
    } else {
        emailSystemPrefix = emailSystemPrefix + " - ";
    }

    Properties properties = System.getProperties();
    properties.setProperty("mail.smtp.host", host);
    properties.setProperty("mail.smtp.port", port);
    Session session = Session.getDefaultInstance(properties);

    try {
        MimeMessage message = new MimeMessage(session);
        message.setFrom(new InternetAddress(from));

        addToList(message, to);

        addCCList(message, cc);
        // Always copy the default address unless it is already the CC.
        if (cc == null || !cc.equals(defaultToAdd)) {
            addCCList(message, defaultToAdd);
        }

        content = addFooter(content);
        // Veracode flags this line: subject is caller-supplied and may contain CR/LF (CWE-93).
        message.setSubject(emailSystemPrefix + subject);
        message.setContent(content.replace("textarea", "div"), "text/html; charset=utf-8");
        Transport.send(message);

    } catch (AddressException addressException) {
        LOG.warn("EmailUtil.triggerDBFailureMail() AddressException ", addressException);
    } catch (MessagingException messageException) {
        LOG.warn("EmailUtil.triggerDBFailureMail() MessagingException ", messageException);
    }
}
```

Here in this code, I'm getting a Veracode issue:

> Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE ID 93)

on

```java
message.setSubject(emailSystemPrefix + subject);
```

I'm trying to use org.owasp.encoder.Encode to resolve the same, but I do not know the usage of the Encode class. Can anybody please brief me about the implementation of the Encode class, where it is used, and what it resolves?

Answer 1

Score: 0

You can read about the Encode class in the docs:
> Encode -- fluent interface for contextual encoding.
>
> There are two versions of each contextual encoding method. The first takes a String argument and returns the encoded version as a String. The second version writes the encoded version directly to a Writer.
>
> Please make sure to read and understand the context that the method encodes for. Encoding for the incorrect context will likely lead to exposing a cross-site scripting vulnerability.

And CRLF Injection:
> The term CRLF refers to Carriage Return (ASCII 13, \r) Line Feed (ASCII 10, \n). They’re used to note the termination of a line, however, dealt with differently in today’s popular Operating Systems. For example: in Windows both a CR and LF are required to note the end of a line, whereas in Linux/UNIX a LF is only required. In the HTTP protocol, the CR-LF sequence is always used to terminate a line.
>
> A CRLF Injection attack occurs when a user manages to submit a CRLF into an application. This is most commonly done by modifying an HTTP parameter or URL.
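The answer quotes the docs but does not show the class in use, so here is an added example (not code from the question, nor from the OWASP Java Encoder project) that puts the flagged line next to the two contexts that matter on this page: the mail header, where Encode has no matching method and the fix is to strip CR/LF, and the HTML body, where `Encode.forHtml()` is the right tool. It assumes the `org.owasp.encoder:encoder` artifact is on the classpath; the class name `MailHeaderExample`, its method names and the sample subject are hypothetical and constructed.

```java
import org.owasp.encoder.Encode;

import java.util.regex.Pattern;

/**
 * Added example, not the asker's project code and not part of the OWASP
 * Java Encoder. Shows what org.owasp.encoder.Encode does and does not
 * solve for the flagged line message.setSubject(emailSystemPrefix + subject).
 * Class and method names are hypothetical.
 */
public final class MailHeaderExample {

    // CR (0x0D), LF (0x0A) and every other ASCII control character. A CR/LF
    // inside a header value ends that header, so whatever follows is parsed
    // as a new header line or as the start of the body (CWE-93).
    private static final Pattern HEADER_CONTROL_CHARS =
            Pattern.compile("[\\x00-\\x1F\\x7F]+");

    /**
     * Mail-header context. Encode has no method for this context, so the
     * fix is to remove line terminators (and other control characters)
     * rather than to encode them.
     */
    public static String forMailHeader(String value) {
        if (value == null) {
            return "";
        }
        return HEADER_CONTROL_CHARS.matcher(value).replaceAll(" ").trim();
    }

    /** Replacement for the flagged line: the prefix is trusted config, the subject is not. */
    public static String buildSubject(String emailSystemPrefix, String subject) {
        String prefix = emailSystemPrefix == null ? "" : emailSystemPrefix;
        return prefix + forMailHeader(subject);
    }

    /**
     * What Encode offers if a caller insists on it: Encode.forJava() rewrites
     * CR and LF as the backslash escapes \r and \n (Java string-literal
     * syntax), so the output contains no line break, but the escapes stay
     * visible to the recipient. It encodes for Java source, not for mail headers.
     */
    public static String subjectViaEncoder(String subject) {
        return Encode.forJava(subject == null ? "" : subject);
    }

    /**
     * The context Encode is built for: untrusted text placed in an HTML body
     * (the question's message is sent as text/html). forHtml() turns "<",
     * ">", "&" and quotes into character references, so injected markup is
     * shown as text instead of being rendered.
     */
    public static String htmlBlock(String untrustedText) {
        return "<div>" + Encode.forHtml(untrustedText == null ? "" : untrustedText) + "</div>";
    }

    public static boolean containsLineBreak(String s) {
        return s.indexOf('\r') >= 0 || s.indexOf('\n') >= 0;
    }

    public static void main(String[] args) {
        // Constructed sample input: a subject carrying a CRLF followed by text
        // that a mail parser would otherwise read as an additional header line.
        String taintedSubject = "Weekly report\r\nX-Constructed-Header: test";

        String stripped = buildSubject("AppName - ", taintedSubject);
        String escaped = subjectViaEncoder(taintedSubject);

        System.out.println("stripped: " + stripped + "  (line break? " + containsLineBreak(stripped) + ")");
        System.out.println("forJava : " + escaped + "  (line break? " + containsLineBreak(escaped) + ")");
        System.out.println("forHtml : " + htmlBlock("<b>not bold</b> & \"quoted\""));
    }
}
```

In the question's method the flagged line becomes `message.setSubject(buildSubject(emailSystemPrefix, subject));`, and any untrusted text that ends up in `content` goes through `Encode.forHtml()` before `setContent(...)`. Pick the Encode method by the output context (HTML, JavaScript, URI, XML, CSS, Java), as the quoted docs warn; none of them is an encoder for RFC 5322 header values, which is why the header case is handled by stripping.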

huangapple
  • Posted on 2020-07-27 13:04:31
  • Please keep this link when reposting: https://java.coder-hub.com/63108987.html