Email HTML Injection detection in IAST #8205
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sezen-datadog
added
type: enhancement
comp: asm iast
jandro996
reviewed
Jan 15, 2025
internal-api/src/main/java/datadog/trace/api/iast/VulnerabilityMarks.java
Outdated
Show resolved
Hide resolved
jandro996
reviewed
Jan 15, 2025
internal-api/src/main/java/datadog/trace/api/iast/sink/EmailInjectionModule.java
Outdated
Show resolved
Hide resolved
jandro996
reviewed
Jan 15, 2025
dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/EmailInjectionModuleImpl.java
Outdated
Show resolved
Hide resolved
jandro996
reviewed
Jan 15, 2025
...ax-mail/src/main/java/datadog/trace/instrumentation/javax/mail/JavaxMailInstrumentation.java
Show resolved
Hide resolved
|
Nice work @sezen-datadog! you are in the right direction, we can discuss offline the caveats if you want 😃 My comments related to the new iast module can be extended if we need an Object instead of an String Just in case no one had shared with you before, this is an interesting document when we need to implement new iast vulnerabilities |
jandro996
reviewed
Jan 16, 2025
...ax-mail/src/main/java/datadog/trace/instrumentation/javax/mail/JavaxMailInstrumentation.java
Outdated
Show resolved
Hide resolved
jandro996
reviewed
Jan 16, 2025
...ax-mail/src/main/java/datadog/trace/instrumentation/javax/mail/JavaxMailInstrumentation.java
Show resolved
Hide resolved
jandro996
reviewed
Jan 16, 2025
...ax-mail/src/main/java/datadog/trace/instrumentation/javax/mail/JavaxMailInstrumentation.java
Outdated
Show resolved
Hide resolved
…/trace/instrumentation/javax/mail/JavaxMailInstrumentation.java Co-authored-by: Alejandro González García <[email protected]>
…/trace/instrumentation/javax/mail/JavaxMailInstrumentation.java Co-authored-by: Alejandro González García <[email protected]>
|
setContext and setText of Part StringEscapeUtilsCallsite |
| result, | ||
| input, | ||
| false, | ||
| VulnerabilityMarks.XSS_MARK | VulnerabilityMarks.EMAIL_HTML_INJECTION_MARK); |
There was a problem hiding this comment.
I wonder if we could define a mark like:
public static final int HTML_ESCAPED_MARK = XSS_MARK | EMAIL_HTML_INJECTION_MARK;Anytime we escape for HTML we have to escape both, and the list of vulnerabilities might grow in the future.
|
|
||
| where: | ||
| mimetype | content | ||
| "html" | "<html><body>Hello, Content!</body></html>" |
There was a problem hiding this comment.
Can you try with non html mime types?, in that case we should not call the module.
|
|
||
| then: | ||
| hasTainted { tainted -> | ||
| tainted.value == messageText |
There was a problem hiding this comment.
Not sure what you are testing here (the request parameter is also tainted with the value, so probably you want to assert something else in here).
| } | ||
|
|
||
| apply from: "$rootDir/gradle/java.gradle" | ||
| apply plugin: 'call-site-instrumentation' |
There was a problem hiding this comment.
We are not using call sites in the module right?
| } | ||
|
|
||
| apply from: "$rootDir/gradle/java.gradle" | ||
| apply plugin: 'call-site-instrumentation' |
There was a problem hiding this comment.
Same as with jakarta, I think the plugin is not needed
manuel-alvarez-alvarez
approved these changes
Feb 5, 2025
svc-squareup-copybara
pushed a commit
to cashapp/misk
that referenced
this pull request
Mar 6, 2025
| Package | Type | Package file | Manager | Update | Change | |---|---|---|---|---|---| | [com.datadoghq:dd-trace-api](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.46.1` -> `1.47.0` | | [com.datadoghq:dd-trace-ot](https://github.com/datadog/dd-trace-java) | dependencies | misk/gradle/libs.versions.toml | gradle | minor | `1.46.1` -> `1.47.0` | | [software.amazon.awssdk:sdk-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` | | [software.amazon.awssdk:sqs](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` | | [software.amazon.awssdk:dynamodb-enhanced](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` | | [software.amazon.awssdk:dynamodb](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` | | [software.amazon.awssdk:aws-core](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` | | [software.amazon.awssdk:bom](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` | | [software.amazon.awssdk:auth](https://aws.amazon.com/sdkforjava) | dependencies | misk/gradle/libs.versions.toml | gradle | patch | `2.30.33` -> `2.30.34` | --- ### Release Notes <details> <summary>datadog/dd-trace-java (com.datadoghq:dd-trace-api)</summary> ### [`v1.47.0`](https://github.com/DataDog/dd-trace-java/releases/tag/v1.47.0): 1.47.0 ##### Components ##### Application Security Management (IAST) - 🐛 Exclude com.stripe.net.HttpURLConnectionClient to solve IAST SSRF vulnerability false positives ([#​8483](DataDog/dd-trace-java#8483) - [@​jandro996](https://github.com/jandro996)) - 🐛 Add exclusion to solve IAST weak randomness vulnerability false positives ([#​8462](DataDog/dd-trace-java#8462) - [@​jandro996](https://github.com/jandro996)) - ✨ Fix weak randomness false positive in Kafka client ([#​8408](DataDog/dd-trace-java#8408) - [@​smola](https://github.com/smola)) - ✨ Fix location for SSRF with Kong Unirest ([#​8407](DataDog/dd-trace-java#8407) - [@​smola](https://github.com/smola)) - ✨ Exclude IBM Instana from IAST ([#​8406](DataDog/dd-trace-java#8406) - [@​smola](https://github.com/smola)) - 🐛 Fix org.json iast instrumentation test for latest dependency ([#​8347](DataDog/dd-trace-java#8347) - [@​jandro996](https://github.com/jandro996)) - ✨ Configuration to Disable APM Tracing ([#​8219](DataDog/dd-trace-java#8219) - [@​jandro996](https://github.com/jandro996)) - ✨ Address cookie vulnerability cardinality issues ([#​8210](DataDog/dd-trace-java#8210) - [@​jandro996](https://github.com/jandro996)) - ✨ Email HTML Injection detection in IAST ([#​8205](DataDog/dd-trace-java#8205) - [@​sezen-datadog](https://github.com/sezen-datadog)) ##### Application Security Management (WAF) - 🐛✨ Ensure usr.exists tag is not overridden when UsernameNotFoundException is thrown ([#​8376](DataDog/dd-trace-java#8376) - [@​manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - 🐛✨ Ensure usr.exists tag is not overridden by auto instrumentation ([#​8374](DataDog/dd-trace-java#8374) - [@​manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - ✨ Update appsec metrics with event_rules_version tag ([#​8354](DataDog/dd-trace-java#8354) - [@​sezen-datadog](https://github.com/sezen-datadog)) - ✨ Update metrics: appsec.waf.requests ([#​8353](DataDog/dd-trace-java#8353) - [@​Mariovido](https://github.com/Mariovido)) - ✨ Improve ASM support in vert.x 5.0 ([#​8285](DataDog/dd-trace-java#8285) - [@​manuel-alvarez-alvarez](https://github.com/manuel-alvarez-alvarez)) - ✨ Update metrics: appsec.waf.updates and appsec.waf.init ([#​8280](DataDog/dd-trace-java#8280) - [@​Mariovido](https://github.com/Mariovido)) - ✨ Configuration to Disable APM Tracing ([#​8219](DataDog/dd-trace-java#8219) - [@​jandro996](https://github.com/jandro996)) ##### Build & Tooling - 🐛 Do not generate Muzzle references for primitive arrays in method body ([#​8361](DataDog/dd-trace-java#8361) - [@​amarziali](https://github.com/amarziali)) - 📖 Improve dev env setup documentation for Windows ([#​8180](DataDog/dd-trace-java#8180) - [@​lucaspimentel](https://github.com/lucaspimentel)) ##### Continuous Integration Visibility - ✨ Add support for skip-EFD tagging ([#​8487](DataDog/dd-trace-java#8487) - [@​nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) - 🐛 Fix an NPE in Gradle Android instrumentation ([#​8484](DataDog/dd-trace-java#8484) - [@​nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) - ✨ Consider modified tests when applying fail-fast tests ordering ([#​8474](DataDog/dd-trace-java#8474) - [@​nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) - ✨ Implement tests reordering for TestNG ([#​8467](DataDog/dd-trace-java#8467) - [@​nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) - 🐛 Fix Gradle Launcher instrumentation to not interfere with Gradle Test Kit ([#​8465](DataDog/dd-trace-java#8465) - [@​nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) - 🧹 Use separate TestEventHandlers per framework in CI Vis instrumentations ([#​8451](DataDog/dd-trace-java#8451) - [@​daniel-mohedano](https://github.com/daniel-mohedano)) - ✨ Remove warning log when JUnit 4 test method cannot be retrieved ([#​8445](DataDog/dd-trace-java#8445) - [@​nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) - 🐛 Fix Scalatest tracing for tests that are reported asynchronously ([#​8444](DataDog/dd-trace-java#8444) - [@​nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) - ✨ Implement attempt to fix tests ([#​8393](DataDog/dd-trace-java#8393) - [@​daniel-mohedano](https://github.com/daniel-mohedano)) - ✨ Implement test disabling ([#​8377](DataDog/dd-trace-java#8377) - [@​daniel-mohedano](https://github.com/daniel-mohedano)) - ✨ Update CODEOWNERS parser to not log errors on comments with leading whitespace ([#​8349](DataDog/dd-trace-java#8349) - [@​nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) - ✨ Request Test Management tests list ([#​8345](DataDog/dd-trace-java#8345) - [@​daniel-mohedano](https://github.com/daniel-mohedano)) - ✨ Receive test management settings from CIVis settings request ([#​8331](DataDog/dd-trace-java#8331) - [@​daniel-mohedano](https://github.com/daniel-mohedano)) - ✨ Implement quarantined tests tagging ([#​8326](DataDog/dd-trace-java#8326) - [@​nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) - ✨ Implement tests quarantining ([#​8320](DataDog/dd-trace-java#8320) - [@​nikita-tkachenko-datadog](https://github.com/nikita-tkachenko-datadog)) - ✨ Add tag to specify if the user is setting DD_SERVICE ([#​8318](DataDog/dd-trace-java#8318) - [@​daniel-mohedano](https://github.com/daniel-mohedano)) ##### Crash tracking - ✨ Only fork jps when required ([#​8419](DataDog/dd-trace-java#8419) - [@​mcculls](https://github.com/mcculls)) - 🐛 Use Java home of the crashed process to launch crash uploader ([#​8348](DataDog/dd-trace-java#8348) - [@​jbachorik](https://github.com/jbachorik)) ##### Data Streams Monitoring - 🐛 Fix error happening when sqs message attributes are readonly ([#​8473](DataDog/dd-trace-java#8473) - [@​vandonr](https://github.com/vandonr)) - 🐛 Fix bug on proto schema extraction ([#​8403](DataDog/dd-trace-java#8403) - [@​vandonr](https://github.com/vandonr)) - 🐛 Fix service name overrides in consumers ([#​8387](DataDog/dd-trace-java#8387) - [@​piochelepiotr](https://github.com/piochelepiotr)) ##### Database Monitoring - ✨ Add DBMTracePreparedStatements to tracer configuration log ([#​8508](DataDog/dd-trace-java#8508) - [@​cecile75](https://github.com/cecile75)) ##### Dynamic Instrumentation - ✨ Look in another location for grpc service methods ([#​8468](DataDog/dd-trace-java#8468) - [@​evanchooly](https://github.com/evanchooly)) - 🐛 Fix Exception Replay with Lambda proxy classes ([#​8452](DataDog/dd-trace-java#8452) - [@​jpbempel](https://github.com/jpbempel)) - ✨ Add code origin support for spring-webmvc ([#​8416](DataDog/dd-trace-java#8416) - [@​evanchooly](https://github.com/evanchooly)) - ✨ Add support for scanning jar from loaded class ([#​8370](DataDog/dd-trace-java#8370) - [@​jpbempel](https://github.com/jpbempel)) - 🐛 Disable capture of entry values ([#​8369](DataDog/dd-trace-java#8369) - [@​jpbempel](https://github.com/jpbempel)) - 🐛 Fix CodeOrigin for `@Trace` annotation ([#​8344](DataDog/dd-trace-java#8344) - [@​jpbempel](https://github.com/jpbempel)) - 🐛 Fix equals/hashCode for CodeOrigin probe ([#​8319](DataDog/dd-trace-java#8319) - [@​jpbempel](https://github.com/jpbempel)) - ✨ Add code origin support to kafka message listeners ([#​8301](DataDog/dd-trace-java#8301) - [@​evanchooly](https://github.com/evanchooly)) ##### Metrics - ✨ Create metric: appsec.waf.error ([#​8381](DataDog/dd-trace-java#8381) - [@​sezen-datadog](https://github.com/sezen-datadog)) - ✨ Create metric: appsec.rasp.error ([#​8364](DataDog/dd-trace-java#8364) - [@​sezen-datadog](https://github.com/sezen-datadog)) ##### Profiling - ✨ Bump ddprof library to 1.22.0 ([#​8463](DataDog/dd-trace-java#8463) - [@​jbachorik](https://github.com/jbachorik)) - IBM J9 8u361 corresponds to OpenJDK 8u362 by [@​jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#187 - Fix compatibility with musl libc 1.2.4 by [@​jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#189 - Modify version extraction by [@​jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#179 - Do not write null values to jvminfo event by [@​jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#184 - Productize VMStructs-based stack walker by [@​jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#177 - A few minor downport issues by [@​jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#180 - Enable ASGCT by default on fairly safe J9 JDK versions by [@​jbachorik](https://github.com/jbachorik) in DataDog/java-profiler#181 - 🐛 Exclude OrderedThreadPoolExecutor from queue-time measurements ([#​8456](DataDog/dd-trace-java#8456) - [@​jbachorik](https://github.com/jbachorik)) - ✨ Record JVM info on JVMs without JFR ([#​8431](DataDog/dd-trace-java#8431) - [@​jbachorik](https://github.com/jbachorik)) - 🐛 Actually use CleanupTask in TempLocationManager ([#​8420](DataDog/dd-trace-java#8420) - [@​mcculls](https://github.com/mcculls)) - ✨ Only fork jps when required ([#​8419](DataDog/dd-trace-java#8419) - [@​mcculls](https://github.com/mcculls)) - 🐛 Adjust JFR checks for J9 ([#​8405](DataDog/dd-trace-java#8405) - [@​jbachorik](https://github.com/jbachorik)) - 🧹 Disable smap RSS parsing by default ([#​8342](DataDog/dd-trace-java#8342) - [@​MattAlp](https://github.com/MattAlp)) ##### Telemetry - 🐛 Add support for JBoss jar:file format to DependencyResolver ([#​8428](DataDog/dd-trace-java#8428) - [@​jandro996](https://github.com/jandro996)) - ✨ Update metrics: appsec.waf.requests ([#​8353](DataDog/dd-trace-java#8353) - [@​Mariovido](https://github.com/Mariovido)) ##### Trace context propagation - ✨ Introduce tracing propagator ([#​8313](DataDog/dd-trace-java#8313) - [@​PerfectSlayer](https://github.com/PerfectSlayer)) ##### Tracer core - 🐛 Fix Stable Config telemetry source names ([#​8460](DataDog/dd-trace-java#8460) - [@​BaptisteFoy](https://github.com/BaptisteFoy)) - ✨ Probe trace endpoints with a valid payload of empty arrays ([#​8414](DataDog/dd-trace-java#8414) - [@​mcculls](https://github.com/mcculls)) - ✨ Add 1 minute fail-safe to JUL/JMX class-loading callback ([#​8399](DataDog/dd-trace-java#8399) - [@​mcculls](https://github.com/mcculls)) - ✨ Migrate DSM injection calls to context-first APIs ([#​8383](DataDog/dd-trace-java#8383) - [@​PerfectSlayer](https://github.com/PerfectSlayer)) - 🧹 Move continuation capture methods from scope to tracer ([#​8371](DataDog/dd-trace-java#8371) - [@​mcculls](https://github.com/mcculls)) - ✨ Migrate context extraction calls to context-first APIs ([#​8368](DataDog/dd-trace-java#8368) - [@​PerfectSlayer](https://github.com/PerfectSlayer)) - 🧹 Migrate context injection calls to context-first APIs ([#​8358](DataDog/dd-trace-java#8358) - [@​PerfectSlayer](https://github.com/PerfectSlayer)) - 💡 Support reading configurations from files ([#​8338](DataDog/dd-trace-java#8338) - [@​mtoffl01](https://github.com/mtoffl01)) - 💡 Implementation of BaggagePropagator and BaggageContext ([#​8330](DataDog/dd-trace-java#8330) - [@​mhlidd](https://github.com/mhlidd)) - 🧹 Combine continuation implementations into one which supports multiple activations ([#​8324](DataDog/dd-trace-java#8324) - [@​mcculls](https://github.com/mcculls)) - ✨ Introduce tracing propagator ([#​8313](DataDog/dd-trace-java#8313) - [@​PerfectSlayer](https://github.com/PerfectSlayer)) - ✨ Remove old context propagation API ([#​8271](DataDog/dd-trace-java#8271) - [@​PerfectSlayer](https://github.com/PerfectSlayer)) ##### Instrumentations ##### AWS Lambda instrumentation - 🐛 Send error message and stack to Lambda extension ([#​8417](DataDog/dd-trace-java#8417) - [@​nhulston](https://github.com/nhulston)) ##### AWS SDK instrumentation - 🐛 Fix error happening when sqs message attributes are readonly ([#​8473](DataDog/dd-trace-java#8473) - [@​vandonr](https://github.com/vandonr)) - 💡 Inject trace context into AWS Step Functions input ([#​7585](DataDog/dd-trace-java#7585) - [@​DylanLovesCoffee](https://github.com/DylanLovesCoffee)) ##### Core Java language instrumentation - ✨ Look in another location for grpc service methods ([#​8468](DataDog/dd-trace-java#8468) - [@​evanchooly](https://github.com/evanchooly)) - ✨ Add code origin support for spring-webmvc ([#​8416](DataDog/dd-trace-java#8416) - [@​evanchooly](https://github.com/evanchooly)) - 💡 Implementation of BaggagePropagator and BaggageContext ([#​8330](DataDog/dd-trace-java#8330) - [@​mhlidd](https://github.com/mhlidd)) - ✨ Add code origin support to kafka message listeners ([#​8301](DataDog/dd-trace-java#8301) - [@​evanchooly](https://github.com/evanchooly)) ##### gRPC instrumentation - ✨ Look in another location for grpc service methods ([#​8468](DataDog/dd-trace-java#8468) - [@​evanchooly](https://github.com/evanchooly)) ##### Kafka instrumentation - ✨ Add messaging.destination.name tag to kafka integrations ([#​8366](DataDog/dd-trace-java#8366) - [@​rarguelloF](https://github.com/rarguelloF)) ##### Protocol Buffer instrumentation - 🐛 Fix bug on proto schema extraction ([#​8403](DataDog/dd-trace-java#8403) - [@​vandonr](https://github.com/vandonr)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "after 6pm every weekday,before 2am every weekday" in timezone Australia/Melbourne, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Never, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). GitOrigin-RevId: 108a0f86aa59ab4c938cbac0688dd4c19cb301fa
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What Does This Do
Controls the mails to detect tainted content for javax mail methods, in particular, Transport.send
Motivation
Email HTML injection is a vulnerability where user input is included in the content of an email without proper validation and sanitization. This vulnerability can have severe consequences as it opens the door for various attacks, including phishing, social engineering exploits, and the exploitation of email client vulnerabilities.
This modification provides a control of the body of the email that is meant to be sent. If an injection occurred in the mail body and no sanitization has taken place, the sink will raise an alert.
Jira ticket: APPSEC-56330