test continue
sezen-datadog committed Jan 17, 2025
commit 2111e77df9655e41e66f9f5a003dfbb62f64126f
Expand Up @@ -15,7 +15,7 @@
public class JavaxMailBodyInstrumentation extends InstrumenterModule.Iast
implements Instrumenter.ForSingleType, Instrumenter.HasMethodAdvice {

public JavaxMailBodyInstrumentation(String instrumentationName, String... additionalNames) {
public JavaxMailBodyInstrumentation() {
super("javax-mail", "body");
}

Expand Up @@ -22,7 +22,7 @@ public class JavaxMailInstrumentation extends InstrumenterModule.Iast

private static Logger LOGGER = LoggerFactory.getLogger(JavaxMailInstrumentation.class);

public JavaxMailInstrumentation(String instrumentationName, String... additionalNames) {
public JavaxMailInstrumentation() {
super("javax-mail", "transport");
}

Expand All @@ -40,7 +40,7 @@ public String instrumentedType() {
public static class MailInjectionAdvice {
@Sink(VulnerabilityTypes.EMAIL_HTML_INJECTION)
@Advice.OnMethodEnter(suppress = Throwable.class)
private static void onSend(@Advice.Argument(0) final Part message)
public static void onSend(@Advice.Argument(0) final Part message)
throws MessagingException, IOException {
EmailInjectionModule emailInjectionModule = InstrumentationBridge.EMAIL_INJECTION;
if (message != null && message.getContent() != null) {
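Review bot: The guard in `onSend` evaluates `message.getContent()` on the application's own send path, and because the advice is declared with `suppress = Throwable.class`, an `IOException` or `MessagingException` raised there is suppressed and the message goes out without the EMAIL_HTML_INJECTION check having run. Reading the content once into a local, `final Object content = message != null ? message.getContent() : null;` followed by `if (content != null) {`, keeps that work to a single call; the rest of the body is outside this hunk, so I am assuming the content is read again further down. For a multipart message `getContent()` returns a `Multipart` rather than the HTML text, so it is worth confirming that the module still sees the nested text/html parts.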
Expand Up @@ -2,6 +2,7 @@ import datadog.trace.agent.test.AgentTestRunner
import datadog.trace.api.iast.InstrumentationBridge
import datadog.trace.api.iast.sink.EmailInjectionModule

import javax.mail.Session
import javax.mail.Transport
import javax.mail.internet.MimeMessage

Expand All @@ -13,7 +14,7 @@ class JavaxMailInstrumentationTest extends AgentTestRunner {
}


void 'test javax.mail.Message'(Object value) {
void 'test javax.mail.Message'(MimeMessage value) {
given:
final module = Mock(EmailInjectionModule)
InstrumentationBridge.registerIastModule(module)
Expand All @@ -27,6 +28,11 @@ class JavaxMailInstrumentationTest extends AgentTestRunner {
1 * module.onSendEmail(message)

where:
value << [new MimeMessage(null), new MimeMessage(null)]
value << [
new MimeMessage(Session.getDefaultInstance(new Properties())) { {
setContent("<html><body>Hello, World!</body></html>", "text/html")
}
}
]
}
}
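Review bot: The `where:` block now supplies a single text/html `MimeMessage`, so the spec pins only the case in which the sink is expected to fire; a text/plain row and a multipart row would document what `onSendEmail` should receive when the body carries no HTML or carries it in a nested part. `Session.getDefaultInstance(new Properties())` returns the JVM-wide default session, which other specs in the same run may share, whereas `Session.getInstance(new Properties())` gives this test a session of its own. The anonymous subclass with an initializer block is also harder to read than a small helper that creates the message and calls `setContent` on it.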