Email Injection detection in IAST

initial commit

Author: sezen-datadog

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/IastSystem.java

@@ -11,6 +11,7 @@
 import com.datadog.iast.securitycontrol.IastSecurityControlTransformer;
 import com.datadog.iast.sink.ApplicationModuleImpl;
 import com.datadog.iast.sink.CommandInjectionModuleImpl;
+import com.datadog.iast.sink.EmailInjectionModuleImpl;
 import com.datadog.iast.sink.HardcodedSecretModuleImpl;
 import com.datadog.iast.sink.HeaderInjectionModuleImpl;
 import com.datadog.iast.sink.HstsMissingHeaderModuleImpl;
@@ -179,7 +180,8 @@ private static Stream<IastModule> iastModules(
             HardcodedSecretModuleImpl.class,
             InsecureAuthProtocolModuleImpl.class,
             ReflectionInjectionModuleImpl.class,
-            UntrustedDeserializationModuleImpl.class);
+            UntrustedDeserializationModuleImpl.class,
+            EmailInjectionModuleImpl.class);
     if (iast != FULLY_ENABLED) {
       modules = modules.filter(IastSystem::isOptOut);
     }

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/model/VulnerabilityType.java

@@ -2,6 +2,7 @@
 
 import static com.datadog.iast.util.CRCUtils.update;
 import static datadog.trace.api.iast.VulnerabilityMarks.COMMAND_INJECTION_MARK;
+import static datadog.trace.api.iast.VulnerabilityMarks.EMAIL_INJECTION_MARK;
 import static datadog.trace.api.iast.VulnerabilityMarks.HEADER_INJECTION_MARK;
 import static datadog.trace.api.iast.VulnerabilityMarks.LDAP_INJECTION_MARK;
 import static datadog.trace.api.iast.VulnerabilityMarks.NOT_MARKED;
@@ -109,6 +110,9 @@ public interface VulnerabilityType {
           .mark(UNTRUSTED_DESERIALIZATION_MARK)
           .build();
 
+  VulnerabilityType EMAIL_INJECTION =
+      type(VulnerabilityTypes.EMAIL_INJECTION).mark(EMAIL_INJECTION_MARK).build();
+
   /* All vulnerability types that have a mark. Should be updated if new vulnerabilityType with mark is added */
   VulnerabilityType[] MARKED_VULNERABILITIES = {
     SQL_INJECTION,
@@ -122,7 +126,8 @@ public interface VulnerabilityType {
     XSS,
     HEADER_INJECTION,
     REFLECTION_INJECTION,
-    UNTRUSTED_DESERIALIZATION
+    UNTRUSTED_DESERIALIZATION,
+    EMAIL_INJECTION
   };
 
   String name();

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/EmailInjectionModuleImpl.java

@@ -0,0 +1,23 @@
+package com.datadog.iast.sink;
+
+import com.datadog.iast.Dependencies;
+import com.datadog.iast.model.VulnerabilityType;
+import datadog.trace.api.iast.sink.EmailInjectionModule;
+import javax.annotation.Nullable;
+import javax.mail.internet.MimeMessage;
+
+public class EmailInjectionModuleImpl extends SinkModuleBase implements EmailInjectionModule {
+
+  public EmailInjectionModuleImpl(final Dependencies dependencies) {
+    super(dependencies);
+  }
+
+  @Override
+  public void onSendEmail(@Nullable final MimeMessage message) {
+    if (message == null) {
+      return;
+    }
+
+    checkInjection(VulnerabilityType.EMAIL_INJECTION, message);
+  }
+}

dd-java-agent/instrumentation/javax-mail/build.gradle

@@ -0,0 +1,19 @@
+muzzle {
+  pass {
+    coreJdk()
+  }
+}
+
+apply from: "$rootDir/gradle/java.gradle"
+apply plugin: 'call-site-instrumentation'
+
+addTestSuiteForDir('latestDepTest', 'test')
+
+dependencies {
+  testRuntimeOnly project(':dd-java-agent:instrumentation:iast-instrumenter')
+}
+
+
+tasks.compileTestJava.configure {
+  setJavaVersion(it, 8)
+}

internal-api/src/main/java/datadog/trace/api/iast/InstrumentationBridge.java

@@ -5,6 +5,7 @@
 import datadog.trace.api.iast.propagation.StringModule;
 import datadog.trace.api.iast.sink.ApplicationModule;
 import datadog.trace.api.iast.sink.CommandInjectionModule;
+import datadog.trace.api.iast.sink.EmailInjectionModule;
 import datadog.trace.api.iast.sink.HardcodedSecretModule;
 import datadog.trace.api.iast.sink.HeaderInjectionModule;
 import datadog.trace.api.iast.sink.HstsMissingHeaderModule;
@@ -67,6 +68,7 @@ public abstract class InstrumentationBridge {
   public static InsecureAuthProtocolModule INSECURE_AUTH_PROTOCOL;
   public static ReflectionInjectionModule REFLECTION_INJECTION;
   public static UntrustedDeserializationModule UNTRUSTED_DESERIALIZATION;
+  public static EmailInjectionModule EMAIL_INJECTION;
 
   private static final Map<Class<? extends IastModule>, Field> MODULE_MAP = buildModuleMap();
 

internal-api/src/main/java/datadog/trace/api/iast/VulnerabilityMarks.java

@@ -22,6 +22,7 @@ private VulnerabilityMarks() {}
   public static final int UNTRUSTED_DESERIALIZATION_MARK = 1 << 11;
 
   public static final int CUSTOM_SECURITY_CONTROL_MARK = 1 << 13;
+  public static final int EMAIL_INJECTION_MARK = 1 << 14;
 
   public static int markForAll() {
     return XSS_MARK

internal-api/src/main/java/datadog/trace/api/iast/VulnerabilityTypes.java

@@ -37,6 +37,7 @@ private VulnerabilityTypes() {}
   public static final byte SESSION_REWRITING = 28;
   public static final byte DEFAULT_APP_DEPLOYED = 29;
   public static final byte UNTRUSTED_DESERIALIZATION = 30;
+  public static final byte EMAIL_INJECTION = 31;
 
   /**
    * Use for telemetry only, this is a special vulnerability type that is not reported, reported
@@ -115,7 +116,8 @@ private VulnerabilityTypes() {}
     "REFLECTION_INJECTION",
     "SESSION_REWRITING",
     "DEFAULT_APP_DEPLOYED",
-    "UNTRUSTED_DESERIALIZATION"
+    "UNTRUSTED_DESERIALIZATION",
+    "EMAIL_INJECTION"
   };
 
   public static String toString(final byte vulnerability) {

internal-api/src/main/java/datadog/trace/api/iast/sink/EmailInjectionModule.java

@@ -0,0 +1,9 @@
+package datadog.trace.api.iast.sink;
+
+import datadog.trace.api.iast.IastModule;
+import javax.annotation.Nullable;
+import javax.mail.internet.MimeMessage;
+
+public interface EmailInjectionModule extends IastModule {
+  void onSendEmail(@Nullable MimeMessage body);
+}

internal-api/src/test/groovy/datadog/trace/api/iast/VulnerabilityTypesTest.groovy

@@ -45,5 +45,6 @@ class VulnerabilityTypesTest extends DDSpecification {
     VulnerabilityTypes.SESSION_REWRITING           | 'SESSION_REWRITING'
     VulnerabilityTypes.DEFAULT_APP_DEPLOYED        | 'DEFAULT_APP_DEPLOYED'
     VulnerabilityTypes.UNTRUSTED_DESERIALIZATION   | 'UNTRUSTED_DESERIALIZATION'
+    VulnerabilityTypes.EMAIL_INJECTION             | 'EMAIL_INJECTION'
   }
 }

settings.gradle

@@ -297,6 +297,7 @@ include ':dd-java-agent:instrumentation:java-security'
 include ':dd-java-agent:instrumentation:java-util'
 include ':dd-java-agent:instrumentation:javax-naming'
 include ':dd-java-agent:instrumentation:javax-xml'
+include ':dd-java-agent:instrumentation:javax-mail'
 include ':dd-java-agent:instrumentation:jax-rs-annotations-1'
 include ':dd-java-agent:instrumentation:jax-rs-annotations-2'
 include ':dd-java-agent:instrumentation:jax-rs-annotations-2:filter-jersey'