DataDog · sezen-datadog · Feb 5, 2025 · Jan 15, 2025 · Jan 15, 2025 · Jan 15, 2025
@@ -11,6 +11,7 @@
 import com.datadog.iast.securitycontrol.IastSecurityControlTransformer;
 import com.datadog.iast.sink.ApplicationModuleImpl;
 import com.datadog.iast.sink.CommandInjectionModuleImpl;
+import com.datadog.iast.sink.EmailInjectionModuleImpl;
 import com.datadog.iast.sink.HardcodedSecretModuleImpl;
 import com.datadog.iast.sink.HeaderInjectionModuleImpl;
 import com.datadog.iast.sink.HstsMissingHeaderModuleImpl;
@@ -179,7 +180,8 @@ private static Stream<IastModule> iastModules(
             HardcodedSecretModuleImpl.class,
             InsecureAuthProtocolModuleImpl.class,
             ReflectionInjectionModuleImpl.class,
-            UntrustedDeserializationModuleImpl.class);
+            UntrustedDeserializationModuleImpl.class,
+            EmailInjectionModuleImpl.class);
     if (iast != FULLY_ENABLED) {
       modules = modules.filter(IastSystem::isOptOut);
     }

@@ -2,6 +2,7 @@
 
 import static com.datadog.iast.util.CRCUtils.update;
 import static datadog.trace.api.iast.VulnerabilityMarks.COMMAND_INJECTION_MARK;
+import static datadog.trace.api.iast.VulnerabilityMarks.EMAIL_HTML_INJECTION_MARK;
 import static datadog.trace.api.iast.VulnerabilityMarks.HEADER_INJECTION_MARK;
 import static datadog.trace.api.iast.VulnerabilityMarks.LDAP_INJECTION_MARK;
 import static datadog.trace.api.iast.VulnerabilityMarks.NOT_MARKED;
@@ -164,6 +165,12 @@ public interface VulnerabilityType {
           .excludedSources(Builder.DB_EXCLUDED)
           .build();
 
+  VulnerabilityType EMAIL_HTML_INJECTION =
+      type(VulnerabilityTypes.EMAIL_HTML_INJECTION)
+          .mark(EMAIL_HTML_INJECTION_MARK)
+          .excludedSources(Builder.DB_EXCLUDED)
+          .build();
+
   /* All vulnerability types that have a mark. Should be updated if new vulnerabilityType with mark is added */
   VulnerabilityType[] MARKED_VULNERABILITIES = {
     SQL_INJECTION,
@@ -177,7 +184,8 @@ public interface VulnerabilityType {
     XSS,
     HEADER_INJECTION,
     REFLECTION_INJECTION,
-    UNTRUSTED_DESERIALIZATION
+    UNTRUSTED_DESERIALIZATION,
+    EMAIL_HTML_INJECTION
   };
 
   String name();

@@ -0,0 +1,20 @@
+package com.datadog.iast.sink;
+
+import com.datadog.iast.Dependencies;
+import com.datadog.iast.model.VulnerabilityType;
+import datadog.trace.api.iast.sink.EmailInjectionModule;
+import javax.annotation.Nullable;
+
+public class EmailInjectionModuleImpl extends SinkModuleBase implements EmailInjectionModule {
+  public EmailInjectionModuleImpl(final Dependencies dependencies) {
+    super(dependencies);
+  }
+
+  @Override
+  public void onSendEmail(@Nullable final Object messageContent) {
+    if (messageContent == null) {
+      return;
+    }
+    checkInjection(VulnerabilityType.EMAIL_HTML_INJECTION, messageContent);
+  }
+}
@@ -0,0 +1,47 @@
+package com.datadog.iast.sink
+
+import com.datadog.iast.IastModuleImplTestBase
+import com.datadog.iast.Reporter
+import com.datadog.iast.model.Vulnerability
+import com.datadog.iast.model.VulnerabilityType
+import com.datadog.iast.propagation.PropagationModuleImpl
+import datadog.trace.api.iast.SourceTypes
+
+class EmailInjectionModuleTest extends IastModuleImplTestBase{
+
+  private EmailInjectionModuleImpl module
+
+  def setup() {
+    module = new EmailInjectionModuleImpl(dependencies)
+  }
+
+  @Override
+  protected Reporter buildReporter() {
+    return Mock(Reporter)
+  }
+
+  def "test onSendEmail with null messageContent"() {
+    when:
+    module.onSendEmail(null)
+
+    then:
+    noExceptionThrown()
+  }
+
+  def "test onSendEmail with non-null messageContent"() {
+    given:
+    def messageContent = "test message"
+    def propagationModule = new PropagationModuleImpl()
+    propagationModule.taintObject(messageContent, SourceTypes.NONE)
+
+    when:
+    module.onSendEmail(messageContent)
+
+    then:
+    1 * reporter.report(_, _) >> { args ->
+      def vulnerability = args[1] as Vulnerability
+      vulnerability.type == VulnerabilityType.EMAIL_HTML_INJECTION &&
+        vulnerability.evidence == messageContent
+    }
+  }
+}
@@ -25,7 +25,11 @@ public static String afterEscape(
     final PropagationModule module = InstrumentationBridge.PROPAGATION;
     if (module != null) {
       try {
-        module.taintStringIfTainted(result, input, false, VulnerabilityMarks.XSS_MARK);
+        module.taintStringIfTainted(
+            result,
+            input,
+            false,
+            VulnerabilityMarks.XSS_MARK | VulnerabilityMarks.EMAIL_HTML_INJECTION_MARK);
       } catch (final Throwable e) {
         module.onUnexpectedException("afterEscape threw", e);
       }

@@ -8,6 +8,7 @@ import groovy.transform.CompileDynamic
 
 import static datadog.trace.api.iast.VulnerabilityMarks.SQL_INJECTION_MARK
 import static datadog.trace.api.iast.VulnerabilityMarks.XSS_MARK
+import static datadog.trace.api.iast.VulnerabilityMarks.EMAIL_HTML_INJECTION_MARK
 
 @CompileDynamic
 class StringEscapeUtilsCallSiteTest extends AgentTestRunner {
@@ -27,15 +28,32 @@ class StringEscapeUtilsCallSiteTest extends AgentTestRunner {
 
     then:
     result == expected
-    1 * module.taintStringIfTainted(_ as String, args[0], false, mark)
+    1 * module.taintStringIfTainted(_ as String, args[0], false, XSS_MARK | EMAIL_HTML_INJECTION_MARK)
     0 * _
 
     where:
-    method             | args                  | mark               | expected
-    'escapeHtml'       | ['Ø-This is a quote'] | XSS_MARK           | '&Oslash;-This is a quote'
-    'escapeJava'       | ['Ø-This is a quote'] | XSS_MARK           | '\\u00D8-This is a quote'
-    'escapeJavaScript' | ['Ø-This is a quote'] | XSS_MARK           | '\\u00D8-This is a quote'
-    'escapeXml'        | ['Ø-This is a quote'] | XSS_MARK           | '&#216;-This is a quote'
-    'escapeSql'        | ['Ø-This is a quote'] | SQL_INJECTION_MARK | 'Ø-This is a quote'
+    method             | args                  | expected
+    'escapeHtml'       | ['Ø-This is a quote'] | '&Oslash;-This is a quote'
+    'escapeJava'       | ['Ø-This is a quote'] | '\\u00D8-This is a quote'
+    'escapeJavaScript' | ['Ø-This is a quote'] | '\\u00D8-This is a quote'
+    'escapeXml'        | ['Ø-This is a quote'] | '&#216;-This is a quote'
+  }
+
+  void 'test #method sql'() {
+    given:
+    final module = Mock(PropagationModule)
+    InstrumentationBridge.registerIastModule(module)
+
+    when:
+    final result = TestStringEscapeUtilsSuite.&"$method".call(args)
+
+    then:
+    result == expected
+    1 * module.taintStringIfTainted(_ as String, args[0], false, SQL_INJECTION_MARK)
+    0 * _
+
+    where:
+    method             | args                  | expected
+    'escapeSql'        | ['Ø-This is a quote'] | 'Ø-This is a quote'
   }
 }
@@ -27,7 +27,11 @@ public static String afterEscape(
     final PropagationModule module = InstrumentationBridge.PROPAGATION;
     if (module != null) {
       try {
-        module.taintStringIfTainted(result, input, false, VulnerabilityMarks.XSS_MARK);
+        module.taintStringIfTainted(
+            result,
+            input,
+            false,
+            VulnerabilityMarks.XSS_MARK | VulnerabilityMarks.EMAIL_HTML_INJECTION_MARK);
       } catch (final Throwable e) {
         module.onUnexpectedException("afterEscape threw", e);
       }

@@ -25,7 +25,7 @@ class StringEscapeUtilsCallSiteTest extends AgentTestRunner {
 
     then:
     result == expected
-    1 * module.taintStringIfTainted(_ as String, args[0], false, VulnerabilityMarks.XSS_MARK)
+    1 * module.taintStringIfTainted(_ as String, args[0], false, VulnerabilityMarks.XSS_MARK | VulnerabilityMarks.EMAIL_HTML_INJECTION_MARK)
     0 * _
 
     where:

@@ -29,7 +29,11 @@ public static String afterEscape(
     final PropagationModule module = InstrumentationBridge.PROPAGATION;
     if (module != null) {
       try {
-        module.taintStringIfTainted(result, input, false, VulnerabilityMarks.XSS_MARK);
+        module.taintStringIfTainted(
+            result,
+            input,
+            false,
+            VulnerabilityMarks.XSS_MARK | VulnerabilityMarks.EMAIL_HTML_INJECTION_MARK);
       } catch (final Throwable e) {
         module.onUnexpectedException("afterEscape threw", e);
       }

@@ -25,7 +25,7 @@ class StringEscapeUtilsCallSiteTest extends AgentTestRunner {
 
     then:
     result == expected
-    1 * module.taintStringIfTainted(_ as String, args[0], false, VulnerabilityMarks.XSS_MARK)
+    1 * module.taintStringIfTainted(_ as String, args[0], false, VulnerabilityMarks.XSS_MARK | VulnerabilityMarks.EMAIL_HTML_INJECTION_MARK)
     0 * _
 
     where:

@@ -0,0 +1,17 @@
+muzzle {
+  pass {
+    coreJdk()
+  }
+}
+
+apply from: "$rootDir/gradle/java.gradle"
+apply plugin: 'call-site-instrumentation'
+
+addTestSuiteForDir('latestDepTest', 'test')
+
+dependencies {
+  testRuntimeOnly project(':dd-java-agent:instrumentation:iast-instrumenter')
+  implementation 'javax.mail:javax.mail-api:1.4.4'
+  latestDepTestImplementation 'javax.mail:javax.mail-api:+'
+  testImplementation 'de.saly:javamail-mock2:0.4-beta3'
+}
diff --git a/.../src/main/java/datadog/trace/instrumentation/javax/mail/JavaxMailBodyInstrumentation.java b/.../src/main/java/datadog/trace/instrumentation/javax/mail/JavaxMailBodyInstrumentation.java
@@ -0,0 +1,66 @@
+package datadog.trace.instrumentation.javax.mail;
+
+import static datadog.trace.agent.tooling.bytebuddy.matcher.HierarchyMatchers.implementsInterface;
+import static datadog.trace.agent.tooling.bytebuddy.matcher.NameMatchers.named;
+
+import com.google.auto.service.AutoService;
+import datadog.trace.agent.tooling.Instrumenter;
+import datadog.trace.agent.tooling.InstrumenterModule;
+import datadog.trace.api.iast.InstrumentationBridge;
+import datadog.trace.api.iast.Propagation;
+import datadog.trace.api.iast.propagation.PropagationModule;
+import javax.mail.Part;
+import net.bytebuddy.asm.Advice;
+import net.bytebuddy.description.type.TypeDescription;
+import net.bytebuddy.matcher.ElementMatcher;
+
+@AutoService(InstrumenterModule.class)
+public class JavaxMailBodyInstrumentation extends InstrumenterModule.Iast
+    implements Instrumenter.ForTypeHierarchy, Instrumenter.HasMethodAdvice {
+
+  public JavaxMailBodyInstrumentation() {
+    super("javax-mail", "javax-mail-body");
+  }
+
+  @Override
+  public void methodAdvice(MethodTransformer transformer) {
+    transformer.applyAdvice(
+        named("setContent"),
+        JavaxMailBodyInstrumentation.class.getName() + "$ContentInjectionAdvice");
+    transformer.applyAdvice(
+        named("setText"), JavaxMailBodyInstrumentation.class.getName() + "$TextInjectionAdvice");
+  }
+
+  @Override
+  public String hierarchyMarkerType() {
+    return "javax.mail.Message";
+  }
+
+  @Override
+  public ElementMatcher<TypeDescription> hierarchyMatcher() {
+    return implementsInterface(named(hierarchyMarkerType()));
+  }
+
+  public static class ContentInjectionAdvice {
+    @Propagation
+    @Advice.OnMethodEnter(suppress = Throwable.class)
+    private static void onSetContent(
+        @Advice.This Part part, @Advice.Argument(0) final Object content) {
+      PropagationModule propagationModule = InstrumentationBridge.PROPAGATION;
+      if (propagationModule != null && content != null) {
+        propagationModule.taintObjectIfTainted(part, content);
+      }
+    }
+  }
+
+  public static class TextInjectionAdvice {
+    @Propagation
+    @Advice.OnMethodEnter(suppress = Throwable.class)
+    private static void onSetText(@Advice.This Part part, @Advice.Argument(0) final String text) {
+      PropagationModule propagationModule = InstrumentationBridge.PROPAGATION;
+      if (propagationModule != null && text != null) {
+        propagationModule.taintObjectIfTainted(part, text);
+      }
+    }
+  }
+}
@@ -0,0 +1,61 @@
+package datadog.trace.instrumentation.javax.mail;
+
+import static datadog.trace.agent.tooling.bytebuddy.matcher.NameMatchers.named;
+
+import com.google.auto.service.AutoService;
+import datadog.trace.agent.tooling.Instrumenter;
+import datadog.trace.agent.tooling.InstrumenterModule;
+import datadog.trace.api.iast.InstrumentationBridge;
+import datadog.trace.api.iast.Sink;
+import datadog.trace.api.iast.VulnerabilityTypes;
+import datadog.trace.api.iast.sink.EmailInjectionModule;
+import java.io.IOException;
+import javax.mail.MessagingException;
+import javax.mail.Multipart;
+import javax.mail.Part;
+import net.bytebuddy.asm.Advice;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+@AutoService(InstrumenterModule.class)
+public class JavaxMailInstrumentation extends InstrumenterModule.Iast
+    implements Instrumenter.ForSingleType, Instrumenter.HasMethodAdvice {
+
+  private static Logger LOGGER = LoggerFactory.getLogger(JavaxMailInstrumentation.class);
+
+  public JavaxMailInstrumentation() {
+    super("javax-mail", "javax-mail-transport");
+  }
+
+  @Override
+  public void methodAdvice(MethodTransformer transformer) {
+    transformer.applyAdvice(
+        named("send0"), JavaxMailInstrumentation.class.getName() + "$MailInjectionAdvice");
+  }
+
+  @Override
+  public String instrumentedType() {
+    return "javax.mail.Transport";
+  }
+
+  public static class MailInjectionAdvice {
+    @Sink(VulnerabilityTypes.EMAIL_HTML_INJECTION)
+    @Advice.OnMethodEnter(suppress = Throwable.class)
+    public static void onSend(@Advice.Argument(0) final Part message)
+        throws MessagingException, IOException {
+      EmailInjectionModule emailInjectionModule = InstrumentationBridge.EMAIL_INJECTION;
+      if (message != null && message.getContent() != null) {
+        if (message.isMimeType("text/html")) {
+          emailInjectionModule.onSendEmail(message.getContent());
+        } else if (message.isMimeType("multipart/*")) {
+          Multipart parts = (Multipart) message.getContent();
+          for (int i = 0; i < parts.getCount(); i++) {
+            if (parts.getBodyPart(i).isMimeType("text/html")) {
+              emailInjectionModule.onSendEmail(parts.getBodyPart(i).getContent());
+            }
+          }
+        }
+      }
+    }
+  }
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -25,7 +25,7 @@ class StringEscapeUtilsCallSiteTest extends AgentTestRunner { @@
         then:
         result == expected
-* module.taintStringIfTainted(_ as String, args[0], false, VulnerabilityMarks.XSS_MARK)
+* module.taintStringIfTainted(_ as String, args[0], false, VulnerabilityMarks.XSS_MARK | VulnerabilityMarks.EMAIL_HTML_INJECTION_MARK)
 * _
         where:
@@ Expand Down @@