#390: added api to disable client sided validations on email addresses and CRLF injection scanning

Author: bbottema

modules/core-module/src/main/java/org/simplejavamail/api/mailer/MailerGenericBuilder.java

@@ -105,6 +105,10 @@ public interface MailerGenericBuilder<T extends MailerGenericBuilder<?>> {
 	 * Defaults to <code>{@value}</code>, sending mails rather than just only logging the mails.
 	 */
 	boolean DEFAULT_JAVAXMAIL_DEBUG = false;
+	/**
+	 * Defaults to <code>{@value}</code>, validating emailaddresses (can be configured seperately, but this does override it) and CRLF injection detection (will arn instead).
+	 */
+	boolean DEFAULT_DISABLE_ALL_CLIENTVALIDATION = false;
 
 	/**
 	 * Changes the default for sending emails and testing server connections to asynchronous (batch mode).
@@ -203,6 +207,13 @@ public interface MailerGenericBuilder<T extends MailerGenericBuilder<?>> {
 	 */
 	T withDebugLogging(@NotNull Boolean debugLogging);
 
+	/**
+	 * Controls whether there will be any client-sided validation, including email address validation and CRLF injection attack detection (which will be warning instead).
+	 * <p>
+	 * If set to {@code true}, this silences the client completely and just delegates all responsibility of correctness/security to the server.
+	 */
+	T disablingAllClientValidation(@NotNull Boolean disableAllClientValidation);
+
 	/**
 	 * Controls the timeout to use when sending emails (affects socket connect-, read- and write timeouts).
 	 * <p>
@@ -497,6 +508,14 @@ public interface MailerGenericBuilder<T extends MailerGenericBuilder<?>> {
 	 */
 	T withCustomMailer(@NotNull CustomMailer customMailer);
 
+	/**
+	 * Reverts to default value '{@value #DEFAULT_VERIFY_SERVER_IDENTITY}' for the behaviour of disabling client-sided
+	 * validations (email addresses and CLRF injection scanning).
+	 *
+	 * @see #disablingAllClientValidation(Boolean)
+	 */
+	T resetDisableAllClientValidations();
+
 	/**
 	 * Resets session time to its default ({@value DEFAULT_SESSION_TIMEOUT_MILLIS}).
 	 *
@@ -698,6 +717,11 @@ public interface MailerGenericBuilder<T extends MailerGenericBuilder<?>> {
 	 */
 	boolean isDebugLogging();
 
+	/**
+	 * @see #disablingAllClientValidation(Boolean)
+	 */
+	boolean isDisableAllClientValidation();
+
 	/**
 	 * @see #withSessionTimeout(Integer)
 	 */

modules/core-module/src/main/java/org/simplejavamail/api/mailer/config/OperationalConfig.java

@@ -69,12 +69,17 @@ public interface OperationalConfig {
 	 * @see MailerGenericBuilder#withTransportModeLoggingOnly(Boolean)
 	 */
 	boolean isTransportModeLoggingOnly();
-	
+
 	/**
 	 * @see MailerGenericBuilder#withDebugLogging(Boolean)
 	 */
 	boolean isDebugLogging();
-	
+
+	/**
+	 * @see MailerGenericBuilder#disablingAllClientValidation(Boolean)
+	 */
+	boolean isDisableAllClientValidation();
+
 	/**
 	 * @see MailerGenericBuilder#trustingSSLHosts(String...)
 	 */

modules/core-module/src/main/java/org/simplejavamail/config/ConfigLoader.java

@@ -39,6 +39,7 @@
  * <li>simplejavamail.smtp.port</li>
  * <li>simplejavamail.smtp.username</li>
  * <li>simplejavamail.smtp.password</li>
+ * <li>simplejavamail.disable.all.clientvalidation</li>
  * <li>simplejavamail.custom.sslfactory.class</li>
  * <li>simplejavamail.proxy.host</li>
  * <li>simplejavamail.proxy.port</li>
@@ -131,6 +132,7 @@ public enum Property {
 		SMTP_PORT("simplejavamail.smtp.port"),
 		SMTP_USERNAME("simplejavamail.smtp.username"),
 		SMTP_PASSWORD("simplejavamail.smtp.password"),
+		DISABLE_ALL_CLIENTVALIDATION("simplejavamail.disable.all.clientvalidation"),
 		CUSTOM_SSLFACTORY_CLASS("simplejavamail.custom.sslfactory.class"),
 		PROXY_HOST("simplejavamail.proxy.host"),
 		PROXY_PORT("simplejavamail.proxy.port"),

modules/simple-java-mail/src/main/java/org/simplejavamail/mailer/MailerHelper.java

@@ -51,6 +51,34 @@ public static boolean validate(@NotNull final Email email, @Nullable final Email
 		return true;
 	}
 
+	/**
+	 * Lenient validation only checks for missing fields (which implies incorrect configuration or missing data),
+	 * but only warns for invalid address and suspected CRLF injections.
+	 *
+	 * @see #validateCompleteness(Email)
+	 * @see #validateAddresses(Email, EmailValidator)
+	 * @see #scanForInjectionAttacks(Email)
+	 */
+	@SuppressWarnings({ "SameReturnValue" })
+	public static boolean validateLenient(@NotNull final Email email, @Nullable final EmailValidator emailValidator)
+			throws MailException {
+		LOGGER.debug("validating email...");
+		MailerHelper.validateCompleteness(email);
+		try {
+			MailerHelper.validateAddresses(email, emailValidator);
+		} catch (MailInvalidAddressException e) {
+			LOGGER.warn("encountered (and ignored) invalid address: {}", e.getMessage());
+		}
+		try {
+			MailerHelper.scanForInjectionAttacks(email);
+		} catch (MailSuspiciousCRLFValueException e) {
+			LOGGER.warn("encountered (and ignored) suspected CRLF injection: {}", e.getMessage());
+		}
+		LOGGER.debug("...no blocking problems found");
+
+		return true;
+	}
+
 	/**
 	 * Checks whether:
 	 * <ol>

modules/simple-java-mail/src/main/java/org/simplejavamail/mailer/internal/MailerGenericBuilderImpl.java

@@ -92,6 +92,11 @@ abstract class MailerGenericBuilderImpl<T extends MailerGenericBuilderImpl<?>> i
 	 * @see MailerGenericBuilder#withDebugLogging(Boolean)
 	 */
 	private boolean debugLogging;
+
+	/**
+	 * @see #disablingAllClientValidation(Boolean)
+	 */
+	private boolean disableAllClientValidation;
 
 	/**
 	 * @see MailerGenericBuilder#withSessionTimeout(Integer)
@@ -219,6 +224,7 @@ abstract class MailerGenericBuilderImpl<T extends MailerGenericBuilderImpl<?>> i
 
 		this.proxyPort 								= verifyNonnullOrEmpty(valueOrPropertyAsInteger(null, Property.PROXY_PORT, DEFAULT_PROXY_PORT));
 		this.proxyBridgePort 						= verifyNonnullOrEmpty(valueOrPropertyAsInteger(null, Property.PROXY_SOCKS5BRIDGE_PORT, DEFAULT_PROXY_BRIDGE_PORT));
+		this.disableAllClientValidation				= verifyNonnullOrEmpty(valueOrPropertyAsBoolean(null, Property.DISABLE_ALL_CLIENTVALIDATION, DEFAULT_DISABLE_ALL_CLIENTVALIDATION));
 		this.debugLogging 							= verifyNonnullOrEmpty(valueOrPropertyAsBoolean(null, Property.JAVAXMAIL_DEBUG, DEFAULT_JAVAXMAIL_DEBUG));
 		this.sessionTimeout 						= verifyNonnullOrEmpty(valueOrPropertyAsInteger(null, Property.DEFAULT_SESSION_TIMEOUT_MILLIS, DEFAULT_SESSION_TIMEOUT_MILLIS));
 		this.trustAllSSLHost 						= verifyNonnullOrEmpty(valueOrPropertyAsBoolean(null, Property.DEFAULT_TRUST_ALL_HOSTS, DEFAULT_TRUST_ALL_HOSTS));
@@ -298,6 +304,7 @@ OperationalConfig buildOperationalConfig() {
 				getConnectionPoolLoadBalancingStrategy(),
 				isTransportModeLoggingOnly(),
 				isDebugLogging(),
+				isDisableAllClientValidation(),
 				getSslHostsToTrust(),
 				isTrustAllSSLHost(),
 				isVerifyingServerIdentity(),
@@ -379,7 +386,7 @@ public T withProxyBridgePort(@NotNull final Integer proxyBridgePort) {
 		this.proxyBridgePort = proxyBridgePort;
 		return (T) this;
 	}
-	
+
 	/**
 	 * @see MailerGenericBuilder#withDebugLogging(Boolean)
 	 */
@@ -388,6 +395,15 @@ public T withDebugLogging(@NotNull final Boolean debugLogging) {
 		this.debugLogging = debugLogging;
 		return (T) this;
 	}
+
+	/**
+	 * @see MailerGenericBuilder#disablingAllClientValidation(Boolean)
+	 */
+	@Override
+	public T disablingAllClientValidation(@NotNull final Boolean disableAllClientValidation) {
+		this.disableAllClientValidation = disableAllClientValidation;
+		return (T) this;
+	}
 
 	/**
 	 * @see MailerGenericBuilder#withSessionTimeout(Integer)
@@ -632,6 +648,14 @@ public T withCustomMailer(@NotNull CustomMailer customMailer) {
 		return (T) this;
 	}
 
+	/**
+	 * @see MailerGenericBuilder#resetDisableAllClientValidations()
+	 */
+	@Override
+	public T resetDisableAllClientValidations() {
+		return disablingAllClientValidation(DEFAULT_DISABLE_ALL_CLIENTVALIDATION);
+	}
+
 	/**
 	 * @see MailerGenericBuilder#resetSessionTimeout()
 	 */
@@ -848,14 +872,22 @@ public String getProxyPassword() {
 	public Integer getProxyBridgePort() {
 		return proxyBridgePort;
 	}
-	
+
 	/**
 	 * @see MailerGenericBuilder#isDebugLogging()
 	 */
 	@Override
 	public boolean isDebugLogging() {
 		return debugLogging;
 	}
+
+	/**
+	 * @see MailerGenericBuilder#isDisableAllClientValidation()
+	 */
+	@Override
+	public boolean isDisableAllClientValidation() {
+		return disableAllClientValidation;
+	}
 
 	/**
 	 * @see MailerGenericBuilder#getSessionTimeout()

modules/simple-java-mail/src/main/java/org/simplejavamail/mailer/internal/MailerImpl.java

@@ -343,10 +343,11 @@ public final CompletableFuture<Void> sendMail(final Email email, @SuppressWarnin
 	 * @see Mailer#validate(Email)
 	 */
 	@Override
-	@SuppressWarnings({"SameReturnValue"})
 	public boolean validate(@NotNull final Email email)
 			throws MailException {
-		return MailerHelper.validate(email, emailGovernance.getEmailValidator());
+		return operationalConfig.isDisableAllClientValidation() ?
+				MailerHelper.validateLenient(email, emailGovernance.getEmailValidator()) :
+				MailerHelper.validate(email, emailGovernance.getEmailValidator());
 	}
 
 	/**

modules/simple-java-mail/src/main/java/org/simplejavamail/mailer/internal/OperationalConfigImpl.java

@@ -90,7 +90,12 @@ class OperationalConfigImpl implements OperationalConfig {
 	 * @see org.simplejavamail.api.mailer.MailerGenericBuilder#withDebugLogging(Boolean)
 	 */
 	private final boolean debugLogging;
-	
+
+	/**
+	 * @see org.simplejavamail.api.mailer.MailerGenericBuilder#disablingAllClientValidation(Boolean)
+	 */
+	private final boolean disableAllClientValidation;
+
 	/**
 	 * @see org.simplejavamail.api.mailer.MailerGenericBuilder#trustingSSLHosts(String...)
 	 */

modules/simple-java-mail/src/test/java/org/simplejavamail/config/ConfigLoaderTest.java

@@ -15,7 +15,6 @@
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.simplejavamail.api.email.ContentTransferEncoding.BINARY;
-import static org.simplejavamail.api.email.ContentTransferEncoding.QUOTED_PRINTABLE;
 import static org.simplejavamail.api.mailer.config.TransportStrategy.SMTPS;
 import static org.simplejavamail.config.ConfigLoader.Property.CUSTOM_SSLFACTORY_CLASS;
 import static org.simplejavamail.config.ConfigLoader.Property.DEFAULT_BCC_ADDRESS;
@@ -30,6 +29,7 @@
 import static org.simplejavamail.config.ConfigLoader.Property.DEFAULT_SUBJECT;
 import static org.simplejavamail.config.ConfigLoader.Property.DEFAULT_TO_ADDRESS;
 import static org.simplejavamail.config.ConfigLoader.Property.DEFAULT_TO_NAME;
+import static org.simplejavamail.config.ConfigLoader.Property.DISABLE_ALL_CLIENTVALIDATION;
 import static org.simplejavamail.config.ConfigLoader.Property.EMBEDDEDIMAGES_DYNAMICRESOLUTION_BASE_CLASSPATH;
 import static org.simplejavamail.config.ConfigLoader.Property.EMBEDDEDIMAGES_DYNAMICRESOLUTION_BASE_DIR;
 import static org.simplejavamail.config.ConfigLoader.Property.EMBEDDEDIMAGES_DYNAMICRESOLUTION_BASE_URL;
@@ -186,6 +186,7 @@ public void loadPropertiesFromFileClassPath() {
 		assertThat(ConfigLoader.<Integer>getProperty(PROXY_PORT)).isEqualTo(1080);
 		assertThat(ConfigLoader.<String>getProperty(PROXY_USERNAME)).isEqualTo("username proxy");
 		assertThat(ConfigLoader.<String>getProperty(PROXY_PASSWORD)).isEqualTo("password proxy");
+		assertThat(ConfigLoader.<Boolean>getProperty(DISABLE_ALL_CLIENTVALIDATION)).isFalse();
 		assertThat(ConfigLoader.<Integer>getProperty(PROXY_SOCKS5BRIDGE_PORT)).isEqualTo(1081);
 
 		assertThat(ConfigLoader.<String>getProperty(DEFAULT_FROM_NAME)).isEqualTo("From Default");