Consider setStartTLSRequired for Apache SimpleEmail

atorralba · atorralba · commit 2d1278ece50a · 2021-10-05T09:18:48.000+02:00
diff --git a/java/ql/src/semmle/code/java/security/Mail.qll b/java/ql/src/semmle/code/java/security/Mail.qll
@@ -33,7 +33,7 @@ predicate isInsecureMailPropertyConfig(VarAccess propertiesVarAccess) {
  * Holds if `ma` enables TLS/SSL with Apache Email.
  */
 predicate enablesEmailSsl(MethodAccess ma) {
-  ma.getMethod().hasName("setSSLOnConnect") and
+  ma.getMethod().hasName(["setSSLOnConnect", "setStartTLSRequired"]) and
   ma.getMethod().getDeclaringType() instanceof ApacheEmail and
   ma.getArgument(0).(BooleanLiteral).getBooleanValue() = true
 }
diff --git a/java/ql/test/query-tests/security/CWE-297/InsecureJavaMailTest.java b/java/ql/test/query-tests/security/CWE-297/InsecureJavaMailTest.java
@@ -4,12 +4,6 @@
 import javax.mail.PasswordAuthentication;
 import javax.mail.Session;
 
-import org.apache.commons.mail.DefaultAuthenticator;
-import org.apache.commons.mail.Email;
-import org.apache.commons.mail.SimpleEmail;
-
-import java.util.Properties;
-
 class InsecureJavaMailTest {
 	public void testJavaMail() {
 		final Properties properties = new Properties();
@@ -46,30 +40,5 @@ protected PasswordAuthentication getPasswordAuthentication() {
 		final Session session = Session.getInstance(properties, authenticator); // Safe
 	}
 
-	public void testSimpleMail() throws Exception {
-		Email email = new SimpleEmail();
-		email.setHostName("config.hostName");
-		email.setSmtpPort(25);
-		email.setAuthenticator(new DefaultAuthenticator("config.username", "config.password"));
-		email.setSSLOnConnect(true); // $hasInsecureJavaMail
-		email.setFrom("fromAddress");
-		email.setSubject("subject");
-		email.setMsg("body");
-		email.addTo("toAddress");
-		email.send();
-	}
 
-	public void testSecureSimpleMail() throws Exception {
-		Email email = new SimpleEmail();
-		email.setHostName("config.hostName");
-		email.setSmtpPort(25);
-		email.setAuthenticator(new DefaultAuthenticator("config.username", "config.password"));
-		email.setSSLOnConnect(true); // Safe
-		email.setSSLCheckServerIdentity(true);
-		email.setFrom("fromAddress");
-		email.setSubject("subject");
-		email.setMsg("body");
-		email.addTo("toAddress");
-		email.send();
-	}
 }
diff --git a/java/ql/test/query-tests/security/CWE-297/InsecureSimpleEmailTest.java b/java/ql/test/query-tests/security/CWE-297/InsecureSimpleEmailTest.java
@@ -0,0 +1,62 @@
+import org.apache.commons.mail.DefaultAuthenticator;
+import org.apache.commons.mail.Email;
+import org.apache.commons.mail.SimpleEmail;
+
+public class InsecureSimpleEmailTest {
+    public void test() throws Exception {
+        // with setSSLOnConnect
+        {
+            Email email = new SimpleEmail();
+            email.setHostName("config.hostName");
+            email.setSmtpPort(25);
+            email.setAuthenticator(new DefaultAuthenticator("config.username", "config.password"));
+            email.setSSLOnConnect(true); // $hasInsecureJavaMail
+            email.setFrom("fromAddress");
+            email.setSubject("subject");
+            email.setMsg("body");
+            email.addTo("toAddress");
+            email.send();
+        }
+        // with setStartTLSRequired
+        {
+            Email email = new SimpleEmail();
+            email.setHostName("config.hostName");
+            email.setSmtpPort(25);
+            email.setAuthenticator(new DefaultAuthenticator("config.username", "config.password"));
+            email.setStartTLSRequired(true); // $hasInsecureJavaMail
+            email.setFrom("fromAddress");
+            email.setSubject("subject");
+            email.setMsg("body");
+            email.addTo("toAddress");
+            email.send();
+        }
+        // safe with setSSLOnConnect
+        {
+            Email email = new SimpleEmail();
+            email.setHostName("config.hostName");
+            email.setSmtpPort(25);
+            email.setAuthenticator(new DefaultAuthenticator("config.username", "config.password"));
+            email.setSSLOnConnect(true); // Safe
+            email.setSSLCheckServerIdentity(true);
+            email.setFrom("fromAddress");
+            email.setSubject("subject");
+            email.setMsg("body");
+            email.addTo("toAddress");
+            email.send();
+        }
+        // safe with setStartTLSRequired
+        {
+            Email email = new SimpleEmail();
+            email.setHostName("config.hostName");
+            email.setSmtpPort(25);
+            email.setAuthenticator(new DefaultAuthenticator("config.username", "config.password"));
+            email.setStartTLSRequired(true); // Safe
+            email.setSSLCheckServerIdentity(true);
+            email.setFrom("fromAddress");
+            email.setSubject("subject");
+            email.setMsg("body");
+            email.addTo("toAddress");
+            email.send();
+        }
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,7 @@ predicate isInsecureMailPropertyConfig(VarAccess propertiesVarAccess) {`
`33`	`33`	* Holds if `ma` enables TLS/SSL with Apache Email.
`34`	`34`	`*/`
`35`	`35`	`predicate enablesEmailSsl(MethodAccess ma) {`
`36`		`- ma.getMethod().hasName("setSSLOnConnect") and`
	`36`	`+ ma.getMethod().hasName(["setSSLOnConnect", "setStartTLSRequired"]) and`
`37`	`37`	`ma.getMethod().getDeclaringType() instanceof ApacheEmail and`
`38`	`38`	`ma.getArgument(0).(BooleanLiteral).getBooleanValue() = true`
`39`	`39`	`}`