
Commit baffb0e

committed
Consider Jakarta Mail
1 parent a2e9c2f commit baffb0e


6 files changed

+175
-5
lines changed


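--- a/java/ql/src/semmle/code/java/frameworks/Mail.qll
+++ b/java/ql/src/semmle/code/java/frameworks/Mail.qll
@@ -3,14 +3,14 @@
 import java
 
 /**
-* The class `javax.mail.Session`
+* The class `javax.mail.Session` or `jakarta.mail.Session`.
 */
 class MailSession extends Class {
-MailSession() { this.hasQualifiedName("javax.mail", "Session") }
+MailSession() { this.hasQualifiedName(["javax.mail", "jakarta.mail"], "Session") }
 }
 
 /**
-* The method `getInstance` of the class `javax.mail.Session`
+* The method `getInstance` of the classes `javax.mail.Session` or `jakarta.mail.Session`.
 */
 class MailSessionGetInstanceMethod extends Method {
 MailSessionGetInstanceMethod() {
@@ -20,7 +20,7 @@ class MailSessionGetInstanceMethod extends Method {
 }
 
 /**
-* A subtype of the class `org.apache.commons.mail.Email`
+* A subtype of the class `org.apache.commons.mail.Email`.
 */
 class ApacheEmail extends Class {
 ApacheEmail() { this.getASupertype*().hasQualifiedName("org.apache.commons.mail", "Email") }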
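Review bot: The doc comment at new line 13 now states that `MailSessionGetInstanceMethod` covers `jakarta.mail.Session`, but its characteristic predicate (lines 17-19) falls between the two hunks and is not shown, so nothing visible confirms that it resolves the declaring type through `MailSession` rather than a literal `"javax.mail"`. If it used a literal package name, `Session.getInstance` calls on Jakarta Mail would stay unmodelled and the insecure-mail query would miss them without any error. A short comment on the `MailSession` constructor would help the next maintainer, for example `// Jakarta Mail 2.x moved the API from javax.mail to jakarta.mail; both namespaces must be matched.` The line 13 comment should also say "class", singular, as line 6 does, since "the classes A or B" reads oddly.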
Lines changed: 42 additions & 0 deletions
@@ -0,0 +1,42 @@
1+
import java.util.Properties;
2+
3+
import jakarta.mail.Authenticator;
4+
import jakarta.mail.PasswordAuthentication;
5+
import jakarta.mail.Session;
6+
7+
class InsecureJakartaMailTest {
8+
public void testJavaMail() {
9+
final Properties properties = new Properties();
10+
properties.put("mail.transport.protocol", "protocol");
11+
properties.put("mail.smtp.host", "hostname");
12+
properties.put("mail.smtp.socketFactory.class", "classname");
13+
14+
final jakarta.mail.Authenticator authenticator = new jakarta.mail.Authenticator() {
15+
protected PasswordAuthentication getPasswordAuthentication() {
16+
return new PasswordAuthentication("username", "password");
17+
}
18+
};
19+
if (null != authenticator) {
20+
properties.put("mail.smtp.auth", "true");
21+
}
22+
final Session session = Session.getInstance(properties, authenticator); // $hasInsecureJavaMail
23+
}
24+
25+
public void testSecureJavaMail() {
26+
final Properties properties = new Properties();
27+
properties.put("mail.transport.protocol", "protocol");
28+
properties.put("mail.smtp.host", "hostname");
29+
properties.put("mail.smtp.socketFactory.class", "classname");
30+
31+
final jakarta.mail.Authenticator authenticator = new jakarta.mail.Authenticator() {
32+
protected PasswordAuthentication getPasswordAuthentication() {
33+
return new PasswordAuthentication("username", "password");
34+
}
35+
};
36+
if (null != authenticator) {
37+
properties.put("mail.smtp.auth", "true");
38+
properties.put("mail.smtp.ssl.checkserveridentity", "true");
39+
}
40+
final Session session = Session.getInstance(properties, authenticator); // Safe
41+
}
42+
}
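Review bot: In `testSecureJavaMail` the `mail.smtp.ssl.checkserveridentity` property is set inside `if (null != authenticator)`, so the fixture ties server-identity verification to whether credentials are configured, and the guard is always true because `authenticator` was constructed just above. As a pattern for the safe case it would be clearer to set the property unconditionally next to the other `properties.put` calls, with a comment such as `// server identity check must not depend on whether an authenticator is present`. The two methods also cover only "property absent" and "property true"; if the query is meant to treat an explicit opt-out as insecure, a third method with `properties.put("mail.smtp.ssl.checkserveridentity", "false");` and a `// $hasInsecureJavaMail` expectation would pin that down for the Jakarta namespace. The method names still say `JavaMail`, presumably carried over from the javax test.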
Lines changed: 1 addition & 1 deletion
@@ -1 +1 @@
1-
// semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/apache-commons-email-1.6.0:${testdir}/../../../stubs/javamail-api-1.6.2
1+
// semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/apache-commons-email-1.6.0:${testdir}/../../../stubs/javamail-api-1.6.2:${testdir}/../../../stubs/jakarta-mail-2.0.1

java/ql/test/stubs/jakarta-mail-2.0.1/jakarta/mail/Authenticator.java

Lines changed: 20 additions & 0 deletions

java/ql/test/stubs/jakarta-mail-2.0.1/jakarta/mail/PasswordAuthentication.java

Lines changed: 28 additions & 0 deletions

java/ql/test/stubs/jakarta-mail-2.0.1/jakarta/mail/Session.java

Lines changed: 80 additions & 0 deletions
