Skip to content

Email HTML Injection detection in IAST #8205

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
sezen-datadog merged 73 commits into from
Feb 5, 2025
Merged

Email HTML Injection detection in IAST #8205

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
73 commits
Select commit Hold shift + click to select a range
508a671
Email Injection detection in IAST
sezen-datadog Jan 15, 2025
a0f62f4
email injection checks
sezen-datadog Jan 15, 2025
59ea624
instrumentation class put in place
sezen-datadog Jan 15, 2025
14df382
EMAIL_HTML_INJECTION
sezen-datadog Jan 15, 2025
700dd63
pr comments easy ones
sezen-datadog Jan 15, 2025
b4225d2
only focus on transport send
sezen-datadog Jan 15, 2025
34ac9fb
pr comments
sezen-datadog Jan 15, 2025
bcca415
first attempt at instrumentation
sezen-datadog Jan 15, 2025
4b9c23c
correction on argument
sezen-datadog Jan 15, 2025
14458ed
Update dd-java-agent/instrumentation/javax-mail/src/main/java/datadog…
sezen-datadog Jan 16, 2025
b548721
Update dd-java-agent/instrumentation/javax-mail/src/main/java/datadog…
sezen-datadog Jan 16, 2025
4182134
advice class added for easier debugging
sezen-datadog Jan 16, 2025
791a5fa
html escapes with vulnerability mark
sezen-datadog Jan 16, 2025
cd9f249
instrumentation skeleton
sezen-datadog Jan 17, 2025
74cebb5
instrumentation of body elements
sezen-datadog Jan 17, 2025
ea76961
instrumentation of body elements
sezen-datadog Jan 17, 2025
e98038d
test start
sezen-datadog Jan 17, 2025
2111e77
test continue
sezen-datadog Jan 17, 2025
b814fd0
test continue
sezen-datadog Jan 17, 2025
460737d
test continue
sezen-datadog Jan 17, 2025
be50dc3
test OK
sezen-datadog Jan 20, 2025
fba4788
define the tests I want
sezen-datadog Jan 20, 2025
5fb78f1
content test OK
sezen-datadog Jan 20, 2025
a1ab334
content test OK
sezen-datadog Jan 20, 2025
d64327a
content test OK
sezen-datadog Jan 20, 2025
6f8e74f
content test OK
sezen-datadog Jan 20, 2025
49291c1
smoke test controller
sezen-datadog Jan 21, 2025
bbf5486
smoke test controller
sezen-datadog Jan 21, 2025
ee69fd5
smoke test
sezen-datadog Jan 21, 2025
ac708fe
smoke test
sezen-datadog Jan 21, 2025
ba2da19
Merge branch 'master' into sezen.leblay/APPSEC-56330-email-injection
sezen-datadog Jan 21, 2025
553c7d8
Update dd-java-agent/instrumentation/javax-mail/src/main/java/datadog…
sezen-datadog Jan 21, 2025
e3eaf20
Update dd-java-agent/instrumentation/javax-mail/src/main/java/datadog…
sezen-datadog Jan 21, 2025
95248a2
pr
sezen-datadog Jan 21, 2025
4993aec
pr
sezen-datadog Jan 21, 2025
4883918
pr
sezen-datadog Jan 21, 2025
56b3521
build correction
sezen-datadog Jan 22, 2025
cb9a54f
Update dd-java-agent/agent-iast/src/main/java/com/datadog/iast/model/…
sezen-datadog Jan 22, 2025
482a231
build correction
sezen-datadog Jan 22, 2025
69044c0
Merge branch 'master' into sezen.leblay/APPSEC-56330-email-injection
sezen-datadog Jan 22, 2025
bccb5ae
build correction
sezen-datadog Jan 22, 2025
990bbb7
Merge branch 'master' into sezen.leblay/APPSEC-56330-email-injection
sezen-datadog Jan 22, 2025
6727eff
pr
sezen-datadog Jan 22, 2025
6337ba5
pr
sezen-datadog Jan 22, 2025
b8595c7
pr
sezen-datadog Jan 22, 2025
3384382
build
sezen-datadog Jan 22, 2025
c9895be
build
sezen-datadog Jan 27, 2025
3f78b54
build
sezen-datadog Jan 27, 2025
7950096
unit tests pass
sezen-datadog Jan 27, 2025
f6da333
de sally no more
sezen-datadog Jan 27, 2025
f9b7617
de sally no more
sezen-datadog Jan 27, 2025
2ff2278
smoke tests
sezen-datadog Jan 27, 2025
a8b13ca
smoke tests
sezen-datadog Jan 27, 2025
c54f206
smoke tests
sezen-datadog Jan 28, 2025
4fdb7f7
Merge branch 'master' into sezen.leblay/APPSEC-56330-email-injection
sezen-datadog Jan 28, 2025
28a67ba
muzzle
sezen-datadog Jan 28, 2025
2e7468c
manu's suggestions
sezen-datadog Jan 28, 2025
59e42e0
beautify
sezen-datadog Jan 28, 2025
845b2d0
EMAIL_HTML_INJECTION instead of EMAIL_INJECTION
sezen-datadog Jan 29, 2025
34796da
EMAIL_HTML_INJECTION instead of EMAIL_INJECTION
sezen-datadog Jan 29, 2025
631b775
pr
sezen-datadog Jan 31, 2025
86321f6
Merge branch 'master' into sezen.leblay/APPSEC-56330-email-injection
sezen-datadog Feb 3, 2025
42b355d
unit test correction - propagation fails though
sezen-datadog Feb 3, 2025
aedcb1e
activation dependencies added
sezen-datadog Feb 3, 2025
f0aa378
test
sezen-datadog Feb 3, 2025
457e9f6
tests
sezen-datadog Feb 4, 2025
aac7112
Merge branch 'master' into sezen.leblay/APPSEC-56330-email-injection
sezen-datadog Feb 4, 2025
8b17208
javax removed from smoke tests (cant have both javax + jakarta)
sezen-datadog Feb 4, 2025
3f9815d
oops
sezen-datadog Feb 4, 2025
73b3cb1
oops
sezen-datadog Feb 4, 2025
bc708c5
PR
sezen-datadog Feb 5, 2025
943227d
Merge branch 'master' into sezen.leblay/APPSEC-56330-email-injection
sezen-datadog Feb 5, 2025
a37d29a
Merge branch 'master' into sezen.leblay/APPSEC-56330-email-injection
sezen-datadog Feb 5, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion dd-java-agent/agent-iast/src/main/java/com/datadog/iast/IastSystem.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@
import com.datadog.iast.securitycontrol.IastSecurityControlTransformer;
import com.datadog.iast.sink.ApplicationModuleImpl;
import com.datadog.iast.sink.CommandInjectionModuleImpl;
import com.datadog.iast.sink.EmailInjectionModuleImpl;
import com.datadog.iast.sink.HardcodedSecretModuleImpl;
import com.datadog.iast.sink.HeaderInjectionModuleImpl;
import com.datadog.iast.sink.HstsMissingHeaderModuleImpl;
Expand Down Expand Up @@ -179,7 +180,8 @@ private static Stream<IastModule> iastModules(
HardcodedSecretModuleImpl.class,
InsecureAuthProtocolModuleImpl.class,
ReflectionInjectionModuleImpl.class,
UntrustedDeserializationModuleImpl.class);
UntrustedDeserializationModuleImpl.class,
EmailInjectionModuleImpl.class);
if (iast != FULLY_ENABLED) {
modules = modules.filter(IastSystem::isOptOut);
}
Expand Down
7 changes: 6 additions & 1 deletion dd-java-agent/agent-iast/src/main/java/com/datadog/iast/model/VulnerabilityType.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@

import static com.datadog.iast.util.CRCUtils.update;
import static datadog.trace.api.iast.VulnerabilityMarks.COMMAND_INJECTION_MARK;
import static datadog.trace.api.iast.VulnerabilityMarks.EMAIL_HTML_INJECTION_MARK;
import static datadog.trace.api.iast.VulnerabilityMarks.HEADER_INJECTION_MARK;
import static datadog.trace.api.iast.VulnerabilityMarks.LDAP_INJECTION_MARK;
import static datadog.trace.api.iast.VulnerabilityMarks.NOT_MARKED;
Expand Down Expand Up @@ -109,6 +110,9 @@ public interface VulnerabilityType {
.mark(UNTRUSTED_DESERIALIZATION_MARK)
.build();

VulnerabilityType EMAIL_HTML_INJECTION =
type(VulnerabilityTypes.EMAIL_HTML_INJECTION).mark(EMAIL_HTML_INJECTION_MARK).build();

/* All vulnerability types that have a mark. Should be updated if new vulnerabilityType with mark is added */
VulnerabilityType[] MARKED_VULNERABILITIES = {
SQL_INJECTION,
Expand All @@ -122,7 +126,8 @@ public interface VulnerabilityType {
XSS,
HEADER_INJECTION,
REFLECTION_INJECTION,
UNTRUSTED_DESERIALIZATION
UNTRUSTED_DESERIALIZATION,
EMAIL_HTML_INJECTION
};

String name();
Expand Down
42 changes: 42 additions & 0 deletions dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/EmailInjectionModuleImpl.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
package com.datadog.iast.sink;

import com.datadog.iast.Dependencies;
import com.datadog.iast.model.VulnerabilityType;
import datadog.trace.api.iast.sink.EmailInjectionModule;
import javax.annotation.Nullable;
import javax.mail.Message;
import javax.mail.MessagingException;
import javax.mail.internet.MimeMultipart;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class EmailInjectionModuleImpl extends SinkModuleBase implements EmailInjectionModule {

private static final Logger LOGGER = LoggerFactory.getLogger(EmailInjectionModule.class);

public EmailInjectionModuleImpl(final Dependencies dependencies) {
super(dependencies);
}

@Override
public void onSendEmail(@Nullable final MimeMultipart message) {
if (message == null) {
return;
}
try {
for (int i = 0; i < message.getCount(); i++) {
checkInjection(VulnerabilityType.EMAIL_HTML_INJECTION, message.getBodyPart(i));
}
} catch (MessagingException e) {
LOGGER.debug("Exception while checking injections of mime multipart message", e);
}
}

@Override
public void onSendEmail(@Nullable final Message message) {
if (message == null) {
return;
}
checkInjection(VulnerabilityType.EMAIL_HTML_INJECTION, message);
}
}
19 changes: 19 additions & 0 deletions dd-java-agent/instrumentation/javax-mail/build.gradle
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
muzzle {
pass {
coreJdk()
}
}

apply from: "$rootDir/gradle/java.gradle"
apply plugin: 'call-site-instrumentation'
Copy link
Member

@manuel-alvarez-alvarez manuel-alvarez-alvarez Feb 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as with jakarta, I think the plugin is not needed


addTestSuiteForDir('latestDepTest', 'test')

dependencies {
testRuntimeOnly project(':dd-java-agent:instrumentation:iast-instrumenter')
}


tasks.compileTestJava.configure {
setJavaVersion(it, 8)
}
34 changes: 34 additions & 0 deletions ...mail/src/main/java/datadog/trace/instrumentation/javax/mail/JavaxMailInstrumentation.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
package datadog.trace.instrumentation.javax.mail;

import static datadog.trace.agent.tooling.bytebuddy.matcher.HierarchyMatchers.implementsInterface;
import static datadog.trace.agent.tooling.bytebuddy.matcher.NameMatchers.named;

import com.google.auto.service.AutoService;
import datadog.trace.agent.tooling.Instrumenter;
import datadog.trace.agent.tooling.InstrumenterModule;
import net.bytebuddy.description.type.TypeDescription;
import net.bytebuddy.matcher.ElementMatcher;

@AutoService(InstrumenterModule.class)
public class JavaxMailInstrumentation extends InstrumenterModule.Iast
implements Instrumenter.ForTypeHierarchy, Instrumenter.HasMethodAdvice {

public JavaxMailInstrumentation(String instrumentationName, String... additionalNames) {
super("javaxmailinstrumentation", "javaxmail");
}

@Override
public String hierarchyMarkerType() {
return "org.java.mail";
}

@Override
public ElementMatcher<TypeDescription> hierarchyMatcher() {
return implementsInterface(named(hierarchyMarkerType()));
}

@Override
public void methodAdvice(MethodTransformer transformer) {
// TODO
}
}
2 changes: 2 additions & 0 deletions internal-api/src/main/java/datadog/trace/api/iast/InstrumentationBridge.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@
import datadog.trace.api.iast.propagation.StringModule;
import datadog.trace.api.iast.sink.ApplicationModule;
import datadog.trace.api.iast.sink.CommandInjectionModule;
import datadog.trace.api.iast.sink.EmailInjectionModule;
import datadog.trace.api.iast.sink.HardcodedSecretModule;
import datadog.trace.api.iast.sink.HeaderInjectionModule;
import datadog.trace.api.iast.sink.HstsMissingHeaderModule;
Expand Down Expand Up @@ -67,6 +68,7 @@ public abstract class InstrumentationBridge {
public static InsecureAuthProtocolModule INSECURE_AUTH_PROTOCOL;
public static ReflectionInjectionModule REFLECTION_INJECTION;
public static UntrustedDeserializationModule UNTRUSTED_DESERIALIZATION;
public static EmailInjectionModule EMAIL_INJECTION;

private static final Map<Class<? extends IastModule>, Field> MODULE_MAP = buildModuleMap();

Expand Down
1 change: 1 addition & 0 deletions internal-api/src/main/java/datadog/trace/api/iast/VulnerabilityMarks.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ private VulnerabilityMarks() {}
public static final int UNTRUSTED_DESERIALIZATION_MARK = 1 << 11;

public static final int CUSTOM_SECURITY_CONTROL_MARK = 1 << 13;
public static final int EMAIL_HTML_INJECTION_MARK = 1 << 14;

public static int markForAll() {
return XSS_MARK
Expand Down
4 changes: 3 additions & 1 deletion internal-api/src/main/java/datadog/trace/api/iast/VulnerabilityTypes.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@ private VulnerabilityTypes() {}
public static final byte SESSION_REWRITING = 28;
public static final byte DEFAULT_APP_DEPLOYED = 29;
public static final byte UNTRUSTED_DESERIALIZATION = 30;
public static final byte EMAIL_HTML_INJECTION = 31;

/**
* Use for telemetry only, this is a special vulnerability type that is not reported, reported
Expand Down Expand Up @@ -115,7 +116,8 @@ private VulnerabilityTypes() {}
"REFLECTION_INJECTION",
"SESSION_REWRITING",
"DEFAULT_APP_DEPLOYED",
"UNTRUSTED_DESERIALIZATION"
"UNTRUSTED_DESERIALIZATION",
"EMAIL_INJECTION"
};

public static String toString(final byte vulnerability) {
Expand Down
12 changes: 12 additions & 0 deletions internal-api/src/main/java/datadog/trace/api/iast/sink/EmailInjectionModule.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
package datadog.trace.api.iast.sink;

import datadog.trace.api.iast.IastModule;
import javax.annotation.Nullable;
import javax.mail.Message;
import javax.mail.internet.MimeMultipart;

public interface EmailInjectionModule extends IastModule {
void onSendEmail(@Nullable MimeMultipart body);

void onSendEmail(@Nullable Message message);
}
1 change: 1 addition & 0 deletions internal-api/src/test/groovy/datadog/trace/api/iast/VulnerabilityTypesTest.groovy
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,5 +45,6 @@ class VulnerabilityTypesTest extends DDSpecification {
VulnerabilityTypes.SESSION_REWRITING | 'SESSION_REWRITING'
VulnerabilityTypes.DEFAULT_APP_DEPLOYED | 'DEFAULT_APP_DEPLOYED'
VulnerabilityTypes.UNTRUSTED_DESERIALIZATION | 'UNTRUSTED_DESERIALIZATION'
VulnerabilityTypes.EMAIL_HTML_INJECTION | 'EMAIL_INJECTION'
}
}
1 change: 1 addition & 0 deletions settings.gradle
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -297,6 +297,7 @@ include ':dd-java-agent:instrumentation:java-security'
include ':dd-java-agent:instrumentation:java-util'
include ':dd-java-agent:instrumentation:javax-naming'
include ':dd-java-agent:instrumentation:javax-xml'
include ':dd-java-agent:instrumentation:javax-mail'
include ':dd-java-agent:instrumentation:jax-rs-annotations-1'
include ':dd-java-agent:instrumentation:jax-rs-annotations-2'
include ':dd-java-agent:instrumentation:jax-rs-annotations-2:filter-jersey'
Expand Down
Loading