Merge pull request #3491 from luchua-bc/java-insecure-smtp-ssl

Java: CWE-297 insecure JavaMail SSL configuration
2026-04-28 18:25:24 +02:00 · 2020-06-10 11:02:50 +02:00
parent 06066f0c5b 1fd9c7fdec
commit 4b3ca13f25
17 changed files with 2783 additions and 0 deletions
--- a/java/ql/test/experimental/query-tests/security/CWE-297/InsecureJavaMail.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-297/InsecureJavaMail.expected
@@ -0,0 +1,2 @@
+| InsecureJavaMail.java:29:27:29:72 | getInstance(...) | Java mailing has insecure SSL configuration |
+| InsecureJavaMail.java:37:3:37:29 | setSSLOnConnect(...) | Java mailing has insecure SSL configuration |
--- a/java/ql/test/experimental/query-tests/security/CWE-297/InsecureJavaMail.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-297/InsecureJavaMail.java
@@ -0,0 +1,45 @@
+import java.util.Properties;
+
+import javax.mail.Authenticator;
+import javax.mail.PasswordAuthentication;
+import javax.mail.Session;
+
+import org.apache.commons.mail.DefaultAuthenticator;
+import org.apache.commons.mail.Email;
+import org.apache.commons.mail.SimpleEmail;
+
+import java.util.Properties;
+
+class InsecureJavaMail {
+	public void testJavaMail() {
+		final Properties properties = new Properties();
+		properties.put("mail.transport.protocol", "protocol");
+		properties.put("mail.smtp.host", "hostname");
+		properties.put("mail.smtp.socketFactory.class", "classname");
+
+		final javax.mail.Authenticator authenticator = new javax.mail.Authenticator() {
+			protected PasswordAuthentication getPasswordAuthentication() {
+				return new PasswordAuthentication("username", "password");
+			}
+		};
+		if (null != authenticator) {
+			properties.put("mail.smtp.auth", "true");
+			// properties.put("mail.smtp.ssl.checkserveridentity", "true");
+		}
+		final Session session = Session.getInstance(properties, authenticator);
+	}
+
+	public void testSimpleMail() {
+		Email email = new SimpleEmail();
+		email.setHostName("config.hostName");
+		email.setSmtpPort(25);
+		email.setAuthenticator(new DefaultAuthenticator("config.username", "config.password"));
+		email.setSSLOnConnect(true);
+		// email.setSSLCheckServerIdentity(true);
+		email.setFrom("fromAddress");
+		email.setSubject("subject");
+		email.setMsg("body");
+		email.addTo("toAddress");
+		email.send();
+	}
+}
--- a/java/ql/test/experimental/query-tests/security/CWE-297/InsecureJavaMail.qlref
+++ b/java/ql/test/experimental/query-tests/security/CWE-297/InsecureJavaMail.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-297/InsecureJavaMail.ql
--- a/java/ql/test/experimental/query-tests/security/CWE-297/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-297/options
@@ -0,0 +1 @@
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/apache-commons-email-1.6.0:${testdir}/../../../../stubs/javamail-api-1.6.2
				`@@ -0,0 +1 @@`
				`experimental/Security/CWE/CWE-297/InsecureJavaMail.ql`
				`@@ -0,0 +1 @@`
				`// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/apache-commons-email-1.6.0:${testdir}/../../../../stubs/javamail-api-1.6.2`