Consider Jakarta Mail

2025-12-24 04:36:35 +01:00 · 2021-06-30 12:14:55 +02:00
parent a2e9c2f4ab
commit baffb0ed89
6 changed files with 175 additions and 5 deletions
--- a/java/ql/src/semmle/code/java/frameworks/Mail.qll
+++ b/java/ql/src/semmle/code/java/frameworks/Mail.qll
@@ -3,14 +3,14 @@
 import java

 /**
- * The class `javax.mail.Session`
+ * The class `javax.mail.Session` or `jakarta.mail.Session`.
 */
 class MailSession extends Class {
-  MailSession() { this.hasQualifiedName("javax.mail", "Session") }
+  MailSession() { this.hasQualifiedName(["javax.mail", "jakarta.mail"], "Session") }
 }

 /**
- * The method `getInstance` of the class `javax.mail.Session`
+ * The method `getInstance` of the classes `javax.mail.Session` or `jakarta.mail.Session`.
 */
 class MailSessionGetInstanceMethod extends Method {
  MailSessionGetInstanceMethod() {
@@ -20,7 +20,7 @@ class MailSessionGetInstanceMethod extends Method {
 }

 /**
- * A subtype of the class `org.apache.commons.mail.Email`
+ * A subtype of the class `org.apache.commons.mail.Email`.
 */
 class ApacheEmail extends Class {
  ApacheEmail() { this.getASupertype*().hasQualifiedName("org.apache.commons.mail", "Email") }
--- a/java/ql/test/query-tests/security/CWE-297/InsecureJakartaMailTest.java
+++ b/java/ql/test/query-tests/security/CWE-297/InsecureJakartaMailTest.java
@@ -0,0 +1,42 @@
+import java.util.Properties;
+
+import jakarta.mail.Authenticator;
+import jakarta.mail.PasswordAuthentication;
+import jakarta.mail.Session;
+
+class InsecureJakartaMailTest {
+	public void testJavaMail() {
+		final Properties properties = new Properties();
+		properties.put("mail.transport.protocol", "protocol");
+		properties.put("mail.smtp.host", "hostname");
+		properties.put("mail.smtp.socketFactory.class", "classname");
+
+		final jakarta.mail.Authenticator authenticator = new jakarta.mail.Authenticator() {
+			protected PasswordAuthentication getPasswordAuthentication() {
+				return new PasswordAuthentication("username", "password");
+			}
+		};
+		if (null != authenticator) {
+			properties.put("mail.smtp.auth", "true");
+		}
+		final Session session = Session.getInstance(properties, authenticator); // $hasInsecureJavaMail
+	}
+
+	public void testSecureJavaMail() {
+		final Properties properties = new Properties();
+		properties.put("mail.transport.protocol", "protocol");
+		properties.put("mail.smtp.host", "hostname");
+		properties.put("mail.smtp.socketFactory.class", "classname");
+
+		final jakarta.mail.Authenticator authenticator = new jakarta.mail.Authenticator() {
+			protected PasswordAuthentication getPasswordAuthentication() {
+				return new PasswordAuthentication("username", "password");
+			}
+		};
+		if (null != authenticator) {
+			properties.put("mail.smtp.auth", "true");
+			properties.put("mail.smtp.ssl.checkserveridentity", "true");
+		}
+		final Session session = Session.getInstance(properties, authenticator); // Safe
+	}
+}
--- a/java/ql/test/query-tests/security/CWE-297/options
+++ b/java/ql/test/query-tests/security/CWE-297/options
@@ -1 +1 @@
-// semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/apache-commons-email-1.6.0:${testdir}/../../../stubs/javamail-api-1.6.2
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/apache-commons-email-1.6.0:${testdir}/../../../stubs/javamail-api-1.6.2:${testdir}/../../../stubs/jakarta-mail-2.0.1
--- a/java/ql/test/stubs/jakarta-mail-2.0.1/jakarta/mail/Authenticator.java
+++ b/java/ql/test/stubs/jakarta-mail-2.0.1/jakarta/mail/Authenticator.java
@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 1997, 2020 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.mail;
+
+public abstract class Authenticator {
+}
--- a/java/ql/test/stubs/jakarta-mail-2.0.1/jakarta/mail/PasswordAuthentication.java
+++ b/java/ql/test/stubs/jakarta-mail-2.0.1/jakarta/mail/PasswordAuthentication.java
@@ -0,0 +1,28 @@
+/*
+ * Copyright (c) 1997, 2020 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the terms of the Eclipse
+ * Public License v. 2.0, which is available at http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary Licenses when the
+ * conditions for such availability set forth in the Eclipse Public License v. 2.0 are satisfied:
+ * GNU General Public License, version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.mail;
+
+public final class PasswordAuthentication {
+  public PasswordAuthentication(String userName, String password) {}
+
+  public String getUserName() {
+    return null;
+  }
+
+  public String getPassword() {
+    return null;
+  }
+
+}
--- a/java/ql/test/stubs/jakarta-mail-2.0.1/jakarta/mail/Session.java
+++ b/java/ql/test/stubs/jakarta-mail-2.0.1/jakarta/mail/Session.java
@@ -0,0 +1,80 @@
+/*
+ * Copyright (c) 1997, 2020 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the terms of the Eclipse
+ * Public License v. 2.0, which is available at http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary Licenses when the
+ * conditions for such availability set forth in the Eclipse Public License v. 2.0 are satisfied:
+ * GNU General Public License, version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.mail;
+
+import java.lang.reflect.*;
+import java.io.*;
+import java.net.*;
+import java.security.*;
+import java.util.Properties;
+
+public final class Session {
+  public static Session getInstance(Properties props, Authenticator authenticator) {
+    return null;
+  }
+
+  public static Session getInstance(Properties props) {
+    return null;
+  }
+
+  public static synchronized Session getDefaultInstance(Properties props,
+      Authenticator authenticator) {
+    return null;
+  }
+
+  public static Session getDefaultInstance(Properties props) {
+    return null;
+  }
+
+  public synchronized void setDebug(boolean debug) {}
+
+  public synchronized boolean getDebug() {
+    return false;
+  }
+
+  public synchronized void setDebugOut(PrintStream out) {}
+
+  public synchronized PrintStream getDebugOut() {
+    return null;
+  }
+
+  public synchronized Provider[] getProviders() {
+    return null;
+  }
+
+  public synchronized Provider getProvider(String protocol) throws NoSuchProviderException {
+    return null;
+  }
+
+  public synchronized void setProvider(Provider provider) throws NoSuchProviderException {}
+
+  public PasswordAuthentication requestPasswordAuthentication(InetAddress addr, int port,
+      String protocol, String prompt, String defaultUserName) {
+    return null;
+  }
+
+  public Properties getProperties() {
+    return null;
+  }
+
+  public String getProperty(String name) {
+    return null;
+  }
+
+  public synchronized void addProvider(Provider provider) {}
+
+  public synchronized void setProtocolForAddress(String addresstype, String protocol) {}
+
+}