Having trouble resolving RSPEC-5167 in Java

I have a web service which is receiving an email address from the user, which is then put in an HTTP request header using Spring RestTemplate. The email address has been verified to be a legal email address using a regular expression. An email address is a legal HTTP header value because it contains only ASCII characters. For some reason SonarCloud is flagging this code with "HTTP response headers should not be vulnerable to injection attacks", which is strange since this is an HTTP request. From reading the rule description it seems as though the only way to resolve this is by checking the email address against a whitelist. Is that true? So, given that I can't practically have an email address whitelist, do I have to resolve this by saying "Resolve as won't fix"?
Thanks for the help.

Hello @Dan_Finucane

Welcome to the community and thanks for this report.

Can you share with us a reproducer, or even better the link to your (public?) issue in SonarCloud?

  1. Recently we added support for some regular expression libraries like java.util.regex as a way to protect against this kind of vulnerability. Which regex library are you using?

  2. In this rule, user-controlled inputs used in the add() and set() methods of org.springframework.http.HttpHeaders (among other libraries) are detected, and you are right: an HttpHeaders object can be used to build HTTP responses or requests, so we will look at how to adapt the detection behavior or the rule description to be more precise.

Eric

Thanks Eric. I'm wondering if the recent changes are deployed to sonarcloud.io yet, because that is what we use. The code is private so I can't put a link here, but I can share the code that uses Pattern to make sure it's a valid email address. This code is called just before adding the value to an HttpHeaders.

import java.util.regex.Pattern;

public final class EmailAddressValidator {
    private EmailAddressValidator(){}

    // the following regular expression for validating an email address was taken from https://stackoverflow.com/a/201378/30026
    private static final Pattern EMAIL_ADDRESS_PATTERN = Pattern.compile("(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|\"(?:[\\x01-\\x08\\x0b\\x0c\\x0e-\\x1f\\x21\\x23-\\x5b\\x5d-\\x7f]|\\\\[\\x01-\\x09\\x0b\\x0c\\x0e-\\x7f])*\")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\\.){3}(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9])|[a-z0-9-]*[a-z0-9]:(?:[\\x01-\\x08\\x0b\\x0c\\x0e-\\x1f\\x21-\\x5a\\x53-\\x7f]|\\\\[\\x01-\\x09\\x0b\\x0c\\x0e-\\x7f])+)\\])");

    // Rejects the value unless it fully matches the pattern above.
    public static void validate(String emailAddressString) {
        // IllegalArgumentExceptionThrowHelper is the poster's own null/blank-check utility; it is not shown in this thread.
        IllegalArgumentExceptionThrowHelper.throwIfMissingRequiredArgument("emailAddressString", emailAddressString);

        if (!EMAIL_ADDRESS_PATTERN.matcher(emailAddressString).matches()) {
            throw new IllegalArgumentException("The value provided was not a valid email address.");
        }
    }
}

dan
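The point behind Eric's answer is that a full-match regex over a printable-ASCII character set cannot let a CR or LF through, which is exactly what S5167 is about. The following is an added example, not code from the thread or from SonarSource; it uses a simplified email pattern (an assumption, looser than the RFC 5322-style one posted above) and adds an explicit printable-ASCII check as defense in depth before a value is handed to HttpHeaders.

```java
import java.util.List;
import java.util.regex.Pattern;

public final class HeaderSafeEmail {
    // Simplified email pattern (assumption for this example). Every class it allows is
    // printable ASCII, so CR, LF and non-ASCII characters can never produce a match.
    private static final Pattern SIMPLE_EMAIL =
            Pattern.compile("[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+@[A-Za-z0-9-]+(?:\\.[A-Za-z0-9-]+)+");

    // Anything outside printable ASCII (0x20-0x7E); this includes the CR and LF that
    // would terminate a header line, which is the injection S5167 warns about.
    private static final Pattern NOT_PRINTABLE_ASCII = Pattern.compile("[^\\x20-\\x7e]");

    private HeaderSafeEmail() {}

    /** Returns the value if it is safe to place in a header value, otherwise throws. */
    public static String requireHeaderSafeEmail(String value) {
        if (value == null || value.isEmpty()) {
            throw new IllegalArgumentException("emailAddress is required");
        }
        if (NOT_PRINTABLE_ASCII.matcher(value).find()) {
            throw new IllegalArgumentException("header value contains CR/LF or non-ASCII");
        }
        if (!SIMPLE_EMAIL.matcher(value).matches()) {
            throw new IllegalArgumentException("not a valid email address");
        }
        return value;
    }

    public static void main(String[] args) {
        // Constructed inputs: a legitimate address, one carrying a CRLF that would start a
        // new header line, and one containing a non-ASCII letter.
        List<String> samples = List.of(
                "dan@example.com",
                "dan@example.com\r\nX-Injected: 1",
                "d\u00e1n@example.com");
        for (String s : samples) {
            String shown = s.replace("\r", "\\r").replace("\n", "\\n");
            try {
                System.out.println("accepted: " + requireHeaderSafeEmail(s));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected (" + e.getMessage() + "): " + shown);
            }
        }
    }
}
```

Only the first sample is accepted; the other two are rejected by the ASCII check before the email pattern is even consulted.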

We forgot to define java.util.regex.Matcher type as a validator.

A ticket has been created; we will get back to you when the fix is released in a few weeks. For the moment you can close this issue as "false positive".

Thanks @Dan_Finucane for this relevant report.

Eric

Thanks Eric, that sounds great.

dan

Did this fix get deployed?

Indeed, it has been fixed and released to SonarCloud recently:

  • We added Matcher as a validator.
  • The HttpHeaders library will be addressed soon so that rule S5167 triggers only when an HTTP response is created, but it needs more work.

Anyway, can you confirm it resolves your initial problem?

Eric