How to fix VeraCode Improper Neutralization of CRLF Sequences Injection

Description

A function call contains a CRLF Injection flaw. Writing unsanitized user-supplied input to an interface or external application that treats the CRLF (carriage return line feed) sequence as a delimiter to separate lines or records can result in that data being misinterpreted. FTP and SMTP are examples of protocols that treat CRLF as a delimiter when parsing commands.

Recommendations

Sanitize CRLF sequences from user-supplied input when the data is being passed to an entity that may incorrectly interpret it.
For more detail, see CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection').

Issue Code

message.setFrom(new InternetAddress(validSenderStr.toString()));

Fixed Code

message.setFrom(new InternetAddress(ESAPI.encoder().encodeForHTML(validSenderStr.toString())));

Explanation

In the example above, "validSenderStr" is input that can come from anywhere in the application and may contain a CRLF sequence. The fix passes it through the encodeForHTML method, which encodes the user data for use in HTML using HTML entity encoding, so the value is encoded before it reaches the mail API.

Note that the following characters (hex code points) cannot be used in HTML: 00-08, 0B-0C, 0E-1F, and 7F-9F.
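The check a reviewer would want next to the encoder call, as an added example that is not code from the post: a small helper that detects CR/LF/NUL in a user-supplied sender value, either neutralizes it or refuses it, and then parses the address strictly. The class name, method names and the sample inputs are assumptions; it only relies on JavaMail's javax.mail.internet.InternetAddress.

```java
import java.util.regex.Pattern;
import javax.mail.internet.AddressException;
import javax.mail.internet.InternetAddress;

/** Added example (hypothetical helper, not from the post): keep CRLF out of line-delimited protocols. */
public final class CrlfSafeHeader {

    // CR, LF and NUL are the characters that let one header value turn into two lines or records.
    private static final Pattern LINE_DELIMITERS = Pattern.compile("[\\r\\n\\x00]");

    /** Returns true when the value contains a character an SMTP or FTP parser treats as a delimiter. */
    public static boolean containsLineDelimiter(String value) {
        return value != null && LINE_DELIMITERS.matcher(value).find();
    }

    /** Sanitizing variant: collapse any CR/LF/NUL into a single space so no new line can start. */
    public static String neutralize(String value) {
        if (value == null) {
            return "";
        }
        return LINE_DELIMITERS.matcher(value).replaceAll(" ").trim();
    }

    /** Fail-closed variant: refuse the input instead of repairing it, then parse strictly and validate. */
    public static InternetAddress strictSender(String userInput) throws AddressException {
        if (containsLineDelimiter(userInput)) {
            throw new AddressException("sender value contains CR/LF/NUL, refusing to build the header");
        }
        InternetAddress sender = new InternetAddress(userInput, true); // strict RFC 822 parsing
        sender.validate();                                             // rejects malformed addresses
        return sender;
    }

    public static void main(String[] args) throws AddressException {
        String clean = "alice@example.com";                  // constructed sample input
        String tainted = "alice@example.com\r\nsecond-line"; // constructed sample with an embedded CRLF

        System.out.println("clean has delimiter:   " + containsLineDelimiter(clean));
        System.out.println("tainted has delimiter: " + containsLineDelimiter(tainted));
        System.out.println("neutralized:           " + neutralize(tainted));

        strictSender(clean); // accepted
        try {
            strictSender(tainted);
        } catch (AddressException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Wire it in as message.setFrom(CrlfSafeHeader.strictSender(validSenderStr.toString())) alongside the encoder call; neutralize() suits other header fields or FTP command arguments where the request must not fail outright.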
