Email HTML Injection detection in IAST (#8205)

* Email Injection detection in IAST

---------

Co-authored-by: Alejandro González García <[email protected]>
Co-authored-by: Santiago M. Mola <[email protected]>
Co-authored-by: Mario Vidal Domínguez <[email protected]>

Author: 4 people

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/IastSystem.java

@@ -11,6 +11,7 @@
 import com.datadog.iast.securitycontrol.IastSecurityControlTransformer;
 import com.datadog.iast.sink.ApplicationModuleImpl;
 import com.datadog.iast.sink.CommandInjectionModuleImpl;
+import com.datadog.iast.sink.EmailInjectionModuleImpl;
 import com.datadog.iast.sink.HardcodedSecretModuleImpl;
 import com.datadog.iast.sink.HeaderInjectionModuleImpl;
 import com.datadog.iast.sink.HstsMissingHeaderModuleImpl;
@@ -179,7 +180,8 @@ private static Stream<IastModule> iastModules(
             HardcodedSecretModuleImpl.class,
             InsecureAuthProtocolModuleImpl.class,
             ReflectionInjectionModuleImpl.class,
-            UntrustedDeserializationModuleImpl.class);
+            UntrustedDeserializationModuleImpl.class,
+            EmailInjectionModuleImpl.class);
     if (iast != FULLY_ENABLED) {
       modules = modules.filter(IastSystem::isOptOut);
     }

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/model/VulnerabilityType.java

@@ -2,6 +2,7 @@
 
 import static com.datadog.iast.util.CRCUtils.update;
 import static datadog.trace.api.iast.VulnerabilityMarks.COMMAND_INJECTION_MARK;
+import static datadog.trace.api.iast.VulnerabilityMarks.EMAIL_HTML_INJECTION_MARK;
 import static datadog.trace.api.iast.VulnerabilityMarks.HEADER_INJECTION_MARK;
 import static datadog.trace.api.iast.VulnerabilityMarks.LDAP_INJECTION_MARK;
 import static datadog.trace.api.iast.VulnerabilityMarks.NOT_MARKED;
@@ -164,6 +165,12 @@ public interface VulnerabilityType {
           .excludedSources(Builder.DB_EXCLUDED)
           .build();
 
+  VulnerabilityType EMAIL_HTML_INJECTION =
+      type(VulnerabilityTypes.EMAIL_HTML_INJECTION)
+          .mark(EMAIL_HTML_INJECTION_MARK)
+          .excludedSources(Builder.DB_EXCLUDED)
+          .build();
+
   /* All vulnerability types that have a mark. Should be updated if new vulnerabilityType with mark is added */
   VulnerabilityType[] MARKED_VULNERABILITIES = {
     SQL_INJECTION,
@@ -177,7 +184,8 @@ public interface VulnerabilityType {
     XSS,
     HEADER_INJECTION,
     REFLECTION_INJECTION,
-    UNTRUSTED_DESERIALIZATION
+    UNTRUSTED_DESERIALIZATION,
+    EMAIL_HTML_INJECTION
   };
 
   String name();

dd-java-agent/agent-iast/src/main/java/com/datadog/iast/sink/EmailInjectionModuleImpl.java

@@ -0,0 +1,20 @@
+package com.datadog.iast.sink;
+
+import com.datadog.iast.Dependencies;
+import com.datadog.iast.model.VulnerabilityType;
+import datadog.trace.api.iast.sink.EmailInjectionModule;
+import javax.annotation.Nullable;
+
+public class EmailInjectionModuleImpl extends SinkModuleBase implements EmailInjectionModule {
+  public EmailInjectionModuleImpl(final Dependencies dependencies) {
+    super(dependencies);
+  }
+
+  @Override
+  public void onSendEmail(@Nullable final Object messageContent) {
+    if (messageContent == null) {
+      return;
+    }
+    checkInjection(VulnerabilityType.EMAIL_HTML_INJECTION, messageContent);
+  }
+}

dd-java-agent/agent-iast/src/test/groovy/com/datadog/iast/sink/EmailInjectionModuleTest.groovy

@@ -0,0 +1,47 @@
+package com.datadog.iast.sink
+
+import com.datadog.iast.IastModuleImplTestBase
+import com.datadog.iast.Reporter
+import com.datadog.iast.model.Vulnerability
+import com.datadog.iast.model.VulnerabilityType
+import com.datadog.iast.propagation.PropagationModuleImpl
+import datadog.trace.api.iast.SourceTypes
+
+class EmailInjectionModuleTest extends IastModuleImplTestBase{
+
+  private EmailInjectionModuleImpl module
+
+  def setup() {
+    module = new EmailInjectionModuleImpl(dependencies)
+  }
+
+  @Override
+  protected Reporter buildReporter() {
+    return Mock(Reporter)
+  }
+
+  def "test onSendEmail with null messageContent"() {
+    when:
+    module.onSendEmail(null)
+
+    then:
+    noExceptionThrown()
+  }
+
+  def "test onSendEmail with non-null messageContent"() {
+    given:
+    def messageContent = "test message"
+    def propagationModule = new PropagationModuleImpl()
+    propagationModule.taintObject(messageContent, SourceTypes.NONE)
+
+    when:
+    module.onSendEmail(messageContent)
+
+    then:
+    1 * reporter.report(_, _) >> { args ->
+      def vulnerability = args[1] as Vulnerability
+      vulnerability.type == VulnerabilityType.EMAIL_HTML_INJECTION &&
+        vulnerability.evidence == messageContent
+    }
+  }
+}

dd-java-agent/instrumentation/commons-lang-2/src/main/java/datadog/trace/instrumentation/commonslang/StringEscapeUtilsCallSite.java

@@ -25,7 +25,7 @@ public static String afterEscape(
     final PropagationModule module = InstrumentationBridge.PROPAGATION;
     if (module != null) {
       try {
-        module.taintStringIfTainted(result, input, false, VulnerabilityMarks.XSS_MARK);
+        module.taintStringIfTainted(result, input, false, VulnerabilityMarks.HTML_ESCAPED_MARK);
       } catch (final Throwable e) {
         module.onUnexpectedException("afterEscape threw", e);
       }

dd-java-agent/instrumentation/commons-lang-2/src/test/groovy/datadog/trace/instrumentation/commonslang/StringEscapeUtilsCallSiteTest.groovy

@@ -8,6 +8,7 @@ import groovy.transform.CompileDynamic
 
 import static datadog.trace.api.iast.VulnerabilityMarks.SQL_INJECTION_MARK
 import static datadog.trace.api.iast.VulnerabilityMarks.XSS_MARK
+import static datadog.trace.api.iast.VulnerabilityMarks.EMAIL_HTML_INJECTION_MARK
 
 @CompileDynamic
 class StringEscapeUtilsCallSiteTest extends AgentTestRunner {
@@ -27,15 +28,32 @@ class StringEscapeUtilsCallSiteTest extends AgentTestRunner {
 
     then:
     result == expected
-    1 * module.taintStringIfTainted(_ as String, args[0], false, mark)
+    1 * module.taintStringIfTainted(_ as String, args[0], false, XSS_MARK | EMAIL_HTML_INJECTION_MARK)
     0 * _
 
     where:
-    method             | args                  | mark               | expected
-    'escapeHtml'       | ['Ø-This is a quote'] | XSS_MARK           | 'Ø-This is a quote'
-    'escapeJava'       | ['Ø-This is a quote'] | XSS_MARK           | '\\u00D8-This is a quote'
-    'escapeJavaScript' | ['Ø-This is a quote'] | XSS_MARK           | '\\u00D8-This is a quote'
-    'escapeXml'        | ['Ø-This is a quote'] | XSS_MARK           | 'Ø-This is a quote'
-    'escapeSql'        | ['Ø-This is a quote'] | SQL_INJECTION_MARK | 'Ø-This is a quote'
+    method             | args                  | expected
+    'escapeHtml'       | ['Ø-This is a quote'] | 'Ø-This is a quote'
+    'escapeJava'       | ['Ø-This is a quote'] | '\\u00D8-This is a quote'
+    'escapeJavaScript' | ['Ø-This is a quote'] | '\\u00D8-This is a quote'
+    'escapeXml'        | ['Ø-This is a quote'] | 'Ø-This is a quote'
+  }
+
+  void 'test #method sql'() {
+    given:
+    final module = Mock(PropagationModule)
+    InstrumentationBridge.registerIastModule(module)
+
+    when:
+    final result = TestStringEscapeUtilsSuite.&"$method".call(args)
+
+    then:
+    result == expected
+    1 * module.taintStringIfTainted(_ as String, args[0], false, SQL_INJECTION_MARK)
+    0 * _
+
+    where:
+    method             | args                  | expected
+    'escapeSql'        | ['Ø-This is a quote'] | 'Ø-This is a quote'
   }
 }

dd-java-agent/instrumentation/commons-lang-3/src/main/java/datadog/trace/instrumentation/commonslang3/StringEscapeUtilsCallSite.java

@@ -27,7 +27,7 @@ public static String afterEscape(
     final PropagationModule module = InstrumentationBridge.PROPAGATION;
     if (module != null) {
       try {
-        module.taintStringIfTainted(result, input, false, VulnerabilityMarks.XSS_MARK);
+        module.taintStringIfTainted(result, input, false, VulnerabilityMarks.HTML_ESCAPED_MARK);
       } catch (final Throwable e) {
         module.onUnexpectedException("afterEscape threw", e);
       }

dd-java-agent/instrumentation/commons-lang-3/src/test/groovy/datadog/trace/instrumentation/commonslang3/StringEscapeUtilsCallSiteTest.groovy

@@ -25,7 +25,7 @@ class StringEscapeUtilsCallSiteTest extends AgentTestRunner {
 
     then:
     result == expected
-    1 * module.taintStringIfTainted(_ as String, args[0], false, VulnerabilityMarks.XSS_MARK)
+    1 * module.taintStringIfTainted(_ as String, args[0], false, VulnerabilityMarks.HTML_ESCAPED_MARK)
     0 * _
 
     where:

dd-java-agent/instrumentation/commons-text/src/main/java/datadog/trace/instrumentation/commonstext/StringEscapeUtilsCallSite.java

@@ -29,7 +29,7 @@ public static String afterEscape(
     final PropagationModule module = InstrumentationBridge.PROPAGATION;
     if (module != null) {
       try {
-        module.taintStringIfTainted(result, input, false, VulnerabilityMarks.XSS_MARK);
+        module.taintStringIfTainted(result, input, false, VulnerabilityMarks.HTML_ESCAPED_MARK);
       } catch (final Throwable e) {
         module.onUnexpectedException("afterEscape threw", e);
       }

dd-java-agent/instrumentation/commons-text/src/test/groovy/datadog/trace/instrumentation/commonstext/StringEscapeUtilsCallSiteTest.groovy

@@ -25,7 +25,7 @@ class StringEscapeUtilsCallSiteTest extends AgentTestRunner {
 
     then:
     result == expected
-    1 * module.taintStringIfTainted(_ as String, args[0], false, VulnerabilityMarks.XSS_MARK)
+    1 * module.taintStringIfTainted(_ as String, args[0], false, VulnerabilityMarks.HTML_ESCAPED_MARK)
     0 * _
 
     where: