
Golang : Add Email Content Injection query #100

Closed
porcupineyhairs opened this issue May 21, 2020 · 1 comment
@porcupineyhairs porcupineyhairs commented May 21, 2020

CVE

The final version of this query has not been tested against all lgtm projects.
However, a run of a draft version of the query against all lgtm databases found two alerts, both of them valid. I haven't reported them yet. Hence, I am not listing them here.

Report

Using untrusted input to construct an email can cause multiple security
vulnerabilities. For instance, inclusion of an untrusted input in an email body
may allow an attacker to conduct Cross Site Scripting (XSS) attacks, while
inclusion of an HTTP header may allow a full account compromise as shown in the
example below.

```go
import (
	"net/http"
	"net/smtp"
)

func mail(w http.ResponseWriter, r *http.Request) {
	host := r.Header.Get("Host") // untrusted: the Host header is supplied by the client
	token := backend.getUserSecretResetToken(email) // backend and email are assumed to exist in the surrounding code
	body := "Click to reset password: " + host + "/" + token
	smtp.SendMail("test.test", nil, "from@from.com", nil, []byte(body))
}
```

This query detects instances where untrusted content is written to an email. It models Go's net/smtp library as well as the Sendgrid library (581 stars).

I also include library-tests, query-tests and qhelp files along with well documented code.

Link to the now merged PR: github/codeql-go#108
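Added example (not code from the issue, the PR or the CodeQL query): the pattern from the issue beside a hardened form that builds the reset link from an operator-configured origin instead of the Host header, and rejects user-supplied values carrying CR/LF before they reach an email body or header. `baseURL`, `safeRecipient` and `hardenedResetBody` are assumed names.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"net/url"
	"strings"
)

// Vulnerable pattern from the issue: the reset link is built from the
// request's Host header, which the sender of the request controls.
func vulnerableResetBody(host, token string) string {
	return "Click to reset password: " + host + "/" + token
}

// baseURL is an assumed operator-configured value, never taken from the request.
var baseURL = "https://example.org"

var errUnsafeValue = errors.New("value contains CR/LF or is not a valid address")

// safeRecipient validates a user-supplied address so it can be used as an
// SMTP recipient or header value without smuggling in extra header lines.
func safeRecipient(addr string) (string, error) {
	if strings.ContainsAny(addr, "\r\n") {
		return "", errUnsafeValue
	}
	parsed, err := mail.ParseAddress(addr)
	if err != nil {
		return "", errUnsafeValue
	}
	return parsed.Address, nil
}

// hardenedResetBody builds the link from the configured origin and
// percent-encodes the token so it can only ever form one path segment.
func hardenedResetBody(token string) (string, error) {
	if strings.ContainsAny(token, "\r\n") {
		return "", errUnsafeValue
	}
	u, err := url.Parse(baseURL)
	if err != nil {
		return "", err
	}
	u.Path = "/reset/" + token
	u.RawPath = "/reset/" + url.PathEscape(token)
	return fmt.Sprintf("Click to reset password: %s", u.String()), nil
}
```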

@xcorail xcorail commented Jun 5, 2020

Created Hackerone report 892465 for bounty 221542: [66] CodeQL query to detect JNDI injections
🎉
Waiting for the author to ask for disclosure

@xcorail xcorail closed this Jun 5, 2020