CodeQL documentation

Insecure JavaMail SSL configuration

ID: java/insecure-smtp-ssl
Kind: problem
Security severity: 5.9
Severity: warning
Precision: medium
Tags:
   - security
   - external/cwe/cwe-297
Query suites:
   - java-security-extended.qls
   - java-security-and-quality.qls


JavaMail is commonly used in Java applications to send e-mail. Popular third-party libraries such as Apache Commons Email build on JavaMail and simplify the integration. An authenticated mail session requires user credentials, and the mail session may in turn require SSL/TLS authentication. Failing to verify host-specific certificate data, or verifying it incorrectly, is a common security flaw: if the certificate is not verified, the SSL session is vulnerable to man-in-the-middle attacks.

This query checks whether the SSL certificate is verified when credentials are used and SSL is enabled for e-mail communication.

To make it more comprehensive, this query covers both plain JavaMail calls and mail sent through Apache SimpleMail.

Recommendation

Verify the SSL certificate when sending sensitive information over e-mail.

Example

The following two examples show two ways of configuring secure e-mail, through JavaMail and through Apache SimpleMail. In the "BAD" case, credentials are sent over an SSL session without certificate verification. In the "GOOD" case, the certificate is verified.

// Example 1: plain JavaMail
import java.util.Properties;

import javax.mail.Authenticator;
import javax.mail.PasswordAuthentication;
import javax.mail.Session;

import org.apache.logging.log4j.util.PropertiesUtil;

class JavaMail {
    public static void main(String[] args) {
        // BAD: no check that the server certificate matches the host
        {
            final Properties properties = PropertiesUtil.getSystemProperties();
            properties.put("mail.transport.protocol", "protocol");
            properties.put("mail.smtp.host", "hostname");
            properties.put("mail.smtp.socketFactory.class", "classname");

            final Authenticator authenticator = buildAuthenticator("username", "password");
            if (null != authenticator) {
                properties.put("mail.smtp.auth", "true");
            }
            final Session session = Session.getInstance(properties, authenticator);
        }

        // GOOD: server certificate identity check enabled
        {
            final Properties properties = PropertiesUtil.getSystemProperties();
            properties.put("mail.transport.protocol", "protocol");
            properties.put("mail.smtp.host", "hostname");
            properties.put("mail.smtp.socketFactory.class", "classname");

            final Authenticator authenticator = buildAuthenticator("username", "password");
            if (null != authenticator) {
                properties.put("mail.smtp.auth", "true");
                properties.put("mail.smtp.ssl.checkserveridentity", "true");
            }
            final Session session = Session.getInstance(properties, authenticator);
        }
    }

    // Supplies the credentials to the session; this helper was missing from the
    // snippet and is added here so that it compiles. Returns null when no credentials
    // are given, in which case SMTP authentication is not enabled above.
    private static Authenticator buildAuthenticator(final String username, final String password) {
        if (username == null || password == null) {
            return null;
        }
        return new Authenticator() {
            @Override
            protected PasswordAuthentication getPasswordAuthentication() {
                return new PasswordAuthentication(username, password);
            }
        };
    }
}

// Example 2: Apache Commons Email (SimpleMail)
import org.apache.commons.mail.DefaultAuthenticator;
import org.apache.commons.mail.Email;
import org.apache.commons.mail.EmailException;
import org.apache.commons.mail.SimpleEmail;

class SimpleMail {
    public static void main(String[] args) throws EmailException {
        // BAD: setSSLCheckServerIdentity is not called, or is set to false
        {
            Email email = new SimpleEmail();
            email.setHostName("hostName");
            email.setSmtpPort(25);
            email.setAuthenticator(new DefaultAuthenticator("username", "password"));
            email.setSSLOnConnect(true);

            // email.setSSLCheckServerIdentity(false);
            email.setFrom("fromAddress");
            email.setSubject("subject");
            email.setMsg("body");
            email.addTo("toAddress");
            email.send();
        }

        // GOOD: setSSLCheckServerIdentity is set to true
        {
            Email email = new SimpleEmail();
            email.setHostName("hostName");
            email.setSmtpPort(25);
            email.setAuthenticator(new DefaultAuthenticator("username", "password"));
            email.setSSLOnConnect(true);

            email.setSSLCheckServerIdentity(true);
            email.setFrom("fromAddress");
            email.setSubject("subject");
            email.setMsg("body");
            email.addTo("toAddress");
            email.send();
        }
    }
}
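The following is an added example, not code from the CodeQL documentation or from the query itself. It builds a hardened JavaMail configuration and applies the same condition the query looks for (credentials plus SSL/TLS without a server identity check) before a session is created, and it also covers the STARTTLS path, where the same `checkserveridentity` property applies. The `MailSessionAudit` class is hypothetical, and treating an absent `ssl.checkserveridentity` property as "check off" is an assumption about the older JavaMail default.

```java
import java.util.Properties;

import javax.mail.Authenticator;
import javax.mail.PasswordAuthentication;
import javax.mail.Session;

/** Hypothetical helper: audits JavaMail properties before credentials are attached. */
class MailSessionAudit {

    // Same condition the query flags: credentials are sent (auth on) over SSL/TLS,
    // but the server certificate is not checked against the host name.
    // Assumption: an absent checkserveridentity property means the check is off.
    static boolean isInsecure(Properties props, String protocol) {
        String p = "mail." + protocol + ".";
        boolean auth = Boolean.parseBoolean(props.getProperty(p + "auth", "false"));
        boolean tls = Boolean.parseBoolean(props.getProperty(p + "ssl.enable", "false"))
                || Boolean.parseBoolean(props.getProperty(p + "starttls.enable", "false"))
                || props.getProperty(p + "socketFactory.class") != null;
        boolean checked = Boolean.parseBoolean(
                props.getProperty(p + "ssl.checkserveridentity", "false"));
        return auth && tls && !checked;
    }

    // Hardened configuration: STARTTLS that may not fall back to plaintext, plus
    // host name verification of the server certificate.
    static Properties hardened(String host) {
        Properties props = new Properties();
        props.put("mail.smtp.host", host);
        props.put("mail.smtp.port", "587");
        props.put("mail.smtp.auth", "true");
        props.put("mail.smtp.starttls.enable", "true");
        props.put("mail.smtp.starttls.required", "true");
        props.put("mail.smtp.ssl.checkserveridentity", "true");
        return props;
    }

    // Refuses to build a session that would send credentials without the check.
    static Session open(Properties props, final String user, final String pass) {
        if (isInsecure(props, "smtp")) {
            throw new IllegalStateException("SSL server identity check is disabled");
        }
        return Session.getInstance(props, new Authenticator() {
            @Override
            protected PasswordAuthentication getPasswordAuthentication() {
                return new PasswordAuthentication(user, pass);
            }
        });
    }
}
```

Run against the BAD properties from the page (auth enabled, a socket factory class set, no `checkserveridentity`), `isInsecure(props, "smtp")` returns true; against `hardened(host)` it returns false. For `mail.transport.protocol=smtps`, pass "smtps" so the `mail.smtps.*` keys are inspected.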
