This code:
InternetAddress[] myAdrs = getAdrs(message.getToAddresses());
for (int i = 0; i < myAdrs.length; i++) {
    String s = myAdrs[i].getAddress();
    // Strip raw and URL-encoded CR/LF characters from the address.
    s = s.replace("\r", "").replace("\n", "")
         .replace("%0A", "").replace("%0a", "")
         .replace("%0D", "").replace("%0d", "");
    // strict = false: JavaMail does not apply its own RFC 822 syntax checks here.
    InternetAddress adr = new InternetAddress(s, false);
    // --> Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE ID 93)
    lMessage.addRecipient(Message.RecipientType.TO, adr);
}
still gives me the CWE ID 93 although I removed any unwanted strings in s with s = s.replace("\r", ...). In the examples I found on the web the s = s.replace should be the solution, but I still have this flaw. What do I miss? Any hints would be very appreciated!
I faced such situations when Veracode doesn't accept handmade solutions like the usage of StringEscapeUtils and simple replace methods. Try the ESAPI library. Veracode usually accepts ESAPI as a trusted tool to defeat vulnerabilities. For example:
And put a regex to test your email into validation.properties (or another file you specify in the ESAPI.properties file as Validator.ConfigurationFile=validation.properties) as the Validation.Email property. For example:
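The following is an added illustration of the approach described in this answer, not the answerer's own code: the recipient string is validated as a whole through ESAPI's Validator and rejected on failure, instead of having CR/LF sequences stripped out. It assumes the ESAPI jar and a configured ESAPI.properties are on the classpath, that the rule name "Email" resolves to the Validator.Email entry in validation.properties, and that the regex shown in the comment is the one shipped with ESAPI (check your own copy).

```java
import javax.mail.Message;
import javax.mail.MessagingException;
import javax.mail.internet.AddressException;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

public final class SafeRecipients {

    // Adds each address to the message only after ESAPI has accepted it.
    // "Email" names the Validator.Email rule in validation.properties; the
    // assumed default pattern is:
    //   Validator.Email=^[A-Za-z0-9._%'-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$
    // CR, LF and "%0A"-style sequences fall outside that character class, so
    // such input fails validation as a whole rather than being silently edited.
    public static void addValidatedRecipients(MimeMessage lMessage, String[] rawAddresses)
            throws MessagingException {
        for (String raw : rawAddresses) {
            String clean;
            try {
                // arguments: context, input, validation rule, max length, allowNull
                clean = ESAPI.validator().getValidInput("toAddress", raw, "Email", 254, false);
            } catch (ValidationException | IntrusionException e) {
                // Fail closed: never add a partially cleaned address to the header.
                throw new AddressException("Rejected recipient address: " + e.getMessage());
            }
            // strict = true makes JavaMail apply its RFC 822 syntax checks as well.
            InternetAddress adr = new InternetAddress(clean, true);
            adr.validate();
            lMessage.addRecipient(Message.RecipientType.TO, adr);
        }
    }
}
```

Because the value reaching addRecipient now comes from a validator call rather than a chain of replace() calls, the scanner can trace it to a recognized sanitizer instead of flagging the header write.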