Improper Neutralization of CRLF Sequences ('CRLF Injection') in mail address in Java


This code:

    InternetAddress[] myAdrs = getAdrs(message.getToAddresses());
    for (int i = 0; i < myAdrs.length; i++) {
        String s = myAdrs[i].getAddress();
        s = s.replace("\r","").replace("\n","").replace("%0A","").replace("%0a","").replace("%0D","").replace("%0d","");
        InternetAddress adr = new InternetAddress( s, false );
        // --> Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE ID 93)
        lMessage.addRecipient(Message.RecipientType.TO, adr);
    }

still gives me the CWE ID 93 although I removed any unwanted strings in s with s=s.replace(\r.... In the examples I found on the web the s=s.replace should be the solution, but I still have this flaw? What do I miss? Any hints would be very much appreciated!


I faced such situations when Veracode doesn't accept handmade solutions like the usage of StringEscapeUtils and simple replace methods. Try the ESAPI library. Veracode usually accepts ESAPI as a trusted tool to defeat vulnerabilities. For example:

    import org.owasp.esapi.ESAPI;
    import org.owasp.esapi.errors.ValidationException;

    // need to handle ValidationException (thrown when the input fails the "Email" rule)
    String s = ESAPI.validator().getValidInput("User Email", myAdrs[i].getAddress(), "Email", 255, true);
    InternetAddress adr = new InternetAddress( s, false );

And put a regex to test your email into validation.properties (or another file you specify in the ESAPI.properties file as Validator.ConfigurationFile=validation.properties) as the Validator.Email property. For example:

    Validator.Email=^[A-Za-z0-9._%'-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,6}$
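An added example, not taken from the question or the answer, showing the ESAPI route end to end: every recipient is run through the "Email" rule (the Validator.Email regex above) and then parsed strictly by JavaMail, and anything that fails is dropped rather than "cleaned". It assumes ESAPI 2.x and JavaMail on the classpath; the class name, the "Recipient address" context label and the sample input are my own.

```java
import java.util.ArrayList;
import java.util.List;

import javax.mail.internet.AddressException;
import javax.mail.internet.InternetAddress;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

public final class RecipientValidator {

    /**
     * Returns only the addresses that match the Validator.Email regex and
     * parse as a strict RFC 822 address. A value carrying CR/LF (raw or
     * percent-encoded) fails the regex and never reaches addRecipient().
     */
    public static List<InternetAddress> validRecipients(List<String> rawAddresses) {
        List<InternetAddress> accepted = new ArrayList<>();
        for (String raw : rawAddresses) {
            try {
                // ESAPI canonicalizes first (so %0A / %0D are decoded) and
                // then whitelists the result against the "Email" rule.
                String s = ESAPI.validator().getValidInput(
                        "Recipient address", raw, "Email", 254, false);
                // strict=true: JavaMail enforces RFC 822 syntax as a second check
                // (the question used false, which is more lenient).
                accepted.add(new InternetAddress(s, true));
            } catch (ValidationException e) {
                // Rejected by the whitelist regex: log and drop, do not repair.
                System.err.println("Rejected recipient: " + e.getLogMessage());
            } catch (IntrusionException e) {
                // Unchecked; ESAPI raises it when canonicalization detects
                // multiple or mixed encodings, a classic filter-evasion sign.
                System.err.println("Suspicious encoding in recipient: " + e.getLogMessage());
            } catch (AddressException e) {
                System.err.println("Unparseable recipient: " + e.getMessage());
            }
        }
        return accepted;
    }

    public static void main(String[] args) {
        // Constructed sample: one clean address, one carrying an injected header line.
        List<String> sample = List.of(
                "alice@example.com",
                "bob@example.com\r\nBcc: eve@example.com");
        System.out.println(validRecipients(sample).size() + " address(es) accepted");
    }
}
```

With the regex above in validation.properties, the first address is accepted and the second is rejected with a ValidationException, so only one recipient is returned.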