kirito-kun
Reputation: 11
Veracode flaw CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
I've been working on a veracode flaw which I believe has already been fixed since we are already doing an Encode.forJava. But it is still being scanned as a flaw. Can someone please help me if I missed something? Here is the code snippet:
InternetAddress[] addressCC = { new InternetAddress(Encode.forJava(strCc)) };
msg.setRecipients(Message.RecipientType.CC, addressCC);
Thank you so much for you help.
Upvotes: 1
Views: 1442
Answers (1)
splashout
Reputation: 553
Don't use the plural form method setRecipients().
Instead:
If you only have one email address to add you can use this:
msg.setRecipient(Message.RecipientType.CC, new InternetAddress(Encode.forJava(address)));
If you need to add multiple addresses you can call addRecipient() multiple times like this:
for (String address: recipients) {
msg.addRecipient(Message.RecipientType.TO, new InternetAddress(Encode.forJava(address)));
}
Upvotes: 1
Related Questions
- How to fix Trust Boundary Violation flaw in Java Web application
- OS Command Injection (CWE ID 78) (1 flaw) Java code
- How can i change this code to be vulnerable of CRLF injection?
- Security flaws in code with veracode tool
- CloudLoggerFactory's Sanitized Logger shows CRLF Injection vulnerability in Veracode Scan
- security flaw - veracode report - crlf injection
- Java security vulnerability OS Injection Veracode
- Trust Boundary Violation - Veracode flaw
- How to fix the Veracode Flaw: CWE-489: Leftover Debug Code?
- How to resolve CWE 117 Issue