codeql
False positive: email content injection
Description of the false positive
A simple, valid e-mail address inside an e-mail message triggers https://codeql.github.com/codeql-query-help/go/go-email-injection/
The rule also triggers on valid HTML, although the security model in html/template should make it safe.
Code samples
```go
package main

import ("fmt"; "net/http"; "net/smtp"; "regexp")

func SendEmailHandler(w http.ResponseWriter, r *http.Request) {
	user := r.URL.Query().Get("user")
	if m, _ := regexp.MatchString("[a-z]{3}", user); !m {
		return
	}
	// The address domain was obfuscated in the extracted page; example.com is a placeholder.
	msg := fmt.Sprintf("To: %s@example.com\r\n\r\nHello!", user)
	smtp.SendMail("", nil, "", nil, []byte(msg))
}
```
Another example where html/template takes care of escaping the HTML content.
```go
package main

import ("bytes"; "html/template"; "net/http"; "net/smtp")

var htmlTempl = template.Must(template.New("t").Parse("Message: <div>{{.}}</div>"))

func SendEmailHandler(w http.ResponseWriter, r *http.Request) {
	msg := r.URL.Query().Get("message")
	// Interpreted string literal so \r\n and \" become real line breaks and quotes in the headers.
	buf := bytes.NewBuffer([]byte("MIME-Version: 1.0\r\nContent-Type: text/html; charset=\"UTF-8\"\r\n\r\n"))
	htmlTempl.Execute(buf, msg)
	smtp.SendMail("", nil, "", nil, buf.Bytes())
}
```
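For comparison, here is a version of both samples written so that the query's concern cannot apply, added as an example and not code from the report or from CodeQL. The regex in the first sample is unanchored (`[a-z]{3}` only requires three letters somewhere in the value), so this version anchors it, which also keeps CR and LF out of the `To:` line, and formats the address through net/mail; the body still goes through html/template. The `example.com` domain, the helper names and the header layout are assumptions of this example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"html/template"
	"net/mail"
	"regexp"
	"strings"
)

// userRe is anchored: the whole value must be three or more lowercase letters,
// so a value carrying "\r" or "\n" never reaches a header line. The report's
// sample uses the unanchored "[a-z]{3}", which only requires that three
// letters occur somewhere in the string.
var userRe = regexp.MustCompile(`^[a-z]{3,}$`)

// mailDomain is a placeholder (assumption); the sample's real domain is not on the page.
const mailDomain = "example.com"

// ToHeader validates the user-supplied local part and returns a To: header
// line. net/mail quotes the local part when needed and never emits CR or LF.
func ToHeader(user string) (string, error) {
	if !userRe.MatchString(user) {
		return "", errors.New("user must be lowercase letters only")
	}
	addr := mail.Address{Address: user + "@" + mailDomain}
	return "To: " + addr.String() + "\r\n", nil
}

var htmlTempl = template.Must(template.New("t").Parse("Message: <div>{{.}}</div>"))

// HTMLBody renders the message through html/template, which escapes markup
// characters in the value so they are inert text in the mail body.
func HTMLBody(msg string) (string, error) {
	var buf bytes.Buffer
	if err := htmlTempl.Execute(&buf, msg); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// BuildMessage assembles headers, the blank separator line and the escaped
// HTML body into a complete message ready for smtp.SendMail.
func BuildMessage(user, msg string) ([]byte, error) {
	to, err := ToHeader(user)
	if err != nil {
		return nil, err
	}
	body, err := HTMLBody(msg)
	if err != nil {
		return nil, err
	}
	var b strings.Builder
	b.WriteString(to)
	b.WriteString("MIME-Version: 1.0\r\n")
	b.WriteString("Content-Type: text/html; charset=\"UTF-8\"\r\n")
	b.WriteString("\r\n")
	b.WriteString(body)
	return []byte(b.String()), nil
}

func main() {
	// Constructed inputs: a valid user and a message containing markup.
	msg, err := BuildMessage("alice", "<b>hi</b>")
	if err != nil {
		panic(err)
	}
	fmt.Printf("%q\n", msg)
	// A value with a line break is rejected before any header is built.
	_, err = BuildMessage("abc\r\nx", "hi")
	fmt.Println("line break in user rejected:", err != nil)
}
```

The two checks are independent: the anchored regex plus net/mail formatting protects the header section, and html/template protects the body, which is the property the report says the query does not recognise.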
Thank you for this false positive report. Resolving this issue is not a current product priority, but we acknowledge the report and will track it internally for future consideration, or if we observe repeated instances of the same problem.