Scala Unsafe Parameter Tampering
Description
Detects unsafe handling of email recipients in Scala web applications where user-controlled HTTP parameters could be used directly in email recipient settings. This could allow attackers to manipulate email destinations by tampering with request parameters, potentially leading to unauthorized email redirection.
Detection Strategy
• Check if Java/Jakarta mail (InternetAddress) and servlet (HttpServletRequest) libraries are imported in the codebase
• Look for calls to setRecipient or setRecipients methods on MimeMessage objects
• Determine if the recipient argument comes from unsafe user input like HTTP parameters
• Report a vulnerability if email recipient values are set using unvalidated user input from HTTP requests
Vulnerable code example
import javax.servlet.http.HttpServletRequest
import javax.mail.Message
import javax.mail.Session
import javax.mail.Transport
import javax.mail.internet.InternetAddress
import javax.mail.internet.MimeMessage
def sendEmail(req: HttpServletRequest): Unit = {...
✅ Secure code example
import javax.servlet.http.HttpServletRequest
import javax.mail.Message
import javax.mail.Session
import javax.mail.Transport
import javax.mail.internet.InternetAddress
import javax.mail.internet.MimeMessage
def sendEmail(req: HttpServletRequest): Unit = {...
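The bodies above are elided on the page, so the following is an added Scala example written for this description; it is not the page's own code and not Fluid Attacks' rule implementation. It shows the pattern the rule flags (a request parameter flowing straight into setRecipient on a MimeMessage) next to a hardened version that parses the value strictly and only accepts it when it matches a server-side allowlist. The parameter name "to", the sender address, the allowlisted addresses and the Either-based error signalling are all assumptions; the javax.mail namespace is used, but the same code applies to jakarta.mail with the imports renamed.

```scala
import java.util.Properties
import javax.mail.{Message, Session, Transport}
import javax.mail.internet.{AddressException, InternetAddress, MimeMessage}
import javax.servlet.http.HttpServletRequest

object RecipientTampering {
  // Session from empty properties; a real deployment configures the SMTP host here.
  private val session: Session = Session.getInstance(new Properties())

  // VULNERABLE: the "to" parameter (assumed name) flows directly into setRecipient,
  // so whoever crafts the request chooses where the message is delivered.
  def sendEmailVulnerable(req: HttpServletRequest): Unit = {
    val msg = new MimeMessage(session)
    msg.setFrom(new InternetAddress("noreply@example.com")) // constructed sender
    msg.setRecipient(Message.RecipientType.TO, new InternetAddress(req.getParameter("to")))
    msg.setSubject("Your report")
    msg.setText("Your report is ready.")
    Transport.send(msg)
  }

  // Hypothetical allowlist of destinations this endpoint may mail. In a real
  // application this is usually the authenticated user's own verified address,
  // looked up server-side from the session rather than read from the request.
  private val allowedRecipients: Set[String] =
    Set("support@example.com", "billing@example.com")

  // Parse strictly, then accept the address only if it is on the allowlist.
  // Returns None for anything empty, malformed, or not permitted.
  def resolveRecipient(requested: String): Option[InternetAddress] = {
    val parsed: Option[InternetAddress] =
      try {
        val addr = new InternetAddress(requested, true) // strict = true rejects loose syntax
        addr.validate()                                 // throws AddressException if invalid
        Some(addr)
      } catch {
        case _: AddressException => None
      }
    parsed.filter(a => allowedRecipients.contains(a.getAddress.toLowerCase))
  }

  // SECURE: the request only names a choice; the server decides whether it is valid.
  def sendEmailSecure(req: HttpServletRequest): Either[String, Unit] = {
    val requested = Option(req.getParameter("to")).getOrElse("")
    resolveRecipient(requested) match {
      case None =>
        // Worth logging: a rejected recipient on this endpoint is a tampering signal.
        Left("recipient not permitted")
      case Some(to) =>
        val msg = new MimeMessage(session)
        msg.setFrom(new InternetAddress("noreply@example.com"))
        msg.setRecipient(Message.RecipientType.TO, to)
        msg.setSubject("Your report")
        msg.setText("Your report is ready.")
        Transport.send(msg)
        Right(())
    }
  }
}
```

Strict parsing alone is not the fix: a well-formed attacker-chosen address is still attacker-chosen. The property that matters is that the final recipient is determined by server-side state (an allowlist, or the address stored for the authenticated account), which is also what makes the rule's third step, "does the recipient argument come from HTTP parameters", the right question for a static check to ask.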