# Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93) The product uses CRLF (carriage return line feed) as a special element, e.g. to separate headers or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. - Prevalence: 보통 3개 언어 지원 - Impact: 높음 3개의 높은 심각도 규칙 - Prevention: 문서화됨 3개의 수정 예시 **OWASP:** Injection (A03:2021-Injection) - #3 ## Description CRLF injection can be used to inject malicious headers in HTTP responses (HTTP response splitting), forge log entries, or manipulate other protocols that use CRLF as a delimiter. ## Prevention 3개의 Shoulder 탐지 규칙을 기반으로 한 CRLF Injection 예방 전략. ### Go Validate email addresses and reject input containing CRLF characters ### JavaScript Validate email addresses and strip CRLF characters from header values ### Python Strip newline characters from email headers before use ## Warning Signs - [HIGH] email header injection vulnerabilities where user input flows into email headers (To, From, Subject, - [HIGH] user input used in email headers without newline sanitization ## Consequences - 애플리케이션 데이터 수정 - 승인되지 않은 코드 실행 - 활동 은폐 ## Mitigations - 헤더나 로그에 사용되는 모든 입력에서 CRLF 시퀀스를 제거하거나 인코딩하세요 - 헤더 인코딩을 자동으로 처리하는 프레임워크를 사용하세요 - 입력에 예기치 않은 제어 문자가 포함되어 있지 않은지 검증하세요 ## Detection - Total rules: 3 - Languages: go, javascript, typescript, python ## Rules by Language ### Go (1 rules) - **Email Header Injection** [HIGH]: User input flows into email headers without CRLF validation. - Remediation: Reject input containing CRLF characters and validate email addresses. ```go func sanitizeHeader(s string) (string, error) { if strings.ContainsAny(s, "\r\n") { return "", errors.New("invalid characters") } return s, nil } subject, err := sanitizeHeader(r.FormValue("subject")) if err != nil { http.Error(w, "Invalid input", 400) return } ``` Learn more: https://shoulder.dev/learn/go/cwe-93/email-header-injection ### Javascript (1 rules) - **Email Header Injection** [HIGH]: Detects email header injection vulnerabilities where user input flows into email headers (To, From, Subject, Cc, Bcc) without validation. Attackers can inject CRLF sequences (\r\n) to add arbitrary headers or body content. Attack impact: - Send spam/phishing emails via your server - Add hidden recipients (Cc/Bcc injection) - Modify email content - Bypass spam filters using your domain reputation Common vulnerable patterns: - nodemailer with user-controlled options - SendGrid/Mailgun APIs with - Remediation: Validate email addresses and remove CRLF from header values: ```javascript const validator = require('validator'); function sanitizeHeader(value) { return value.replace(/[\r\n]/g, ''); } if (!validator.isEmail(email)) { return res.status(400).json({ error: 'Invalid email' }); } const safeSubject = sanitizeHeader(subject).slice(0, 200); await transporter.sendMail({ to: 'admin@example.com', subject: `Contact: ${safeSubject}`, text: message }); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-93/email-header-injection ### Typescript (1 rules) - **Email Header Injection** [HIGH]: Detects email header injection vulnerabilities where user input flows into email headers (To, From, Subject, Cc, Bcc) without validation. Attackers can inject CRLF sequences (\r\n) to add arbitrary headers or body content. Attack impact: - Send spam/phishing emails via your server - Add hidden recipients (Cc/Bcc injection) - Modify email content - Bypass spam filters using your domain reputation Common vulnerable patterns: - nodemailer with user-controlled options - SendGrid/Mailgun APIs with - Remediation: Validate email addresses and remove CRLF from header values: ```javascript const validator = require('validator'); function sanitizeHeader(value) { return value.replace(/[\r\n]/g, ''); } if (!validator.isEmail(email)) { return res.status(400).json({ error: 'Invalid email' }); } const safeSubject = sanitizeHeader(subject).slice(0, 200); await transporter.sendMail({ to: 'admin@example.com', subject: `Contact: ${safeSubject}`, text: message }); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-93/email-header-injection ### Python (1 rules) - **Email Header Injection** [HIGH]: Detects user input used in email headers without newline sanitization. - Remediation: Remove newlines from email headers before use. ```python safe_subject = subject.replace('\r', '').replace('\n', '') ``` Learn more: https://shoulder.dev/learn/python/cwe-93/email-injection