Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)

Improper Neutralization of CRLF Sequences ('CRLF Injection')

The product uses CRLF (carriage return line feed) as a special element, e.g. to separate headers or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

CRLF injection can be used to inject malicious headers in HTTP responses (HTTP response splitting), forge log entries, or manipulate other protocols that use CRLF as a delimiter.

보급률

보통

3개 언어 지원

영향

높음

3개의 높은 심각도 규칙

예방

문서화됨

3개의 수정 예시

2 예방

이 취약점을 수정하는 방법

3개의 Shoulder 탐지 규칙을 기반으로 한 CRLF Injection 예방 전략.

🐹 Go 모두 보기 Go 자세히 →

Email Header Injection HIGH

Validate email addresses and reject input containing CRLF characters

+29 -9 go

  package main
  
  import (
-     "net/http"
-     "net/smtp"
- )
- 
- func handler(w http.ResponseWriter, r *http.Request) {
-     to := r.FormValue("to")
-     subject := r.FormValue("subject")
-     // Vulnerable: user input in email headers without validation
-     msg := []byte("To: " + to + "\r\nSubject: " + subject + "\r\n\r\nBody")
+     "errors"
+     "net/http"
+     "net/mail"
+     "net/smtp"
+     "strings"
+ )
+ 
+ func sanitizeHeader(s string) (string, error) {
+     if strings.ContainsAny(s, "\r\n") {
+         return "", errors.New("invalid characters in header")
+     }
+     return s, nil
+ }
+ 
+ func handler(w http.ResponseWriter, r *http.Request) {
+     to := r.FormValue("to")
+     subject := r.FormValue("subject")
+     // Validate email address
+     if _, err := mail.ParseAddress(to); err != nil {
+         http.Error(w, "Invalid email", 400)
+         return
+     }
+     // Reject CRLF in subject
+     safeSubject, err := sanitizeHeader(subject)
+     if err != nil {
+         http.Error(w, "Invalid subject", 400)
+         return
+     }
+     msg := []byte("To: " + to + "\r\nSubject: " + safeSubject + "\r\n\r\nBody")
      smtp.SendMail("smtp:25", nil, "[email protected]", []string{to}, msg)
  }

🟨 JavaScript 모두 보기 JavaScript 자세히 →

Email Header Injection HIGH

Validate email addresses and strip CRLF characters from header values

+10 -4 javascript

- app.post('/contact', async (req, res) => {
-   await transporter.sendMail({
-     to: req.body.email,
-     subject: req.body.subject,
+ const validator = require('validator');
+ 
+ app.post('/contact', async (req, res) => {
+   if (!validator.isEmail(req.body.email)) {
+     return res.status(400).json({ error: 'Invalid email' });
+   }
+   const safeSubject = req.body.subject.replace(/[\r\n]/g, '').slice(0, 200);
+   await transporter.sendMail({
+     to: '[email protected]',
+     subject: safeSubject,
      text: req.body.message
    });
  });

🐍 Python 모두 보기 Python 자세히 →

Email Header Injection HIGH

Strip newline characters from email headers before use

+8 -4 python

  from django.core.mail import send_mail
  
- def contact(request):
-     subject = request.POST.get('subject')
-     send_mail(
-         subject=subject,
+ def sanitize_header(value):
+     return value.replace('\r', '').replace('\n', '')
+ 
+ def contact(request):
+     subject = request.POST.get('subject', '')
+     safe_subject = sanitize_header(subject)
+     send_mail(
+         subject=safe_subject,
          message='Hello',
          from_email='[email protected]',
          recipient_list=['[email protected]']
      )

3 탐지

코드에서 취약점 찾기

Shoulder를 사용하여 코드에서 Improper Neutralization of CRLF Sequences ('CRLF Injection') 패턴을 스캔하세요. 3 규칙.

터미널

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=93

# Or scan entire project
npx @shoulderdev/cli trust .

탐지 규칙 (3)

🐹 Go 1 rules

Email Header Injection HIGH

User input flows into email headers without CRLF validation.

🟨 Javascript 1 rules

Email Header Injection HIGH

Detects email header injection vulnerabilities where user input flows into email headers (To, From, Subject, Cc, Bcc) without validation. Attackers can inject CRLF sequences (\r\n) to add arbitrary headers or body content. Attack impact: - Send spam/phishing emails via your server - Add hidden recipients (Cc/Bcc injection) - Modify email content - Bypass spam filters using your domain reputation Common vulnerable patterns: - nodemailer with user-controlled options - SendGrid/Mailgun APIs with

🔷 Typescript 1 rules

Email Header Injection HIGH

🐍 Python 1 rules

Email Header Injection HIGH

Detects user input used in email headers without newline sanitization.

4 경고 신호

코드 리뷰에서 주의할 점

이 패턴은 잠재적인 Improper Neutralization of CRLF Sequences ('CRLF Injection') 취약점을 나타냅니다. 코드 리뷰와 보안 감사 중에 찾아보세요.

🟠

email header injection vulnerabilities where user input flows into email headers (To, From, Subject, javascript-email-header-injection

🟠

user input used in email headers without newline sanitization python-email-injection

🔍

코드베이스를 스캔하세요: Improper Neutralization of CRLF Sequences ('CRLF Injection')

Shoulder CLI는 전체 코드베이스에서 취약한 패턴을 찾아냅니다.

npx shoulder trust 모든 규칙 보기