
Improper Neutralization of CRLF Sequences ('CRLF Injection')

🛡️ Detected by 3 rules

The product uses CRLF (carriage return line feed) as a special element, e.g. to separate headers or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

CRLF injection can be used to inject malicious headers in HTTP responses (HTTP response splitting), forge log entries, or manipulate other protocols that use CRLF as a delimiter.
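A hardened header builder in Go, added here as an example (it is not Shoulder's rule code and not one of the fix examples on this page): every user-supplied header value is rejected if it contains CR, LF or any other control character, and only the address that `net/mail` parsed and normalized is written into the message. The names `safeHeaderValue` and `buildMail` and the sample inputs are constructed for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
)

// ErrBadHeader is returned when a header value could start a new header line.
var ErrBadHeader = errors.New("header value contains line-break or control characters")

// safeHeaderValue accepts a header value only if it cannot split the header block.
// It rejects CR and LF, and conservatively every other control character too,
// because some mail transfer agents treat a bare LF as a line terminator.
func safeHeaderValue(v string) (string, error) {
	for _, r := range v {
		if r == '\r' || r == '\n' || r < 0x20 || r == 0x7f {
			return "", ErrBadHeader
		}
	}
	return v, nil
}

// buildMail assembles To/Subject headers and the body from untrusted input and
// returns the message plus the envelope recipient list. The recipient is parsed
// with net/mail and only the normalized addr-spec is used, so display names or
// trailing text from the raw form value never reach the message verbatim.
func buildMail(to, subject, body string) (string, []string, error) {
	addr, err := mail.ParseAddress(to)
	if err != nil {
		return "", nil, fmt.Errorf("invalid recipient: %w", err)
	}
	rcpt, err := safeHeaderValue(addr.Address) // belt and braces on the parsed value
	if err != nil {
		return "", nil, fmt.Errorf("invalid recipient: %w", err)
	}
	subj, err := safeHeaderValue(subject)
	if err != nil {
		return "", nil, fmt.Errorf("invalid subject: %w", err)
	}
	var b strings.Builder
	b.WriteString("To: " + rcpt + "\r\n")
	b.WriteString("Subject: " + subj + "\r\n")
	b.WriteString("\r\n" + body)
	return b.String(), []string{rcpt}, nil
}

func main() {
	// Constructed inputs: a well-formed subject and one that tries to add a header.
	for _, in := range []string{"Hello", "Hi\r\nBcc: other@example.invalid"} {
		_, _, err := buildMail("Ann <ann@example.com>", in, "Body")
		fmt.Printf("subject %q -> err=%v\n", in, err)
	}
}
```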

Prevalence: covers 3 languages
Impact: 3 rules with severity High
Prevention: documented, 3 fix examples

How to fix this vulnerability

CRLF Injection prevention strategies based on 3 Shoulder detection rules.

Email Header Injection HIGH

Validate email addresses and reject input containing CRLF characters

+29 -9 go
  package main
  
  import (
-     "net/http"
-     "net/smtp"
- )
- 
- func handler(w http.ResponseWriter, r *http.Request) {
-     to := r.FormValue("to")
-     subject := r.FormValue("subject")
-     // Vulnerable: user input in email headers without validation
-     msg := []byte("To: " + to + "\r\nSubject: " + subject + "\r\n\r\nBody")
+     "errors"
+     "net/http"
+     "net/mail"
+     "net/smtp"
+     "strings"
+ )
+ 
+ func sanitizeHeader(s string) (string, error) {
+     if strings.ContainsAny(s, "\r\n") {
+         return "", errors.New("invalid characters in header")
+     }
+     return s, nil
+ }
+ 
+ func handler(w http.ResponseWriter, r *http.Request) {
+     to := r.FormValue("to")
+     subject := r.FormValue("subject")
+     // Validate email address
+     if _, err := mail.ParseAddress(to); err != nil {
+         http.Error(w, "Invalid email", 400)
+         return
+     }
+     // Reject CRLF in subject
+     safeSubject, err := sanitizeHeader(subject)
+     if err != nil {
+         http.Error(w, "Invalid subject", 400)
+         return
+     }
+     msg := []byte("To: " + to + "\r\nSubject: " + safeSubject + "\r\n\r\nBody")
      smtp.SendMail("smtp:25", nil, "[email protected]", []string{to}, msg)
  }
  
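Review bot: the validated address is never the one that gets used; after `mail.ParseAddress(to)` succeeds, the raw `to` is still written into the `To:` header and passed as the recipient, and it never goes through `sanitizeHeader`. Keep the parsed result (`addr, err := mail.ParseAddress(to)`) and use `addr.Address` in both places so only a normalized addr-spec reaches the message. The return value of `smtp.SendMail` is also discarded; check it and return an error response on failure.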
Email Header Injection HIGH

Validate email addresses and strip CRLF characters from header values

+10 -4 javascript
- app.post('/contact', async (req, res) => {
-   await transporter.sendMail({
-     to: req.body.email,
-     subject: req.body.subject,
+ const validator = require('validator');
+ 
+ app.post('/contact', async (req, res) => {
+   if (!validator.isEmail(req.body.email)) {
+     return res.status(400).json({ error: 'Invalid email' });
+   }
+   const safeSubject = req.body.subject.replace(/[\r\n]/g, '').slice(0, 200);
+   await transporter.sendMail({
+     to: '[email protected]',
+     subject: safeSubject,
      text: req.body.message
    });
  });
  
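Review bot: `req.body.subject.replace(...)` throws a TypeError when the field is absent or not a string (a JSON body can carry an array or object), and `validator.isEmail` likewise expects a string; guard both fields with a `typeof ... === 'string'` check and return 400 otherwise. `req.body.email` is now validated but unused since `to` is a fixed address; if it is meant to become `replyTo`, it needs the same CRLF strip. Stripping CR/LF silently also rewrites the user's subject; rejecting the request, as the Go example on this page does, makes the refusal visible to the caller.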
Email Header Injection HIGH

Strip newline characters from email headers before use

+8 -4 python
  from django.core.mail import send_mail
  
- def contact(request):
-     subject = request.POST.get('subject')
-     send_mail(
-         subject=subject,
+ def sanitize_header(value):
+     return value.replace('\r', '').replace('\n', '')
+ 
+ def contact(request):
+     subject = request.POST.get('subject', '')
+     safe_subject = sanitize_header(subject)
+     send_mail(
+         subject=safe_subject,
          message='Hello',
          from_email='[email protected]',
          recipient_list=['[email protected]']
      )
  
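Review bot: `sanitize_header` silently rewrites the subject instead of rejecting it, so a request that tried to inject a header is sent on with no error and nothing to alert on; returning an `HttpResponseBadRequest` when `'\r'` or `'\n'` is present in `subject` would surface the attempt. The view also never returns an `HttpResponse` after `send_mail(...)`, which Django treats as an error, so a return is still missing in both versions.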

Find vulnerabilities in your code

Scan your code for Improper Neutralization of CRLF Sequences ('CRLF Injection') patterns with Shoulder. 3 rules.

Terminal
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=93

# Or scan entire project
npx @shoulderdev/cli trust .

What to look for in code review

These patterns indicate a potential Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability. Look for them during code reviews and security audits.

🟠
email header injection vulnerabilities where user input flows into email headers (To, From, Subject, javascript-email-header-injection
🟠
user input used in email headers without newline sanitization python-email-injection
Scan your codebase: Improper Neutralization of CRLF Sequences ('CRLF Injection')

Shoulder CLI finds vulnerable patterns across your entire codebase.