Description
Description of the false positive
A simple, valid e-mail address inside an e-mail message triggers https://codeql.github.com/codeql-query-help/go/go-email-injection/
The rule also triggers on valid HTML, although the security model in html/template should make it safe.
Code samples
```go
package main
import (
	"fmt"
	"net/http"
	"net/smtp"
	"regexp"
)

func SendEmailHandler(w http.ResponseWriter, r *http.Request) {
	user := r.URL.Query().Get("user")
	if m, _ := regexp.MatchString("[a-z]{3}", user); !m {
		return
	}
	msg := fmt.Sprintf("To: %s@example.com\r\n\r\nHello!", user)
	smtp.SendMail("", nil, "", nil, []byte(msg))
}
```
Another example where html/template takes care of escaping the HTML content.
```go
package main
import (
	"bytes"
	"html/template"
	"net/http"
	"net/smtp"
)
var htmlTempl = template.Must(template.New("t").Parse("Message: <div>{{.}}</div>"))
func SendEmailHandler(w http.ResponseWriter, r *http.Request) {
	msg := r.URL.Query().Get("message")
	buf := bytes.NewBufferString("MIME-version: 1.0;\r\nContent-Type: text/html; charset=\"UTF-8\";\r\n\r\n") // real CRLF line breaks
	htmlTempl.Execute(buf, msg)
	smtp.SendMail("", nil, "", nil, buf.Bytes())
}
```