Last post Dec 17, 2019 04:29 AM by KathyW
Dec 17, 2019 02:30 AM | amendoza29
Good day everyone,
I have a method/function that sends an email message to the user, but the problem is that it's a low finding in Veracode Greenlight and in the Veracode source code review. It's been a month since I started looking for a solution on this, and I've found out that
if you have an HTML body and you are replacing it with data, it becomes a risk, but if it's a plain HTML body without replacing any of the text, it's fine. Does anyone have a solution on this? See my code below.
Imports System
Imports System.IO
Imports System.Net.Mail
Imports System.Text
Imports System.Web
Imports System.Web.Hosting

Dim objMailMsg As MailMessage = New MailMessage("email@example.com", "firstname.lastname@example.org")
Dim readFile As String = ""
' tempFile is computed but never used; HostingEnvironment.MapPath below resolves the same file
Dim tempFile As String = HttpContext.Current.Server.MapPath("~/HTML/EmailNotif1.html")
Using strREader As StreamReader = New StreamReader(HostingEnvironment.MapPath("~/HTML/EmailNotif1.html"))
    readFile = strREader.ReadToEnd
End Using
Dim myString As String = readFile
' Bare words in the HTML template are replaced with transaction data (no encoding is applied)
myString = myString.Replace("TransacID", GetTransactionID)
myString = myString.Replace("EmailMessage", GetMessage)
myString = myString.Replace("CreatedBy", GetName)
myString = myString.Replace("DateCreated", Date.Now.ToString())
Using objSMPTClient As SmtpClient = New SmtpClient
    objMailMsg.BodyEncoding = Encoding.UTF8
    objMailMsg.Subject = "Transaction Notification"
    objMailMsg.Body = myString
    objMailMsg.Priority = MailPriority.High
    objMailMsg.IsBodyHtml = True
    objSMPTClient.EnableSsl = False
    objSMPTClient.Send(objMailMsg)   ' send call is not shown in the original post
End Using
Dec 17, 2019 04:29 AM | KathyW
"Great question, this flaw is concerned with sensitive information. The analysis engine sees the information originating from a sensitive source, and in your case it is most likely a config file. The
recommendation is to review whether the data is sensitive according to your company's security policies. If it is sensitive, then you should not include the information. If it is not sensitive, mark it as Mitigated by Design, and get the mitigation proposal approved
by your security team." (quoted from a Veracode employee)
"For resolving the error in C# or any language, you will need to refer to the 'Triage Flaws' view and flaw details in the Veracode Platform. The flaw details will identify what data is considered sensitive so that you
may review it. If it is sensitive, do not include it in the request. If it is not sensitive, use a mitigation to document your reasoning. Please refer to the previous reply to see a more detailed explanation."
You'll need to see which information you are sending is deemed sensitive (and why), and see if it really is. If not, explain why and ignore the error.
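Whatever label the scanner attaches to the finding, the posted code has a concrete weakness that triage alone does not address: each String.Replace splices a value straight into an HTML body with IsBodyHtml = True, so any markup inside GetMessage or GetName ends up rendered by the recipient's mail client, and a bare word such as CreatedBy is replaced wherever it happens to occur in the template. The following VB.NET module is an added example, not code from the original post or from Veracode: it fills delimited {{Name}} tokens from a dictionary, HTML-encodes every value with System.Net.WebUtility.HtmlEncode, and fails loudly on an unknown placeholder. The template string, the token syntax, the example addresses and the sample values are all constructed here for illustration; the real EmailNotif1.html would need its bare placeholders changed to the {{Name}} form.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Net
Imports System.Net.Mail
Imports System.Text
Imports System.Text.RegularExpressions

Public Module SafeEmailTemplate

    ' Replaces every {{Name}} token in the template with the matching value,
    ' HTML-encoding the value first so markup in the data cannot alter the body.
    ' An unknown placeholder throws instead of being silently left in the email.
    Public Function Fill(template As String, values As IDictionary(Of String, String)) As String
        Return Regex.Replace(template, "\{\{(\w+)\}\}",
            Function(m As Match)
                Dim key As String = m.Groups(1).Value
                Dim raw As String = Nothing
                If Not values.TryGetValue(key, raw) Then
                    Throw New KeyNotFoundException("No value supplied for placeholder " & key)
                End If
                Return WebUtility.HtmlEncode(raw)
            End Function)
    End Function

    ' Builds the MailMessage without sending it, so the body can be inspected or tested.
    Public Function BuildNotification(template As String, values As IDictionary(Of String, String)) As MailMessage
        Dim msg As New MailMessage("email@example.com", "firstname.lastname@example.org")
        msg.BodyEncoding = Encoding.UTF8
        msg.Subject = "Transaction Notification"
        msg.Body = Fill(template, values)
        msg.IsBodyHtml = True
        msg.Priority = MailPriority.High
        Return msg
    End Function

    Sub Main()
        ' Constructed template standing in for ~/HTML/EmailNotif1.html (assumption:
        ' the template uses {{Name}} tokens rather than bare words like CreatedBy).
        Dim template As String =
            "<html><body>" &
            "<p>Transaction {{TransacID}} created by {{CreatedBy}} on {{DateCreated}}</p>" &
            "<p>{{EmailMessage}}</p>" &
            "</body></html>"

        ' Constructed values; EmailMessage carries attacker-style markup to show the encoding.
        Dim values As New Dictionary(Of String, String) From {
            {"TransacID", "TX-1001"},
            {"CreatedBy", "Jane Doe"},
            {"DateCreated", Date.Now.ToString("u")},
            {"EmailMessage", "<img src=x onerror=alert(1)>Payment received"}
        }

        Dim msg As MailMessage = BuildNotification(template, values)
        Console.WriteLine(msg.Body)
        ' The message text is emitted as &lt;img src=x onerror=alert(1)&gt;Payment received,
        ' so a mail client shows it as literal text instead of interpreting the tag.
    End Sub

End Module
```

HtmlEncode is the right encoder only for values placed in element text; a value that lands inside an attribute or a URL needs attribute or URL encoding instead, so keep placeholders in text positions. Note also that encoding changes nothing about the concern KathyW describes: if the scanner's objection is that the value itself (for example something read from a config file) is sensitive, the fix is to leave it out of the mail or document why it is acceptable, not to encode it.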