ASP.NET Web API - Veracode's CWE-201: Information Exposure Through Sent Data

  • Question

  • User135423268 posted

    Good Day Everyone

    I have a method/function that sends an email message to the user, but the problem is that it's a low finding in Veracode Greenlight and in the Veracode source code review. It's been a month since I started looking for a solution to this. I've found out that if you have an HTML body and you are replacing text in it with data, it becomes a risk, but if it's a plain HTML body without replacing any of the text, it's fine. Does anyone have a solution to this? See my code below.

        Imports System
        Imports System.IO
        Imports System.Net.Mail
        Imports System.Text
        Imports System.Web.Hosting

        ' Reads the HTML template, fills in the transaction values and sends the notification.
        ' GetTransactionID, GetMessage and GetName are the application's own helpers.
        Public Sub SendTransactionNotification()

            Using objMailMsg As New MailMessage("noreply@test.com", "abm112019@gmail.com")

                ' Resolve the template under the application root.
                Dim tempFile As String = HostingEnvironment.MapPath("~/HTML/EmailNotif1.html")

                Using strReader As New StreamReader(tempFile)

                    Dim readFile As String = strReader.ReadToEnd()

                    ' Substitute the placeholder words in the template with the transaction data.
                    Dim myString As String = readFile
                    myString = myString.Replace("TransacID", GetTransactionID())
                    myString = myString.Replace("EmailMessage", GetMessage())
                    myString = myString.Replace("CreatedBy", GetName())
                    myString = myString.Replace("DateCreated", Date.Now.ToString())

                    Using objSmtpClient As New SmtpClient()

                        objMailMsg.BodyEncoding = Encoding.UTF8
                        objMailMsg.Subject = "Transaction Notification"
                        objMailMsg.Body = myString
                        objMailMsg.Priority = MailPriority.High
                        objMailMsg.IsBodyHtml = True

                        objSmtpClient.EnableSsl = False
                        objSmtpClient.Send(objMailMsg)

                    End Using

                End Using

            End Using

        End Sub

    Tuesday, December 17, 2019 2:30 AM

All replies

  • User409696431 posted

    From https://community.veracode.com/s/question/0D534000041BzqeCAC/information-exposure-through-sent-data-cwe-id-201

    "Great question, this flaw is concerned with sensitive information. The analysis engine sees the information originating from a sensitive source, and in your case it is most likely a config file. The recommendation is to review if the data is sensitive according to your company's security policies. If it is sensitive, then you should not include the information. If it is not sensitive, mark it as Mitigated by Design, and get the mitigation proposal approved by your security team." (quoted from a Veracode employee)

    And from: https://community.veracode.com/s/question/0D53400003zJoPDCA0/how-to-fix-information-exposure-through-send-data-flaw

    "For resolving the error in C# or any language, you will need to refer to the "Triage Flaws" view and flaw details in the Veracode Platform. The flaw details will identify what data is considered sensitive so that you may review it. If it is sensitive, do not include it in the request. If it is not sensitive, use a mitigation to document your reasoning. Please refer to the previous reply to see a more detailed explanation."

    You'll need to see which information you are sending is deemed sensitive (and why), and see if it really is. If not, explain why and ignore the error.

    Tuesday, December 17, 2019 4:29 AM
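The Veracode replies quoted above say the flagged data "originates from a sensitive source", most likely a config file, and that the fix is to keep such values out of the message and document the rest. As an added example, not the poster's code and not Veracode's, the VB.NET below shows that flow next to a body builder that only admits allow-listed fields and HTML-encodes each value before it goes into the HTML body. The "InternalApiHost" config key, the {{Name}} placeholder syntax, the sample template and the field values are assumptions made for this illustration; SendNotification is shown but not called from Main so the example runs without a mail server.

```vb
Imports System
Imports System.Collections.Generic
Imports System.Configuration
Imports System.Linq
Imports System.Net.Mail
Imports System.Text
Imports System.Web

' Added example, not the original poster's code. Shows the CWE-201 flow the
' Veracode reply describes (a config value reaching an outgoing message) next to
' a body builder that only accepts explicitly allowed, non-sensitive fields.
Public Module NotificationMailer

    ' Placeholder names the template may use. Anything else is rejected, so a
    ' sensitive value cannot reach the body just by calling Replace on it.
    Private ReadOnly AllowedFields As String() = {"TransacID", "EmailMessage", "CreatedBy", "DateCreated"}

    ' The pattern the scanner reports: data originating in Web.config flows into
    ' the message body. "InternalApiHost" is a hypothetical key used for illustration.
    Public Function BuildBodyWithConfigValue(template As String) As String
        Dim internalHost As String = ConfigurationManager.AppSettings("InternalApiHost")
        Return template.Replace("{{Footer}}", "Generated on " & internalHost)
    End Function

    ' Hardened builder: fixed {{Name}} delimiters (so a plain word such as CreatedBy
    ' elsewhere in the template is left alone), allow-listed field names, and HTML
    ' encoding of every substituted value so message text cannot carry markup.
    Public Function RenderBody(template As String, fields As IDictionary(Of String, String)) As String
        Dim body As String = template
        For Each kv As KeyValuePair(Of String, String) In fields
            If Not AllowedFields.Contains(kv.Key, StringComparer.Ordinal) Then
                Throw New ArgumentException("Field is not permitted in outgoing mail: " & kv.Key)
            End If
            body = body.Replace("{{" & kv.Key & "}}", HttpUtility.HtmlEncode(kv.Value))
        Next
        ' Fail closed rather than send a template with an unfilled placeholder.
        If body.Contains("{{") Then
            Throw New InvalidOperationException("Template still contains an unfilled placeholder")
        End If
        Return body
    End Function

    ' Sends an already rendered body. Kept separate so the rendering can be unit tested.
    Public Sub SendNotification(recipient As String, body As String)
        Using msg As New MailMessage("noreply@example.com", recipient)
            msg.Subject = "Transaction Notification"
            msg.BodyEncoding = Encoding.UTF8
            msg.IsBodyHtml = True
            msg.Body = body
            Using client As New SmtpClient()
                client.Send(msg)
            End Using
        End Using
    End Sub

    Sub Main()
        ' Constructed template and values standing in for the poster's EmailNotif1.html
        ' and the GetTransactionID/GetMessage/GetName helpers.
        Dim template As String =
            "<p>Transaction {{TransacID}} created by {{CreatedBy}} on {{DateCreated}}</p>" &
            "<p>{{EmailMessage}}</p>"
        Dim fields As New Dictionary(Of String, String) From {
            {"TransacID", "TX-1001"},
            {"CreatedBy", "J. Doe"},
            {"DateCreated", Date.Now.ToString("u")},
            {"EmailMessage", "<script>alert(1)</script> Your order shipped"}}

        Dim body As String = RenderBody(template, fields)
        Console.WriteLine(body)   ' the <script> text arrives encoded as &lt;script&gt;

        ' Rejected: a caller cannot add an unlisted field such as a connection string.
        Try
            RenderBody(template, New Dictionary(Of String, String) From {{"ConnectionString", "Server=db;User Id=app"}})
        Catch ex As ArgumentException
            Console.WriteLine(ex.Message)
        End Try
    End Sub
End Module
```

Two things the allow-list buys in triage: the scanner's sensitive-source flow in BuildBodyWithConfigValue is easy to spot and remove (that is the "if it is sensitive, do not include it" branch of the Veracode advice), and for the remaining fields the data that can reach the body is enumerated in one place, which is exactly what a "Mitigated by Design" note has to argue. The HTML encoding is a separate concern from CWE-201, but it addresses the poster's observation that substituting raw data into an HTML body is itself a risk.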