java-json-tools / json-schema-validator

A JSON Schema validation implementation in pure Java, which aims for correctness and performance, in that order
http://json-schema-validator.herokuapp.com/

Wrong Mail API artifact is used #258

Open highsource opened 6 years ago

highsource commented 6 years ago

json-schema-validator currently uses the invalid Mail API artifact javax.mail:mailapi:1.4.3. Mail API has group id and artifact id javax.mail:javax.mail-api. Would it be possible to upgrade to something like javax.mail:javax.mail-api:1.4.4?

elreydetodo commented 6 years ago

Better question, can we remove the dependency on mailapi outright? Why does my json schema validation need to be able to send an email as a result of the validation operation? Seems like that's a layer someone should throw on top of it, not a part of the core library functionality.

atkawa7 commented 6 years ago

@huggsboson +1

romabaz commented 6 years ago

As I understand, this javax.mail is used in only a single place here: https://github.com/java-json-tools/json-schema-validator/blob/master/src/main/java/com/github/fge/jsonschema/format/common/EmailAttribute.java#L65

```java
try {
    // strict=true: InternetAddress parses the value against RFC 822 syntax
    new InternetAddress(value, true);
} catch (AddressException ignored) {
    report.error(newMsg(data, bundle, "err.format.invalidEmail")
        .putArgument("value", value));
}
```

However, javax.mail has a known vulnerability that is usually detected by Sonatype Scan: https://cwe.mitre.org/data/definitions/200.html

mail - Message-Id leaks current user/hostname of the Java process

Is it really necessary to use the whole library with a known vulnerability for such a simple operation as email validation? Or, at least, upgrade the library version to the latest one.
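The thread's point is that the entire javax.mail artifact is pulled in for one syntactic check. The following is an added example, not code from the json-schema-validator project, showing what a dependency-free replacement for that single `new InternetAddress(value, true)` call could look like. The class name `EmailFormatCheck`, the method `isValidEmail` and the sample inputs are all assumptions made here; the rules implemented (dot-atom local part per RFC 5322, hostname-style domain labels, RFC 5321 length limits) are deliberately conservative and are not claimed to be bit-for-bit equivalent to `InternetAddress` strict parsing.

```java
import java.util.regex.Pattern;

/**
 * Hypothetical dependency-free email format check (added example, not the
 * project's EmailAttribute). Accepts the common "dot-atom@hostname" shape and
 * rejects quoted local parts, comments and address literals, which keeps the
 * parser small and free of javax.mail.
 */
public final class EmailFormatCheck {

    // RFC 5322 atext characters, joined by single dots (dot-atom form).
    private static final String ATEXT = "[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+";
    private static final Pattern LOCAL_PART =
        Pattern.compile(ATEXT + "(?:\\." + ATEXT + ")*");

    // One DNS label: alphanumerics and hyphens, no leading/trailing hyphen, max 63 chars.
    private static final Pattern DOMAIN_LABEL =
        Pattern.compile("[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?");

    private EmailFormatCheck() {}

    /** Returns true when the value is a syntactically plausible mailbox address. */
    public static boolean isValidEmail(String value) {
        // RFC 5321: a path is limited to 254 octets in practice.
        if (value == null || value.isEmpty() || value.length() > 254) {
            return false;
        }
        // The local part may itself contain '@' only inside quotes, which we
        // do not support, so the last '@' is the separator.
        int at = value.lastIndexOf('@');
        if (at <= 0 || at == value.length() - 1) {
            return false;
        }
        String local = value.substring(0, at);
        String domain = value.substring(at + 1);

        // RFC 5321: local part at most 64 octets.
        if (local.length() > 64 || !LOCAL_PART.matcher(local).matches()) {
            return false;
        }
        // Domain: at most 253 octets, no empty labels (so no leading/trailing dot).
        if (domain.length() > 253) {
            return false;
        }
        for (String label : domain.split("\\.", -1)) {
            if (!DOMAIN_LABEL.matcher(label).matches()) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample inputs for demonstration only.
        String[] samples = {
            "alice@example.com",        // valid
            "first.last+tag@sub.example.org", // valid
            "user@localhost",           // valid: single-label domain accepted
            "@example.com",             // invalid: empty local part
            "alice@",                   // invalid: empty domain
            "alice@@example.com",       // invalid: '@' not allowed in dot-atom local part
            "alice@-example.com",       // invalid: label starts with hyphen
            "alice@example..com",       // invalid: empty label
            "alice@example.com."        // invalid: trailing dot yields empty label
        };
        for (String s : samples) {
            System.out.printf("%-36s -> %s%n", s, isValidEmail(s) ? "valid" : "invalid");
        }
    }
}
```

Wired into a format attribute, a `false` result would take the place of the `AddressException` branch and raise `err.format.invalidEmail` as before. The trade-off is explicit: a few addresses that `InternetAddress` accepts (quoted local parts, `[1.2.3.4]` literals) are rejected here, in exchange for dropping a transitive dependency whose only use was this check.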