Tellier Benoit created JAMES-1734:
-------------------------------------
Summary: As an authenticated JMAP user, I can pretend to be someone else in the mails I send
Key: JAMES-1734
URL: https://issues.apache.org/jira/browse/JAMES-1734
Project: James Server
Issue Type: Bug
Components: JMAP
Affects Versions: Trunk
Reporter: Tellier Benoit
Assignee: Tellier Benoit
Fix For: Trunk
Scenario:
Bob and Alice are a happy couple. William is jealous of this. He decides to send a mail to Alice, using Bob's identity, telling her that Bob has decided to break up.
To do this, he issues a JMAP POST to the setMessages endpoint, creating the message in the outbox, and puts Bob's address in the from field.
Alice receives a mail from Bob saying they broke up. She believes it, cries all night and meets William.
Code snippet: failing test (the setMessages call succeeds and the message is delivered with the spoofed from address):
```
// RestAssured static helpers used below (RestAssured 2.x package names)
import static com.jayway.restassured.RestAssured.given;
import static com.jayway.restassured.RestAssured.with;
import com.jayway.restassured.http.ContentType;
// James classes; package names as in the James test suite of the time, adjust if they moved
import org.apache.james.jmap.JmapAuthentication;
import org.apache.james.jmap.api.access.AccessToken;
import org.apache.james.mailbox.model.MailboxConstants;

@Test
public void test() throws Exception {
    // Given: the authenticated user's "sent" mailbox and the two accounts of the scenario
    jmapServer.serverProbe().createMailbox(MailboxConstants.USER_NAMESPACE, username, "sent");
    jmapServer.serverProbe().addUser("[email protected]", "1234");
    jmapServer.serverProbe().addUser("[email protected]", "1234");

    // setMessages request: the authenticated user (William) claims Bob's address in "from"
    String requestBody = "[" +
        "  [" +
        "    \"setMessages\"," +
        "    {" +
        "      \"create\": { \"user|inbox|1\" : {" +
        "        \"from\": { \"email\": \"[email protected]\"}," +
        "        \"to\": [{ \"name\": \"Alice\", \"email\": \"[email protected]\"}]," +
        "        \"cc\": [{ \"name\": \"ALICE\"}]," +
        "        \"subject\": \"Alice, I break up with you !\"," +
        "        \"textBody\": \"In this mail [email protected] pretends to be [email protected], and takes advantage of it\"," +
        "        \"mailboxIds\": [\"" + getOutboxId() + "\"]" +
        "      }}" +
        "    }," +
        "    \"#0\"" +
        "  ]" +
        "]";

    // When: William submits the message to the outbox with his own access token
    given()
        .accept(ContentType.JSON)
        .contentType(ContentType.JSON)
        .header("Authorization", accessToken.serialize())
        .body(requestBody)
    .when()
        .post("/jmap")
        .prettyPeek();

    // Then: authenticate as the recipient and list what landed in her inbox
    AccessToken recipientAccessToken = JmapAuthentication.authenticateJamesUser("[email protected]", "1234");
    Thread.sleep(10000); // crude wait for the mail to be delivered to the recipient's INBOX
    with()
        .accept(ContentType.JSON)
        .contentType(ContentType.JSON)
        .header("Authorization", recipientAccessToken.serialize())
        .body("[[\"getMessageList\", {\"fetchMessages\":true, \"fetchMessageProperties\":[\"from\", \"subject\", \"textBody\"]}, \"#0\"]]")
    .when()
        .post("/jmap")
        .prettyPeek();
}
```
JMAP responses:
William (the setMessages call is accepted; note that the server also filled the sender header from the request's from address):
```
[
  [
    "messagesSet",
    {
      "accountId": null,
      "oldState": null,
      "newState": null,
      "created": {
        "user|inbox|1": {
          "id": "[email protected]|outbox|1",
          "blobId": "1",
          "threadId": "[email protected]|outbox|1",
          "mailboxIds": [
            "cf265170-1299-11e6-9382-c5a352d114a2"
          ],
          "inReplyToMessageId": null,
          "isUnread": false,
          "isFlagged": false,
          "isAnswered": false,
          "isDraft": false,
          "hasAttachment": false,
          "headers": {
            "cc": " ",
            "date": "Thu, 5 May 2016 15:17:29 +0700",
            "bcc": " ",
            "sender": "[email protected]",
            "subject": "Alice, I break up with you !",
            "message-id": "user|inbox|1",
            "from": "[email protected]",
            "to": "Alice <[email protected]>",
            "reply-to": " "
          },
          "from": {
            "name": "[email protected]",
            "email": "[email protected]"
          },
          "to": [
            {
              "name": "Alice",
              "email": "[email protected]"
            }
          ],
          "cc": [],
          "bcc": [],
          "replyTo": [],
          "subject": "Alice, I break up with you !",
          "date": "2016-05-05T08:17:29.974Z",
          "size": 297,
          "preview": "In this mail [email protected] pretends to be [email protected], and takes advantage of it",
          "textBody": "In this mail [email protected] pretends to be [email protected], and takes advantage of it",
          "htmlBody": null,
          "attachments": [],
          "attachedMessages": {}
        }
      },
      "updated": [],
      "destroyed": [],
      "notCreated": {},
      "notUpdated": {},
      "notDestroyed": {}
    },
    "#0"
  ]
]
```
Alice (the message is in her INBOX with the spoofed from address):
```
[
  [
    "messageList",
    {
      "accountId": null,
      "filter": null,
      "sort": [],
      "collapseThreads": false,
      "state": null,
      "canCalculateUpdates": false,
      "position": 0,
      "total": 0,
      "threadIds": [],
      "messageIds": [
        "[email protected]|INBOX|1"
      ]
    },
    "#0"
  ],
  [
    "messages",
    {
      "notFound": [],
      "list": [
        {
          "id": "[email protected]|INBOX|1",
          "from": {
            "name": "[email protected]",
            "email": "[email protected]"
          },
          "subject": "Alice, I break up with you !",
          "textBody": "In this mail [email protected] pretends to be [email protected], and takes advantage of it"
        }
      ]
    },
    "#0"
  ]
]
```
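The server-side check that closes this hole is to compare the from address of every message created in the outbox against the identity the JMAP session was authenticated as, and to answer with a notCreated entry instead of accepting it. The following is an added example written for this report, not James code: it assumes the setMessages create object has already been parsed into a Map, that the account's permitted alias list is supplied by the caller, that the SetError type name invalidProperties fits the response shape, and it uses constructed example.test addresses in place of the report's users.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

/**
 * Added example, not James code: refuse a setMessages "create" whose From
 * address is not one the authenticated account is allowed to send as.
 */
public final class FromAddressValidator {

    /** SetError type placed in the messagesSet "notCreated" map (assumed to match JMAP's naming). */
    public static final String ERROR_TYPE = "invalidProperties";

    private FromAddressValidator() {}

    /**
     * @param authenticatedUser the username the JMAP session was authenticated as
     * @param aliases           other addresses this account may legitimately send as (may be empty)
     * @param create            one entry of the setMessages "create" object, parsed into a Map
     * @return empty if the From address is acceptable, otherwise the reason for rejecting it
     */
    public static Optional<String> rejectionReason(String authenticatedUser, Set<String> aliases,
                                                   Map<String, Object> create) {
        Object from = create.get("from");
        if (!(from instanceof Map)) {
            return Optional.of("'from' is missing or not an object");
        }
        Object email = ((Map<?, ?>) from).get("email");
        if (!(email instanceof String) || ((String) email).trim().isEmpty()) {
            return Optional.of("'from.email' is missing");
        }
        String claimed = normalize((String) email);
        if (claimed.equals(normalize(authenticatedUser))) {
            return Optional.empty();
        }
        for (String alias : aliases) {
            if (claimed.equals(normalize(alias))) {
                return Optional.empty();
            }
        }
        return Optional.of("user " + authenticatedUser + " is not allowed to send as " + email);
    }

    /** Builds the "notCreated" entry the server returns instead of accepting the message. */
    public static Map<String, Object> notCreatedEntry(String reason) {
        Map<String, Object> error = new LinkedHashMap<>();
        error.put("type", ERROR_TYPE);
        error.put("properties", Collections.singletonList("from"));
        error.put("description", reason);
        return error;
    }

    /** Reduces "Bob <bob@example.test>" to "bob@example.test" and lower-cases it for comparison. */
    private static String normalize(String address) {
        String bare = address.trim();
        int lt = bare.indexOf('<');
        int gt = bare.lastIndexOf('>');
        if (lt >= 0 && gt > lt) {
            bare = bare.substring(lt + 1, gt).trim();
        }
        return bare.toLowerCase(Locale.ROOT);
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for the report's users.
        String william = "william@example.test";
        String bob = "bob@example.test";
        Set<String> noAliases = Collections.emptySet();

        // William, authenticated as himself, claims Bob's address: must be refused.
        Map<String, Object> spoofed = new HashMap<>();
        spoofed.put("from", Collections.singletonMap("email", bob));
        spoofed.put("subject", "Alice, I break up with you !");
        Optional<String> spoofedResult = rejectionReason(william, noAliases, spoofed);
        System.out.println("spoofed request -> " + spoofedResult.map(FromAddressValidator::notCreatedEntry).orElse(null));

        // William sending as himself, even with a display name and different case: accepted.
        Map<String, Object> honest = new HashMap<>();
        honest.put("from", Collections.singletonMap("email", "William <" + william.toUpperCase(Locale.ROOT) + ">"));
        Optional<String> honestResult = rejectionReason(william, noAliases, honest);
        System.out.println("honest request rejected? " + honestResult.isPresent());
    }
}
```

The check belongs before the message is written to the outbox, since delivery is triggered from there. A server may also choose to fill in a missing from (and the sender header that the response above shows James populating from the request) from the authenticated identity rather than rejecting, but in no case should a client-supplied address outside the account's own identities reach the outgoing mail.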