james-server-dev mailing list archives

From "Tellier Benoit (JIRA)" <server-...@james.apache.org>
Subject [jira] [Created] (JAMES-1734) As an authenticated JMAP user, I can pretend to be someone else in the mails I send
Date Thu, 05 May 2016 08:27:12 GMT
Tellier Benoit created JAMES-1734:
-------------------------------------

             Summary: As an authenticated JMAP user, I can pretend to be someone else in the mails I send
                 Key: JAMES-1734
                 URL: https://issues.apache.org/jira/browse/JAMES-1734
             Project: James Server
          Issue Type: Bug
          Components: JMAP
    Affects Versions: Trunk
            Reporter: Tellier Benoit
            Assignee: Tellier Benoit
             Fix For: Trunk


Scenario:

Bob and Alice are together, a happy couple. William is jealous of this. He decides to send
a mail to Alice, with Bob's identity, to tell her Bob decided to break up.

To do this, Bob performs a JMAP POST on the setMessages endpoint for the outbox. He then uses Bob's address
in the from field.

Alice will receive a mail from Bob saying they broke up. She will believe it, cry all
night and meet William.

Code snippets: failing test:

```
    @Test
    public void test() throws Exception {
        // The JMAP session used below (accessToken) is authenticated as `username`, not as bob.
        jmapServer.serverProbe().createMailbox(MailboxConstants.USER_NAMESPACE, username, "sent");
        jmapServer.serverProbe().addUser("bob@domain.tld", "1234");
        jmapServer.serverProbe().addUser("alice@domain.tld", "1234");

        // setMessages create request whose "from" names bob although the caller is `username`
        String requestBody = "[" +
            "  [" +
            "    \"setMessages\"," +
            "    {" +
            "      \"create\": { \"user|inbox|1\" : {" +
            "        \"from\": { \"email\": \"bob@domain.tld\"}," +
            "        \"to\": [{ \"name\": \"Alice\", \"email\": \"alice@domain.tld\"}]," +
            "        \"cc\": [{ \"name\": \"ALICE\"}]," +
            "        \"subject\": \"Alice, I break up with you !\"," +
            "        \"textBody\": \"In this mail username@domain.tld pretends to be user1@domain.tld, and takes advantage of it\"," +
            "        \"mailboxIds\": [\"" + getOutboxId() + "\"]" +
            "      }}" +
            "    }," +
            "    \"#0\"" +
            "  ]" +
            "]";

        // Given: the message is created in the outbox of the authenticated user
        given()
            .accept(ContentType.JSON)
            .contentType(ContentType.JSON)
            .header("Authorization", accessToken.serialize())
            .body(requestBody)
            // When
            .when()
            .post("/jmap")
            .prettyPeek();

        // Then: authenticate as alice and list what she received
        AccessToken user2AccessToken = JmapAuthentication.authenticateJamesUser("alice@domain.tld", "1234");

        // Leave time for the outbox to be processed and the mail delivered
        Thread.sleep(10000);

        with()
            .accept(ContentType.JSON)
            .contentType(ContentType.JSON)
            .header("Authorization", user2AccessToken.serialize())
            .body("[[\"getMessageList\", {\"fetchMessages\":true, \"fetchMessageProperties\":[\"from\", \"subject\", \"textBody\"]}, \"#0\"]]")
            .when()
            .post("/jmap")
            .prettyPeek();
    }
```

JMAP responses:

William:

```
[
    [
        "messagesSet",
        {
            "accountId": null,
            "oldState": null,
            "newState": null,
            "created": {
                "user|inbox|1": {
                    "id": "username@domain.tld|outbox|1",
                    "blobId": "1",
                    "threadId": "username@domain.tld|outbox|1",
                    "mailboxIds": [
                        "cf265170-1299-11e6-9382-c5a352d114a2"
                    ],
                    "inReplyToMessageId": null,
                    "isUnread": false,
                    "isFlagged": false,
                    "isAnswered": false,
                    "isDraft": false,
                    "hasAttachment": false,
                    "headers": {
                        "cc": " ",
                        "date": "Thu, 5 May 2016 15:17:29 +0700",
                        "bcc": " ",
                        "sender": "bob@domain.tld",
                        "subject": "Alice, I break up with you !",
                        "message-id": "user|inbox|1",
                        "from": "bob@domain.tld",
                        "to": "Alice <alice@domain.tld>",
                        "reply-to": " "
                    },
                    "from": {
                        "name": "bob@domain.tld",
                        "email": "bob@domain.tld"
                    },
                    "to": [
                        {
                            "name": "Alice",
                            "email": "alice@domain.tld"
                        }
                    ],
                    "cc": [
                        
                    ],
                    "bcc": [
                        
                    ],
                    "replyTo": [
                        
                    ],
                    "subject": "Alice, I break up with you !",
                    "date": "2016-05-05T08:17:29.974Z",
                    "size": 297,
                    "preview": "In this mail username@domain.tld pretends to be user1@domain.tld, and takes advantage of it",
                    "textBody": "In this mail username@domain.tld pretends to be user1@domain.tld, and takes advantage of it",
                    "htmlBody": null,
                    "attachments": [
                        
                    ],
                    "attachedMessages": {
                        
                    }
                }
            },
            "updated": [
                
            ],
            "destroyed": [
                
            ],
            "notCreated": {
                
            },
            "notUpdated": {
                
            },
            "notDestroyed": {
                
            }
        },
        "#0"
    ]
]
```

Alice:

```
[
    [
        "messageList",
        {
            "accountId": null,
            "filter": null,
            "sort": [
                
            ],
            "collapseThreads": false,
            "state": null,
            "canCalculateUpdates": false,
            "position": 0,
            "total": 0,
            "threadIds": [
                
            ],
            "messageIds": [
                "alice@domain.tld|INBOX|1"
            ]
        },
        "#0"
    ],
    [
        "messages",
        {
            "notFound": [
                
            ],
            "list": [
                {
                    "id": "alice@domain.tld|INBOX|1",
                    "from": {
                        "name": "bob@domain.tld",
                        "email": "bob@domain.tld"
                    },
                    "subject": "Alice, I break up with you !",
                    "textBody": "In this mail username@domain.tld pretends to be user1@domain.tld, and takes advantage of it"
                }
            ]
        },
        "#0"
    ]
]
```



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
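The server-side check the report calls for, as an added example that is not James code: before a setMessages create is accepted, the `from` address is compared with the authenticated user and mismatches are reported under `notCreated` instead of being sent. The request body is constructed from the failing test above; the error shape (`type`/`properties`/`description`) and the defaulting of a missing `from` are assumptions of this example.

```python
import json

# Constructed setMessages call mirroring the failing test: the caller is
# username@domain.tld but the "from" property names bob.
REQUEST_BODY = json.dumps([[
    "setMessages",
    {"create": {"user|inbox|1": {
        "from": {"email": "bob@domain.tld"},
        "to": [{"name": "Alice", "email": "alice@domain.tld"}],
        "subject": "Alice, I break up with you !",
        "textBody": "constructed body",
        "mailboxIds": ["outbox-id-placeholder"]}}},
    "#0"]])

# Same call without any "from" property (constructed).
REQUEST_WITHOUT_FROM = json.dumps([[
    "setMessages",
    {"create": {"user|inbox|2": {
        "to": [{"email": "alice@domain.tld"}],
        "subject": "no from given",
        "mailboxIds": ["outbox-id-placeholder"]}}},
    "#0"]])


def check_from_header(request_body, authenticated_user):
    """Split the create entries of every setMessages call into accepted
    messages and notCreated errors, based on the "from" address.

    Comparison is case-insensitive on the whole address (assumption).
    """
    accepted, not_created = {}, {}
    for name, args, _call_id in json.loads(request_body):
        if name != "setMessages":
            continue
        for creation_id, message in args.get("create", {}).items():
            sender = message.get("from")
            if sender is None:
                # No "from": stamp the authenticated user rather than reject.
                accepted[creation_id] = dict(message, from_={"email": authenticated_user})
                accepted[creation_id]["from"] = accepted[creation_id].pop("from_")
                continue
            if sender.get("email", "").lower() != authenticated_user.lower():
                not_created[creation_id] = {
                    "type": "invalidProperties",
                    "properties": ["from"],
                    "description": "from must be " + authenticated_user}
                continue
            accepted[creation_id] = message
    return accepted, not_created
```

A deployment that supports aliases would extend the comparison to the set of addresses the authenticated user owns rather than the single login address.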
