@sun-asterisk/sunlint 1.3.39 → 1.3.41

package/skill-assets/sunlint-code-quality/rules/kotlin/S004-no-log-credentials.md

@@ -0,0 +1,59 @@
+---
+title: Do Not Log Credentials Or Tokens
+impact: HIGH
+impactDescription: prevents sensitive credential exposure in monitoring systems
+tags: logging, credentials, tokens, secrets, security, kotlin
+---
+
+## Do Not Log Credentials Or Tokens
+
+Logging systems are often less protected than core databases. Credentials or tokens in logs can be harvested by attackers or accidentally exposed to unauthorized personnel.
+
+**Incorrect (logging sensitive data):**
+
+```kotlin
+// Logging passwords
+logger.info("Login attempt for user: {}, password: {}", user.username, user.password) // NEVER!
+
+// Logging full request headers
+logger.debug("Request headers: {}", request.headers)
+// Authorization header contains Bearer tokens!
+
+// Logging raw request body
+logger.info("Incoming request body: {}", request.body())
+// May contain passwords, credit card numbers, or PII
+```
+
+**Correct (sanitized logging):**
+
+```kotlin
+// Omit sensitive fields
+logger.info("Login attempt for user: {}", user.username)
+
+// Sanitize or mask headers
+val safeHeaders = request.headers.toMutableMap().mapValues { (key, value) ->
+    if (key.equals("Authorization", ignoreCase = true) || key.equals("Cookie", ignoreCase = true)) {
+        "[REDACTED]"
+    } else {
+        value
+    }
+}
+logger.debug("Request headers: {}", safeHeaders)
+
+// Use a data sanitizer for objects
+fun sanitize(data: Map<String, Any?>): Map<String, Any?> {
+    val sensitiveKeys = setOf("password", "token", "secret", "credit_card", "cvv")
+    return data.mapValues { (key, value) ->
+        if (sensitiveKeys.any { key.contains(it, ignoreCase = true) }) "[REDACTED]" else value
+    }
+}
+```
+
+**Sensitive Data strictly forbidden in logs:**
+- Passwords (raw or encrypted).
+- Authentication tokens (JWT, OAuth tokens, API Keys).
+- Session IDs and Cookies.
+- Payment information (Credit Card, CVV).
+- Personal IDs (SSN, National ID).
+
+**Tools:** Logback mask pattern, SonarQube, Manual Security Audit, Sentry Data Scrubbing

package/skill-assets/sunlint-code-quality/rules/kotlin/S005-server-authorization.md

@@ -0,0 +1,75 @@
+---
+title: Enforce Authorization At Trusted Service Layer
+impact: CRITICAL
+impactDescription: prevents unauthorized access to protected resources and data
+tags: authorization, rbac, abac, security, access-control, kotlin
+---
+
+## Enforce Authorization At Trusted Service Layer
+
+Client-side checks are purely for UI/UX and can be trivially bypassed. Every request reaching the server must be authenticated and authorized against the required permissions in a trusted environment.
+
+**Incorrect (trusting client state):**
+
+```kotlin
+// Relying on a hidden field or value sent from client
+@PostMapping("/user/update")
+fun update(@RequestBody req: UpdateRequest): String {
+    // req.isAdmin is provided by the client's form!
+    if (req.isAdmin) {
+        db.updatePermissions(req.userId)
+    }
+    return "ok"
+}
+
+// Insecure check in a Controller without proper security context
+@DeleteMapping("/post/{id}")
+fun delete(@PathVariable id: String) {
+    // No check if 'current user' owns this 'post'
+    postService.delete(id)
+}
+```
+
+**Correct (server-side authorization):**
+
+```kotlin
+// Using Spring Security with Method Security
+@PreAuthorize("hasRole('ADMIN')")
+@DeleteMapping("/users/{id}")
+fun deleteUser(@PathVariable id: String) {
+    userService.delete(id)
+}
+
+// Data-level authorization (checking ownership)
+@PutMapping("/posts/{id}")
+fun updatePost(@PathVariable id: String, @RequestBody data: PostData) {
+    val post = postService.findById(id) ?: throw NotFoundException()
+    val currentUser = SecurityContextHolder.getContext().authentication.name
+    
+    // Check ownership at the server layer
+    if (post.author != currentUser && !isAdmin(currentUser)) {
+        throw AccessDeniedException("You do not own this post")
+    }
+    
+    postService.update(id, data)
+}
+
+// Ktor Authentication/Authorization
+route("/admin") {
+    install(Authorization) {
+        check {
+            val user = call.principal<UserPrincipal>()
+            user?.roles?.contains("ADMIN") ?: false
+        }
+    }
+    get("/dashboard") { /* handle admin request */ }
+}
+```
+
+**Never trust for Authorization:**
+- Client-side Boolean flags (e.g., `user.isAdmin`).
+- Parameters like `?role=admin` in the URL.
+- Unsigned or unvalidated JWT claims from local storage.
+- The existence of a "secret" URL (Security by Obscurity).
+
+**Tools:** Spring Security, Ktor Auth, Shiro, OPA (Open Policy Agent), Manual Security Review

package/skill-assets/sunlint-code-quality/rules/kotlin/S006-default-credentials.md

@@ -0,0 +1,49 @@
+---
+title: Do Not Use Default Credentials
+impact: CRITICAL
+impactDescription: prevents trivial unauthorized access via publicly known default accounts
+tags: credentials, default, passwords, configuration, security, kotlin
+---
+
+## Do Not Use Default Credentials
+
+Default credentials (e.g., `admin/admin`, `root/root`) are the first thing an attacker or automated bot will try. Using them effectively leaves your system wide open.
+
+**Incorrect (default or common credentials in config):**
+
+```kotlin
+// application.properties
+spring.datasource.username=postgres
+spring.datasource.password=postgres # DEFAULT!
+
+// Hardcoded in code
+val defaultAdminUser = "admin"
+val defaultAdminPass = "admin" // CRITICAL!
+```
+
+**Correct (environment-based secrets):**
+
+```kotlin
+// In application.properties, use environment variables
+// spring.datasource.password=${DB_PASSWORD}
+
+// In Kotlin code, ensure no fallback to defaults
+val dbPassword = System.getenv("DB_PASSWORD") ?: throw IllegalStateException("DB_PASSWORD must be provided")
+
+// For development, use a local, git-ignored file (e.g., .env)
+// Never commit these to version control.
+```
+
+**Commonly Blocked Defaults:**
+- `admin / admin`
+- `root / root` or `root / <empty>`
+- `postgres / postgres`
+- `sa / <empty>` (Common for SQL Server)
+- `guest / guest`
+
+**Security Best Practices:**
+- Force users to change default passwords on first login.
+- Disable default system accounts if not strictly needed.
+- Use CI/CD to scan for common password patterns in configuration files.
+
+**Tools:** Gitleaks, CI/CD Secret Scanning, Manual Review, SonarQube

package/skill-assets/sunlint-code-quality/rules/kotlin/S007-output-encoding.md

@@ -0,0 +1,62 @@
+---
+title: Output Encoding Before Interpreter Use
+impact: HIGH
+impactDescription: prevents Cross-Site Scripting (XSS) and other injection attacks
+tags: xss, encoding, output, html, security, kotlin
+---
+
+## Output Encoding Before Interpreter Use
+
+Cross-Site Scripting (XSS) and other injection attacks occur when unescaped user data is sent back to the browser and interpreted as code. All output must be encoded based on the context in which it will be used (HTML, URL, JavaScript).
+
+**Incorrect (no encoding):**
+
+```kotlin
+// XSS vulnerability in Ktor
+get("/greet") {
+    val name = call.parameters["name"]
+    call.respondText("<h1>Hello, $name</h1>", ContentType.Text.Html) // XSS!
+}
+
+// Thymeleaf - using utext (unescaped text) with user input
+// <div th:utext="${userInput}"></div>
+```
+
+**Correct (context-aware encoding):**
+
+```kotlin
+// Thymeleaf - use th:text (automatically escapes HTML)
+// <div th:text="${userInput}"></div>
+
+// Using a library like OWASP Java Encoder
+import org.owasp.encoder.Encode
+
+val safeHtml = Encode.forHtml(untrustedInput)
+val safeAttr = Encode.forHtmlAttribute(untrustedInput)
+val safeJs = Encode.forJavaScript(untrustedInput)
+
+// Ktor - Using HTML DSL (automatically escapes)
+call.respondHtml {
+    body {
+        h1 { +"Hello, $name" } // "+" operator escapes content
+    }
+}
+
+// Sanitizing HTML when you MUST allow some tags
+val sanitizer = HtmlPolicyBuilder()
+    .allowElements("b", "i", "u")
+    .toFactory()
+val cleanHtml = sanitizer.sanitize(untrustedHtml)
+```
+
+**Encoding by Context:**
+
+| Context | Purpose | Recommended Encoder |
+|---------|---------|---------------------|
+| HTML Body | `<div>...</div>` | `Encode.forHtml()` |
+| HTML Attribute | `<div title="...">` | `Encode.forHtmlAttribute()` |
+| URL Parameter | `?q=...` | `URLEncoder.encode(s, "UTF-8")` |
+| JavaScript | `var x = '...';` | `Encode.forJavaScript()` |
+| CSS | `color: ...` | `Encode.forCssString()` |
+
+**Tools:** OWASP Java Encoder, HTML Sanitizer (Guava), SonarQube (S5131)

package/skill-assets/sunlint-code-quality/rules/kotlin/S009-approved-crypto.md

@@ -0,0 +1,51 @@
+---
+title: Use Only Approved Crypto Algorithms
+impact: MEDIUM
+impactDescription: ensures cryptographic strength and protects against known attacks
+tags: cryptography, algorithms, hashing, encryption, security, kotlin
+---
+
+## Use Only Approved Crypto Algorithms
+
+Weak cryptographic algorithms (MD5, SHA1, DES) or insecure modes (ECB) have known vulnerabilities and can be broken with modern hardware. Using them puts data at risk of decryption or collision attacks.
+
+**Incorrect (weak or deprecated algorithms):**
+
+```kotlin
+// WEAK hash (MD5/SHA1)
+val md = MessageDigest.getInstance("MD5")
+val hash = md.digest(password.toByteArray())
+
+// WEAK encryption mode (ECB mode is insecure)
+val cipher = Cipher.getInstance("AES/ECB/PKCS5Padding")
+
+// WEAK algorithm
+val desCipher = Cipher.getInstance("DES")
+```
+
+**Correct (approved strong algorithms):**
+
+```kotlin
+// STRONG hash for integrity
+val digest = MessageDigest.getInstance("SHA-256")
+val hash = digest.digest(data.toByteArray())
+
+// STRONG authenticated encryption (GCM mode)
+val cipher = Cipher.getInstance("AES/GCM/NoPadding")
+val spec = GCMParameterSpec(128, iv)
+cipher.init(Cipher.ENCRYPT_MODE, secretKey, spec)
+
+// For passwords - use specialized libraries like BCrypt or Argon2 (via Spring Security or Ktor)
+val hashedPassword = BCrypt.withDefaults().hashToString(12, password.toCharArray())
+val isMatched = BCrypt.verifyer().verify(password.toCharArray(), hashedPassword).verified
+```
+
+**Approved vs Prohibited:**
+
+| Purpose | Approved | Prohibited |
+|---------|----------|------------|
+| General Hashing | SHA-256, SHA-512, SHA-3 | MD5, SHA-1 |
+| Data Encryption | AES-GCM (256-bit) | DES, 3DES, AES-ECB |
+| Password Hashing | Argon2id, bcrypt (cost >= 12) | SHA-*, plain AES, MD5 |
+
+**Tools:** SonarQube (S2070, S4790), Semgrep, detekt (WeakCrypto)

package/skill-assets/sunlint-code-quality/rules/kotlin/S010-csprng.md

@@ -0,0 +1,61 @@
+---
+title: Use CSPRNG For Security Purposes
+impact: HIGH
+impactDescription: prevents predictable tokens, session hijacking, and brute-force attacks
+tags: random, csprng, tokens, session, cryptography, security, kotlin
+---
+
+## Use CSPRNG For Security Purposes
+
+Standard pseudo-random number generators (PRNGs) like `java.util.Random` are predictable. If used for security purposes (sessions, tokens, passwords), an attacker can predict future values by observing previous ones. Cryptographically Secure Pseudo-Random Number Generators (CSPRNG) must be used instead.
+
+**Incorrect (predictable random):**
+
+```kotlin
+// INSECURE - predictable!
+val sessionId = Random().nextLong().toString(16)
+
+// INSECURE - based on timestamp and weak random
+val resetToken = "${System.currentTimeMillis()}-${Random().nextInt()}"
+
+// INSECURE - Math.random()
+val otp = (Math.random() * 1000000).toInt().toString()
+```
+
+**Correct (cryptographically secure):**
+
+```kotlin
+import java.security.SecureRandom
+import java.util.Base64
+
+// Cryptographically secure random source
+val secureRandom = SecureRandom()
+
+// Secure session ID or token
+val bytes = ByteArray(32)
+secureRandom.nextBytes(bytes)
+val sessionId = Base64.getUrlEncoder().encodeToString(bytes) // 256-bit entropy
+
+// Secure OTP generation
+fun generateOTP(length: Int = 6): String {
+    val secureRandom = SecureRandom()
+    val stringBuilder = StringBuilder()
+    repeat(length) {
+        stringBuilder.append(secureRandom.nextInt(10))
+    }
+    return stringBuilder.toString()
+}
+
+// Secure UUID v4 (random-based)
+val token = java.util.UUID.randomUUID().toString()
+```
+
+**CSPRNG in JVM/Kotlin:**
+
+| Source | Security Level | Purpose |
+|--------|----------------|---------|
+| `java.security.SecureRandom` | **High (CSPRNG)** | Security tokens, salts, keys |
+| `java.util.Random` | Low (PRNG) | Simulations, low-priority sorting |
+| `kotlin.random.Random` | Low (PRNG) | General non-security logic |
+
+**Tools:** SonarQube (S2245), detekt (InsecureRandom), Manual Review

package/skill-assets/sunlint-code-quality/rules/kotlin/S011-encrypted-client-hello.md

@@ -0,0 +1,48 @@
+---
+title: Enable Encrypted Client Hello (ECH)
+impact: MEDIUM
+impactDescription: protects Server Name Indication (SNI) from eavesdropping and prevents leaking the visited website to the network
+tags: tls, ech, sni, privacy, security, kotlin
+---
+
+## Enable Encrypted Client Hello (ECH)
+
+Encrypted Client Hello (ECH) is a TLS extension that encrypts the entire `ClientHello` message during the handshake. This protects the Server Name Indication (SNI), which otherwise would allow network observers (ISPs, public Wi-Fi operators) to see which specific domain you are connecting to.
+
+**About ECH:**
+ECH solves the privacy problem where, even with HTTPS, the name of the website you are visiting is sent in plain text (SNI) during the initial connection setup.
+
+**Implementation (Server-side via Nginx/Infrastructure):**
+
+Kotlin backend applications usually sit behind a reverse proxy like Nginx or a Cloud Load Balancer that handles TLS.
+
+```nginx
+# Nginx with ECH support (requires a build with ECH support)
+ssl_ech on;
+ssl_ech_key /etc/nginx/certs/ech_private.key;
+ssl_ech_config_list /etc/nginx/certs/ech_configs.list;
+```
+
+**DNS Configuration:**
+ECH requires an `HTTPS` DNS record to contain the public key used for encrypting the `ClientHello`.
+
+```text
+# Example HTTPS DNS record
+_https.example.com. IN HTTPS 1 . alpn="h2,h3" ipv4hint=1.2.3.4 ech="<base64_encoded_config>"
+```
+
+**Client-side (Kotlin/JVM Environment):**
+Current JVM TLS implementations and typical libraries (OkHttp, Ktor Client) depend on the underlying JVM provider. Security providers like Bouncy Castle or newer Java versions are adding support for modern TLS extensions.
+
+```kotlin
+// Ensure TLS 1.3 is enabled, as ECH is a TLS 1.3 extension
+val client = OkHttpClient.Builder()
+    .connectionSpecs(listOf(ConnectionSpec.RESTRICTED_TLS)) // Enforces TLS 1.3
+    .build()
+```
+
+**Benefits:**
+- **Privacy:** Prevents network metadata leaks.
+- **Security:** Reduces the effectiveness of censorship and site-specific traffic fingerprinting.
+
+**Tools:** Cloudflare (supports ECH), Nginx with ECH, DNS HTTPS records, SSLLabs

package/skill-assets/sunlint-code-quality/rules/kotlin/S012-secrets-management.md

@@ -0,0 +1,53 @@
+---
+title: Use Secrets Management For Backend Secrets
+impact: CRITICAL
+impactDescription: centralizes and secures sensitive credential storage and access control
+tags: secrets, vault, credentials, configuration, security, kotlin
+---
+
+## Use Secrets Management For Backend Secrets
+
+Sensitive credentials should never reside in plain text within source code or configuration files. Use a dedicated secrets management system to centralize, audit, and rotate credentials securely.
+
+**Incorrect (hardcoded or plain environment exposure):**
+
+```kotlin
+// Hardcoded in code
+const val API_KEY = "sk-live-123456"
+
+// application.yml committed to git with real secrets
+database:
+  password: "production_password_123"
+```
+
+**Correct (automated secrets management):**
+
+```kotlin
+// Using a cloud-native Secrets Manager (AWS / GCP / Azure)
+val dbPassword = secretsClient.getSecret("prod/db/password")
+
+// Using Kubernetes Secrets integration
+// In Spring Boot, these are often mapped to properties automatically:
+@Value("\${db.password}")
+private lateinit var dbPasswordFromSecret: String
+
+// Using Spring Cloud Vault
+// Secrets are retrieved automatically on startup from HashiCorp Vault
+
+// Environment validation
+val stripeKey = System.getenv("STRIPE_KEY") 
+    ?: throw IllegalStateException("Required secret STRIPE_KEY is missing")
+```
+
+**Secrets Management Hierarchy:**
+1.  **Vaults:** (Best) HashiCorp Vault, AWS/GCP/Azure Secret Managers.
+2.  **Orchestrator Secrets:** Kubernetes Secrets, Docker Secrets.
+3.  **Environment Variables:** Scalable but requires careful process isolation.
+4.  **Local Env Files:** Only for local development, must be `.gitignore`d.
+
+**Crucial Steps:**
+- Enable Secret Rotation.
+- Use Least Privilege for secret access.
+- Audit logs to monitor who/what accessed which secret.
+
+**Tools:** HashiCorp Vault, AWS Secrets Manager, Google Secret Manager, Spring Cloud Config

package/skill-assets/sunlint-code-quality/rules/kotlin/S013-tls-connections.md

@@ -0,0 +1,61 @@
+---
+title: Always Use TLS For All Connections
+impact: HIGH
+impactDescription: protects data in transit from eavesdropping and tampering
+tags: tls, https, encryption, transport, security, kotlin
+---
+
+## Always Use TLS For All Connections
+
+Transmitting data over unencrypted HTTP, JDBC, or Redis connections exposes sensitive information to everyone on the network path. All connections in production must use TLS 1.2 or higher.
+
+**Incorrect (unencrypted connections):**
+
+```kotlin
+// HTTP API calls
+val client = HttpClient(CIO)
+client.get("http://api.sun-asterisk.vn/users")
+
+// Unencrypted database connection
+val url = "jdbc:postgresql://db.sun-asterisk.vn:5432/mydb"
+
+// Redis without TLS
+val config = Config().apply {
+    useSingleServer().setAddress("redis://redis.sun-asterisk.vn:6379")
+}
+```
+
+**Correct (TLS/SSL everywhere):**
+
+```kotlin
+// HTTPS for all APIs
+client.get("https://api.sun-asterisk.vn/users")
+
+// TLS for Database (via JDBC parameters)
+val url = "jdbc:postgresql://db.sun-asterisk.vn:5432/mydb?ssl=true&sslmode=verify-full"
+
+// Redis with TLS
+val config = Config().apply {
+    useSingleServer().setAddress("rediss://redis.sun-asterisk.vn:6380")
+}
+
+// Ktor: Force HTTPS using HSTS
+install(HSTS) {
+    maxAgeInSeconds = 31536000 // 1 year
+    includeSubDomains = true
+}
+
+// Redirect HTTP to HTTPS in Ktor
+install(HttpsRedirect) {
+    sslPort = 443
+    permanentRedirect = true
+}
+```
+
+**Requirements:**
+- Minimum TLS version: **1.2** (Recommended: **1.3**).
+- Validate server certificates against a trusted CA (avoid `allowSelfSigned`).
+- Use `rediss://` for secure Redis.
+- Use `ssl=true` for database drivers.
+
+**Tools:** SSLyze, Qualys SSL Labs, OWASP ZAP, Manual Review

package/skill-assets/sunlint-code-quality/rules/kotlin/S016-no-sensitive-query-string.md

@@ -0,0 +1,51 @@
+---
+title: Do Not Pass Sensitive Data In Query String
+impact: HIGH
+impactDescription: prevents sensitive credential leakage in browser history, logs, and referrer headers
+tags: url, query-string, sensitive-data, leakage, security, kotlin
+---
+
+## Do Not Pass Sensitive Data In Query String
+
+URL query strings are stored in browser history, server access logs, and transmitted in `Referer` headers. Sensitive data like tokens, passwords, or PII (Personally Identifiable Information) must never be part of a URL.
+
+**Incorrect (sensitive data in URL):**
+
+```kotlin
+// Token in URL
+httpClient.get("https://api.sun-asterisk.vn/data?apiKey=$mySecretKey")
+
+// Sending sensitive PII in URL
+httpClient.get("https://api.sun-asterisk.vn/profile?email=$userEmail&phone=$phone")
+
+// Password-based login via GET
+@GetMapping("/login")
+fun login(@RequestParam pass: String) { ... }
+```
+
+**Correct (sensitive data in body or headers):**
+
+```kotlin
+// Token in Authorization Header (Stateless)
+httpClient.get("https://api.sun-asterisk.vn/data") {
+    headers {
+        append(HttpHeaders.Authorization, "Bearer $accessToken")
+    }
+}
+
+// Credentials in POST Body
+@PostMapping("/login")
+fun login(@RequestBody credentials: LoginRequest) { ... }
+
+// Sensitive search via POST session-based
+@PostMapping("/api/secure-search")
+fun secureSearch(@RequestBody query: SecureSearchRequest) { ... }
+```
+
+**Where Query Strings Leak:**
+1.  **Server Logs:** Almost all web servers (NGINX, Apache) log the full requested URL.
+2.  **Browser History:** Browser "Back" button or history allows anyone with local access to see the sensitive URL.
+3.  **Referer Headers:** If the page redirects or the user clicks a link, the URL (with tokens) is sent to the next site.
+4.  **Forward Proxies/CDNs:** Any intermediate network device may log the full URL.
+
+**Tools:** Semgrep, SonarQube (S2245), Manual Review, OWASP Secure Headers

package/skill-assets/sunlint-code-quality/rules/kotlin/S017-parameterized-queries.md

@@ -0,0 +1,41 @@
+---
+title: Always Use Parameterized Queries
+impact: CRITICAL
+impactDescription: prevents SQL and NoSQL injection attacks
+tags: injection, sql, nosql, database, parameterized, security, kotlin
+---
+
+## Always Use Parameterized Queries
+
+SQL injection is one of the top security vulnerabilities. Direct string concatenation allows attackers to execute arbitrary database commands, steal data, or destroy databases.
+
+**Incorrect (string concatenation):**
+
+```kotlin
+// SQL Injection vulnerability
+val userId = request.params["id"]
+val query = "SELECT * FROM users WHERE id = '$userId'"
+val result = connection.createStatement().executeQuery(query)
+
+// Attacker input: ' OR '1'='1
+// Resulting query: SELECT * FROM users WHERE id = '' OR '1'='1'
+// Returns ALL users!
+```
+
+**Correct (parameterized queries):**
+
+```kotlin
+// Parameterized query using PreparedStatement
+val userId = request.params["id"]
+val query = "SELECT * FROM users WHERE id = ?"
+val preparedStatement = connection.prepareStatement(query)
+preparedStatement.setString(1, userId)
+val result = preparedStatement.executeQuery()
+
+// Using an ORM or Database Library like Exposed or Spring Data JPA
+val user = transaction {
+    User.find { Users.id eq userId }.firstOrNull()
+}
+```
+
+**Tools:** SonarQube (S2077, S3649), Semgrep, CodeQL, detekt

package/skill-assets/sunlint-code-quality/rules/kotlin/S019-email-input-sanitization.md

@@ -0,0 +1,50 @@
+---
+title: Sanitize Input Before Sending Emails
+impact: MEDIUM
+impactDescription: prevents email header injection and spam abuse
+tags: email, injection, sanitization, input-validation, security, kotlin
+---
+
+## Sanitize Input Before Sending Emails
+
+Email header injection occurs when an attacker can inject CRLF (Carriage Return + Line Feed) characters into email fields (Subject, From, To, etc.). This allows them to manipulate the SMTP protocol to add their own headers (like `Bcc:` or `Cc:`) and send unauthorized spam via your server.
+
+**Incorrect (unsanitized input):**
+
+```kotlin
+// Email injection vulnerability
+val subject = request.getParameter("subject") // Attacker: "Hello\r\nBcc: spam@evil.com"
+val helper = MimeMessageHelper(message)
+helper.setSubject(subject) // Now Bcc: spam@evil.com is part of the email headers!
+```
+
+**Correct (sanitized email fields):**
+
+```kotlin
+fun sanitizeEmailHeader(input: String): String {
+    // Remove all CRLF characters to prevent header injection
+    return input.replace("[\r\n]".toRegex(), "").trim()
+}
+
+fun isValidEmail(email: String): Boolean {
+    val emailRegex = "^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,6}$".toRegex()
+    return emailRegex.matches(email) && !email.contains("\n") && !email.contains("\r")
+}
+
+@PostMapping("/api/contact")
+fun send(@RequestBody req: ContactRequest) {
+    if (!isValidEmail(req.to)) throw ValidationException("Invalid email format")
+
+    val helper = MimeMessageHelper(message)
+    helper.setTo(sanitizeEmailHeader(req.to))
+    helper.setSubject(sanitizeEmailHeader(req.subject))
+    helper.setText(req.body) // Message body is usually safe from header injection
+}
+```
+
+**Prevention Strategies:**
+- **Whitelisting:** Strictly validate email formats.
+- **Header Stripping:** Automatically strip or replace all `\r` and `\n` characters from variables that will be used in email headers.
+- **Modern Libraries:** Use high-level mailing libraries (like Spring Mail or Ktor Mail) that often perform basic sanitization, but always double-check and manually sanitize user input.
+
+**Tools:** OWASP ESAPI, Hibernate Validator (@Email), Manual Review