PatchWork AutoFix

src/main/java/io/shiftleft/controller/AdminController.java

@@ -2,10 +2,7 @@
 
 import io.shiftleft.model.AuthToken;
 import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
 import java.io.IOException;
-import java.io.ObjectInputStream;
-import java.io.ObjectOutputStream;
 import java.nio.charset.StandardCharsets;
 import java.util.Base64;
 import javax.servlet.http.Cookie;
@@ -19,38 +16,28 @@
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 
-
-/**
- * Admin checks login
- */
 @Controller
 public class AdminController {
   private String fail = "redirect:/";
 
-  // helper
-  private boolean isAdmin(String auth)
-  {
+  private boolean isAdmin(String auth) {
     try {
-      ByteArrayInputStream bis = new ByteArrayInputStream(Base64.getDecoder().decode(auth));
-      ObjectInputStream objectInputStream = new ObjectInputStream(bis);
-      Object authToken = objectInputStream.readObject();
-      return ((AuthToken) authToken).isAdmin();
+      byte[] decodedAuth = Base64.getDecoder().decode(auth);
+      String decodedString = new String(decodedAuth, StandardCharsets.UTF_8);
+      return Boolean.parseBoolean(decodedString.split(",")[1]);
     } catch (Exception ex) {
       System.out.println(" cookie cannot be deserialized: "+ex.getMessage());
       return false;
     }
   }
 
-  //
   @RequestMapping(value = "/admin/printSecrets", method = RequestMethod.POST)
   public String doPostPrintSecrets(HttpServletResponse response, HttpServletRequest request) {
     return fail;
   }
 
-
   @RequestMapping(value = "/admin/printSecrets", method = RequestMethod.GET)
   public String doGetPrintSecrets(@CookieValue(value = "auth", defaultValue = "notset") String auth, HttpServletResponse response, HttpServletRequest request) throws Exception {
-
     if (request.getSession().getAttribute("auth") == null) {
       return fail;
     }
@@ -67,49 +54,34 @@ public String doGetPrintSecrets(@CookieValue(value = "auth", defaultValue = "not
       return null;
     } catch (IOException ex) {
       ex.printStackTrace();
-      // redirect to /
       return fail;
     }
   }
 
-  /**
-   * Handle login attempt
-   * @param auth cookie value base64 encoded
-   * @param password hardcoded value
-   * @param response -
-   * @param request -
-   * @return redirect to company numbers
-   * @throws Exception
-   */
   @RequestMapping(value = "/admin/login", method = RequestMethod.POST)
   public String doPostLogin(@CookieValue(value = "auth", defaultValue = "notset") String auth, @RequestBody String password, HttpServletResponse response, HttpServletRequest request) throws Exception {
     String succ = "redirect:/admin/printSecrets";
 
     try {
-      // no cookie no fun
       if (!auth.equals("notset")) {
         if(isAdmin(auth)) {
           request.getSession().setAttribute("auth",auth);
           return succ;
         }
       }
 
-      // split password=value
       String[] pass = password.split("=");
       if(pass.length!=2) {
         return fail;
       }
-      // compare pass
       if(pass[1] != null && pass[1].length()>0 && pass[1].equals("shiftleftsecret"))
       {
         AuthToken authToken = new AuthToken(AuthToken.ADMIN);
-        ByteArrayOutputStream bos = new ByteArrayOutputStream();
-        ObjectOutputStream oos = new ObjectOutputStream(bos);
-        oos.writeObject(authToken);
-        String cookieValue = new String(Base64.getEncoder().encode(bos.toByteArray()));
-        response.addCookie(new Cookie("auth", cookieValue ));
-
-        // cookie is lost after redirection
+        String cookieValue = Base64.getEncoder().encodeToString((authToken.getRole()+","+authToken.isAdmin()).getBytes(StandardCharsets.UTF_8));
+        Cookie authCookie = new Cookie("auth", cookieValue);
+        authCookie.setHttpOnly(true);
+        authCookie.setSecure(true);
+        response.addCookie(authCookie);
         request.getSession().setAttribute("auth",cookieValue);
 
         return succ;
@@ -119,17 +91,10 @@ public String doPostLogin(@CookieValue(value = "auth", defaultValue = "notset")
     catch (Exception ex)
     {
       ex.printStackTrace();
-      // no succ == fail
       return fail;
     }
   }
 
-  /**
-   * Same as POST but just a redirect
-   * @param response
-   * @param request
-   * @return redirect
-   */
   @RequestMapping(value = "/admin/login", method = RequestMethod.GET)
   public String doGetLogin(HttpServletResponse response, HttpServletRequest request) {
     return "redirect:/";

src/main/java/io/shiftleft/controller/AppErrorController.java

@@ -6,6 +6,7 @@
 import org.springframework.http.ResponseEntity;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.context.request.RequestAttributes;
 import org.springframework.web.context.request.ServletRequestAttributes;
@@ -18,7 +19,7 @@
  * Error controller, based on https://stackoverflow.com/questions/31134333/this-application-has-no-explicit-mapping-for-error/31838439#31838439
  */
 @Controller
-public class AppErrorController implements ErrorController{
+public class AppErrorController implements ErrorController {
 
   /**
    * Error Attributes in the Application
@@ -40,7 +41,7 @@ public AppErrorController(ErrorAttributes errorAttributes) {
    * @param request
    * @return
    */
-  @RequestMapping(value = ERROR_PATH, produces = "text/html")
+  @RequestMapping(value = ERROR_PATH, produces = "text/html", method = RequestMethod.GET)
   public ModelAndView errorHtml(HttpServletRequest request) {
     return new ModelAndView("/errors/error", getErrorAttributes(request, false));
   }
@@ -50,7 +51,7 @@ public ModelAndView errorHtml(HttpServletRequest request) {
    * @param request
    * @return
    */
-  @RequestMapping(value = ERROR_PATH)
+  @RequestMapping(value = ERROR_PATH, method = RequestMethod.GET)
   @ResponseBody
   public ResponseEntity<Map<String, Object>> error(HttpServletRequest request) {
     Map<String, Object> body = getErrorAttributes(request, getTraceParameter(request));
@@ -68,7 +69,6 @@ public String getErrorPath() {
     return ERROR_PATH;
   }
 
-
   private boolean getTraceParameter(HttpServletRequest request) {
     String parameter = request.getParameter("trace");
     if (parameter == null) {
@@ -102,4 +102,4 @@ private HttpStatus getStatus(HttpServletRequest request) {
     }
     return HttpStatus.INTERNAL_SERVER_ERROR;
   }
-}
+}

src/main/java/io/shiftleft/controller/SearchController.java

@@ -2,6 +2,7 @@
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+
 import org.springframework.expression.Expression;
 import org.springframework.expression.ExpressionParser;
 import org.springframework.expression.spel.standard.SpelExpressionParser;
@@ -10,19 +11,16 @@
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 
-
-/**
- * Search login
- */
 @Controller
 public class SearchController {
 
   @RequestMapping(value = "/search/user", method = RequestMethod.GET)
   public String doGetSearch(@RequestParam String foo, HttpServletResponse response, HttpServletRequest request) {
     java.lang.Object message = new Object();
     try {
+      String sanitizedFoo = foo.replaceAll("[^a-zA-Z0-9 ]", "");
       ExpressionParser parser = new SpelExpressionParser();
-      Expression exp = parser.parseExpression(foo);
+      Expression exp = parser.parseExpression(sanitizedFoo);
       message = (Object) exp.getValue();
     } catch (Exception ex) {
       System.out.println(ex.getMessage());

src/main/resources/config/application-aws.properties

@@ -1,3 +1,3 @@
-aws.accesskey=AKIAILQI6VLJU3HSCEQQ
-aws.secretkey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
-aws.bucket=mysaas/customerid/account/date
+aws.accesskey=${env:AWS_ACCESS_KEY_ID} 
+aws.secretkey=${env:AWS_SECRET_ACCESS_KEY}
+aws.bucket=${env:AWS_BUCKET}