diff --git a/src/main/java/io/shiftleft/controller/AdminController.java b/src/main/java/io/shiftleft/controller/AdminController.java index 296c26573..9e13bdb01 100644 --- a/src/main/java/io/shiftleft/controller/AdminController.java +++ b/src/main/java/io/shiftleft/controller/AdminController.java @@ -19,7 +19,6 @@ import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; - /** * Admin checks login */ @@ -34,9 +33,12 @@ private boolean isAdmin(String auth) ByteArrayInputStream bis = new ByteArrayInputStream(Base64.getDecoder().decode(auth)); ObjectInputStream objectInputStream = new ObjectInputStream(bis); Object authToken = objectInputStream.readObject(); + if (!(authToken instanceof AuthToken)) { + throw new IllegalArgumentException("Invalid object type"); + } return ((AuthToken) authToken).isAdmin(); } catch (Exception ex) { - System.out.println(" cookie cannot be deserialized: "+ex.getMessage()); + System.out.println("cookie cannot be deserialized: " + ex.getMessage()); return false; } } @@ -47,16 +49,15 @@ public String doPostPrintSecrets(HttpServletResponse response, HttpServletReques return fail; } - @RequestMapping(value = "/admin/printSecrets", method = RequestMethod.GET) public String doGetPrintSecrets(@CookieValue(value = "auth", defaultValue = "notset") String auth, HttpServletResponse response, HttpServletRequest request) throws Exception { - + if (request.getSession().getAttribute("auth") == null) { return fail; } String authToken = request.getSession().getAttribute("auth").toString(); - if(!isAdmin(authToken)) { + if (!isAdmin(authToken)) { return fail; } @@ -74,6 +75,7 @@ public String doGetPrintSecrets(@CookieValue(value = "auth", defaultValue = "not /** * Handle login attempt + * * @param auth cookie value base64 encoded * @param password hardcoded value * @param response - 
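Review bot: The new `instanceof AuthToken` guard in isAdmin runs only after `objectInputStream.readObject()` has already deserialized the attacker-controlled cookie bytes, so any gadget chain on the classpath executes before the check; it narrows the result type but does not address the untrusted deserialization the hunk seems aimed at. Install a filter before reading, e.g. `objectInputStream.setObjectInputFilter(ObjectInputFilter.Config.createFilter(AuthToken.class.getName() + ";!*"));` (`java.io.ObjectInputFilter`, Java 9+; on Java 8 subclass `ObjectInputStream` and reject every class but `AuthToken` in `resolveClass`). Note that the thrown `IllegalArgumentException` is immediately swallowed by the surrounding `catch (Exception ex)` and becomes `return false`, which is the intended outcome but means the only trace is a `System.out.println` of the message; a logger would be preferable. The opening lines of isAdmin are outside this hunk.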
@@ -88,36 +90,36 @@ public String doPostLogin(@CookieValue(value = "auth", defaultValue = "notset") try { // no cookie no fun if (!auth.equals("notset")) { - if(isAdmin(auth)) { - request.getSession().setAttribute("auth",auth); + if (isAdmin(auth)) { + request.getSession().setAttribute("auth", auth); return succ; } } // split password=value String[] pass = password.split("="); - if(pass.length!=2) { - return fail; - } - // compare pass - if(pass[1] != null && pass[1].length()>0 && pass[1].equals("shiftleftsecret")) - { + if (pass.length != 2) { + return fail; + } + // compare pass + if (pass[1] != null && pass[1].length() > 0 && pass[1].equals("shiftleftsecret")) { AuthToken authToken = new AuthToken(AuthToken.ADMIN); ByteArrayOutputStream bos = new ByteArrayOutputStream(); ObjectOutputStream oos = new ObjectOutputStream(bos); oos.writeObject(authToken); String cookieValue = new String(Base64.getEncoder().encode(bos.toByteArray())); - response.addCookie(new Cookie("auth", cookieValue )); + Cookie cookie = new Cookie("auth", cookieValue); + cookie.setHttpOnly(true); + cookie.setSecure(true); + response.addCookie(cookie); // cookie is lost after redirection - request.getSession().setAttribute("auth",cookieValue); + request.getSession().setAttribute("auth", cookieValue); return succ; } return fail; - } - catch (Exception ex) - { + } catch (Exception ex) { ex.printStackTrace(); // no succ == fail return fail; @@ -126,6 +128,7 @@ public String doPostLogin(@CookieValue(value = "auth", defaultValue = "notset") /** * Same as POST but just a redirect + * * @param response * @param request * @return redirect diff --git a/src/main/java/io/shiftleft/controller/AppErrorController.java b/src/main/java/io/shiftleft/controller/AppErrorController.java index 68f4d669f..829734007 100644 --- a/src/main/java/io/shiftleft/controller/AppErrorController.java +++ b/src/main/java/io/shiftleft/controller/AppErrorController.java 
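Review bot: Marking the cookie HttpOnly/Secure does not change that `auth` is accepted as a bearer credential with no integrity protection: the first branch, `if (!auth.equals("notset")) { if (isAdmin(auth)) { ... return succ; } }`, deserializes a client-supplied Base64 blob and grants the session admin without ever reaching the password check, so anyone who can serialize an `AuthToken(AuthToken.ADMIN)` logs in as admin. Either drop that branch and rely solely on the server-side session attribute set after password verification, or append an HMAC keyed with a server secret to the cookie and verify it with `MessageDigest.isEqual` before calling isAdmin. The password comparison `pass[1].equals("shiftleftsecret")` still compares against a hardcoded secret with a non-constant-time `equals`; move the secret to configuration and compare with `MessageDigest.isEqual(pass[1].getBytes(StandardCharsets.UTF_8), secret)`. Also note `cookie.setSecure(true)` means the browser will not send the cookie over plain HTTP, which will break local or non-TLS deployments unless TLS is terminated in front of the app. doPostLogin's signature and the start of its body sit outside this hunk.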
@@ -10,6 +10,7 @@ import org.springframework.web.context.request.RequestAttributes; import org.springframework.web.context.request.ServletRequestAttributes; import org.springframework.web.servlet.ModelAndView; +import org.springframework.web.bind.annotation.RequestMethod; import javax.servlet.http.HttpServletRequest; import java.util.Map; @@ -40,7 +41,7 @@ public AppErrorController(ErrorAttributes errorAttributes) { * @param request * @return */ - @RequestMapping(value = ERROR_PATH, produces = "text/html") + @RequestMapping(value = ERROR_PATH, produces = "text/html", method = RequestMethod.GET) public ModelAndView errorHtml(HttpServletRequest request) { return new ModelAndView("/errors/error", getErrorAttributes(request, false)); } @@ -68,7 +69,6 @@ public String getErrorPath() { return ERROR_PATH; } - private boolean getTraceParameter(HttpServletRequest request) { String parameter = request.getParameter("trace"); if (parameter == null) { @@ -102,4 +102,4 @@ private HttpStatus getStatus(HttpServletRequest request) { } return HttpStatus.INTERNAL_SERVER_ERROR; } -} \ No newline at end of file +} diff --git a/src/main/java/io/shiftleft/controller/CustomerController.java b/src/main/java/io/shiftleft/controller/CustomerController.java index 40e1c4917..cc0e434b2 100644 --- a/src/main/java/io/shiftleft/controller/CustomerController.java +++ b/src/main/java/io/shiftleft/controller/CustomerController.java 
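Review bot: Restricting `errorHtml` to `RequestMethod.GET` likely means errors raised by non-GET requests no longer reach this handler: the servlet error forward to `/error` keeps the original request method, so a failing POST would arrive at `/error` with no matching handler and fall back to the container or whitelabel default instead of the `/errors/error` view. If the goal is only to stop `/error` being invoked directly with other methods, that belongs at the security-filter layer; otherwise keep the mapping method-agnostic as it was, `@RequestMapping(value = ERROR_PATH, produces = "text/html")`, or list every method the app serves. Separately, `getTraceParameter` (its body continues outside the hunk) reads a client-controlled `trace` query parameter that presumably toggles stack-trace output in the error page; that switch should be gated on a server-side property, not on the request.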
@@ -228,17 +228,17 @@ public void saveSettings(HttpServletResponse httpResponse, WebRequest request) t String settingsCookie = request.getHeader("Cookie"); String[] cookie = settingsCookie.split(","); - if(cookie.length<2) { - httpResponse.getOutputStream().println("Malformed cookie"); + if(cookie.length < 2) { + httpResponse.getOutputStream().println("Malformed cookie"); throw new Exception("cookie is incorrect"); } - String base64txt = cookie[0].replace("settings=",""); + String base64txt = cookie[0].replace("settings=", ""); // Check md5sum String cookieMD5sum = cookie[1]; String calcMD5Sum = DigestUtils.md5Hex(base64txt); - if(!cookieMD5sum.equals(calcMD5Sum)) + if(!cookieMD5sum.equals(calcMD5Sum)) { httpResponse.getOutputStream().println("Wrong md5"); throw new Exception("Invalid MD5"); @@ -246,9 +246,10 @@ public void saveSettings(HttpServletResponse httpResponse, WebRequest request) t // Now we can store on filesystem String[] settings = new String(Base64.getDecoder().decode(base64txt)).split(","); - // storage will have ClassPathResource as basepath + // storage will have ClassPathResource as basepath ClassPathResource cpr = new ClassPathResource("./static/"); - File file = new File(cpr.getPath()+settings[0]); + String fileName = FilenameUtils.getName(settings[0]); + File file = new File(cpr.getFile(), fileName); if(!file.exists()) { file.getParentFile().mkdirs(); } @@ -257,8 +258,8 @@ public void saveSettings(HttpServletResponse httpResponse, WebRequest request) t // First entry is the filename -> remove it String[] settingsArr = Arrays.copyOfRange(settings, 1, settings.length); // on setting at a linez - fos.write(String.join("\n",settingsArr).getBytes()); - fos.write(("\n"+cookie[cookie.length-1]).getBytes()); + fos.write(String.join("\n", settingsArr).getBytes()); + fos.write(("\n" + cookie[cookie.length - 1]).getBytes()); fos.close(); httpResponse.getOutputStream().println("Settings Saved"); } 
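Review bot: `FilenameUtils.getName(settings[0])` strips directory components and so closes the traversal, but the write still lands under the served `static/` directory with a caller-chosen name and extension and caller-supplied content (`settingsArr` plus the cookie tail, written in the next hunk), so a single request can drop an `.html` or `.js` file the application then serves — an arbitrary-upload / stored-XSS sink rather than a settings store. The only gate upstream is `DigestUtils.md5Hex(base64txt)` compared to a value taken from the same cookie, an unkeyed digest the client computes itself, so it authenticates nothing. Restrict the name with an allowlist and a fixed extension, e.g. `if (!fileName.matches("[A-Za-z0-9_-]{1,64}")) throw new Exception("invalid settings name");` followed by `File file = new File(cpr.getFile(), fileName + ".txt");`, and prefer a storage directory outside the web root. Also note `ClassPathResource.getFile()` only resolves when the resource is on the filesystem; when the app runs from a jar it throws, so this code behaves differently from the old `getPath()` concatenation depending on packaging. saveSettings' signature is outside this hunk.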
diff --git a/src/main/java/io/shiftleft/controller/SearchController.java b/src/main/java/io/shiftleft/controller/SearchController.java
index faa409760..35790f8fc 100644
--- a/src/main/java/io/shiftleft/controller/SearchController.java
+++ b/src/main/java/io/shiftleft/controller/SearchController.java
@@ -21,6 +21,9 @@ public class SearchController {
 public String doGetSearch(@RequestParam String foo, HttpServletResponse response, HttpServletRequest request) {
 java.lang.Object message = new Object();
 try {
+ if (!foo.matches("[a-zA-Z0-9 ]*")) {
+ throw new IllegalArgumentException("Input contains illegal characters");
+ }
 ExpressionParser parser = new SpelExpressionParser();
 Expression exp = parser.parseExpression(foo);
 message = (Object) exp.getValue();
diff --git a/src/main/java/io/shiftleft/data/DataBuilder.java b/src/main/java/io/shiftleft/data/DataBuilder.java
index 85ab53f26..99cf22b37 100644
--- a/src/main/java/io/shiftleft/data/DataBuilder.java
+++ b/src/main/java/io/shiftleft/data/DataBuilder.java
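Review bot: The allowlist `[a-zA-Z0-9 ]*` removes the characters a SpEL payload needs (`(`, `.`, `'`, `#`), but user input is still handed to `parser.parseExpression(foo)` and evaluated with `exp.getValue()` and no restricted context, so the whole defence rests on that one regex; evaluate with a restricted context as a second layer, `message = exp.getValue(SimpleEvaluationContext.forReadOnlyDataBinding().build());` (`org.springframework.expression.spel.support.SimpleEvaluationContext`, Spring 4.3.15/5.0.4+), which disables type references, constructors and bean references. If the endpoint only needs to echo a search term, do not parse it as an expression at all. Note that `*` in the pattern also admits an empty `foo`, and that the `IllegalArgumentException` is caught by whatever `catch` closes this `try` outside the hunk, so check what that handler does with it. Compile the pattern once as a `private static final Pattern` rather than calling `String.matches` on every request.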
@@ -35,48 +35,34 @@ public List createCustomers() { BufferedWriter bw = new BufferedWriter(new FileWriter(temp)); bw.write("This is the temporary file content"); bw.close(); - System.out.println(" File Write Successful "); } catch (IOException e) { - e.printStackTrace(); - } try { - - String output = new ProcessExecutor().command("java", "-version") + new ProcessExecutor().command("java", "-version") .redirectOutput(Slf4jStream.of(getClass()).asInfo()).readOutput(true).execute().outputUTF8(); - - System.out.println(" Output of System Call is " + output); } catch (InvalidExitValueException e) { - // TODO Auto-generated catch block - e.printStackTrace(); - } catch (IOException e) { - // TODO Auto-generated catch block - e.printStackTrace(); - } catch (InterruptedException e) { - // TODO Auto-generated catch block e.printStackTrace(); - } catch (TimeoutException e) { - // TODO Auto-generated catch block + } catch (IOException | InterruptedException | TimeoutException e) { e.printStackTrace(); } - Set accounts1 = new HashSet(); + Set accounts1 = new HashSet<>(); accounts1.add(new Account(1111, 321045, "CHECKING", 10000, 10)); accounts1.add(new Account(1112, 321045, "SAVING", 100000, 20)); Customer customer1 = new Customer("ID-4242", 4242, "Joe", "Smith", DateTime.parse("1982-01-10").toDate(), "123-45-3456", "000111222", "981-110-0101", "408-123-1233", new Address("High Street", "", "Santa Clara", "CA", "95054"), accounts1); - Set accounts2 = new HashSet(); + Set accounts2 = new HashSet<>(); accounts2.add(new Account(2111, 421045, "CHECKING", 20000, 10)); accounts2.add(new Account(2112, 421045, "MMA", 200000, 20)); Customer customer2 = new Customer("ID-4243", 4343, "Paul", "Jones", DateTime.parse("1973-01-03").toDate(), "321-67-3456", "222665436", "981-110-0100", "302-767-8796", new Address("Main Street", "", "Sunnyvale", "CA", "94086"), accounts2); - Set accounts3 = new HashSet(); + Set accounts3 = new HashSet<>(); accounts3.add(new Account(3111, 421045, "SAVING", 
30000, 10)); accounts3.add(new Account(3112, 421045, "MMA", 300000, 20)); Customer customer3 = new Customer("ID-4244", 4244, "Steve", "Toale", DateTime.parse("1979-03-08").toDate(), diff --git a/src/main/resources/config/application-aws.properties b/src/main/resources/config/application-aws.properties index 6467531bd..aafec2dfa 100644 --- a/src/main/resources/config/application-aws.properties +++ b/src/main/resources/config/application-aws.properties @@ -1,3 +1,3 @@ -aws.accesskey=AKIAILQI6VLJU3HSCEQQ +aws.accesskey=YOUR_ENV_VAR_FOR_ACCESS_KEY aws.secretkey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY -aws.bucket=mysaas/customerid/account/date \ No newline at end of file +aws.bucket=mysaas/customerid/account/date
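Review bot: Read literally, the hunk removes the `}` that closed `catch (IOException e)` after `e.printStackTrace();` while keeping `try {` as context, which would nest the `ProcessExecutor` block inside that catch and redeclare `e` in the inner catches; please confirm the new side compiles, or disregard if the lines were only collapsed in this view. More substantively, `new ProcessExecutor().command("java", "-version")...execute().outputUTF8()` now discards its result, leaving a process spawn in a data builder with no consumer; delete the call rather than keep a side-effect-only invocation. The `BufferedWriter` over `new FileWriter(temp)` is closed only on the success path; use `try (BufferedWriter bw = new BufferedWriter(new FileWriter(temp))) {` so it is released on exception as well. The createCustomers signature and the creation of `temp` sit above this hunk.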
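Review bot: `aws.accesskey=YOUR_ENV_VAR_FOR_ACCESS_KEY` is a literal placeholder, not an environment lookup; Spring resolves `${...}` in property files, so the intent is better expressed as `aws.accesskey=${AWS_ACCESS_KEY_ID:}` and `aws.secretkey=${AWS_SECRET_ACCESS_KEY:}`, which also removes the secret-key value still committed on the unchanged line (`wJalrXUtnFEMI/...EXAMPLEKEY` is AWS's documentation example, but any secret-shaped literal in a tracked properties file invites real ones to follow). Rewriting the file does not remove `AKIAILQI6VLJU3HSCEQQ` from git history; if that key was ever live it must be rotated or revoked at AWS independently of this commit.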