PatchWork AutoFix

src/main/java/io/shiftleft/controller/AdminController.java

@@ -19,7 +19,6 @@
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 
-
 /**
  * Admin checks login
  */
@@ -34,9 +33,12 @@ private boolean isAdmin(String auth)
       ByteArrayInputStream bis = new ByteArrayInputStream(Base64.getDecoder().decode(auth));
       ObjectInputStream objectInputStream = new ObjectInputStream(bis);
       Object authToken = objectInputStream.readObject();
+      if (!(authToken instanceof AuthToken)) {
+        throw new IllegalArgumentException("Invalid object type");
+      }
       return ((AuthToken) authToken).isAdmin();
     } catch (Exception ex) {
-      System.out.println(" cookie cannot be deserialized: "+ex.getMessage());
+      System.out.println("cookie cannot be deserialized: " + ex.getMessage());
       return false;
     }
   }
@@ -47,16 +49,15 @@ public String doPostPrintSecrets(HttpServletResponse response, HttpServletReques
     return fail;
   }
 
-
   @RequestMapping(value = "/admin/printSecrets", method = RequestMethod.GET)
   public String doGetPrintSecrets(@CookieValue(value = "auth", defaultValue = "notset") String auth, HttpServletResponse response, HttpServletRequest request) throws Exception {
-
+    
     if (request.getSession().getAttribute("auth") == null) {
       return fail;
     }
 
     String authToken = request.getSession().getAttribute("auth").toString();
-    if(!isAdmin(authToken)) {
+    if (!isAdmin(authToken)) {
       return fail;
     }
 
@@ -74,6 +75,7 @@ public String doGetPrintSecrets(@CookieValue(value = "auth", defaultValue = "not
 
   /**
    * Handle login attempt
+   *
    * @param auth cookie value base64 encoded
    * @param password hardcoded value
    * @param response -
@@ -88,36 +90,36 @@ public String doPostLogin(@CookieValue(value = "auth", defaultValue = "notset")
     try {
       // no cookie no fun
       if (!auth.equals("notset")) {
-        if(isAdmin(auth)) {
-          request.getSession().setAttribute("auth",auth);
+        if (isAdmin(auth)) {
+          request.getSession().setAttribute("auth", auth);
           return succ;
         }
       }
 
       // split password=value
       String[] pass = password.split("=");
-      if(pass.length!=2) {
-        return fail;
-      }
-      // compare pass
-      if(pass[1] != null && pass[1].length()>0 && pass[1].equals("shiftleftsecret"))
-      {
+        if (pass.length != 2) {
+          return fail;
+        }
+        // compare pass
+      if (pass[1] != null && pass[1].length() > 0 && pass[1].equals("shiftleftsecret")) {
         AuthToken authToken = new AuthToken(AuthToken.ADMIN);
         ByteArrayOutputStream bos = new ByteArrayOutputStream();
         ObjectOutputStream oos = new ObjectOutputStream(bos);
         oos.writeObject(authToken);
         String cookieValue = new String(Base64.getEncoder().encode(bos.toByteArray()));
-        response.addCookie(new Cookie("auth", cookieValue ));
+        Cookie cookie = new Cookie("auth", cookieValue);
+        cookie.setHttpOnly(true);
+        cookie.setSecure(true);
+        response.addCookie(cookie);
 
         // cookie is lost after redirection
-        request.getSession().setAttribute("auth",cookieValue);
+        request.getSession().setAttribute("auth", cookieValue);
 
         return succ;
       }
       return fail;
-    }
-    catch (Exception ex)
-    {
+    } catch (Exception ex) {
       ex.printStackTrace();
       // no succ == fail
       return fail;
@@ -126,6 +128,7 @@ public String doPostLogin(@CookieValue(value = "auth", defaultValue = "notset")
 
   /**
    * Same as POST but just a redirect
+   *
    * @param response
    * @param request
    * @return redirect

src/main/java/io/shiftleft/controller/AppErrorController.java

@@ -10,6 +10,7 @@
 import org.springframework.web.context.request.RequestAttributes;
 import org.springframework.web.context.request.ServletRequestAttributes;
 import org.springframework.web.servlet.ModelAndView;
+import org.springframework.web.bind.annotation.RequestMethod;
 
 import javax.servlet.http.HttpServletRequest;
 import java.util.Map;
@@ -40,7 +41,7 @@ public AppErrorController(ErrorAttributes errorAttributes) {
    * @param request
    * @return
    */
-  @RequestMapping(value = ERROR_PATH, produces = "text/html")
+  @RequestMapping(value = ERROR_PATH, produces = "text/html", method = RequestMethod.GET)
   public ModelAndView errorHtml(HttpServletRequest request) {
     return new ModelAndView("/errors/error", getErrorAttributes(request, false));
   }
@@ -68,7 +69,6 @@ public String getErrorPath() {
     return ERROR_PATH;
   }
 
-
   private boolean getTraceParameter(HttpServletRequest request) {
     String parameter = request.getParameter("trace");
     if (parameter == null) {
@@ -102,4 +102,4 @@ private HttpStatus getStatus(HttpServletRequest request) {
     }
     return HttpStatus.INTERNAL_SERVER_ERROR;
   }
-}
+}

src/main/java/io/shiftleft/controller/CustomerController.java

@@ -228,27 +228,28 @@ public void saveSettings(HttpServletResponse httpResponse, WebRequest request) t
 
     String settingsCookie = request.getHeader("Cookie");
     String[] cookie = settingsCookie.split(",");
-	if(cookie.length<2) {
-	  httpResponse.getOutputStream().println("Malformed cookie");
+    if(cookie.length < 2) {
+      httpResponse.getOutputStream().println("Malformed cookie");
       throw new Exception("cookie is incorrect");
     }
 
-    String base64txt = cookie[0].replace("settings=","");
+    String base64txt = cookie[0].replace("settings=", "");
 
     // Check md5sum
     String cookieMD5sum = cookie[1];
     String calcMD5Sum = DigestUtils.md5Hex(base64txt);
-	if(!cookieMD5sum.equals(calcMD5Sum))
+    if(!cookieMD5sum.equals(calcMD5Sum))
     {
       httpResponse.getOutputStream().println("Wrong md5");
       throw new Exception("Invalid MD5");
     }
 
     // Now we can store on filesystem
     String[] settings = new String(Base64.getDecoder().decode(base64txt)).split(",");
-	// storage will have ClassPathResource as basepath
+    // storage will have ClassPathResource as basepath
     ClassPathResource cpr = new ClassPathResource("./static/");
-	  File file = new File(cpr.getPath()+settings[0]);
+    String fileName = FilenameUtils.getName(settings[0]);
+    File file = new File(cpr.getFile(), fileName);
     if(!file.exists()) {
       file.getParentFile().mkdirs();
     }
@@ -257,8 +258,8 @@ public void saveSettings(HttpServletResponse httpResponse, WebRequest request) t
     // First entry is the filename -> remove it
     String[] settingsArr = Arrays.copyOfRange(settings, 1, settings.length);
     // on setting at a linez
-    fos.write(String.join("\n",settingsArr).getBytes());
-    fos.write(("\n"+cookie[cookie.length-1]).getBytes());
+    fos.write(String.join("\n", settingsArr).getBytes());
+    fos.write(("\n" + cookie[cookie.length - 1]).getBytes());
     fos.close();
     httpResponse.getOutputStream().println("Settings Saved");
   }

src/main/java/io/shiftleft/controller/SearchController.java

@@ -21,6 +21,9 @@ public class SearchController {
   public String doGetSearch(@RequestParam String foo, HttpServletResponse response, HttpServletRequest request) {
     java.lang.Object message = new Object();
     try {
+      if (!foo.matches("[a-zA-Z0-9 ]*")) {
+        throw new IllegalArgumentException("Input contains illegal characters");
+      }
       ExpressionParser parser = new SpelExpressionParser();
       Expression exp = parser.parseExpression(foo);
       message = (Object) exp.getValue();

src/main/java/io/shiftleft/data/DataBuilder.java

@@ -35,48 +35,34 @@ public List<Customer> createCustomers() {
       BufferedWriter bw = new BufferedWriter(new FileWriter(temp));
       bw.write("This is the temporary file content");
       bw.close();
-      System.out.println(" File Write Successful ");
     } catch (IOException e) {
-
       e.printStackTrace();
-
     }
 
     try {
-
-      String output = new ProcessExecutor().command("java", "-version")
+      new ProcessExecutor().command("java", "-version")
           .redirectOutput(Slf4jStream.of(getClass()).asInfo()).readOutput(true).execute().outputUTF8();
-
-      System.out.println(" Output of System Call is " + output);
     } catch (InvalidExitValueException e) {
-      // TODO Auto-generated catch block
-      e.printStackTrace();
-    } catch (IOException e) {
-      // TODO Auto-generated catch block
-      e.printStackTrace();
-    } catch (InterruptedException e) {
-      // TODO Auto-generated catch block
       e.printStackTrace();
-    } catch (TimeoutException e) {
-      // TODO Auto-generated catch block
+    } catch (IOException | InterruptedException | TimeoutException e) {
       e.printStackTrace();
     }
 
-    Set<Account> accounts1 = new HashSet<Account>();
+    Set<Account> accounts1 = new HashSet<>();
     accounts1.add(new Account(1111, 321045, "CHECKING", 10000, 10));
     accounts1.add(new Account(1112, 321045, "SAVING", 100000, 20));
     Customer customer1 = new Customer("ID-4242", 4242, "Joe", "Smith", DateTime.parse("1982-01-10").toDate(),
             "123-45-3456", "000111222", "981-110-0101", "408-123-1233", new Address("High Street", "", "Santa Clara",
             "CA", "95054"), accounts1);
 
-    Set<Account> accounts2 = new HashSet<Account>();
+    Set<Account> accounts2 = new HashSet<>();
     accounts2.add(new Account(2111, 421045, "CHECKING", 20000, 10));
     accounts2.add(new Account(2112, 421045, "MMA", 200000, 20));
     Customer customer2 = new Customer("ID-4243", 4343, "Paul", "Jones", DateTime.parse("1973-01-03").toDate(),
             "321-67-3456", "222665436", "981-110-0100", "302-767-8796", new Address("Main Street", "", "Sunnyvale",
             "CA", "94086"), accounts2);
 
-    Set<Account> accounts3 = new HashSet<Account>();
+    Set<Account> accounts3 = new HashSet<>();
     accounts3.add(new Account(3111, 421045, "SAVING", 30000, 10));
     accounts3.add(new Account(3112, 421045, "MMA", 300000, 20));
     Customer customer3 = new Customer("ID-4244", 4244, "Steve", "Toale", DateTime.parse("1979-03-08").toDate(),

src/main/resources/config/application-aws.properties

@@ -1,3 +1,3 @@
-aws.accesskey=AKIAILQI6VLJU3HSCEQQ
+aws.accesskey=YOUR_ENV_VAR_FOR_ACCESS_KEY
 aws.secretkey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
-aws.bucket=mysaas/customerid/account/date
+aws.bucket=mysaas/customerid/account/date