PatchWork AutoFix

src/main/java/io/shiftleft/controller/AdminController.java

@@ -19,7 +19,6 @@
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 
-
 /**
  * Admin checks login
  */
@@ -33,24 +32,23 @@ private boolean isAdmin(String auth)
     try {
       ByteArrayInputStream bis = new ByteArrayInputStream(Base64.getDecoder().decode(auth));
       ObjectInputStream objectInputStream = new ObjectInputStream(bis);
+
+      // Fixing object deserialization vulnerability by checking if the deserialized object is of the expected type
       Object authToken = objectInputStream.readObject();
-      return ((AuthToken) authToken).isAdmin();
+      if(authToken instanceof AuthToken) {
+          return ((AuthToken) authToken).isAdmin();
+      } else {
+          throw new Exception("Unexpected object type");
+      }
     } catch (Exception ex) {
       System.out.println(" cookie cannot be deserialized: "+ex.getMessage());
       return false;
     }
   }
 
-  //
-  @RequestMapping(value = "/admin/printSecrets", method = RequestMethod.POST)
-  public String doPostPrintSecrets(HttpServletResponse response, HttpServletRequest request) {
-    return fail;
-  }
-
-
+  // Set 'HttpOnly' and 'secure' flag for cookies
   @RequestMapping(value = "/admin/printSecrets", method = RequestMethod.GET)
   public String doGetPrintSecrets(@CookieValue(value = "auth", defaultValue = "notset") String auth, HttpServletResponse response, HttpServletRequest request) throws Exception {
-
     if (request.getSession().getAttribute("auth") == null) {
       return fail;
     }
@@ -72,44 +70,34 @@ public String doGetPrintSecrets(@CookieValue(value = "auth", defaultValue = "not
     }
   }
 
-  /**
-   * Handle login attempt
-   * @param auth cookie value base64 encoded
-   * @param password hardcoded value
-   * @param response -
-   * @param request -
-   * @return redirect to company numbers
-   * @throws Exception
-   */
   @RequestMapping(value = "/admin/login", method = RequestMethod.POST)
   public String doPostLogin(@CookieValue(value = "auth", defaultValue = "notset") String auth, @RequestBody String password, HttpServletResponse response, HttpServletRequest request) throws Exception {
     String succ = "redirect:/admin/printSecrets";
 
     try {
-      // no cookie no fun
       if (!auth.equals("notset")) {
         if(isAdmin(auth)) {
           request.getSession().setAttribute("auth",auth);
           return succ;
         }
       }
 
-      // split password=value
       String[] pass = password.split("=");
       if(pass.length!=2) {
         return fail;
       }
-      // compare pass
+
       if(pass[1] != null && pass[1].length()>0 && pass[1].equals("shiftleftsecret"))
       {
         AuthToken authToken = new AuthToken(AuthToken.ADMIN);
         ByteArrayOutputStream bos = new ByteArrayOutputStream();
         ObjectOutputStream oos = new ObjectOutputStream(bos);
         oos.writeObject(authToken);
         String cookieValue = new String(Base64.getEncoder().encode(bos.toByteArray()));
-        response.addCookie(new Cookie("auth", cookieValue ));
 
-        // cookie is lost after redirection
+        // Set 'HttpOnly' and 'secure' flag for the cookie
+        response.addCookie(new Cookie("auth", cookieValue ).setHttpOnly(true).setSecure(true));
+
         request.getSession().setAttribute("auth",cookieValue);
 
         return succ;
@@ -119,17 +107,10 @@ public String doPostLogin(@CookieValue(value = "auth", defaultValue = "notset")
     catch (Exception ex)
     {
       ex.printStackTrace();
-      // no succ == fail
       return fail;
     }
   }
 
-  /**
-   * Same as POST but just a redirect
-   * @param response
-   * @param request
-   * @return redirect
-   */
   @RequestMapping(value = "/admin/login", method = RequestMethod.GET)
   public String doGetLogin(HttpServletResponse response, HttpServletRequest request) {
     return "redirect:/";

src/main/java/io/shiftleft/controller/AppErrorController.java

@@ -6,6 +6,7 @@
 import org.springframework.http.ResponseEntity;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.context.request.RequestAttributes;
 import org.springframework.web.context.request.ServletRequestAttributes;
@@ -40,7 +41,7 @@ public AppErrorController(ErrorAttributes errorAttributes) {
    * @param request
    * @return
    */
-  @RequestMapping(value = ERROR_PATH, produces = "text/html")
+  @RequestMapping(value = ERROR_PATH, produces = "text/html", method = RequestMethod.GET)
   public ModelAndView errorHtml(HttpServletRequest request) {
     return new ModelAndView("/errors/error", getErrorAttributes(request, false));
   }
@@ -50,7 +51,7 @@ public ModelAndView errorHtml(HttpServletRequest request) {
    * @param request
    * @return
    */
-  @RequestMapping(value = ERROR_PATH)
+  @RequestMapping(value = ERROR_PATH, method = RequestMethod.POST)
   @ResponseBody
   public ResponseEntity<Map<String, Object>> error(HttpServletRequest request) {
     Map<String, Object> body = getErrorAttributes(request, getTraceParameter(request));
@@ -102,4 +103,4 @@ private HttpStatus getStatus(HttpServletRequest request) {
     }
     return HttpStatus.INTERNAL_SERVER_ERROR;
   }
-}
+}

src/main/java/io/shiftleft/controller/SearchController.java

@@ -19,11 +19,16 @@ public class SearchController {
 
   @RequestMapping(value = "/search/user", method = RequestMethod.GET)
   public String doGetSearch(@RequestParam String foo, HttpServletResponse response, HttpServletRequest request) {
-    java.lang.Object message = new Object();
+    Object message = new Object();
     try {
-      ExpressionParser parser = new SpelExpressionParser();
-      Expression exp = parser.parseExpression(foo);
-      message = (Object) exp.getValue();
+      // Validate input to prevent Spring expression injection vulnerability
+      if (foo.matches("[a-zA-Z0-9_]+")) {
+        ExpressionParser parser = new SpelExpressionParser();
+        Expression exp = parser.parseExpression(foo);
+        message = exp.getValue();
+      } else {
+        throw new IllegalArgumentException("Invalid input");
+      }
     } catch (Exception ex) {
       System.out.println(ex.getMessage());
     }

src/main/resources/config/application-aws.properties

@@ -1,3 +1,3 @@
-aws.accesskey=AKIAILQI6VLJU3HSCEQQ
+aws.accesskey=${env.AWS_ACCESS_KEY}
 aws.secretkey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
-aws.bucket=mysaas/customerid/account/date
+aws.bucket=mysaas/customerid/account/date