github-actions[bot]
commented
7 months ago Closed julz0815 closed 5 months ago
github-actions[bot]
commented
7 months ago github-actions[bot]
commented
7 months ago github-actions[bot]
commented
7 months ago Veracode Fix - Fix Suggestions
github-actions[bot]
commented
7 months ago Veracode Fix - Fix Suggestions
--- src/main/java/com/veracode/verademo/controller/UserController.java +++ src/main/java/com/veracode/verademo/controller/UserController.java @@ -50,6 +50,7 @@ import com.veracode.verademo.utils.Constants; import com.veracode.verademo.utils.User; import com.veracode.verademo.utils.UserFactory; +import java.util.*; /** * @author johnadmin @@ -249,8 +250,11 @@ String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'"; logger.info(sql); + SetwhitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3")); + if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username)) + throw new IllegalArgumentException(); Statement statement = connect.createStatement(); ResultSet result = statement.executeQuery(sql); if (result.first()) { String password= result.getString("password_hint"); String formatString = "Username '" + username + "' has password: %.2s%s";
github-actions[bot]
commented
7 months ago Veracode Fix - Fix Suggestions
Veracode STATIC Finding:
----------------------------------------------------------------STATIC Finding
Issue ID: 1020
CWE ID: 89
Severity: 4
Issue Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Display Text: This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
Source File: com/veracode/verademo/controller/UserController.java
Source Line: 253
Function Name: showPasswordHint
DIFF: ----------------------------------------------------------------Fix Suggestion
--- src/main/java/com/veracode/verademo/controller/UserController.java +++ src/main/java/com/veracode/verademo/controller/UserController.java @@ -50,6 +50,7 @@ import com.veracode.verademo.utils.Constants; import com.veracode.verademo.utils.User; import com.veracode.verademo.utils.UserFactory; +import java.util.*; /** * @author johnadmin @@ -249,8 +250,11 @@ String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'"; logger.info(sql); + Set
whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3")); + if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username)) + throw new IllegalArgumentException(); Statement statement = connect.createStatement(); ResultSet result = statement.executeQuery(sql); if (result.first()) { String password= result.getString("password_hint"); String formatString = "Username '" + username + "' has password: %.2s%s";
github-actions[bot]
commented
7 months ago Veracode Fix - Fix Suggestions
Veracode STATIC Finding:
----------------------------------------------------------------STATIC Finding
Issue ID: 1020
CWE ID: 89
Severity: 4
Issue Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Display Text: This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
Source File: com/veracode/verademo/controller/UserController.java
Source Line: 253
Function Name: showPasswordHint
DIFF: ----------------------------------------------------------------Fix Suggestion
--- src/main/java/com/veracode/verademo/controller/UserController.java +++ src/main/java/com/veracode/verademo/controller/UserController.java @@ -50,6 +50,7 @@ import com.veracode.verademo.utils.Constants; import com.veracode.verademo.utils.User; import com.veracode.verademo.utils.UserFactory; +import java.util.*; /** * @author johnadmin @@ -249,8 +250,11 @@ String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'"; logger.info(sql); + Set
whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3")); + if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username)) + throw new IllegalArgumentException(); Statement statement = connect.createStatement(); ResultSet result = statement.executeQuery(sql); if (result.first()) { String password= result.getString("password_hint"); String formatString = "Username '" + username + "' has password: %.2s%s";
github-actions[bot]
commented
7 months ago Veracode Fix - Fix Suggestions
Veracode STATIC Finding:
----------------------------------------------------------------STATIC Finding
Issue ID: 1020
CWE ID: 89
Severity: 4
Issue Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Display Text: This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
Source File: com/veracode/verademo/controller/UserController.java
Source Line: 253
Function Name: showPasswordHint
DIFF:
----------------------------------------------------------------Fix Suggestion
--- src/main/java/com/veracode/verademo/controller/UserController.java +++ src/main/java/com/veracode/verademo/controller/UserController.java @@ -50,6 +50,7 @@ import com.veracode.verademo.utils.Constants; import com.veracode.verademo.utils.User; import com.veracode.verademo.utils.UserFactory; +import java.util.*; /** * @author johnadmin @@ -249,8 +250,11 @@ String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'"; logger.info(sql); + Set
whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3")); + if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username)) + throw new IllegalArgumentException(); Statement statement = connect.createStatement(); ResultSet result = statement.executeQuery(sql); if (result.first()) { String password= result.getString("password_hint"); String formatString = "Username '" + username + "' has password: %.2s%s";
github-actions[bot]
commented
7 months ago Veracode Fix - Fix Suggestions
Veracode STATIC Finding:
----------------------------------------------------------------STATIC Finding
Issue ID: 1020
CWE ID: 89
Severity: 4
Issue Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Display Text: This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
Source File: com/veracode/verademo/controller/UserController.java
Source Line: 253
Function Name: showPasswordHint
DIFF:
----------------------------------------------------------------Fix Suggestion
--- src/main/java/com/veracode/verademo/controller/UserController.java +++ src/main/java/com/veracode/verademo/controller/UserController.java @@ -50,6 +50,7 @@ import com.veracode.verademo.utils.Constants; import com.veracode.verademo.utils.User; import com.veracode.verademo.utils.UserFactory; +import java.util.*; /** * @author johnadmin @@ -249,8 +250,11 @@ String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'"; logger.info(sql); + Set
whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3")); + if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username)) + throw new IllegalArgumentException(); Statement statement = connect.createStatement(); ResultSet result = statement.executeQuery(sql); if (result.first()) { String password= result.getString("password_hint"); String formatString = "Username '" + username + "' has password: %.2s%s";
github-actions[bot]
commented
7 months ago Veracode Fix - Fix Suggestions
Veracode STATIC Finding:
----------------------------------------------------------------STATIC Finding
Issue ID: 1020
CWE ID: 89
Severity: 4
Issue Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Display Text: This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
Source File: com/veracode/verademo/controller/UserController.java
Source Line: 253
Function Name: showPasswordHint
DIFF:
----------------------------------------------------------------Fix Suggestion
--- src/main/java/com/veracode/verademo/controller/UserController.java +++ src/main/java/com/veracode/verademo/controller/UserController.java @@ -50,6 +50,7 @@ import com.veracode.verademo.utils.Constants; import com.veracode.verademo.utils.User; import com.veracode.verademo.utils.UserFactory; +import java.util.*; /** * @author johnadmin @@ -249,8 +250,11 @@ String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'"; logger.info(sql); + Set
whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3")); + if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username)) + throw new IllegalArgumentException(); Statement statement = connect.createStatement(); ResultSet result = statement.executeQuery(sql); if (result.first()) { String password= result.getString("password_hint"); String formatString = "Username '" + username + "' has password: %.2s%s";
github-actions[bot]
commented
7 months ago Veracode Fix - Fix Suggestions
Veracode STATIC Finding:
----------------------------------------------------------------STATIC Finding
Issue ID: 1020
CWE ID: 89
Severity: 4
Issue Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Display Text: This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
Source File: com/veracode/verademo/controller/UserController.java
Source Line: 253
Function Name: showPasswordHint
DIFF:
----------------------------------------------------------------Fix Suggestion
--- src/main/java/com/veracode/verademo/controller/UserController.java +++ src/main/java/com/veracode/verademo/controller/UserController.java @@ -50,6 +50,7 @@ import com.veracode.verademo.utils.Constants; import com.veracode.verademo.utils.User; import com.veracode.verademo.utils.UserFactory; +import java.util.*; /** * @author johnadmin @@ -249,8 +250,11 @@ String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'"; logger.info(sql); + Set
whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3")); + if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username)) + throw new IllegalArgumentException(); Statement statement = connect.createStatement(); ResultSet result = statement.executeQuery(sql); if (result.first()) { String password= result.getString("password_hint"); String formatString = "Username '" + username + "' has password: %.2s%s";
github-actions[bot]
commented
7 months ago Veracode Fix - Fix Suggestions
Veracode STATIC Finding:
----------------------------------------------------------------STATIC Finding
Issue ID: 1020
CWE ID: 89
Severity: 4
Issue Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Display Text: This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
Source File: com/veracode/verademo/controller/UserController.java
Source Line: 253
Function Name: showPasswordHint
DIFF:
----------------------------------------------------------------Fix Suggestion
--- src/main/java/com/veracode/verademo/controller/UserController.java +++ src/main/java/com/veracode/verademo/controller/UserController.java @@ -50,6 +50,7 @@ import com.veracode.verademo.utils.Constants; import com.veracode.verademo.utils.User; import com.veracode.verademo.utils.UserFactory; +import java.util.*; /** * @author johnadmin @@ -249,8 +250,11 @@ String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'"; logger.info(sql); + Set
whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3")); + if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username)) + throw new IllegalArgumentException(); Statement statement = connect.createStatement(); ResultSet result = statement.executeQuery(sql); if (result.first()) { String password= result.getString("password_hint"); String formatString = "Username '" + username + "' has password: %.2s%s";
github-actions[bot]
commented
7 months ago Veracode Fix - Fix Suggestions
Veracode STATIC Finding:
----------------------------------------------------------------STATIC Finding
Issue ID: 1020
CWE ID: 89
Severity: 4
Issue Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Display Text: This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
Source File: com/veracode/verademo/controller/UserController.java
Source Line: 253
Function Name: showPasswordHint
DIFF:
----------------------------------------------------------------Fix Suggestion
--- src/main/java/com/veracode/verademo/controller/UserController.java +++ src/main/java/com/veracode/verademo/controller/UserController.java @@ -50,6 +50,7 @@ import com.veracode.verademo.utils.Constants; import com.veracode.verademo.utils.User; import com.veracode.verademo.utils.UserFactory; +import java.util.*; /** * @author johnadmin @@ -249,8 +250,11 @@ String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'"; logger.info(sql); + Set
whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3")); + if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username)) + throw new IllegalArgumentException(); Statement statement = connect.createStatement(); ResultSet result = statement.executeQuery(sql); if (result.first()) { String password= result.getString("password_hint"); String formatString = "Username '" + username + "' has password: %.2s%s";
github-actions[bot]
commented
7 months ago Veracode Fix - Fix Suggestions
Veracode STATIC Finding:
----------------------------------------------------------------STATIC Finding
Issue ID: 1020
CWE ID: 89
Severity: 4
Issue Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Display Text: This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
Source File: com/veracode/verademo/controller/UserController.java
Source Line: 253
Function Name: showPasswordHint
DIFF:
----------------------------------------------------------------Fix Suggestion
--- src/main/java/com/veracode/verademo/controller/UserController.java +++ src/main/java/com/veracode/verademo/controller/UserController.java @@ -50,6 +50,7 @@ import com.veracode.verademo.utils.Constants; import com.veracode.verademo.utils.User; import com.veracode.verademo.utils.UserFactory; +import java.util.*; /** * @author johnadmin @@ -249,8 +250,11 @@ String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'"; logger.info(sql); + Set
whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3")); + if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username)) + throw new IllegalArgumentException(); Statement statement = connect.createStatement(); ResultSet result = statement.executeQuery(sql); if (result.first()) { String password= result.getString("password_hint"); String formatString = "Username '" + username + "' has password: %.2s%s";
github-actions[bot]
commented
7 months ago Veracode Fix - Fix Suggestions
Veracode STATIC Finding:
----------------------------------------------------------------STATIC Finding
Issue ID: 1020
CWE ID: 89
Severity: 4
Issue Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Display Text: This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
Source File: com/veracode/verademo/controller/UserController.java
Source Line: 253
Function Name: showPasswordHint
DIFF:
----------------------------------------------------------------Fix Suggestion
--- src/main/java/com/veracode/verademo/controller/UserController.java +++ src/main/java/com/veracode/verademo/controller/UserController.java @@ -50,6 +50,7 @@ import com.veracode.verademo.utils.Constants; import com.veracode.verademo.utils.User; import com.veracode.verademo.utils.UserFactory; +import java.util.*; /** * @author johnadmin @@ -249,8 +250,11 @@ String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'"; logger.info(sql); + Set
whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3")); + if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username)) + throw new IllegalArgumentException(); Statement statement = connect.createStatement(); ResultSet result = statement.executeQuery(sql); if (result.first()) { String password= result.getString("password_hint"); String formatString = "Username '" + username + "' has password: %.2s%s";
github-actions[bot]
commented
7 months ago Veracode Fix - Fix Suggestions
Veracode STATIC Finding:
----------------------------------------------------------------STATIC Finding
Issue ID: 1020
CWE ID: 89
Severity: 4
Issue Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Display Text: This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
Source File: com/veracode/verademo/controller/UserController.java
Source Line: 253
Function Name: showPasswordHint
DIFF:
----------------------------------------------------------------Fix Suggestion
--- src/main/java/com/veracode/verademo/controller/UserController.java +++ src/main/java/com/veracode/verademo/controller/UserController.java @@ -50,6 +50,7 @@ import com.veracode.verademo.utils.Constants; import com.veracode.verademo.utils.User; import com.veracode.verademo.utils.UserFactory; +import java.util.*; /** * @author johnadmin @@ -249,8 +250,11 @@ String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'"; logger.info(sql); + Set
whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3")); + if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username)) + throw new IllegalArgumentException(); Statement statement = connect.createStatement(); ResultSet result = statement.executeQuery(sql); if (result.first()) { String password= result.getString("password_hint"); String formatString = "Username '" + username + "' has password: %.2s%s";
github-actions[bot]
commented
7 months ago 
Scan Summary:
PIPELINE_SCAN_VERSION: 24.3.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 847a4bde-2790-4119-803a-be4b700cc101
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 408283 bytes
====================
Analysis Successful.
====================
==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 184 issues.
====================details
-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------
=========================
FAILURE: Found 18 issues!
=========================
github-actions[bot]
commented
7 months ago
Scan Summary:
PIPELINE_SCAN_VERSION: 24.3.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: db913032-5918-4a78-aae3-8362ad98b0cb
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 408283 bytes
====================
Analysis Successful.
====================
==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 184 issues.
====================details
-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------
=========================
FAILURE: Found 18 issues!
=========================
github-actions[bot]
commented
7 months ago
Scan Summary:
PIPELINE_SCAN_VERSION: 24.3.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: b92d9335-c31d-40ea-bcd8-aa2c23329bb9
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 408283 bytes
====================
Analysis Successful.
====================
==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 184 issues.
====================details
-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------
=========================
FAILURE: Found 18 issues!
=========================
github-actions[bot]
commented
7 months ago Veracode Fix - Fix Suggestions
Veracode STATIC Finding:
----------------------------------------------------------------STATIC Finding
Issue ID: 1016
CWE ID: 89
Severity: 4
Issue Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Display Text: This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
Source File: com/veracode/verademo/controller/UserController.java
Source Line: 253
Function Name: showPasswordHint
DIFF:
----------------------------------------------------------------Fix Suggestion
--- src/main/java/com/veracode/verademo/controller/UserController.java +++ src/main/java/com/veracode/verademo/controller/UserController.java @@ -50,6 +50,7 @@ import com.veracode.verademo.utils.Constants; import com.veracode.verademo.utils.User; import com.veracode.verademo.utils.UserFactory; +import java.util.*; /** * @author johnadmin @@ -247,10 +248,19 @@ Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString()); - String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'"; + String sql = "SELECT password_hint FROM users WHERE username = ?"; logger.info(sql); - Statement statement = connect.createStatement(); - ResultSet result = statement.executeQuery(sql); + Set
whitelistPasswordLength2 = new HashSet<>(Arrays.asList("item1", "item2", "item3")); + if (!(password.length() - 2).matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistPasswordLength2.contains((password.length() - 2))) + throw new IllegalArgumentException(); + Set whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3")); + if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username)) + throw new IllegalArgumentException(); + + PreparedStatement statement = connect.prepareStatement(sql); + statement.setString(1, username); + + ResultSet result = statement.executeQuery(); if (result.first()) { String password= result.getString("password_hint"); String formatString = "Username '" + username + "' has password: %.2s%s"; @@ -263,6 +273,6 @@ } else { return "No password found for " + username; } } catch (ClassNotFoundException e) { e.printStackTrace();
github-actions[bot]
commented
7 months ago Veracode Fix - Fix Suggestions
Veracode STATIC Finding:
----------------------------------------------------------------STATIC Finding
Issue ID: 1010
CWE ID: 89
Severity: 4
Issue Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Display Text: This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable query. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
Source File: com/veracode/verademo/controller/UserController.java
Source Line: 386
Function Name: processRegisterFinish
DIFF:
----------------------------------------------------------------Fix Suggestion
--- src/main/java/com/veracode/verademo/controller/UserController.java +++ src/main/java/com/veracode/verademo/controller/UserController.java @@ -50,6 +50,7 @@ import com.veracode.verademo.utils.Constants; import com.veracode.verademo.utils.User; import com.veracode.verademo.utils.UserFactory; +import java.util.*; /** * @author johnadmin @@ -382,6 +383,21 @@ query.append("'" + blabName + "'"); query.append(");"); + Set
whitelistRealname = new HashSet<>(Arrays.asList("item1", "item2", "item3")); + if (!realName.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistRealname.contains(realName)) + throw new IllegalArgumentException(); + Set whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3")); + if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username)) + throw new IllegalArgumentException(); + Set whitelistMysqlcurrentdatetime = new HashSet<>(Arrays.asList("item1", "item2", "item3")); + if (!mysqlCurrentDateTime.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistMysqlcurrentdatetime.contains(mysqlCurrentDateTime)) + throw new IllegalArgumentException(); + Set whitelistPassword = new HashSet<>(Arrays.asList("item1", "item2", "item3")); + if (!password.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistPassword.contains(password)) + throw new IllegalArgumentException(); + Set whitelistBlabname = new HashSet<>(Arrays.asList("item1", "item2", "item3")); + if (!blabName.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistBlabname.contains(blabName)) + throw new IllegalArgumentException(); sqlStatement = connect.createStatement(); sqlStatement.execute(query.toString()); logger.info(query.toString()); @@ -411,6 +427,6 @@ } } return "redirect:login?username=" + username; } private void emailUser(String username)
github-actions[bot]
commented
7 months ago Veracode Fix - Fix Suggestions
Veracode STATIC Finding:
----------------------------------------------------------------STATIC Finding
Issue ID: 1025
CWE ID: 89
Severity: 4
Issue Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Display Text: This database query contains a SQL injection flaw. The call to java.sql.PreparedStatement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. executeQuery() was called on the myInfo object, which contains tainted data. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
Source File: com/veracode/verademo/controller/UserController.java
Source Line: 508
Function Name: showProfile
DIFF:
----------------------------------------------------------------Fix Suggestion
--- src/main/java/com/veracode/verademo/controller/UserController.java +++ src/main/java/com/veracode/verademo/controller/UserController.java @@ -490,11 +490,12 @@ ArrayList
events = new ArrayList (); /* START BAD CODE */ - String sqlMyEvents = "select event from users_history where blabber=\"" + username - + "\" ORDER BY eventid DESC; "; + String sqlMyEvents = "select event from users_history where blabber=? ORDER BY eventid DESC; "; logger.info(sqlMyEvents); - Statement sqlStatement = connect.createStatement(); - ResultSet userHistoryResult = sqlStatement.executeQuery(sqlMyEvents); + PreparedStatement sqlStatement = connect.prepareStatement(sqlMyEvents); + sqlStatement.setString(1, username); + + ResultSet userHistoryResult = sqlStatement.executeQuery(); /* END BAD CODE */ while (userHistoryResult.next()) {
github-actions[bot]
commented
7 months ago Veracode Fix - Fix Suggestions
Veracode STATIC Finding:
----------------------------------------------------------------STATIC Finding
Issue ID: 1014
CWE ID: 89
Severity: 4
Issue Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Display Text: This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
Source File: com/veracode/verademo/commands/RemoveAccountCommand.java
Source Line: 40
Function Name: execute
DIFF:
----------------------------------------------------------------Fix Suggestion
--- src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java +++ src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java @@ -34,10 +34,12 @@ action.setString(2, blabberUsername); action.execute(); - sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername +"'"; - Statement sqlStatement = connect.createStatement(); + sqlQuery = "SELECT blab_name FROM users WHERE username = ?"; logger.info(sqlQuery); - ResultSet result = sqlStatement.executeQuery(sqlQuery); + PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery); + sqlStatement.setString(1, blabberUsername); + + ResultSet result = sqlStatement.executeQuery(); result.next(); /* START BAD CODE ------*/
github-actions[bot]
commented
7 months ago Veracode Fix - Fix Suggestions
Veracode STATIC Finding:
----------------------------------------------------------------STATIC Finding
Issue ID: 1011
CWE ID: 89
Severity: 4
Issue Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Display Text: This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
Source File: com/veracode/verademo/commands/RemoveAccountCommand.java
Source Line: 51
Function Name: execute
DIFF:
----------------------------------------------------------------Fix Suggestion
--- src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java +++ src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java @@ -8,6 +8,7 @@ import org.apache.log4j.LogManager; import org.apache.log4j.Logger; +import java.util.*; public class RemoveAccountCommand implements BlabberCommand { private static final Logger logger = LogManager.getLogger("VeraDemo:RemoveAccountCommand"); @@ -35,16 +36,23 @@ action.execute(); sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername +"'"; - Statement sqlStatement = connect.createStatement(); logger.info(sqlQuery); ResultSet result = sqlStatement.executeQuery(sqlQuery); result.next(); /* START BAD CODE ------*/ String event = "Removed account for blabber " + result.getString(1); - sqlQuery = "INSERT INTO users_history (blabber, event) VALUES ('" + blabberUsername + "', '" + event + "')"; + sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (?, ?)"; logger.info(sqlQuery); - sqlStatement.execute(sqlQuery); + Set
whitelistResultGetstring1 = new HashSet<>(Arrays.asList("item1", "item2", "item3")); + if (!result.getString(1).matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistResultGetstring1.contains(result.getString(1))) + throw new IllegalArgumentException(); + + PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery); + sqlStatement.setString(1, blabberUsername); + sqlStatement.setString(2, event); + + sqlStatement.execute(); sqlQuery = "DELETE FROM users WHERE username = '" + blabberUsername + "'"; logger.info(sqlQuery);
github-actions[bot]
commented
7 months ago Veracode Fix - Fix Suggestions
Veracode STATIC Finding:
----------------------------------------------------------------STATIC Finding
Issue ID: 1008
CWE ID: 89
Severity: 4
Issue Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Display Text: This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, java.sql.PreparedStatement.executeQuery, and java.sql.Statement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
Source File: com/veracode/verademo/commands/ListenCommand.java
Source Line: 47
Function Name: execute
DIFF:
----------------------------------------------------------------Fix Suggestion
--- src/main/java/com/veracode/verademo/commands/ListenCommand.java +++ src/main/java/com/veracode/verademo/commands/ListenCommand.java @@ -34,10 +34,12 @@ action.setString(2, username); action.execute(); - sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'"; - Statement sqlStatement = connect.createStatement(); + sqlQuery = "SELECT blab_name FROM users WHERE username = ?"; logger.info(sqlQuery); - ResultSet result = sqlStatement.executeQuery(sqlQuery); + PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery); + sqlStatement.setString(1, blabberUsername); + + ResultSet result = sqlStatement.executeQuery(); result.next(); /* START BAD CODE -----*/
github-actions[bot]
commented
7 months ago Veracode Fix - Fix Suggestions
Veracode STATIC Finding:
----------------------------------------------------------------STATIC Finding
Issue ID: 1007
CWE ID: 89
Severity: 4
Issue Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Display Text: This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, java.sql.PreparedStatement.executeQuery, and java.sql.Statement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
Source File: com/veracode/verademo/commands/IgnoreCommand.java
Source Line: 47
Function Name: execute
DIFF:
----------------------------------------------------------------Fix Suggestion
--- src/main/java/com/veracode/verademo/commands/IgnoreCommand.java +++ src/main/java/com/veracode/verademo/commands/IgnoreCommand.java @@ -34,10 +34,12 @@ action.setString(2, username); action.execute(); - sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'"; - Statement sqlStatement = connect.createStatement(); + sqlQuery = "SELECT blab_name FROM users WHERE username = ?"; logger.info(sqlQuery); - ResultSet result = sqlStatement.executeQuery(sqlQuery); + PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery); + sqlStatement.setString(1, blabberUsername); + + ResultSet result = sqlStatement.executeQuery(); result.next(); /* START BAD CODE */
github-actions[bot]
commented
7 months ago
Scan Summary:
PIPELINE_SCAN_VERSION: 24.3.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: c07a1eb4-b0b6-4e7e-a862-e28668da21b5
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 408283 bytes
====================
Analysis Successful.
====================
==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 184 issues.
====================details
-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------
=========================
FAILURE: Found 18 issues!
=========================
github-actions[bot]
commented
7 months ago Veracode Fix - Fix Suggestions
Veracode STATIC Finding:
----------------------------------------------------------------STATIC Finding
Issue ID: 1015
CWE ID: 89
Severity: 4
Issue Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Display Text: This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
Source File: com/veracode/verademo/controller/UserController.java
Source Line: 318
Function Name: processRegister
DIFF:
----------------------------------------------------------------Fix Suggestion
--- src/main/java/com/veracode/verademo/controller/UserController.java +++ src/main/java/com/veracode/verademo/controller/UserController.java @@ -50,6 +50,7 @@ import com.veracode.verademo.utils.Constants; import com.veracode.verademo.utils.User; import com.veracode.verademo.utils.UserFactory; +import java.util.*; /** * @author johnadmin @@ -313,11 +314,18 @@ Class.forName("com.mysql.jdbc.Driver"); Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString()); - String sql = "SELECT username FROM users WHERE username = '" + username + "'"; - Statement statement = connect.createStatement(); - ResultSet result = statement.executeQuery(sql); + String sql = "SELECT username FROM users WHERE username = ?"; + + Set
whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3")); + if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username)) + throw new IllegalArgumentException(); + + PreparedStatement statement = connect.prepareStatement(sql); + statement.setString(1, username); + + ResultSet result = statement.executeQuery(); if (result.first()) { model.addAttribute("error", "Username '" + username + "' already exists!"); return "register"; } else {
github-actions[bot]
commented
7 months ago Veracode Fix - Fix Suggestions
Veracode STATIC Finding:
----------------------------------------------------------------STATIC Finding
Issue ID: 1017
CWE ID: 89
Severity: 4
Issue Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Display Text: This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sqlMyEvents. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
Source File: com/veracode/verademo/controller/UserController.java
Source Line: 497
Function Name: showProfile
DIFF:
----------------------------------------------------------------Fix Suggestion
--- src/main/java/com/veracode/verademo/controller/UserController.java +++ src/main/java/com/veracode/verademo/controller/UserController.java @@ -490,11 +490,12 @@ ArrayList
events = new ArrayList (); /* START BAD CODE */ - String sqlMyEvents = "select event from users_history where blabber=\"" + username - + "\" ORDER BY eventid DESC; "; + String sqlMyEvents = "select event from users_history where blabber=? ORDER BY eventid DESC; "; logger.info(sqlMyEvents); - Statement sqlStatement = connect.createStatement(); - ResultSet userHistoryResult = sqlStatement.executeQuery(sqlMyEvents); + PreparedStatement sqlStatement = connect.prepareStatement(sqlMyEvents); + sqlStatement.setString(1, username); + + ResultSet userHistoryResult = sqlStatement.executeQuery(); /* END BAD CODE */ while (userHistoryResult.next()) {
github-actions[bot]
commented
7 months ago Veracode Fix - Fix Suggestions
Veracode STATIC Finding:
----------------------------------------------------------------STATIC Finding
Issue ID: 1024
CWE ID: 89
Severity: 4
Issue Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Display Text: This database query contains a SQL injection flaw. The call to java.sql.PreparedStatement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. executeQuery() was called on the blabberQuery object, which contains tainted data. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
Source File: com/veracode/verademo/controller/BlabController.java
Source Line: 490
Function Name: showBlabbers
DIFF:
----------------------------------------------------------------Fix Suggestion
--- src/main/java/com/veracode/verademo/controller/BlabController.java +++ src/main/java/com/veracode/verademo/controller/BlabController.java @@ -27,6 +27,7 @@ import com.veracode.verademo.model.Blabber; import com.veracode.verademo.model.Comment; import com.veracode.verademo.utils.Constants; +import java.util.*; @Controller @Scope("request") @@ -484,10 +485,13 @@ // Find the Blabbers logger.info(blabbersSql); + Set
whitelistSort = new HashSet<>(Arrays.asList("item1", "item2", "item3")); + if (!sort.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistSort.contains(sort)) + throw new IllegalArgumentException(); blabberQuery = connect.prepareStatement(blabbersSql); blabberQuery.setString(1, username); blabberQuery.setString(2, username); ResultSet blabbersResults = blabberQuery.executeQuery(); /* END BAD CODE */ List blabbers = new ArrayList ();
github-actions[bot]
commented
7 months ago Veracode Fix - Fix Suggestions
Veracode STATIC Finding:
----------------------------------------------------------------STATIC Finding
Issue ID: 1009
CWE ID: 89
Severity: 4
Issue Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Display Text: This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.Statement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
Source File: com/veracode/verademo/commands/RemoveAccountCommand.java
Source Line: 47
Function Name: execute
DIFF:
----------------------------------------------------------------Fix Suggestion
--- src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java +++ src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java @@ -8,6 +8,7 @@ import org.apache.log4j.LogManager; import org.apache.log4j.Logger; +import java.util.*; public class RemoveAccountCommand implements BlabberCommand { private static final Logger logger = LogManager.getLogger("VeraDemo:RemoveAccountCommand"); @@ -35,16 +36,23 @@ action.execute(); sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername +"'"; - Statement sqlStatement = connect.createStatement(); logger.info(sqlQuery); ResultSet result = sqlStatement.executeQuery(sqlQuery); result.next(); /* START BAD CODE ------*/ String event = "Removed account for blabber " + result.getString(1); - sqlQuery = "INSERT INTO users_history (blabber, event) VALUES ('" + blabberUsername + "', '" + event + "')"; + sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (?, ?)"; logger.info(sqlQuery); - sqlStatement.execute(sqlQuery); + Set
whitelistResultGetstring1 = new HashSet<>(Arrays.asList("item1", "item2", "item3")); + if (!result.getString(1).matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistResultGetstring1.contains(result.getString(1))) + throw new IllegalArgumentException(); + + PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery); + sqlStatement.setString(1, blabberUsername); + sqlStatement.setString(2, event); + + sqlStatement.execute(); sqlQuery = "DELETE FROM users WHERE username = '" + blabberUsername + "'"; logger.info(sqlQuery);
github-actions[bot]
commented
7 months ago Veracode Fix - Fix Suggestions
Veracode STATIC Finding:
----------------------------------------------------------------STATIC Finding
Issue ID: 1013
CWE ID: 89
Severity: 4
Issue Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Display Text: This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
Source File: com/veracode/verademo/commands/ListenCommand.java
Source Line: 40
Function Name: execute
DIFF:
----------------------------------------------------------------Fix Suggestion
--- src/main/java/com/veracode/verademo/commands/ListenCommand.java +++ src/main/java/com/veracode/verademo/commands/ListenCommand.java @@ -34,10 +34,12 @@ action.setString(2, username); action.execute(); - sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'"; - Statement sqlStatement = connect.createStatement(); + sqlQuery = "SELECT blab_name FROM users WHERE username = ?"; logger.info(sqlQuery); - ResultSet result = sqlStatement.executeQuery(sqlQuery); + PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery); + sqlStatement.setString(1, blabberUsername); + + ResultSet result = sqlStatement.executeQuery(); result.next(); /* START BAD CODE -----*/
github-actions[bot]
commented
7 months ago Veracode Fix - Fix Suggestions
Veracode STATIC Finding:
----------------------------------------------------------------STATIC Finding
Issue ID: 1012
CWE ID: 89
Severity: 4
Issue Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Display Text: This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
Source File: com/veracode/verademo/commands/IgnoreCommand.java
Source Line: 40
Function Name: execute
DIFF:
----------------------------------------------------------------Fix Suggestion
--- src/main/java/com/veracode/verademo/commands/IgnoreCommand.java +++ src/main/java/com/veracode/verademo/commands/IgnoreCommand.java @@ -34,10 +34,12 @@ action.setString(2, username); action.execute(); - sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'"; - Statement sqlStatement = connect.createStatement(); + sqlQuery = "SELECT blab_name FROM users WHERE username = ?"; logger.info(sqlQuery); - ResultSet result = sqlStatement.executeQuery(sqlQuery); + PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery); + sqlStatement.setString(1, blabberUsername); + + ResultSet result = sqlStatement.executeQuery(); result.next(); /* START BAD CODE */
github-actions[bot]
commented
7 months ago
Scan Summary:
PIPELINE_SCAN_VERSION: 24.3.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 04ccf8ef-a724-4c8f-98b3-71ba53e85f1d
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 408283 bytes
====================
Analysis Successful.
====================
==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 184 issues.
====================details
-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------
=========================
FAILURE: Found 18 issues!
=========================
github-actions[bot]
commented
7 months ago Veracode Fix - Fix Suggestionsfor CWE 89
on file com/veracode/verademo/controller/UserController.java
Veracode STATIC Finding:
----------------------------------------------------------------STATIC Finding
Issue ID: 1016
CWE ID: 89
Severity: 4
Issue Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Display Text: This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
Source File: com/veracode/verademo/controller/UserController.java
Source Line: 253
Function Name: showPasswordHint
DIFF:
----------------------------------------------------------------Fix Suggestion
--- src/main/java/com/veracode/verademo/controller/UserController.java +++ src/main/java/com/veracode/verademo/controller/UserController.java @@ -50,6 +50,7 @@ import com.veracode.verademo.utils.Constants; import com.veracode.verademo.utils.User; import com.veracode.verademo.utils.UserFactory; +import java.util.*; /** * @author johnadmin @@ -247,10 +248,19 @@ Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString()); - String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'"; + String sql = "SELECT password_hint FROM users WHERE username = ?"; logger.info(sql); - Statement statement = connect.createStatement(); - ResultSet result = statement.executeQuery(sql); + Set
whitelistPasswordLength2 = new HashSet<>(Arrays.asList("item1", "item2", "item3")); + if (!(password.length() - 2).matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistPasswordLength2.contains((password.length() - 2))) + throw new IllegalArgumentException(); + Set whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3")); + if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username)) + throw new IllegalArgumentException(); + + PreparedStatement statement = connect.prepareStatement(sql); + statement.setString(1, username); + + ResultSet result = statement.executeQuery(); if (result.first()) { String password= result.getString("password_hint"); String formatString = "Username '" + username + "' has password: %.2s%s"; @@ -263,6 +273,6 @@ } else { return "No password found for " + username; } } catch (ClassNotFoundException e) { e.printStackTrace();
github-actions[bot]
commented
7 months ago Veracode Fix - Fix Suggestionsfor CWE 89
on file com/veracode/verademo/controller/UserController.java
Veracode STATIC Finding:
----------------------------------------------------------------STATIC Finding
Issue ID: 1010
CWE ID: 89
Severity: 4
Issue Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Display Text: This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable query. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
Source File: com/veracode/verademo/controller/UserController.java
Source Line: 386
Function Name: processRegisterFinish
DIFF:
----------------------------------------------------------------Fix Suggestion
--- src/main/java/com/veracode/verademo/controller/UserController.java +++ src/main/java/com/veracode/verademo/controller/UserController.java @@ -50,6 +50,7 @@ import com.veracode.verademo.utils.Constants; import com.veracode.verademo.utils.User; import com.veracode.verademo.utils.UserFactory; +import java.util.*; /** * @author johnadmin @@ -382,6 +383,21 @@ query.append("'" + blabName + "'"); query.append(");"); + Set
whitelistRealname = new HashSet<>(Arrays.asList("item1", "item2", "item3")); + if (!realName.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistRealname.contains(realName)) + throw new IllegalArgumentException(); + Set whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3")); + if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username)) + throw new IllegalArgumentException(); + Set whitelistMysqlcurrentdatetime = new HashSet<>(Arrays.asList("item1", "item2", "item3")); + if (!mysqlCurrentDateTime.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistMysqlcurrentdatetime.contains(mysqlCurrentDateTime)) + throw new IllegalArgumentException(); + Set whitelistPassword = new HashSet<>(Arrays.asList("item1", "item2", "item3")); + if (!password.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistPassword.contains(password)) + throw new IllegalArgumentException(); + Set whitelistBlabname = new HashSet<>(Arrays.asList("item1", "item2", "item3")); + if (!blabName.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistBlabname.contains(blabName)) + throw new IllegalArgumentException(); sqlStatement = connect.createStatement(); sqlStatement.execute(query.toString()); logger.info(query.toString()); @@ -411,6 +427,6 @@ } } return "redirect:login?username=" + username; } private void emailUser(String username)
github-actions[bot]
commented
7 months ago Veracode Fix - Fix Suggestionsfor CWE 89
on file com/veracode/verademo/controller/UserController.java
Veracode STATIC Finding:
----------------------------------------------------------------STATIC Finding
Issue ID: 1025
CWE ID: 89
Severity: 4
Issue Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Display Text: This database query contains a SQL injection flaw. The call to java.sql.PreparedStatement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. executeQuery() was called on the myInfo object, which contains tainted data. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
Source File: com/veracode/verademo/controller/UserController.java
Source Line: 508
Function Name: showProfile
DIFF:
----------------------------------------------------------------Fix Suggestion
--- src/main/java/com/veracode/verademo/controller/UserController.java +++ src/main/java/com/veracode/verademo/controller/UserController.java @@ -490,11 +490,12 @@ ArrayList
events = new ArrayList (); /* START BAD CODE */ - String sqlMyEvents = "select event from users_history where blabber=\"" + username - + "\" ORDER BY eventid DESC; "; + String sqlMyEvents = "select event from users_history where blabber=? ORDER BY eventid DESC; "; logger.info(sqlMyEvents); - Statement sqlStatement = connect.createStatement(); - ResultSet userHistoryResult = sqlStatement.executeQuery(sqlMyEvents); + PreparedStatement sqlStatement = connect.prepareStatement(sqlMyEvents); + sqlStatement.setString(1, username); + + ResultSet userHistoryResult = sqlStatement.executeQuery(); /* END BAD CODE */ while (userHistoryResult.next()) {
github-actions[bot]
commented
7 months ago Veracode Fix - Fix Suggestionsfor CWE 89
on file com/veracode/verademo/commands/RemoveAccountCommand.java
Veracode STATIC Finding:
----------------------------------------------------------------STATIC Finding
Issue ID: 1014
CWE ID: 89
Severity: 4
Issue Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Display Text: This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
Source File: com/veracode/verademo/commands/RemoveAccountCommand.java
Source Line: 40
Function Name: execute
DIFF:
----------------------------------------------------------------Fix Suggestion
--- src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java +++ src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java @@ -34,10 +34,12 @@ action.setString(2, blabberUsername); action.execute(); - sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername +"'"; - Statement sqlStatement = connect.createStatement(); + sqlQuery = "SELECT blab_name FROM users WHERE username = ?"; logger.info(sqlQuery); - ResultSet result = sqlStatement.executeQuery(sqlQuery); + PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery); + sqlStatement.setString(1, blabberUsername); + + ResultSet result = sqlStatement.executeQuery(); result.next(); /* START BAD CODE ------*/
github-actions[bot]
commented
7 months ago Veracode Fix - Fix Suggestionsfor CWE 89
on file com/veracode/verademo/commands/RemoveAccountCommand.java
Veracode STATIC Finding:
----------------------------------------------------------------STATIC Finding
Issue ID: 1011
CWE ID: 89
Severity: 4
Issue Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Display Text: This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
Source File: com/veracode/verademo/commands/RemoveAccountCommand.java
Source Line: 51
Function Name: execute
DIFF:
----------------------------------------------------------------Fix Suggestion
--- src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java +++ src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java @@ -8,6 +8,7 @@ import org.apache.log4j.LogManager; import org.apache.log4j.Logger; +import java.util.*; public class RemoveAccountCommand implements BlabberCommand { private static final Logger logger = LogManager.getLogger("VeraDemo:RemoveAccountCommand"); @@ -35,16 +36,23 @@ action.execute(); sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername +"'"; - Statement sqlStatement = connect.createStatement(); logger.info(sqlQuery); ResultSet result = sqlStatement.executeQuery(sqlQuery); result.next(); /* START BAD CODE ------*/ String event = "Removed account for blabber " + result.getString(1); - sqlQuery = "INSERT INTO users_history (blabber, event) VALUES ('" + blabberUsername + "', '" + event + "')"; + sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (?, ?)"; logger.info(sqlQuery); - sqlStatement.execute(sqlQuery); + Set
whitelistResultGetstring1 = new HashSet<>(Arrays.asList("item1", "item2", "item3")); + if (!result.getString(1).matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistResultGetstring1.contains(result.getString(1))) + throw new IllegalArgumentException(); + + PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery); + sqlStatement.setString(1, blabberUsername); + sqlStatement.setString(2, event); + + sqlStatement.execute(); sqlQuery = "DELETE FROM users WHERE username = '" + blabberUsername + "'"; logger.info(sqlQuery);
github-actions[bot]
commented
7 months ago Veracode Fix - Fix Suggestionsfor CWE 89
on file com/veracode/verademo/commands/ListenCommand.java
Veracode STATIC Finding:
----------------------------------------------------------------STATIC Finding
Issue ID: 1008
CWE ID: 89
Severity: 4
Issue Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Display Text: This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, java.sql.PreparedStatement.executeQuery, and java.sql.Statement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
Source File: com/veracode/verademo/commands/ListenCommand.java
Source Line: 47
Function Name: execute
DIFF:
----------------------------------------------------------------Fix Suggestion
--- src/main/java/com/veracode/verademo/commands/ListenCommand.java +++ src/main/java/com/veracode/verademo/commands/ListenCommand.java @@ -34,10 +34,12 @@ action.setString(2, username); action.execute(); - sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'"; - Statement sqlStatement = connect.createStatement(); + sqlQuery = "SELECT blab_name FROM users WHERE username = ?"; logger.info(sqlQuery); - ResultSet result = sqlStatement.executeQuery(sqlQuery); + PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery); + sqlStatement.setString(1, blabberUsername); + + ResultSet result = sqlStatement.executeQuery(); result.next(); /* START BAD CODE -----*/
github-actions[bot]
commented
7 months ago Veracode Fix - Fix Suggestionsfor CWE 89
on file com/veracode/verademo/commands/IgnoreCommand.java
Veracode STATIC Finding:
----------------------------------------------------------------STATIC Finding
Issue ID: 1007
CWE ID: 89
Severity: 4
Issue Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Display Text: This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, java.sql.PreparedStatement.executeQuery, and java.sql.Statement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
Source File: com/veracode/verademo/commands/IgnoreCommand.java
Source Line: 47
Function Name: execute
DIFF:
----------------------------------------------------------------Fix Suggestion
--- src/main/java/com/veracode/verademo/commands/IgnoreCommand.java +++ src/main/java/com/veracode/verademo/commands/IgnoreCommand.java @@ -34,10 +34,12 @@ action.setString(2, username); action.execute(); - sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'"; - Statement sqlStatement = connect.createStatement(); + sqlQuery = "SELECT blab_name FROM users WHERE username = ?"; logger.info(sqlQuery); - ResultSet result = sqlStatement.executeQuery(sqlQuery); + PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery); + sqlStatement.setString(1, blabberUsername); + + ResultSet result = sqlStatement.executeQuery(); result.next(); /* START BAD CODE */
julz0815
commented
7 months ago 
[!CAUTION] Breaking Flaw identified in code!
[!CAUTION] This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable sqlQuery. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, java.sql.PreparedStatement.executeQuery, and java.sql.Statement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
--- src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
+++ src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
@@ -34,10 +34,12 @@
action.setString(2, username);
action.execute();
- sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'";
- Statement sqlStatement = connect.createStatement();
+ sqlQuery = "SELECT blab_name FROM users WHERE username = ?";
logger.info(sqlQuery);
- ResultSet result = sqlStatement.executeQuery(sqlQuery);
+ PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
+ sqlStatement.setString(1, blabberUsername);
+
+ ResultSet result = sqlStatement.executeQuery();
result.next();
/* START BAD CODE */
Scan Summary:
PIPELINE_SCAN_VERSION: 24.3.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 8406ce3a-c583-42e6-b7c5-c68b7af3d60d
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 408283 bytes
====================
Analysis Successful.
====================
==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 184 issues.
====================details
-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------
=========================
FAILURE: Found 18 issues!
=========================
github-actions[bot]
commented
7 months ago
> [!CAUTION]
Breaking Flaw identified in code!
https://github.com/julz0815/test-action/blob/ced1fb232c158fccd1e1b366671c0a6968ee66fc/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L40-L52
> [!CAUTION]
89 - 4
This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASPdiff
--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
import com.veracode.verademo.utils.Constants;
import com.veracode.verademo.utils.User;
import com.veracode.verademo.utils.UserFactory;
+import java.util.*;
/**
@author johnadmin @@ -247,10 +248,19 @@
Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
> [!CAUTION]
Breaking Flaw identified in code!
https://github.com/julz0815/test-action/blob/ced1fb232c158fccd1e1b366671c0a6968ee66fc/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L40-L52
> [!CAUTION]
89 - 4
This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable query. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASPdiff
--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
import com.veracode.verademo.utils.Constants;
import com.veracode.verademo.utils.User;
import com.veracode.verademo.utils.UserFactory;
+import java.util.*;
/**
throw new IllegalArgumentException(); sqlStatement = connect.createStatement(); sqlStatement.execute(query.toString()); logger.info(query.toString()); @@ -411,6 +427,6 @@ } } return "redirect:login?username=" + username; }
private void emailUser(String username)
```
github-actions[bot]
commented
7 months ago
> [!CAUTION]
Breaking Flaw identified in code!
https://github.com/julz0815/test-action/blob/ced1fb232c158fccd1e1b366671c0a6968ee66fc/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L40-L52
> [!CAUTION]
89 - 4
This database query contains a SQL injection flaw. The call to java.sql.PreparedStatement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. executeQuery() was called on the myInfo object, which contains tainted data. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASPdiff
--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -490,11 +490,12 @@
ArrayList
/* START BAD CODE */ResultSet userHistoryResult = sqlStatement.executeQuery(); / END BAD CODE /
while (userHistoryResult.next()) {
```
github-actions[bot]
commented
7 months ago
Scan Summary:
PIPELINE_SCAN_VERSION: 24.3.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: fe98ce82-130d-45f4-b574-a9f422b6af56
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 408283 bytes
====================
Analysis Successful.
====================
==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 184 issues.
====================details
-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------
=========================
FAILURE: Found 18 issues!
=========================
github-actions[bot]
commented
7 months ago
> [!CAUTION]Breaking Flaw identified in code!
https://github.com/julz0815/test-action/blob/ced1fb232c158fccd1e1b366671c0a6968ee66fc/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L40-L52
> [!CAUTION]CWE: 89 - Severity: 4
This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
```diff
--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
import com.veracode.verademo.utils.Constants;
import com.veracode.verademo.utils.User;
import com.veracode.verademo.utils.UserFactory;
+import java.util.*;
/**
@author johnadmin @@ -247,10 +248,19 @@
Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
> [!CAUTION]Breaking Flaw identified in code!
https://github.com/julz0815/test-action/blob/ced1fb232c158fccd1e1b366671c0a6968ee66fc/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L40-L52
> [!CAUTION]CWE: 89 - Severity: 4
This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable query. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
```diff
--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
import com.veracode.verademo.utils.Constants;
import com.veracode.verademo.utils.User;
import com.veracode.verademo.utils.UserFactory;
+import java.util.*;
/**
throw new IllegalArgumentException(); sqlStatement = connect.createStatement(); sqlStatement.execute(query.toString()); logger.info(query.toString()); @@ -411,6 +427,6 @@ } } return "redirect:login?username=" + username; }
private void emailUser(String username)
```
github-actions[bot]
commented
7 months ago
> [!CAUTION]Breaking Flaw identified in code!
https://github.com/julz0815/test-action/blob/ced1fb232c158fccd1e1b366671c0a6968ee66fc/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L40-L52
> [!CAUTION]CWE: 89 - Severity: 4
This database query contains a SQL injection flaw. The call to java.sql.PreparedStatement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. executeQuery() was called on the myInfo object, which contains tainted data. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
```diff
--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -490,11 +490,12 @@
ArrayList
/* START BAD CODE */ResultSet userHistoryResult = sqlStatement.executeQuery(); / END BAD CODE /
while (userHistoryResult.next()) {
```
github-actions[bot]
commented
7 months ago
> [!CAUTION]Breaking Flaw identified in code!
https://github.com/julz0815/test-action/blob/ced1fb232c158fccd1e1b366671c0a6968ee66fc/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java#L40-L52
> [!CAUTION]CWE: 89 - Severity: 4
This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sqlQuery. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
```diff
--- src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
+++ src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
@@ -34,10 +34,12 @@
action.setString(2, blabberUsername);
action.execute();
ResultSet result = sqlStatement.executeQuery(); result.next();
/* START BAD CODE ------*/
```