search

julz0815 / test-action

0 stars 1 forks source link

Fixtest #837

Closed julz0815 closed 3 months ago

github-actions[bot] commented 3 months ago



Scan Summary:
PIPELINE_SCAN_VERSION: 24.5.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: b7b2ad69-5715-4bac-819a-49dbbd330022
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 938071 bytes
====================
Analysis Successful.
====================

==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war

===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war

====================
Analyzed 184 issues.
====================

details


-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------


=========================
FAILURE: Found 18 issues!
=========================

github-actions[bot] commented 3 months ago

undefined

[!CAUTION] Breaking Flaws identified in code!

Fixes for src/main/java/com/veracode/verademo/controller/UserController.java: Falws found for this file: CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 231 for issue 1136 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 495 for issue 1141 CWE 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - Severity 4 on line 253 for issue 1016 CWE 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - Severity 4 on line 508 for issue 1025 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 710 for issue 1135 CWE 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - Severity 4 on line 497 for issue 1017 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 114 for issue 1139 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 239 for issue 1155 CWE 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - Severity 4 on line 386 for issue 1010 CWE 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - Severity 4 on line 318 for issue 1015 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 660 for issue 1137 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 805 for issue 1143 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 257 for issue 1140 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 696 for issue 1148 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 387 for issue 1138 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 251 for issue 1149 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 506 for issue 1150 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 861 for issue 1142

Fix suggestions:

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,10 @@
 import com.veracode.verademo.utils.Constants;
 import com.veracode.verademo.utils.User;
 import com.veracode.verademo.utils.UserFactory;
+import org.apache.commons.lang3.StringUtils;
+import java.util.*;
+import org.apache.commons.text.StringEscapeUtils;
+import java.net.URLEncoder;

 /**
  * @author johnadmin
@@ -111,7 +115,7 @@
            target = "";
        }

-       logger.info("Entering showLogin with username " + username + " and target " + target);
+       logger.info("Entering showLogin with username " + StringEscapeUtils.escapeJava(username) + " and target " + target);

        model.addAttribute("username", username);
        model.addAttribute("target", target);
@@ -228,7 +232,7 @@
        }

        // Redirect to the appropriate place based on login actions above
-       logger.info("Redirecting to view: " + nextView);
+       logger.info("Redirecting to view: " + StringUtils.normalizeSpace(nextView));
        return nextView;
    }

@@ -236,7 +240,7 @@
    @ResponseBody
    public String showPasswordHint(String username)
    {
-       logger.info("Entering password-hint with username: " + username);
+       logger.info("Entering password-hint with username: " + StringUtils.normalizeSpace(username));

        if (username == null || username.isEmpty()) {
            return "No username provided, please type in your username first";
@@ -249,8 +253,13 @@

            String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'";
            logger.info(sql);
+           Set<String> whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+           if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username))
+               throw new IllegalArgumentException();
+
            Statement statement = connect.createStatement();
            ResultSet result = statement.executeQuery(sql);
+
            if (result.first()) {
                String password= result.getString("password_hint");
                String formatString = "Username '" + username + "' has password: %.2s%s";
@@ -361,7 +370,7 @@
        }

        Connection connect = null;
-       Statement sqlStatement = null;
+       PreparedStatement sqlStatement = null;

        try {
            // Get the Database Connection
@@ -382,9 +391,16 @@
            query.append("'" + blabName + "'");
            query.append(");");

-           sqlStatement = connect.createStatement();
-           sqlStatement.execute(query.toString());
-           logger.info(query.toString());
+
+       Set<String> whitelistBlabname = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+       if (!blabName.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistBlabname.contains(blabName))
+           throw new IllegalArgumentException();
+
+           sqlStatement = connect.prepareStatement(query.toString());
+
+           sqlStatement.execute();
+
+           logger.info(URLEncoder.encode(query.toString()));
            /* END BAD CODE */

            emailUser(username);
@@ -453,7 +469,7 @@
    {
        logger.info("Entering showProfile");

-       String username = (String) httpRequest.getSession().getAttribute("username");
+       String username = (String) StringUtils.normalizeSpace(httpRequest.getSession().getAttribute("username"));
        // Ensure user is logged in
        if (username == null) {
            logger.info("User is not Logged In - redirecting...");
@@ -502,10 +518,13 @@
            }

            // Get the users information
-           String sql = "SELECT username, real_name, blab_name FROM users WHERE username = '" + username + "'";
+           String sql = "SELECT username, real_name, blab_name FROM users WHERE username = ?";
            logger.info(sql);
            myInfo = connect.prepareStatement(sql);
+           myInfo.setString(1, username);
+
            ResultSet myInfoResults = myInfo.executeQuery();
+
            myInfoResults.next();

            // Send these values to our View
@@ -657,7 +676,7 @@
                String extension = file.getOriginalFilename().substring(file.getOriginalFilename().lastIndexOf("."));
                String path = imageDir + username + extension;

-               logger.info("Saving new profile image: " + path);
+               logger.info("Saving new profile image: " + StringEscapeUtils.escapeJava(path));

                file.transferTo(new File(path)); // will delete any existing file first
            }
@@ -693,7 +712,7 @@

        String path = context.getRealPath("/resources/images") + File.separator + imageName;

-       logger.info("Fetching profile image: " + path);
+       logger.info("Fetching profile image: " + StringUtils.normalizeSpace(path));

        InputStream inputStream = null;
        OutputStream outStream = null;
@@ -707,7 +726,7 @@
                // set to binary type if MIME mapping not found
                mimeType = "application/octet-stream";
            }
-           logger.info("MIME type: " + mimeType);
+           logger.info("MIME type: " + StringUtils.normalizeSpace(mimeType));

            // Set content attributes for the response
            response.setContentType(mimeType);
@@ -802,7 +821,7 @@
            }
        }

-       logger.info("Username: " + username + " already exists. Try again.");
+       logger.info("Username: " + StringEscapeUtils.escapeJava(username) + " already exists. Try again.");
        return true;
    }

@@ -858,7 +877,7 @@
            if (oldImage != null) {
                String extension = oldImage.substring(oldImage.lastIndexOf("."));

-               logger.info("Renaming profile image from " + oldImage + " to " + newUsername + extension);
+               logger.info("Renaming profile image from " + oldImage + " to " + StringUtils.normalizeSpace(newUsername) + extension);
                String path = context.getRealPath("/resources/images") + File.separator;

                File oldName = new File(path + oldImage);
github-actions[bot] commented 3 months ago



Scan Summary:
PIPELINE_SCAN_VERSION: 24.5.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: ad2b62fa-d9d5-41c7-99c8-ab85a5558751
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 938071 bytes
====================
Analysis Successful.
====================

==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war

===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war

====================
Analyzed 184 issues.
====================

details


-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------


=========================
FAILURE: Found 18 issues!
=========================

github-actions[bot] commented 3 months ago

undefined

[!CAUTION] Breaking Flaws identified in code!

Fixes for src/main/java/com/veracode/verademo/controller/UserController.java: Falws found for this file: CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 231 for issue 1136 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 495 for issue 1141 CWE 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - Severity 4 on line 253 for issue 1016 CWE 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - Severity 4 on line 508 for issue 1025 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 710 for issue 1135 CWE 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - Severity 4 on line 497 for issue 1017 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 114 for issue 1139 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 239 for issue 1155 CWE 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - Severity 4 on line 386 for issue 1010 CWE 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - Severity 4 on line 318 for issue 1015 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 660 for issue 1137 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 805 for issue 1143 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 257 for issue 1140 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 696 for issue 1148 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 387 for issue 1138 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 251 for issue 1149 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 506 for issue 1150 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 861 for issue 1142

Fix suggestions:

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,9 @@
 import com.veracode.verademo.utils.Constants;
 import com.veracode.verademo.utils.User;
 import com.veracode.verademo.utils.UserFactory;
+import org.apache.commons.lang3.StringUtils;
+import java.util.*;
+import org.apache.commons.text.StringEscapeUtils;

 /**
  * @author johnadmin
@@ -111,7 +114,7 @@
            target = "";
        }

-       logger.info("Entering showLogin with username " + username + " and target " + target);
+       logger.info("Entering showLogin with username " + StringEscapeUtils.escapeJava(username) + " and target " + target);

        model.addAttribute("username", username);
        model.addAttribute("target", target);
@@ -228,7 +231,7 @@
        }

        // Redirect to the appropriate place based on login actions above
-       logger.info("Redirecting to view: " + nextView);
+       logger.info("Redirecting to view: " + StringUtils.normalizeSpace(nextView));
        return nextView;
    }

@@ -236,7 +239,7 @@
    @ResponseBody
    public String showPasswordHint(String username)
    {
-       logger.info("Entering password-hint with username: " + username);
+       logger.info("Entering password-hint with username: " + StringUtils.normalizeSpace(username));

        if (username == null || username.isEmpty()) {
            return "No username provided, please type in your username first";
@@ -249,8 +252,13 @@

            String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'";
            logger.info(sql);
+           Set<String> whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+           if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username))
+               throw new IllegalArgumentException();
+
            Statement statement = connect.createStatement();
            ResultSet result = statement.executeQuery(sql);
+
            if (result.first()) {
                String password= result.getString("password_hint");
                String formatString = "Username '" + username + "' has password: %.2s%s";
@@ -361,7 +369,7 @@
        }

        Connection connect = null;
-       Statement sqlStatement = null;
+       PreparedStatement sqlStatement = null;

        try {
            // Get the Database Connection
@@ -382,9 +390,16 @@
            query.append("'" + blabName + "'");
            query.append(");");

-           sqlStatement = connect.createStatement();
-           sqlStatement.execute(query.toString());
-           logger.info(query.toString());
+
+       Set<String> whitelistBlabname = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+       if (!blabName.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistBlabname.contains(blabName))
+           throw new IllegalArgumentException();
+
+           sqlStatement = connect.prepareStatement(query.toString());
+
+           sqlStatement.execute();
+
+           logger.info(StringUtils.normalizeSpace(query.toString()));
            /* END BAD CODE */

            emailUser(username);
@@ -453,7 +468,7 @@
    {
        logger.info("Entering showProfile");

-       String username = (String) httpRequest.getSession().getAttribute("username");
+       String username = (String) StringUtils.normalizeSpace(httpRequest.getSession().getAttribute("username"));
        // Ensure user is logged in
        if (username == null) {
            logger.info("User is not Logged In - redirecting...");
@@ -502,10 +517,13 @@
            }

            // Get the users information
-           String sql = "SELECT username, real_name, blab_name FROM users WHERE username = '" + username + "'";
+           String sql = "SELECT username, real_name, blab_name FROM users WHERE username = ?";
            logger.info(sql);
            myInfo = connect.prepareStatement(sql);
+           myInfo.setString(1, username);
+
            ResultSet myInfoResults = myInfo.executeQuery();
+
            myInfoResults.next();

            // Send these values to our View
@@ -657,7 +675,7 @@
                String extension = file.getOriginalFilename().substring(file.getOriginalFilename().lastIndexOf("."));
                String path = imageDir + username + extension;

-               logger.info("Saving new profile image: " + path);
+               logger.info("Saving new profile image: " + StringEscapeUtils.escapeJava(path));

                file.transferTo(new File(path)); // will delete any existing file first
            }
@@ -693,7 +711,7 @@

        String path = context.getRealPath("/resources/images") + File.separator + imageName;

-       logger.info("Fetching profile image: " + path);
+       logger.info("Fetching profile image: " + StringUtils.normalizeSpace(path));

        InputStream inputStream = null;
        OutputStream outStream = null;
@@ -707,7 +725,7 @@
                // set to binary type if MIME mapping not found
                mimeType = "application/octet-stream";
            }
-           logger.info("MIME type: " + mimeType);
+           logger.info("MIME type: " + StringUtils.normalizeSpace(mimeType));

            // Set content attributes for the response
            response.setContentType(mimeType);
@@ -802,7 +820,7 @@
            }
        }

-       logger.info("Username: " + username + " already exists. Try again.");
+       logger.info("Username: " + StringEscapeUtils.escapeJava(username) + " already exists. Try again.");
        return true;
    }

@@ -858,7 +876,7 @@
            if (oldImage != null) {
                String extension = oldImage.substring(oldImage.lastIndexOf("."));

-               logger.info("Renaming profile image from " + oldImage + " to " + newUsername + extension);
+               logger.info("Renaming profile image from " + oldImage + " to " + StringUtils.normalizeSpace(newUsername) + extension);
                String path = context.getRealPath("/resources/images") + File.separator;

                File oldName = new File(path + oldImage);
github-actions[bot] commented 3 months ago



Scan Summary:
PIPELINE_SCAN_VERSION: 24.5.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 6b2110cf-f0bc-4ed6-8d86-b9a75f870ae2
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 938071 bytes
====================
Analysis Successful.
====================

==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war

===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war

====================
Analyzed 184 issues.
====================

details


-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------


=========================
FAILURE: Found 18 issues!
=========================

github-actions[bot] commented 3 months ago

undefined

[!CAUTION] Breaking Flaws identified in code!

Fixes for src/main/java/com/veracode/verademo/controller/UserController.java: Falws found for this file: CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 231 for issue 1136 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 495 for issue 1141 CWE 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - Severity 4 on line 253 for issue 1016 CWE 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - Severity 4 on line 508 for issue 1025 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 710 for issue 1135 CWE 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - Severity 4 on line 497 for issue 1017 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 114 for issue 1139 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 239 for issue 1155 CWE 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - Severity 4 on line 386 for issue 1010 CWE 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - Severity 4 on line 318 for issue 1015 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 660 for issue 1137 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 805 for issue 1143 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 257 for issue 1140 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 696 for issue 1148 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 387 for issue 1138 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 251 for issue 1149 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 506 for issue 1150 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 861 for issue 1142

Fix suggestions:

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,9 @@
 import com.veracode.verademo.utils.Constants;
 import com.veracode.verademo.utils.User;
 import com.veracode.verademo.utils.UserFactory;
+import org.apache.commons.lang3.StringUtils;
+import java.util.*;
+import org.apache.commons.text.StringEscapeUtils;

 /**
  * @author johnadmin
@@ -111,7 +114,7 @@
            target = "";
        }

-       logger.info("Entering showLogin with username " + username + " and target " + target);
+       logger.info("Entering showLogin with username " + StringEscapeUtils.escapeJava(username) + " and target " + target);

        model.addAttribute("username", username);
        model.addAttribute("target", target);
@@ -228,7 +231,7 @@
        }

        // Redirect to the appropriate place based on login actions above
-       logger.info("Redirecting to view: " + nextView);
+       logger.info("Redirecting to view: " + StringUtils.normalizeSpace(nextView));
        return nextView;
    }

@@ -236,7 +239,7 @@
    @ResponseBody
    public String showPasswordHint(String username)
    {
-       logger.info("Entering password-hint with username: " + username);
+       logger.info("Entering password-hint with username: " + StringUtils.normalizeSpace(username));

        if (username == null || username.isEmpty()) {
            return "No username provided, please type in your username first";
@@ -249,8 +252,13 @@

            String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'";
            logger.info(sql);
+           Set<String> whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+           if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username))
+               throw new IllegalArgumentException();
+
            Statement statement = connect.createStatement();
            ResultSet result = statement.executeQuery(sql);
+
            if (result.first()) {
                String password= result.getString("password_hint");
                String formatString = "Username '" + username + "' has password: %.2s%s";
@@ -361,7 +369,7 @@
        }

        Connection connect = null;
-       Statement sqlStatement = null;
+       PreparedStatement sqlStatement = null;

        try {
            // Get the Database Connection
@@ -382,9 +390,16 @@
            query.append("'" + blabName + "'");
            query.append(");");

-           sqlStatement = connect.createStatement();
-           sqlStatement.execute(query.toString());
-           logger.info(query.toString());
+
+       Set<String> whitelistBlabname = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+       if (!blabName.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistBlabname.contains(blabName))
+           throw new IllegalArgumentException();
+
+           sqlStatement = connect.prepareStatement(query.toString());
+
+           sqlStatement.execute();
+
+           logger.info(StringUtils.normalizeSpace(query.toString()));
            /* END BAD CODE */

            emailUser(username);
@@ -453,7 +468,7 @@
    {
        logger.info("Entering showProfile");

-       String username = (String) httpRequest.getSession().getAttribute("username");
+       String username = (String) StringUtils.normalizeSpace(httpRequest.getSession().getAttribute("username"));
        // Ensure user is logged in
        if (username == null) {
            logger.info("User is not Logged In - redirecting...");
@@ -502,10 +517,13 @@
            }

            // Get the users information
-           String sql = "SELECT username, real_name, blab_name FROM users WHERE username = '" + username + "'";
+           String sql = "SELECT username, real_name, blab_name FROM users WHERE username = ?";
            logger.info(sql);
            myInfo = connect.prepareStatement(sql);
+           myInfo.setString(1, username);
+
            ResultSet myInfoResults = myInfo.executeQuery();
+
            myInfoResults.next();

            // Send these values to our View
@@ -657,7 +675,7 @@
                String extension = file.getOriginalFilename().substring(file.getOriginalFilename().lastIndexOf("."));
                String path = imageDir + username + extension;

-               logger.info("Saving new profile image: " + path);
+               logger.info("Saving new profile image: " + StringEscapeUtils.escapeJava(path));

                file.transferTo(new File(path)); // will delete any existing file first
            }
@@ -693,7 +711,7 @@

        String path = context.getRealPath("/resources/images") + File.separator + imageName;

-       logger.info("Fetching profile image: " + path);
+       logger.info("Fetching profile image: " + StringUtils.normalizeSpace(path));

        InputStream inputStream = null;
        OutputStream outStream = null;
@@ -707,7 +725,7 @@
                // set to binary type if MIME mapping not found
                mimeType = "application/octet-stream";
            }
-           logger.info("MIME type: " + mimeType);
+           logger.info("MIME type: " + StringUtils.normalizeSpace(mimeType));

            // Set content attributes for the response
            response.setContentType(mimeType);
@@ -802,7 +820,7 @@
            }
        }

-       logger.info("Username: " + username + " already exists. Try again.");
+       logger.info("Username: " + StringEscapeUtils.escapeJava(username) + " already exists. Try again.");
        return true;
    }

@@ -858,7 +876,7 @@
            if (oldImage != null) {
                String extension = oldImage.substring(oldImage.lastIndexOf("."));

-               logger.info("Renaming profile image from " + oldImage + " to " + newUsername + extension);
+               logger.info("Renaming profile image from " + oldImage + " to " + StringUtils.normalizeSpace(newUsername) + extension);
                String path = context.getRealPath("/resources/images") + File.separator;

                File oldName = new File(path + oldImage);
github-actions[bot] commented 3 months ago



Scan Summary:
PIPELINE_SCAN_VERSION: 24.5.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 6ab5e332-3c68-4223-ad63-114d06a9b4dc
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 938071 bytes
====================
Analysis Successful.
====================

==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war

===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war

====================
Analyzed 184 issues.
====================

details


-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------


=========================
FAILURE: Found 18 issues!
=========================

github-actions[bot] commented 3 months ago



Scan Summary:
PIPELINE_SCAN_VERSION: 24.5.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 1a42ee91-18e4-4e6b-81d0-0c2eec82e58f
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 938071 bytes
====================
Analysis Successful.
====================

==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war

===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war

====================
Analyzed 184 issues.
====================

details


-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------


=========================
FAILURE: Found 18 issues!
=========================

github-actions[bot] commented 3 months ago

undefined

[!CAUTION] Breaking Flaws identified in code!

Fixes for src/main/java/com/veracode/verademo/controller/UserController.java: Falws found for this file: CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 231 for issue 1136 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 495 for issue 1141 CWE 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - Severity 4 on line 253 for issue 1016 CWE 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - Severity 4 on line 508 for issue 1025 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 710 for issue 1135 CWE 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - Severity 4 on line 497 for issue 1017 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 114 for issue 1139 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 239 for issue 1155 CWE 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - Severity 4 on line 386 for issue 1010 CWE 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - Severity 4 on line 318 for issue 1015 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 660 for issue 1137 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 805 for issue 1143 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 257 for issue 1140 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 696 for issue 1148 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 387 for issue 1138 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 251 for issue 1149 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 506 for issue 1150 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 861 for issue 1142

Fix suggestions:

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,9 @@
 import com.veracode.verademo.utils.Constants;
 import com.veracode.verademo.utils.User;
 import com.veracode.verademo.utils.UserFactory;
+import org.apache.commons.lang3.StringUtils;
+import java.util.*;
+import org.apache.commons.text.StringEscapeUtils;

 /**
  * @author johnadmin
@@ -111,7 +114,7 @@
            target = "";
        }

-       logger.info("Entering showLogin with username " + username + " and target " + target);
+       logger.info("Entering showLogin with username " + StringEscapeUtils.escapeJava(username) + " and target " + target);

        model.addAttribute("username", username);
        model.addAttribute("target", target);
@@ -228,7 +231,7 @@
        }

        // Redirect to the appropriate place based on login actions above
-       logger.info("Redirecting to view: " + nextView);
+       logger.info("Redirecting to view: " + StringUtils.normalizeSpace(nextView));
        return nextView;
    }

@@ -236,7 +239,7 @@
    @ResponseBody
    public String showPasswordHint(String username)
    {
-       logger.info("Entering password-hint with username: " + username);
+       logger.info("Entering password-hint with username: " + StringUtils.normalizeSpace(username));

        if (username == null || username.isEmpty()) {
            return "No username provided, please type in your username first";
@@ -249,8 +252,13 @@

            String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'";
            logger.info(sql);
+           Set<String> whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+           if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username))
+               throw new IllegalArgumentException();
+
            Statement statement = connect.createStatement();
            ResultSet result = statement.executeQuery(sql);
+
            if (result.first()) {
                String password= result.getString("password_hint");
                String formatString = "Username '" + username + "' has password: %.2s%s";
@@ -361,7 +369,7 @@
        }

        Connection connect = null;
-       Statement sqlStatement = null;
+       PreparedStatement sqlStatement = null;

        try {
            // Get the Database Connection
@@ -382,9 +390,16 @@
            query.append("'" + blabName + "'");
            query.append(");");

-           sqlStatement = connect.createStatement();
-           sqlStatement.execute(query.toString());
-           logger.info(query.toString());
+
+       Set<String> whitelistBlabname = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+       if (!blabName.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistBlabname.contains(blabName))
+           throw new IllegalArgumentException();
+
+           sqlStatement = connect.prepareStatement(query.toString());
+
+           sqlStatement.execute();
+
+           logger.info(StringUtils.normalizeSpace(query.toString()));
            /* END BAD CODE */

            emailUser(username);
@@ -453,7 +468,7 @@
    {
        logger.info("Entering showProfile");

-       String username = (String) httpRequest.getSession().getAttribute("username");
+       String username = (String) StringUtils.normalizeSpace(httpRequest.getSession().getAttribute("username"));
        // Ensure user is logged in
        if (username == null) {
            logger.info("User is not Logged In - redirecting...");
@@ -502,10 +517,13 @@
            }

            // Get the users information
-           String sql = "SELECT username, real_name, blab_name FROM users WHERE username = '" + username + "'";
+           String sql = "SELECT username, real_name, blab_name FROM users WHERE username = ?";
            logger.info(sql);
            myInfo = connect.prepareStatement(sql);
+           myInfo.setString(1, username);
+
            ResultSet myInfoResults = myInfo.executeQuery();
+
            myInfoResults.next();

            // Send these values to our View
@@ -657,7 +675,7 @@
                String extension = file.getOriginalFilename().substring(file.getOriginalFilename().lastIndexOf("."));
                String path = imageDir + username + extension;

-               logger.info("Saving new profile image: " + path);
+               logger.info("Saving new profile image: " + StringEscapeUtils.escapeJava(path));

                file.transferTo(new File(path)); // will delete any existing file first
            }
@@ -693,7 +711,7 @@

        String path = context.getRealPath("/resources/images") + File.separator + imageName;

-       logger.info("Fetching profile image: " + path);
+       logger.info("Fetching profile image: " + StringUtils.normalizeSpace(path));

        InputStream inputStream = null;
        OutputStream outStream = null;
@@ -707,7 +725,7 @@
                // set to binary type if MIME mapping not found
                mimeType = "application/octet-stream";
            }
-           logger.info("MIME type: " + mimeType);
+           logger.info("MIME type: " + StringUtils.normalizeSpace(mimeType));

            // Set content attributes for the response
            response.setContentType(mimeType);
@@ -802,7 +820,7 @@
            }
        }

-       logger.info("Username: " + username + " already exists. Try again.");
+       logger.info("Username: " + StringEscapeUtils.escapeJava(username) + " already exists. Try again.");
        return true;
    }

@@ -858,7 +876,7 @@
            if (oldImage != null) {
                String extension = oldImage.substring(oldImage.lastIndexOf("."));

-               logger.info("Renaming profile image from " + oldImage + " to " + newUsername + extension);
+               logger.info("Renaming profile image from " + oldImage + " to " + StringUtils.normalizeSpace(newUsername) + extension);
                String path = context.getRealPath("/resources/images") + File.separator;

                File oldName = new File(path + oldImage);
github-actions[bot] commented 3 months ago



Scan Summary:
PIPELINE_SCAN_VERSION: 24.5.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 42c36339-a383-4281-8f9c-73f820d7d31a
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 938071 bytes
====================
Analysis Successful.
====================

==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war

===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war

====================
Analyzed 184 issues.
====================

details


-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------


=========================
FAILURE: Found 18 issues!
=========================

github-actions[bot] commented 3 months ago



Scan Summary:
PIPELINE_SCAN_VERSION: 24.5.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: f2d529b8-2e0a-4a39-8452-af581f99a0ec
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 938071 bytes
====================
Analysis Successful.
====================

==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war

===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war

====================
Analyzed 184 issues.
====================

details


-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------


=========================
FAILURE: Found 18 issues!
=========================

github-actions[bot] commented 3 months ago



Scan Summary:
PIPELINE_SCAN_VERSION: 24.5.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: b28f7fbc-e5d3-4cb3-af17-ff5222d32058
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 938071 bytes
====================
Analysis Successful.
====================

==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war

===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war

====================
Analyzed 184 issues.
====================

details


-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------


=========================
FAILURE: Found 18 issues!
=========================

github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaws identified in code!

Fixes for src/main/java/com/veracode/verademo/controller/UserController.java: Falws found for this file: CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 231 for issue 1136 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 495 for issue 1141 CWE 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - Severity 4 on line 253 for issue 1016 CWE 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - Severity 4 on line 508 for issue 1025 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 710 for issue 1135 CWE 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - Severity 4 on line 497 for issue 1017 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 114 for issue 1139 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 239 for issue 1155 CWE 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - Severity 4 on line 386 for issue 1010 CWE 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - Severity 4 on line 318 for issue 1015 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 660 for issue 1137 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 805 for issue 1143 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 257 for issue 1140 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 696 for issue 1148 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 387 for issue 1138 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 251 for issue 1149 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 506 for issue 1150 CWE 117 - Improper Output Neutralization for Logs - Severity 3 on line 861 for issue 1142

Fix suggestions:

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,9 @@
 import com.veracode.verademo.utils.Constants;
 import com.veracode.verademo.utils.User;
 import com.veracode.verademo.utils.UserFactory;
+import org.apache.commons.lang3.StringUtils;
+import java.util.*;
+import org.apache.commons.text.StringEscapeUtils;

 /**
  * @author johnadmin
@@ -111,7 +114,7 @@
            target = "";
        }

-       logger.info("Entering showLogin with username " + username + " and target " + target);
+       logger.info("Entering showLogin with username " + StringEscapeUtils.escapeJava(username) + " and target " + target);

        model.addAttribute("username", username);
        model.addAttribute("target", target);
@@ -228,7 +231,7 @@
        }

        // Redirect to the appropriate place based on login actions above
-       logger.info("Redirecting to view: " + nextView);
+       logger.info("Redirecting to view: " + StringUtils.normalizeSpace(nextView));
        return nextView;
    }

@@ -236,7 +239,7 @@
    @ResponseBody
    public String showPasswordHint(String username)
    {
-       logger.info("Entering password-hint with username: " + username);
+       logger.info("Entering password-hint with username: " + StringUtils.normalizeSpace(username));

        if (username == null || username.isEmpty()) {
            return "No username provided, please type in your username first";
@@ -249,8 +252,13 @@

            String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'";
            logger.info(sql);
+           Set<String> whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+           if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username))
+               throw new IllegalArgumentException();
+
            Statement statement = connect.createStatement();
            ResultSet result = statement.executeQuery(sql);
+
            if (result.first()) {
                String password= result.getString("password_hint");
                String formatString = "Username '" + username + "' has password: %.2s%s";
@@ -361,7 +369,7 @@
        }

        Connection connect = null;
-       Statement sqlStatement = null;
+       PreparedStatement sqlStatement = null;

        try {
            // Get the Database Connection
@@ -382,9 +390,16 @@
            query.append("'" + blabName + "'");
            query.append(");");

-           sqlStatement = connect.createStatement();
-           sqlStatement.execute(query.toString());
-           logger.info(query.toString());
+
+       Set<String> whitelistBlabname = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+       if (!blabName.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistBlabname.contains(blabName))
+           throw new IllegalArgumentException();
+
+           sqlStatement = connect.prepareStatement(query.toString());
+
+           sqlStatement.execute();
+
+           logger.info(StringUtils.normalizeSpace(query.toString()));
            /* END BAD CODE */

            emailUser(username);
@@ -453,7 +468,7 @@
    {
        logger.info("Entering showProfile");

-       String username = (String) httpRequest.getSession().getAttribute("username");
+       String username = (String) StringUtils.normalizeSpace(httpRequest.getSession().getAttribute("username"));
        // Ensure user is logged in
        if (username == null) {
            logger.info("User is not Logged In - redirecting...");
@@ -502,10 +517,13 @@
            }

            // Get the users information
-           String sql = "SELECT username, real_name, blab_name FROM users WHERE username = '" + username + "'";
+           String sql = "SELECT username, real_name, blab_name FROM users WHERE username = ?";
            logger.info(sql);
            myInfo = connect.prepareStatement(sql);
+           myInfo.setString(1, username);
+
            ResultSet myInfoResults = myInfo.executeQuery();
+
            myInfoResults.next();

            // Send these values to our View
@@ -657,7 +675,7 @@
                String extension = file.getOriginalFilename().substring(file.getOriginalFilename().lastIndexOf("."));
                String path = imageDir + username + extension;

-               logger.info("Saving new profile image: " + path);
+               logger.info("Saving new profile image: " + StringEscapeUtils.escapeJava(path));

                file.transferTo(new File(path)); // will delete any existing file first
            }
@@ -693,7 +711,7 @@

        String path = context.getRealPath("/resources/images") + File.separator + imageName;

-       logger.info("Fetching profile image: " + path);
+       logger.info("Fetching profile image: " + StringUtils.normalizeSpace(path));

        InputStream inputStream = null;
        OutputStream outStream = null;
@@ -707,7 +725,7 @@
                // set to binary type if MIME mapping not found
                mimeType = "application/octet-stream";
            }
-           logger.info("MIME type: " + mimeType);
+           logger.info("MIME type: " + StringUtils.normalizeSpace(mimeType));

            // Set content attributes for the response
            response.setContentType(mimeType);
@@ -802,7 +820,7 @@
            }
        }

-       logger.info("Username: " + username + " already exists. Try again.");
+       logger.info("Username: " + StringEscapeUtils.escapeJava(username) + " already exists. Try again.");
        return true;
    }

@@ -858,7 +876,7 @@
            if (oldImage != null) {
                String extension = oldImage.substring(oldImage.lastIndexOf("."));

-               logger.info("Renaming profile image from " + oldImage + " to " + newUsername + extension);
+               logger.info("Renaming profile image from " + oldImage + " to " + StringUtils.normalizeSpace(newUsername) + extension);
                String path = context.getRealPath("/resources/images") + File.separator;

                File oldName = new File(path + oldImage);
github-actions[bot] commented 3 months ago



Scan Summary:
PIPELINE_SCAN_VERSION: 24.5.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 4dd8152c-07ac-4cc5-ba99-fd6a65fd78ae
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 938071 bytes
====================
Analysis Successful.
====================

==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war

===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war

====================
Analyzed 184 issues.
====================

details


-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------


=========================
FAILURE: Found 18 issues!
=========================

github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/9457b4f350c1f18c7e41ab720f969d4eba068907/src/main/java/com/veracode/verademo/controller/UserController.java#L248-L258

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/9457b4f350c1f18c7e41ab720f969d4eba068907/src/main/java/com/veracode/verademo/controller/UserController.java#L381-L391

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable query. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/9457b4f350c1f18c7e41ab720f969d4eba068907/src/main/java/com/veracode/verademo/controller/UserController.java#L503-L513

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.PreparedStatement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. executeQuery() was called on the myInfo object, which contains tainted data. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/9457b4f350c1f18c7e41ab720f969d4eba068907/src/main/java/com/veracode/verademo/controller/UserController.java#L246-L256

[!CAUTION] CWE: 117 Improper Output Neutralization for Logs
Severity: 3 This call to org.apache.log4j.Category.info() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The first argument to info() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP Supported Cleansers

github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/9457b4f350c1f18c7e41ab720f969d4eba068907/src/main/java/com/veracode/verademo/controller/UserController.java#L382-L392

[!CAUTION] CWE: 117 Improper Output Neutralization for Logs
Severity: 3 This call to org.apache.log4j.Category.info() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The first argument to info() contains tainted data from the variable query. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP Supported Cleansers

github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/9457b4f350c1f18c7e41ab720f969d4eba068907/src/main/java/com/veracode/verademo/controller/UserController.java#L490-L500

[!CAUTION] CWE: 117 Improper Output Neutralization for Logs
Severity: 3 This call to org.apache.log4j.Category.info() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The first argument to info() contains tainted data from the variable sqlMyEvents. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP Supported Cleansers

github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/9457b4f350c1f18c7e41ab720f969d4eba068907/src/main/java/com/veracode/verademo/controller/UserController.java#L800-L810

[!CAUTION] CWE: 117 Improper Output Neutralization for Logs
Severity: 3 This call to org.apache.log4j.Category.info() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The first argument to info() contains tainted data. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP Supported Cleansers

github-actions[bot] commented 3 months ago



Scan Summary:
PIPELINE_SCAN_VERSION: 24.6.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 1115c9ef-7b85-42d5-bcda-41520c0882a7
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 938071 bytes
====================
Analysis Successful.
====================

==========================
Found 2 Scannable modules.
==========================
verademo.war
JS files within verademo.war

===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war

====================
Analyzed 184 issues.
====================

details


-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:253
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:318
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:386
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:497
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:508
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
---------------------------------------
Skipping 119 issues of Medium severity.
---------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 17 issues of Informational severity.
---------------------------------------------


=========================
FAILURE: Found 18 issues!
=========================

github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/60893f4faeb4072741fc777e5ebbe93ae690bd73/src/main/java/com/veracode/verademo/controller/UserController.java#L248-L258

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to executeQuery() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
 import com.veracode.verademo.utils.Constants;
 import com.veracode.verademo.utils.User;
 import com.veracode.verademo.utils.UserFactory;
+import java.util.*;

 /**
  * @author johnadmin
@@ -249,8 +250,11 @@

            String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'";
            logger.info(sql);
+           Set<String> whitelistUsername = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+           if (!username.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistUsername.contains(username))
+               throw new IllegalArgumentException();
            Statement statement = connect.createStatement();
            ResultSet result = statement.executeQuery(sql);
            if (result.first()) {
                String password= result.getString("password_hint");
                String formatString = "Username '" + username + "' has password: %.2s%s";
github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/60893f4faeb4072741fc777e5ebbe93ae690bd73/src/main/java/com/veracode/verademo/controller/UserController.java#L381-L391

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.Statement.execute() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to execute() contains tainted data from the variable query. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
 import com.veracode.verademo.utils.Constants;
 import com.veracode.verademo.utils.User;
 import com.veracode.verademo.utils.UserFactory;
+import java.util.*;

 /**
  * @author johnadmin
@@ -361,7 +362,7 @@
        }

        Connection connect = null;
-       Statement sqlStatement = null;
+       PreparedStatement sqlStatement = null;

        try {
            // Get the Database Connection
@@ -382,8 +383,13 @@
            query.append("'" + blabName + "'");
            query.append(");");

-           sqlStatement = connect.createStatement();
-           sqlStatement.execute(query.toString());
+       Set<String> whitelistBlabname = new HashSet<>(Arrays.asList("item1", "item2", "item3"));
+       if (!blabName.matches("\\w+(\\s*\\.\\s*\\w+)*") && !whitelistBlabname.contains(blabName))
+           throw new IllegalArgumentException();
+
+           sqlStatement = connect.prepareStatement(query.toString());
+
+           sqlStatement.execute();
            logger.info(query.toString());
            /* END BAD CODE */
github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/60893f4faeb4072741fc777e5ebbe93ae690bd73/src/main/java/com/veracode/verademo/controller/UserController.java#L503-L513

[!CAUTION] CWE: 89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Severity: 4 This database query contains a SQL injection flaw. The call to java.sql.PreparedStatement.executeQuery() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. executeQuery() was called on the myInfo object, which contains tainted data. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -502,10 +502,11 @@
            }

            // Get the users information
-           String sql = "SELECT username, real_name, blab_name FROM users WHERE username = '" + username + "'";
+           String sql = "SELECT username, real_name, blab_name FROM users WHERE username = ?";
            logger.info(sql);
            myInfo = connect.prepareStatement(sql);
+           myInfo.setString(1, username);
            ResultSet myInfoResults = myInfo.executeQuery();
            myInfoResults.next();

            // Send these values to our View
github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/60893f4faeb4072741fc777e5ebbe93ae690bd73/src/main/java/com/veracode/verademo/controller/UserController.java#L246-L256

[!CAUTION] CWE: 117 Improper Output Neutralization for Logs
Severity: 3 This call to org.apache.log4j.Category.info() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The first argument to info() contains tainted data from the variable sql. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP Supported Cleansers

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
 import com.veracode.verademo.utils.Constants;
 import com.veracode.verademo.utils.User;
 import com.veracode.verademo.utils.UserFactory;
+import org.apache.commons.lang3.StringUtils;

 /**
  * @author johnadmin
@@ -236,7 +237,7 @@
    @ResponseBody
    public String showPasswordHint(String username)
    {
-       logger.info("Entering password-hint with username: " + username);
+       logger.info("Entering password-hint with username: " + StringUtils.normalizeSpace(username));

        if (username == null || username.isEmpty()) {
            return "No username provided, please type in your username first";
github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/60893f4faeb4072741fc777e5ebbe93ae690bd73/src/main/java/com/veracode/verademo/controller/UserController.java#L382-L392

[!CAUTION] CWE: 117 Improper Output Neutralization for Logs
Severity: 3 This call to org.apache.log4j.Category.info() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The first argument to info() contains tainted data from the variable query. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP Supported Cleansers

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
 import com.veracode.verademo.utils.Constants;
 import com.veracode.verademo.utils.User;
 import com.veracode.verademo.utils.UserFactory;
+import org.apache.commons.lang3.StringUtils;

 /**
  * @author johnadmin
@@ -384,7 +385,7 @@

            sqlStatement = connect.createStatement();
            sqlStatement.execute(query.toString());
-           logger.info(query.toString());
+           logger.info(StringUtils.normalizeSpace(query.toString()));
            /* END BAD CODE */

            emailUser(username);
github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/60893f4faeb4072741fc777e5ebbe93ae690bd73/src/main/java/com/veracode/verademo/controller/UserController.java#L490-L500

[!CAUTION] CWE: 117 Improper Output Neutralization for Logs
Severity: 3 This call to org.apache.log4j.Category.info() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The first argument to info() contains tainted data from the variable sqlMyEvents. The tainted data originated from earlier calls to AnnotationVirtualController.vc_annotation_entry, and java.sql.PreparedStatement.executeQuery. Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP Supported Cleansers

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
 import com.veracode.verademo.utils.Constants;
 import com.veracode.verademo.utils.User;
 import com.veracode.verademo.utils.UserFactory;
+import org.apache.commons.lang3.StringUtils;

 /**
  * @author johnadmin
@@ -453,7 +454,7 @@
    {
        logger.info("Entering showProfile");

-       String username = (String) httpRequest.getSession().getAttribute("username");
+       String username = (String) StringUtils.normalizeSpace(httpRequest.getSession().getAttribute("username"));
        // Ensure user is logged in
        if (username == null) {
            logger.info("User is not Logged In - redirecting...");
github-actions[bot] commented 3 months ago

[!CAUTION] Breaking Flaw identified in code!

https://github.com/julz0815/test-action/blob/60893f4faeb4072741fc777e5ebbe93ae690bd73/src/main/java/com/veracode/verademo/controller/UserController.java#L800-L810

[!CAUTION] CWE: 117 Improper Output Neutralization for Logs
Severity: 3 This call to org.apache.log4j.Category.info() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The first argument to info() contains tainted data. The tainted data originated from an earlier call to AnnotationVirtualController.vc_annotation_entry. Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP Supported Cleansers

--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,7 @@
 import com.veracode.verademo.utils.Constants;
 import com.veracode.verademo.utils.User;
 import com.veracode.verademo.utils.UserFactory;
+import org.apache.commons.text.StringEscapeUtils;

 /**
  * @author johnadmin
@@ -802,7 +803,7 @@
            }
        }

-       logger.info("Username: " + username + " already exists. Try again.");
+       logger.info("Username: " + StringEscapeUtils.escapeJava(username) + " already exists. Try again.");
        return true;
    }