PatchWork AutoFix

src/main/java/io/shiftleft/controller/AdminController.java

@@ -1,6 +1,8 @@
 package io.shiftleft.controller;
 
 import io.shiftleft.model.AuthToken;
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
@@ -26,21 +28,46 @@
 @Controller
 public class AdminController {
   private String fail = "redirect:/";
+  private final String secretKey = "verySecretKey"; // Key for HMAC
 
   // helper
-  private boolean isAdmin(String auth)
-  {
+  private boolean isAdmin(String auth) throws Exception {
     try {
-      ByteArrayInputStream bis = new ByteArrayInputStream(Base64.getDecoder().decode(auth));
+      String[] parts = auth.split("\\|");
+      if (parts.length != 2) {
+        return false;
+      }
+
+      String data = parts[0];
+      String hash = parts[1];
+
+      if (!verifyHMAC(data, hash)) {
+        return false;
+      }
+
+      ByteArrayInputStream bis = new ByteArrayInputStream(Base64.getDecoder().decode(data));
       ObjectInputStream objectInputStream = new ObjectInputStream(bis);
       Object authToken = objectInputStream.readObject();
       return ((AuthToken) authToken).isAdmin();
     } catch (Exception ex) {
-      System.out.println(" cookie cannot be deserialized: "+ex.getMessage());
+      System.out.println(" cookie cannot be deserialized: " + ex.getMessage());
       return false;
     }
   }
 
+  private String createHMAC(String data) throws Exception {
+    Mac mac = Mac.getInstance("HmacSHA256");
+    SecretKeySpec secretKeySpec = new SecretKeySpec(secretKey.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
+    mac.init(secretKeySpec);
+    byte[] hmacBytes = mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
+    return Base64.getEncoder().encodeToString(hmacBytes);
+  }
+
+  private boolean verifyHMAC(String data, String hash) throws Exception {
+    String calculatedHash = createHMAC(data);
+    return calculatedHash.equals(hash);
+  }
+
   //
   @RequestMapping(value = "/admin/printSecrets", method = RequestMethod.POST)
   public String doPostPrintSecrets(HttpServletResponse response, HttpServletRequest request) {
@@ -56,7 +83,7 @@ public String doGetPrintSecrets(@CookieValue(value = "auth", defaultValue = "not
     }
 
     String authToken = request.getSession().getAttribute("auth").toString();
-    if(!isAdmin(authToken)) {
+    if (!isAdmin(authToken)) {
       return fail;
     }
 
@@ -88,36 +115,39 @@ public String doPostLogin(@CookieValue(value = "auth", defaultValue = "notset")
     try {
       // no cookie no fun
       if (!auth.equals("notset")) {
-        if(isAdmin(auth)) {
-          request.getSession().setAttribute("auth",auth);
+        if (isAdmin(auth)) {
+          request.getSession().setAttribute("auth", auth);
           return succ;
         }
       }
 
       // split password=value
       String[] pass = password.split("=");
-      if(pass.length!=2) {
+      if (pass.length != 2) {
         return fail;
       }
       // compare pass
-      if(pass[1] != null && pass[1].length()>0 && pass[1].equals("shiftleftsecret"))
-      {
+      if (pass[1] != null && pass[1].length() > 0 && pass[1].equals("shiftleftsecret")) {
         AuthToken authToken = new AuthToken(AuthToken.ADMIN);
         ByteArrayOutputStream bos = new ByteArrayOutputStream();
         ObjectOutputStream oos = new ObjectOutputStream(bos);
         oos.writeObject(authToken);
-        String cookieValue = new String(Base64.getEncoder().encode(bos.toByteArray()));
-        response.addCookie(new Cookie("auth", cookieValue ));
+        String serializedToken = new String(Base64.getEncoder().encode(bos.toByteArray()));
+        String hmac = createHMAC(serializedToken);
+        String cookieValue = serializedToken + "|" + hmac;
+
+        Cookie authCookie = new Cookie("auth", cookieValue);
+        authCookie.setHttpOnly(true);
+        authCookie.setSecure(true);
+        response.addCookie(authCookie);
 
         // cookie is lost after redirection
-        request.getSession().setAttribute("auth",cookieValue);
+        request.getSession().setAttribute("auth", cookieValue);
 
         return succ;
       }
       return fail;
-    }
-    catch (Exception ex)
-    {
+    } catch (Exception ex) {
       ex.printStackTrace();
       // no succ == fail
       return fail;

src/main/java/io/shiftleft/controller/AppErrorController.java

@@ -6,6 +6,7 @@
 import org.springframework.http.ResponseEntity;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.context.request.RequestAttributes;
 import org.springframework.web.context.request.ServletRequestAttributes;
@@ -40,7 +41,7 @@ public AppErrorController(ErrorAttributes errorAttributes) {
    * @param request
    * @return
    */
-  @RequestMapping(value = ERROR_PATH, produces = "text/html")
+  @RequestMapping(value = ERROR_PATH, produces = "text/html", method = RequestMethod.GET)
   public ModelAndView errorHtml(HttpServletRequest request) {
     return new ModelAndView("/errors/error", getErrorAttributes(request, false));
   }
@@ -50,7 +51,7 @@ public ModelAndView errorHtml(HttpServletRequest request) {
    * @param request
    * @return
    */
-  @RequestMapping(value = ERROR_PATH)
+  @RequestMapping(value = ERROR_PATH, method = RequestMethod.GET)
   @ResponseBody
   public ResponseEntity<Map<String, Object>> error(HttpServletRequest request) {
     Map<String, Object> body = getErrorAttributes(request, getTraceParameter(request));
@@ -102,4 +103,4 @@ private HttpStatus getStatus(HttpServletRequest request) {
     }
     return HttpStatus.INTERNAL_SERVER_ERROR;
   }
-}
+}

src/main/java/io/shiftleft/controller/SearchController.java

@@ -9,7 +9,7 @@
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
-
+import org.apache.commons.lang3.StringEscapeUtils;
 
 /**
  * Search login
@@ -21,12 +21,22 @@ public class SearchController {
   public String doGetSearch(@RequestParam String foo, HttpServletResponse response, HttpServletRequest request) {
     java.lang.Object message = new Object();
     try {
-      ExpressionParser parser = new SpelExpressionParser();
-      Expression exp = parser.parseExpression(foo);
-      message = (Object) exp.getValue();
+      if (validateInput(foo)) {
+        ExpressionParser parser = new SpelExpressionParser();
+        String sanitizedFoo = StringEscapeUtils.escapeSql(foo);
+        Expression exp = parser.parseExpression(sanitizedFoo);
+        message = (Object) exp.getValue();
+      } else {
+        throw new IllegalArgumentException("Invalid input");
+      }
     } catch (Exception ex) {
       System.out.println(ex.getMessage());
     }
     return message.toString();
   }
+
+  private boolean validateInput(String input) {
+    // Basic validation logic; can be improved for specific use cases
+    return input.matches("^[a-zA-Z0-9_]*$");
+  }
 }

src/main/resources/config/application-aws.properties

@@ -1,3 +1,3 @@
-aws.accesskey=AKIAILQI6VLJU3HSCEQQ
-aws.secretkey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
-aws.bucket=mysaas/customerid/account/date
+aws.accesskey=${AWS_ACCESS_KEY_ID}
+aws.secretkey=${AWS_SECRET_ACCESS_KEY}
+aws.bucket=mysaas/customerid/account/date