AutoFix PR

src/main/java/io/shiftleft/controller/AdminController.java

@@ -81,17 +81,108 @@ public String doGetPrintSecrets(@CookieValue(value = "auth", defaultValue = "not
    * @return redirect to company numbers
    * @throws Exception
    */
-  @RequestMapping(value = "/admin/login", method = RequestMethod.POST)
-  public String doPostLogin(@CookieValue(value = "auth", defaultValue = "notset") String auth, @RequestBody String password, HttpServletResponse response, HttpServletRequest request) throws Exception {
-    String succ = "redirect:/admin/printSecrets";
+	@RequestMapping(value = "/admin/login", method = RequestMethod.POST)
+	public String doPostLogin(@CookieValue(value = "auth", defaultValue = "notset") String auth, @RequestBody String password, HttpServletResponse response, HttpServletRequest request) throws Exception {
+		String succ = "redirect:/admin/printSecrets";
+		String fail = "redirect:/admin/fail";
+
+		try {
+			// no cookie no fun
+			if (!auth.equals("notset")) {
+				if(isAdmin(auth)) {
+					request.getSession().setAttribute("auth",auth);
+					return succ;
+				}
+			}
+
+			// split password=value
+			String[] pass = password.split("=");
+			if(pass.length!=2) {
+				return fail;
+			}
+			// compare pass
+			if(pass[1] != null && pass[1].length()>0 && pass[1].equals("shiftleftsecret"))
+			{
+				AuthToken authToken = new AuthToken(AuthToken.ADMIN);
+				ByteArrayOutputStream bos = new ByteArrayOutputStream();
+				ObjectOutputStream oos = new ObjectOutputStream(bos);
+				oos.writeObject(authToken);
+				String cookieValue = new String(Base64.getEncoder().encode(bos.toByteArray()));
+				response.addCookie(new Cookie("auth", cookieValue ));
+
+				// cookie is lost after redirection
+				request.getSession().setAttribute("auth",cookieValue);
+
+				return succ;
+			}
+			return fail;
+		}
+		catch (Exception ex)
+		{
+			ex.printStackTrace();
+			// no succ == fail
+			return fail;
+		}
+	}
+
+	private boolean isAdmin(String auth)
+	{
+		try {
+			ByteArrayInputStream bis = new ByteArrayInputStream(Base64.getDecoder().decode(auth));
+			ObjectInputStream objectInputStream = new ObjectInputStream(bis);
+			Object authToken = objectInputStream.readObject();
+			return ((AuthToken) authToken).isAdmin();
+		} catch (Exception ex) {
+			System.out.println(" cookie cannot be deserialized: "+ex.getMessage());
+			return false;
+		}
+	}
+
+			}
+
+			// split password=value
+			String[] pass = password.split("=");
+			if(pass.length!=2) {
+				return fail;
+			}
+			// compare pass
+			if(pass[1] != null && pass[1].length()>0 && pass[1].equals("shiftleftsecret"))
+			{
+				AuthToken authToken = new AuthToken(AuthToken.ADMIN);
+				ByteArrayOutputStream bos = new ByteArrayOutputStream();
+				ObjectOutputStream oos = new ObjectOutputStream(bos);
+				oos.writeObject(authToken);
+				String cookieValue = new String(Base64.getEncoder().encode(bos.toByteArray()));
+				response.addCookie(new Cookie("auth", cookieValue ));
+
+				// cookie is lost after redirection
+				request.getSession().setAttribute("auth",cookieValue);
+
+				return succ;
+			}
+			return fail;
+		}
+		catch (Exception ex)
+		{
+			ex.printStackTrace();
+			// no succ == fail
+			return fail;
+		}
+	}
+
+	private boolean isAdmin(String auth)
+	{
+		try {
+			ByteArrayInputStream bis = new ByteArrayInputStream(Base64.getDecoder().decode(auth));
+			ObjectInputStream objectInputStream = new ObjectInputStream(bis);
+			Object authToken = objectInputStream.readObject();
+			return ((AuthToken) authToken).isAdmin();
+		} catch (Exception ex) {
+			System.out.println(" cookie cannot be deserialized: "+ex.getMessage());
+			return false;
+		}
+	}
 
-    try {
-      // no cookie no fun
-      if (!auth.equals("notset")) {
-        if(isAdmin(auth)) {
-          request.getSession().setAttribute("auth",auth);
-          return succ;
-        }
       }
 
       // split password=value
@@ -135,3 +226,5 @@ public String doGetLogin(HttpServletResponse response, HttpServletRequest reques
     return "redirect:/";
   }
 }
+
+

src/main/java/io/shiftleft/controller/CustomerController.java

@@ -216,7 +216,7 @@ public void loadSettings(HttpServletResponse httpResponse, WebRequest request) t
    * @param request
    * @throws Exception
    */
-  @RequestMapping(value = "/saveSettings", method = RequestMethod.GET)
+	@RequestMapping(value = "/saveSettings", method = RequestMethod.GET)
   public void saveSettings(HttpServletResponse httpResponse, WebRequest request) throws Exception {
     // "Settings" will be stored in a cookie
     // schema: base64(filename,value1,value2...), md5sum(base64(filename,value1,value2...))
@@ -263,6 +263,82 @@ public void saveSettings(HttpServletResponse httpResponse, WebRequest request) t
     httpResponse.getOutputStream().println("Settings Saved");
   }
 
+
+    String settingsCookie = request.getHeader("Cookie");
+    String[] cookie = settingsCookie.split(",");
+	if(cookie.length<2) {
+	  httpResponse.getOutputStream().println("Malformed cookie");
+      throw new Exception("cookie is incorrect");
+    }
+
+    String base64txt = cookie[0].replace("settings=","");
+
+    // Check md5sum
+    String cookieMD5sum = cookie[1];
+    String calcMD5Sum = DigestUtils.md5Hex(base64txt);
+	if(!cookieMD5sum.equals(calcMD5Sum))
+    {
+      httpResponse.getOutputStream().println("Wrong md5");
+      throw new Exception("Invalid MD5");
+    }
+
+    // Now we can store on filesystem
+    String[] settings = new String(Base64.getDecoder().decode(base64txt)).split(",");
+	// storage will have ClassPathResource as basepath
+    ClassPathResource cpr = new ClassPathResource("./static/");
+	  File file = new File(cpr.getPath()+settings[0]);
+    if(!file.exists()) {
+      file.getParentFile().mkdirs();
+    }
+
+    FileOutputStream fos = new FileOutputStream(file, true);
+    // First entry is the filename -> remove it
+    String[] settingsArr = Arrays.copyOfRange(settings, 1, settings.length);
+    // on setting at a linez
+    fos.write(String.join("\n",settingsArr).getBytes());
+    fos.write(("\n"+cookie[cookie.length-1]).getBytes());
+    fos.close();
+    httpResponse.getOutputStream().println("Settings Saved");
+  }
+
+
+    String settingsCookie = request.getHeader("Cookie");
+    String[] cookie = settingsCookie.split(",");
+	if(cookie.length<2) {
+	  httpResponse.getOutputStream().println("Malformed cookie");
+      throw new Exception("cookie is incorrect");
+    }
+
+    String base64txt = cookie[0].replace("settings=","");
+
+    // Check md5sum
+    String cookieMD5sum = cookie[1];
+    String calcMD5Sum = DigestUtils.md5Hex(base64txt);
+	if(!cookieMD5sum.equals(calcMD5Sum))
+    {
+      httpResponse.getOutputStream().println("Wrong md5");
+      throw new Exception("Invalid MD5");
+    }
+
+    // Now we can store on filesystem
+    String[] settings = new String(Base64.getDecoder().decode(base64txt)).split(",");
+	// storage will have ClassPathResource as basepath
+    ClassPathResource cpr = new ClassPathResource("./static/");
+	  File file = new File(cpr.getPath()+settings[0]);
+    if(!file.exists()) {
+      file.getParentFile().mkdirs();
+    }
+
+    FileOutputStream fos = new FileOutputStream(file, true);
+    // First entry is the filename -> remove it
+    String[] settingsArr = Arrays.copyOfRange(settings, 1, settings.length);
+    // on setting at a linez
+    fos.write(String.join("\n",settingsArr).getBytes());
+    fos.write(("\n"+cookie[cookie.length-1]).getBytes());
+    fos.close();
+    httpResponse.getOutputStream().println("Settings Saved");
+  }
+
   /**
    * Debug test for saving and reading a customer
    *
@@ -277,7 +353,7 @@ public void saveSettings(HttpServletResponse httpResponse, WebRequest request) t
    * @return String
    * @throws IOException
    */
-  @RequestMapping(value = "/debug", method = RequestMethod.GET)
+	@RequestMapping(value = "/debug", method = RequestMethod.GET)
   public String debug(@RequestParam String customerId,
 					  @RequestParam int clientId,
 					  @RequestParam String firstName,
@@ -303,9 +379,12 @@ ssn, socialSecurityNum, tin, phoneNumber, new Address("Debug str",
     httpResponse.setHeader("Location", String.format("%s/customers/%s",
                            request.getContextPath(), customer1.getId()));
 
-    return customer1.toString().toLowerCase().replace("script","");
+    return customer1.toString().replace("script",""); // Removed toLowerCase()
   }
 
+
+
+
 	/**
 	 * Debug test for saving and reading a customer
 	 *
@@ -388,3 +467,8 @@ public void removeCustomer(@PathVariable("customerId") Long customerId, HttpServ
 	}
 
 }
+
+
+
+
+

src/main/java/io/shiftleft/controller/SearchController.java

@@ -18,15 +18,26 @@
 public class SearchController {
 
   @RequestMapping(value = "/search/user", method = RequestMethod.GET)
-  public String doGetSearch(@RequestParam String foo, HttpServletResponse response, HttpServletRequest request) {
-    java.lang.Object message = new Object();
-    try {
-      ExpressionParser parser = new SpelExpressionParser();
-      Expression exp = parser.parseExpression(foo);
-      message = (Object) exp.getValue();
-    } catch (Exception ex) {
-      System.out.println(ex.getMessage());
-    }
-    return message.toString();
-  }
-}
+	@RequestMapping(value = "/search/user", method = RequestMethod.GET)
+	public String doGetSearch(@RequestParam String foo, HttpServletResponse response, HttpServletRequest request) {
+		try {
+			// Validate input to prevent code injection
+			if (!isValidInput(foo)) {
+				throw new IllegalArgumentException("Invalid input");
+			}
+
+			// Use of SpEL expressions requires explicit trust model configuration
+			StandardEvaluationContext context = new StandardEvaluationContext();
+			context.setVariable("request", request);
+			context.setVariable("response", response);
+
+			ExpressionParser parser = new SpelExpressionParser();
+			Expression exp = parser.parseExpression(foo);
+			return exp.getValue(context).toString();
+		} catch (Exception ex) {
+			System.out.println(ex.getMessage());
+			return null;
+		}
+	}
+
+

src/main/java/io/shiftleft/model/Customer.java

@@ -156,12 +156,22 @@ public void setAccounts(Set<Account> accounts) {
     this.accounts = accounts;
   }
 
-  @Override
+	@Override
   public String toString() {
     return "Customer [id=" + id + ", customerId=" + customerId + ", clientId=" + clientId + ", firstName=" + firstName
         + ", lastName=" + lastName + ", dateOfBirth=" + dateOfBirth + ", ssn=" + ssn + ", socialInsurancenum="
         + socialInsurancenum + ", tin=" + tin + ", phoneNumber=" + phoneNumber + ", address=" + address + ", accounts="
         + accounts + "]";
   }
 
+
+
+
+
+
 }
+
+
+
+
+