AutoFix PR

src/main/java/io/shiftleft/controller/AdminController.java

@@ -81,47 +81,51 @@ public String doGetPrintSecrets(@CookieValue(value = "auth", defaultValue = "not
    * @return redirect to company numbers
    * @throws Exception
    */
-  @RequestMapping(value = "/admin/login", method = RequestMethod.POST)
-  public String doPostLogin(@CookieValue(value = "auth", defaultValue = "notset") String auth, @RequestBody String password, HttpServletResponse response, HttpServletRequest request) throws Exception {
+@RequestMapping(value = "/admin/login", method = RequestMethod.POST)
+public String doPostLogin(@CookieValue(value = "auth", defaultValue = "notset") String auth, @RequestBody String password, HttpServletResponse response, HttpServletRequest request) throws Exception {
     String succ = "redirect:/admin/printSecrets";
+    String fail = "redirect:/admin/fail";
 
     try {
-      // no cookie no fun
-      if (!auth.equals("notset")) {
-        if(isAdmin(auth)) {
-          request.getSession().setAttribute("auth",auth);
-          return succ;
+        // no cookie no fun
+        if (!auth.equals("notset")) {
+            if(isAdmin(auth)) {
+                HttpSession session = request.getSession();
+                session.setAttribute("auth",auth);
+                return succ;
+            }
         }
-      }
 
-      // split password=value
-      String[] pass = password.split("=");
-      if(pass.length!=2) {
+        // split password=value
+        String[] pass = password.split("=");
+        if(pass.length!=2 || pass[1] == null || pass[1].length()==0) {
+            return fail;
+        }
+        // compare pass
+        if(pass[1].equals("shiftleftsecret"))
+        {
+            AuthToken authToken = new AuthToken(AuthToken.ADMIN);
+            ByteArrayOutputStream bos = new ByteArrayOutputStream();
+            ObjectOutputStream oos = new ObjectOutputStream(bos);
+            oos.writeObject(authToken);
+            String cookieValue = new String(Base64.getEncoder().encode(bos.toByteArray()));
+            response.addCookie(new Cookie("auth", cookieValue ));
+
+            HttpSession session = request.getSession();
+            session.setAttribute("auth",cookieValue);
+
+            return succ;
+        }
         return fail;
-      }
-      // compare pass
-      if(pass[1] != null && pass[1].length()>0 && pass[1].equals("shiftleftsecret"))
-      {
-        AuthToken authToken = new AuthToken(AuthToken.ADMIN);
-        ByteArrayOutputStream bos = new ByteArrayOutputStream();
-        ObjectOutputStream oos = new ObjectOutputStream(bos);
-        oos.writeObject(authToken);
-        String cookieValue = new String(Base64.getEncoder().encode(bos.toByteArray()));
-        response.addCookie(new Cookie("auth", cookieValue ));
-
-        // cookie is lost after redirection
-        request.getSession().setAttribute("auth",cookieValue);
-
-        return succ;
-      }
-      return fail;
     }
     catch (Exception ex)
     {
-      ex.printStackTrace();
-      // no succ == fail
-      return fail;
+        ex.printStackTrace();
+        // no succ == fail
+        return fail;
     }
+}
+
   }
 
   /**
@@ -135,3 +139,4 @@ public String doGetLogin(HttpServletResponse response, HttpServletRequest reques
     return "redirect:/";
   }
 }
+

src/main/java/io/shiftleft/controller/CustomerController.java

@@ -216,52 +216,58 @@ public void loadSettings(HttpServletResponse httpResponse, WebRequest request) t
    * @param request
    * @throws Exception
    */
-  @RequestMapping(value = "/saveSettings", method = RequestMethod.GET)
-  public void saveSettings(HttpServletResponse httpResponse, WebRequest request) throws Exception {
+@RequestMapping(value = "/saveSettings", method = RequestMethod.GET)
+public void saveSettings(HttpServletResponse httpResponse, WebRequest request) throws Exception {
     // "Settings" will be stored in a cookie
     // schema: base64(filename,value1,value2...), md5sum(base64(filename,value1,value2...))
 
     if (!checkCookie(request)){
-      httpResponse.getOutputStream().println("Error");
-      throw new Exception("cookie is incorrect");
+        httpResponse.getOutputStream().println("Error");
+        throw new Exception("cookie is incorrect");
     }
 
     String settingsCookie = request.getHeader("Cookie");
     String[] cookie = settingsCookie.split(",");
-	if(cookie.length<2) {
-	  httpResponse.getOutputStream().println("Malformed cookie");
-      throw new Exception("cookie is incorrect");
+    if(cookie.length<2) {
+        httpResponse.getOutputStream().println("Malformed cookie");
+        throw new Exception("cookie is incorrect");
     }
 
     String base64txt = cookie[0].replace("settings=","");
 
     // Check md5sum
     String cookieMD5sum = cookie[1];
     String calcMD5Sum = DigestUtils.md5Hex(base64txt);
-	if(!cookieMD5sum.equals(calcMD5Sum))
+    if(!cookieMD5sum.equals(calcMD5Sum))
     {
-      httpResponse.getOutputStream().println("Wrong md5");
-      throw new Exception("Invalid MD5");
+        httpResponse.getOutputStream().println("Wrong md5");
+        throw new Exception("Invalid MD5");
     }
 
     // Now we can store on filesystem
     String[] settings = new String(Base64.getDecoder().decode(base64txt)).split(",");
-	// storage will have ClassPathResource as basepath
+    // storage will have ClassPathResource as basepath
     ClassPathResource cpr = new ClassPathResource("./static/");
-	  File file = new File(cpr.getPath()+settings[0]);
+    File file = new File(cpr.getPath()+settings[0]);
     if(!file.exists()) {
-      file.getParentFile().mkdirs();
+        file.getParentFile().mkdirs();
     }
 
-    FileOutputStream fos = new FileOutputStream(file, true);
-    // First entry is the filename -> remove it
-    String[] settingsArr = Arrays.copyOfRange(settings, 1, settings.length);
-    // on setting at a linez
-    fos.write(String.join("\n",settingsArr).getBytes());
-    fos.write(("\n"+cookie[cookie.length-1]).getBytes());
-    fos.close();
+    try (FileOutputStream fos = new FileOutputStream(file, false)) { // Open file with false to overwrite
+        // First entry is the filename -> remove it
+        String[] settingsArr = Arrays.copyOfRange(settings, 1, settings.length);
+        // on setting at a line
+        fos.write(String.join("\n",settingsArr).getBytes());
+        fos.write(("\n"+cookie[cookie.length-1]).getBytes());
+    } catch (IOException e) {
+        throw new Exception("Failed to write to file", e);
+    }
     httpResponse.getOutputStream().println("Settings Saved");
-  }
+}
+
+    httpResponse.getOutputStream().println("Settings Saved");
+}
+
 
   /**
    * Debug test for saving and reading a customer
@@ -388,3 +394,5 @@ public void removeCustomer(@PathVariable("customerId") Long customerId, HttpServ
 	}
 
 }
+
+

src/main/java/io/shiftleft/controller/SearchController.java

@@ -17,16 +17,21 @@
 @Controller
 public class SearchController {
 
-  @RequestMapping(value = "/search/user", method = RequestMethod.GET)
-  public String doGetSearch(@RequestParam String foo, HttpServletResponse response, HttpServletRequest request) {
+@RequestMapping(value = "/search/user", method = RequestMethod.GET)
+@Secured("ROLE_USER")
+public String doGetSearch(@RequestParam String foo, HttpServletResponse response, HttpServletRequest request) {
     java.lang.Object message = new Object();
     try {
-      ExpressionParser parser = new SpelExpressionParser();
-      Expression exp = parser.parseExpression(foo);
-      message = (Object) exp.getValue();
+        ExpressionParser parser = new SpelExpressionParser();
+        Expression exp = parser.parseExpression(foo);
+        message = (Object) exp.getValue();
     } catch (Exception ex) {
-      System.out.println(ex.getMessage());
+        logger.error(ex.getMessage());
     }
+    return message.toString();
+}
+
     return message.toString();
   }
 }
+