More risks and fix bad redirection

anderruiz · anderruiz · commit 1c2295675292 · 2023-05-26T15:06:39.000+02:00
diff --git a/src/main/java/org/hdivsamples/controllers/DashboardController.java b/src/main/java/org/hdivsamples/controllers/DashboardController.java
@@ -10,15 +10,22 @@
 import java.io.ObjectOutputStream;
 import java.io.OutputStream;
 import java.net.URL;
+import java.security.InvalidKeyException;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.Principal;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.KeySpec;
 import java.util.List;
 
 import javax.crypto.BadPaddingException;
 import javax.crypto.Cipher;
 import javax.crypto.IllegalBlockSizeException;
 import javax.crypto.NoSuchPaddingException;
+import javax.crypto.SecretKey;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.DESKeySpec;
+import javax.crypto.spec.SecretKeySpec;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.io.IOUtils;
@@ -219,8 +226,28 @@ public void getMaliciousCertificate(final HttpServletResponse response, final Ac
 
 	}
 	
-	private static byte [] getCipher(byte [] data) throws IllegalBlockSizeException, BadPaddingException, NoSuchAlgorithmException, NoSuchPaddingException {
+	private static byte [] getCipher(byte [] data) throws IllegalBlockSizeException, BadPaddingException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, InvalidKeySpecException {
 		Cipher cipher = Cipher.getInstance("DES");
+		
+		byte[] keyBytes = {
+			    0x01, 0x23, 0x45, 0x67, (byte) 0x89, (byte) 0xAB, (byte) (Math.random()*0xCD), (byte) 0xEF
+			};
+		
+	    // Create a DES key specification
+	    KeySpec keySpec = new DESKeySpec(keyBytes);
+
+	    // Create a SecretKeyFactory for DES
+	    SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("DES");
+
+	    // Generate a SecretKey object
+	    SecretKey secretKey = keyFactory.generateSecret(keySpec);
+
+	    // Create a SecretKeySpec object from the SecretKey
+	    SecretKeySpec secretKeySpec = new SecretKeySpec(secretKey.getEncoded(), "DES");
+
+
+		
+		cipher.init(Cipher.ENCRYPT_MODE, secretKeySpec);
 		return cipher.doFinal(data);
 	}
 
diff --git a/src/main/java/org/hdivsamples/controllers/TransferController.java b/src/main/java/org/hdivsamples/controllers/TransferController.java
@@ -138,9 +138,14 @@ public String transferCheck(final OperationConfirm operationConfirm, final Bindi
 			return transferConfirmation(transfer, model, principal, accountType);
 		}
 		else {
-			return "redirect:/transfer";
+			return "redirect:/transfer/redirect/"+accountType;
 		}
 	}
+	
+	@RequestMapping(value = "/redirect/{accountType}", method = RequestMethod.GET)
+	public String transferRedirect() {
+		return "redirect:/transfer";
+	}
 
 	static class AccountType {
 		public static final String PERSONAL = "Personal";

Original file line number	Diff line number	Diff line change
`@@ -138,9 +138,14 @@ public String transferCheck(final OperationConfirm operationConfirm, final Bindi`
`138`	`138`	`return transferConfirmation(transfer, model, principal, accountType);`
`139`	`139`	`}`
`140`	`140`	`else {`
`141`		`- return "redirect:/transfer";`
	`141`	`+ return "redirect:/transfer/redirect/"+accountType;`
`142`	`142`	`}`
`143`	`143`	`}`
	`144`	`+`
	`145`	`+ @RequestMapping(value = "/redirect/{accountType}", method = RequestMethod.GET)`
	`146`	`+ public String transferRedirect() {`
	`147`	`+ return "redirect:/transfer";`
	`148`	`+ }`
`144`	`149`
`145`	`150`	`static class AccountType {`
`146`	`151`	`public static final String PERSONAL = "Personal";`