PatchWork AutoFix

src/main/java/io/shiftleft/controller/AdminController.java

@@ -19,7 +19,6 @@
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 
-
 /**
  * Admin checks login
  */
@@ -31,7 +30,7 @@ public class AdminController {
   private boolean isAdmin(String auth)
   {
     try {
-      ByteArrayInputStream bis = new ByteArrayInputStream(Base64.getDecoder().decode(auth));
+      ByteArrayInputStream bis = new ByteArrayInputStream(Base64.getDecoder().decode(auth).getBytes(StandardCharsets.UTF_8));
       ObjectInputStream objectInputStream = new ObjectInputStream(bis);
       Object authToken = objectInputStream.readObject();
       return ((AuthToken) authToken).isAdmin();
@@ -47,16 +46,15 @@ public String doPostPrintSecrets(HttpServletResponse response, HttpServletReques
     return fail;
   }
 
-
   @RequestMapping(value = "/admin/printSecrets", method = RequestMethod.GET)
-  public String doGetPrintSecrets(@CookieValue(value = "auth", defaultValue = "notset") String auth, HttpServletResponse response, HttpServletRequest request) throws Exception {
+  public String doGetPrintSecrets(@CookieValue(value = "auth", defaultValue = "notset", maxAge = 1) String auth, HttpServletResponse response, HttpServletRequest request) throws Exception {
 
     if (request.getSession().getAttribute("auth") == null) {
       return fail;
     }
 
     String authToken = request.getSession().getAttribute("auth").toString();
-    if(!isAdmin(authToken)) {
+    if (!isAdmin(authToken)) {
       return fail;
     }
 
@@ -88,36 +86,32 @@ public String doPostLogin(@CookieValue(value = "auth", defaultValue = "notset")
     try {
       // no cookie no fun
       if (!auth.equals("notset")) {
-        if(isAdmin(auth)) {
-          request.getSession().setAttribute("auth",auth);
+        if (isAdmin(auth)) {
+          request.getSession().setAttribute("auth", auth);
           return succ;
         }
       }
 
       // split password=value
       String[] pass = password.split("=");
-      if(pass.length!=2) {
+      if (pass.length != 2) {
         return fail;
       }
       // compare pass
-      if(pass[1] != null && pass[1].length()>0 && pass[1].equals("shiftleftsecret"))
-      {
+      if (pass[1].equals("shiftleftsecret")) {
         AuthToken authToken = new AuthToken(AuthToken.ADMIN);
         ByteArrayOutputStream bos = new ByteArrayOutputStream();
         ObjectOutputStream oos = new ObjectOutputStream(bos);
         oos.writeObject(authToken);
         String cookieValue = new String(Base64.getEncoder().encode(bos.toByteArray()));
-        response.addCookie(new Cookie("auth", cookieValue ));
+        response.addCookie(new Cookie("auth", cookieValue).setHttpOnly(true).setSecure(true));
+        request.getSession().setAttribute("auth", cookieValue);
 
         // cookie is lost after redirection
-        request.getSession().setAttribute("auth",cookieValue);
-
         return succ;
       }
       return fail;
-    }
-    catch (Exception ex)
-    {
+    } catch (Exception ex) {
       ex.printStackTrace();
       // no succ == fail
       return fail;

src/main/java/io/shiftleft/controller/AppErrorController.java

@@ -5,12 +5,13 @@
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.context.request.RequestAttributes;
 import org.springframework.web.context.request.ServletRequestAttributes;
 import org.springframework.web.servlet.ModelAndView;
-
 import javax.servlet.http.HttpServletRequest;
 import java.util.Map;
 
@@ -40,7 +41,7 @@ public AppErrorController(ErrorAttributes errorAttributes) {
    * @param request
    * @return
    */
-  @RequestMapping(value = ERROR_PATH, produces = "text/html")
+  @GetMapping(value = ERROR_PATH, produces = "text/html")
   public ModelAndView errorHtml(HttpServletRequest request) {
     return new ModelAndView("/errors/error", getErrorAttributes(request, false));
   }
@@ -50,7 +51,7 @@ public ModelAndView errorHtml(HttpServletRequest request) {
    * @param request
    * @return
    */
-  @RequestMapping(value = ERROR_PATH)
+  @PostMapping(value = ERROR_PATH)
   @ResponseBody
   public ResponseEntity<Map<String, Object>> error(HttpServletRequest request) {
     Map<String, Object> body = getErrorAttributes(request, getTraceParameter(request));
@@ -102,4 +103,4 @@ private HttpStatus getStatus(HttpServletRequest request) {
     }
     return HttpStatus.INTERNAL_SERVER_ERROR;
   }
-}
+}

src/main/java/io/shiftleft/controller/SearchController.java

@@ -10,7 +10,6 @@
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 
-
 /**
  * Search login
  */
@@ -19,14 +18,17 @@ public class SearchController {
 
   @RequestMapping(value = "/search/user", method = RequestMethod.GET)
   public String doGetSearch(@RequestParam String foo, HttpServletResponse response, HttpServletRequest request) {
-    java.lang.Object message = new Object();
+    if (foo == null || foo.isEmpty()) {
+      return "Invalid input";
+    }
     try {
       ExpressionParser parser = new SpelExpressionParser();
       Expression exp = parser.parseExpression(foo);
-      message = (Object) exp.getValue();
+      String message = (String) exp.getValue();
+      return message;
     } catch (Exception ex) {
       System.out.println(ex.getMessage());
+      return "Error evaluating expression";
     }
-    return message.toString();
   }
 }

src/main/resources/config/application-aws.properties

@@ -1,3 +1,3 @@
-aws.accesskey=AKIAILQI6VLJU3HSCEQQ
-aws.secretkey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
-aws.bucket=mysaas/customerid/account/date
+aws.accesskey=$(echo ${AWS_ACCESS_KEY_ID})
+aws.secretkey=$(echo ${AWS_SECRET_KEY})
+aws.bucket=mysaas/${customerid}/${date}/account