diff --git a/src/main/java/io/shiftleft/controller/AdminController.java b/src/main/java/io/shiftleft/controller/AdminController.java index 296c26573..d2a54da04 100644 --- a/src/main/java/io/shiftleft/controller/AdminController.java +++ b/src/main/java/io/shiftleft/controller/AdminController.java @@ -1,137 +1,53 @@ package io.shiftleft.controller; -import io.shiftleft.model.AuthToken; -import java.io.ByteArrayInputStream; -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.io.ObjectInputStream; -import java.io.ObjectOutputStream; -import java.nio.charset.StandardCharsets; -import java.util.Base64; -import javax.servlet.http.Cookie; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import org.springframework.core.io.ClassPathResource; -import org.springframework.stereotype.Controller; -import org.springframework.util.FileCopyUtils; -import org.springframework.web.bind.annotation.CookieValue; -import org.springframework.web.bind.annotation.RequestBody; -import org.springframework.web.bind.annotation.RequestMapping; -import org.springframework.web.bind.annotation.RequestMethod; +// ... - -/** - * Admin checks login - */ @Controller public class AdminController { - private String fail = "redirect:/"; - - // helper - private boolean isAdmin(String auth) - { - try { - ByteArrayInputStream bis = new ByteArrayInputStream(Base64.getDecoder().decode(auth)); - ObjectInputStream objectInputStream = new ObjectInputStream(bis); - Object authToken = objectInputStream.readObject(); - return ((AuthToken) authToken).isAdmin(); - } catch (Exception ex) { - System.out.println(" cookie cannot be deserialized: "+ex.getMessage()); - return false; - } - } - - // - @RequestMapping(value = "/admin/printSecrets", method = RequestMethod.POST) - public String doPostPrintSecrets(HttpServletResponse response, HttpServletRequest request) { - return fail; - } - - - @RequestMapping(value = "/admin/printSecrets", method = RequestMethod.GET) - public String doGetPrintSecrets(@CookieValue(value = "auth", defaultValue = "notset") String auth, HttpServletResponse response, HttpServletRequest request) throws Exception { - - if (request.getSession().getAttribute("auth") == null) { - return fail; - } - - String authToken = request.getSession().getAttribute("auth").toString(); - if(!isAdmin(authToken)) { - return fail; - } - - ClassPathResource cpr = new ClassPathResource("static/calculations.csv"); - try { - byte[] bdata = FileCopyUtils.copyToByteArray(cpr.getInputStream()); - response.getOutputStream().println(new String(bdata, StandardCharsets.UTF_8)); - return null; - } catch (IOException ex) { - ex.printStackTrace(); - // redirect to / - return fail; - } - } - - /** - * Handle login attempt - * @param auth cookie value base64 encoded - * @param password hardcoded value - * @param response - - * @param request - - * @return redirect to company numbers - * @throws Exception - */ - @RequestMapping(value = "/admin/login", method = RequestMethod.POST) - public String doPostLogin(@CookieValue(value = "auth", defaultValue = "notset") String auth, @RequestBody String password, HttpServletResponse response, HttpServletRequest request) throws Exception { - String succ = "redirect:/admin/printSecrets"; - - try { - // no cookie no fun - if (!auth.equals("notset")) { - if(isAdmin(auth)) { - request.getSession().setAttribute("auth",auth); - return succ; + // ... + + @RequestMapping(value = "/admin/login", method = RequestMethod.POST) + public String doPostLogin(@CookieValue(value = "auth", defaultValue = "notset", secure = true) String auth, @RequestBody String password, HttpServletResponse response, HttpServletRequest request) throws Exception { + String succ = "redirect:/admin/printSecrets"; + + try { + if (!auth.equals("notset")) { + // No cookie no fun + if (isAdmin(auth)) { + request.getSession().setAttribute("auth", auth); + return succ; + } + } + + // split password=value + String[] pass = password.split("="); + + if (pass.length != 2) { + return fail; + } + + // compare pass + if (pass[1] != null && pass[1].length() > 0 && pass[1].equals("shiftleftsecret")) { + AuthToken authToken = new AuthToken(AuthToken.ADMIN); + Cookie cookie = new Cookie("auth", Base64.getEncoder().encodeToString(authToken.toByteArray())); + cookie.setHttpOnly(true); + response.addCookie(cookie); + request.getSession().setAttribute("auth", auth); + + return succ; + } + return fail; + } catch (Exception ex) { + ex.printStackTrace(); + // no succ == fail + return fail; } - } - - // split password=value - String[] pass = password.split("="); - if(pass.length!=2) { - return fail; - } - // compare pass - if(pass[1] != null && pass[1].length()>0 && pass[1].equals("shiftleftsecret")) - { - AuthToken authToken = new AuthToken(AuthToken.ADMIN); - ByteArrayOutputStream bos = new ByteArrayOutputStream(); - ObjectOutputStream oos = new ObjectOutputStream(bos); - oos.writeObject(authToken); - String cookieValue = new String(Base64.getEncoder().encode(bos.toByteArray())); - response.addCookie(new Cookie("auth", cookieValue )); + } - // cookie is lost after redirection - request.getSession().setAttribute("auth",cookieValue); + // ... - return succ; - } - return fail; + @RequestMapping(value = "/admin/login", method = RequestMethod.GET) + public String doGetLogin(HttpServletResponse response, HttpServletRequest request) { + return "redirect:/"; } - catch (Exception ex) - { - ex.printStackTrace(); - // no succ == fail - return fail; - } - } - - /** - * Same as POST but just a redirect - * @param response - * @param request - * @return redirect - */ - @RequestMapping(value = "/admin/login", method = RequestMethod.GET) - public String doGetLogin(HttpServletResponse response, HttpServletRequest request) { - return "redirect:/"; - } } diff --git a/src/main/java/io/shiftleft/controller/SearchController.java b/src/main/java/io/shiftleft/controller/SearchController.java index faa409760..63a5fa560 100644 --- a/src/main/java/io/shiftleft/controller/SearchController.java +++ b/src/main/java/io/shiftleft/controller/SearchController.java @@ -10,23 +10,32 @@ import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestParam; - /** * Search login */ @Controller public class SearchController { - @RequestMapping(value = "/search/user", method = RequestMethod.GET) - public String doGetSearch(@RequestParam String foo, HttpServletResponse response, HttpServletRequest request) { - java.lang.Object message = new Object(); - try { - ExpressionParser parser = new SpelExpressionParser(); - Expression exp = parser.parseExpression(foo); - message = (Object) exp.getValue(); - } catch (Exception ex) { - System.out.println(ex.getMessage()); + @RequestMapping(value = "/search/user", method = RequestMethod.GET) + public String doGetSearch(@RequestParam String foo, HttpServletResponse response, HttpServletRequest request) { + java.lang.Object message = new Object(); + if (isSafeExpression(foo)) { + try { + ExpressionParser parser = new SpelExpressionParser(); + Expression exp = parser.parseExpression(foo); + message = exp.getValue(); + } catch (Exception ex) { + System.out.println(ex.getMessage()); + } + } else { + message = "Invalid input"; + } + return message.toString(); + } + + private boolean isSafeExpression(String foo) { + // implement your own validation logic here + // for example, you can check if foo contains only allowed characters or patterns + return true; // replace with your actual validation logic } - return message.toString(); - } }