From b6155b7ae6775a77fda4b2c80f51b93bc0586a15 Mon Sep 17 00:00:00 2001 From: "patched.codes[bot]" <298395+patched.codes[bot]@users.noreply.github.com> Date: Tue, 28 May 2024 12:19:43 +0800 Subject: [PATCH 1/4] Patched src/main/java/io/shiftleft/controller/AppErrorController.java --- .../java/io/shiftleft/controller/AppErrorController.java | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/main/java/io/shiftleft/controller/AppErrorController.java b/src/main/java/io/shiftleft/controller/AppErrorController.java index 68f4d669f..d4a31a94a 100644 --- a/src/main/java/io/shiftleft/controller/AppErrorController.java +++ b/src/main/java/io/shiftleft/controller/AppErrorController.java @@ -6,6 +6,7 @@ import org.springframework.http.ResponseEntity; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.context.request.RequestAttributes; import org.springframework.web.context.request.ServletRequestAttributes; @@ -40,7 +41,7 @@ public AppErrorController(ErrorAttributes errorAttributes) { * @param request * @return */ - @RequestMapping(value = ERROR_PATH, produces = "text/html") + @RequestMapping(value = ERROR_PATH, produces = "text/html", method = RequestMethod.GET) public ModelAndView errorHtml(HttpServletRequest request) { return new ModelAndView("/errors/error", getErrorAttributes(request, false)); } @@ -50,7 +51,7 @@ public ModelAndView errorHtml(HttpServletRequest request) { * @param request * @return */ - @RequestMapping(value = ERROR_PATH) + @RequestMapping(value = ERROR_PATH, method = RequestMethod.GET) @ResponseBody public ResponseEntity> error(HttpServletRequest request) { Map body = getErrorAttributes(request, getTraceParameter(request)); 
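Review bot: Restricting both `/error` mappings to `RequestMethod.GET` (the `errorHtml` and `error` hunks) is likely to break error rendering for non-GET requests, because the servlet container's error-page dispatch keeps the original HTTP method — a POST that fails is forwarded to ERROR_PATH as a POST and would now get "Request method not supported" instead of the error view, which is why Spring Boot's own BasicErrorController leaves the method unconstrained. If the intent was to stop the endpoint being called as an ordinary request, gate on the dispatch type instead, e.g. `if (request.getDispatcherType() != DispatcherType.ERROR) { return new ModelAndView("/errors/error", getErrorAttributes(request, false)); }` or simply drop the method restriction. Separately, `error()` still passes `getTraceParameter(request)` into `getErrorAttributes`; if that helper (outside this hunk) reflects a client-supplied `trace` parameter, stack traces are client-selectable and should be disabled outside a dev profile. ERROR_PATH, getErrorAttributes and getTraceParameter are defined outside the hunk, and the generic types appear stripped in this rendering (`ResponseEntity>`).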
@@ -102,4 +103,4 @@ private HttpStatus getStatus(HttpServletRequest request) { } return HttpStatus.INTERNAL_SERVER_ERROR; } -} \ No newline at end of file +} From 314ee9c329fcd82867f25d16c6a611a6e0102d09 Mon Sep 17 00:00:00 2001 From: "patched.codes[bot]" <298395+patched.codes[bot]@users.noreply.github.com> Date: Tue, 28 May 2024 12:19:43 +0800 Subject: [PATCH 2/4] Patched src/main/java/io/shiftleft/controller/AdminController.java --- .../shiftleft/controller/AdminController.java | 62 ++++++++++++++----- 1 file changed, 46 insertions(+), 16 deletions(-) diff --git a/src/main/java/io/shiftleft/controller/AdminController.java b/src/main/java/io/shiftleft/controller/AdminController.java index 296c26573..358b453ed 100644 --- a/src/main/java/io/shiftleft/controller/AdminController.java +++ b/src/main/java/io/shiftleft/controller/AdminController.java @@ -1,6 +1,8 @@ package io.shiftleft.controller; import io.shiftleft.model.AuthToken; +import javax.crypto.Mac; +import javax.crypto.spec.SecretKeySpec; import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; 
@@ -26,21 +28,46 @@ @Controller public class AdminController { private String fail = "redirect:/"; + private final String secretKey = "verySecretKey"; // Key for HMAC // helper - private boolean isAdmin(String auth) - { + private boolean isAdmin(String auth) throws Exception { try { - ByteArrayInputStream bis = new ByteArrayInputStream(Base64.getDecoder().decode(auth)); + String[] parts = auth.split("\\|"); + if (parts.length != 2) { + return false; + } + + String data = parts[0]; + String hash = parts[1]; + + if (!verifyHMAC(data, hash)) { + return false; + } + + ByteArrayInputStream bis = new ByteArrayInputStream(Base64.getDecoder().decode(data)); ObjectInputStream objectInputStream = new ObjectInputStream(bis); Object authToken = objectInputStream.readObject(); return ((AuthToken) authToken).isAdmin(); } catch (Exception ex) { - System.out.println(" cookie cannot be deserialized: "+ex.getMessage()); + System.out.println(" cookie cannot be deserialized: " + ex.getMessage()); return false; } } + private String createHMAC(String data) throws Exception { + Mac mac = Mac.getInstance("HmacSHA256"); + SecretKeySpec secretKeySpec = new SecretKeySpec(secretKey.getBytes(StandardCharsets.UTF_8), "HmacSHA256"); + mac.init(secretKeySpec); + byte[] hmacBytes = mac.doFinal(data.getBytes(StandardCharsets.UTF_8)); + return Base64.getEncoder().encodeToString(hmacBytes); + } + + private boolean verifyHMAC(String data, String hash) throws Exception { + String calculatedHash = createHMAC(data); + return calculatedHash.equals(hash); + } + // @RequestMapping(value = "/admin/printSecrets", method = RequestMethod.POST) public String doPostPrintSecrets(HttpServletResponse response, HttpServletRequest request) { @@ -56,7 +83,7 @@ public String doGetPrintSecrets(@CookieValue(value = "auth", defaultValue = "not } String authToken = request.getSession().getAttribute("auth").toString(); - if(!isAdmin(authToken)) { + if (!isAdmin(authToken)) { return fail; } 
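Review bot: The HMAC key is a string literal in the class (`private final String secretKey = "verySecretKey";`), so anyone with the source can mint a valid admin cookie and the new signature check is decorative; load it from configuration or the environment and fail fast at startup if it is unset. `verifyHMAC` compares with `String.equals`, which is not constant-time — decode both sides and use `MessageDigest.isEqual`. The signature gate is the right idea, but `isAdmin` still feeds the cookie to a bare `ObjectInputStream`, so any key leak becomes deserialization RCE; if the project targets Java 9+, add an `ObjectInputFilter` limited to `AuthToken` (and close the stream), and longer term replace Java serialization with a plain signed string. `throws Exception` on `isAdmin` is unnecessary since every exception is caught inside, and `StandardCharsets`, `MessageDigest` and `ObjectInputFilter` need imports that sit outside this hunk.
```java
private final String secretKey = requireKey(System.getenv("AUTH_HMAC_KEY")); // never a literal; requireKey throws if null/blank
// … unchanged: split on "|" and length check …
ByteArrayInputStream bis = new ByteArrayInputStream(Base64.getDecoder().decode(data));
try (ObjectInputStream objectInputStream = new ObjectInputStream(bis)) {
    // defence in depth: only the token class may be deserialized (tighten to AuthToken's field types if needed)
    objectInputStream.setObjectInputFilter(
        ObjectInputFilter.Config.createFilter("io.shiftleft.model.AuthToken;!*"));
    Object authToken = objectInputStream.readObject();
    return ((AuthToken) authToken).isAdmin();
}
// … unchanged: createHMAC …
private boolean verifyHMAC(String data, String hash) throws Exception {
    byte[] expected = Base64.getDecoder().decode(createHMAC(data));
    byte[] presented = Base64.getDecoder().decode(hash);
    return MessageDigest.isEqual(expected, presented); // constant-time
}
```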
@@ -88,36 +115,39 @@ public String doPostLogin(@CookieValue(value = "auth", defaultValue = "notset") try { // no cookie no fun if (!auth.equals("notset")) { - if(isAdmin(auth)) { - request.getSession().setAttribute("auth",auth); + if (isAdmin(auth)) { + request.getSession().setAttribute("auth", auth); return succ; } } // split password=value String[] pass = password.split("="); - if(pass.length!=2) { + if (pass.length != 2) { return fail; } // compare pass - if(pass[1] != null && pass[1].length()>0 && pass[1].equals("shiftleftsecret")) - { + if (pass[1] != null && pass[1].length() > 0 && pass[1].equals("shiftleftsecret")) { AuthToken authToken = new AuthToken(AuthToken.ADMIN); ByteArrayOutputStream bos = new ByteArrayOutputStream(); ObjectOutputStream oos = new ObjectOutputStream(bos); oos.writeObject(authToken); - String cookieValue = new String(Base64.getEncoder().encode(bos.toByteArray())); - response.addCookie(new Cookie("auth", cookieValue )); + String serializedToken = new String(Base64.getEncoder().encode(bos.toByteArray())); + String hmac = createHMAC(serializedToken); + String cookieValue = serializedToken + "|" + hmac; + + Cookie authCookie = new Cookie("auth", cookieValue); + authCookie.setHttpOnly(true); + authCookie.setSecure(true); + response.addCookie(authCookie); // cookie is lost after redirection - request.getSession().setAttribute("auth",cookieValue); + request.getSession().setAttribute("auth", cookieValue); return succ; } return fail; - } - catch (Exception ex) - { + } catch (Exception ex) { ex.printStackTrace(); // no succ == fail return fail; From 3b3ddfdfb795e556e027ddf769a012c646a946f5 Mon Sep 17 00:00:00 2001 From: "patched.codes[bot]" <298395+patched.codes[bot]@users.noreply.github.com> Date: Tue, 28 May 2024 12:19:43 +0800 Subject: [PATCH 3/4] Patched src/main/resources/config/application-aws.properties --- src/main/resources/config/application-aws.properties | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
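Review bot: The signed cookie never expires — the HMAC covers only the serialized token and the cookie is issued without `setMaxAge`/`setPath`, so a captured `auth` cookie is a permanent admin credential with no revocation short of rotating the key. Include an issued-at value in the signed data (e.g. sign `serializedToken + "|" + Instant.now().getEpochSecond()` and reject stale tokens in isAdmin) and set `authCookie.setMaxAge(...)` and `authCookie.setPath("/")`; a `SameSite` attribute would also help, which on older Servlet APIs means emitting the `Set-Cookie` header yourself. The login still compares the form value against the literal `"shiftleftsecret"`, which this commit leaves in place. Minor: `new String(Base64.getEncoder().encode(...))` uses the platform charset — `Base64.getEncoder().encodeToString(bos.toByteArray())` is the idiom — and `ex.printStackTrace()` should go through a logger. The enclosing doPostLogin starts before this hunk.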
diff --git a/src/main/resources/config/application-aws.properties b/src/main/resources/config/application-aws.properties index 6467531bd..4563e541e 100644 --- a/src/main/resources/config/application-aws.properties +++ b/src/main/resources/config/application-aws.properties @@ -1,3 +1,3 @@ -aws.accesskey=AKIAILQI6VLJU3HSCEQQ -aws.secretkey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY -aws.bucket=mysaas/customerid/account/date \ No newline at end of file +aws.accesskey=${AWS_ACCESS_KEY_ID} +aws.secretkey=${AWS_SECRET_ACCESS_KEY} +aws.bucket=mysaas/customerid/account/date From 83631d85e9a23baa34bba59924fb49aeaae0d777 Mon Sep 17 00:00:00 2001 From: "patched.codes[bot]" <298395+patched.codes[bot]@users.noreply.github.com> Date: Tue, 28 May 2024 12:19:43 +0800 Subject: [PATCH 4/4] Patched src/main/java/io/shiftleft/controller/SearchController.java --- .../shiftleft/controller/SearchController.java | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/src/main/java/io/shiftleft/controller/SearchController.java b/src/main/java/io/shiftleft/controller/SearchController.java index faa409760..f1742efb7 100644 --- a/src/main/java/io/shiftleft/controller/SearchController.java +++ b/src/main/java/io/shiftleft/controller/SearchController.java @@ -9,7 +9,7 @@ import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestParam; - +import org.apache.commons.lang3.StringEscapeUtils; /** * Search login 
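Review bot: Removing the credentials from the file does not revoke them — `AKIAILQI6VLJU3HSCEQQ` and its secret remain in git history and in every existing clone, so the key must be deactivated or rotated in IAM regardless of this change (the secret matches AWS's documentation example value, so it may be a dummy, but that should be confirmed rather than assumed). The `${AWS_ACCESS_KEY_ID}` placeholders are resolved by Spring's property resolution, so a deployment that does not export those variables will typically fail with an unresolved-placeholder error at the first `@Value` injection; consider dropping the two properties entirely and letting the AWS SDK's default credential provider chain pick up the environment or an instance role. A secret-scanning pre-commit hook would prevent a recurrence.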
@@ -21,12 +21,22 @@ public class SearchController { public String doGetSearch(@RequestParam String foo, HttpServletResponse response, HttpServletRequest request) { java.lang.Object message = new Object(); try { - ExpressionParser parser = new SpelExpressionParser(); - Expression exp = parser.parseExpression(foo); - message = (Object) exp.getValue(); + if (validateInput(foo)) { + ExpressionParser parser = new SpelExpressionParser(); + String sanitizedFoo = StringEscapeUtils.escapeSql(foo); + Expression exp = parser.parseExpression(sanitizedFoo); + message = (Object) exp.getValue(); + } else { + throw new IllegalArgumentException("Invalid input"); + } } catch (Exception ex) { System.out.println(ex.getMessage()); } return message.toString(); } + + private boolean validateInput(String input) { + // Basic validation logic; can be improved for specific use cases + return input.matches("^[a-zA-Z0-9_]*$"); + } }
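Review bot: `StringEscapeUtils.escapeSql` does not exist in commons-lang3 (it was dropped in 3.0; only the 2.x `org.apache.commons.lang` package had it), so the hunk as written will not compile — and even if it did, SQL escaping has no bearing on SpEL, whose sink here is `parser.parseExpression(...).getValue()` evaluating attacker-controlled text as code. The `^[a-zA-Z0-9_]*$` whitelist does close the injection in practice, but it also makes evaluation pointless: an identifier-only string is just a property lookup against a null root or a literal such as `true`. Either stop evaluating the parameter at all, or if expression evaluation is genuinely intended, delete the escape line and evaluate under a restricted context: `message = exp.getValue(SimpleEvaluationContext.forReadOnlyDataBinding().build());`. Note also that a rejected or empty input is swallowed by the catch-all and the method returns `new Object().toString()` (e.g. `java.lang.Object@1a2b3c`) where a 400 response is wanted, and the regex in `validateInput` should be a `static final Pattern` rather than recompiled via `String.matches` on every request.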