From 3bfd5b264f5d9391d0a16b5773f0fa79970bac17 Mon Sep 17 00:00:00 2001
From: "patched.codes[bot]" <298395+patched.codes[bot]@users.noreply.github.com>
Date: Tue, 28 May 2024 13:15:41 +0800
Subject: [PATCH 1/4] Patched src/main/java/io/shiftleft/controller/SearchController.java
---
 src/main/java/io/shiftleft/controller/SearchController.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/main/java/io/shiftleft/controller/SearchController.java b/src/main/java/io/shiftleft/controller/SearchController.java
index faa409760..37f57a184 100644
--- a/src/main/java/io/shiftleft/controller/SearchController.java
+++ b/src/main/java/io/shiftleft/controller/SearchController.java
@@ -21,8 +21,9 @@ public class SearchController {
 public String doGetSearch(@RequestParam String foo, HttpServletResponse response, HttpServletRequest request) {
 java.lang.Object message = new Object();
 try {
+ String sanitizedFoo = foo.replaceAll("[^a-zA-Z0-9\\s]", ""); // Sanitize input
 ExpressionParser parser = new SpelExpressionParser();
- Expression exp = parser.parseExpression(foo);
+ Expression exp = parser.parseExpression(sanitizedFoo);
 message = (Object) exp.getValue();
 } catch (Exception ex) {
 System.out.println(ex.getMessage());
@@ -30,3 +31,4 @@ public String doGetSearch(@RequestParam String foo, HttpServletResponse response
 return message.toString();
 }
 }
+
From cf552919535d55fdf09596d32f9e12ef87f4a50d Mon Sep 17 00:00:00 2001
From: "patched.codes[bot]" <298395+patched.codes[bot]@users.noreply.github.com>
Date: Tue, 28 May 2024 13:15:41 +0800
Subject: [PATCH 2/4] Patched src/main/java/io/shiftleft/controller/AppErrorController.java
---
 .../java/io/shiftleft/controller/AppErrorController.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/main/java/io/shiftleft/controller/AppErrorController.java b/src/main/java/io/shiftleft/controller/AppErrorController.java
index 68f4d669f..f383ea3a5 100644
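Review bot: Stripping characters with `foo.replaceAll("[^a-zA-Z0-9\\s]", "")` does not make `parser.parseExpression(sanitizedFoo)` safe; the request parameter is still parsed and evaluated as a SpEL expression through `exp.getValue()` with no explicit evaluation context (which falls back to the full `StandardEvaluationContext`), so this is character filtering around an expression-injection sink rather than a fix. If the endpoint must evaluate expressions at all, evaluate against a restricted context, `message = exp.getValue(SimpleEvaluationContext.forReadOnlyDataBinding().build());` (import `org.springframework.expression.spel.support.SimpleEvaluationContext`), so type references, constructors and method invocation are unavailable regardless of what the filter lets through, and reject non-matching input with a 400 instead of silently rewriting it; otherwise drop the parse entirely and treat `foo` as plain data. Separately, the `catch (Exception ex)` branch still prints only `ex.getMessage()` and lets the handler return `new Object().toString()`, so a rejected or failed parse is indistinguishable from a result to the caller — pre-existing, but worth fixing while here. doGetSearch's body continues outside the hunk.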
--- a/src/main/java/io/shiftleft/controller/AppErrorController.java
+++ b/src/main/java/io/shiftleft/controller/AppErrorController.java
@@ -6,6 +6,7 @@
 import org.springframework.http.ResponseEntity;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.context.request.RequestAttributes;
 import org.springframework.web.context.request.ServletRequestAttributes;
@@ -50,7 +51,7 @@ public ModelAndView errorHtml(HttpServletRequest request) {
 * @param request
 * @return
 */
- @RequestMapping(value = ERROR_PATH)
+ @RequestMapping(value = ERROR_PATH, method = RequestMethod.GET)
 @ResponseBody
 public ResponseEntity> error(HttpServletRequest request) {
 Map body = getErrorAttributes(request, getTraceParameter(request));
@@ -102,4 +103,4 @@ private HttpStatus getStatus(HttpServletRequest request) {
 }
 return HttpStatus.INTERNAL_SERVER_ERROR;
 }
-}
\ No newline at end of file
+}
From 777f3c9829a67722d6a3ee15b781088e50c80317 Mon Sep 17 00:00:00 2001
From: "patched.codes[bot]" <298395+patched.codes[bot]@users.noreply.github.com>
Date: Tue, 28 May 2024 13:15:41 +0800
Subject: [PATCH 3/4] Patched src/main/resources/config/application-aws.properties
---
 src/main/resources/config/application-aws.properties | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/main/resources/config/application-aws.properties b/src/main/resources/config/application-aws.properties
index 6467531bd..4563e541e 100644
--- a/src/main/resources/config/application-aws.properties
+++ b/src/main/resources/config/application-aws.properties
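Review bot: Restricting `error(HttpServletRequest)` to `RequestMethod.GET` will break JSON error responses for non-GET requests: when the servlet container forwards a failed POST or PUT to `ERROR_PATH`, the forwarded request keeps the original method, which is exactly why Spring Boot's own `BasicErrorController` maps `/error` without a method restriction. The likely result is a 405 (or a nested error) in place of the error body for API clients, with little security gain, since this handler only reports an error that has already happened; I would revert to `@RequestMapping(value = ERROR_PATH)`. If the goal was to harden this endpoint, the line that matters is `getErrorAttributes(request, getTraceParameter(request))`: if `getTraceParameter` follows the Boot pattern of honouring a `trace` request parameter, any client can ask for stack traces in the response — that method is outside the hunk, so confirm it, and consider returning `false` unconditionally outside development.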
@@ -1,3 +1,3 @@
-aws.accesskey=AKIAILQI6VLJU3HSCEQQ
-aws.secretkey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
-aws.bucket=mysaas/customerid/account/date
\ No newline at end of file
+aws.accesskey=${AWS_ACCESS_KEY_ID}
+aws.secretkey=${AWS_SECRET_ACCESS_KEY}
+aws.bucket=mysaas/customerid/account/date
From 2870a9bb00c7ce9f774e793be3c2f118b2076895 Mon Sep 17 00:00:00 2001
From: "patched.codes[bot]" <298395+patched.codes[bot]@users.noreply.github.com>
Date: Tue, 28 May 2024 13:15:41 +0800
Subject: [PATCH 4/4] Patched src/main/java/io/shiftleft/controller/AdminController.java
---
 src/main/java/io/shiftleft/controller/AdminController.java | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/main/java/io/shiftleft/controller/AdminController.java b/src/main/java/io/shiftleft/controller/AdminController.java
index 296c26573..168f882ed 100644
--- a/src/main/java/io/shiftleft/controller/AdminController.java
+++ b/src/main/java/io/shiftleft/controller/AdminController.java
@@ -107,7 +107,10 @@ public String doPostLogin(@CookieValue(value = "auth", defaultValue = "notset")
 ObjectOutputStream oos = new ObjectOutputStream(bos);
 oos.writeObject(authToken);
 String cookieValue = new String(Base64.getEncoder().encode(bos.toByteArray()));
- response.addCookie(new Cookie("auth", cookieValue ));
+ Cookie cookie = new Cookie("auth", cookieValue );
+ cookie.setHttpOnly(true);
+ cookie.setSecure(true);
+ response.addCookie(cookie);
 // cookie is lost after redirection
 request.getSession().setAttribute("auth",cookieValue);
@@ -135,3 +138,4 @@ public String doGetLogin(HttpServletResponse response, HttpServletRequest reques
 return "redirect:/";
 }
 }
+
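Review bot: Swapping the literals for `${AWS_ACCESS_KEY_ID}` and `${AWS_SECRET_ACCESS_KEY}` does not unpublish the removed values; `AKIAILQI6VLJU3HSCEQQ` and its secret remain in git history (and in this patch), so they must be treated as compromised and rotated or deactivated in IAM, and any bucket access under that key should be reviewed. The secret value is AWS's documented example secret, but the access key ID is not the documented example, so rotate rather than assume it was a placeholder. Spring resolves these placeholders from environment variables and system properties and fails at injection time when they are unset, which is the right fail-closed behaviour, but the profile now needs those variables provisioned wherever it runs — worth a comment such as `# Resolved from the environment; never commit literal keys here`. Longer term, static keys in a properties file should go away in favour of the SDK's default credential provider chain (instance/task role or profile), and a pre-commit secret scanner would have caught the original commit.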
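Review bot: `cookie.setHttpOnly(true)` and `cookie.setSecure(true)` harden transport of the `auth` cookie but leave its content untouched: the value is still a Java-serialized `authToken` (`oos.writeObject(authToken)` then Base64), so whatever reads `@CookieValue("auth")` back — presumably via `ObjectInputStream`, not visible in this hunk — remains a native-deserialization sink whose bytes the client controls, and the same value is also copied into the session. The change that matters is to stop serializing objects into the cookie: issue an opaque random identifier (or a MAC'd token) and keep the token object server-side, and if deserialization must stay, install an `ObjectInputFilter` limited to the token class on the reading side. Two smaller points on the new lines: the Servlet `Cookie` API (before Servlet 6.0) cannot express `SameSite`, so consider emitting the header via Spring's `ResponseCookie` with `SameSite=Strict` and an explicit `Path`, and `setSecure(true)` makes login silently fail over plain HTTP unless TLS termination and forwarded-header handling are in place, which deserves a comment such as `// Secure: requires TLS (or trusted X-Forwarded-Proto) end to end`. doPostLogin's body starts and ends outside the hunk.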