patched-codes · CTY-git · May 28, 2024 · May 28, 2024 · May 28, 2024 · May 28, 2024
diff --git a/src/main/java/io/shiftleft/controller/AdminController.java b/src/main/java/io/shiftleft/controller/AdminController.java
@@ -107,7 +107,10 @@ public String doPostLogin(@CookieValue(value = "auth", defaultValue = "notset")
         ObjectOutputStream oos = new ObjectOutputStream(bos);
         oos.writeObject(authToken);
         String cookieValue = new String(Base64.getEncoder().encode(bos.toByteArray()));
-        response.addCookie(new Cookie("auth", cookieValue ));
+        Cookie cookie = new Cookie("auth", cookieValue );
+        cookie.setHttpOnly(true);
+        cookie.setSecure(true);
+        response.addCookie(cookie);
 
         // cookie is lost after redirection
         request.getSession().setAttribute("auth",cookieValue);
@@ -135,3 +138,4 @@ public String doGetLogin(HttpServletResponse response, HttpServletRequest reques
     return "redirect:/";
   }
 }
+
diff --git a/src/main/java/io/shiftleft/controller/AppErrorController.java b/src/main/java/io/shiftleft/controller/AppErrorController.java
@@ -6,6 +6,7 @@
 import org.springframework.http.ResponseEntity;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.context.request.RequestAttributes;
 import org.springframework.web.context.request.ServletRequestAttributes;
@@ -50,7 +51,7 @@ public ModelAndView errorHtml(HttpServletRequest request) {
    * @param request
    * @return
    */
-  @RequestMapping(value = ERROR_PATH)
+  @RequestMapping(value = ERROR_PATH, method = RequestMethod.GET)
   @ResponseBody
   public ResponseEntity<Map<String, Object>> error(HttpServletRequest request) {
     Map<String, Object> body = getErrorAttributes(request, getTraceParameter(request));
@@ -102,4 +103,4 @@ private HttpStatus getStatus(HttpServletRequest request) {
     }
     return HttpStatus.INTERNAL_SERVER_ERROR;
   }
-}
+}
diff --git a/src/main/java/io/shiftleft/controller/SearchController.java b/src/main/java/io/shiftleft/controller/SearchController.java
@@ -21,12 +21,14 @@ public class SearchController {
   public String doGetSearch(@RequestParam String foo, HttpServletResponse response, HttpServletRequest request) {
     java.lang.Object message = new Object();
     try {
+      String sanitizedFoo = foo.replaceAll("[^a-zA-Z0-9\\s]", ""); // Sanitize input
       ExpressionParser parser = new SpelExpressionParser();
-      Expression exp = parser.parseExpression(foo);
+      Expression exp = parser.parseExpression(sanitizedFoo);
       message = (Object) exp.getValue();
     } catch (Exception ex) {
       System.out.println(ex.getMessage());
     }
     return message.toString();
   }
 }
+
diff --git a/src/main/resources/config/application-aws.properties b/src/main/resources/config/application-aws.properties
@@ -1,3 +1,3 @@
-aws.accesskey=AKIAILQI6VLJU3HSCEQQ
-aws.secretkey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
-aws.bucket=mysaas/customerid/account/date
+aws.accesskey=${AWS_ACCESS_KEY_ID}
+aws.secretkey=${AWS_SECRET_ACCESS_KEY}
+aws.bucket=mysaas/customerid/account/date