Medium Severitys Remediation

.github/workflows/main.yml

@@ -0,0 +1,21 @@
+name: Checkmarx One Scan
+on:
+  push:
+    branches:
+      - master
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Checkmarx One CLI Action
+        uses: checkmarx/ast-github-action@main #Github Action version
+        with:
+          project_name: ${{ github.repository }}
+          cx_tenant: bradesco-poc
+          base_uri: https://deu.ast.checkmarx.net/
+          cx_client_id: ${{ secrets.CANARY_OATH }}
+          cx_client_secret: ${{ secrets.CANARY_SECRET }}
+          ## additional_params: --apikey ${{ secrets.API_KEY }}
+          additional_params: --async

.vs/ProjectSettings.json

@@ -0,0 +1,3 @@
+{
+  "CurrentProjectSetting": null
+}

.vs/VSWorkspaceState.json

@@ -0,0 +1,8 @@
+{
+  "ExpandedNodes": [
+    "",
+    "\\Controllers"
+  ],
+  "SelectedNode": "\\Controllers\\UsersController.cs",
+  "PreviewInSolutionExplorer": false
+}

.vscode/settings.json

@@ -0,0 +1,5 @@
+{
+    "githubPullRequests.ignoredPullRequestBranches": [
+        "master"
+    ]
+}

Controllers/AuthorizationsController.cs

@@ -40,7 +40,8 @@ public IActionResult Post([FromBody] AuthorizationRequest authorizationRequest)
       [HttpGet("GetTokenSSO")]
       public IActionResult GetTokenSSO()
       {
-         var ssoCookieData = HttpContext.Request.Cookies["sso_ctx"];
+         //var ssoCookieData = HttpContext.Request.Cookies["sso_ctx"];
+         HttpCookie ssoCookieData = new HttpCookie(HttpContext.Request.Cookies["sso_ctx"]);
 
          if(String.IsNullOrEmpty(ssoCookieData)) {
             return Unauthorized();

Controllers/UsersController.cs

@@ -36,7 +36,8 @@ public IActionResult Put(int id, [FromBody] Models.UserUpdateRequest user)
             return BadRequest(ModelState);
          }
 
-         var existingUser = _context.Users.SingleOrDefault(m => m.ID == id);
+         //var existingUser = _context.Users.SingleOrDefault(m => m.ID == id);
+         var existingUser = _context.Users.GetById(id);
          if(existingUser == null) {
             return NotFound();
          }

Damm-Vulnerable-CSharp-API.sln

@@ -0,0 +1,25 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 17
+VisualStudioVersion = 17.5.002.0
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "dvcsharp-core-api", "dvcsharp-core-api.csproj", "{86757448-E853-40A0-8BBD-13E8B77ACB38}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Release|Any CPU = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{86757448-E853-40A0-8BBD-13E8B77ACB38}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{86757448-E853-40A0-8BBD-13E8B77ACB38}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{86757448-E853-40A0-8BBD-13E8B77ACB38}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{86757448-E853-40A0-8BBD-13E8B77ACB38}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {8305D38D-03A2-4466-B287-430247E98B83}
+	EndGlobalSection
+EndGlobal

azure-pipelines.yml

@@ -0,0 +1,28 @@
+# Starter pipeline
+
+# Start with a minimal pipeline that you can customize to build and deploy your code.
+# Add steps that build, run tests, deploy, and more:
+# https://aka.ms/yaml
+
+trigger:
+- master
+- main
+
+pool:
+  vmImage: ubuntu-latest
+
+steps:
+- script: echo Hello, world!
+  displayName: 'Run a one-line script'
+
+- script: |
+    echo Add other tasks to build, test, and deploy your project.
+    echo See https://aka.ms/yaml
+  displayName: 'Run a multi-line script'
+
+- task: Checkmarx AST@2
+  inputs:
+    CheckmarxService: 'AST-admin'
+    projectName: '$(Build.Repository.Name)'
+    branchName: '$(Build.SourceBranchName)'
+    tenantName: 'beta_nova8'

docker-compose.yml

@@ -7,4 +7,4 @@ services:
       - .:/app
     ports:
       - "5000:5000"
-
+        host: "0.0.0.0"

dvcsharp-core-api.csproj

@@ -1,30 +1,26 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
-
   <PropertyGroup>
     <TargetFramework>netcoreapp2.0</TargetFramework>
   </PropertyGroup>
-
   <ItemGroup>
     <Folder Include="wwwroot\" />
   </ItemGroup>
-
   <ItemGroup>
+    <PackageReference Include="DiscordRichPresence" Version="1.2.1.24" />
     <PackageReference Include="Microsoft.AspNetCore.All" Version="2.0.5" />
     <PackageReference Include="Microsoft.EntityFrameworkCore.Design" Version="2.0.2" />
     <PackageReference Include="Microsoft.EntityFrameworkCore.Sqlite" Version="2.0.2" />
     <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="2.0.2" />
     <PackageReference Include="Newtonsoft.Json" Version="11.0.2" />
     <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="5.2.2" />
     <PackageReference Include="System.Security.Claims" Version="4.3.0" />
+    <PackageReference Include="Anarchy-Wrapper" Version="0.6.3" />
   </ItemGroup>
-
   <ItemGroup>
     <DotNetCliToolReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Tools" Version="2.0.2" />
     <DotNetCliToolReference Include="Microsoft.EntityFrameworkCore.Tools.DotNet" Version="2.0.0" />
   </ItemGroup>
-
   <ItemGroup>
     <DotNetCliToolReference Include="Microsoft.DotNet.Watcher.Tools" Version="2.0.0" />
   </ItemGroup>
-
-</Project>
+</Project>