ALS-8001: Low risk checkmarx changes (#215)
ramari16 authored Dec 17, 2024
1 parent a485f0d commit c748ac2
Showing 2 changed files with 30 additions and 27 deletions.
Expand Up @@ -19,37 +19,39 @@ public class LoggerReaderInterceptor implements ReaderInterceptor {
public Object aroundReadFrom(ReaderInterceptorContext interceptorContext)
throws IOException, WebApplicationException {
//Capture the request body to be logged when request completes
InputStream inputStream = interceptorContext.getInputStream();
String requestContent = IOUtils.toString(inputStream, "UTF-8");

//Totally manually redact resourceCredentials from this string
String requestString = requestContent;
while (requestString.contains("resourceCredentials")){
int rcBegin = requestString.indexOf("resourceCredentials");
int startBracket = requestString.indexOf("{", rcBegin);
int bracketCount = 0;
int endBracket = -1;
for (int i = startBracket; i < requestString.length(); i++){
if (requestString.charAt(i) == '{'){
bracketCount++;
} if (requestString.charAt(i) == '}'){
bracketCount--;
}
if (bracketCount < 1){
endBracket = i;
break;
try (InputStream inputStream = interceptorContext.getInputStream()) {

String requestContent = IOUtils.toString(inputStream, "UTF-8");

//Totally manually redact resourceCredentials from this string
String requestString = requestContent;
while (requestString.contains("resourceCredentials")){
int rcBegin = requestString.indexOf("resourceCredentials");
int startBracket = requestString.indexOf("{", rcBegin);
int bracketCount = 0;
int endBracket = -1;
for (int i = startBracket; i < requestString.length(); i++){
if (requestString.charAt(i) == '{'){
bracketCount++;
} if (requestString.charAt(i) == '}'){
bracketCount--;
}
if (bracketCount < 1){
endBracket = i;
break;
}
}
requestString = requestString.substring(0, rcBegin-1) +sentinel+ requestString.substring(endBracket+1);
}
requestString = requestString.substring(0, rcBegin-1) +sentinel+ requestString.substring(endBracket+1);
}

//Put string to context for logging
interceptorContext.setProperty("requestContent", requestString);
//Put string to context for logging
interceptorContext.setProperty("requestContent", requestString);

//Return original body to the request
interceptorContext.setInputStream(new ByteArrayInputStream(requestContent.getBytes()));
//Return original body to the request
interceptorContext.setInputStream(new ByteArrayInputStream(requestContent.getBytes()));

return interceptorContext.proceed();
return interceptorContext.proceed();
}
}

}
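Review bot: The redaction loop has no guard for a body in which `resourceCredentials` is not followed by a balanced `{...}`: when `indexOf("{", rcBegin)` returns -1 the scan begins at `charAt(-1)` and throws, and when the brace never closes `endBracket` stays -1, so `substring(endBracket+1)` re-appends the whole string, the `while` condition remains true and `requestString` grows on every pass. Because the body comes from the request, the redaction should fail closed: test `startBracket < 0` before the scan and add `if (endBracket < 0) { requestString = sentinel; break; }` after it, so that nothing unredacted reaches the `requestContent` property. `substring(0, rcBegin-1)` also throws when the match is at index 0. Separately, the body is decoded as "UTF-8" but re-encoded with `requestContent.getBytes()`, which uses the platform charset; `getBytes(StandardCharsets.UTF_8)` would forward the body in the encoding it was read with.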
Expand Up @@ -4,6 +4,7 @@

import java.io.IOException;
import java.util.List;
import java.util.Locale;
import java.util.UUID;

import javax.annotation.PostConstruct;
Expand Down Expand Up @@ -88,7 +89,7 @@ public String status() {
// This because both are included in the database, but only one is actually deployed.
// if the name contains hpds and is not the default application uuid, remove it.
resourcesToTest.removeIf(
resource -> resource.getName().toLowerCase().contains("hpds") && !resource.getUuid().equals(defaultApplicationUUID)
resource -> resource.getName().toLowerCase(Locale.ENGLISH).contains("hpds") && !resource.getUuid().equals(defaultApplicationUUID)
);

// This proves the MySQL database is serving queries
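Review bot: `Locale.ROOT` is the conventional constant for locale-independent case folding and would state the intent of the `toLowerCase` call in the `removeIf` predicate more directly than `Locale.ENGLISH`: `resource.getName().toLowerCase(Locale.ROOT).contains("hpds")`; the result is the same for this comparison. The predicate also dereferences `resource.getName()` and `resource.getUuid()` without a null check; if either value can be null in the database (not visible here), the status check would throw instead of reporting, so it is worth confirming they are non-nullable. The body of `status()` starts and ends outside this hunk.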