PatchWork AutoFix

[CTY-git]

This pull request from patched fixes 5 issues.

---

• File changed: src/main/java/io/shiftleft/tarpit/Insider.java
  Fix hard-coded secret in getConnection method

  Replaced hard-coded credentials with environment variables to securely provide credentials.

• File changed: src/main/java/io/shiftleft/tarpit/FileUploader.java
  Fix path traversal vulnerability in FileUploader servlet

  Sanitized the file path to prevent path traversal vulnerability by retrieving the file name using FilenameUtils.getName() method from Apache Commons IO library.

• File changed: src/main/java/io/shiftleft/tarpit/OrderProcessor.java
  Fixed potential vulnerabilities in OrderProcessor servlet

  Removed hard-coded credentials from the code and refactored to securely provide the credentials using environment variables or a secure vault.

• File changed: src/main/java/io/shiftleft/tarpit/OrderStatus.java
  Fix SQL injection vulnerability in OrderStatus servlet

  Prevented SQL injection vulnerability by using a PreparedStatement to execute the SQL query safely.

• File changed: src/main/java/io/shiftleft/tarpit/ServletTarPit.java
  Fix code injection vulnerability and sensitive credential issue

  - Removed the usage of insecure DES cryptographic algorithm and updated it to use AES cipher

  • Removed hardcoding of AWS Access Key ID and SECRET Key
  • Ensured user-controlled data from the request object is properly sanitized before using it in the SQL query