sa-ny · github-actions · Oct 9, 2024 · Oct 9, 2024
diff --git a/test/src/main/java/com/veracode/verademo/controller/UserController.java b/test/src/main/java/com/veracode/verademo/controller/UserController.java
@@ -52,6 +52,11 @@
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.multipart.MultipartFile;
 import org.springframework.web.multipart.MultipartHttpServletRequest;
+import org.apache.commons.text.StringEscapeUtils;
+import org.owasp.encoder.Encode;
+import java.net.URLEncoder;
+import org.springframework.web.util.HtmlUtils;
+import org.apache.commons.lang3.StringUtils;
 
 /**
  * @author johnadmin
@@ -112,7 +117,7 @@ public String showLogin(
 			target = "";
 		}
 		//test
-		logger.info("Entering showLogin with username " + username + " and target " + target);
+		logger.info("Entering showLogin with username " + StringEscapeUtils.escapeJava(username) + " and target " + target);
 
 		model.addAttribute("username", username);
 		model.addAttribute("target", target);
@@ -225,33 +230,30 @@ public String processLogin(
 		}
 
 		// Redirect to the appropriate place based on login actions above tt
-		logger.info("Redirecting to view: " + nextView);
+		logger.info("Redirecting to view: " + StringUtils.normalizeSpace(nextView));
 		return nextView;
 	}
 
 	@RequestMapping(value = "/password-hint", method = RequestMethod.GET)
 	@ResponseBody
 	public String showPasswordHint(String username) {
-		logger.info("Entering password-hint with username: " + username);
-
-		if (username == null || username.isEmpty()) {
-			return "No username provided, please type in your username first";
-		}
-
-		try {
-			Class.forName("com.mysql.jdbc.Driver");
-
-			Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
-
-			String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'";
-			logger.info(sql);
-			Statement statement = connect.createStatement();
-			ResultSet result = statement.executeQuery(sql);
+		logger.info("Entering password-hint with username: " + Encode.forHtml(username));
+		    if (username == null || username.isEmpty()) {
+		        return "No username provided, please type in your username first";
+		    }
+		    try {
+		        Class.forName("com.mysql.jdbc.Driver");
+		        Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
+		        String sql = "SELECT password_hint FROM users WHERE username =?";
+		        logger.info(sql);
+		        PreparedStatement statement = connect.prepareStatement(sql);
+		        statement.setString(1, username);
+		        ResultSet result = statement.executeQuery();
 			if (result.first()) {
 				String password = result.getString("password_hint");
 				String formatString = "Username '" + username + "' has password: %.2s%s";
 				logger.info(formatString);
-				return String.format(
+				return HtmlUtils.htmlEscape(String).format(
 						formatString,
 						password,
 						String.format("%0" + (password.length() - 2) + "d", 0).replace("0", "*"));
@@ -306,8 +308,8 @@ public String processRegister(
 			Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
 
 			String sql = "SELECT username FROM users WHERE username = '" + username + "'";
-			Statement statement = connect.createStatement();
-			ResultSet result = statement.executeQuery(sql);
+			PreparedStatement statement = connect.prepareStatement(sql);
+			ResultSet result = statement.executeQuery();
 			if (result.first()) {
 				model.addAttribute("error", "Username '" + username + "' already exists!");
 				return "register";
@@ -349,30 +351,23 @@ public String processRegisterFinish(
 		}
 
 		Connection connect = null;
-		Statement sqlStatement = null;
-
+		PreparedStatement sqlStatement = null;
 		try {
-			// Get the Database Connection
-			logger.info("Creating the Database connection");
-			Class.forName("com.mysql.jdbc.Driver");
-			connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
-
-			/* START EXAMPLE VULNERABILITY */
-			// Execute the query
-			String mysqlCurrentDateTime = (new SimpleDateFormat("yyyy-MM-dd HH:mm:ss"))
-					.format(Calendar.getInstance().getTime());
-			StringBuilder query = new StringBuilder();
-			query.append("insert into users (username, password, created_at, real_name, blab_name) values(");
-			query.append("'" + username + "',");
-			query.append("'" + md5(password) + "',");
-			query.append("'" + mysqlCurrentDateTime + "',");
-			query.append("'" + realName + "',");
-			query.append("'" + blabName + "'");
-			query.append(");");
-
-			sqlStatement = connect.createStatement();
-			sqlStatement.execute(query.toString());
-			logger.info(query.toString());
+		    // Get the Database Connection
+		    logger.info("Creating the Database connection");
+		    Class.forName("com.mysql.jdbc.Driver");
+		    connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
+		    /* START EXAMPLE FIX */
+		    // Execute the query
+		    String mysqlCurrentDateTime = (new SimpleDateFormat("yyyy-MM-dd HH:mm:ss"))
+		    .format(Calendar.getInstance().getTime());
+		    StringBuilder query = new StringBuilder();
+		    query.append("insert into users (username, password, created_at, real_name, blab_name) values(");
+		    query.append("'" + username + "', ");query.append("'" + md5(password) + "', ");query.append("'" + mysqlCurrentDateTime + "', ");query.append("'" + realName + "', ");query.append("'" + blabName + "'");
+		    query.append(");");
+		    sqlStatement = connect.prepareStatement(query.toString());
+		    sqlStatement.execute();
+			logger.info(URLEncoder.encode(query.toString()));
 			/* END EXAMPLE VULNERABILITY */
 
 			emailUser(username);
@@ -435,7 +430,7 @@ public String showProfile(
 			HttpServletRequest httpRequest) {
 		logger.info("Entering showProfile");
 
-		String username = (String) httpRequest.getSession().getAttribute("username");
+		String username = (String) StringUtils.normalizeSpace(httpRequest.getSession().getAttribute("username"));
 		// Ensure user is logged in
 		if (username == null) {
 			logger.info("User is not Logged In - redirecting...");
@@ -484,9 +479,10 @@ public String showProfile(
 			}
 
 			// Get the users information
-			String sql = "SELECT username, real_name, blab_name FROM users WHERE username = '" + username + "'";
-			logger.info(sql);
+			String sql = "SELECT username, real_name, blab_name FROM users WHERE username =?";
+			logger.info(StringEscapeUtils.escapeJava(sql));
 			myInfo = connect.prepareStatement(sql);
+			myInfo.setString(1, username);
 			ResultSet myInfoResults = myInfo.executeQuery();
 			myInfoResults.next();
 
@@ -538,7 +534,7 @@ public String processProfile(
 			return "{\"message\": \"<script>alert('Error - please login');</script>\"}";
 		}
 
-		logger.info("User is Logged In - continuing... UA=" + request.getHeader("User-Agent") + " U=" + sessionUsername);
+		logger.info("User is Logged In - continuing... UA=" + StringEscapeUtils.escapeJava(request.getHeader("User-Agent")) + " U=" + sessionUsername);
 
 		String oldUsername = sessionUsername;
 
@@ -624,7 +620,7 @@ public String processProfile(
 				String extension = file.getOriginalFilename().substring(file.getOriginalFilename().lastIndexOf("."));
 				String path = imageDir + username + extension;
 
-				logger.info("Saving new profile image: " + path);
+				logger.info("Saving new profile image: " + StringUtils.normalizeSpace(path));
 
 				file.transferTo(new File(path)); // will delete any existing file first
 			} catch (IllegalStateException | IOException ex) {
@@ -654,11 +650,11 @@ public String downloadImage(
 			return Utils.redirect("login?target=profile");
 		}
 
-		logger.info("User is Logged In - continuing... UA=" + request.getHeader("User-Agent") + " U=" + sessionUsername);
+		logger.info("User is Logged In - continuing... UA=" + StringUtils.normalizeSpace(request.getHeader("User-Agent")) + " U=" + sessionUsername);
 
 		String path = context.getRealPath("/resources/images") + File.separator + imageName;
 
-		logger.info("Fetching profile image: " + path);
+		logger.info("Fetching profile image: " + StringUtils.normalizeSpace(path));
 
 		InputStream inputStream = null;
 		OutputStream outStream = null;
@@ -672,12 +668,12 @@ public String downloadImage(
 				// set to binary type if MIME mapping not found
 				mimeType = "application/octet-stream";
 			}
-			logger.info("MIME type: " + mimeType);
+			logger.info("MIME type: " + StringUtils.normalizeSpace(mimeType));
 
 			// Set content attributes for the response
-			response.setContentType(mimeType);
+			response.setContentType(URLEncoder.encode(mimeType, Charset.defaultCharset()));
 			response.setContentLength((int) downloadFile.length());
-			response.setHeader("Content-Disposition", "attachment; filename=" + imageName);
+			response.setHeader("Content-Disposition", "attachment; filename=" + URLEncoder.encode(imageName, Charset.defaultCharset()));
 
 			// get output stream of the response
 			outStream = response.getOutputStream();
@@ -757,7 +753,7 @@ private boolean usernameExists(String username) {
 			}
 		}
 
-		logger.info("Username: " + username + " already exists. Try again.");
+		logger.info("Username: " + StringEscapeUtils.escapeJava(username) + " already exists. Try again.");
 		return true;
 	}
 
@@ -811,7 +807,7 @@ private boolean updateUsername(String oldUsername, String newUsername) {
 			if (oldImage != null) {
 				String extension = oldImage.substring(oldImage.lastIndexOf("."));
 
-				logger.info("Renaming profile image from " + oldImage + " to " + newUsername + extension);
+				logger.info("Renaming profile image from " + URLEncoder.encode(oldImage.toString()) + " to " + newUsername + extension);
 				String path = context.getRealPath("/resources/images") + File.separator;
 
 				File oldName = new File(path + oldImage);