Skip to content

Comments

feat: Improve security and code quality#45

Open
alexandravaron wants to merge 3 commits intomainfrom
server-changes
Open

feat: Improve security and code quality#45
alexandravaron wants to merge 3 commits intomainfrom
server-changes

Conversation

@alexandravaron
Copy link

@alexandravaron alexandravaron commented Oct 28, 2025

  • Fix null pointer vulnerability in HomeServlet by adding null checks
  • Add XSS protection by implementing HTML escaping in both servlets
  • Improve error handling with proper HTTP status codes and logging
  • Add input validation and sanitization for user inputs
  • Remove empty nested loops and TODO comments
  • Add security configuration file with recommended HTTP headers
  • Enhance session security with size limits and validation
  • Update README with security improvements documentation

These changes address common security vulnerabilities while maintaining the educational value of the demo project.

github-advanced-security[bot]
github-advanced-security bot found potential problems Oct 28, 2025
View reviewed changes
src/main/java/demo/security/servlet/HomeServlet.java Outdated
response.setContentType("text/html");
PrintWriter out = response.getWriter();
out.print("<h2>Hello "+name+ "</h2>");
out.print("<h2>Hello " + escapedName + "</h2>");

Check failure

Code scanning / SonarQube

Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks

<!--SONAR_ISSUE_KEY:0f79bfe7-c1c3-45cd-8b64-c089c4e8d8b4-->Change this code to not reflect unsanitized user-controlled data. <p>See more on <a href="https://nautilus.sonarqube.org/project/issues?id=demo%3Ajava-security&branch=server-changes&issues=0f79bfe7-c1c3-45cd-8b64-c089c4e8d8b4&open=0f79bfe7-c1c3-45cd-8b64-c089c4e8d8b4">SonarQube</a></p>
src/main/java/demo/security/servlet/HomeServlet.java Outdated

// Add request validation
if (request.getContentLength() > 1024) {
response.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE,

Check notice

Code scanning / SonarQube

Exceptions should not be thrown from servlet methods

<!--SONAR_ISSUE_KEY:fde2c3fd-3b69-40ec-9d78-d70be78901e0-->Handle the following exception that could be thrown by "sendError": IOException. <p>See more on <a href="https://nautilus.sonarqube.org/project/issues?id=demo%3Ajava-security&branch=server-changes&issues=fde2c3fd-3b69-40ec-9d78-d70be78901e0&open=fde2c3fd-3b69-40ec-9d78-d70be78901e0">SonarQube</a></p>
src/main/java/demo/security/servlet/UserServlet.java Outdated

// Add input validation
if (user == null || user.trim().isEmpty()) {
response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Username parameter is required");

Check notice

Code scanning / SonarQube

Exceptions should not be thrown from servlet methods

<!--SONAR_ISSUE_KEY:15d86e48-f70f-407d-ad1e-684abc8bdcbf-->Handle the following exception that could be thrown by "sendError": IOException. <p>See more on <a href="https://nautilus.sonarqube.org/project/issues?id=demo%3Ajava-security&branch=server-changes&issues=15d86e48-f70f-407d-ad1e-684abc8bdcbf&open=15d86e48-f70f-407d-ad1e-684abc8bdcbf">SonarQube</a></p>
src/main/java/demo/security/servlet/UserServlet.java Outdated
}

if (user.length() > MAX_USERNAME_LENGTH) {
response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Username too long");

Check notice

Code scanning / SonarQube

Exceptions should not be thrown from servlet methods

<!--SONAR_ISSUE_KEY:05d842a9-fa74-4718-8305-9b174f2098dc-->Handle the following exception that could be thrown by "sendError": IOException. <p>See more on <a href="https://nautilus.sonarqube.org/project/issues?id=demo%3Ajava-security&branch=server-changes&issues=05d842a9-fa74-4718-8305-9b174f2098dc&open=05d842a9-fa74-4718-8305-9b174f2098dc">SonarQube</a></p>
src/main/java/demo/security/servlet/UserServlet.java Outdated
throw new RuntimeException(e);
// Log the error instead of throwing RuntimeException
System.err.println("Error retrieving users: " + e.getMessage());
response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Internal server error");

Check notice

Code scanning / SonarQube

Exceptions should not be thrown from servlet methods

<!--SONAR_ISSUE_KEY:5ea2b000-33a2-4a28-a549-6c527aec5064-->Handle the following exception that could be thrown by "sendError": IOException. <p>See more on <a href="https://nautilus.sonarqube.org/project/issues?id=demo%3Ajava-security&branch=server-changes&issues=5ea2b000-33a2-4a28-a549-6c527aec5064&open=5ea2b000-33a2-4a28-a549-6c527aec5064">SonarQube</a></p>
src/main/java/demo/security/servlet/UserServlet.java Outdated
SessionHeader sessionHeader = getSessionHeader(request);
if (sessionHeader == null) return;
if (sessionHeader == null) {
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid session");

Check notice

Code scanning / SonarQube

Exceptions should not be thrown from servlet methods

<!--SONAR_ISSUE_KEY:61f01dbd-6197-4fc9-a24a-cb7030fe9b4d-->Handle the following exception that could be thrown by "sendError": IOException. <p>See more on <a href="https://nautilus.sonarqube.org/project/issues?id=demo%3Ajava-security&branch=server-changes&issues=61f01dbd-6197-4fc9-a24a-cb7030fe9b4d&open=61f01dbd-6197-4fc9-a24a-cb7030fe9b4d">SonarQube</a></p>
src/main/java/demo/security/servlet/UserServlet.java Outdated

String user = sessionHeader.getUsername();
if (user == null || user.trim().isEmpty()) {
response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid username in session");

Check notice

Code scanning / SonarQube

Exceptions should not be thrown from servlet methods

<!--SONAR_ISSUE_KEY:c6c189d5-65c7-4f63-afe5-7921cec30e17-->Handle the following exception that could be thrown by "sendError": IOException. <p>See more on <a href="https://nautilus.sonarqube.org/project/issues?id=demo%3Ajava-security&branch=server-changes&issues=c6c189d5-65c7-4f63-afe5-7921cec30e17&open=c6c189d5-65c7-4f63-afe5-7921cec30e17">SonarQube</a></p>
src/main/java/demo/security/servlet/UserServlet.java Outdated
throw new RuntimeException(e);
// Log the error instead of throwing RuntimeException
System.err.println("Error retrieving users: " + e.getMessage());
response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Internal server error");

Check notice

Code scanning / SonarQube

Exceptions should not be thrown from servlet methods

<!--SONAR_ISSUE_KEY:db380efa-1ec3-455a-8ebc-93e217998601-->Handle the following exception that could be thrown by "sendError": IOException. <p>See more on <a href="https://nautilus.sonarqube.org/project/issues?id=demo%3Ajava-security&branch=server-changes&issues=db380efa-1ec3-455a-8ebc-93e217998601&open=db380efa-1ec3-455a-8ebc-93e217998601">SonarQube</a></p>
@sonar-nautilus
Copy link

sonar-nautilus bot commented Oct 28, 2025
edited
Loading

Quality Gate failed Quality Gate failed

Failed conditions
13 New issues
0.0% Coverage on New Code (required ≥ 80%)
18.3% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE SonarQube for IDE

github-advanced-security[bot]
github-advanced-security bot found potential problems Oct 28, 2025
View reviewed changes
src/main/java/demo/security/servlet/HomeServlet.java Outdated
response.setContentType("text/html");
PrintWriter out = response.getWriter();
out.print("<h2>Hello "+name+ "</h2>");
out.print("<h2>Hello " + escapedName + "</h2>");

Check failure

Code scanning / SonarQube

Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks

<!--SONAR_ISSUE_KEY:7cb987a0-f578-449f-8aa4-ba29a4bdc5d8-->Change this code to not reflect unsanitized user-controlled data. <p>See more on <a href="https://nautilus.sonarqube.org/project/issues?id=demo%3Ajava-security&pullRequest=45&issues=7cb987a0-f578-449f-8aa4-ba29a4bdc5d8&open=7cb987a0-f578-449f-8aa4-ba29a4bdc5d8">SonarQube</a></p>
src/main/java/demo/security/servlet/HomeServlet.java Outdated

// Add request validation
if (request.getContentLength() > 1024) {
response.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE,

Check notice

Code scanning / SonarQube

Exceptions should not be thrown from servlet methods

<!--SONAR_ISSUE_KEY:336161c6-6519-4a2a-a1b4-43abee823382-->Handle the following exception that could be thrown by "sendError": IOException. <p>See more on <a href="https://nautilus.sonarqube.org/project/issues?id=demo%3Ajava-security&pullRequest=45&issues=336161c6-6519-4a2a-a1b4-43abee823382&open=336161c6-6519-4a2a-a1b4-43abee823382">SonarQube</a></p>
src/main/java/demo/security/servlet/UserServlet.java Outdated

// Add input validation
if (user == null || user.trim().isEmpty()) {
response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Username parameter is required");

Check notice

Code scanning / SonarQube

Exceptions should not be thrown from servlet methods

<!--SONAR_ISSUE_KEY:bfcfb5b8-bef1-4910-83b8-d6c2157e9c89-->Handle the following exception that could be thrown by "sendError": IOException. <p>See more on <a href="https://nautilus.sonarqube.org/project/issues?id=demo%3Ajava-security&pullRequest=45&issues=bfcfb5b8-bef1-4910-83b8-d6c2157e9c89&open=bfcfb5b8-bef1-4910-83b8-d6c2157e9c89">SonarQube</a></p>
src/main/java/demo/security/servlet/UserServlet.java Outdated
}

if (user.length() > MAX_USERNAME_LENGTH) {
response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Username too long");

Check notice

Code scanning / SonarQube

Exceptions should not be thrown from servlet methods

<!--SONAR_ISSUE_KEY:3a06dcb0-50ba-4273-8bd9-6367e97236df-->Handle the following exception that could be thrown by "sendError": IOException. <p>See more on <a href="https://nautilus.sonarqube.org/project/issues?id=demo%3Ajava-security&pullRequest=45&issues=3a06dcb0-50ba-4273-8bd9-6367e97236df&open=3a06dcb0-50ba-4273-8bd9-6367e97236df">SonarQube</a></p>
src/main/java/demo/security/servlet/UserServlet.java Outdated
throw new RuntimeException(e);
// Log the error instead of throwing RuntimeException
System.err.println("Error retrieving users: " + e.getMessage());
response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Internal server error");

Check notice

Code scanning / SonarQube

Exceptions should not be thrown from servlet methods

<!--SONAR_ISSUE_KEY:dfd95620-db37-4994-8bd6-ba5e5146d065-->Handle the following exception that could be thrown by "sendError": IOException. <p>See more on <a href="https://nautilus.sonarqube.org/project/issues?id=demo%3Ajava-security&pullRequest=45&issues=dfd95620-db37-4994-8bd6-ba5e5146d065&open=dfd95620-db37-4994-8bd6-ba5e5146d065">SonarQube</a></p>
src/main/java/demo/security/servlet/UserServlet.java Outdated
SessionHeader sessionHeader = getSessionHeader(request);
if (sessionHeader == null) return;
if (sessionHeader == null) {
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid session");

Check notice

Code scanning / SonarQube

Exceptions should not be thrown from servlet methods

<!--SONAR_ISSUE_KEY:dea62db1-7641-41c4-8d94-c8b5a51b1303-->Handle the following exception that could be thrown by "sendError": IOException. <p>See more on <a href="https://nautilus.sonarqube.org/project/issues?id=demo%3Ajava-security&pullRequest=45&issues=dea62db1-7641-41c4-8d94-c8b5a51b1303&open=dea62db1-7641-41c4-8d94-c8b5a51b1303">SonarQube</a></p>
src/main/java/demo/security/servlet/UserServlet.java Outdated

String user = sessionHeader.getUsername();
if (user == null || user.trim().isEmpty()) {
response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid username in session");

Check notice

Code scanning / SonarQube

Exceptions should not be thrown from servlet methods

<!--SONAR_ISSUE_KEY:8fa074ab-5319-41b6-98b1-229b43fd59c3-->Handle the following exception that could be thrown by "sendError": IOException. <p>See more on <a href="https://nautilus.sonarqube.org/project/issues?id=demo%3Ajava-security&pullRequest=45&issues=8fa074ab-5319-41b6-98b1-229b43fd59c3&open=8fa074ab-5319-41b6-98b1-229b43fd59c3">SonarQube</a></p>
src/main/java/demo/security/servlet/UserServlet.java Outdated
throw new RuntimeException(e);
// Log the error instead of throwing RuntimeException
System.err.println("Error retrieving users: " + e.getMessage());
response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Internal server error");

Check notice

Code scanning / SonarQube

Exceptions should not be thrown from servlet methods

<!--SONAR_ISSUE_KEY:97d742e1-a3fc-4ac5-b8ad-bebce699c2c4-->Handle the following exception that could be thrown by "sendError": IOException. <p>See more on <a href="https://nautilus.sonarqube.org/project/issues?id=demo%3Ajava-security&pullRequest=45&issues=97d742e1-a3fc-4ac5-b8ad-bebce699c2c4&open=97d742e1-a3fc-4ac5-b8ad-bebce699c2c4">SonarQube</a></p>
feat: Add comprehensive SonarQube demo issues
50a3f5a 
- Add SQL injection vulnerabilities with taint analysis examples
- Include XSS vulnerabilities with unescaped user input
- Add path traversal and command injection issues
- Include security hotspots (hardcoded passwords, weak crypto)
- Add code quality issues (dead code, duplicated code, magic numbers)
- Create complex data flow examples for taint analysis demos
- Add deserialization vulnerabilities and information disclosure
- Include performance issues and code smells
- Update README with comprehensive demo guide for sales engineers

Perfect for demonstrating SonarQube's comprehensive analysis capabilities
including taint analysis, security hotspots, and code quality metrics.
root and others added 2 commits October 28, 2025 16:47
refactor: Remove verbose comments and simplify README
359ad68 
- Remove all SonarQube issue comments from servlet files
- Simplify README to basic usage instructions
- Keep vulnerabilities intact for demo purposes
- Clean up code for better readability
@cursoragent
Update UserServlet
637cb93 
Co-authored-by: Cursor <cursoragent@cursor.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@alexandravaron