Conversation

@davewichers (Member)

Prepare 1st 10 test cases to merge in.

Dave Wichers and others added 4 commits April 15, 2024 13:04

@github-advanced-security github-advanced-security bot left a comment


CodeQL found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.


```java
try {
    fileName = org.owasp.benchmark.helpers.Utils.TESTFILES_DIR + param;
    fis = new java.io.FileInputStream(new java.io.File(fileName));
```

Check failure (Code scanning / CodeQL): Uncontrolled data used in path expression
This path depends on a user-provided value.
```java
try {
    fileName = org.owasp.benchmark.helpers.Utils.TESTFILES_DIR + param;

    fos = new java.io.FileOutputStream(fileName, false);
```

Check failure (Code scanning / CodeQL): Uncontrolled data used in path expression
This path depends on a user-provided value.
Comment on lines +88 to +93

```java
                "Problem getting FileInputStream: "
                        + org.owasp
                                .esapi
                                .ESAPI
                                .encoder()
                                .encodeForHTML(e.getMessage()));
```

Check warning (Code scanning / CodeQL): Information exposure through a stack trace
Error information can be exposed to an external user.
```java
byte[] iv = random.generateSeed(8); // DES requires 8 byte keys

try {
    javax.crypto.Cipher c = javax.crypto.Cipher.getInstance("DES/CBC/PKCS5Padding");
```

Check failure (Code scanning / CodeQL): Use of a broken or risky cryptographic algorithm
Cryptographic algorithm DES/CBC/PKCS5Padding is weak and should not be used.
```java
    javax.crypto.Cipher c = javax.crypto.Cipher.getInstance("DES/CBC/PKCS5Padding");

    // Prepare the cipher to encrypt
    javax.crypto.SecretKey key = javax.crypto.KeyGenerator.getInstance("DES").generateKey();
```

Check failure (Code scanning / CodeQL): Use of a broken or risky cryptographic algorithm
Cryptographic algorithm DES is weak and should not be used.
Comment on lines +101 to +107

```java
                "Sensitive value: '"
                        + org.owasp
                                .esapi
                                .ESAPI
                                .encoder()
                                .encodeForHTML(new String(input))
                        + "' encrypted and stored<br/>");
```

Check warning (Code scanning / CodeQL): Cross-site scripting
Cross-site scripting vulnerability due to a user-provided value.
Comment on lines +102 to +108

```java
                "Sensitive value '"
                        + org.owasp
                                .esapi
                                .ESAPI
                                .encoder()
                                .encodeForHTML(new String(input))
                        + "' hashed and stored<br/>");
```

Check warning (Code scanning / CodeQL): Cross-site scripting
Cross-site scripting vulnerability due to a user-provided value.
```java
}

// javax.servlet.http.HttpSession.setAttribute(java.lang.String^,java.lang.Object)
request.getSession().setAttribute(param, "10340");
```

Check failure (Code scanning / CodeQL): Trust boundary violation
This servlet reads data from a remote source and writes it to a session variable.
```java
benchmarkprops.load(
        this.getClass().getClassLoader().getResourceAsStream("benchmark.properties"));
String algorithm = benchmarkprops.getProperty("hashAlg1", "SHA512");
java.security.MessageDigest md = java.security.MessageDigest.getInstance(algorithm);
```

Check failure (Code scanning / CodeQL): Use of a potentially broken or risky cryptographic algorithm
Cryptographic algorithm MD5 may not be secure, consider using a different algorithm.
```java
response.getWriter()
        .println(
                "Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case");
e.printStackTrace(response.getWriter());
```

Check warning (Code scanning / CodeQL): Information exposure through a stack trace
Error information can be exposed to an external user.