Test1 #3
Drop test cases that were already there so I can add them through a PR
CodeQL found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.
GitHub AdvSec autofix will trigger.
|
||
try { | ||
fileName = org.owasp.benchmark.helpers.Utils.TESTFILES_DIR + param; | ||
fis = new java.io.FileInputStream(new java.io.File(fileName)); |
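Review bot: `param` is appended straight onto the directory on `fileName = org.owasp.benchmark.helpers.Utils.TESTFILES_DIR + param;`, so a value containing `..` segments resolves to a file outside the test-files directory before `new java.io.FileInputStream(new java.io.File(fileName))` opens it. Since this PR is adding benchmark test cases, say in the description whether this one is the intended true positive; if it is meant to be the safe variant, canonicalize the result (`new File(fileName).getCanonicalPath()`) and reject it unless it starts with the canonical `TESTFILES_DIR`, or restrict `param` to an allowlist of plain file names.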
Check failure
Code scanning / CodeQL
Uncontrolled data used in path expression
try { | ||
fileName = org.owasp.benchmark.helpers.Utils.TESTFILES_DIR + param; | ||
|
||
fos = new java.io.FileOutputStream(fileName, false); |
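Review bot: the write path repeats the unchecked concatenation from the read above, and `new java.io.FileOutputStream(fileName, false)` truncates whatever file `param` resolves to, so the consequence here is overwrite rather than disclosure. The same canonical-path prefix check applies; if a non-vulnerable variant is wanted, validate the path once and reuse the checked value for both the read and the write.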
Check failure
Code scanning / CodeQL
Uncontrolled data used in path expression
"Problem getting FileInputStream: " | ||
+ org.owasp | ||
.esapi | ||
.ESAPI | ||
.encoder() | ||
.encodeForHTML(e.getMessage())); |
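Review bot: `encodeForHTML(e.getMessage())` handles the HTML context but not the content of the message: for a `FileNotFoundException` the message carries the resolved path, so the response still reveals `TESTFILES_DIR` and the file name that was tried. Log the exception server-side and return the fixed string "Problem getting FileInputStream" without appending the message.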
Check warning
Code scanning / CodeQL
Information exposure through a stack trace
byte[] iv = random.generateSeed(8); // DES requires 8 byte keys | ||
|
||
try { | ||
javax.crypto.Cipher c = javax.crypto.Cipher.getInstance("DES/CBC/PKCS5Padding"); |
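Review bot: DES has a 56-bit effective key, which is why `javax.crypto.Cipher.getInstance("DES/CBC/PKCS5Padding")` is flagged; for anything other than a deliberate true-positive case use `AES/GCM/NoPadding` with a fresh 12-byte nonce per message. Two smaller points on `byte[] iv = random.generateSeed(8); // DES requires 8 byte keys`: the comment talks about keys while the variable is the IV (8 bytes because that is DES's block size), and `generateSeed` is meant for seeding other generators, so `random.nextBytes(iv)` is the call to use for an IV.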
Check failure
Code scanning / CodeQL
Use of a broken or risky cryptographic algorithm
javax.crypto.Cipher c = javax.crypto.Cipher.getInstance("DES/CBC/PKCS5Padding"); | ||
|
||
// Prepare the cipher to encrypt | ||
javax.crypto.SecretKey key = javax.crypto.KeyGenerator.getInstance("DES").generateKey(); |
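Review bot: `javax.crypto.KeyGenerator.getInstance("DES").generateKey()` is the second half of the algorithm choice flagged on the `Cipher.getInstance` line above; if the cipher is moved to AES, this line has to change with it to `KeyGenerator.getInstance("AES")` with a matching key size, otherwise the generated 8-byte key will not be accepted by the cipher.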
Check failure
Code scanning / CodeQL
Use of a broken or risky cryptographic algorithm
"Sensitive value: '" | ||
+ org.owasp | ||
.esapi | ||
.ESAPI | ||
.encoder() | ||
.encodeForHTML(new String(input)) | ||
+ "' encrypted and stored<br/>"); |
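Review bot: the reflected value goes through `.encodeForHTML(new String(input))` before it reaches the writer, which covers the HTML-body context the alert names; the remaining problem is what is reflected rather than how: the message prints the plaintext of a value the code itself labels "Sensitive value", which puts the secret into the response body and anything that records it (browser cache, proxy logs). Confirm that encryption happened without echoing the input.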
Check warning
Code scanning / CodeQL
Cross-site scripting
"Sensitive value '" | ||
+ org.owasp | ||
.esapi | ||
.ESAPI | ||
.encoder() | ||
.encodeForHTML(new String(input)) | ||
+ "' hashed and stored<br/>"); |
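Review bot: same pattern as the encrypt case: `new String(input)` is written back to the client next to "hashed and stored", so the plaintext that was just hashed leaves the server anyway. Report success without the value; if a test case needs something reflected, a fixed placeholder serves the purpose.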
Check warning
Code scanning / CodeQL
Cross-site scripting
} | ||
|
||
// javax.servlet.http.HttpSession.setAttribute(java.lang.String^,java.lang.Object) | ||
request.getSession().setAttribute(param, "10340"); |
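Review bot: `request.getSession().setAttribute(param, "10340")` lets the request choose the session attribute name, so any attribute the application relies on (for example one holding authentication or role state) can be created or overwritten with "10340" from the client side; that is the trust boundary violation CodeQL reports. Validate `param` against a fixed list of permitted attribute names before the call, or use a constant name here.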
Check failure
Code scanning / CodeQL
Trust boundary violation
benchmarkprops.load( | ||
this.getClass().getClassLoader().getResourceAsStream("benchmark.properties")); | ||
String algorithm = benchmarkprops.getProperty("hashAlg1", "SHA512"); | ||
java.security.MessageDigest md = java.security.MessageDigest.getInstance(algorithm); |
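Review bot: the digest is selected at run time from `benchmarkprops.getProperty("hashAlg1", "SHA512")`, so the algorithm is whatever `benchmark.properties` says, and an entry such as `hashAlg1=MD5` would be accepted by `java.security.MessageDigest.getInstance(algorithm)` without error; that indirection is why CodeQL reports it as potentially weak even though the default is SHA-512. Either hard-code "SHA-512" or check the property value against an allowlist (SHA-256, SHA-512) before the `getInstance` call.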
Check failure
Code scanning / CodeQL
Use of a potentially broken or risky cryptographic algorithm
response.getWriter() | ||
.println( | ||
"Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case"); | ||
e.printStackTrace(response.getWriter()); |
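Review bot: `e.printStackTrace(response.getWriter())` writes the full trace (class names, line numbers, library frames) into the HTTP response, which is the stack-trace exposure CodeQL reports. Log the exception through the server-side logger and leave only the fixed "Problem executing crypto" line in the response.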
Check warning
Code scanning / CodeQL
Information exposure through a stack trace
Prepare 1st 10 test cases to merge in.