Skip to content

Test1 #3

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Test1 #3

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
d4794f6
Change 1 test case and add 5 more.
Apr 15, 2024
882cca3
Undo change to test case 5.
davewichers Apr 15, 2024
568cccd
Merge pull request #2 from aspectsecurity/main
davewichers Apr 15, 2024
c4671c6
Add 1st 5 test cases.
davewichers Apr 15, 2024
dc3ac46
Remove 5 test cases so there will be under 20 issues, so hopefully
davewichers Apr 29, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
105 changes: 105 additions & 0 deletions src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,105 @@
/**
* OWASP Benchmark v1.2
*
* <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
* details, please see <a
* href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
*
* <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
* of the GNU General Public License as published by the Free Software Foundation, version 2.
*
* <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
* WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
* PURPOSE. See the GNU General Public License for more details.
*
* @author Dave Wichers
* @created 2015
*/
package org.owasp.benchmark.testcode;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet(value = "/pathtraver-00/BenchmarkTest00001")
public class BenchmarkTest00001 extends HttpServlet {

private static final long serialVersionUID = 1L;

@Override
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html;charset=UTF-8");
javax.servlet.http.Cookie userCookie =
new javax.servlet.http.Cookie("BenchmarkTest00001", "FileName");
userCookie.setMaxAge(60 * 3); // Store cookie for 3 minutes
userCookie.setSecure(true);
userCookie.setPath(request.getRequestURI());
userCookie.setDomain(new java.net.URL(request.getRequestURL().toString()).getHost());
response.addCookie(userCookie);
javax.servlet.RequestDispatcher rd =
request.getRequestDispatcher("/pathtraver-00/BenchmarkTest00001.html");
rd.include(request, response);
}

@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
// some code
response.setContentType("text/html;charset=UTF-8");

javax.servlet.http.Cookie[] theCookies = request.getCookies();

String param = "noCookieValueSupplied";
if (theCookies != null) {
for (javax.servlet.http.Cookie theCookie : theCookies) {
if (theCookie.getName().equals("BenchmarkTest00001")) {
param = java.net.URLDecoder.decode(theCookie.getValue(), "UTF-8");
break;
}
}
}

String fileName = null;
java.io.FileInputStream fis = null;

try {
fileName = org.owasp.benchmark.helpers.Utils.TESTFILES_DIR + param;
fis = new java.io.FileInputStream(new java.io.File(fileName));

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression

This path depends on a [user-provided value](1).
byte[] b = new byte[1000];
int size = fis.read(b);
response.getWriter()
.println(
"The beginning of file: '"
+ org.owasp.esapi.ESAPI.encoder().encodeForHTML(fileName)
+ "' is:\n\n"
+ org.owasp
.esapi
.ESAPI
.encoder()
.encodeForHTML(new String(b, 0, size)));
Comment on lines +76 to +83

Check warning

Code scanning / CodeQL

Cross-site scripting

Cross-site scripting vulnerability due to a [user-provided value](1).
} catch (Exception e) {
System.out.println("Couldn't open FileInputStream on file: '" + fileName + "'");
response.getWriter()
.println(
"Problem getting FileInputStream: "
+ org.owasp
.esapi
.ESAPI
.encoder()
.encodeForHTML(e.getMessage()));
Comment on lines +88 to +93

Check warning

Code scanning / CodeQL

Information exposure through a stack trace

[Error information](1) can be exposed to an external user.
} finally {
if (fis != null) {
try {
fis.close();
fis = null;
} catch (Exception e) {
// we tried...
}
}
}
}
}
92 changes: 92 additions & 0 deletions src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00002.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,92 @@
/**
* OWASP Benchmark v1.2
*
* <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
* details, please see <a
* href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
*
* <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
* of the GNU General Public License as published by the Free Software Foundation, version 2.
*
* <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
* WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
* PURPOSE. See the GNU General Public License for more details.
*
* @author Dave Wichers
* @created 2015
*/
package org.owasp.benchmark.testcode;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet(value = "/pathtraver-00/BenchmarkTest00002")
public class BenchmarkTest00002 extends HttpServlet {

private static final long serialVersionUID = 1L;

@Override
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html;charset=UTF-8");
javax.servlet.http.Cookie userCookie =
new javax.servlet.http.Cookie("BenchmarkTest00002", "FileName");
userCookie.setMaxAge(60 * 3); // Store cookie for 3 minutes
userCookie.setSecure(true);
userCookie.setPath(request.getRequestURI());
userCookie.setDomain(new java.net.URL(request.getRequestURL().toString()).getHost());
response.addCookie(userCookie);
javax.servlet.RequestDispatcher rd =
request.getRequestDispatcher("/pathtraver-00/BenchmarkTest00002.html");
rd.include(request, response);
}

@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
// some code
response.setContentType("text/html;charset=UTF-8");

javax.servlet.http.Cookie[] theCookies = request.getCookies();

String param = "noCookieValueSupplied";
if (theCookies != null) {
for (javax.servlet.http.Cookie theCookie : theCookies) {
if (theCookie.getName().equals("BenchmarkTest00002")) {
param = java.net.URLDecoder.decode(theCookie.getValue(), "UTF-8");
break;
}
}
}

String fileName = null;
java.io.FileOutputStream fos = null;

try {
fileName = org.owasp.benchmark.helpers.Utils.TESTFILES_DIR + param;

fos = new java.io.FileOutputStream(fileName, false);

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression

This path depends on a [user-provided value](1).
response.getWriter()
.println(
"Now ready to write to file: "
+ org.owasp.esapi.ESAPI.encoder().encodeForHTML(fileName));
Comment on lines +75 to +76

Check warning

Code scanning / CodeQL

Cross-site scripting

Cross-site scripting vulnerability due to a [user-provided value](1).

} catch (Exception e) {
System.out.println("Couldn't open FileOutputStream on file: '" + fileName + "'");
// System.out.println("File exception caught and swallowed: " + e.getMessage());
} finally {
if (fos != null) {
try {
fos.close();
fos = null;
} catch (Exception e) {
// we tried...
}
}
}
}
}
119 changes: 119 additions & 0 deletions src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00003.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,119 @@
/**
* OWASP Benchmark v1.2
*
* <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
* details, please see <a
* href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
*
* <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
* of the GNU General Public License as published by the Free Software Foundation, version 2.
*
* <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
* WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
* PURPOSE. See the GNU General Public License for more details.
*
* @author Dave Wichers
* @created 2015
*/
package org.owasp.benchmark.testcode;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet(value = "/hash-00/BenchmarkTest00003")
public class BenchmarkTest00003 extends HttpServlet {

private static final long serialVersionUID = 1L;

@Override
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html;charset=UTF-8");
javax.servlet.http.Cookie userCookie =
new javax.servlet.http.Cookie("BenchmarkTest00003", "someSecret");
userCookie.setMaxAge(60 * 3); // Store cookie for 3 minutes
userCookie.setSecure(true);
userCookie.setPath(request.getRequestURI());
userCookie.setDomain(new java.net.URL(request.getRequestURL().toString()).getHost());
response.addCookie(userCookie);
javax.servlet.RequestDispatcher rd =
request.getRequestDispatcher("/hash-00/BenchmarkTest00003.html");
rd.include(request, response);
}

@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
// some code
response.setContentType("text/html;charset=UTF-8");

javax.servlet.http.Cookie[] theCookies = request.getCookies();

String param = "noCookieValueSupplied";
if (theCookies != null) {
for (javax.servlet.http.Cookie theCookie : theCookies) {
if (theCookie.getName().equals("BenchmarkTest00003")) {
param = java.net.URLDecoder.decode(theCookie.getValue(), "UTF-8");
break;
}
}
}

try {
java.util.Properties benchmarkprops = new java.util.Properties();
benchmarkprops.load(
this.getClass().getClassLoader().getResourceAsStream("benchmark.properties"));
String algorithm = benchmarkprops.getProperty("hashAlg1", "SHA512");
java.security.MessageDigest md = java.security.MessageDigest.getInstance(algorithm);

Check failure

Code scanning / CodeQL

Use of a potentially broken or risky cryptographic algorithm

Cryptographic algorithm [MD5](1) may not be secure, consider using a different algorithm.
byte[] input = {(byte) '?'};
Object inputParam = param;
if (inputParam instanceof String) input = ((String) inputParam).getBytes();
if (inputParam instanceof java.io.InputStream) {
byte[] strInput = new byte[1000];
int i = ((java.io.InputStream) inputParam).read(strInput);
if (i == -1) {
response.getWriter()
.println(
"This input source requires a POST, not a GET. Incompatible UI for the InputStream source.");
return;
}
input = java.util.Arrays.copyOf(strInput, i);
}
md.update(input);

byte[] result = md.digest();
java.io.File fileTarget =
new java.io.File(
new java.io.File(org.owasp.benchmark.helpers.Utils.TESTFILES_DIR),
"passwordFile.txt");
java.io.FileWriter fw =
new java.io.FileWriter(fileTarget, true); // the true will append the new data
fw.write(
"hash_value="
+ org.owasp.esapi.ESAPI.encoder().encodeForBase64(result, true)
+ "\n");
fw.close();
response.getWriter()
.println(
"Sensitive value '"
+ org.owasp
.esapi
.ESAPI
.encoder()
.encodeForHTML(new String(input))
+ "' hashed and stored<br/>");
Comment on lines +102 to +108

Check warning

Code scanning / CodeQL

Cross-site scripting

Cross-site scripting vulnerability due to a [user-provided value](1).

} catch (java.security.NoSuchAlgorithmException e) {
System.out.println("Problem executing hash - TestCase");
throw new ServletException(e);
}

response.getWriter()
.println(
"Hash Test java.security.MessageDigest.getInstance(java.lang.String) executed");
}
}
75 changes: 75 additions & 0 deletions src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00004.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,75 @@
/**
* OWASP Benchmark v1.2
*
* <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
* details, please see <a
* href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
*
* <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
* of the GNU General Public License as published by the Free Software Foundation, version 2.
*
* <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
* WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
* PURPOSE. See the GNU General Public License for more details.
*
* @author Dave Wichers
* @created 2015
*/
package org.owasp.benchmark.testcode;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet(value = "/trustbound-00/BenchmarkTest00004")
public class BenchmarkTest00004 extends HttpServlet {

private static final long serialVersionUID = 1L;

@Override
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html;charset=UTF-8");
javax.servlet.http.Cookie userCookie =
new javax.servlet.http.Cookie("BenchmarkTest00004", "color");
userCookie.setMaxAge(60 * 3); // Store cookie for 3 minutes
userCookie.setSecure(true);
userCookie.setPath(request.getRequestURI());
userCookie.setDomain(new java.net.URL(request.getRequestURL().toString()).getHost());
response.addCookie(userCookie);
javax.servlet.RequestDispatcher rd =
request.getRequestDispatcher("/trustbound-00/BenchmarkTest00004.html");
rd.include(request, response);
}

@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
// some code
response.setContentType("text/html;charset=UTF-8");

javax.servlet.http.Cookie[] theCookies = request.getCookies();

String param = "noCookieValueSupplied";
if (theCookies != null) {
for (javax.servlet.http.Cookie theCookie : theCookies) {
if (theCookie.getName().equals("BenchmarkTest00004")) {
param = java.net.URLDecoder.decode(theCookie.getValue(), "UTF-8");
break;
}
}
}

// javax.servlet.http.HttpSession.setAttribute(java.lang.String^,java.lang.Object)
request.getSession().setAttribute(param, "10340");

Check failure

Code scanning / CodeQL

Trust boundary violation

This servlet reads data from a remote source and writes it to a session variable.

response.getWriter()
.println(
"Item: '"
+ org.owasp.benchmark.helpers.Utils.encodeForHTML(param)
+ "' with value: '10340' saved in session.");
Comment on lines +71 to +73

Check warning

Code scanning / CodeQL

Cross-site scripting

Cross-site scripting vulnerability due to a [user-provided value](1).
}
}
Loading