Test2 #3


Open
wants to merge 21 commits into base: main

Conversation

davewichers
Owner

No description provided.


ProcessBuilder pb = new ProcessBuilder();

pb.command(argList);
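Review bot: `argList` reaches `pb.command(argList)` with no validation visible between the user-provided value and the process launch. Passing a list to `ProcessBuilder` avoids shell parsing only when the list does not itself start with a shell (`sh -c`, `cmd /c`); if the user value must end up in the arguments, check it against an allow-list of expected values before `pb.command(argList)` and log rejected input server-side. The snippet does not show how `argList` is built, so the origin of the tainted element cannot be reviewed here.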

Check failure (Code scanning / CodeQL): Uncontrolled command line Critical test
This command line depends on a user-provided value.
} catch (IOException e) {
System.out.println("Problem executing cmdi - TestCase");
response.getWriter()
.println(org.owasp.esapi.ESAPI.encoder().encodeForHTML(e.getMessage()));
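Review bot: `encodeForHTML(e.getMessage())` stops the message from being interpreted as HTML, but it still sends the exception text to the client, which is what the stack-trace exposure finding is about. Prefer logging the exception server-side and printing a fixed message such as the `"Problem executing cmdi - TestCase"` string already used on the line above; that line itself goes to `System.out` rather than the application logger.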

Check warning (Code scanning / CodeQL): Information exposure through a stack trace Medium test
Error information can be exposed to an external user.
try {
java.sql.Connection connection =
org.owasp.benchmark.helpers.DatabaseHelper.getSqlConnection();
java.sql.CallableStatement statement = connection.prepareCall(sql);
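Review bot: `connection.prepareCall(sql)` only protects against injection if `sql` contains `?` placeholders and the user value is bound afterwards with `statement.setString(...)` or a similar setter; the snippet does not show how `sql` is assembled, so the binding step cannot be reviewed here. If the value is concatenated into `sql` before this call, the High finding is a real one regardless of the `CallableStatement` wrapper.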

Check failure (Code scanning / CodeQL): Query built from user-controlled sources High test
This query depends on a user-provided value.
Comment on lines +102 to +108
"Sensitive value '"
+ org.owasp
.esapi
.ESAPI
.encoder()
.encodeForHTML(new String(input))
+ "' hashed and stored<br/>");
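Review bot: the value is passed through `org.owasp.esapi.ESAPI.encoder().encodeForHTML(...)` before it is concatenated into the response, so the HTML element context here is handled; this XSS finding is worth recording as a case where the scanner does not model the ESAPI encoder as a sanitizer. If this test case is meant to be the safe variant, nothing in the snippet needs to change.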

Check warning (Code scanning / CodeQL): Cross-site scripting Medium test
Cross-site scripting vulnerability due to a user-provided value.
Comment on lines +102 to +107
user
+ " has been remembered with cookie: "
+ rememberMe.getName()
+ " whose value is: "
+ rememberMe.getValue()
+ "<br/>");
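Review bot: `rememberMe.getName()` and `rememberMe.getValue()` are concatenated into an HTML response without encoding, unlike the neighbouring snippets that wrap output in `org.owasp.esapi.ESAPI.encoder().encodeForHTML(...)`. If either cookie attribute can be influenced by the client, wrap both in the same encoder call before appending `"<br/>"`; `user` on the first line of the expression should get the same treatment.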

Check warning (Code scanning / CodeQL): Cross-site scripting Medium test
Cross-site scripting vulnerability due to a user-provided value.
@davewichers
Owner Author

@pixeebot next

Contributor

pixeebot bot commented Apr 9, 2024

@davewichers, I don't have any suggestions at this time, but I am always learning, and I will let you know if anything comes up!

.encoder()
.encodeForHTML(fileTarget.toString())
+ "' created.");
if (fileTarget.exists()) {
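Review bot: `fileTarget.exists()` is evaluated on a path that CodeQL traces back to a user-provided value, and nothing in the snippet constrains it to an intended directory. Before the existence check, resolve `fileTarget.getCanonicalPath()` and reject it unless it starts with the canonical path of the allowed base directory; the HTML-encoded echo of `fileTarget.toString()` above handles the output side but not the file-system side.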

Check failure (Code scanning / CodeQL): Uncontrolled data used in path expression High test
This path depends on a user-provided value.

ProcessBuilder pb = new ProcessBuilder();

pb.command(argList);

Check failure (Code scanning / CodeQL): Uncontrolled command line Critical test
This command line depends on a user-provided value.

response.setHeader("X-XSS-Protection", "0");
Object[] obj = {"a", "b"};
response.getWriter().format(java.util.Locale.US, param, obj);
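Review bot: `param` is used as the format string in `response.getWriter().format(java.util.Locale.US, param, obj)`, so a user-supplied `%` directive controls how `obj` is rendered, and a malformed one throws `IllegalFormatException` out of the servlet. Use a fixed format string and pass `param` as an argument, for example `format(java.util.Locale.US, "%s %s %s", param, obj[0], obj[1])`. The `X-XSS-Protection: 0` header on the line above deliberately disables the browser's legacy filter, so nothing downstream will mask output problems in this test.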

Check failure (Code scanning / CodeQL): Use of externally-controlled format string Critical test
Format string depends on a user-provided value.

response.setHeader("X-XSS-Protection", "0");
Object[] obj = {"a", "b"};
response.getWriter().format(param, obj);

Check failure (Code scanning / CodeQL): Use of externally-controlled format string Critical test
Format string depends on a user-provided value.
(javax.naming.directory.InitialDirContext) ctx;
boolean found = false;
javax.naming.NamingEnumeration<javax.naming.directory.SearchResult> results =
idc.search(base, filter, filters, sc);
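Review bot: `idc.search(base, filter, filters, sc)` is the four-argument JNDI overload that takes a filter expression plus an array of filter arguments, which is the right shape for a parameterised LDAP query. Whether this call is safe depends on where the user value lands: if it is in `filters` and `filter` uses `{0}`-style placeholders, JNDI escapes it; if it was concatenated into `filter` before this line, the Critical finding stands. The snippet does not show how `filter` is built.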

Check failure (Code scanning / CodeQL): LDAP query built from user-controlled sources Critical test
This LDAP query depends on a user-provided value.

response.setHeader("X-XSS-Protection", "0");
Object[] obj = {"a", "b"};
response.getWriter().format(java.util.Locale.US, param, obj);

Check warning (Code scanning / CodeQL): Cross-site scripting Medium test
Cross-site scripting vulnerability due to a user-provided value.
Comment on lines +93 to +94
"LDAP query results: nothing found for query: "
+ org.owasp.esapi.ESAPI.encoder().encodeForHTML(filter));

Check warning (Code scanning / CodeQL): Cross-site scripting Medium test
Cross-site scripting vulnerability due to a user-provided value.

response.setHeader("X-XSS-Protection", "0");
Object[] obj = {"a", "b"};
response.getWriter().format(param, obj);

Check warning (Code scanning / CodeQL): Cross-site scripting Medium test
Cross-site scripting vulnerability due to a user-provided value.
Comment on lines +57 to +63
"Access to file: '"
+ org.owasp
.esapi
.ESAPI
.encoder()
.encodeForHTML(fileTarget.toString())
+ "' created.");

Check warning (Code scanning / CodeQL): Cross-site scripting Medium test
Cross-site scripting vulnerability due to a user-provided value.
@davewichers
Owner Author

@pixeebot next

Contributor

pixeebot bot commented Apr 9, 2024

@davewichers, I don't have any suggestions at this time, but I am always learning, and I will let you know if anything comes up!

davewichers and others added 2 commits April 9, 2024 16:56
Backport changes from main into this branch
} catch (IOException e) {
System.out.println("Problem executing cmdi - TestCase");
response.getWriter()
.println(org.owasp.esapi.ESAPI.encoder().encodeForHTML(e.getMessage()));

Check warning (Code scanning / CodeQL): Information exposure through a stack trace Medium test
Error information can be exposed to an external user.
response.getWriter()
.println(
"Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case");
e.printStackTrace(response.getWriter());
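Review bot: `e.printStackTrace(response.getWriter())` writes the complete stack trace, including class names, source file names and line numbers, into the HTTP response. Log the exception server-side instead and keep the response to the fixed `"Problem executing crypto - ..."` message printed on the lines above; the same pattern repeats in the other crypto test cases on this PR.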

Check warning (Code scanning / CodeQL): Information exposure through a stack trace Medium test
Error information can be exposed to an external user.
response.getWriter()
.println(
"Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case");
e.printStackTrace(response.getWriter());

Check warning (Code scanning / CodeQL): Information exposure through a stack trace Medium test
Error information can be exposed to an external user.
response.getWriter()
.println(
"Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case");
e.printStackTrace(response.getWriter());

Check warning (Code scanning / CodeQL): Information exposure through a stack trace Medium test
Error information can be exposed to an external user.
response.getWriter()
.println(
"Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case");
e.printStackTrace(response.getWriter());

Check warning (Code scanning / CodeQL): Information exposure through a stack trace Medium test
Error information can be exposed to an external user.
javax.crypto.Cipher c = javax.crypto.Cipher.getInstance(algorithm);

// Prepare the cipher to encrypt
javax.crypto.SecretKey key = javax.crypto.KeyGenerator.getInstance("DES").generateKey();
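Review bot: `KeyGenerator.getInstance("DES")` produces a 56-bit key, which is brute-forceable with modest hardware, so the High finding is accurate. `Cipher.getInstance(algorithm)` on the first line also takes the transformation from a variable, so the cipher and the generated key may not even agree at runtime. For anything other than a deliberately weak test case, generate an AES key (`KeyGenerator.getInstance("AES")` with `init(256)`) and use an authenticated mode such as `AES/GCM/NoPadding`.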

Check failure (Code scanning / CodeQL): Use of a broken or risky cryptographic algorithm High test
Cryptographic algorithm DES is weak and should not be used.
javax.crypto.Cipher c =
javax.crypto.Cipher.getInstance("DES/CBC/PKCS5Padding", "SunJCE");
// Prepare the cipher to encrypt
javax.crypto.SecretKey key = javax.crypto.KeyGenerator.getInstance("DES").generateKey();

Check failure (Code scanning / CodeQL): Use of a broken or risky cryptographic algorithm High test
Cryptographic algorithm DES is weak and should not be used.
cookie.setHttpOnly(true);
cookie.setPath(request.getRequestURI()); // i.e., set path to JUST this servlet
// e.g., /benchmark/sql-01/BenchmarkTest01001
response.addCookie(cookie);
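Review bot: `cookie.setPath(request.getRequestURI())` copies a request-controlled value into the `Set-Cookie` header, which is what the response-splitting finding is about. Modern servlet containers generally reject CR and LF in cookie attributes, but the path should still be validated, or derived from the servlet's known mapping, before it is set; the comment `// i.e., set path to JUST this servlet` describes the intent, and a constant based on the servlet mapping would satisfy it without the tainted value.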

Check warning (Code scanning / CodeQL): HTTP response splitting Medium test
This header depends on a user-provided value, which may cause a response-splitting vulnerability.
Comment on lines +79 to +81
"Created cookie: 'SomeCookie': with value: '"
+ org.owasp.esapi.ESAPI.encoder().encodeForHTML(str)
+ "' and secure flag set to: true");

Check warning (Code scanning / CodeQL): Cross-site scripting Medium test
Cross-site scripting vulnerability due to a user-provided value.
Comment on lines +96 to +102
"Sensitive value: '"
+ org.owasp
.esapi
.ESAPI
.encoder()
.encodeForHTML(new String(input))
+ "' encrypted and stored<br/>");

Check warning (Code scanning / CodeQL): Cross-site scripting Medium test
Cross-site scripting vulnerability due to a user-provided value.
@davewichers
Owner Author

@pixeebot next

Contributor

pixeebot bot commented Apr 10, 2024

@davewichers, I don't have any suggestions at this time, but I am always learning, and I will let you know if anything comes up!

// System.out.println("Filter " + filter);
boolean found = false;
javax.naming.NamingEnumeration<javax.naming.directory.SearchResult> results =
ctx.search(base, filter, filters, sc);

Check failure (Code scanning / CodeQL): LDAP query built from user-controlled sources Critical test
This LDAP query depends on a user-provided value.
Comment on lines +84 to +85
"LDAP query results: nothing found for query: "
+ org.owasp.esapi.ESAPI.encoder().encodeForHTML(filter));

Check warning (Code scanning / CodeQL): Cross-site scripting Medium test
Cross-site scripting vulnerability due to a user-provided value.
Comment on lines +58 to +59
"No results returned for query: "
+ org.owasp.esapi.ESAPI.encoder().encodeForHTML(sql));

Check warning (Code scanning / CodeQL): Cross-site scripting Medium test
Cross-site scripting vulnerability due to a user-provided value.
Comment on lines +79 to +85
"Sensitive value '"
+ org.owasp
.esapi
.ESAPI
.encoder()
.encodeForHTML(new String(input))
+ "' hashed and stored<br/>");

Check warning (Code scanning / CodeQL): Cross-site scripting Medium test
Cross-site scripting vulnerability due to a user-provided value.
Comment on lines +86 to +91
user
+ " has been remembered with cookie: "
+ rememberMe.getName()
+ " whose value is: "
+ rememberMe.getValue()
+ "<br/>");

Check warning (Code scanning / CodeQL): Cross-site scripting Medium test
Cross-site scripting vulnerability due to a user-provided value.
org.owasp.benchmark.helpers.DatabaseHelper.getSqlConnection();
java.sql.PreparedStatement statement =
connection.prepareStatement(
sql,
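Review bot: the `prepareStatement(` call is cut off after `sql,`, so the remaining arguments and any later `setString` binding cannot be reviewed from this snippet. A `PreparedStatement` prevents injection only when the user value is bound through a `?` placeholder rather than concatenated into `sql`; the finding indicates that CodeQL traced the user value into the `sql` string itself.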

Check failure (Code scanning / CodeQL): Query built from user-controlled sources High test
This query depends on a user-provided value.
// org.owasp.benchmark.helpers.DatabaseHelper.JDBCtemplate.queryForLong(sql);
Long results =
org.owasp.benchmark.helpers.DatabaseHelper.JDBCtemplate.queryForObject(
sql, Long.class);
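Review bot: `JDBCtemplate.queryForObject(sql, Long.class)` runs `sql` verbatim, so any user value concatenated into it is injectable. Spring's `JdbcTemplate` has the overload `queryForObject(String sql, Class<T> requiredType, Object... args)`; put a `?` in the statement and pass the value through `args` so the driver binds it. The commented-out `queryForLong(sql)` on the line above has the same problem and can simply be deleted.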

Check failure (Code scanning / CodeQL): Query built from user-controlled sources High test
This query depends on a user-provided value.
response.getWriter().println("Welcome back: " + user + "<br/>");
} else {
javax.servlet.http.Cookie rememberMe =
new javax.servlet.http.Cookie(cookieName, rememberMeKey);
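Review bot: two points. `"Welcome back: " + user + "<br/>"` writes `user` into the HTML response with no encoding, in contrast to the other test cases on this PR that use `encodeForHTML`. And the Insecure randomness finding attaches to `rememberMeKey`: a value used as a remember-me cookie should come from `java.security.SecureRandom` (or a token issued by the framework) rather than `java.util.Random` or `Math.random()`; the generator is not visible in this snippet, so only the sink can be reviewed here.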

Check failure (Code scanning / CodeQL): Insecure randomness High test
Potential insecure randomness due to an insecure randomness source.
@davewichers
Owner Author

@pixeebot next

Contributor

pixeebot bot commented May 2, 2024

@davewichers, I don't have any suggestions at this time, but I am always learning, and I will let you know if anything comes up!
