Skip to content

Test2 #3

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 21 commits into
base: main
Choose a base branch
from
Open

Test2 #3

wants to merge 21 commits into from

Conversation

davewichers
Copy link
Owner

No description provided.

github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 29, 2024
View reviewed changes
src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00006.java

ProcessBuilder pb = new ProcessBuilder();

pb.command(argList);

Check failure

Code scanning / CodeQL

Uncontrolled command line

This command line depends on a [user-provided value](1).
github-advanced-security[bot]
github-advanced-security bot found potential problems Apr 9, 2024
View reviewed changes
src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00007.java
} catch (IOException e) {
System.out.println("Problem executing cmdi - TestCase");
response.getWriter()
.println(org.owasp.esapi.ESAPI.encoder().encodeForHTML(e.getMessage()));

Check warning

Code scanning / CodeQL

Information exposure through a stack trace

[Error information](1) can be exposed to an external user.
src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00008.java
try {
java.sql.Connection connection =
org.owasp.benchmark.helpers.DatabaseHelper.getSqlConnection();
java.sql.CallableStatement statement = connection.prepareCall(sql);

Check failure

Code scanning / CodeQL

Query built from user-controlled sources

This query depends on a [user-provided value](1).
src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00009.java
Comment on lines +102 to +108
"Sensitive value '"
+ org.owasp
.esapi
.ESAPI
.encoder()
.encodeForHTML(new String(input))
+ "' hashed and stored<br/>");

Check warning

Code scanning / CodeQL

Cross-site scripting

Cross-site scripting vulnerability due to a [user-provided value](1).
src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00010.java
Comment on lines +102 to +107
user
+ " has been remembered with cookie: "
+ rememberMe.getName()
+ " whose value is: "
+ rememberMe.getValue()
+ "<br/>");

Check warning

Code scanning / CodeQL

Cross-site scripting

Cross-site scripting vulnerability due to a [user-provided value](1). Cross-site scripting vulnerability due to a [user-provided value](2).
@davewichers
Copy link
Owner Author

@pixeebot next

@pixeebot pixeebot
Copy link
Contributor

pixeebot bot commented Apr 9, 2024

@davewichers, I don't have any suggestions at this time, but I am always learning, and I will let you know if anything comes up!

github-advanced-security[bot]
github-advanced-security bot found potential problems Apr 9, 2024
View reviewed changes
src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00011.java
.encoder()
.encodeForHTML(fileTarget.toString())
+ "' created.");
if (fileTarget.exists()) {

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression

This path depends on a [user-provided value](1).
src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00015.java

ProcessBuilder pb = new ProcessBuilder();

pb.command(argList);

Check failure

Code scanning / CodeQL

Uncontrolled command line

This command line depends on a [user-provided value](1).
src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00013.java

response.setHeader("X-XSS-Protection", "0");
Object[] obj = {"a", "b"};
response.getWriter().format(java.util.Locale.US, param, obj);

Check failure

Code scanning / CodeQL

Use of externally-controlled format string

Format string depends on a [user-provided value](1).
src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00014.java

response.setHeader("X-XSS-Protection", "0");
Object[] obj = {"a", "b"};
response.getWriter().format(param, obj);

Check failure

Code scanning / CodeQL

Use of externally-controlled format string

Format string depends on a [user-provided value](1).
src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00012.java
(javax.naming.directory.InitialDirContext) ctx;
boolean found = false;
javax.naming.NamingEnumeration<javax.naming.directory.SearchResult> results =
idc.search(base, filter, filters, sc);

Check failure

Code scanning / CodeQL

LDAP query built from user-controlled sources

This LDAP query depends on a [user-provided value](1).
src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00013.java

response.setHeader("X-XSS-Protection", "0");
Object[] obj = {"a", "b"};
response.getWriter().format(java.util.Locale.US, param, obj);

Check warning

Code scanning / CodeQL

Cross-site scripting

Cross-site scripting vulnerability due to a [user-provided value](1).
src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00012.java
Comment on lines +93 to +94
"LDAP query results: nothing found for query: "
+ org.owasp.esapi.ESAPI.encoder().encodeForHTML(filter));

Check warning

Code scanning / CodeQL

Cross-site scripting

Cross-site scripting vulnerability due to a [user-provided value](1).
src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00014.java

response.setHeader("X-XSS-Protection", "0");
Object[] obj = {"a", "b"};
response.getWriter().format(param, obj);

Check warning

Code scanning / CodeQL

Cross-site scripting

Cross-site scripting vulnerability due to a [user-provided value](1).
src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00011.java
Comment on lines +57 to +63
"Access to file: '"
+ org.owasp
.esapi
.ESAPI
.encoder()
.encodeForHTML(fileTarget.toString())
+ "' created.");

Check warning

Code scanning / CodeQL

Cross-site scripting

Cross-site scripting vulnerability due to a [user-provided value](1).
@davewichers
Copy link
Owner Author

@pixeebot next

@pixeebot pixeebot
Copy link
Contributor

pixeebot bot commented Apr 9, 2024

@davewichers, I don't have any suggestions at this time, but I am always learning, and I will let you know if anything comes up!

davewichers and others added 2 commits April 9, 2024 16:56
@davewichers
Merge pull request #8 from davewichers/main
94ac178 
Backport changes from main into this branch
@davewichers
Add 5 more test cases.
e9017d3
github-advanced-security[bot]
github-advanced-security bot found potential problems Apr 10, 2024
View reviewed changes
src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00017.java
} catch (IOException e) {
System.out.println("Problem executing cmdi - TestCase");
response.getWriter()
.println(org.owasp.esapi.ESAPI.encoder().encodeForHTML(e.getMessage()));

Check warning

Code scanning / CodeQL

Information exposure through a stack trace

[Error information](1) can be exposed to an external user.
src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00020.java
response.getWriter()
.println(
"Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case");
e.printStackTrace(response.getWriter());

Check warning

Code scanning / CodeQL

Information exposure through a stack trace

[Error information](1) can be exposed to an external user.
src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00020.java
response.getWriter()
.println(
"Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case");
e.printStackTrace(response.getWriter());

Check warning

Code scanning / CodeQL

Information exposure through a stack trace

[Error information](1) can be exposed to an external user.
src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00020.java
response.getWriter()
.println(
"Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case");
e.printStackTrace(response.getWriter());

Check warning

Code scanning / CodeQL

Information exposure through a stack trace

[Error information](1) can be exposed to an external user.
src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00020.java
response.getWriter()
.println(
"Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case");
e.printStackTrace(response.getWriter());

Check warning

Code scanning / CodeQL

Information exposure through a stack trace

[Error information](1) can be exposed to an external user.
src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00019.java
javax.crypto.Cipher c = javax.crypto.Cipher.getInstance(algorithm);

// Prepare the cipher to encrypt
javax.crypto.SecretKey key = javax.crypto.KeyGenerator.getInstance("DES").generateKey();

Check failure

Code scanning / CodeQL

Use of a broken or risky cryptographic algorithm

Cryptographic algorithm [DES](1) is weak and should not be used.
src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00020.java
javax.crypto.Cipher c =
javax.crypto.Cipher.getInstance("DES/CBC/PKCS5Padding", "SunJCE");
// Prepare the cipher to encrypt
javax.crypto.SecretKey key = javax.crypto.KeyGenerator.getInstance("DES").generateKey();

Check failure

Code scanning / CodeQL

Use of a broken or risky cryptographic algorithm

Cryptographic algorithm [DES](1) is weak and should not be used.
src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00016.java
cookie.setHttpOnly(true);
cookie.setPath(request.getRequestURI()); // i.e., set path to JUST this servlet
// e.g., /benchmark/sql-01/BenchmarkTest01001
response.addCookie(cookie);

Check warning

Code scanning / CodeQL

HTTP response splitting

This header depends on a [user-provided value](1), which may cause a response-splitting vulnerability.
src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00016.java
Comment on lines +79 to +81
"Created cookie: 'SomeCookie': with value: '"
+ org.owasp.esapi.ESAPI.encoder().encodeForHTML(str)
+ "' and secure flag set to: true");

Check warning

Code scanning / CodeQL

Cross-site scripting

Cross-site scripting vulnerability due to a [user-provided value](1).
src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00020.java
Comment on lines +96 to +102
"Sensitive value: '"
+ org.owasp
.esapi
.ESAPI
.encoder()
.encodeForHTML(new String(input))
+ "' encrypted and stored<br/>");

Check warning

Code scanning / CodeQL

Cross-site scripting

Cross-site scripting vulnerability due to a [user-provided value](1).
@davewichers
Copy link
Owner Author

@pixeebot next

@pixeebot pixeebot
Copy link
Contributor

pixeebot bot commented Apr 10, 2024

@davewichers, I don't have any suggestions at this time, but I am always learning, and I will let you know if anything comes up!

github-advanced-security[bot]
github-advanced-security bot found potential problems May 1, 2024
View reviewed changes
src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00021.java
// System.out.println("Filter " + filter);
boolean found = false;
javax.naming.NamingEnumeration<javax.naming.directory.SearchResult> results =
ctx.search(base, filter, filters, sc);

Check failure

Code scanning / CodeQL

LDAP query built from user-controlled sources

This LDAP query depends on a [user-provided value](1).
src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00021.java
Comment on lines +84 to +85
"LDAP query results: nothing found for query: "
+ org.owasp.esapi.ESAPI.encoder().encodeForHTML(filter));

Check warning

Code scanning / CodeQL

Cross-site scripting

Cross-site scripting vulnerability due to a [user-provided value](1).
src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00025.java
Comment on lines +58 to +59
"No results returned for query: "
+ org.owasp.esapi.ESAPI.encoder().encodeForHTML(sql));

Check warning

Code scanning / CodeQL

Cross-site scripting

Cross-site scripting vulnerability due to a [user-provided value](1).
src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00022.java
Comment on lines +79 to +85
"Sensitive value '"
+ org.owasp
.esapi
.ESAPI
.encoder()
.encodeForHTML(new String(input))
+ "' hashed and stored<br/>");

Check warning

Code scanning / CodeQL

Cross-site scripting

Cross-site scripting vulnerability due to a [user-provided value](1).
src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00023.java
Comment on lines +86 to +91
user
+ " has been remembered with cookie: "
+ rememberMe.getName()
+ " whose value is: "
+ rememberMe.getValue()
+ "<br/>");

Check warning

Code scanning / CodeQL

Cross-site scripting

Cross-site scripting vulnerability due to a [user-provided value](1). Cross-site scripting vulnerability due to a [user-provided value](2).
src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00024.java
org.owasp.benchmark.helpers.DatabaseHelper.getSqlConnection();
java.sql.PreparedStatement statement =
connection.prepareStatement(
sql,

Check failure

Code scanning / CodeQL

Query built from user-controlled sources

This query depends on a [user-provided value](1).
src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00025.java
// org.owasp.benchmark.helpers.DatabaseHelper.JDBCtemplate.queryForLong(sql);
Long results =
org.owasp.benchmark.helpers.DatabaseHelper.JDBCtemplate.queryForObject(
sql, Long.class);

Check failure

Code scanning / CodeQL

Query built from user-controlled sources

This query depends on a [user-provided value](1).
src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00023.java
response.getWriter().println("Welcome back: " + user + "<br/>");
} else {
javax.servlet.http.Cookie rememberMe =
new javax.servlet.http.Cookie(cookieName, rememberMeKey);

Check failure

Code scanning / CodeQL

Insecure randomness

Potential Insecure randomness due to a [Insecure randomness source.](1).
@davewichers
Copy link
Owner Author

@pixeebot next

@pixeebot pixeebot
Copy link
Contributor

pixeebot bot commented May 2, 2024

@davewichers, I don't have any suggestions at this time, but I am always learning, and I will let you know if anything comes up!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@davewichers