@nishfath nishfath commented May 1, 2025

Qwiet AI AutoFix

This PR was created automatically by the Qwiet AI AutoFix tool.
As long as it is open, subsequent scans and generated fixes to this same branch will be added to it as new commits.

Each commit fixes one vulnerability.

Some manual intervention might be required before merging this PR.

Project Information

Findings/Vulnerabilities Fixed

Finding 4: Cross-Site Scripting: Attacker-Controlled Data Used as HTML Content via customerId in CustomerController.debug

Vulnerability Description

Attacker-controlled data is used as HTML content. This indicates a Cross-Site Scripting (XSS) vulnerability.

  • Severity: critical
  • CVSS Score: 8 (critical)
  • CWE: CWE-79: Cross-Site Scripting
Commits/Files Changed

Finding 34: Sensitive Data Leak: Sensitive Data is Leaked to Log in CustomerController.getCustomer

Vulnerability Description

Sensitive data is logged in this flow.

  • Severity: critical
  • CVSS Score: 8 (critical)
  • CWE: CWE-200: Sensitive Data Leak
Commits/Files Changed

Finding 6: Cross-Site Scripting: Attacker-Controlled Data Used as HTML Content via foo in SearchController.doGetSearch

Vulnerability Description

Attacker-controlled data is used as HTML content. This indicates a Cross-Site Scripting (XSS) vulnerability.

  • Severity: critical
  • CVSS Score: 8 (critical)
  • CWE: CWE-79: Cross-Site Scripting
Commits/Files Changed

Finding 14: Directory Traversal: Attacker-controlled Data Used in File Path via request in CustomerController.saveSettings

Vulnerability Description

Attacker-controlled input data is used as part of a file path to write a file without escaping or validation. This indicates a directory traversal vulnerability.

  • Severity: critical
  • CVSS Score: 9 (critical)
  • CWE: CWE-22: Directory Traversal
Commits/Files Changed

Finding 13: Deserialization: Attacker-controlled Data Used in Unsafe Deserialization Function via auth in AdminController.doPostLogin

Vulnerability Description

Attacker-controlled data is deserialized. This indicates an insecure deserialization vulnerability.

  • Severity: critical
  • CVSS Score: 8 (critical)
  • CWE: CWE-502: Deserialization
Commits/Files Changed

Finding 12: Remote Code Execution: Code Injection Through Attacker-controlled Data via foo in SearchController.doGetSearch

Vulnerability Description

Attacker-controlled data is used in a code execution context without undergoing escaping or validation. This indicates a remote code execution vulnerability.

  • Severity: critical
  • CVSS Score: 9 (critical)
  • CWE: CWE-77: Remote Code Execution
Commits/Files Changed

Finding 5: Cross-Site Scripting: Attacker-Controlled Data Used as HTML Content via firstName in CustomerController.debug

Vulnerability Description

Attacker-controlled data is used as HTML content. This indicates a Cross-Site Scripting (XSS) vulnerability.

  • Severity: critical
  • CVSS Score: 8 (critical)
  • CWE: CWE-79: Cross-Site Scripting
Commits/Files Changed

Finding 7: Cross-Site Scripting: Attacker-Controlled Data Used as HTML Content via phoneNumber in CustomerController.debug

Vulnerability Description

Attacker-controlled data is used as HTML content. This indicates a Cross-Site Scripting (XSS) vulnerability.

  • Severity: critical
  • CVSS Score: 8 (critical)
  • CWE: CWE-79: Cross-Site Scripting
Commits/Files Changed

Finding 3: Cross-Site Scripting: Attacker-Controlled Data Used as HTML Content via lastName in CustomerController.debug

Vulnerability Description

Attacker-controlled data is used as HTML content. This indicates a Cross-Site Scripting (XSS) vulnerability.

  • Severity: critical
  • CVSS Score: 8 (critical)
  • CWE: CWE-79: Cross-Site Scripting
Commits/Files Changed

Finding 8: Cross-Site Scripting: Attacker-Controlled Data Used as HTML Content via socialSecurityNum in CustomerController.debug

Vulnerability Description

Attacker-controlled data is used as HTML content. This indicates a Cross-Site Scripting (XSS) vulnerability.

  • Severity: critical
  • CVSS Score: 8 (critical)
  • CWE: CWE-79: Cross-Site Scripting
Commits/Files Changed
