Caution Breaking Flaws identified in code! Fixes for /home/runner/work/test-action/test-action/src/main/java/com/veracode/verademo/controller/UserController.java: Fix suggestions:
--- /home/runner/work/test-action/test-action/src/main/java/com/veracode/verademo/controller/UserController.java
+++ /home/runner/work/test-action/test-action/src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,9 @@
import com.veracode.verademo.utils.Constants;
import com.veracode.verademo.utils.User;
import com.veracode.verademo.utils.UserFactory;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.text.StringEscapeUtils;
+import org.owasp.encoder.Encode;
/**
* @author johnadmin
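Review bot: The new imports bring in three different sanitizers for the same job — `StringUtils.normalizeSpace`, `StringEscapeUtils.escapeJava` and `Encode.forJava` are each applied to log arguments later in this file (L18, L26, L100) with no visible rule for which one applies where, and `normalizeSpace` does not escape at all but silently rewrites the logged value (collapses and trims whitespace). Pick one encoder for log output, ideally behind a small helper such as `private static String forLog(Object v) { return Encode.forJava(String.valueOf(v)); }`, and use it for every interpolated value. Whether commons-lang3, commons-text and the OWASP encoder are already declared in the project build cannot be seen from this hunk; if they are not, the patch will not compile until they are added.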
@@ -227,7 +230,7 @@
}
// Redirect to the appropriate place based on login actions above
- logger.info("Redirecting to view: " + nextView);
+ logger.info("Redirecting to view: " + StringUtils.normalizeSpace(nextView));
return nextView;
}
@@ -235,7 +238,7 @@
@ResponseBody
public String showPasswordHint(String username)
{
- logger.info("Entering password-hint with username: " + username);
+ logger.info("Entering password-hint with username: " + StringEscapeUtils.escapeJava(username));
if (username == null || username.isEmpty()) {
return "No username provided, please type in your username first";
@@ -247,13 +250,13 @@
Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'";
- logger.info(sql);
+ logger.info(StringEscapeUtils.escapeJava(sql));
Statement statement = connect.createStatement();
ResultSet result = statement.executeQuery(sql);
if (result.first()) {
String password= result.getString("password_hint");
String formatString = "Username '" + username + "' has password: %.2s%s";
- logger.info(formatString);
+ logger.info(StringUtils.normalizeSpace(formatString));
return String.format(
formatString,
password,
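Review bot: The suggested change only escapes what is written to the log, while the query on L31 is still built by concatenating `username` into the SQL and executed through `Statement.executeQuery` on L34–L35, so the injection the scanner is presumably reacting to is unchanged. The same applies to `sqlMyEvents` on L53–L58, to `sql` on L62 (a `prepareStatement` call over an already-concatenated string gains nothing), to the concatenated INSERT/DELETE statements in the RemoveAccountCommand, ListenCommand and IgnoreCommand hunks below, and to the repeated copies of this diff further down the page. The remediation is a parameterised query, e.g. `PreparedStatement statement = connect.prepareStatement("SELECT password_hint FROM users WHERE username = ?"); statement.setString(1, username); ResultSet result = statement.executeQuery();`. L38 additionally builds `formatString` from `username` and passes it to `String.format` on L41, so a `%` in the username is interpreted as a format directive and the returned hint reveals part of the stored password; the user value belongs in an argument, never in the pattern, and the enclosing `showPasswordHint` continues outside the hunk.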
@@ -383,7 +386,7 @@
sqlStatement = connect.createStatement();
sqlStatement.execute(query.toString());
- logger.info(query.toString());
+ logger.info(StringUtils.normalizeSpace(query.toString()));
/* END BAD CODE */
emailUser(username);
@@ -491,7 +494,7 @@
/* START BAD CODE */
String sqlMyEvents = "select event from users_history where blabber=\"" + username
+ "\" ORDER BY eventid DESC; ";
- logger.info(sqlMyEvents);
+ logger.info(StringUtils.normalizeSpace(sqlMyEvents));
Statement sqlStatement = connect.createStatement();
ResultSet userHistoryResult = sqlStatement.executeQuery(sqlMyEvents);
/* END BAD CODE */
@@ -502,7 +505,7 @@
// Get the users information
String sql = "SELECT username, real_name, blab_name FROM users WHERE username = '" + username + "'";
- logger.info(sql);
+ logger.info(StringEscapeUtils.escapeJava(sql));
myInfo = connect.prepareStatement(sql);
ResultSet myInfoResults = myInfo.executeQuery();
myInfoResults.next();
@@ -656,7 +659,7 @@
String extension = file.getOriginalFilename().substring(file.getOriginalFilename().lastIndexOf("."));
String path = imageDir + username + extension;
- logger.info("Saving new profile image: " + path);
+ logger.info("Saving new profile image: " + StringUtils.normalizeSpace(path));
file.transferTo(new File(path)); // will delete any existing file first
}
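Review bot: `file.getOriginalFilename().substring(file.getOriginalFilename().lastIndexOf("."))` on L69 throws `StringIndexOutOfBoundsException` when the uploaded name contains no dot, because `lastIndexOf` returns -1, and the resulting `extension` is taken verbatim from the client and concatenated into the path that `file.transferTo` writes on L73 — the log escaping on L72 does nothing about either. Guard the index and validate the suffix before using it, for instance `int dot = name.lastIndexOf('.'); if (dot < 0 || !ALLOWED_EXTENSIONS.contains(name.substring(dot).toLowerCase(Locale.ROOT))) throw new IllegalArgumentException("unsupported image type");` with an allow-list constant, and resolve the target as a `Path`, normalise it and check it still starts with `imageDir` before writing. The same unchecked path concatenation appears at L76 (`imageName`) and L102 (`oldImage`) and in the repeated copies of this diff. The enclosing method begins before this hunk.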
@@ -692,7 +695,7 @@
String path = context.getRealPath("/resources/images") + File.separator + imageName;
- logger.info("Fetching profile image: " + path);
+ logger.info("Fetching profile image: " + StringUtils.normalizeSpace(path));
InputStream inputStream = null;
OutputStream outStream = null;
@@ -706,7 +709,7 @@
// set to binary type if MIME mapping not found
mimeType = "application/octet-stream";
}
- logger.info("MIME type: " + mimeType);
+ logger.info("MIME type: " + StringUtils.normalizeSpace(mimeType));
// Set content attributes for the response
response.setContentType(mimeType);
@@ -801,7 +804,7 @@
}
}
- logger.info("Username: " + username + " already exists. Try again.");
+ logger.info("Username: " + StringUtils.normalizeSpace(username) + " already exists. Try again.");
return true;
}
@@ -857,7 +860,7 @@
if (oldImage != null) {
String extension = oldImage.substring(oldImage.lastIndexOf("."));
- logger.info("Renaming profile image from " + oldImage + " to " + newUsername + extension);
+ logger.info("Renaming profile image from " + Encode.forJava(oldImage) + " to " + newUsername + extension);
String path = context.getRealPath("/resources/images") + File.separator;
File oldName = new File(path + oldImage);
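Review bot: The rewritten line on L100 escapes `oldImage` but concatenates `newUsername` and `extension` into the same log message unescaped, so the sanitisation is only half applied; either every interpolated value goes through the encoder, `"Renaming profile image from " + Encode.forJava(oldImage) + " to " + Encode.forJava(newUsername + extension)`, or the line did not need touching. The same half-escaped pattern appears at L238 (`blabber` left raw), L253–L254 (`username` left raw while the integer `i` is encoded) and in the repeated copies of this diff. L98 has the same `lastIndexOf(".")` returning -1 problem as L69, and L102 builds the file path by plain concatenation with `oldImage`; both are outside what the patch changes, and the enclosing method continues past the hunk.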
Caution Breaking Flaws identified in code! Fixes for /home/runner/work/test-action/test-action/src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java: Fix suggestions:
--- /home/runner/work/test-action/test-action/src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
+++ /home/runner/work/test-action/test-action/src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
@@ -8,6 +8,8 @@
import org.apache.log4j.LogManager;
import org.apache.log4j.Logger;
+import org.apache.commons.text.StringEscapeUtils;
+import org.apache.commons.lang3.StringUtils;
public class RemoveAccountCommand implements BlabberCommand {
private static final Logger logger = LogManager.getLogger("VeraDemo:RemoveAccountCommand");
@@ -36,18 +38,18 @@
sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername +"'";
Statement sqlStatement = connect.createStatement();
- logger.info(sqlQuery);
+ logger.info(StringUtils.normalizeSpace(sqlQuery));
ResultSet result = sqlStatement.executeQuery(sqlQuery);
result.next();
/* START BAD CODE ------*/
String event = "Removed account for blabber " + result.getString(1);
sqlQuery = "INSERT INTO users_history (blabber, event) VALUES ('" + blabberUsername + "', '" + event + "')";
- logger.info(sqlQuery);
+ logger.info(StringEscapeUtils.escapeJava(sqlQuery));
sqlStatement.execute(sqlQuery);
sqlQuery = "DELETE FROM users WHERE username = '" + blabberUsername + "'";
- logger.info(sqlQuery);
+ logger.info(StringUtils.normalizeSpace(sqlQuery));
sqlStatement.execute(sqlQuery);
/* END BAD CODE */
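Review bot: `result.next()` on L120 is called for its side effect only, so when the SELECT on L115 matches no row, `result.getString(1)` on L122 fails with an `SQLException` instead of reporting a missing account, and the INSERT and DELETE on L123–L130 still run string-concatenated SQL through `Statement.execute`, which escaping the log lines does not change. The three new lines also alternate between `normalizeSpace` (L118, L129) and `escapeJava` (L125) for the same kind of value with no apparent reason; one encoder should be used consistently. The same pattern recurs in the ListenCommand (L143–L157) and IgnoreCommand (L169–L183) hunks and in the later copies of these diffs. Check the cursor first, `if (!result.next()) { throw new SQLException("no such blabber: " + blabberUsername); }`, and move the statements to parameterised queries; the enclosing method starts before this hunk.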
Caution Breaking Flaws identified in code! Fixes for /home/runner/work/test-action/test-action/src/main/java/com/veracode/verademo/commands/ListenCommand.java: Fix suggestions:
--- /home/runner/work/test-action/test-action/src/main/java/com/veracode/verademo/commands/ListenCommand.java
+++ /home/runner/work/test-action/test-action/src/main/java/com/veracode/verademo/commands/ListenCommand.java
@@ -8,6 +8,8 @@
import org.apache.log4j.LogManager;
import org.apache.log4j.Logger;
+import org.apache.commons.text.StringEscapeUtils;
+import org.apache.commons.lang3.StringUtils;
public class ListenCommand implements BlabberCommand {
private static final Logger logger = LogManager.getLogger("VeraDemo:ListenCommand");
@@ -36,14 +38,14 @@
sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'";
Statement sqlStatement = connect.createStatement();
- logger.info(sqlQuery);
+ logger.info(StringUtils.normalizeSpace(sqlQuery));
ResultSet result = sqlStatement.executeQuery(sqlQuery);
result.next();
/* START BAD CODE -----*/
String event = username + " started listening to " + blabberUsername + "(" + result.getString(1) + ")";
sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (\"" + username + "\", \"" + event + "\")";
- logger.info(sqlQuery);
+ logger.info(StringEscapeUtils.escapeJava(sqlQuery));
sqlStatement.execute(sqlQuery);
/* END BAD CODE */
} catch (SQLException e) {
Caution Breaking Flaws identified in code! Fixes for /home/runner/work/test-action/test-action/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java: Fix suggestions:
--- /home/runner/work/test-action/test-action/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
+++ /home/runner/work/test-action/test-action/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
@@ -8,6 +8,8 @@
import org.apache.log4j.LogManager;
import org.apache.log4j.Logger;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.text.StringEscapeUtils;
public class IgnoreCommand implements BlabberCommand {
private static final Logger logger = LogManager.getLogger("VeraDemo:IgnoreCommand");
@@ -36,14 +38,14 @@
sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'";
Statement sqlStatement = connect.createStatement();
- logger.info(sqlQuery);
+ logger.info(StringUtils.normalizeSpace(sqlQuery));
ResultSet result = sqlStatement.executeQuery(sqlQuery);
result.next();
/* START BAD CODE */
String event = username + " is now ignoring " + blabberUsername + "(" + result.getString(1) + ")";
sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (\"" + username + "\", \"" + event + "\")";
- logger.info(sqlQuery);
+ logger.info(StringEscapeUtils.escapeJava(sqlQuery));
sqlStatement.execute(sqlQuery);
/* END BAD CODE */
} catch (SQLException e) {
Caution Breaking Flaws identified in code! Fixes for /home/runner/work/test-action/test-action/src/main/java/com/veracode/verademo/controller/BlabController.java: Fix suggestions:
--- /home/runner/work/test-action/test-action/src/main/java/com/veracode/verademo/controller/BlabController.java
+++ /home/runner/work/test-action/test-action/src/main/java/com/veracode/verademo/controller/BlabController.java
@@ -27,6 +27,7 @@
import com.veracode.verademo.model.Blabber;
import com.veracode.verademo.model.Comment;
import com.veracode.verademo.utils.Constants;
+import org.apache.commons.lang3.StringUtils;
@Controller
@Scope("request")
@@ -483,7 +484,7 @@
connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
// Find the Blabbers
- logger.info(blabbersSql);
+ logger.info(StringUtils.normalizeSpace(blabbersSql));
blabberQuery = connect.prepareStatement(blabbersSql);
blabberQuery.setString(1, username);
blabberQuery.setString(2, username);
@@ -555,8 +556,8 @@
return nextView = "redirect:login?target=blabbers";
}
- logger.info("blabberUsername = " + blabberUsername);
- logger.info("command = " + command);
+ logger.info("blabberUsername = " + StringUtils.normalizeSpace(blabberUsername));
+ logger.info("command = " + StringUtils.normalizeSpace(command));
Connection connect = null;
PreparedStatement action = null;
Caution Breaking Flaws identified in code! Fixes for /home/runner/work/test-action/test-action/src/main/java/com/veracode/verademo/controller/ResetController.java: Fix suggestions:
--- /home/runner/work/test-action/test-action/src/main/java/com/veracode/verademo/controller/ResetController.java
+++ /home/runner/work/test-action/test-action/src/main/java/com/veracode/verademo/controller/ResetController.java
@@ -26,6 +26,9 @@
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
+import org.apache.commons.text.StringEscapeUtils;
+import org.apache.commons.lang3.StringUtils;
+import java.net.URLEncoder;
@Controller
@Scope("request")
@@ -106,7 +109,7 @@
usersStatement = connect.prepareStatement(
"INSERT INTO users (username, password, password_hint, created_at, last_login, real_name, blab_name) values (?, ?, ?, ?, ?, ?, ?);");
for (int i = 0; i < users.length; i++) {
- logger.info("Adding user " + users[i].getUserName());
+ logger.info("Adding user " + StringUtils.normalizeSpace(users[i].getUserName()));
usersStatement.setString(1, users[i].getUserName());
usersStatement.setString(2, users[i].getPassword());
usersStatement.setString(3, users[i].getPasswordHint());
@@ -129,7 +132,7 @@
String blabber = users[i].getUserName();
String listener = users[j].getUserName();
- logger.info("Adding " + listener + " as a listener of " + blabber);
+ logger.info("Adding " + StringEscapeUtils.escapeJava(listener) + " as a listener of " + blabber);
listenersStatement.setString(1, blabber);
listenersStatement.setString(2, listener);
@@ -156,7 +159,7 @@
long vary = rand.nextInt(30 * 24 * 3600);
String username = users[randomUserOffset].getUserName();
- logger.info("Adding a blab for " + username);
+ logger.info("Adding a blab for " + StringEscapeUtils.escapeJava(username));
blabsStatement.setString(1, username);
blabsStatement.setString(2, blabContent);
@@ -190,8 +193,8 @@
// get the number or seconds until some time in the last 30 days.
long vary = rand.nextInt(30 * 24 * 3600);
- logger.info("Adding a comment from " + username + " on blab ID " + String.valueOf(i));
- logger.info("Adding another comment from " + username + " on blab ID " + String.valueOf(i));
+ logger.info("Adding a comment from " + username + " on blab ID " + String.valueOf(StringEscapeUtils.escapeJava(i)));
+ logger.info("Adding another comment from " + username + " on blab ID " + String.valueOf(URLEncoder.encode(i.toString())));
commentsStatement.setInt(1, i);
commentsStatement.setString(2, username);
commentsStatement.setString(3, comment);
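Review bot: The two new lines on L253–L254 are unlikely to compile: `StringEscapeUtils.escapeJava` takes a `String`, and `i.toString()` is not valid on a primitive `int`, which is what `commentsStatement.setInt(1, i)` on L255 suggests `i` is (the loop header is outside the hunk). The single-argument `URLEncoder.encode(String)` is also deprecated because it uses the platform charset, and URL-encoding an integer for a log line serves no purpose, since an `int` cannot carry a line break. The original `String.valueOf(i)` was already safe here; if anything, the raw `username` on the same lines is the value that would need encoding, so write `"Adding a comment from " + StringEscapeUtils.escapeJava(username) + " on blab ID " + i`. The same pair of lines appears at L510–L511 in the repeated copy of this diff.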
Updated text in README.md for clarity.
Caution Breaking Flaws identified in code! Fixes for src/main/java/com/veracode/verademo/controller/UserController.java: Fix suggestions:
--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,8 @@
import com.veracode.verademo.utils.Constants;
import com.veracode.verademo.utils.User;
import com.veracode.verademo.utils.UserFactory;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.text.StringEscapeUtils;
/**
* @author johnadmin
@@ -227,7 +229,7 @@
}
// Redirect to the appropriate place based on login actions above
- logger.info("Redirecting to view: " + nextView);
+ logger.info("Redirecting to view: " + StringUtils.normalizeSpace(nextView));
return nextView;
}
@@ -235,7 +237,7 @@
@ResponseBody
public String showPasswordHint(String username)
{
- logger.info("Entering password-hint with username: " + username);
+ logger.info("Entering password-hint with username: " + StringUtils.normalizeSpace(username));
if (username == null || username.isEmpty()) {
return "No username provided, please type in your username first";
@@ -247,13 +249,13 @@
Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'";
- logger.info(sql);
+ logger.info(StringEscapeUtils.escapeJava(sql));
Statement statement = connect.createStatement();
ResultSet result = statement.executeQuery(sql);
if (result.first()) {
String password= result.getString("password_hint");
String formatString = "Username '" + username + "' has password: %.2s%s";
- logger.info(formatString);
+ logger.info(StringUtils.normalizeSpace(formatString));
return String.format(
formatString,
password,
@@ -383,7 +385,7 @@
sqlStatement = connect.createStatement();
sqlStatement.execute(query.toString());
- logger.info(query.toString());
+ logger.info(StringUtils.normalizeSpace(query.toString()));
/* END BAD CODE */
emailUser(username);
@@ -491,7 +493,7 @@
/* START BAD CODE */
String sqlMyEvents = "select event from users_history where blabber=\"" + username
+ "\" ORDER BY eventid DESC; ";
- logger.info(sqlMyEvents);
+ logger.info(StringUtils.normalizeSpace(sqlMyEvents));
Statement sqlStatement = connect.createStatement();
ResultSet userHistoryResult = sqlStatement.executeQuery(sqlMyEvents);
/* END BAD CODE */
@@ -502,7 +504,7 @@
// Get the users information
String sql = "SELECT username, real_name, blab_name FROM users WHERE username = '" + username + "'";
- logger.info(sql);
+ logger.info(StringEscapeUtils.escapeJava(sql));
myInfo = connect.prepareStatement(sql);
ResultSet myInfoResults = myInfo.executeQuery();
myInfoResults.next();
@@ -656,7 +658,7 @@
String extension = file.getOriginalFilename().substring(file.getOriginalFilename().lastIndexOf("."));
String path = imageDir + username + extension;
- logger.info("Saving new profile image: " + path);
+ logger.info("Saving new profile image: " + StringUtils.normalizeSpace(path));
file.transferTo(new File(path)); // will delete any existing file first
}
@@ -692,7 +694,7 @@
String path = context.getRealPath("/resources/images") + File.separator + imageName;
- logger.info("Fetching profile image: " + path);
+ logger.info("Fetching profile image: " + StringEscapeUtils.escapeJava(path));
InputStream inputStream = null;
OutputStream outStream = null;
@@ -706,7 +708,7 @@
// set to binary type if MIME mapping not found
mimeType = "application/octet-stream";
}
- logger.info("MIME type: " + mimeType);
+ logger.info("MIME type: " + StringUtils.normalizeSpace(mimeType));
// Set content attributes for the response
response.setContentType(mimeType);
@@ -801,7 +803,7 @@
}
}
- logger.info("Username: " + username + " already exists. Try again.");
+ logger.info("Username: " + StringUtils.normalizeSpace(username) + " already exists. Try again.");
return true;
}
@@ -857,7 +859,7 @@
if (oldImage != null) {
String extension = oldImage.substring(oldImage.lastIndexOf("."));
- logger.info("Renaming profile image from " + oldImage + " to " + newUsername + extension);
+ logger.info("Renaming profile image from " + StringUtils.normalizeSpace(oldImage) + " to " + newUsername + extension);
String path = context.getRealPath("/resources/images") + File.separator;
File oldName = new File(path + oldImage);
Caution Breaking Flaws identified in code! Fixes for src/main/java/com/veracode/verademo/commands/IgnoreCommand.java: Fix suggestions:
--- src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
+++ src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
@@ -8,6 +8,8 @@
import org.apache.log4j.LogManager;
import org.apache.log4j.Logger;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.text.StringEscapeUtils;
public class IgnoreCommand implements BlabberCommand {
private static final Logger logger = LogManager.getLogger("VeraDemo:IgnoreCommand");
@@ -36,14 +38,14 @@
sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'";
Statement sqlStatement = connect.createStatement();
- logger.info(sqlQuery);
+ logger.info(StringUtils.normalizeSpace(sqlQuery));
ResultSet result = sqlStatement.executeQuery(sqlQuery);
result.next();
/* START BAD CODE */
String event = username + " is now ignoring " + blabberUsername + "(" + result.getString(1) + ")";
sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (\"" + username + "\", \"" + event + "\")";
- logger.info(sqlQuery);
+ logger.info(StringEscapeUtils.escapeJava(sqlQuery));
sqlStatement.execute(sqlQuery);
/* END BAD CODE */
} catch (SQLException e) {
Caution Breaking Flaws identified in code! Fixes for src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java: Fix suggestions:
--- src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
+++ src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
@@ -8,6 +8,8 @@
import org.apache.log4j.LogManager;
import org.apache.log4j.Logger;
+import org.apache.commons.text.StringEscapeUtils;
+import org.apache.commons.lang3.StringUtils;
public class RemoveAccountCommand implements BlabberCommand {
private static final Logger logger = LogManager.getLogger("VeraDemo:RemoveAccountCommand");
@@ -36,18 +38,18 @@
sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername +"'";
Statement sqlStatement = connect.createStatement();
- logger.info(sqlQuery);
+ logger.info(StringUtils.normalizeSpace(sqlQuery));
ResultSet result = sqlStatement.executeQuery(sqlQuery);
result.next();
/* START BAD CODE ------*/
String event = "Removed account for blabber " + result.getString(1);
sqlQuery = "INSERT INTO users_history (blabber, event) VALUES ('" + blabberUsername + "', '" + event + "')";
- logger.info(sqlQuery);
+ logger.info(StringEscapeUtils.escapeJava(sqlQuery));
sqlStatement.execute(sqlQuery);
sqlQuery = "DELETE FROM users WHERE username = '" + blabberUsername + "'";
- logger.info(sqlQuery);
+ logger.info(StringUtils.normalizeSpace(sqlQuery));
sqlStatement.execute(sqlQuery);
/* END BAD CODE */
Caution Breaking Flaws identified in code! Fixes for src/main/java/com/veracode/verademo/controller/BlabController.java: Fix suggestions:
--- src/main/java/com/veracode/verademo/controller/BlabController.java
+++ src/main/java/com/veracode/verademo/controller/BlabController.java
@@ -27,6 +27,7 @@
import com.veracode.verademo.model.Blabber;
import com.veracode.verademo.model.Comment;
import com.veracode.verademo.utils.Constants;
+import org.apache.commons.lang3.StringUtils;
@Controller
@Scope("request")
@@ -483,7 +484,7 @@
connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
// Find the Blabbers
- logger.info(blabbersSql);
+ logger.info(StringUtils.normalizeSpace(blabbersSql));
blabberQuery = connect.prepareStatement(blabbersSql);
blabberQuery.setString(1, username);
blabberQuery.setString(2, username);
@@ -555,8 +556,8 @@
return nextView = "redirect:login?target=blabbers";
}
- logger.info("blabberUsername = " + blabberUsername);
- logger.info("command = " + command);
+ logger.info("blabberUsername = " + StringUtils.normalizeSpace(blabberUsername));
+ logger.info("command = " + StringUtils.normalizeSpace(command));
Connection connect = null;
PreparedStatement action = null;
Caution Breaking Flaws identified in code! Fixes for src/main/java/com/veracode/verademo/commands/ListenCommand.java: Fix suggestions:
--- src/main/java/com/veracode/verademo/commands/ListenCommand.java
+++ src/main/java/com/veracode/verademo/commands/ListenCommand.java
@@ -8,6 +8,8 @@
import org.apache.log4j.LogManager;
import org.apache.log4j.Logger;
+import org.apache.commons.text.StringEscapeUtils;
+import org.apache.commons.lang3.StringUtils;
public class ListenCommand implements BlabberCommand {
private static final Logger logger = LogManager.getLogger("VeraDemo:ListenCommand");
@@ -36,14 +38,14 @@
sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'";
Statement sqlStatement = connect.createStatement();
- logger.info(sqlQuery);
+ logger.info(StringUtils.normalizeSpace(sqlQuery));
ResultSet result = sqlStatement.executeQuery(sqlQuery);
result.next();
/* START BAD CODE -----*/
String event = username + " started listening to " + blabberUsername + "(" + result.getString(1) + ")";
sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (\"" + username + "\", \"" + event + "\")";
- logger.info(sqlQuery);
+ logger.info(StringEscapeUtils.escapeJava(sqlQuery));
sqlStatement.execute(sqlQuery);
/* END BAD CODE */
} catch (SQLException e) {
Caution Breaking Flaws identified in code! Fixes for src/main/java/com/veracode/verademo/controller/ResetController.java: Fix suggestions:
--- src/main/java/com/veracode/verademo/controller/ResetController.java
+++ src/main/java/com/veracode/verademo/controller/ResetController.java
@@ -26,6 +26,9 @@
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
+import org.apache.commons.text.StringEscapeUtils;
+import org.apache.commons.lang3.StringUtils;
+import java.net.URLEncoder;
@Controller
@Scope("request")
@@ -106,7 +109,7 @@
usersStatement = connect.prepareStatement(
"INSERT INTO users (username, password, password_hint, created_at, last_login, real_name, blab_name) values (?, ?, ?, ?, ?, ?, ?);");
for (int i = 0; i < users.length; i++) {
- logger.info("Adding user " + users[i].getUserName());
+ logger.info("Adding user " + StringUtils.normalizeSpace(users[i].getUserName()));
usersStatement.setString(1, users[i].getUserName());
usersStatement.setString(2, users[i].getPassword());
usersStatement.setString(3, users[i].getPasswordHint());
@@ -129,7 +132,7 @@
String blabber = users[i].getUserName();
String listener = users[j].getUserName();
- logger.info("Adding " + listener + " as a listener of " + blabber);
+ logger.info("Adding " + StringEscapeUtils.escapeJava(listener) + " as a listener of " + blabber);
listenersStatement.setString(1, blabber);
listenersStatement.setString(2, listener);
@@ -156,7 +159,7 @@
long vary = rand.nextInt(30 * 24 * 3600);
String username = users[randomUserOffset].getUserName();
- logger.info("Adding a blab for " + username);
+ logger.info("Adding a blab for " + StringEscapeUtils.escapeJava(username));
blabsStatement.setString(1, username);
blabsStatement.setString(2, blabContent);
@@ -190,8 +193,8 @@
// get the number or seconds until some time in the last 30 days.
long vary = rand.nextInt(30 * 24 * 3600);
- logger.info("Adding a comment from " + username + " on blab ID " + String.valueOf(i));
- logger.info("Adding another comment from " + username + " on blab ID " + String.valueOf(i));
+ logger.info("Adding a comment from " + username + " on blab ID " + String.valueOf(URLEncoder.encode(i.toString())));
+ logger.info("Adding another comment from " + username + " on blab ID " + String.valueOf(URLEncoder.encode(i.toString())));
commentsStatement.setInt(1, i);
commentsStatement.setString(2, username);
commentsStatement.setString(3, comment);
Caution Breaking Flaws identified in code! Fixes for src/main/java/com/veracode/verademo/controller/UserController.java: Fix suggestions:
--- src/main/java/com/veracode/verademo/controller/UserController.java
+++ src/main/java/com/veracode/verademo/controller/UserController.java
@@ -50,6 +50,8 @@
import com.veracode.verademo.utils.Constants;
import com.veracode.verademo.utils.User;
import com.veracode.verademo.utils.UserFactory;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.text.StringEscapeUtils;
/**
* @author johnadmin
@@ -227,7 +229,7 @@
}
// Redirect to the appropriate place based on login actions above
- logger.info("Redirecting to view: " + nextView);
+ logger.info("Redirecting to view: " + StringUtils.normalizeSpace(nextView));
return nextView;
}
@@ -235,7 +237,7 @@
@ResponseBody
public String showPasswordHint(String username)
{
- logger.info("Entering password-hint with username: " + username);
+ logger.info("Entering password-hint with username: " + StringEscapeUtils.escapeJava(username));
if (username == null || username.isEmpty()) {
return "No username provided, please type in your username first";
@@ -247,13 +249,13 @@
Connection connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
String sql = "SELECT password_hint FROM users WHERE username = '" + username + "'";
- logger.info(sql);
+ logger.info(StringEscapeUtils.escapeJava(sql));
Statement statement = connect.createStatement();
ResultSet result = statement.executeQuery(sql);
if (result.first()) {
String password= result.getString("password_hint");
String formatString = "Username '" + username + "' has password: %.2s%s";
- logger.info(formatString);
+ logger.info(StringUtils.normalizeSpace(formatString));
return String.format(
formatString,
password,
@@ -383,7 +385,7 @@
sqlStatement = connect.createStatement();
sqlStatement.execute(query.toString());
- logger.info(query.toString());
+ logger.info(StringUtils.normalizeSpace(query.toString()));
/* END BAD CODE */
emailUser(username);
@@ -491,7 +493,7 @@
/* START BAD CODE */
String sqlMyEvents = "select event from users_history where blabber=\"" + username
+ "\" ORDER BY eventid DESC; ";
- logger.info(sqlMyEvents);
+ logger.info(StringUtils.normalizeSpace(sqlMyEvents));
Statement sqlStatement = connect.createStatement();
ResultSet userHistoryResult = sqlStatement.executeQuery(sqlMyEvents);
/* END BAD CODE */
@@ -502,7 +504,7 @@
// Get the users information
String sql = "SELECT username, real_name, blab_name FROM users WHERE username = '" + username + "'";
- logger.info(sql);
+ logger.info(StringEscapeUtils.escapeJava(sql));
myInfo = connect.prepareStatement(sql);
ResultSet myInfoResults = myInfo.executeQuery();
myInfoResults.next();
@@ -656,7 +658,7 @@
String extension = file.getOriginalFilename().substring(file.getOriginalFilename().lastIndexOf("."));
String path = imageDir + username + extension;
- logger.info("Saving new profile image: " + path);
+ logger.info("Saving new profile image: " + StringUtils.normalizeSpace(path));
file.transferTo(new File(path)); // will delete any existing file first
}
@@ -692,7 +694,7 @@
String path = context.getRealPath("/resources/images") + File.separator + imageName;
- logger.info("Fetching profile image: " + path);
+ logger.info("Fetching profile image: " + StringUtils.normalizeSpace(path));
InputStream inputStream = null;
OutputStream outStream = null;
@@ -706,7 +708,7 @@
// set to binary type if MIME mapping not found
mimeType = "application/octet-stream";
}
- logger.info("MIME type: " + mimeType);
+ logger.info("MIME type: " + StringUtils.normalizeSpace(mimeType));
// Set content attributes for the response
response.setContentType(mimeType);
@@ -801,7 +803,7 @@
}
}
- logger.info("Username: " + username + " already exists. Try again.");
+ logger.info("Username: " + StringUtils.normalizeSpace(username) + " already exists. Try again.");
return true;
}
@@ -857,7 +859,7 @@
if (oldImage != null) {
String extension = oldImage.substring(oldImage.lastIndexOf("."));
- logger.info("Renaming profile image from " + oldImage + " to " + newUsername + extension);
+ logger.info("Renaming profile image from " + StringUtils.normalizeSpace(oldImage) + " to " + newUsername + extension);
String path = context.getRealPath("/resources/images") + File.separator;
File oldName = new File(path + oldImage);
Caution Breaking Flaws identified in code! Fixes for src/main/java/com/veracode/verademo/commands/IgnoreCommand.java: Fix suggestions:
--- src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
+++ src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
@@ -8,6 +8,8 @@
import org.apache.log4j.LogManager;
import org.apache.log4j.Logger;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.text.StringEscapeUtils;
public class IgnoreCommand implements BlabberCommand {
private static final Logger logger = LogManager.getLogger("VeraDemo:IgnoreCommand");
@@ -36,14 +38,14 @@
sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'";
Statement sqlStatement = connect.createStatement();
- logger.info(sqlQuery);
+ logger.info(StringUtils.normalizeSpace(sqlQuery));
ResultSet result = sqlStatement.executeQuery(sqlQuery);
result.next();
/* START BAD CODE */
String event = username + " is now ignoring " + blabberUsername + "(" + result.getString(1) + ")";
sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (\"" + username + "\", \"" + event + "\")";
- logger.info(sqlQuery);
+ logger.info(StringEscapeUtils.escapeJava(sqlQuery));
sqlStatement.execute(sqlQuery);
/* END BAD CODE */
} catch (SQLException e) {
Caution Breaking Flaws identified in code! Fixes for src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java: Fix suggestions:
--- src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
+++ src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java
@@ -8,6 +8,8 @@
import org.apache.log4j.LogManager;
import org.apache.log4j.Logger;
+import org.apache.commons.text.StringEscapeUtils;
+import org.apache.commons.lang3.StringUtils;
public class RemoveAccountCommand implements BlabberCommand {
private static final Logger logger = LogManager.getLogger("VeraDemo:RemoveAccountCommand");
@@ -36,18 +38,18 @@
sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername +"'";
Statement sqlStatement = connect.createStatement();
- logger.info(sqlQuery);
+ logger.info(StringUtils.normalizeSpace(sqlQuery));
ResultSet result = sqlStatement.executeQuery(sqlQuery);
result.next();
/* START BAD CODE ------*/
String event = "Removed account for blabber " + result.getString(1);
sqlQuery = "INSERT INTO users_history (blabber, event) VALUES ('" + blabberUsername + "', '" + event + "')";
- logger.info(sqlQuery);
+ logger.info(StringEscapeUtils.escapeJava(sqlQuery));
sqlStatement.execute(sqlQuery);
sqlQuery = "DELETE FROM users WHERE username = '" + blabberUsername + "'";
- logger.info(sqlQuery);
+ logger.info(StringUtils.normalizeSpace(sqlQuery));
sqlStatement.execute(sqlQuery);
/* END BAD CODE */
Caution Breaking Flaws identified in code! Fixes for src/main/java/com/veracode/verademo/controller/BlabController.java: Fix suggestions:
--- src/main/java/com/veracode/verademo/controller/BlabController.java
+++ src/main/java/com/veracode/verademo/controller/BlabController.java
@@ -27,6 +27,7 @@
import com.veracode.verademo.model.Blabber;
import com.veracode.verademo.model.Comment;
import com.veracode.verademo.utils.Constants;
+import org.apache.commons.lang3.StringUtils;
@Controller
@Scope("request")
@@ -483,7 +484,7 @@
connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
// Find the Blabbers
- logger.info(blabbersSql);
+ logger.info(StringUtils.normalizeSpace(blabbersSql));
blabberQuery = connect.prepareStatement(blabbersSql);
blabberQuery.setString(1, username);
blabberQuery.setString(2, username);
@@ -555,8 +556,8 @@
return nextView = "redirect:login?target=blabbers";
}
- logger.info("blabberUsername = " + blabberUsername);
- logger.info("command = " + command);
+ logger.info("blabberUsername = " + StringUtils.normalizeSpace(blabberUsername));
+ logger.info("command = " + StringUtils.normalizeSpace(command));
Connection connect = null;
PreparedStatement action = null;
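Review bot: In the first hunk, `StringUtils.normalizeSpace(blabbersSql)` wraps a query that the next three lines bind through `prepareStatement` and `setString(1, username)` / `setString(2, username)`, so unless `blabbersSql` is assembled from request data somewhere outside the hunk, the logged text is a fixed template with no untrusted content and the wrapper changes nothing about log forging; either leave that line as `logger.info(blabbersSql);` or add `// blabbersSql is a parameterised template; bound values are not logged` so the next reader does not look for an input there. The second hunk is where request-derived values reach the log, and `normalizeSpace` on `blabberUsername` and `command` does neutralise CR/LF; it also collapses interior whitespace, so two `command` values that differ only in spacing are logged identically — if `command` later selects an action (outside the hunk), `StringEscapeUtils.escapeJava(command)` keeps the logged value distinguishable while still encoding line breaks. Both enclosing methods start outside the hunks.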
Caution Breaking Flaws identified in code! Fixes for src/main/java/com/veracode/verademo/commands/ListenCommand.java: Fix suggestions:
--- src/main/java/com/veracode/verademo/commands/ListenCommand.java
+++ src/main/java/com/veracode/verademo/commands/ListenCommand.java
@@ -8,6 +8,8 @@
import org.apache.log4j.LogManager;
import org.apache.log4j.Logger;
+import org.apache.commons.text.StringEscapeUtils;
+import org.apache.commons.lang3.StringUtils;
public class ListenCommand implements BlabberCommand {
private static final Logger logger = LogManager.getLogger("VeraDemo:ListenCommand");
@@ -36,14 +38,14 @@
sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'";
Statement sqlStatement = connect.createStatement();
- logger.info(sqlQuery);
+ logger.info(StringUtils.normalizeSpace(sqlQuery));
ResultSet result = sqlStatement.executeQuery(sqlQuery);
result.next();
/* START BAD CODE -----*/
String event = username + " started listening to " + blabberUsername + "(" + result.getString(1) + ")";
sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (\"" + username + "\", \"" + event + "\")";
- logger.info(sqlQuery);
+ logger.info(StringEscapeUtils.escapeJava(sqlQuery));
sqlStatement.execute(sqlQuery);
/* END BAD CODE */
} catch (SQLException e) {
Caution Breaking Flaws identified in code! Fixes for src/main/java/com/veracode/verademo/controller/ResetController.java: Fix suggestions:
--- src/main/java/com/veracode/verademo/controller/ResetController.java
+++ src/main/java/com/veracode/verademo/controller/ResetController.java
@@ -26,6 +26,8 @@
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.text.StringEscapeUtils;
@Controller
@Scope("request")
@@ -106,7 +108,7 @@
usersStatement = connect.prepareStatement(
"INSERT INTO users (username, password, password_hint, created_at, last_login, real_name, blab_name) values (?, ?, ?, ?, ?, ?, ?);");
for (int i = 0; i < users.length; i++) {
- logger.info("Adding user " + users[i].getUserName());
+ logger.info("Adding user " + StringUtils.normalizeSpace(users[i].getUserName()));
usersStatement.setString(1, users[i].getUserName());
usersStatement.setString(2, users[i].getPassword());
usersStatement.setString(3, users[i].getPasswordHint());
@@ -129,7 +131,7 @@
String blabber = users[i].getUserName();
String listener = users[j].getUserName();
- logger.info("Adding " + listener + " as a listener of " + blabber);
+ logger.info("Adding " + StringUtils.normalizeSpace(listener) + " as a listener of " + blabber);
listenersStatement.setString(1, blabber);
listenersStatement.setString(2, listener);
@@ -156,7 +158,7 @@
long vary = rand.nextInt(30 * 24 * 3600);
String username = users[randomUserOffset].getUserName();
- logger.info("Adding a blab for " + username);
+ logger.info("Adding a blab for " + StringEscapeUtils.escapeJava(username));
blabsStatement.setString(1, username);
blabsStatement.setString(2, blabContent);
@@ -190,8 +192,8 @@
// get the number or seconds until some time in the last 30 days.
long vary = rand.nextInt(30 * 24 * 3600);
- logger.info("Adding a comment from " + username + " on blab ID " + String.valueOf(i));
- logger.info("Adding another comment from " + username + " on blab ID " + String.valueOf(i));
+ logger.info("Adding a comment from " + username + " on blab ID " + String.valueOf(StringEscapeUtils.escapeJava(i)));
+ logger.info("Adding another comment from " + username + " on blab ID " + String.valueOf(StringEscapeUtils.escapeJava(i)));
commentsStatement.setInt(1, i);
commentsStatement.setString(2, username);
commentsStatement.setString(3, comment);
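Review bot: The two comment log lines in the last hunk call `StringEscapeUtils.escapeJava(i)` on the loop counter, which the following `commentsStatement.setInt(1, i)` shows is an `int`; `escapeJava` has no `int` overload, so this does not compile, and the value on those lines that warranted escaping, `username`, is left untouched. They should read `logger.info("Adding a comment from " + StringEscapeUtils.escapeJava(username) + " on blab ID " + i);` and the same for the "another comment" message. The listener hunk has the same selective treatment — `listener` is normalised but `blabber` is not, although both come from `getUserName()` two lines earlier — and the first and blab hunks apply different helpers (`normalizeSpace` versus `escapeJava`) to that same getter's value; using `escapeJava` throughout keeps the logged text faithful to the input while still encoding CR/LF. The `users` array here appears to be seed data loaded by the reset flow rather than request input, so the practical exposure looks lower than in the request handlers, but the compile error blocks the PR regardless. The enclosing method starts outside the hunks.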
No description provided.