Skip to content

Test2#3

Open
davewichers wants to merge 21 commits into
mainfrom
test1
Open

Test2#3
davewichers wants to merge 21 commits into
mainfrom
test1

Conversation

@davewichers

@davewichers davewichers commented Mar 29, 2024

Copy link
Copy Markdown
Owner

No description provided.

github-advanced-security[bot]
github-advanced-security AI found potential problems Mar 29, 2024
View reviewed changes
Comment thread src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00006.java

ProcessBuilder pb = new ProcessBuilder();

pb.command(argList);

Check failure

Code scanning / CodeQL

Uncontrolled command line

This command line depends on a [user-provided value](1).
github-advanced-security[bot]
github-advanced-security AI found potential problems Apr 9, 2024
View reviewed changes
Comment thread src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00007.java
} catch (IOException e) {
System.out.println("Problem executing cmdi - TestCase");
response.getWriter()
.println(org.owasp.esapi.ESAPI.encoder().encodeForHTML(e.getMessage()));

Check warning

Code scanning / CodeQL

Information exposure through a stack trace

[Error information](1) can be exposed to an external user.
Comment thread src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00008.java
try {
java.sql.Connection connection =
org.owasp.benchmark.helpers.DatabaseHelper.getSqlConnection();
java.sql.CallableStatement statement = connection.prepareCall(sql);

Check failure

Code scanning / CodeQL

Query built from user-controlled sources

This query depends on a [user-provided value](1).
Comment thread src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00009.java
Comment on lines +102 to +108
"Sensitive value '"
+ org.owasp
.esapi
.ESAPI
.encoder()
.encodeForHTML(new String(input))
+ "' hashed and stored<br/>");

Check warning

Code scanning / CodeQL

Cross-site scripting

Cross-site scripting vulnerability due to a [user-provided value](1).
Comment thread src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00010.java
Comment on lines +102 to +107
user
+ " has been remembered with cookie: "
+ rememberMe.getName()
+ " whose value is: "
+ rememberMe.getValue()
+ "<br/>");

Check warning

Code scanning / CodeQL

Cross-site scripting

Cross-site scripting vulnerability due to a [user-provided value](1). Cross-site scripting vulnerability due to a [user-provided value](2).
@davewichers

davewichers commented Apr 9, 2024

Copy link
Copy Markdown
Owner Author

@pixeebot next

@pixeebot

pixeebot Bot commented Apr 9, 2024

Copy link
Copy Markdown
Contributor

@davewichers, I don't have any suggestions at this time, but I am always learning, and I will let you know if anything comes up!

github-advanced-security[bot]
github-advanced-security AI found potential problems Apr 9, 2024
View reviewed changes
Comment thread src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00011.java
.encoder()
.encodeForHTML(fileTarget.toString())
+ "' created.");
if (fileTarget.exists()) {

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression

This path depends on a [user-provided value](1).
Comment thread src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00015.java

ProcessBuilder pb = new ProcessBuilder();

pb.command(argList);

Check failure

Code scanning / CodeQL

Uncontrolled command line

This command line depends on a [user-provided value](1).
Comment thread src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00013.java

response.setHeader("X-XSS-Protection", "0");
Object[] obj = {"a", "b"};
response.getWriter().format(java.util.Locale.US, param, obj);

Check failure

Code scanning / CodeQL

Use of externally-controlled format string

Format string depends on a [user-provided value](1).
Comment thread src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00014.java

response.setHeader("X-XSS-Protection", "0");
Object[] obj = {"a", "b"};
response.getWriter().format(param, obj);

Check failure

Code scanning / CodeQL

Use of externally-controlled format string

Format string depends on a [user-provided value](1).
Comment thread src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00012.java
(javax.naming.directory.InitialDirContext) ctx;
boolean found = false;
javax.naming.NamingEnumeration<javax.naming.directory.SearchResult> results =
idc.search(base, filter, filters, sc);

Check failure

Code scanning / CodeQL

LDAP query built from user-controlled sources

This LDAP query depends on a [user-provided value](1).
Comment thread src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00013.java

response.setHeader("X-XSS-Protection", "0");
Object[] obj = {"a", "b"};
response.getWriter().format(java.util.Locale.US, param, obj);

Check warning

Code scanning / CodeQL

Cross-site scripting

Cross-site scripting vulnerability due to a [user-provided value](1).
Comment thread src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00012.java
Comment on lines +93 to +94
"LDAP query results: nothing found for query: "
+ org.owasp.esapi.ESAPI.encoder().encodeForHTML(filter));

Check warning

Code scanning / CodeQL

Cross-site scripting

Cross-site scripting vulnerability due to a [user-provided value](1).
Comment thread src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00014.java

response.setHeader("X-XSS-Protection", "0");
Object[] obj = {"a", "b"};
response.getWriter().format(param, obj);

Check warning

Code scanning / CodeQL

Cross-site scripting

Cross-site scripting vulnerability due to a [user-provided value](1).
Comment thread src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00011.java
Comment on lines +57 to +63
"Access to file: '"
+ org.owasp
.esapi
.ESAPI
.encoder()
.encodeForHTML(fileTarget.toString())
+ "' created.");

Check warning

Code scanning / CodeQL

Cross-site scripting

Cross-site scripting vulnerability due to a [user-provided value](1).
@davewichers

davewichers commented Apr 9, 2024

Copy link
Copy Markdown
Owner Author

@pixeebot next

@pixeebot

pixeebot Bot commented Apr 9, 2024

Copy link
Copy Markdown
Contributor

@davewichers, I don't have any suggestions at this time, but I am always learning, and I will let you know if anything comes up!

davewichers and others added 2 commits April 9, 2024 16:56
@davewichers
Merge pull request #8 from davewichers/main
94ac178 
Backport changes from main into this branch
@davewichers
Add 5 more test cases.
e9017d3
github-advanced-security[bot]
github-advanced-security AI found potential problems Apr 10, 2024
View reviewed changes
Comment thread src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00017.java
} catch (IOException e) {
System.out.println("Problem executing cmdi - TestCase");
response.getWriter()
.println(org.owasp.esapi.ESAPI.encoder().encodeForHTML(e.getMessage()));

Check warning

Code scanning / CodeQL

Information exposure through a stack trace

[Error information](1) can be exposed to an external user.
Comment thread src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00020.java
response.getWriter()
.println(
"Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case");
e.printStackTrace(response.getWriter());

Check warning

Code scanning / CodeQL

Information exposure through a stack trace

[Error information](1) can be exposed to an external user.
Comment thread src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00020.java
response.getWriter()
.println(
"Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case");
e.printStackTrace(response.getWriter());

Check warning

Code scanning / CodeQL

Information exposure through a stack trace

[Error information](1) can be exposed to an external user.
Comment thread src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00020.java
response.getWriter()
.println(
"Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case");
e.printStackTrace(response.getWriter());

Check warning

Code scanning / CodeQL

Information exposure through a stack trace

[Error information](1) can be exposed to an external user.
Comment thread src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00020.java
response.getWriter()
.println(
"Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case");
e.printStackTrace(response.getWriter());

Check warning

Code scanning / CodeQL

Information exposure through a stack trace

[Error information](1) can be exposed to an external user.
Comment thread src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00019.java
javax.crypto.Cipher c = javax.crypto.Cipher.getInstance(algorithm);

// Prepare the cipher to encrypt
javax.crypto.SecretKey key = javax.crypto.KeyGenerator.getInstance("DES").generateKey();

Check failure

Code scanning / CodeQL

Use of a broken or risky cryptographic algorithm

Cryptographic algorithm [DES](1) is weak and should not be used.
Comment thread src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00020.java
javax.crypto.Cipher c =
javax.crypto.Cipher.getInstance("DES/CBC/PKCS5Padding", "SunJCE");
// Prepare the cipher to encrypt
javax.crypto.SecretKey key = javax.crypto.KeyGenerator.getInstance("DES").generateKey();

Check failure

Code scanning / CodeQL

Use of a broken or risky cryptographic algorithm

Cryptographic algorithm [DES](1) is weak and should not be used.
Comment thread src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00016.java
cookie.setHttpOnly(true);
cookie.setPath(request.getRequestURI()); // i.e., set path to JUST this servlet
// e.g., /benchmark/sql-01/BenchmarkTest01001
response.addCookie(cookie);

Check warning

Code scanning / CodeQL

HTTP response splitting

This header depends on a [user-provided value](1), which may cause a response-splitting vulnerability.
Comment thread src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00016.java
Comment on lines +79 to +81
"Created cookie: 'SomeCookie': with value: '"
+ org.owasp.esapi.ESAPI.encoder().encodeForHTML(str)
+ "' and secure flag set to: true");

Check warning

Code scanning / CodeQL

Cross-site scripting

Cross-site scripting vulnerability due to a [user-provided value](1).
Comment thread src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00020.java
Comment on lines +96 to +102
"Sensitive value: '"
+ org.owasp
.esapi
.ESAPI
.encoder()
.encodeForHTML(new String(input))
+ "' encrypted and stored<br/>");

Check warning

Code scanning / CodeQL

Cross-site scripting

Cross-site scripting vulnerability due to a [user-provided value](1).
@davewichers

davewichers commented Apr 10, 2024

Copy link
Copy Markdown
Owner Author

@pixeebot next

@pixeebot

pixeebot Bot commented Apr 10, 2024

Copy link
Copy Markdown
Contributor

@davewichers, I don't have any suggestions at this time, but I am always learning, and I will let you know if anything comes up!

github-advanced-security[bot]
github-advanced-security AI found potential problems May 1, 2024
View reviewed changes
Comment thread src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00021.java
// System.out.println("Filter " + filter);
boolean found = false;
javax.naming.NamingEnumeration<javax.naming.directory.SearchResult> results =
ctx.search(base, filter, filters, sc);

Check failure

Code scanning / CodeQL

LDAP query built from user-controlled sources

This LDAP query depends on a [user-provided value](1).
Comment thread src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00021.java
Comment on lines +84 to +85
"LDAP query results: nothing found for query: "
+ org.owasp.esapi.ESAPI.encoder().encodeForHTML(filter));

Check warning

Code scanning / CodeQL

Cross-site scripting

Cross-site scripting vulnerability due to a [user-provided value](1).
Comment thread src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00025.java
Comment on lines +58 to +59
"No results returned for query: "
+ org.owasp.esapi.ESAPI.encoder().encodeForHTML(sql));

Check warning

Code scanning / CodeQL

Cross-site scripting

Cross-site scripting vulnerability due to a [user-provided value](1).
Comment thread src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00022.java
Comment on lines +79 to +85
"Sensitive value '"
+ org.owasp
.esapi
.ESAPI
.encoder()
.encodeForHTML(new String(input))
+ "' hashed and stored<br/>");

Check warning

Code scanning / CodeQL

Cross-site scripting

Cross-site scripting vulnerability due to a [user-provided value](1).
Comment thread src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00023.java
Comment on lines +86 to +91
user
+ " has been remembered with cookie: "
+ rememberMe.getName()
+ " whose value is: "
+ rememberMe.getValue()
+ "<br/>");

Check warning

Code scanning / CodeQL

Cross-site scripting

Cross-site scripting vulnerability due to a [user-provided value](1). Cross-site scripting vulnerability due to a [user-provided value](2).
Comment thread src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00024.java
org.owasp.benchmark.helpers.DatabaseHelper.getSqlConnection();
java.sql.PreparedStatement statement =
connection.prepareStatement(
sql,

Check failure

Code scanning / CodeQL

Query built from user-controlled sources

This query depends on a [user-provided value](1).
Comment thread src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00025.java
// org.owasp.benchmark.helpers.DatabaseHelper.JDBCtemplate.queryForLong(sql);
Long results =
org.owasp.benchmark.helpers.DatabaseHelper.JDBCtemplate.queryForObject(
sql, Long.class);

Check failure

Code scanning / CodeQL

Query built from user-controlled sources

This query depends on a [user-provided value](1).
Comment thread src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00023.java
response.getWriter().println("Welcome back: " + user + "<br/>");
} else {
javax.servlet.http.Cookie rememberMe =
new javax.servlet.http.Cookie(cookieName, rememberMeKey);

Check failure

Code scanning / CodeQL

Insecure randomness

Potential Insecure randomness due to a [Insecure randomness source.](1).
@davewichers

davewichers commented May 2, 2024

Copy link
Copy Markdown
Owner Author

@pixeebot next

@pixeebot

pixeebot Bot commented May 2, 2024

Copy link
Copy Markdown
Contributor

@davewichers, I don't have any suggestions at this time, but I am always learning, and I will let you know if anything comes up!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@davewichers @github-advanced-security