PatchWork AutoFix

WebContent/high_yield_investments.htm

@@ -124,7 +124,8 @@ <h1>High Yield Investments</h1>
         if any, to third party products and/or websites are purely coincidental. This site is
         provided "as is" without warranty of any kind, either express or implied. Watchfire does
         not assume any risk in relation to your use of this website. For additional Terms of Use,
-        please go to <a id="_ctl0__ctl0_HyperLink7" href="http://www.watchfire.com/statements/terms.aspx">http://www.watchfire.com/statements/terms.aspx</a>.<br /><br />
+        please go to <a id="_ctl0__ctl0_HyperLink7" href="https://www.watchfire.com/statements/terms.aspx">https://www.watchfire.com/statements/terms.aspx</a>.<br /><br />
+
 
         Copyright &copy; 2006, Watchfire Corporation, All rights reserved.
     </div>

WebContent/static/inside_about.htm

@@ -9,7 +9,7 @@ <h1>About Altoro Mutual</h1>
 <ul>
     <li><a href="index.jsp?content=inside_executives.htm">Executives & Management Team</a></li>
     <li><a href="index.jsp?content=inside_community.htm">Community Affairs</a></li>
-    <li><a href="http://www.newspapersyndications.tv">Analyst Reviews</a></li>
+    <li><a href="https://www.altoro.com/analyst-reviews">Analyst Reviews</a></li>
     <li><a href="inside_points_of_interest.htm">Points of Interest</a></li>
 </ul>
 
@@ -22,4 +22,4 @@ <h1>About Altoro Mutual</h1>
 <span class="credit">
 Altoro Mutual offers a broad range of commercial, private, retail and mortgage banking services to small- and middle-market businesses and individuals.</span>
 
-</div>
+</div>

WebContent/static/inside_community.htm

@@ -12,6 +12,6 @@ <h2>Summer 2006</h2>
 <p>The 2006 community efforts of Altoro Mutual and our employees is quite impressive including charitable contributions, volunteerism, diversity initiatives, and other support.  <a href="pr/communityannualreport.pdf">View</a> the summary report (PDF, 800KB).</p>
 
 <p><img src="images/adobe.gif" border=0 alt="Adobe Reader"><br />
-<a href="http://www.adobe.com/products/acrobat/readstep2.html">Download free Adobe Reader</a>.</p>
+<a href="https://www.adobe.com/products/acrobat/readstep2.html">Download free Adobe Reader</a>.</p>
 
-</div>
+</div>

WebContent/static/security.htm

@@ -56,7 +56,8 @@ <h2>Keep Your System Up to Date</h2>
 <h2>Backups</h2>
 <p>It is a good practice to back up important files and folders on your computer. To back up files, you can make copies onto media that you can safely store elsewhere, such as CDs or floppy discs. </p>
 
-<p>For more information on home computer security, visit <a href="http://www.cert.org/">http://www.cert.org/</a>.</p>
+<p>For more information on home computer security, visit <a href="https://www.cert.org/">https://www.cert.org/</a>.</p>
+
 <p><a href="#top"><img alt="Back to Top" src="images/icon_top.gif" border="0" /></a>
 
 </div>

WebContent/swagger/lib/marked.js

@@ -308,7 +308,7 @@ Lexer.prototype.token = function(src, top, bq) {
         if (~item.indexOf('\n ')) {
           space -= item.length;
           item = !this.options.pedantic
-            ? item.replace(new RegExp('^ {1,' + space + '}', 'gm'), '')
+            ? item.replace(/^ {1,}/gm, '')
             : item.replace(/^ {1,4}/gm, '');
         }
 
@@ -1099,14 +1099,15 @@ function replace(regex, opt) {
   regex = regex.source;
   opt = opt || '';
   return function self(name, val) {
-    if (!name) return new RegExp(regex, opt);
+    if (!name) return new RegExp(/^[a-z0-9]+$/, opt);
     val = val.source || val;
     val = val.replace(/(^|[^\[])\^/g, '$1');
     regex = regex.replace(name, val);
     return self;
   };
 }
 
+
 function noop() {}
 noop.exec = noop;
 

src/com/ibm/security/appscan/altoromutual/servlet/AdminServlet.java

@@ -121,3 +121,4 @@ else if (request.getRequestURL().toString().endsWith("changePassword")){
 	}
 
 }
+

src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java

@@ -92,6 +92,8 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
 		//Handle the cookie using ServletUtil.establishSession(String)
 		try{
 			Cookie accountCookie = ServletUtil.establishSession(username,session);
+			accountCookie.setHttpOnly(true);
+			accountCookie.setSecure(true);
 			response.addCookie(accountCookie);
 			response.sendRedirect(request.getContextPath()+"/bank/main.jsp");
 			}
@@ -105,3 +107,4 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
 	}
 
 }
+

src/com/ibm/security/appscan/altoromutual/servlet/SurveyServlet.java

@@ -95,10 +95,11 @@ else if (step.equals("done")){
 			content = "<h1>Request Out of Order</h1>"+
 			"<div width=\"99%\"><p>It appears that you attempted to skip or repeat some areas of this survey.  Please <a href=\"survey_questions.jsp\">return to the start page</a> to begin again.</p></div>";
 		} else {		
-			request.getSession().setAttribute("surveyStep", step);
+			request.getSession().setAttribute("surveyStep", org.owasp.esapi.ESAPI.encoder().canonicalize(step));
 		}
 		response.setContentType("text/html");
-		response.getWriter().write(content);
+		response.getWriter().write(org.owasp.esapi.ESAPI.encoder().encodeForHTML(content));
+
 		response.getWriter().flush();
 
 	}

src/com/ibm/security/appscan/altoromutual/util/DBUtil.java

@@ -214,9 +214,10 @@ public static boolean isValidUser(String user, String password) throws SQLExcept
 			return false; 
 
 		Connection connection = getConnection();
-		Statement statement = connection.createStatement();
-
-		ResultSet resultSet =statement.executeQuery("SELECT COUNT(*)FROM PEOPLE WHERE USER_ID = '"+ user +"' AND PASSWORD='" + password + "'"); /* BAD - user input should always be sanitized */
+		PreparedStatement statement = connection.prepareStatement("SELECT COUNT(*) FROM PEOPLE WHERE USER_ID = ? AND PASSWORD = ?");
+		statement.setString(1, user);
+		statement.setString(2, password);
+		ResultSet resultSet = statement.executeQuery();
 
 		if (resultSet.next()){
 
@@ -225,6 +226,7 @@ public static boolean isValidUser(String user, String password) throws SQLExcept
 		}
 		return false;
 	}
+
 
 
 	/**
@@ -238,8 +240,9 @@ public static User getUserInfo(String username) throws SQLException{
 			return null; 
 
 		Connection connection = getConnection();
-		Statement statement = connection.createStatement();
-		ResultSet resultSet =statement.executeQuery("SELECT FIRST_NAME,LAST_NAME,ROLE FROM PEOPLE WHERE USER_ID = '"+ username +"' "); /* BAD - user input should always be sanitized */
+		PreparedStatement statement = connection.prepareStatement("SELECT FIRST_NAME,LAST_NAME,ROLE FROM PEOPLE WHERE USER_ID = ?");
+		statement.setString(1, username);
+		ResultSet resultSet = statement.executeQuery();
 
 		String firstName = null;
 		String lastName = null;
@@ -261,6 +264,7 @@ public static User getUserInfo(String username) throws SQLException{
 		return user;
 	}
 
+
 	/**
 	 * Get all accounts for the specified user
 	 * @param username
@@ -272,8 +276,9 @@ public static Account[] getAccounts(String username) throws SQLException{
 			return null; 
 
 		Connection connection = getConnection();
-		Statement statement = connection.createStatement();
-		ResultSet resultSet =statement.executeQuery("SELECT ACCOUNT_ID, ACCOUNT_NAME, BALANCE FROM ACCOUNTS WHERE USERID = '"+ username +"' "); /* BAD - user input should always be sanitized */
+		PreparedStatement statement = connection.prepareStatement("SELECT ACCOUNT_ID, ACCOUNT_NAME, BALANCE FROM ACCOUNTS WHERE USERID = ?");
+		statement.setString(1, username);
+		ResultSet resultSet =statement.executeQuery();
 
 		ArrayList<Account> accounts = new ArrayList<Account>(3);
 		while (resultSet.next()){
@@ -287,6 +292,7 @@ public static Account[] getAccounts(String username) throws SQLException{
 		return accounts.toArray(new Account[accounts.size()]);
 	}
 
+
 	/**
 	 * Transfer funds between specified accounts
 	 * @param username
@@ -302,8 +308,7 @@ public static String transferFunds(String username, long creditActId, long debit
 			User user = getUserInfo(username);
 
 			Connection connection = getConnection();
-			Statement statement = connection.createStatement();
-
+
 			Account debitAccount = Account.getAccount(debitActId);
 			Account creditAccount = Account.getAccount(creditActId);
 
@@ -332,8 +337,16 @@ public static String transferFunds(String username, long creditActId, long debit
 				debitAmount = -debitAmount;
 
 			//create transaction record
-			statement.execute("INSERT INTO TRANSACTIONS (ACCOUNTID, DATE, TYPE, AMOUNT) VALUES ("+debitAccount.getAccountId()+",'"+date+"',"+((debitAccount.getAccountId() == userCC)?"'Cash Advance'":"'Withdrawal'")+","+debitAmount+")," +
-					  "("+creditAccount.getAccountId()+",'"+date+"',"+((creditAccount.getAccountId() == userCC)?"'Payment'":"'Deposit'")+","+creditAmount+")"); 	
+			PreparedStatement stmt = connection.prepareStatement("INSERT INTO TRANSACTIONS (ACCOUNTID, DATE, TYPE, AMOUNT) VALUES (?, ?, ?, ?), (?, ?, ?, ?)");
+			stmt.setLong(1, debitAccount.getAccountId());
+			stmt.setTimestamp(2, date);
+			stmt.setString(3, (debitAccount.getAccountId() == userCC)?"Cash Advance":"Withdrawal");
+			stmt.setDouble(4, debitAmount);
+			stmt.setLong(5, creditAccount.getAccountId());
+			stmt.setTimestamp(6, date);
+			stmt.setString(7, (creditAccount.getAccountId() == userCC)?"Payment":"Deposit");
+			stmt.setDouble(8, creditAmount);
+			stmt.execute();
 
 			Log4AltoroJ.getInstance().logTransaction(debitAccount.getAccountId()+" - "+ debitAccount.getAccountName(), creditAccount.getAccountId()+" - "+ creditAccount.getAccountName(), amount);
 
@@ -342,14 +355,25 @@ public static String transferFunds(String username, long creditActId, long debit
 
 			//add cash advance fee since the money transfer was made from the credit card 
 			if (debitAccount.getAccountId() == userCC){
-				statement.execute("INSERT INTO TRANSACTIONS (ACCOUNTID, DATE, TYPE, AMOUNT) VALUES ("+debitAccount.getAccountId()+",'"+date+"','Cash Advance Fee',"+CASH_ADVANCE_FEE+")");
+				PreparedStatement stmt2 = connection.prepareStatement("INSERT INTO TRANSACTIONS (ACCOUNTID, DATE, TYPE, AMOUNT) VALUES (?, ?, ?, ?)");
+				stmt2.setLong(1, debitAccount.getAccountId());
+				stmt2.setTimestamp(2, date);
+				stmt2.setString(3, "Cash Advance Fee");
+				stmt2.setDouble(4, CASH_ADVANCE_FEE);
+				stmt2.execute();
 				debitAmount += CASH_ADVANCE_FEE;
 				Log4AltoroJ.getInstance().logTransaction(String.valueOf(userCC), "N/A", CASH_ADVANCE_FEE);
 			}
 
 			//update account balances
-			statement.execute("UPDATE ACCOUNTS SET BALANCE = " + (debitAccount.getBalance()+debitAmount) + " WHERE ACCOUNT_ID = " + debitAccount.getAccountId());
-			statement.execute("UPDATE ACCOUNTS SET BALANCE = " + (creditAccount.getBalance()+creditAmount) + " WHERE ACCOUNT_ID = " + creditAccount.getAccountId());
+			PreparedStatement stmt3 = connection.prepareStatement("UPDATE ACCOUNTS SET BALANCE = ? WHERE ACCOUNT_ID = ?");
+			stmt3.setDouble(1, debitAccount.getBalance()+debitAmount);
+			stmt3.setLong(2, debitAccount.getAccountId());
+			stmt3.execute();
+			PreparedStatement stmt4 = connection.prepareStatement("UPDATE ACCOUNTS SET BALANCE = ? WHERE ACCOUNT_ID = ?");
+			stmt4.setDouble(1, creditAccount.getBalance()+creditAmount);
+			stmt4.setLong(2, creditAccount.getAccountId());
+			stmt4.execute();
 
 			return null;
 
@@ -359,6 +383,7 @@ public static String transferFunds(String username, long creditActId, long debit
 	}
 
 
+
 	/**
 	 * Get transaction information for the specified accounts in the date range (non-inclusive of the dates)
 	 * @param startDate
@@ -375,7 +400,7 @@ public static Transaction[] getTransactions(String startDate, String endDate, Ac
 			Connection connection = getConnection();
 
 
-			Statement statement = connection.createStatement();
+			PreparedStatement statement = connection.prepareStatement("SELECT * FROM TRANSACTIONS WHERE (ACCOUNTID = ?)");
 
 			if (rowCount > 0)
 				statement.setMaxRows(rowCount);
@@ -389,11 +414,11 @@ public static Transaction[] getTransactions(String startDate, String endDate, Ac
 			String dateString = null;
 
 			if (startDate != null && startDate.length()>0 && endDate != null && endDate.length()>0){
-				dateString = "DATE BETWEEN '" + startDate + " 00:00:00' AND '" + endDate + " 23:59:59'";
+				dateString = "DATE BETWEEN ? AND ?";
 			} else if (startDate != null && startDate.length()>0){
-				dateString = "DATE > '" + startDate +" 00:00:00'";
+				dateString = "DATE > ?";
 			} else if (endDate != null && endDate.length()>0){
-				dateString = "DATE < '" + endDate + " 23:59:59'";
+				dateString = "DATE < ?";
 			}
 
 			String query = "SELECT * FROM TRANSACTIONS WHERE (" + acctIds.toString() + ") " + ((dateString==null)?"": "AND (" + dateString + ") ") + "ORDER BY DATE DESC" ;
@@ -421,6 +446,7 @@ public static Transaction[] getTransactions(String startDate, String endDate, Ac
 			return transactions.toArray(new Transaction[transactions.size()]); 
 	}
 
+
 	public static String[] getBankUsernames() {
 
 		try {
@@ -447,8 +473,9 @@ public static String[] getBankUsernames() {
 	public static Account getAccount(long accountNo) throws SQLException {
 
 		Connection connection = getConnection();
-		Statement statement = connection.createStatement();
-		ResultSet resultSet =statement.executeQuery("SELECT ACCOUNT_NAME, BALANCE FROM ACCOUNTS WHERE ACCOUNT_ID = "+ accountNo +" "); /* BAD - user input should always be sanitized */
+		PreparedStatement statement = connection.prepareStatement("SELECT ACCOUNT_NAME, BALANCE FROM ACCOUNTS WHERE ACCOUNT_ID = ?"); /* GOOD - using prepared statement */
+		statement.setLong(1, accountNo);
+		ResultSet resultSet = statement.executeQuery();
 
 		ArrayList<Account> accounts = new ArrayList<Account>(3);
 		while (resultSet.next()){
@@ -464,59 +491,82 @@ public static Account getAccount(long accountNo) throws SQLException {
 		return accounts.get(0);
 	}
 
+
 	public static String addAccount(String username, String acctType) {
 		try {
 			Connection connection = getConnection();
-			Statement statement = connection.createStatement();
-			statement.execute("INSERT INTO ACCOUNTS (USERID,ACCOUNT_NAME,BALANCE) VALUES ('"+username+"','"+acctType+"', 0)");
+			PreparedStatement statement = connection.prepareStatement("INSERT INTO ACCOUNTS (USERID,ACCOUNT_NAME,BALANCE) VALUES (?, ?, 0)");
+			statement.setString(1, username);
+			statement.setString(2, acctType);
+			statement.execute();
 			return null;
 		} catch (SQLException e){
 			return e.toString();
 		}
 	}
+
 
 	public static String addSpecialUser(String username, String password, String firstname, String lastname) {
 		try {
 			Connection connection = getConnection();
-			Statement statement = connection.createStatement();
-			statement.execute("INSERT INTO SPECIAL_CUSTOMERS (USER_ID,PASSWORD,FIRST_NAME,LAST_NAME,ROLE) VALUES ('"+username+"','"+password+"', '"+firstname+"', '"+lastname+"','user')");
+			PreparedStatement statement = connection.prepareStatement("INSERT INTO SPECIAL_CUSTOMERS (USER_ID,PASSWORD,FIRST_NAME,LAST_NAME,ROLE) VALUES (?,?,?,?,?)");
+			statement.setString(1, username);
+			statement.setString(2, password);
+			statement.setString(3, firstname);
+			statement.setString(4, lastname);
+			statement.setString(5, "user");
+			statement.execute();
 			return null;
 		} catch (SQLException e){
 			return e.toString();
 
 		}
 	}
+
 
 	public static String addUser(String username, String password, String firstname, String lastname) {
 		try {
 			Connection connection = getConnection();
-			Statement statement = connection.createStatement();
-			statement.execute("INSERT INTO PEOPLE (USER_ID,PASSWORD,FIRST_NAME,LAST_NAME,ROLE) VALUES ('"+username+"','"+password+"', '"+firstname+"', '"+lastname+"','user')");
+			PreparedStatement statement = connection.prepareStatement("INSERT INTO PEOPLE (USER_ID,PASSWORD,FIRST_NAME,LAST_NAME,ROLE) VALUES (?,?,?,?,?)");
+			statement.setString(1, username);
+			statement.setString(2, password);
+			statement.setString(3, firstname);
+			statement.setString(4, lastname);
+			statement.setString(5, "user");
+			statement.execute();
 			return null;
 		} catch (SQLException e){
 			return e.toString();
 
 		}
 	}
+
 
 	public static String changePassword(String username, String password) {
 		try {
 			Connection connection = getConnection();
-			Statement statement = connection.createStatement();
-			statement.execute("UPDATE PEOPLE SET PASSWORD = '"+ password +"' WHERE USER_ID = '"+username+"'");
+			PreparedStatement statement = connection.prepareStatement("UPDATE PEOPLE SET PASSWORD = ? WHERE USER_ID = ?");
+			statement.setString(1, password);
+			statement.setString(2, username);
+			statement.execute();
 			return null;
 		} catch (SQLException e){
 			return e.toString();
 
 		}
 	}
 
+
 
 	public static long storeFeedback(String name, String email, String subject, String comments) {
 		try{ 
 			Connection connection = getConnection();
-			Statement statement = connection.createStatement();
-			statement.execute("INSERT INTO FEEDBACK (NAME,EMAIL,SUBJECT,COMMENTS) VALUES ('"+name+"', '"+email+"', '"+subject+"', '"+comments+"')", Statement.RETURN_GENERATED_KEYS);
+			PreparedStatement statement = connection.prepareStatement("INSERT INTO FEEDBACK (NAME,EMAIL,SUBJECT,COMMENTS) VALUES (?,?,?,?)", Statement.RETURN_GENERATED_KEYS);
+			statement.setString(1, name);
+			statement.setString(2, email);
+			statement.setString(3, subject);
+			statement.setString(4, comments);
+			statement.execute();
 			ResultSet rs= statement.getGeneratedKeys();
 			long id = -1;
 			if (rs.next()){
@@ -528,4 +578,5 @@ public static long storeFeedback(String name, String email, String subject, Stri
 			return -1;
 		}
 	}
+
 }

src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java

@@ -145,10 +145,11 @@ public static User getUser(HttpServletRequest request) throws SQLException{
 
 	public static String makeRandomString() {
 	    byte[] array = new byte[7]; // length is bounded by 7
-	    new Random().nextBytes(array);
+	    new SecureRandom().nextBytes(array);
 	    String generatedString = new String(array, Charset.forName("UTF-8"));
 
 	    return generatedString;
 	}
 
  }
+