Patched src/main/java/io/shiftleft/controller/AdminController.java

patched.codes[bot] · patched.codes[bot] · commit 3f70ace5c876 · 2024-05-02T11:11:56.000+08:00
diff --git a/src/main/java/io/shiftleft/controller/AdminController.java b/src/main/java/io/shiftleft/controller/AdminController.java
@@ -20,34 +20,30 @@
 import org.springframework.web.bind.annotation.RequestMethod;
 
 
-/**
- * Admin checks login
- */
 @Controller
 public class AdminController {
   private String fail = "redirect:/";
 
-  // helper
-  private boolean isAdmin(String auth)
-  {
+  private boolean isAdmin(String auth) {
     try {
       ByteArrayInputStream bis = new ByteArrayInputStream(Base64.getDecoder().decode(auth));
       ObjectInputStream objectInputStream = new ObjectInputStream(bis);
       Object authToken = objectInputStream.readObject();
-      return ((AuthToken) authToken).isAdmin();
+      if (authToken instanceof AuthToken) {
+        return ((AuthToken) authToken).isAdmin();
+      }
+      return false;
     } catch (Exception ex) {
-      System.out.println(" cookie cannot be deserialized: "+ex.getMessage());
+      System.out.println(" cookie cannot be deserialized: " + ex.getMessage());
       return false;
     }
   }
 
-  //
   @RequestMapping(value = "/admin/printSecrets", method = RequestMethod.POST)
   public String doPostPrintSecrets(HttpServletResponse response, HttpServletRequest request) {
     return fail;
   }
 
-
   @RequestMapping(value = "/admin/printSecrets", method = RequestMethod.GET)
   public String doGetPrintSecrets(@CookieValue(value = "auth", defaultValue = "notset") String auth, HttpServletResponse response, HttpServletRequest request) throws Exception {
 
@@ -56,7 +52,7 @@ public String doGetPrintSecrets(@CookieValue(value = "auth", defaultValue = "not
     }
 
     String authToken = request.getSession().getAttribute("auth").toString();
-    if(!isAdmin(authToken)) {
+    if (!isAdmin(authToken)) {
       return fail;
     }
 
@@ -67,71 +63,45 @@ public String doGetPrintSecrets(@CookieValue(value = "auth", defaultValue = "not
       return null;
     } catch (IOException ex) {
       ex.printStackTrace();
-      // redirect to /
       return fail;
     }
   }
 
-  /**
-   * Handle login attempt
-   * @param auth cookie value base64 encoded
-   * @param password hardcoded value
-   * @param response -
-   * @param request -
-   * @return redirect to company numbers
-   * @throws Exception
-   */
   @RequestMapping(value = "/admin/login", method = RequestMethod.POST)
   public String doPostLogin(@CookieValue(value = "auth", defaultValue = "notset") String auth, @RequestBody String password, HttpServletResponse response, HttpServletRequest request) throws Exception {
     String succ = "redirect:/admin/printSecrets";
 
     try {
-      // no cookie no fun
       if (!auth.equals("notset")) {
-        if(isAdmin(auth)) {
-          request.getSession().setAttribute("auth",auth);
+        if (isAdmin(auth)) {
+          request.getSession().setAttribute("auth", auth);
           return succ;
         }
       }
 
-      // split password=value
       String[] pass = password.split("=");
-      if(pass.length!=2) {
+      if (pass.length != 2) {
         return fail;
       }
-      // compare pass
-      if(pass[1] != null && pass[1].length()>0 && pass[1].equals("shiftleftsecret"))
-      {
+      if (pass[1] != null && pass[1].length() > 0 && pass[1].equals("shiftleftsecret")) {
         AuthToken authToken = new AuthToken(AuthToken.ADMIN);
         ByteArrayOutputStream bos = new ByteArrayOutputStream();
         ObjectOutputStream oos = new ObjectOutputStream(bos);
         oos.writeObject(authToken);
         String cookieValue = new String(Base64.getEncoder().encode(bos.toByteArray()));
-        response.addCookie(new Cookie("auth", cookieValue ));
+        Cookie authCookie = new Cookie("auth", cookieValue);
+        authCookie.setHttpOnly(true);
+        authCookie.setSecure(true);
+        response.addCookie(authCookie);
 
-        // cookie is lost after redirection
-        request.getSession().setAttribute("auth",cookieValue);
+        request.getSession().setAttribute("auth", cookieValue);
 
         return succ;
       }
       return fail;
-    }
-    catch (Exception ex)
-    {
+    } catch (Exception ex) {
       ex.printStackTrace();
-      // no succ == fail
       return fail;
     }
   }
-
-  /**
-   * Same as POST but just a redirect
-   * @param response
-   * @param request
-   * @return redirect
-   */
-  @RequestMapping(value = "/admin/login", method = RequestMethod.GET)
-  public String doGetLogin(HttpServletResponse response, HttpServletRequest request) {
-    return "redirect:/";
-  }
 }
