PatchWork AutoFix

[CTY-git]

This pull request from patched fixes 6 issues.

---

• File changed: src/main/java/io/shiftleft/controller/CustomerController.java
  Fix path traversal vulnerability in saveSettings method

  - Added input validation to prevent path traversal vulnerability by using org.apache.commons.io.FilenameUtils.getName to only retrieve the file name from the path.

  • Changed the way the file path is constructed to avoid path manipulation.
  • Ensured strict file access controls and sanitized the input data.

• File changed: src/main/java/io/shiftleft/controller/AdminController.java
  Fix object deserialization vulnerability and add secure flag to cookies

  Fixed the object deserialization vulnerability by adding a check to ensure that the deserialized object is of type AuthToken. Added the 'secure' flag to the 'auth' cookie by calling 'cookie.setSecure(true)'.

• File changed: src/main/java/io/shiftleft/controller/AppErrorController.java
  Add HTTP method to @RequestMapping annotation to prevent CSRF vulnerability

  Added 'method = RequestMethod.POST' to the @RequestMapping annotation to specify the HTTP method as POST for the error method to prevent CSRF vulnerability.

• File changed: src/main/java/io/shiftleft/controller/SearchController.java
  Fix code injection vulnerability in SearchController

  Avoided passing user input directly to SpEL expression parser to prevent code injection vulnerability.

• File changed: src/main/java/io/shiftleft/data/DataBuilder.java
  Fix potential debug code vulnerabilities

  Removed System.out.println statements which can potentially expose sensitive information or create unintended entry points.

• File changed: src/main/resources/config/application-aws.properties
  Fix hardcoding AWS Access Key ID

  Read AWS Access Key ID from environment variable instead of hardcoding it.