PatchWork AutoFix

[CTY-git]

This pull request from patched fixes 4 issues.

---

• File changed: src/main/java/io/shiftleft/tarpit/FileUploader.java
  Fix: Sanitize file name to prevent path traversal

  Added sanitation for the user-provided filename to prevent potential path traversal vulnerabilities.

• File changed: src/main/java/io/shiftleft/tarpit/OrderProcessor.java
  Fix: Prevent potential XSS in OrderProcessor

  The doPost method in OrderProcessor was writing unsanitized user input directly to the response writer, posing a potential XSS vulnerability. This commit addresses the issue by using the HttpServletResponse#setContentType method to set the content type to "application/json" before serializing the Order object to JSON. This ensures that the response is treated as data and not as executable code by the browser, mitigating the XSS risk.

• File changed: src/main/java/io/shiftleft/tarpit/OrderStatus.java
  Fix: Mitigate SQL injection vulnerability

  The original code was vulnerable to SQL injection because it concatenated user input directly into the SQL query. This commit fixes the vulnerability by using a parameterized query instead. This ensures that user input is treated as data and not as part of the SQL command, preventing SQL injection attacks.

• File changed: src/main/java/io/shiftleft/tarpit/ServletTarPit.java
  Fix: Security vulnerabilities

  - Replaced DES with AES encryption algorithm.

  • Introduced parameterized SQL queries to prevent SQL injection.
  • Secured cookies with 'HttpOnly' and 'secure' flags.
  • Removed hardcoded AWS credentials.
  • Sanitized user input before logging.