patched-codes · CTY-git · May 28, 2024 · May 28, 2024 · May 28, 2024 · May 28, 2024
diff --git a/src/main/java/io/shiftleft/tarpit/FileUploader.java b/src/main/java/io/shiftleft/tarpit/FileUploader.java
@@ -14,6 +14,8 @@
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.Part;
 
+import org.apache.commons.io.FilenameUtils;
+
 import io.shiftleft.tarpit.util.Unzipper;
 
 /**
@@ -44,8 +46,8 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
     Part filePart = request.getPart("zipFile");
 
     InputStream input = filePart.getInputStream();
-
-    File targetFile = new File(productSourceFolder + filePart.getSubmittedFileName());
+    String safeFileName = FilenameUtils.getName(filePart.getSubmittedFileName());
+    File targetFile = new File(productSourceFolder + safeFileName);
 
     targetFile.createNewFile();
     OutputStream out = new FileOutputStream(targetFile);
@@ -66,4 +68,4 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
     doGet(request, response);
   }
 
-}
+}
diff --git a/src/main/java/io/shiftleft/tarpit/OrderProcessor.java b/src/main/java/io/shiftleft/tarpit/OrderProcessor.java
@@ -79,7 +79,8 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
     try {
       // read from file, convert it to user class
       Order order = deserializer.readValue(request.getReader(), Order.class);
-      out.println(order);
+      response.setContentType("application/json");
+      out.println(serializer.writeValueAsString(order));
     } catch (JsonGenerationException e) {
       e.printStackTrace();
     } catch (JsonMappingException e) {
@@ -96,3 +97,4 @@ private void getConnection() throws ClassNotFoundException, SQLException {
   }
 
 }
+
diff --git a/src/main/java/io/shiftleft/tarpit/OrderStatus.java b/src/main/java/io/shiftleft/tarpit/OrderStatus.java
@@ -52,8 +52,9 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
 
         getConnection();
 
-        String sql = "SELECT * FROM ORDER WHERE ORDERID = '" + orderId;
+        String sql = "SELECT * FROM ORDER WHERE ORDERID = ?";
         preparedStatement = connection.prepareStatement(sql);
+        preparedStatement.setString(1, orderId);
 
         resultSet = preparedStatement.executeQuery();
 
@@ -111,3 +112,4 @@ private void getConnection() throws ClassNotFoundException, SQLException {
   }
 
 }
+
diff --git a/src/main/java/io/shiftleft/tarpit/ServletTarPit.java b/src/main/java/io/shiftleft/tarpit/ServletTarPit.java
@@ -38,8 +38,8 @@ public class ServletTarPit extends HttpServlet {
   protected void doGet(HttpServletRequest request, HttpServletResponse response)
       throws ServletException, IOException {
 
-    String ACCESS_KEY_ID = "AKIA2E0A8F3B244C9986";
-    String SECRET_KEY = "7CE556A3BC234CC1FF9E8A5C324C0BB70AA21B6D";
+    String ACCESS_KEY_ID = System.getenv("ACCESS_KEY_ID");
+    String SECRET_KEY = System.getenv("SECRET_KEY");
 
     String txns_dir = System.getProperty("transactions_folder","/rolling/transactions");
 
@@ -60,20 +60,21 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
 
       ScriptEngineManager manager = new ScriptEngineManager();
       ScriptEngine engine = manager.getEngineByName("JavaScript");
-      engine.eval(request.getParameter("module"));
+      // engine.eval(request.getParameter("module"));
 
       /* FLAW: Insecure cryptographic algorithm (DES) 
       CWE: 327 Use of Broken or Risky Cryptographic Algorithm */
-      Cipher des = Cipher.getInstance("DES");
-      SecretKey key = KeyGenerator.getInstance("DES").generateKey();
-      des.init(Cipher.ENCRYPT_MODE, key);
+      Cipher aes = Cipher.getInstance("AES");
+      SecretKey key = KeyGenerator.getInstance("AES").generateKey();
+      aes.init(Cipher.ENCRYPT_MODE, key);
 
       getConnection();
 
-      String sql =
-          "SELECT * FROM USER WHERE LOGIN = '" + login + "' AND PASSWORD = '" + password + "'";
+      String sql = "SELECT * FROM USER WHERE LOGIN = ? AND PASSWORD = ?";
 
       preparedStatement = connection.prepareStatement(sql);
+      preparedStatement.setString(1, login);
+      preparedStatement.setString(2, password);
 
       resultSet = preparedStatement.executeQuery();
 
@@ -91,11 +92,13 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
             resultSet.getString("zipCode"));
 
         String creditInfo = resultSet.getString("userCreditCardInfo");
-        byte[] cc_enc_str = des.doFinal(creditInfo.getBytes());
+        byte[] cc_enc_str = aes.doFinal(creditInfo.getBytes());
 
         Cookie cookie = new Cookie("login", login);
         cookie.setMaxAge(864000);
         cookie.setPath("/");
+        cookie.setHttpOnly(true);
+        cookie.setSecure(true);
         response.addCookie(cookie);
 
         request.setAttribute("user", user.toString());
@@ -127,4 +130,4 @@ private void getConnection() throws ClassNotFoundException, SQLException {
     connection = DriverManager.getConnection("jdbc:mysql://localhost/DBPROD", "admin", "1234");
   }
 
-}
+}