Conversation
Drop test cases that were already there so I can add them through a PR
CodeQL found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.
GitHub AdvSec autofix will trigger.
```java
try {
    fileName = org.owasp.benchmark.helpers.Utils.TESTFILES_DIR + param;
    fis = new java.io.FileInputStream(new java.io.File(fileName));
```
Check failure (Code scanning / CodeQL): Uncontrolled data used in path expression
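Review bot: `param` is concatenated straight onto `TESTFILES_DIR` and the result is opened with `FileInputStream`, so a value containing `../` segments reads files outside the test directory; that is the path-traversal finding CodeQL is reporting, and it is a true positive as written. If this test case is meant to be vulnerable, keep it as is; the safe variant would canonicalize the path (`new File(fileName).getCanonicalPath()`) and refuse to open it unless it still starts with the canonical `TESTFILES_DIR`.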
```java
try {
    fileName = org.owasp.benchmark.helpers.Utils.TESTFILES_DIR + param;

    fos = new java.io.FileOutputStream(fileName, false);
```
Check failure (Code scanning / CodeQL): Uncontrolled data used in path expression
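Review bot: the same uncontrolled path, now on the write side: `new FileOutputStream(fileName, false)` creates or truncates whatever `param` resolves to, which is more damaging than the read in the previous case because an attacker can overwrite files the server process can write. The same canonical-path check applies; additionally, a write target outside `TESTFILES_DIR` should be rejected before the stream is opened, not after.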
```java
"Problem getting FileInputStream: "
    + org.owasp
        .esapi
        .ESAPI
        .encoder()
        .encodeForHTML(e.getMessage()));
```
Check warning (Code scanning / CodeQL): Information exposure through a stack trace
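Review bot: `encodeForHTML` stops the exception text from being interpreted as markup, but it does not hide the text itself, and that is what the alert is about: `e.getMessage()` from a failed `FileInputStream` normally contains the full path that was attempted, so the response leaks filesystem layout. HTML encoding is the wrong fix for an information-exposure finding; log the exception server-side and write only a fixed error string to the response if this is intended as the safe variant.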
```java
byte[] iv = random.generateSeed(8); // DES requires 8 byte keys

try {
    javax.crypto.Cipher c = javax.crypto.Cipher.getInstance("DES/CBC/PKCS5Padding");
```
Check failure (Code scanning / CodeQL): Use of a broken or risky cryptographic algorithm
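Review bot: the comment on the `iv` line is misleading: the 8-byte value is used as the CBC IV, and it is 8 bytes because that is the DES block size, not because of the key length (the key is generated separately with `KeyGenerator`). `generateSeed(8)` is also the wrong call for an IV; it is meant to produce PRNG seed material and can block on some providers, whereas `SecureRandom.nextBytes` is the idiomatic source of a fresh IV. The CodeQL finding itself stands: DES has a 56-bit effective key and `DES/CBC/PKCS5Padding` is broken; outside of an intentional true-positive test case this should be `AES/GCM/NoPadding` with a 12-byte nonce.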
```java
javax.crypto.Cipher c = javax.crypto.Cipher.getInstance("DES/CBC/PKCS5Padding");

// Prepare the cipher to encrypt
javax.crypto.SecretKey key = javax.crypto.KeyGenerator.getInstance("DES").generateKey();
```
Check failure (Code scanning / CodeQL): Use of a broken or risky cryptographic algorithm
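Review bot: `KeyGenerator.getInstance("DES")` is the second half of the same weak-algorithm finding, since the cipher and the key generator have to agree. If the DES cipher above is replaced, this line must change with it: `KeyGenerator.getInstance("AES")` followed by `init(256)` before `generateKey()`, otherwise the `Cipher.init` call will fail with a key/algorithm mismatch.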
```java
"Sensitive value: '"
    + org.owasp
        .esapi
        .ESAPI
        .encoder()
        .encodeForHTML(new String(input))
    + "' encrypted and stored<br/>");
```
Check warning (Code scanning / CodeQL): Cross-site scripting
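Review bot: the value is passed through `ESAPI.encoder().encodeForHTML` before it reaches the response, so this alert means CodeQL is not treating the ESAPI encoder as an XSS sanitizer in this analysis rather than that the output is unescaped. As long as the output lands in HTML element content, which the trailing `<br/>` suggests, this is a false positive (or an intended benchmark false-positive case). Note that `encodeForHTML` is only correct for that context; if `input` were ever written into an attribute or a script block, a context-specific encoder would be needed.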
```java
"Sensitive value '"
    + org.owasp
        .esapi
        .ESAPI
        .encoder()
        .encodeForHTML(new String(input))
    + "' hashed and stored<br/>");
```
Check warning (Code scanning / CodeQL): Cross-site scripting
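Review bot: identical situation to the "encrypted and stored" message above: the value is HTML-encoded before being written, so treat this as the same sanitizer-not-recognized alert and classify the two cases consistently.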
```java
}

// javax.servlet.http.HttpSession.setAttribute(java.lang.String^,java.lang.Object)
request.getSession().setAttribute(param, "10340");
```
Check failure (Code scanning / CodeQL): Trust boundary violation
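Review bot: the trust-boundary alert is about `param` being used as the session attribute name, not the value: the server controls only the string `"10340"`, and a request-controlled key lets the caller overwrite any attribute the application keeps in the session (role flags, user identifiers, CSRF tokens). The `^` marker in the comment above the call already points at the `String` name argument as the sink. The safe variant validates `param` against an allow-list of expected attribute names before the `setAttribute` call, or uses a fixed name.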
```java
benchmarkprops.load(
        this.getClass().getClassLoader().getResourceAsStream("benchmark.properties"));
String algorithm = benchmarkprops.getProperty("hashAlg1", "SHA512");
java.security.MessageDigest md = java.security.MessageDigest.getInstance(algorithm);
```
Check failure (Code scanning / CodeQL): Use of a potentially broken or risky cryptographic algorithm
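Review bot: the "potentially" in this alert is because the algorithm name is read from `benchmark.properties` at runtime, so the analysis cannot see what `MessageDigest.getInstance(algorithm)` will actually be called with; the `"SHA512"` default is fine, but a `hashAlg1=MD5` entry in the properties file turns this into a weak hash with no code change. If this case is intended to be safe, hard-code the algorithm; if it is intended to exercise config-driven algorithm selection, expect this alert to persist and document why.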
```java
response.getWriter()
        .println(
                "Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case");
e.printStackTrace(response.getWriter());
```
Check warning (Code scanning / CodeQL): Information exposure through a stack trace
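Review bot: `e.printStackTrace(response.getWriter())` writes the complete trace (class names, line numbers, and the nested exception messages) into the HTTP response body, so unlike the HTML-encoded `getMessage()` case this is an unambiguous true positive. The trace belongs in the server log; the response should keep only the fixed "Problem executing crypto" line.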
Prepare 1st 10 test cases to merge in.