diff --git a/WebContent/high_yield_investments.htm b/WebContent/high_yield_investments.htm
index 715a931..4a8a5a2 100644
--- a/WebContent/high_yield_investments.htm
+++ b/WebContent/high_yield_investments.htm
@@ -124,7 +124,7 @@

High Yield Investments

if any, to third party products and/or websites are purely coincidental. This site is provided "as is" without warranty of any kind, either express or implied. Watchfire does not assume any risk in relation to your use of this website. For additional Terms of Use, - please go to http://www.watchfire.com/statements/terms.aspx.

+ please go to https://www.watchfire.com/statements/terms.aspx.

Copyright © 2006, Watchfire Corporation, All rights reserved.
diff --git a/WebContent/static/inside_about.htm b/WebContent/static/inside_about.htm
index cd5517e..345c400 100644
--- a/WebContent/static/inside_about.htm
+++ b/WebContent/static/inside_about.htm
@@ -9,7 +9,7 @@

About Altoro Mutual

@@ -22,4 +22,4 @@

About Altoro Mutual

Altoro Mutual offers a broad range of commercial, private, retail and mortgage banking services to small- and middle-market businesses and individuals. - \ No newline at end of file + diff --git a/WebContent/static/inside_community.htm b/WebContent/static/inside_community.htm index a10d665..d3bfaa4 100644 --- a/WebContent/static/inside_community.htm +++ b/WebContent/static/inside_community.htm @@ -12,6 +12,6 @@

Summer 2006

The 2006 community efforts of Altoro Mutual and our employees is quite impressive including charitable contributions, volunteerism, diversity initiatives, and other support. View the summary report (PDF, 800KB).

Adobe Reader
-Download free Adobe Reader.

+Download free Adobe Reader.

- \ No newline at end of file + diff --git a/WebContent/static/security.htm b/WebContent/static/security.htm index 42646c0..b107860 100644 --- a/WebContent/static/security.htm +++ b/WebContent/static/security.htm @@ -56,7 +56,7 @@

Keep Your System Up to Date

Backups

It is a good practice to back up important files and folders on your computer. To back up files, you can make copies onto media that you can safely store elsewhere, such as CDs or floppy discs.

-

For more information on home computer security, visit http://www.cert.org/.

+

For more information on home computer security, visit https://www.cert.org/.

Back to Top \ No newline at end of file diff --git a/WebContent/swagger/lib/marked.js b/WebContent/swagger/lib/marked.js index c2a678d..0e43f3f 100644 --- a/WebContent/swagger/lib/marked.js +++ b/WebContent/swagger/lib/marked.js @@ -308,7 +308,7 @@ Lexer.prototype.token = function(src, top, bq) { if (~item.indexOf('\n ')) { space -= item.length; item = !this.options.pedantic - ? item.replace(new RegExp('^ {1,' + space + '}', 'gm'), '') + ? item.replace(/^ {1, space}/gm, '') : item.replace(/^ {1,4}/gm, ''); } @@ -1095,9 +1095,11 @@ function unescape(html) { }); } -function replace(regex, opt) { - regex = regex.source; - opt = opt || ''; + +function replace(name, val) { + let regex = "^[a-zA-Z0-9]*$"; + let opt = (typeof val === 'string' && val.length > 0) ? val : ''; + return function self(name, val) { if (!name) return new RegExp(regex, opt); val = val.source || val; @@ -1107,6 +1109,7 @@ function replace(regex, opt) { }; } + function noop() {} noop.exec = noop; diff --git a/src/com/ibm/security/appscan/altoromutual/servlet/AdminServlet.java b/src/com/ibm/security/appscan/altoromutual/servlet/AdminServlet.java index bcc1c94..6d201b8 100644 --- a/src/com/ibm/security/appscan/altoromutual/servlet/AdminServlet.java +++ b/src/com/ibm/security/appscan/altoromutual/servlet/AdminServlet.java @@ -25,6 +25,7 @@ import javax.servlet.http.HttpServletResponse; import com.ibm.security.appscan.altoromutual.util.DBUtil; +import org.apache.commons.text.StringEscapeUtils; /** * This servlet handles site admin operations @@ -115,7 +116,8 @@ else if (request.getRequestURL().toString().endsWith("changePassword")){ else message = "Requested operation has completed successfully."; - request.getSession().setAttribute("message", message); + String safeMessage = StringEscapeUtils.escapeHtml4(message); + request.getSession().setAttribute("message", safeMessage); response.sendRedirect("admin.jsp"); return ; } 
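Review bot: The regex literal `/^ {1, space}/gm` on the `+` line of the first marked.js hunk no longer uses the `space` variable at all; with the blank after the comma, JavaScript treats `{1, space}` as literal characters, so the list-item de-indent now only strips text that literally reads ` {1, space}` and nested list parsing silently breaks. Keep the constructed pattern, `? item.replace(new RegExp('^ {1,' + space + '}', 'gm'), '')` — `space` is a computed integer, not attacker input, so the dynamic RegExp was not the problem. This file lives under swagger/lib and is a vendored library, so a hand edit here is lost on the next upgrade and is better carried as a patch applied at build time. `Lexer.prototype.token` starts and ends outside the hunk.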
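Review bot: The rewritten `function replace(name, val)` in the second marked.js hunk ignores the grammar rule and flags it is called with and instead fixes `regex` to `"^[a-zA-Z0-9]*$"`, so every call site that passes a block or inline rule now receives the same alphanumeric pattern and the lexer's grammar construction is broken; the outer `name`/`val` parameters are also immediately shadowed by `return function self(name, val)`. Restore the three removed lines, `function replace(regex, opt) {` / `regex = regex.source;` / `opt = opt || '';`, so the closure captures the rule it was given. If the intent was to filter untrusted markdown, that belongs where the document enters the renderer, not in the helper that assembles the parser's regular expressions. The body of `replace` continues in the following hunk.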
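Review bot: Escaping `message` before it is stored (`String safeMessage = StringEscapeUtils.escapeHtml4(message);`) moves output encoding away from the sink: admin.jsp is not in this diff, and if it already escapes the attribute the user will see doubled entities, while if it does not, any other code path that sets the "message" attribute stays unencoded. Prefer keeping `request.getSession().setAttribute("message", message);` and encoding in admin.jsp at the point of output, for example with JSTL `<c:out value="${message}"/>`, which escapes by default. The added `org.apache.commons.text.StringEscapeUtils` import also requires commons-text on the build path, and no build-file change is shown here. The method enclosing these lines starts outside the hunk.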
diff --git a/src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java b/src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java index 55303c3..8f9bc2d 100644 --- a/src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java +++ b/src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java @@ -36,8 +36,8 @@ * @author Alexei */ public class LoginServlet extends HttpServlet { - private static final long serialVersionUID = 1L; - + private static final long serialVersionUID = 1L; + /** * @see HttpServlet#HttpServlet() */ 
@@ -45,63 +45,61 @@ public LoginServlet() { super(); } - /** - * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response) - */ - protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - //log out - try { - HttpSession session = request.getSession(false); - session.removeAttribute(ServletUtil.SESSION_ATTR_USER); - } catch (Exception e){ - // do nothing - } finally { - response.sendRedirect("index.jsp"); - } - - } - - /** - * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response) - */ - protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - //log in - // Create session if there isn't one: - HttpSession session = request.getSession(true); + /** + * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response) + */ + protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { + //log out + try { + HttpSession session = request.getSession(false); + session.removeAttribute(ServletUtil.SESSION_ATTR_USER); + } catch (Exception e){ + // do nothing + } finally { + response.sendRedirect("index.jsp"); + } + + } - String username = null; - - try { - username = request.getParameter("uid"); - if (username != null) - username = username.trim().toLowerCase(); - - String password = request.getParameter("passw"); - password = password.trim().toLowerCase(); //in real life the password usually is case sensitive and this cast would not be done - - if (!DBUtil.isValidUser(username, password)){ - Log4AltoroJ.getInstance().logError("Login failed >>> User: " +username + " >>> Password: " + password); - throw new Exception("Login Failed: We're sorry, but this username or password was not found in our system. 
Please try again."); - } - } catch (Exception ex) { - request.getSession(true).setAttribute("loginError", ex.getLocalizedMessage()); - response.sendRedirect("login.jsp"); - return; - } + /** + * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response) + */ + protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { + //log in + // Create session if there isn't one: + HttpSession session = request.getSession(true); + String username = null; - //Handle the cookie using ServletUtil.establishSession(String) - try{ - Cookie accountCookie = ServletUtil.establishSession(username,session); - response.addCookie(accountCookie); - response.sendRedirect(request.getContextPath()+"/bank/main.jsp"); - } - catch (Exception ex){ - ex.printStackTrace(); - response.sendError(500); - } - - - return; - } + try { + username = request.getParameter("uid"); + if (username != null) + username = username.trim().toLowerCase(); + + String password = request.getParameter("passw"); + password = password.trim().toLowerCase(); //in real life the password usually is case sensitive and this cast would not be done + + if (!DBUtil.isValidUser(username, password)){ + Log4AltoroJ.getInstance().logError("Login failed >>> User: " +username + " >>> Password: " + password); + throw new Exception("Login Failed: We're sorry, but this username or password was not found in our system. 
Please try again."); + } + } catch (Exception ex) { + request.getSession(true).setAttribute("loginError", ex.getLocalizedMessage()); + response.sendRedirect("login.jsp"); + return; + } + //Handle the cookie using ServletUtil.establishSession(String) + try { + Cookie accountCookie = ServletUtil.establishSession(username, session); + accountCookie.setHttpOnly(true); + accountCookie.setSecure(true); + response.addCookie(accountCookie); + response.sendRedirect(request.getContextPath()+"/bank/main.jsp"); + } catch (Exception ex) { + ex.printStackTrace(); + response.sendError(500); + } + + return; + } } diff --git a/src/com/ibm/security/appscan/altoromutual/servlet/SurveyServlet.java b/src/com/ibm/security/appscan/altoromutual/servlet/SurveyServlet.java index 40b8984..85f96f1 100644 --- a/src/com/ibm/security/appscan/altoromutual/servlet/SurveyServlet.java +++ b/src/com/ibm/security/appscan/altoromutual/servlet/SurveyServlet.java @@ -95,10 +95,19 @@ else if (step.equals("done")){ content = "
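Review bot: The failed-login log line `Log4AltoroJ.getInstance().logError("Login failed >>> User: " +username + " >>> Password: " + password);` is carried over unchanged in `doPost` and writes the submitted password in clear text to the application log; replace it with `Log4AltoroJ.getInstance().logError("Login failed >>> User: " + username);`. The session obtained with `request.getSession(true)` before the credentials are checked is the same one handed to `establishSession` after success, so the session id is never rotated on authentication; invalidating it and obtaining a fresh session first (or calling `request.changeSessionId()` on a Servlet 3.1+ container) would close that. `password.trim()` is still reached when the `passw` parameter is absent, which throws a NullPointerException that the `catch (Exception ex)` then stores as the `loginError` text shown on login.jsp; guard it the way `uid` is guarded. `accountCookie.setSecure(true)` here duplicates the same call added to `ServletUtil.establishSession` later in this diff, which is harmless but one of the two can go.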

Request Out of Order

"+ "

It appears that you attempted to skip or repeat some areas of this survey. Please return to the start page to begin again.

"; } else { - request.getSession().setAttribute("surveyStep", step); + String step = request.getParameter("step"); + public String sanitizeInput(String input) { + return input.replaceAll("[^a-zA-Z0-9]", ""); + } + String sanitizedStep = sanitizeInput(step); + request.getSession().setAttribute("surveyStep", sanitizedStep); + } response.setContentType("text/html"); - response.getWriter().write(content); + import org.owasp.esapi.ESAPI; + + String safeContent = ESAPI.encoder().encodeForHTML(content); + response.getWriter().write(safeContent); response.getWriter().flush(); } diff --git a/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java b/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java index 3031aa8..6836a03 100644 --- a/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java +++ b/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java 
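Review bot: The new lines in the `else` branch do not compile: `String step = request.getParameter("step");` redeclares the `step` that is already in scope (the hunk header shows `step.equals("done")`), `public String sanitizeInput(String input)` is a method declaration inside a method body, `import org.owasp.esapi.ESAPI;` is an import statement inside a method, and the extra `}` after the `setAttribute` call unbalances the braces. `content` is markup assembled by the servlet itself (the "Request Out of Order" block above), so `ESAPI.encoder().encodeForHTML(content)` would render that markup as visible text rather than neutralize anything; encoding belongs on the untrusted values at the point where they are concatenated into `content`. Move the helper to the class as `private static String sanitizeInput(String input) { return input == null ? "" : input.replaceAll("[^a-zA-Z0-9]", ""); }`, put the ESAPI import in the file header only if that library is actually on the build path, and keep writing `content` as before. The enclosing method starts before this hunk.

```java
} else {
    // step is the request parameter already bound in this scope; keep only the characters a step token may contain
    request.getSession().setAttribute("surveyStep", sanitizeInput(step));
}
response.setContentType("text/html");
// content is markup built by this servlet; untrusted values must be encoded where they are inserted into it
response.getWriter().write(content);
response.getWriter().flush();
```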
@@ -209,22 +209,25 @@ public static ArrayList getFeedback (long feedbackId){ * @return true if valid user, false otherwise * @throws SQLException */ - public static boolean isValidUser(String user, String password) throws SQLException{ - if (user == null || password == null || user.trim().length() == 0 || password.trim().length() == 0) - return false; - - Connection connection = getConnection(); - Statement statement = connection.createStatement(); - - ResultSet resultSet =statement.executeQuery("SELECT COUNT(*)FROM PEOPLE WHERE USER_ID = '"+ user +"' AND PASSWORD='" + password + "'"); /* BAD - user input should always be sanitized */ - - if (resultSet.next()){ - - if (resultSet.getInt(1) > 0) - return true; + public static boolean isValidUser(String user, String password) throws SQLException { + if (user == null || password == null || user.trim().length() == 0 || password.trim().length() == 0) + return false; + + Connection connection = getConnection(); + + String selectSQL = "SELECT COUNT(*) FROM PEOPLE WHERE USER_ID = ? AND PASSWORD = ?"; + PreparedStatement preparedStatement = connection.prepareStatement(selectSQL); + preparedStatement.setString(1, user); + preparedStatement.setString(2, password); + + ResultSet resultSet = preparedStatement.executeQuery(); + + if (resultSet.next()){ + if (resultSet.getInt(1) > 0) + return true; + } + return false; } - return false; - } /** 
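Review bot: The `PreparedStatement` and `ResultSet` created in `isValidUser` are never closed, so every login attempt leaks a statement handle on the shared connection until the driver's finalizer runs; the same pattern repeats in the `getUserInfo`, `getAccounts`, `getAccount`, `addAccount`, `addSpecialUser`, `addUser`, `changePassword` and `storeFeedback` hunks of this file. `getTransactions` in this same diff already uses try-with-resources, so the file is on a Java 7+ toolchain and the other methods can do the same. The check is still an equality match against a clear-text `PASSWORD` column, which the parameterized query does not change; storing a salted hash and verifying against it is a separate follow-up.

```java
String selectSQL = "SELECT COUNT(*) FROM PEOPLE WHERE USER_ID = ? AND PASSWORD = ?";
try (PreparedStatement preparedStatement = connection.prepareStatement(selectSQL)) {
    preparedStatement.setString(1, user);
    preparedStatement.setString(2, password);
    try (ResultSet resultSet = preparedStatement.executeQuery()) {
        // COUNT(*) always yields exactly one row; a positive count means the credentials matched
        return resultSet.next() && resultSet.getInt(1) > 0;
    }
}
```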
@@ -233,32 +236,34 @@ public static boolean isValidUser(String user, String password) throws SQLExcept * @return user information * @throws SQLException */ - public static User getUserInfo(String username) throws SQLException{ - if (username == null || username.trim().length() == 0) - return null; - - Connection connection = getConnection(); - Statement statement = connection.createStatement(); - ResultSet resultSet =statement.executeQuery("SELECT FIRST_NAME,LAST_NAME,ROLE FROM PEOPLE WHERE USER_ID = '"+ username +"' "); /* BAD - user input should always be sanitized */ - - String firstName = null; - String lastName = null; - String roleString = null; - if (resultSet.next()){ - firstName = resultSet.getString("FIRST_NAME"); - lastName = resultSet.getString("LAST_NAME"); - roleString = resultSet.getString("ROLE"); - } - - if (firstName == null || lastName == null) - return null; - - User user = new User(username, firstName, lastName); - - if (roleString.equalsIgnoreCase("admin")) - user.setRole(Role.Admin); - - return user; + public static User getUserInfo(String username) throws SQLException { + if (username == null || username.trim().length() == 0) + return null; + + Connection connection = getConnection(); + PreparedStatement preparedStatement = connection.prepareStatement("SELECT FIRST_NAME,LAST_NAME,ROLE FROM PEOPLE WHERE USER_ID = ?"); + preparedStatement.setString(1, username); + ResultSet resultSet = preparedStatement.executeQuery(); + + String firstName = null; + String lastName = null; + String roleString = null; + + if (resultSet.next()){ + firstName = resultSet.getString("FIRST_NAME"); + lastName = resultSet.getString("LAST_NAME"); + roleString = resultSet.getString("ROLE"); + } + + if (firstName == null || lastName == null) + return null; + + User user = new User(username, firstName, lastName); + + if (roleString != null && roleString.equalsIgnoreCase("admin")) + user.setRole(Role.Admin); + + return user; } /** 
@@ -272,8 +277,9 @@ public static Account[] getAccounts(String username) throws SQLException{ return null; Connection connection = getConnection(); - Statement statement = connection.createStatement(); - ResultSet resultSet =statement.executeQuery("SELECT ACCOUNT_ID, ACCOUNT_NAME, BALANCE FROM ACCOUNTS WHERE USERID = '"+ username +"' "); /* BAD - user input should always be sanitized */ + PreparedStatement statement = connection.prepareStatement("SELECT ACCOUNT_ID, ACCOUNT_NAME, BALANCE FROM ACCOUNTS WHERE USERID = ?"); + statement.setString(1, username); + ResultSet resultSet = statement.executeQuery(); ArrayList accounts = new ArrayList(3); while (resultSet.next()){ @@ -286,7 +292,7 @@ public static Account[] getAccounts(String username) throws SQLException{ return accounts.toArray(new Account[accounts.size()]); } - + /** * Transfer funds between specified accounts * @param username @@ -302,7 +308,6 @@ public static String transferFunds(String username, long creditActId, long debit User user = getUserInfo(username); Connection connection = getConnection(); - Statement statement = connection.createStatement(); Account debitAccount = Account.getAccount(debitActId); Account creditAccount = Account.getAccount(creditActId); 
@@ -316,40 +321,51 @@ public static String transferFunds(String username, long creditActId, long debit java.sql.Timestamp date = new Timestamp(new java.util.Date().getTime()); - //in real life we would want to do these updates and transaction entry creation - //as one atomic operation - long userCC = user.getCreditCardNumber(); - /* this is the account that the payment will be made from, thus negative amount!*/ double debitAmount = -amount; - /* this is the account that the payment will be made to, thus positive amount!*/ double creditAmount = amount; - /* Credit card account balance is the amount owed, not amount owned - * (reverse of other accounts). Therefore we have to process balances differently*/ if (debitAccount.getAccountId() == userCC) debitAmount = -debitAmount; - - //create transaction record - statement.execute("INSERT INTO TRANSACTIONS (ACCOUNTID, DATE, TYPE, AMOUNT) VALUES ("+debitAccount.getAccountId()+",'"+date+"',"+((debitAccount.getAccountId() == userCC)?"'Cash Advance'":"'Withdrawal'")+","+debitAmount+")," + - "("+creditAccount.getAccountId()+",'"+date+"',"+((creditAccount.getAccountId() == userCC)?"'Payment'":"'Deposit'")+","+creditAmount+")"); + + PreparedStatement statement1 = connection.prepareStatement("INSERT INTO TRANSACTIONS (ACCOUNTID, DATE, TYPE, AMOUNT) VALUES (?, ?, ?, ?), (?, ?, ?, ?)"); + + statement1.setLong(1, debitAccount.getAccountId()); + statement1.setTimestamp(2, date); + statement1.setString(3, (debitAccount.getAccountId() == userCC)?"Cash Advance":"Withdrawal"); + statement1.setDouble(4, debitAmount); + statement1.setLong(5, creditAccount.getAccountId()); + statement1.setTimestamp(6, date); + statement1.setString(7, (creditAccount.getAccountId() == userCC)?"Payment":"Deposit"); + statement1.setDouble(8, creditAmount); + statement1.execute(); Log4AltoroJ.getInstance().logTransaction(debitAccount.getAccountId()+" - "+ debitAccount.getAccountName(), creditAccount.getAccountId()+" - "+ creditAccount.getAccountName(), amount); 
if (creditAccount.getAccountId() == userCC) creditAmount = -creditAmount; - //add cash advance fee since the money transfer was made from the credit card if (debitAccount.getAccountId() == userCC){ - statement.execute("INSERT INTO TRANSACTIONS (ACCOUNTID, DATE, TYPE, AMOUNT) VALUES ("+debitAccount.getAccountId()+",'"+date+"','Cash Advance Fee',"+CASH_ADVANCE_FEE+")"); + PreparedStatement statement2 = connection.prepareStatement("INSERT INTO TRANSACTIONS (ACCOUNTID, DATE, TYPE, AMOUNT) VALUES (?, ?, ?, ?)"); + statement2.setLong(1, debitAccount.getAccountId()); + statement2.setTimestamp(2, date); + statement2.setString(3, "Cash Advance Fee"); + statement2.setDouble(4, CASH_ADVANCE_FEE); + statement2.execute(); debitAmount += CASH_ADVANCE_FEE; Log4AltoroJ.getInstance().logTransaction(String.valueOf(userCC), "N/A", CASH_ADVANCE_FEE); } - - //update account balances - statement.execute("UPDATE ACCOUNTS SET BALANCE = " + (debitAccount.getBalance()+debitAmount) + " WHERE ACCOUNT_ID = " + debitAccount.getAccountId()); - statement.execute("UPDATE ACCOUNTS SET BALANCE = " + (creditAccount.getBalance()+creditAmount) + " WHERE ACCOUNT_ID = " + creditAccount.getAccountId()); + + PreparedStatement statement3 = connection.prepareStatement("UPDATE ACCOUNTS SET BALANCE = ? WHERE ACCOUNT_ID = ?"); + statement3.setDouble(1, debitAccount.getBalance() + debitAmount); + statement3.setLong(2, debitAccount.getAccountId()); + statement3.execute(); + + PreparedStatement statement4 = connection.prepareStatement("UPDATE ACCOUNTS SET BALANCE = ? WHERE ACCOUNT_ID = ?"); + statement4.setDouble(1, creditAccount.getBalance() + creditAmount); + statement4.setLong(2, creditAccount.getAccountId()); + statement4.execute(); return null; @@ -359,6 +375,7 @@ public static String transferFunds(String username, long creditActId, long debit } + /** * Get transaction information for the specified accounts in the date range (non-inclusive of the dates) * @param startDate 
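Review bot: The writes in `transferFunds` — the two-row `INSERT INTO TRANSACTIONS` via `statement1`, the optional fee insert via `statement2`, and the two `UPDATE ACCOUNTS` via `statement3`/`statement4` — still run as independent auto-committed statements, so a failure after the first `execute()` leaves ledger rows with no matching balance change; this hunk also deletes the comment that documented exactly that limitation (`//in real life we would want to do these updates and transaction entry creation as one atomic operation`) and the comments explaining the credit-card sign handling, which should stay. Wrapping the writes in an explicit transaction (`setAutoCommit(false)`, commit on success, rollback on `SQLException`) closes the gap; note that balances are still computed from the earlier `getBalance()` reads rather than updated in place, so two concurrent transfers on one account can overwrite each other. The four new `PreparedStatement`s are also never closed. `transferFunds` starts and ends outside this hunk and its declared exceptions are not visible, so the error handling in the fence is indicative only.

```java
// Credit card balance is the amount owed, not owned (reverse of other accounts),
// so the sign is flipped for that account.
// … unchanged: debitAmount / creditAmount sign handling …
boolean previousAutoCommit = connection.getAutoCommit();
connection.setAutoCommit(false);
try {
    try (PreparedStatement statement1 = connection.prepareStatement(
            "INSERT INTO TRANSACTIONS (ACCOUNTID, DATE, TYPE, AMOUNT) VALUES (?, ?, ?, ?), (?, ?, ?, ?)")) {
        // … unchanged: parameter binding for statement1 …
        statement1.execute();
    }
    // … unchanged: fee insert (statement2) and balance updates (statement3, statement4), each in its own try-with-resources …
    connection.commit();
} catch (SQLException e) {
    connection.rollback();
    throw e; // or map to the String error this method returns — signature not visible in the hunk
} finally {
    connection.setAutoCommit(previousAutoCommit);
}
```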
@@ -368,57 +385,58 @@ public static String transferFunds(String username, long creditActId, long debit * @return */ public static Transaction[] getTransactions(String startDate, String endDate, Account[] accounts, int rowCount) throws SQLException { - + if (accounts == null || accounts.length == 0) return null; - - Connection connection = getConnection(); - - - Statement statement = connection.createStatement(); - - if (rowCount > 0) - statement.setMaxRows(rowCount); - - StringBuffer acctIds = new StringBuffer(); - acctIds.append("ACCOUNTID = " + accounts[0].getAccountId()); - for (int i=1; i0){ - dateString = "DATE > '" + startDate +" 00:00:00'"; - } else if (endDate != null && endDate.length()>0){ - dateString = "DATE < '" + endDate + " 23:59:59'"; - } - - String query = "SELECT * FROM TRANSACTIONS WHERE (" + acctIds.toString() + ") " + ((dateString==null)?"": "AND (" + dateString + ") ") + "ORDER BY DATE DESC" ; - ResultSet resultSet = null; - - try { - resultSet = statement.executeQuery(query); - } catch (SQLException e){ + + Connection connection = getConnection(); + + String initialQuery = "SELECT * FROM TRANSACTIONS WHERE ACCOUNTID = ? "; + String dateCondition = "AND (DATE BETWEEN ? AND ?) "; + String orderBy = "ORDER BY DATE DESC"; + + PreparedStatement statement; + + if (startDate != null && startDate.length()>0 && endDate != null && endDate.length()>0){ + statement = connection.prepareStatement(initialQuery + dateCondition + orderBy); + statement.setString(2, startDate + " 00:00:00"); + statement.setString(3 , endDate + " 23:59:59"); + } else if (startDate != null && startDate.length()>0) { + statement = connection.prepareStatement(initialQuery + "AND DATE > ? " + orderBy); + statement.setString(2, startDate +" 00:00:00"); + } else if (endDate != null && endDate.length()>0) { + statement = connection.prepareStatement(initialQuery + "AND DATE < ? 
" + orderBy); + statement.setString(2, endDate + " 23:59:59"); + } else { + statement = connection.prepareStatement(initialQuery + orderBy); + } + + if (rowCount > 0) + statement.setMaxRows(rowCount); + + ArrayList transactions = new ArrayList(); + + for (Account account : accounts) { + statement.setLong(1, account.getAccountId()); + try (ResultSet resultSet = statement.executeQuery()) { + while (resultSet.next()) { + int transId = resultSet.getInt("TRANSACTION_ID"); + long acctId = resultSet.getLong("ACCOUNTID"); + Timestamp date = resultSet.getTimestamp("DATE"); + String desc = resultSet.getString("TYPE"); + double amount = resultSet.getDouble("AMOUNT"); + transactions.add(new Transaction(transId, acctId, date, desc, amount)); + } + } catch (SQLException e) { int errorCode = e.getErrorCode(); if (errorCode == 30000) throw new SQLException("Date-time query must be in the format of yyyy-mm-dd HH:mm:ss", e); - + throw e; } - ArrayList transactions = new ArrayList(); - while (resultSet.next()){ - int transId = resultSet.getInt("TRANSACTION_ID"); - long actId = resultSet.getLong("ACCOUNTID"); - Timestamp date = resultSet.getTimestamp("DATE"); - String desc = resultSet.getString("TYPE"); - double amount = resultSet.getDouble("AMOUNT"); - transactions.add(new Transaction(transId, actId, date, desc, amount)); - } - - return transactions.toArray(new Transaction[transactions.size()]); + } + + return transactions.toArray(new Transaction[transactions.size()]); } public static String[] getBankUsernames() { 
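Review bot: Moving to one query per account in `getTransactions` changes two results the caller can observe: `statement.setMaxRows(rowCount)` now caps each account's query separately, so up to `rowCount * accounts.length` rows come back instead of `rowCount`, and `ORDER BY DATE DESC` only orders within one account, so the merged `transactions` list is grouped by account rather than sorted by date as the replaced single query returned it. Sorting the merged list by date descending and trimming it to `rowCount` after the loop restores the previous contract (Transaction's date accessor is not visible in this hunk). The `DATE BETWEEN ? AND ?` branch is new behaviour — the replaced code never combined both dates — and BETWEEN is inclusive at both ends, which is fine with the `00:00:00`/`23:59:59` suffixes but deserves a one-line comment. The shared `PreparedStatement` is never closed; a try-with-resources around it, as is already done for the `ResultSet`, finishes the job.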
@@ -445,30 +463,33 @@ public static String[] getBankUsernames() { } public static Account getAccount(long accountNo) throws SQLException { - - Connection connection = getConnection(); - Statement statement = connection.createStatement(); - ResultSet resultSet =statement.executeQuery("SELECT ACCOUNT_NAME, BALANCE FROM ACCOUNTS WHERE ACCOUNT_ID = "+ accountNo +" "); /* BAD - user input should always be sanitized */ - - ArrayList accounts = new ArrayList(3); - while (resultSet.next()){ - String name = resultSet.getString("ACCOUNT_NAME"); - double balance = resultSet.getDouble("BALANCE"); - Account newAccount = new Account(accountNo, name, balance); - accounts.add(newAccount); - } - - if (accounts.size()==0) - return null; - - return accounts.get(0); + + Connection connection = getConnection(); + PreparedStatement statement = connection.prepareStatement("SELECT ACCOUNT_NAME, BALANCE FROM ACCOUNTS WHERE ACCOUNT_ID = ?"); + statement.setLong(1, accountNo); + ResultSet resultSet = statement.executeQuery(); + + ArrayList accounts = new ArrayList(3); + while (resultSet.next()){ + String name = resultSet.getString("ACCOUNT_NAME"); + double balance = resultSet.getDouble("BALANCE"); + Account newAccount = new Account(accountNo, name, balance); + accounts.add(newAccount); + } + + if (accounts.size()==0) + return null; + + return accounts.get(0); } public static String addAccount(String username, String acctType) { try { Connection connection = getConnection(); - Statement statement = connection.createStatement(); - statement.execute("INSERT INTO ACCOUNTS (USERID,ACCOUNT_NAME,BALANCE) VALUES ('"+username+"','"+acctType+"', 0)"); + PreparedStatement statement = connection.prepareStatement("INSERT INTO ACCOUNTS (USERID,ACCOUNT_NAME,BALANCE) VALUES (?, ?, 0)"); + statement.setString(1, username); + statement.setString(2, acctType); + statement.execute(); return null; } catch (SQLException e){ return e.toString(); 
@@ -478,54 +499,66 @@ public static String addAccount(String username, String acctType) { public static String addSpecialUser(String username, String password, String firstname, String lastname) { try { Connection connection = getConnection(); - Statement statement = connection.createStatement(); - statement.execute("INSERT INTO SPECIAL_CUSTOMERS (USER_ID,PASSWORD,FIRST_NAME,LAST_NAME,ROLE) VALUES ('"+username+"','"+password+"', '"+firstname+"', '"+lastname+"','user')"); + PreparedStatement statement = connection.prepareStatement("INSERT INTO SPECIAL_CUSTOMERS (USER_ID,PASSWORD,FIRST_NAME,LAST_NAME,ROLE) VALUES (?,?,?,?, 'user')"); + statement.setString(1, username); + statement.setString(2, password); + statement.setString(3, firstname); + statement.setString(4, lastname); + statement.executeUpdate(); + return null; } catch (SQLException e){ return e.toString(); - } } public static String addUser(String username, String password, String firstname, String lastname) { - try { - Connection connection = getConnection(); - Statement statement = connection.createStatement(); - statement.execute("INSERT INTO PEOPLE (USER_ID,PASSWORD,FIRST_NAME,LAST_NAME,ROLE) VALUES ('"+username+"','"+password+"', '"+firstname+"', '"+lastname+"','user')"); - return null; - } catch (SQLException e){ - return e.toString(); - - } + try { + Connection connection = getConnection(); + PreparedStatement preparedStatement = connection.prepareStatement("INSERT INTO PEOPLE (USER_ID,PASSWORD,FIRST_NAME,LAST_NAME,ROLE) VALUES (?, ?, ?, ?, 'user')"); + preparedStatement.setString(1, username); + preparedStatement.setString(2, password); + preparedStatement.setString(3, firstname); + preparedStatement.setString(4, lastname); + preparedStatement.execute(); + return null; + } catch (SQLException e) { + return e.toString(); + } } - public static String changePassword(String username, String password) { - try { - Connection connection = getConnection(); - Statement statement = 
connection.createStatement(); - statement.execute("UPDATE PEOPLE SET PASSWORD = '"+ password +"' WHERE USER_ID = '"+username+"'"); - return null; - } catch (SQLException e){ - return e.toString(); - - } - } + public static String changePassword(String username, String password) { + try { + Connection connection = getConnection(); + PreparedStatement preparedStatement = connection.prepareStatement("UPDATE PEOPLE SET PASSWORD = ? WHERE USER_ID = ?"); + preparedStatement.setString(1, password); + preparedStatement.setString(2, username); + preparedStatement.execute(); + return null; + } catch (SQLException e){ + return e.toString(); + } + } public static long storeFeedback(String name, String email, String subject, String comments) { - try{ - Connection connection = getConnection(); - Statement statement = connection.createStatement(); - statement.execute("INSERT INTO FEEDBACK (NAME,EMAIL,SUBJECT,COMMENTS) VALUES ('"+name+"', '"+email+"', '"+subject+"', '"+comments+"')", Statement.RETURN_GENERATED_KEYS); - ResultSet rs= statement.getGeneratedKeys(); - long id = -1; - if (rs.next()){ - id = rs.getLong(1); - } - return id; - } catch (SQLException e){ - Log4AltoroJ.getInstance().logError(e.getMessage()); - return -1; - } + try{ + Connection connection = getConnection(); + PreparedStatement statement = connection.prepareStatement("INSERT INTO FEEDBACK (NAME,EMAIL,SUBJECT,COMMENTS) VALUES (?,?,?,?)", Statement.RETURN_GENERATED_KEYS); + statement.setString(1, name); + statement.setString(2, email); + statement.setString(3, subject); + statement.setString(4, comments); + statement.executeUpdate(); + ResultSet rs= statement.getGeneratedKeys(); + long id = -1; + if (rs.next()){ + id = rs.getLong(1); + } + return id; + } catch (SQLException e){ + Log4AltoroJ.getInstance().logError(e.getMessage()); + return -1; + } } } \ No newline at end of file 
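Review bot: `addSpecialUser`, `addUser` and `changePassword` still write the `password` argument verbatim into the `PASSWORD` column (`preparedStatement.setString(1, password);` in `changePassword`), so parameterizing the statements closes the injection but the credential remains recoverable by anyone who can read the table or a backup; storing a salted hash here and verifying against it in `isValidUser` is the matching change. The `catch (SQLException e)` blocks return `e.toString()` to the caller, which carries driver and schema detail; whether that text reaches a browser depends on the servlets, which this diff does not show. Style: `addSpecialUser` and `storeFeedback` use `executeUpdate()` while `addUser` and `changePassword` use `execute()` for the same kind of statement; picking one reads more consistently.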
diff --git a/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java b/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java index 5629335..e1bef26 100644 --- a/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java +++ b/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java @@ -145,10 +145,10 @@ public static User getUser(HttpServletRequest request) throws SQLException{ public static String makeRandomString() { byte[] array = new byte[7]; // length is bounded by 7 - new Random().nextBytes(array); + new java.security.SecureRandom().nextBytes(array); String generatedString = new String(array, Charset.forName("UTF-8")); return generatedString; } - } +} diff --git a/src/com/ibm/security/appscan/altoromutual/util/ServletUtil.java b/src/com/ibm/security/appscan/altoromutual/util/ServletUtil.java index 6524e35..4dcfc92 100644 --- a/src/com/ibm/security/appscan/altoromutual/util/ServletUtil.java +++ b/src/com/ibm/security/appscan/altoromutual/util/ServletUtil.java @@ -343,6 +343,7 @@ public static Cookie establishSession(String username, HttpSession session){ Account[] accounts = user.getAccounts(); String accountStringList = Account.toBase64List(accounts); Cookie accountCookie = new Cookie(ServletUtil.ALTORO_COOKIE, accountStringList); + accountCookie.setSecure(true); session.setAttribute(ServletUtil.SESSION_ATTR_USER, user); return accountCookie; }
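Review bot: `makeRandomString` now draws from `SecureRandom`, but the following line still decodes the 7 raw bytes as UTF-8 (`new String(array, Charset.forName("UTF-8"))`), which replaces every invalid byte sequence with U+FFFD and so discards much of the entropy while leaving control characters in the result. Encode the bytes instead, e.g. `String generatedString = java.util.Base64.getUrlEncoder().withoutPadding().encodeToString(array);` — the callers' expectations about the string's length and alphabet are not visible here, so confirm that change is acceptable to them. Creating a `SecureRandom` on every call is also wasteful; a `private static final SecureRandom` field seeded once serves the same purpose.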
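Review bot: `accountCookie.setSecure(true)` in `establishSession` covers transport, but the cookie is not marked HttpOnly here, and the flags added in LoginServlet only apply to callers that go through that servlet; adding `accountCookie.setHttpOnly(true);` next to the new line protects every caller of `establishSession`. The cookie value is `Account.toBase64List(accounts)`, a client-readable encoding of the user's account list that nothing in this hunk signs, so any downstream code that relies on it for authorization must re-check it against the session user — pre-existing, but worth a comment on the cookie's construction. `establishSession` starts outside the hunk.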