diff --git a/WebContent/swagger/lib/marked.js b/WebContent/swagger/lib/marked.js index c2a678d..c446780 100644 --- a/WebContent/swagger/lib/marked.js +++ b/WebContent/swagger/lib/marked.js @@ -1099,13 +1099,22 @@ function replace(regex, opt) { regex = regex.source; opt = opt || ''; return function self(name, val) { - if (!name) return new RegExp(regex, opt); + if (!name) { + // Ensure regex is not susceptible to catastrophic backtracking + try { + new RegExp(regex); + } catch (e) { + throw new Error('Inefficient regular expression'); + } + return new RegExp(regex, opt); + } val = val.source || val; val = val.replace(/(^|[^\[])\^/g, '$1'); regex = regex.replace(name, val); return self; }; } +} function noop() {} noop.exec = noop; diff --git a/src/com/ibm/security/appscan/altoromutual/servlet/AdminServlet.java b/src/com/ibm/security/appscan/altoromutual/servlet/AdminServlet.java index bcc1c94..30925e4 100644 --- a/src/com/ibm/security/appscan/altoromutual/servlet/AdminServlet.java +++ b/src/com/ibm/security/appscan/altoromutual/servlet/AdminServlet.java 
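Review bot: The added `+}` after the ` }` that already closes `replace()` is an unmatched brace, so marked.js will no longer parse once this hunk lands; drop it. The `try { new RegExp(regex); } catch (e) { ... }` above it does not do what its comment claims: the RegExp constructor only rejects syntactically invalid patterns and cannot detect catastrophic backtracking, so the check is a no-op for ReDoS and the comment misleads the next reader. `regex` here is one of marked's own lexer patterns, not request input, so if the intent is to mitigate a known ReDoS in this vendored copy the fix is to upgrade `WebContent/swagger/lib/marked.js` to a release that carries the patched pattern rather than hand-editing it. Otherwise revert to `if (!name) return new RegExp(regex, opt);`.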
@@ -39,75 +39,80 @@ public class AdminServlet extends HttpServlet { protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { String message = null; - //add account - if (request.getRequestURL().toString().endsWith("addAccount")){ - String username = request.getParameter("username"); - String acctType = request.getParameter("accttypes"); - if (username == null || acctType == null || username.trim().length() == 0 || acctType.trim().length() == 0) - message = "An error has occurred. Please try again later."; - else { - String error = DBUtil.addAccount(username, acctType); - if (error != null) - message = error; - } - } - - //add user - else if (request.getRequestURL().toString().endsWith("addUser")){ - String firstname = request.getParameter("firstname"); - String lastname = request.getParameter("lastname"); - String username = request.getParameter("username"); - String password1 = request.getParameter("password1"); - String password2 = request.getParameter("password2"); - if (username == null || username.trim().length() == 0 - || password1 == null || password1.trim().length() == 0 - || password2 == null || password2.trim().length() == 0) - message = "An error has occurred. 
Please try again later."; - - if (firstname == null){ - firstname = ""; - } - - if (lastname == null){ - lastname = ""; - } - - if (message == null && !password1.equals(password2)){ - message = "Entered passwords did not match."; - } - - if (message == null){ - String error = DBUtil.addUser(username, password1, firstname, lastname); - - if (error != null) - message = error; + // Verify that the request comes from a trusted source + if (!isRequestFromTrustedSource(request)) { + message = "Request is not from a trusted source."; + } else { + //add account + if (request.getRequestURL().toString().endsWith("addAccount")){ + String username = request.getParameter("username"); + String acctType = request.getParameter("accttypes"); + if (username == null || acctType == null || username.trim().length() == 0 || acctType.trim().length() == 0) + message = "An error has occurred. Please try again later."; + else { + String error = DBUtil.addAccount(username, acctType); + if (error != null) + message = error; + } } - } - - //change password - else if (request.getRequestURL().toString().endsWith("changePassword")){ - String username = request.getParameter("username"); - String password1 = request.getParameter("password1"); - String password2 = request.getParameter("password2"); - if (username == null || username.trim().length() == 0 + //add user + else if (request.getRequestURL().toString().endsWith("addUser")){ + String firstname = request.getParameter("firstname"); + String lastname = request.getParameter("lastname"); + String username = request.getParameter("username"); + String password1 = request.getParameter("password1"); + String password2 = request.getParameter("password2"); + if (username == null || username.trim().length() == 0 || password1 == null || password1.trim().length() == 0 || password2 == null || password2.trim().length() == 0) message = "An error has occurred. 
Please try again later."; - - if (message == null && !password1.equals(password2)){ - message = "Entered passwords did not match."; + + if (firstname == null){ + firstname = ""; + } + + if (lastname == null){ + lastname = ""; + } + + if (message == null && !password1.equals(password2)){ + message = "Entered passwords did not match."; + } + + if (message == null){ + String error = DBUtil.addUser(username, password1, firstname, lastname); + + if (error != null) + message = error; + } + } - if (message == null) { - String error = DBUtil.changePassword(username, password1); + //change password + else if (request.getRequestURL().toString().endsWith("changePassword")){ + String username = request.getParameter("username"); + String password1 = request.getParameter("password1"); + String password2 = request.getParameter("password2"); + if (username == null || username.trim().length() == 0 + || password1 == null || password1.trim().length() == 0 + || password2 == null || password2.trim().length() == 0) + message = "An error has occurred. Please try again later."; - if (error != null) - message = error; + if (message == null && !password1.equals(password2)){ + message = "Entered passwords did not match."; + } + + if (message == null) { + String error = DBUtil.changePassword(username, password1); + + if (error != null) + message = error; + } + } + else { + message = "An error has occurred. Please try again later."; } - } - else { - message = "An error has occurred. Please try again later."; } if (message != null) 
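Review bot: The new `isRequestFromTrustedSource(request)` gate at the top of the dispatch is the only check before `DBUtil.addAccount`, `DBUtil.addUser` and `DBUtil.changePassword` run, and as written in the next hunk it returns `true` unconditionally, so every branch still executes for any caller that reaches the servlet. Nothing here verifies that the session user holds an admin role, and `changePassword` takes `username` straight from `request.getParameter("username")`, so unless a filter or web.xml constraint outside this diff restricts the servlet, any authenticated user (or a CSRF'd admin) can reset any account's password. Before the `//add account` dispatch, load the logged-in user from the session (`ServletUtil.SESSION_ATTR_USER` is set in `establishSession`), check its role, and validate a per-session anti-CSRF token on these POSTs; the role accessor on `User` is not visible in this diff. `doPost` continues past the end of the hunk.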
@@ -119,5 +124,11 @@ else if (request.getRequestURL().toString().endsWith("changePassword")){ response.sendRedirect("admin.jsp"); return ; } - + + private boolean isRequestFromTrustedSource(HttpServletRequest request) { + // Implement the logic to check if the request is from a trusted source. + // This could include checking the IP address, requiring a secure connection, + // or any other business logic appropriate for the application. + return true; // Placeholder for actual implementation + } } diff --git a/src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java b/src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java index 55303c3..2229fa0 100644 --- a/src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java +++ b/src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java @@ -92,6 +92,8 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response) //Handle the cookie using ServletUtil.establishSession(String) try{ Cookie accountCookie = ServletUtil.establishSession(username,session); + accountCookie.setHttpOnly(true); + accountCookie.setSecure(true); response.addCookie(accountCookie); response.sendRedirect(request.getContextPath()+"/bank/main.jsp"); } diff --git a/src/com/ibm/security/appscan/altoromutual/servlet/SurveyServlet.java b/src/com/ibm/security/appscan/altoromutual/servlet/SurveyServlet.java index 40b8984..02a7053 100644 --- a/src/com/ibm/security/appscan/altoromutual/servlet/SurveyServlet.java +++ b/src/com/ibm/security/appscan/altoromutual/servlet/SurveyServlet.java @@ -94,11 +94,15 @@ else if (step.equals("done")){ !request.getSession().getAttribute("surveyStep").equals(previousStep))){ content = "
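Review bot: `isRequestFromTrustedSource` returning `true` unconditionally ships a security control that admits every request, which is worse than no check because readers of `doPost` will assume the admin actions are gated. The comment's own suggestions (source IP, a secure connection) describe transport properties, not who the caller is; the implementation should verify the session user and role and compare a per-session anti-CSRF token against the posted one with `MessageDigest.isEqual`. If it has to land as a stub, make it fail closed and say so: `return false; // TODO(security): no authorization enforced yet; fails closed until implemented`.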
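Review bot: `accountCookie.setHttpOnly(true)` and `accountCookie.setSecure(true)` on the cookie returned by `ServletUtil.establishSession` duplicate the same two calls that the ServletUtil hunk in this diff adds inside `establishSession`, so one place should own the cookie attributes (keep them where the cookie is built and drop these two lines). With `Secure` set, a browser will not send the cookie back on the redirect to `/bank/main.jsp` if the site is still reachable over plain HTTP, so enforce TLS site-wide rather than weakening the flag later. `doPost` starts and ends outside the hunk.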

Request Out of Order

"+ "

It appears that you attempted to skip or repeat some areas of this survey. Please return to the start page to begin again.

"; - } else { - request.getSession().setAttribute("surveyStep", step); + } else { + if (step != null && step.matches("^[a-zA-Z0-9]*$")) { + request.getSession().setAttribute("surveyStep", step); + } else { + throw new IllegalArgumentException("Invalid step parameter"); + } } response.setContentType("text/html"); - response.getWriter().write(content); + response.getWriter().write(ESAPI.encoder().encodeForHTML(content)); response.getWriter().flush(); } diff --git a/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java b/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java index 3031aa8..dd314c9 100644 --- a/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java +++ b/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java 
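Review bot: `ESAPI.encoder().encodeForHTML(content)` on the last line encodes the whole response body, and in the visible branch `content` is server-authored markup (the response is sent as `text/html`, and the fragments appear to carry tags that this rendering dropped), so the page will now display its tags as literal text. Encode only the untrusted pieces at the point where they are concatenated into `content`; whether any user input reaches `content` in the other branch is not visible, since that assignment sits above the hunk. Throwing `IllegalArgumentException` for a non-alphanumeric `step` turns a bad query parameter into an unhandled 500 (a stack trace on a default error page); reusing the out-of-order message or `response.sendError(HttpServletResponse.SC_BAD_REQUEST)` is the safer response. Note also that `step.equals("done")` in the hunk's header context already dereferenced `step`, so the `step != null` check comes too late to guard it, and if `org.owasp.esapi` is not already on the classpath the new call will not compile.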
@@ -209,21 +209,22 @@ public static ArrayList getFeedback (long feedbackId){ * @return true if valid user, false otherwise * @throws SQLException */ - public static boolean isValidUser(String user, String password) throws SQLException{ - if (user == null || password == null || user.trim().length() == 0 || password.trim().length() == 0) - return false; - - Connection connection = getConnection(); - Statement statement = connection.createStatement(); - - ResultSet resultSet =statement.executeQuery("SELECT COUNT(*)FROM PEOPLE WHERE USER_ID = '"+ user +"' AND PASSWORD='" + password + "'"); /* BAD - user input should always be sanitized */ - - if (resultSet.next()){ - - if (resultSet.getInt(1) > 0) - return true; - } - return false; + public static boolean isValidUser(String user, String password) throws SQLException { + if (user == null || password == null || user.trim().length() == 0 || password.trim().length() == 0) + return false; + + Connection connection = getConnection(); + PreparedStatement preparedStatement = connection.prepareStatement("SELECT COUNT(*) FROM PEOPLE WHERE USER_ID = ? AND PASSWORD = ?"); + preparedStatement.setString(1, user); + preparedStatement.setString(2, password); + + ResultSet resultSet = preparedStatement.executeQuery(); + + if (resultSet.next()) { + if (resultSet.getInt(1) > 0) + return true; + } + return false; } 
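Review bot: `preparedStatement` and `resultSet` in the new `isValidUser` body are never closed, so each login leaks a statement handle (and the connection too, unless `getConnection()` hands out a shared one, which this diff does not show); wrap them in try-with-resources if the project is on Java 7+. Separately, the query still compares `PASSWORD = ?` against the raw input, i.e. PEOPLE stores plaintext passwords; parameterizing removes the injection, but the credential storage should move to a salted hash (PBKDF2 via `javax.crypto.SecretKeyFactory`) verified in code, which the commit does not address.
```java
public static boolean isValidUser(String user, String password) throws SQLException {
    if (user == null || password == null || user.trim().length() == 0 || password.trim().length() == 0)
        return false;

    Connection connection = getConnection();
    String sql = "SELECT COUNT(*) FROM PEOPLE WHERE USER_ID = ? AND PASSWORD = ?";
    // try-with-resources closes the statement and result set on every path (Java 7+)
    try (PreparedStatement preparedStatement = connection.prepareStatement(sql)) {
        preparedStatement.setString(1, user);
        preparedStatement.setString(2, password);
        try (ResultSet resultSet = preparedStatement.executeQuery()) {
            return resultSet.next() && resultSet.getInt(1) > 0;
        }
    }
}
```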
@@ -238,9 +239,10 @@ public static User getUserInfo(String username) throws SQLException{ return null; Connection connection = getConnection(); - Statement statement = connection.createStatement(); - ResultSet resultSet =statement.executeQuery("SELECT FIRST_NAME,LAST_NAME,ROLE FROM PEOPLE WHERE USER_ID = '"+ username +"' "); /* BAD - user input should always be sanitized */ - + PreparedStatement preparedStatement = connection.prepareStatement("SELECT FIRST_NAME,LAST_NAME,ROLE FROM PEOPLE WHERE USER_ID = ?"); + preparedStatement.setString(1, username); + ResultSet resultSet = preparedStatement.executeQuery(); + String firstName = null; String lastName = null; String roleString = null; @@ -272,10 +274,11 @@ public static Account[] getAccounts(String username) throws SQLException{ return null; Connection connection = getConnection(); - Statement statement = connection.createStatement(); - ResultSet resultSet =statement.executeQuery("SELECT ACCOUNT_ID, ACCOUNT_NAME, BALANCE FROM ACCOUNTS WHERE USERID = '"+ username +"' "); /* BAD - user input should always be sanitized */ + PreparedStatement preparedStatement = connection.prepareStatement("SELECT ACCOUNT_ID, ACCOUNT_NAME, BALANCE FROM ACCOUNTS WHERE USERID = ?"); + preparedStatement.setString(1, username); + ResultSet resultSet = preparedStatement.executeQuery(); - ArrayList accounts = new ArrayList(3); + ArrayList accounts = new ArrayList(); while (resultSet.next()){ long accountId = resultSet.getLong("ACCOUNT_ID"); String name = resultSet.getString("ACCOUNT_NAME"); 
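Review bot: In both `getUserInfo` and `getAccounts` the new `preparedStatement` and `resultSet` are never closed, while `transferFunds` and `getTransactions` later in this diff now close their connection in `finally`, so the file ends up with two incompatible assumptions about who owns the connection returned by `getConnection()`. Pick one: if it returns a fresh connection, close statement, result set and connection here as well (try-with-resources); if it returns a shared one, the `connection.close()` added in the other methods will break every later query. Both methods continue past their hunks.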
@@ -296,67 +299,97 @@ public static Account[] getAccounts(String username) throws SQLException{ * @return */ public static String transferFunds(String username, long creditActId, long debitActId, double amount) { + + try { - try { - - User user = getUserInfo(username); - - Connection connection = getConnection(); - Statement statement = connection.createStatement(); - - Account debitAccount = Account.getAccount(debitActId); - Account creditAccount = Account.getAccount(creditActId); - - if (debitAccount == null){ - return "Originating account is invalid"; - } - - if (creditAccount == null) - return "Destination account is invalid"; - - java.sql.Timestamp date = new Timestamp(new java.util.Date().getTime()); - - //in real life we would want to do these updates and transaction entry creation - //as one atomic operation - - long userCC = user.getCreditCardNumber(); - - /* this is the account that the payment will be made from, thus negative amount!*/ - double debitAmount = -amount; - /* this is the account that the payment will be made to, thus positive amount!*/ - double creditAmount = amount; - - /* Credit card account balance is the amount owed, not amount owned - * (reverse of other accounts). 
Therefore we have to process balances differently*/ - if (debitAccount.getAccountId() == userCC) - debitAmount = -debitAmount; - - //create transaction record - statement.execute("INSERT INTO TRANSACTIONS (ACCOUNTID, DATE, TYPE, AMOUNT) VALUES ("+debitAccount.getAccountId()+",'"+date+"',"+((debitAccount.getAccountId() == userCC)?"'Cash Advance'":"'Withdrawal'")+","+debitAmount+")," + - "("+creditAccount.getAccountId()+",'"+date+"',"+((creditAccount.getAccountId() == userCC)?"'Payment'":"'Deposit'")+","+creditAmount+")"); - - Log4AltoroJ.getInstance().logTransaction(debitAccount.getAccountId()+" - "+ debitAccount.getAccountName(), creditAccount.getAccountId()+" - "+ creditAccount.getAccountName(), amount); - - if (creditAccount.getAccountId() == userCC) - creditAmount = -creditAmount; - - //add cash advance fee since the money transfer was made from the credit card - if (debitAccount.getAccountId() == userCC){ - statement.execute("INSERT INTO TRANSACTIONS (ACCOUNTID, DATE, TYPE, AMOUNT) VALUES ("+debitAccount.getAccountId()+",'"+date+"','Cash Advance Fee',"+CASH_ADVANCE_FEE+")"); - debitAmount += CASH_ADVANCE_FEE; - Log4AltoroJ.getInstance().logTransaction(String.valueOf(userCC), "N/A", CASH_ADVANCE_FEE); + User user = getUserInfo(username); + + Connection connection = getConnection(); + connection.setAutoCommit(false); // Start transaction block + PreparedStatement pstmt = null; + + Account debitAccount = Account.getAccount(debitActId); + Account creditAccount = Account.getAccount(creditActId); + + if (debitAccount == null){ + return "Originating account is invalid"; + } + + if (creditAccount == null) + return "Destination account is invalid"; + + java.sql.Timestamp date = new Timestamp(new java.util.Date().getTime()); + + long userCC = user.getCreditCardNumber(); + + double debitAmount = -amount; + double creditAmount = amount; + + if (debitAccount.getAccountId() == userCC) + debitAmount = -debitAmount; + + // Create transaction record + String 
sqlInsertTransactions = "INSERT INTO TRANSACTIONS (ACCOUNTID, DATE, TYPE, AMOUNT) VALUES (?, ?, ?, ?), (?, ?, ?, ?)"; + pstmt = connection.prepareStatement(sqlInsertTransactions); + pstmt.setLong(1, debitAccount.getAccountId()); + pstmt.setTimestamp(2, date); + pstmt.setString(3, (debitAccount.getAccountId() == userCC) ? "Cash Advance" : "Withdrawal"); + pstmt.setDouble(4, debitAmount); + pstmt.setLong(5, creditAccount.getAccountId()); + pstmt.setTimestamp(6, date); + pstmt.setString(7, (creditAccount.getAccountId() == userCC) ? "Payment" : "Deposit"); + pstmt.setDouble(8, creditAmount); + pstmt.executeUpdate(); + + Log4AltoroJ.getInstance().logTransaction(debitAccount.getAccountId()+" - "+ debitAccount.getAccountName(), creditAccount.getAccountId()+" - "+ creditAccount.getAccountName(), amount); + + if (creditAccount.getAccountId() == userCC) + creditAmount = -creditAmount; + + // Add cash advance fee if the money transfer was made from the credit card + if (debitAccount.getAccountId() == userCC){ + String sqlInsertFee = "INSERT INTO TRANSACTIONS (ACCOUNTID, DATE, TYPE, AMOUNT) VALUES (?, ?, 'Cash Advance Fee', ?)"; + pstmt = connection.prepareStatement(sqlInsertFee); + pstmt.setLong(1, debitAccount.getAccountId()); + pstmt.setTimestamp(2, date); + pstmt.setDouble(3, CASH_ADVANCE_FEE); + pstmt.executeUpdate(); + debitAmount += CASH_ADVANCE_FEE; + Log4AltoroJ.getInstance().logTransaction(String.valueOf(userCC), "N/A", CASH_ADVANCE_FEE); + } + + // Update account balances + String sqlUpdateDebit = "UPDATE ACCOUNTS SET BALANCE = ? WHERE ACCOUNT_ID = ?"; + pstmt = connection.prepareStatement(sqlUpdateDebit); + pstmt.setDouble(1, debitAccount.getBalance() + debitAmount); + pstmt.setLong(2, debitAccount.getAccountId()); + pstmt.executeUpdate(); + + String sqlUpdateCredit = "UPDATE ACCOUNTS SET BALANCE = ? 
WHERE ACCOUNT_ID = ?"; + pstmt = connection.prepareStatement(sqlUpdateCredit); + pstmt.setDouble(1, creditAccount.getBalance() + creditAmount); + pstmt.setLong(2, creditAccount.getAccountId()); + pstmt.executeUpdate(); + + connection.commit(); // Commit transaction block + return null; + + } catch (SQLException e) { + try { + connection.rollback(); // Rollback transaction on error + } catch (SQLException se) { + // Handle rollback error + } + return "Transaction failed. Please try again later."; + } finally { + try { + if (pstmt != null) pstmt.close(); + if (connection != null) connection.close(); + } catch (SQLException se) { + // Handle resources cleanup error + } } - - //update account balances - statement.execute("UPDATE ACCOUNTS SET BALANCE = " + (debitAccount.getBalance()+debitAmount) + " WHERE ACCOUNT_ID = " + debitAccount.getAccountId()); - statement.execute("UPDATE ACCOUNTS SET BALANCE = " + (creditAccount.getBalance()+creditAmount) + " WHERE ACCOUNT_ID = " + creditAccount.getAccountId()); - - return null; - - } catch (SQLException e) { - return "Transaction failed. Please try again later."; } - } /** 
@@ -368,57 +401,79 @@ public static String transferFunds(String username, long creditActId, long debit * @return */ public static Transaction[] getTransactions(String startDate, String endDate, Account[] accounts, int rowCount) throws SQLException { - - if (accounts == null || accounts.length == 0) - return null; - - Connection connection = getConnection(); - - - Statement statement = connection.createStatement(); - - if (rowCount > 0) - statement.setMaxRows(rowCount); - - StringBuffer acctIds = new StringBuffer(); - acctIds.append("ACCOUNTID = " + accounts[0].getAccountId()); - for (int i=1; i0){ - dateString = "DATE > '" + startDate +" 00:00:00'"; - } else if (endDate != null && endDate.length()>0){ - dateString = "DATE < '" + endDate + " 23:59:59'"; - } - - String query = "SELECT * FROM TRANSACTIONS WHERE (" + acctIds.toString() + ") " + ((dateString==null)?"": "AND (" + dateString + ") ") + "ORDER BY DATE DESC" ; - ResultSet resultSet = null; - - try { - resultSet = statement.executeQuery(query); - } catch (SQLException e){ - int errorCode = e.getErrorCode(); - if (errorCode == 30000) - throw new SQLException("Date-time query must be in the format of yyyy-mm-dd HH:mm:ss", e); - - throw e; - } - ArrayList transactions = new ArrayList(); - while (resultSet.next()){ - int transId = resultSet.getInt("TRANSACTION_ID"); - long actId = resultSet.getLong("ACCOUNTID"); - Timestamp date = resultSet.getTimestamp("DATE"); - String desc = resultSet.getString("TYPE"); - double amount = resultSet.getDouble("AMOUNT"); - transactions.add(new Transaction(transId, actId, date, desc, amount)); - } - - return transactions.toArray(new Transaction[transactions.size()]); + + if (accounts == null || accounts.length == 0) + return null; + + Connection connection = getConnection(); + + PreparedStatement pstmt = null; + ResultSet resultSet = null; + + try { + if (rowCount > 0) + pstmt.setMaxRows(rowCount); + + StringBuilder acctIds = new StringBuilder(); + for (int i = 0; i < 
accounts.length; i++) { + acctIds.append((i > 0) ? ",?" : "?"); + } + + String dateString = ""; + + if (startDate != null && startDate.length() > 0 && endDate != null && endDate.length() > 0) { + dateString = "AND DATE BETWEEN ? AND ?"; + } else if (startDate != null && startDate.length() > 0) { + dateString = "AND DATE > ?"; + } else if (endDate != null && endDate.length() > 0) { + dateString = "AND DATE < ?"; + } + + String query = "SELECT * FROM TRANSACTIONS WHERE ACCOUNTID IN (" + acctIds.toString() + ") " + dateString + " ORDER BY DATE DESC"; + pstmt = connection.prepareStatement(query); + + int index = 1; + for (Account account : accounts) { + pstmt.setLong(index++, account.getAccountId()); + } + + if (startDate != null && startDate.length() > 0) { + pstmt.setString(index++, startDate + " 00:00:00"); + } + if (endDate != null && endDate.length() > 0) { + pstmt.setString(index++, endDate + " 23:59:59"); + } + + resultSet = pstmt.executeQuery(); + + ArrayList transactions = new ArrayList(); + while (resultSet.next()) { + int transId = resultSet.getInt("TRANSACTION_ID"); + long actId = resultSet.getLong("ACCOUNTID"); + Timestamp date = resultSet.getTimestamp("DATE"); + String desc = resultSet.getString("TYPE"); + double amount = resultSet.getDouble("AMOUNT"); + transactions.add(new Transaction(transId, actId, date, desc, amount)); + } + + return transactions.toArray(new Transaction[transactions.size()]); + } catch (SQLException e) { + int errorCode = e.getErrorCode(); + if (errorCode == 30000) + throw new SQLException("Date-time query must be in the format of yyyy-mm-dd HH:mm:ss", e); + + throw e; + } finally { + if (resultSet != null) { + resultSet.close(); + } + if (pstmt != null) { + pstmt.close(); + } + if (connection != null) { + connection.close(); + } + } } public static String[] getBankUsernames() { 
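Review bot: `pstmt.setMaxRows(rowCount)` at the top of the `try` runs while `pstmt` is still `null` (it is only assigned after the query string is built), so every call with `rowCount > 0` now fails with a `NullPointerException` before the query executes; move `if (rowCount > 0) pstmt.setMaxRows(rowCount);` to just after `pstmt = connection.prepareStatement(query);`. The date bounds are bound with `setString` against what the old code treated as a timestamp column, so the `errorCode == 30000` branch now depends on the driver coercing the string; parsing the input with `Timestamp.valueOf` and using `setTimestamp` would make the format error explicit and driver-independent. `connection.close()` in `finally` assumes `getConnection()` returns a fresh connection, which the other DBUtil hunks, which never close it, do not assume.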
@@ -445,11 +500,12 @@ public static String[] getBankUsernames() { } public static Account getAccount(long accountNo) throws SQLException { - + Connection connection = getConnection(); - Statement statement = connection.createStatement(); - ResultSet resultSet =statement.executeQuery("SELECT ACCOUNT_NAME, BALANCE FROM ACCOUNTS WHERE ACCOUNT_ID = "+ accountNo +" "); /* BAD - user input should always be sanitized */ - + PreparedStatement preparedStatement = connection.prepareStatement("SELECT ACCOUNT_NAME, BALANCE FROM ACCOUNTS WHERE ACCOUNT_ID = ?"); + preparedStatement.setLong(1, accountNo); + ResultSet resultSet = preparedStatement.executeQuery(); + ArrayList accounts = new ArrayList(3); while (resultSet.next()){ String name = resultSet.getString("ACCOUNT_NAME"); @@ -467,8 +523,11 @@ public static Account getAccount(long accountNo) throws SQLException { public static String addAccount(String username, String acctType) { try { Connection connection = getConnection(); - Statement statement = connection.createStatement(); - statement.execute("INSERT INTO ACCOUNTS (USERID,ACCOUNT_NAME,BALANCE) VALUES ('"+username+"','"+acctType+"', 0)"); + String sql = "INSERT INTO ACCOUNTS (USERID, ACCOUNT_NAME, BALANCE) VALUES (?, ?, 0)"; + PreparedStatement preparedStatement = connection.prepareStatement(sql); + preparedStatement.setString(1, username); + preparedStatement.setString(2, acctType); + preparedStatement.executeUpdate(); return null; } catch (SQLException e){ return e.toString(); 
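Review bot: `addAccount` still returns `e.toString()` on failure, and `AdminServlet` assigns that string to `message`, which presumably ends up on admin.jsp, so driver and SQL error text reaches the browser; log it via `Log4AltoroJ.getInstance().logError(e.getMessage())` as `storeFeedback` does and return a fixed user-facing string. In both `getAccount` and `addAccount` the new `preparedStatement` (and `resultSet` in `getAccount`) is never closed. `acctType` goes into `ACCOUNT_NAME` unvalidated; parameterizing removes the injection, but if only a fixed set of account types should be creatable, check it against that set. `getAccount` continues past its hunk.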
@@ -476,56 +535,71 @@ public static String addAccount(String username, String acctType) { } public static String addSpecialUser(String username, String password, String firstname, String lastname) { - try { - Connection connection = getConnection(); - Statement statement = connection.createStatement(); - statement.execute("INSERT INTO SPECIAL_CUSTOMERS (USER_ID,PASSWORD,FIRST_NAME,LAST_NAME,ROLE) VALUES ('"+username+"','"+password+"', '"+firstname+"', '"+lastname+"','user')"); - return null; - } catch (SQLException e){ - return e.toString(); - - } + try { + Connection connection = getConnection(); + String sql = "INSERT INTO SPECIAL_CUSTOMERS (USER_ID, PASSWORD, FIRST_NAME, LAST_NAME, ROLE) VALUES (?, ?, ?, ?, 'user')"; + PreparedStatement preparedStatement = connection.prepareStatement(sql); + preparedStatement.setString(1, username); + preparedStatement.setString(2, password); + preparedStatement.setString(3, firstname); + preparedStatement.setString(4, lastname); + preparedStatement.executeUpdate(); + return null; + } catch (SQLException e) { + return e.toString(); + } } public static String addUser(String username, String password, String firstname, String lastname) { try { Connection connection = getConnection(); - Statement statement = connection.createStatement(); - statement.execute("INSERT INTO PEOPLE (USER_ID,PASSWORD,FIRST_NAME,LAST_NAME,ROLE) VALUES ('"+username+"','"+password+"', '"+firstname+"', '"+lastname+"','user')"); + String sql = "INSERT INTO PEOPLE (USER_ID, PASSWORD, FIRST_NAME, LAST_NAME, ROLE) VALUES (?, ?, ?, ?, 'user')"; + PreparedStatement preparedStatement = connection.prepareStatement(sql); + preparedStatement.setString(1, username); + preparedStatement.setString(2, password); + preparedStatement.setString(3, firstname); + preparedStatement.setString(4, lastname); + preparedStatement.executeUpdate(); return null; } catch (SQLException e){ return e.toString(); - } } public static String changePassword(String username, String password) { 
try { Connection connection = getConnection(); - Statement statement = connection.createStatement(); - statement.execute("UPDATE PEOPLE SET PASSWORD = '"+ password +"' WHERE USER_ID = '"+username+"'"); + String sql = "UPDATE PEOPLE SET PASSWORD = ? WHERE USER_ID = ?"; + PreparedStatement preparedStatement = connection.prepareStatement(sql); + preparedStatement.setString(1, password); + preparedStatement.setString(2, username); + preparedStatement.executeUpdate(); return null; } catch (SQLException e){ return e.toString(); - } } public static long storeFeedback(String name, String email, String subject, String comments) { - try{ - Connection connection = getConnection(); - Statement statement = connection.createStatement(); - statement.execute("INSERT INTO FEEDBACK (NAME,EMAIL,SUBJECT,COMMENTS) VALUES ('"+name+"', '"+email+"', '"+subject+"', '"+comments+"')", Statement.RETURN_GENERATED_KEYS); - ResultSet rs= statement.getGeneratedKeys(); - long id = -1; - if (rs.next()){ - id = rs.getLong(1); - } - return id; - } catch (SQLException e){ - Log4AltoroJ.getInstance().logError(e.getMessage()); - return -1; - } + try{ + Connection connection = getConnection(); + String sql = "INSERT INTO FEEDBACK (NAME,EMAIL,SUBJECT,COMMENTS) VALUES (?, ?, ?, ?)"; + PreparedStatement preparedStatement = connection.prepareStatement(sql, Statement.RETURN_GENERATED_KEYS); + preparedStatement.setString(1, name); + preparedStatement.setString(2, email); + preparedStatement.setString(3, subject); + preparedStatement.setString(4, comments); + preparedStatement.execute(); + ResultSet rs = preparedStatement.getGeneratedKeys(); + long id = -1; + if (rs.next()){ + id = rs.getLong(1); + } + return id; + } catch (SQLException e){ + Log4AltoroJ.getInstance().logError(e.getMessage()); + return -1; + } } } \ No newline at end of file 
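Review bot: `addSpecialUser`, `addUser` and `changePassword` bind the raw `password` with `setString`, so PEOPLE and SPECIAL_CUSTOMERS still hold plaintext credentials; hash with a salted KDF (PBKDF2 via `javax.crypto.SecretKeyFactory` is in the JDK) before the insert/update and verify the hash in `isValidUser`, which the commit does not address. All four methods also leave their `PreparedStatement` (and the generated-keys `ResultSet` in `storeFeedback`) unclosed, and the first three return `e.toString()` to the caller, which the admin servlet surfaces as the page message. `storeFeedback`'s `logError` plus a fixed return value is the pattern the other three should follow.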
diff --git a/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java b/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java index 5629335..a1574b2 100644 --- a/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java +++ b/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java @@ -12,6 +12,7 @@ import org.apache.commons.lang.StringEscapeUtils; import com.ibm.security.appscan.altoromutual.model.Account; import com.ibm.security.appscan.altoromutual.model.User; +import java.security.SecureRandom; public class OperationsUtil { @@ -143,11 +144,12 @@ public static User getUser(HttpServletRequest request) throws SQLException{ } + public static String makeRandomString() { byte[] array = new byte[7]; // length is bounded by 7 - new Random().nextBytes(array); + new SecureRandom().nextBytes(array); String generatedString = new String(array, Charset.forName("UTF-8")); - + return generatedString; } diff --git a/src/com/ibm/security/appscan/altoromutual/util/ServletUtil.java b/src/com/ibm/security/appscan/altoromutual/util/ServletUtil.java index 6524e35..629e033 100644 --- a/src/com/ibm/security/appscan/altoromutual/util/ServletUtil.java +++ b/src/com/ibm/security/appscan/altoromutual/util/ServletUtil.java @@ -343,6 +343,8 @@ public static Cookie establishSession(String username, HttpSession session){ Account[] accounts = user.getAccounts(); String accountStringList = Account.toBase64List(accounts); Cookie accountCookie = new Cookie(ServletUtil.ALTORO_COOKIE, accountStringList); + accountCookie.setSecure(true); // Ensure the cookie is sent only over a secure protocol like HTTPS + accountCookie.setHttpOnly(true); // Mitigate the risk of client side script accessing the protected cookie session.setAttribute(ServletUtil.SESSION_ATTR_USER, user); return accountCookie; }
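Review bot: `new String(array, Charset.forName("UTF-8"))` in `makeRandomString` decodes 7 random bytes as UTF-8, and most random byte sequences are not valid UTF-8, so the result is largely U+FFFD replacement characters; switching to `SecureRandom` does not change that, and the string is neither 7 characters long nor uniformly distributed. Encode the bytes instead, e.g. `return new java.math.BigInteger(1, array).toString(16);` (or `Base64.getUrlEncoder().withoutPadding().encodeToString(array)` on Java 8+). If the value serves as a token, 7 bytes (56 bits) is on the low side; 16 bytes is the usual floor. If there was a `java.util.Random` import, it is now unused and not removed here.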
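Review bot: `Secure` and `HttpOnly` on `accountCookie` keep the cookie off plain HTTP and away from script, but do nothing for its integrity: the value is `Account.toBase64List(accounts)`, a client-editable encoding of the user's account list, so a client can rewrite it to reference other account IDs. Since `establishSession` already stores the `User` in the session under `SESSION_ATTR_USER`, the server-side copy should be authoritative and the cookie dropped or reduced to an opaque identifier, or at least HMAC-signed and verified wherever it is read (not visible in this diff). `establishSession` starts above the hunk.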