| @@ -0,0 +1,41 @@ | ||
| name: Sample Orca SAST Scan Workflow | ||
| on: | ||
| # Trigger the workflow on push request, | ||
| # but only for the main branch | ||
| push: | ||
| branches: | ||
| - main | ||
| pull_request: | ||
| branches: [ "main" ] | ||
|
|
||
|
|
||
|
|
||
| jobs: | ||
| orca-iac_scan: | ||
| name: Orca SAST Scan | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| env: | ||
| PROJECT_KEY: default # Set the desired project to run the cli scanning with | ||
| steps: | ||
| # Checkout your repository under $GITHUB_WORKSPACE, so your job can access it | ||
| - name: Checkout Repository | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Run Orca SAST Scan | ||
| uses: orcasecurity/shiftleft-sast-action@v1 | ||
| id: orcasecurity_sast_scan | ||
| with: | ||
| api_token: ${{ secrets.ORCA_SECURITY_API_TOKEN }} | ||
| project_key: ${{ env.PROJECT_KEY }} | ||
| path: | ||
| # scanning directories: ./terraform/ ./sub-dir/ and a file: ./Dockerfile | ||
| "." | ||
| format: "sarif" | ||
| output: "results/" | ||
| - name: Upload SARIF file | ||
| uses: github/codeql-action/upload-sarif@v3 | ||
| if: ${{ always() && steps.orcasecurity_sast_scan.outputs.exit_code != 1 }} | ||
| with: | ||
| sarif_file: results/sast.sarif |
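Review bot: The job grants only `contents: read`, but the `github/codeql-action/upload-sarif@v3` step needs the token to write to code scanning, so the SARIF upload will be rejected on the default permissions; add `security-events: write` under `permissions:` next to `contents: read`. Both third-party steps are referenced by mutable tags (`orcasecurity/shiftleft-sast-action@v1`, `actions/checkout@v4`); pinning them to a full commit SHA with the tag in a trailing comment removes the supply-chain exposure of a moved tag. The upload condition uses `always()`, which also runs when the workflow is cancelled; `!cancelled() && steps.orcasecurity_sast_scan.outputs.exit_code != 1` expresses the intent more precisely. A one-line comment above `output: "results/"` stating that the action writes `sast.sarif` into that directory would tie the `sarif_file` path back to its producer.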
| @@ -0,0 +1,147 @@ | ||
| /* | ||
| * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/ | ||
| * | ||
| * Copyright (c) 2002 - 2019 Bruce Mayhew | ||
| * | ||
| * This program is free software; you can redistribute it and/or modify it under the terms of the | ||
| * GNU General Public License as published by the Free Software Foundation; either version 2 of the | ||
| * License, or (at your option) any later version. | ||
| * | ||
| * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without | ||
| * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
| * General Public License for more details. | ||
| * | ||
| * You should have received a copy of the GNU General Public License along with this program; if | ||
| * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA | ||
| * 02111-1307, USA. | ||
| * | ||
| * Getting Source ============== | ||
| * | ||
| * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects. | ||
| */ | ||
|
|
||
| package org.owasp.webgoat.webwolf; | ||
|
|
||
| import static java.util.Comparator.comparing; | ||
| import static org.springframework.http.MediaType.ALL_VALUE; | ||
|
|
||
| import jakarta.servlet.http.HttpServletRequest; | ||
| import java.io.File; | ||
| import java.io.IOException; | ||
| import java.io.InputStream; | ||
| import java.nio.file.Files; | ||
| import java.nio.file.attribute.FileTime; | ||
| import java.time.ZonedDateTime; | ||
| import java.time.format.DateTimeFormatter; | ||
| import java.util.ArrayList; | ||
| import java.util.TimeZone; | ||
| import lombok.extern.slf4j.Slf4j; | ||
| import org.apache.commons.io.FileUtils; | ||
| import org.springframework.beans.factory.annotation.Value; | ||
| import org.springframework.http.MediaType; | ||
| import org.springframework.security.core.Authentication; | ||
| import org.springframework.stereotype.Controller; | ||
| import org.springframework.ui.ModelMap; | ||
| import org.springframework.web.bind.annotation.GetMapping; | ||
| import org.springframework.web.bind.annotation.PostMapping; | ||
| import org.springframework.web.bind.annotation.RequestMapping; | ||
| import org.springframework.web.bind.annotation.RequestParam; | ||
| import org.springframework.web.bind.annotation.ResponseBody; | ||
| import org.springframework.web.multipart.MultipartFile; | ||
| import org.springframework.web.servlet.ModelAndView; | ||
| import org.springframework.web.servlet.view.RedirectView; | ||
|
|
||
| /** Controller for uploading a file */ | ||
| @Controller | ||
| @Slf4j | ||
| public class FileServer { | ||
|
|
||
| private static final DateTimeFormatter dateTimeFormatter = | ||
| DateTimeFormatter.ofPattern("yyyy-MM-dd HH:mm:ss"); | ||
|
|
||
| @Value("${webwolf.fileserver.location}") | ||
| private String fileLocation; | ||
|
|
||
| @Value("${server.address}") | ||
| private String server; | ||
|
|
||
| @Value("${server.servlet.context-path}") | ||
| private String contextPath; | ||
|
|
||
| @Value("${server.port}") | ||
| private int port; | ||
|
|
||
| @RequestMapping( | ||
| path = "/file-server-location", | ||
| consumes = ALL_VALUE, | ||
| produces = MediaType.TEXT_PLAIN_VALUE) | ||
| @ResponseBody | ||
| public String getFileLocation() { | ||
| return fileLocation; | ||
| } | ||
|
|
||
| @PostMapping(value = "/fileupload") | ||
| public ModelAndView importFile( | ||
| @RequestParam("file") MultipartFile multipartFile, Authentication authentication) | ||
| throws IOException { | ||
| var username = authentication.getName(); | ||
| var destinationDir = new File(fileLocation, username); | ||
| destinationDir.mkdirs(); | ||
| // DO NOT use multipartFile.transferTo(), see | ||
| // https://stackoverflow.com/questions/60336929/java-nio-file-nosuchfileexception-when-file-transferto-is-called | ||
| try (InputStream is = multipartFile.getInputStream()) { | ||
| var destinationFile = destinationDir.toPath().resolve(multipartFile.getOriginalFilename()); | ||
| Files.deleteIfExists(destinationFile); | ||
| Files.copy(is, destinationFile); | ||
| } | ||
| log.debug("File saved to {}", new File(destinationDir, multipartFile.getOriginalFilename())); | ||
|
Check failure on line 97 in fail.java
|
||
|
|
||
| return new ModelAndView( | ||
| new RedirectView("files", true), | ||
| new ModelMap().addAttribute("uploadSuccess", "File uploaded successful")); | ||
| } | ||
|
|
||
| @GetMapping(value = "/files") | ||
| public ModelAndView getFiles( | ||
| HttpServletRequest request, Authentication authentication, TimeZone timezone) { | ||
| String username = (null != authentication) ? authentication.getName() : "anonymous"; | ||
| File destinationDir = new File(fileLocation, username); | ||
|
|
||
| ModelAndView modelAndView = new ModelAndView(); | ||
| modelAndView.setViewName("files"); | ||
| File changeIndicatorFile = new File(destinationDir, username + "_changed"); | ||
| if (changeIndicatorFile.exists()) { | ||
| modelAndView.addObject("uploadSuccess", request.getParameter("uploadSuccess")); | ||
|
Check warning on line 114 in fail.java
|
||
Check warningCode scanning / Orca Shift-Left Security The Servlet can receive GET and POST parameters from multiple methods. These values are potentially unsafe and should be validated or sanitized before being used in sensitive APIs. Warning
The Servlet can receive GET and POST parameters from multiple methods. These values are potentially unsafe and should be validated or sanitized before being used in sensitive APIs.
|
||
| } | ||
| changeIndicatorFile.delete(); | ||
|
|
||
| record UploadedFile(String name, String size, String link, String creationTime) {} | ||
|
|
||
| var uploadedFiles = new ArrayList<UploadedFile>(); | ||
| File[] files = destinationDir.listFiles(File::isFile); | ||
| if (files != null) { | ||
| for (File file : files) { | ||
| String size = FileUtils.byteCountToDisplaySize(file.length()); | ||
| String link = String.format("files/%s/%s", username, file.getName()); | ||
| uploadedFiles.add( | ||
| new UploadedFile(file.getName(), size, link, getCreationTime(timezone, file))); | ||
| } | ||
| } | ||
|
|
||
| modelAndView.addObject( | ||
| "files", | ||
| uploadedFiles.stream().sorted(comparing(UploadedFile::creationTime).reversed()).toList()); | ||
| modelAndView.addObject("webwolf_url", "http://" + server + ":" + port + contextPath); | ||
| return modelAndView; | ||
| } | ||
|
|
||
| private String getCreationTime(TimeZone timezone, File file) { | ||
| try { | ||
| FileTime creationTime = (FileTime) Files.getAttribute(file.toPath(), "creationTime"); | ||
| ZonedDateTime zonedDateTime = creationTime.toInstant().atZone(timezone.toZoneId()); | ||
| return dateTimeFormatter.format(zonedDateTime); | ||
| } catch (IOException e) { | ||
| return "unknown"; | ||
| } | ||
| } | ||
| } | ||
Check warning
Code scanning / Orca Shift-Left Security
User input is being used to control a file path, which can lead to directory traversal vulnerabilities (e.g., using '../' to access unintended directories). It's crucial to sanitize any user-controlled variables in file paths to mitigate this risk. Consider using utility methods, like org.apache.commons.io.FilenameUtils.getName(...), to extract only the file name from a given path. Warning
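Review bot: `destinationDir.mkdirs()` in `importFile` and `changeIndicatorFile.delete()` in `getFiles` discard their boolean results, so a failed directory creation is only noticed later when `Files.copy` throws a `NoSuchFileException` that no longer names the real cause, and a failed delete leaves the change indicator in place without any log entry; replace the first with `Files.createDirectories(destinationDir.toPath());`, which throws an `IOException` with the path, and check or log the second. The `/file-server-location` endpoint in `getFileLocation` returns the configured server-side storage path as plain text to any caller, which is an information disclosure of filesystem layout; if it is needed by the UI, its exposure should be documented in the class Javadoc, which currently reads only `Controller for uploading a file`. The `deleteIfExists` followed by `Files.copy` pair in `importFile` is not atomic, so two concurrent uploads of the same name can race; `Files.copy(is, destinationFile, StandardCopyOption.REPLACE_EXISTING)` does the replace in one call and drops the separate delete. The "Check failure on line 97" annotation carries no visible message here, so it is not addressed in this note.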