
Patchwork PR: GenerateDocstring #23

Open: wants to merge 6 commits into base branch main from patchwork-generatedocstring-main

Conversation

@patched-codes patched-codes bot force-pushed the patchwork-generatedocstring-main branch 5 times, most recently from 16d22d4 to 01f61a4 on October 10, 2024 10:52

patched-codes bot commented Oct 10, 2024

File Changed: src/com/ibm/security/appscan/altoromutual/model/Account.java

Details: There's a potential bug in the setAccountId method. The parameter type is int, but the accountId field is of type long.

Affected Code Snippet:

public void setAccountId(int accountId) {
    this.accountId = accountId;
}

Start Line: 83

End Line: 85


Details: There's a potential bug in the setBalance method. The parameter type is long, but the balance field is of type double.

Affected Code Snippet:

public void setBalance(long balance) {
    this.balance = balance;
}

Start Line: 101

End Line: 103


Details: There's a potential security vulnerability in the fromBase64List method. The method uses Base64.decodeBase64() without any input validation, which could lead to security issues if the input is not properly sanitized.

Affected Code Snippet:

public static Account[] fromBase64List (String b64accounts){
    String accounts = new String(Base64.decodeBase64(b64accounts)); 
    
    StringTokenizer outerTokens = new StringTokenizer(accounts, "|");
    ArrayList<Account> accountList = new ArrayList<Account>();
    while (outerTokens.hasMoreTokens()) {
        String accountString = outerTokens.nextToken();
        StringTokenizer accountTokens = new StringTokenizer(accountString, "~");
        
        long id = Long.parseLong(accountTokens.nextToken());
        String accountName = accountTokens.nextToken();
        double balance = Double.parseDouble(accountTokens.nextToken());
        
        Account account = new Account(id, accountName, balance);
        accountList.add(account);
    }
    
    return (accountList.toArray(new Account[accountList.size()]));
}

Start Line: 122

End Line: 148

File Changed: src/com/ibm/security/appscan/altoromutual/model/User.java

Details: A potential security vulnerability has been introduced in the getCreditCardNumber() method. This method returns the account ID of a credit card, which could be sensitive information. It should be properly secured or removed if not necessary.

Affected Code Snippet:

public long getCreditCardNumber(){
    for (Account account: getAccounts()){
        if (DBUtil.CREDIT_CARD_ACCOUNT_NAME.equals(account.getAccountName()))
            return account.getAccountId();
    }
    return -1L;
}

Start Line: 145

End Line: 152

File Changed: src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java

Details: Potential security vulnerability introduced in the getUser method. The method retrieves the access token from the Authorization header without proper validation, which could lead to security issues if the header is missing or malformed.

Affected Code Snippet:

public static User getUser(HttpServletRequest request) throws SQLException{
    
    String accessToken = request.getHeader("Authorization").replaceAll("Bearer ", "");
    UserDAO userDAO = new UserDAO();
    User user = userDAO.getUserByAccessToken(accessToken);
    
    return user;
    
}

Start Line: 168

End Line: 177

File Changed: src/com/ibm/security/appscan/altoromutual/util/ServletUtil.java

Details: There is a potential bug in the sanitzieHtmlWithRegex method. The method name is misspelled, which could lead to confusion and errors if developers try to use this method.

Affected Code Snippet:

public static String sanitzieHtmlWithRegex(String input) {
    if (XSS_REGEXP.matcher(input).matches()) {
        return "";
    }
    return input;
}

Start Line: 257

End Line: 261


Details: There is a potential security vulnerability in the establishSession method. The method creates a cookie with user account information, but it's not clear if this information is properly encrypted or protected. Storing sensitive information in cookies without proper security measures can lead to security breaches.

Affected Code Snippet:

public static Cookie establishSession(String username, HttpSession session){
    try{
        User user = DBUtil.getUserInfo(username);
        String accountName = user.getAccounts()[0].getAccountName();
        session.setAttribute(ServletUtil.SESSION_ATTR_USER, user);
        Cookie cookie = new Cookie(ALTORO_COOKIE, "Edward|"+accountName);
        cookie.setPath("/");
        return cookie;
    } catch (SQLException e){
        // Log
        return null;
    }
}

Start Line: 356

End Line: 367


Details: The isLoggedin method has a potential bug. It always returns true at the end of the method, regardless of whether the user is actually logged in or not. This could lead to unauthorized access to protected resources.

Affected Code Snippet:

static public boolean isLoggedin(HttpServletRequest request){
    try {
        // Check user is logged in
        User user = (User)request.getSession().getAttribute(ServletUtil.SESSION_ATTR_USER);
        if (user == null){
            return false;
        }
    } catch (Exception e) {
        // Log
        return false;
    }
    return true;
}

Start Line: 377

End Line: 389

@patched-codes patched-codes bot force-pushed the patchwork-generatedocstring-main branch 5 times, most recently from 1f33285 to 12f288d on February 24, 2025 13:07
@patched-codes patched-codes bot force-pushed the patchwork-generatedocstring-main branch 2 times, most recently from 9a4bbb1 to 7aa003e on March 3, 2025 07:40
@patched-codes patched-codes bot force-pushed the patchwork-generatedocstring-main branch from 7aa003e to de5ddf5 on March 3, 2025 09:15

sonarqubecloud bot commented Mar 3, 2025
