Patchwork PR: GenerateDocstring

[patched-codes]

This pull request from patched fixes 23 issues.

---

• File changed: src/com/ibm/security/appscan/altoromutual/util/ServletUtil.java

• File changed: src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java

• File changed: src/com/ibm/security/appscan/altoromutual/util/DBUtil.java

• File changed: src/com/ibm/security/appscan/altoromutual/servlet/TransferServlet.java

• File changed: src/com/ibm/security/appscan/altoromutual/model/User.java

• File changed: src/com/ibm/security/appscan/altoromutual/model/Account.java

[patched-codes]

File Changed: src/com/ibm/security/appscan/altoromutual/model/Account.java

Details: There's a potential bug in the setAccountId method. The parameter type is int, but the accountId field is of type long.

Affected Code Snippet:

public void setAccountId(int accountId) {
    this.accountId = accountId;
}

Start Line: 83

End Line: 85

---

Details: There's a potential bug in the setBalance method. The parameter type is long, but the balance field is of type double.

Affected Code Snippet:

public void setBalance(long balance) {
    this.balance = balance;
}

Start Line: 101

End Line: 103

---

Details: There's a potential security vulnerability in the fromBase64List method. The method uses Base64.decodeBase64() without any input validation, which could lead to security issues if the input is not properly sanitized.

Affected Code Snippet:

public static Account[] fromBase64List (String b64accounts){
    String accounts = new String(Base64.decodeBase64(b64accounts)); 
    
    StringTokenizer outerTokens = new StringTokenizer(accounts, "|");
    ArrayList<Account> accountList = new ArrayList<Account>();
    while (outerTokens.hasMoreTokens()) {
        String accountString = outerTokens.nextToken();
        StringTokenizer accountTokens = new StringTokenizer(accountString, "~");
        
        long id = Long.parseLong(accountTokens.nextToken());
        String accountName = accountTokens.nextToken();
        double balance = Double.parseDouble(accountTokens.nextToken());
        
        Account account = new Account(id, accountName, balance);
        accountList.add(account);
    }
    
    return (accountList.toArray(new Account[accountList.size()]));
}

Start Line: 122

End Line: 148

File Changed: src/com/ibm/security/appscan/altoromutual/model/User.java

Details: A potential security vulnerability has been introduced in the getCreditCardNumber() method. This method returns the account ID of a credit card, which could be sensitive information. It should be properly secured or removed if not necessary.

Affected Code Snippet:

public long getCreditCardNumber(){
    for (Account account: getAccounts()){
        if (DBUtil.CREDIT_CARD_ACCOUNT_NAME.equals(account.getAccountName()))
            return account.getAccountId();
    }
    return -1L;
}

Start Line: 145

End Line: 152

File Changed: src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java

Details: Potential security vulnerability introduced in the getUser method. The method retrieves the access token from the Authorization header without proper validation, which could lead to security issues if the header is missing or malformed.

Affected Code Snippet:

public static User getUser(HttpServletRequest request) throws SQLException{
    
    String accessToken = request.getHeader("Authorization").replaceAll("Bearer ", "");
    UserDAO userDAO = new UserDAO();
    User user = userDAO.getUserByAccessToken(accessToken);
    
    return user;
    
}

Start Line: 168

End Line: 177

File Changed: src/com/ibm/security/appscan/altoromutual/util/ServletUtil.java

Details: There is a potential bug in the sanitzieHtmlWithRegex method. The method name is misspelled, which could lead to confusion and errors if developers try to use this method.

Affected Code Snippet:

public static String sanitzieHtmlWithRegex(String input) {
    if (XSS_REGEXP.matcher(input).matches()) {
        return "";
    }
    return input;
}

Start Line: 257

End Line: 261

---

Details: There is a potential security vulnerability in the establishSession method. The method creates a cookie with user account information, but it's not clear if this information is properly encrypted or protected. Storing sensitive information in cookies without proper security measures can lead to security breaches.

Affected Code Snippet:

public static Cookie establishSession(String username, HttpSession session){
    try{
        User user = DBUtil.getUserInfo(username);
        String accountName = user.getAccounts()[0].getAccountName();
        session.setAttribute(ServletUtil.SESSION_ATTR_USER, user);
        Cookie cookie = new Cookie(ALTORO_COOKIE, "Edward|"+accountName);
        cookie.setPath("/");
        return cookie;
    } catch (SQLException e){
        // Log
        return null;
    }
}

Start Line: 356

End Line: 367

---

Details: The isLoggedin method has a potential bug. It always returns true at the end of the method, regardless of whether the user is actually logged in or not. This could lead to unauthorized access to protected resources.

Affected Code Snippet:

static public boolean isLoggedin(HttpServletRequest request){
    try {
        // Check user is logged in
        User user = (User)request.getSession().getAttribute(ServletUtil.SESSION_ATTR_USER);
        if (user == null){
            return false;
        }
    } catch (Exception e) {
        // Log
        return false;
    }
    return true;
}

Start Line: 377

End Line: 389

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud