
Commit e6e9c2e

author
Dave Wichers
committed
Eliminate some unintended vulns in the test cases.
1 parent 3f0c7a4 commit e6e9c2e


635 files changed

+906
-832
lines changed


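--- a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java
+++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java
@@ -37,6 +37,7 @@ public void doGet(HttpServletRequest request, HttpServletResponse response)
 new javax.servlet.http.Cookie("BenchmarkTest00001", "FileName");
 userCookie.setMaxAge(60 * 3); // Store cookie for 3 minutes
 userCookie.setSecure(true);
+userCookie.setHttpOnly(true);
 userCookie.setPath(request.getRequestURI());
 userCookie.setDomain(new java.net.URL(request.getRequestURL().toString()).getHost());
 response.addCookie(userCookie);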
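Review bot: The `userCookie.setDomain(...)` call two lines below the added `setHttpOnly(true)` still takes the cookie domain from `request.getRequestURL()`, which is assembled from the client-supplied Host header rather than from server configuration, so the Domain attribute is set from untrusted input. Browsers reject a Domain that does not cover the request host, which limits the practical impact, but if this is not the weakness BenchmarkTest00001 is meant to exercise, the simplest fix is to drop the `setDomain` line so the cookie defaults to the serving host. The same construct appears in the BenchmarkTest00002, BenchmarkTest00003 and BenchmarkTest00004 sections of this commit. doGet continues outside the hunk.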

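--- a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00002.java
+++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00002.java
@@ -37,6 +37,7 @@ public void doGet(HttpServletRequest request, HttpServletResponse response)
 new javax.servlet.http.Cookie("BenchmarkTest00002", "FileName");
 userCookie.setMaxAge(60 * 3); // Store cookie for 3 minutes
 userCookie.setSecure(true);
+userCookie.setHttpOnly(true);
 userCookie.setPath(request.getRequestURI());
 userCookie.setDomain(new java.net.URL(request.getRequestURL().toString()).getHost());
 response.addCookie(userCookie);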

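--- a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00003.java
+++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00003.java
@@ -37,6 +37,7 @@ public void doGet(HttpServletRequest request, HttpServletResponse response)
 new javax.servlet.http.Cookie("BenchmarkTest00003", "someSecret");
 userCookie.setMaxAge(60 * 3); // Store cookie for 3 minutes
 userCookie.setSecure(true);
+userCookie.setHttpOnly(true);
 userCookie.setPath(request.getRequestURI());
 userCookie.setDomain(new java.net.URL(request.getRequestURL().toString()).getHost());
 response.addCookie(userCookie);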

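--- a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00004.java
+++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00004.java
@@ -37,6 +37,7 @@ public void doGet(HttpServletRequest request, HttpServletResponse response)
 new javax.servlet.http.Cookie("BenchmarkTest00004", "color");
 userCookie.setMaxAge(60 * 3); // Store cookie for 3 minutes
 userCookie.setSecure(true);
+userCookie.setHttpOnly(true);
 userCookie.setPath(request.getRequestURI());
 userCookie.setDomain(new java.net.URL(request.getRequestURL().toString()).getHost());
 response.addCookie(userCookie);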

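--- a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00008.java
+++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00008.java
@@ -61,7 +61,6 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
 } catch (java.sql.SQLException e) {
 if (org.owasp.benchmark.helpers.DatabaseHelper.hideSQLErrors) {
 response.getWriter().println("Error processing request.");
-return;
 } else throw new ServletException(e);
 }
 }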

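--- a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00012.java
+++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00012.java
@@ -78,12 +78,18 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
 .println(
 "LDAP query results:<br>"
 + "Record found with name "
-+ attr.get()
-+ "<br>"
-+ "Address: "
-+ attr2.get()
++ org.owasp
+.esapi
+.ESAPI
+.encoder()
+.encodeForHTML(attr.get().toString())
++ "<br>Address: "
++ org.owasp
+.esapi
+.ESAPI
+.encoder()
+.encodeForHTML(attr2.get().toString())
 + "<br>");
-// System.out.println("record found " + attr.get());
 found = true;
 }
 }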
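Review bot: The new `.encodeForHTML(attr.get().toString())` and `.encodeForHTML(attr2.get().toString())` lines throw a NullPointerException if `get()` yields a null value, whereas the replaced `+ attr.get()` concatenation rendered such a value as the text "null", so the encoding fix changes the failure mode for attributes without a value. Wrapping the argument as `.encodeForHTML(String.valueOf(attr.get()))` (and likewise for `attr2`) keeps the previous null handling while still HTML-encoding the output. The second hunk of the BenchmarkTest00021 section has the identical construct. doPost continues outside the hunk.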

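--- a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00018.java
+++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00018.java
@@ -61,7 +61,6 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
 } catch (java.sql.SQLException e) {
 if (org.owasp.benchmark.helpers.DatabaseHelper.hideSQLErrors) {
 response.getWriter().println("Error processing request.");
-return;
 } else throw new ServletException(e);
 }
 }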

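--- a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00021.java
+++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00021.java
@@ -53,7 +53,6 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
 sc.setSearchScope(javax.naming.directory.SearchControls.SUBTREE_SCOPE);
 String filter = "(&(objectclass=person))(|(uid=" + param + ")(street={0}))";
 Object[] filters = new Object[] {"The streetz 4 Ms bar"};
-// System.out.println("Filter " + filter);
 boolean found = false;
 javax.naming.NamingEnumeration<javax.naming.directory.SearchResult> results =
 ctx.search(base, filter, filters, sc);
@@ -69,12 +68,18 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
 .println(
 "LDAP query results:<br>"
 + "Record found with name "
-+ attr.get()
-+ "<br>"
-+ "Address: "
-+ attr2.get()
++ org.owasp
+.esapi
+.ESAPI
+.encoder()
+.encodeForHTML(attr.get().toString())
++ "<br>Address: "
++ org.owasp
+.esapi
+.ESAPI
+.encoder()
+.encodeForHTML(attr2.get().toString())
 + "<br>");
-// System.out.println("record found " + attr.get());
 found = true;
 }
 }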

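--- a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00024.java
+++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00024.java
@@ -61,7 +61,6 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
 } catch (java.sql.SQLException e) {
 if (org.owasp.benchmark.helpers.DatabaseHelper.hideSQLErrors) {
 response.getWriter().println("Error processing request.");
-return;
 } else throw new ServletException(e);
 }
 }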

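--- a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00026.java
+++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00026.java
@@ -50,7 +50,6 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
 org.owasp.benchmark.helpers.DatabaseHelper.JDBCtemplate.queryForRowSet(sql);
 response.getWriter().println("Your results are: ");
 
-// System.out.println("Your results are");
 while (results.next()) {
 response.getWriter()
 .println(
@@ -60,7 +59,6 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
 .encoder()
 .encodeForHTML(results.getString("USERNAME"))
 + " ");
-// System.out.println(results.getString("USERNAME"));
 }
 } catch (org.springframework.dao.EmptyResultDataAccessException e) {
 response.getWriter()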
