-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Hardening suggestions for WebGoat_12_23 / objectmapper-2 #119
base: objectmapper-2
Are you sure you want to change the base?
Changes from all commits
4e0d06b
650b61f
a2e0626
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -22,6 +22,7 @@ | |
|
||
package org.owasp.webgoat.webwolf; | ||
|
||
import io.github.pixee.security.Filenames; | ||
import static org.springframework.http.MediaType.ALL_VALUE; | ||
|
||
import java.io.File; | ||
|
@@ -79,8 +80,8 @@ public ModelAndView importFile(@RequestParam("file") MultipartFile myFile) throw | |
var user = (WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal(); | ||
var destinationDir = new File(fileLocation, user.getUsername()); | ||
destinationDir.mkdirs(); | ||
myFile.transferTo(new File(destinationDir, myFile.getOriginalFilename())); | ||
log.debug("File saved to {}", new File(destinationDir, myFile.getOriginalFilename())); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Wrapped the file name with a sanitizer call that takes out path escaping characters |
||
myFile.transferTo(new File(destinationDir, Filenames.toSimpleFileName(myFile.getOriginalFilename()))); | ||
log.debug("File saved to {}", new File(destinationDir, Filenames.toSimpleFileName(myFile.getOriginalFilename()))); | ||
|
||
return new ModelAndView( | ||
new RedirectView("files", true), | ||
|
@@ -126,18 +127,12 @@ public ModelAndView getFiles(HttpServletRequest request) { | |
return modelAndView; | ||
} | ||
|
||
private void print2() { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Removed unused private method. |
||
String x = "test"; | ||
if (x.equals("test")) { | ||
System.out.println("Hello, World!"); | ||
} | ||
System.out.println("Hola"); | ||
} | ||
|
||
public static class EncryptionExample { | ||
|
||
public byte[] encrypt(String text) throws Exception { | ||
int a, b, c; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Split variable declarations into their own statements. |
||
int a; | ||
int b; | ||
int c; | ||
System.out.println("Hola"); | ||
|
||
a = 2; | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wrapped the file name with a sanitizer call that takes out path escaping characters