From b7d1551068c10e37d000cf58ae0faa11afe5528e Mon Sep 17 00:00:00 2001
From: "pixee-b1171e79b0e16eb5[bot]"
<170462952+pixee-b1171e79b0e16eb5[bot]@users.noreply.github.com>
Date: Mon, 3 Jun 2024 20:49:28 +0000
Subject: [PATCH 1/2] (Sonar) Fixed finding: "Multiple variables should not be
declared on the same line"
---
src/main/java/org/owasp/webgoat/webwolf/FileServer.java | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/main/java/org/owasp/webgoat/webwolf/FileServer.java b/src/main/java/org/owasp/webgoat/webwolf/FileServer.java
index e3d6f24f..442bd421 100644
--- a/src/main/java/org/owasp/webgoat/webwolf/FileServer.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/FileServer.java
@@ -135,7 +135,9 @@ public void print2() {
public static class EncryptionExample {
public byte[] encrypt(String text) throws Exception {
- int a, b, c;
+ int a;
+ int b;
+ int c;
a = 2;
b = 1;
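Review bot: The three new declarations at the top of encrypt() are immediately followed by the separate assignments `a = 2;` and `b = 1;`, so the split leaves each variable declared uninitialized and then set two lines later; declaring at the point of initialization, `int a = 2;` and `int b = 1;`, is the idiomatic form and what the Sonar rule is driving at. Whether `c` can be merged the same way depends on where it is first assigned, which is not visible here; encrypt()'s body continues past the hunk.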
From bf4c9579df303b984f7f21fbbccec5ca420a6330 Mon Sep 17 00:00:00 2001
From: "pixee-b1171e79b0e16eb5[bot]"
<170462952+pixee-b1171e79b0e16eb5[bot]@users.noreply.github.com>
Date: Mon, 3 Jun 2024 20:49:28 +0000
Subject: [PATCH 2/2] Sanitized user-provided file names in HTTP multipart
uploads
---
pom.xml | 10 ++++++++++
.../java/org/owasp/webgoat/webwolf/FileServer.java | 5 +++--
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/pom.xml b/pom.xml
index 15851ec3..21b0517e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -146,6 +146,7 @@
1.4.5
1.5.2
+ 1.1.3
@@ -248,6 +249,11 @@
jruby
9.3.6.0
+
+ io.github.pixee
+ java-security-toolkit
+ ${versions.java-security-toolkit}
+
@@ -393,6 +399,10 @@
rest-assured
test
+
+ io.github.pixee
+ java-security-toolkit
+
diff --git a/src/main/java/org/owasp/webgoat/webwolf/FileServer.java b/src/main/java/org/owasp/webgoat/webwolf/FileServer.java
index 442bd421..5203da17 100644
--- a/src/main/java/org/owasp/webgoat/webwolf/FileServer.java
+++ b/src/main/java/org/owasp/webgoat/webwolf/FileServer.java
@@ -22,6 +22,7 @@
package org.owasp.webgoat.webwolf;
+import io.github.pixee.security.Filenames;
import static org.springframework.http.MediaType.ALL_VALUE;
import java.io.File;
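Review bot: The new `import io.github.pixee.security.Filenames;` is inserted directly after the `package` line, above the `import static` group, while the file's other non-static imports (`import java.io.File;` and following) sit below that group; a formatter such as google-java-format would move it into the non-static group in alphabetical order. Placing it alongside the other non-static imports keeps the file's existing grouping and avoids a spurious reorder on the next format pass. The rest of the import list is outside the hunk.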
@@ -79,8 +80,8 @@ public ModelAndView importFile(@RequestParam("file") MultipartFile myFile) throw
var user = (WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
var destinationDir = new File(fileLocation, user.getUsername());
destinationDir.mkdirs();
- myFile.transferTo(new File(destinationDir, myFile.getOriginalFilename()));
- log.debug("File saved to {}", new File(destinationDir, myFile.getOriginalFilename()));
+ myFile.transferTo(new File(destinationDir, Filenames.toSimpleFileName(myFile.getOriginalFilename())));
+ log.debug("File saved to {}", new File(destinationDir, Filenames.toSimpleFileName(myFile.getOriginalFilename())));
return new ModelAndView(
new RedirectView("files", true),