
Adding code with some deep sinks #1

Open
jeff-zapotoczny-sonarsource wants to merge 1 commit into main from dsast_example

Conversation

@jeff-zapotoczny-sonarsource

Thank you for submitting a pull request to the WebGoat!

@sonar-nautilus

SonarQube Quality Gate

Quality Gate failed

Failed condition E Security Rating on New Code (is worse than A)
Failed condition 0.0% Coverage on New Code (is less than 90%)

See analysis details on SonarQube

Fix issues before they fail your Quality Gate with SonarLint in your IDE.

String[] filenames = StringUtils.commaDelimitedListToStringArray(input);
for (String filename : filenames) {
var file = new File(directory, filename);
FileSystemUtils.deleteRecursively(file);

Check failure

Code scanning / SonarCloud squad-2

I/O function calls should not be vulnerable to path injection attacks

Change this code to not construct the path from user-controlled data. See more on SonarCloud: https://squad-2-core.sc-dev.io/project/issues?id=SonarSource-Demos_WebGoat&issues=AY_JeBOdxgMG6SZHnQ36&open=AY_JeBOdxgMG6SZHnQ36&pullRequest=1

String directory = "./target/directory";
var file = new File(directory, filename);
FileUtil.getFileUtil().delete(filename);

Check failure

Code scanning / SonarCloud squad-2

I/O function calls should not be vulnerable to path injection attacks

Change this code to not construct the path from user-controlled data. See more on SonarCloud: https://squad-2-core.sc-dev.io/project/issues?id=SonarSource-Demos_WebGoat&issues=AY_JeBOdxgMG6SZHnQ37&open=AY_JeBOdxgMG6SZHnQ37&pullRequest=1

String directory = "./target/directory";
var file = new File(directory, filename);
DataUtil.load(file, "utf-8", "uri://");

Check failure

Code scanning / SonarCloud squad-2

I/O function calls should not be vulnerable to path injection attacks

Change this code to not construct the path from user-controlled data. See more on SonarCloud: https://squad-2-core.sc-dev.io/project/issues?id=SonarSource-Demos_WebGoat&issues=AY_JeBOdxgMG6SZHnQ38&open=AY_JeBOdxgMG6SZHnQ38&pullRequest=1

String[] filenames = StringUtils.commaDelimitedListToStringArray(input);
for (String filename : filenames) {
var file = new File(directory, filename);
FileSystemUtils.deleteRecursively(file);

Check warning

Code scanning / SonarCloud squad-2

Accessing files should not lead to filesystem oracle attacks

Change this code to not construct the path from user-controlled data. See more on SonarCloud: https://squad-2-core.sc-dev.io/project/issues?id=SonarSource-Demos_WebGoat&issues=AY_JeBOdxgMG6SZHnQ39&open=AY_JeBOdxgMG6SZHnQ39&pullRequest=1

@ghost

ghost commented May 30, 2024

Quality Gate failed

Failed conditions
E Security Rating on New Code (required ≥ A)

See analysis details on SonarCloud

Catch issues before they fail your Quality Gate with our IDE extension SonarLint
