Skip to content

Add contact feedback form with security flows and CAPTCHA (Kaptcha, CVE-2019-16335)#72

Closed
sylvain-combe-sonarsource wants to merge 2 commits intomainfrom
feature/contact-feedback-form
Closed

Add contact feedback form with security flows and CAPTCHA (Kaptcha, CVE-2019-16335)#72
sylvain-combe-sonarsource wants to merge 2 commits intomainfrom
feature/contact-feedback-form

Conversation

@sylvain-combe-sonarsource
Copy link
Contributor

@sylvain-combe-sonarsource sylvain-combe-sonarsource commented Nov 26, 2025

This PR adds a new contact feedback form use case to the Java security demo project, including various security flows and optional CAPTCHA validation using the Kaptcha library (CVE-2019-16335). The implementation demonstrates how static analysis can help find vulnerabilities in basic web flows, including insecure input handling and CAPTCHA integration.

github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 26, 2025
View reviewed changes
src/main/java/demo/security/servlet/CaptchaImageServlet.java
session.setAttribute("contactFeedbackCaptcha", capText);
BufferedImage bi = kaptchaProducer.createImage(capText);
response.setContentType("image/png");
ImageIO.write(bi, "png", response.getOutputStream());

Check notice

Code scanning / SonarQube

Exceptions should not be thrown from servlet methods

<!--SONAR_ISSUE_KEY:b21c6b97-0572-4e74-a146-0a6daa755239-->Handle the following exception that could be thrown by "write": IOException. <p>See more on <a href="https://nautilus.sonarqube.org/project/issues?id=demo%3Ajava-security&branch=feature%2Fcontact-feedback-form&issues=b21c6b97-0572-4e74-a146-0a6daa755239&open=b21c6b97-0572-4e74-a146-0a6daa755239">SonarQube</a></p>
src/main/java/demo/security/servlet/CaptchaImageServlet.java
session.setAttribute("contactFeedbackCaptcha", capText);
BufferedImage bi = kaptchaProducer.createImage(capText);
response.setContentType("image/png");
ImageIO.write(bi, "png", response.getOutputStream());

Check notice

Code scanning / SonarQube

Exceptions should not be thrown from servlet methods

<!--SONAR_ISSUE_KEY:3661edae-ea3c-4c2d-a444-e0845192dac1-->Handle the following exception that could be thrown by "getOutputStream": IOException. <p>See more on <a href="https://nautilus.sonarqube.org/project/issues?id=demo%3Ajava-security&branch=feature%2Fcontact-feedback-form&issues=3661edae-ea3c-4c2d-a444-e0845192dac1&open=3661edae-ea3c-4c2d-a444-e0845192dac1">SonarQube</a></p>
src/main/java/demo/security/servlet/ContactFeedbackServlet.java
String captcha = request.getParameter("captcha");
String captchaExpected = (String) request.getSession().getAttribute("contactFeedbackCaptcha");
response.setContentType("text/html");
PrintWriter out = response.getWriter();

Check notice

Code scanning / SonarQube

Exceptions should not be thrown from servlet methods

<!--SONAR_ISSUE_KEY:40d77173-aa40-425e-97ac-c005cda4008f-->Handle the following exception that could be thrown by "getWriter": IOException. <p>See more on <a href="https://nautilus.sonarqube.org/project/issues?id=demo%3Ajava-security&branch=feature%2Fcontact-feedback-form&issues=40d77173-aa40-425e-97ac-c005cda4008f&open=40d77173-aa40-425e-97ac-c005cda4008f">SonarQube</a></p>
src/main/java/demo/security/servlet/ContactFeedbackServlet.java
String email = request.getParameter("email");
String category = request.getParameter("category");
response.setContentType("text/html");
PrintWriter out = response.getWriter();

Check notice

Code scanning / SonarQube

Exceptions should not be thrown from servlet methods

<!--SONAR_ISSUE_KEY:6ebe0823-14f9-40d3-9d34-1f3b8e98c316-->Handle the following exception that could be thrown by "getWriter": IOException. <p>See more on <a href="https://nautilus.sonarqube.org/project/issues?id=demo%3Ajava-security&branch=feature%2Fcontact-feedback-form&issues=6ebe0823-14f9-40d3-9d34-1f3b8e98c316&open=6ebe0823-14f9-40d3-9d34-1f3b8e98c316">SonarQube</a></p>
github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 26, 2025
View reviewed changes
src/main/java/demo/security/servlet/CaptchaImageServlet.java
session.setAttribute("contactFeedbackCaptcha", capText);
BufferedImage bi = kaptchaProducer.createImage(capText);
response.setContentType("image/png");
ImageIO.write(bi, "png", response.getOutputStream());

Check notice

Code scanning / SonarQube

Exceptions should not be thrown from servlet methods Low

Handle the following exception that could be thrown by "write": IOException. See more on SonarQube
src/main/java/demo/security/servlet/CaptchaImageServlet.java
session.setAttribute("contactFeedbackCaptcha", capText);
BufferedImage bi = kaptchaProducer.createImage(capText);
response.setContentType("image/png");
ImageIO.write(bi, "png", response.getOutputStream());

Check notice

Code scanning / SonarQube

Exceptions should not be thrown from servlet methods Low

Handle the following exception that could be thrown by "getOutputStream": IOException. See more on SonarQube
@sonar-nautilus
Copy link

sonar-nautilus bot commented Nov 26, 2025

Quality Gate failed Quality Gate failed

Failed conditions
5 New issues
0.0% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE SonarQube for IDE

@sylvain-combe-sonarsource sylvain-combe-sonarsource deleted the feature/contact-feedback-form branch November 26, 2025 10:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@sylvain-combe-sonarsource