Add Contact Feedback Form with Security Flows and CAPTCHA Validation#74
sylvain-combe-sonarsource wants to merge 1 commit into main from
Conversation
- Implemented ContactFeedbackServlet with multiple security vulnerabilities:
  * SQL injection in feedback retrieval and storage
  * XSS vulnerability in feedback display
  * Path traversal in file viewing
  * Weak random token generation
  * Weak MD5 hashing for email
  * Logging of sensitive information
  * Sensitive data in URL parameters
- Added CaptchaServlet using obsolete kaptcha library (2.3.2) with known CVEs
- Created contact-feedback.jsp form with optional CAPTCHA validation
- Added kaptcha dependency to pom.xml
- Created GitHub Actions CI workflow for feature branches and main
- Workflow runs on Java 17 and includes test and coverage artifacts
| if ("true".equals(success)) { | ||
| %> | ||
| <div class="success-message"> | ||
| Thank you for your feedback! Your submission token is: <%= token %> |
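Review bot: the last line writes the token into the page with <%= token %>, i.e. unencoded, which is the reflected-XSS finding; whatever the token's source, it should be HTML-encoded at the point of output, for example with the JSTL <c:out value="${token}"/> or fn:escapeXml(token), so that any markup in the value is rendered as text rather than interpreted by the browser.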
Check failure
Code scanning / SonarQube
Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks Critical
| message + "', '" + priority + "', '" + token + "', '" + emailHash + "')"; | ||
| Statement statement = connection.createStatement(); | ||
| statement.executeUpdate(query); |
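Review bot: the INSERT text is assembled by concatenating message, priority, token and emailHash into the query string and then run through Statement.executeUpdate, which is the injection finding; build it once as connection.prepareStatement("INSERT ... VALUES (?, ?, ?, ?)") and bind each value with setString, and open the statement in a try-with-resources so it is closed on error as well as on success.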
Check failure
Code scanning / SonarQube
Database queries should not be vulnerable to injection attacks Critical
| String message, String priority, String token, String emailHash) throws Exception { | ||
| // SQL Injection vulnerability | ||
| Connection connection = DriverManager.getConnection( | ||
| "myJDBCUrl", "myJDBCUser", "myJDBCPass"); |
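Review bot: the JDBC URL, user and password are string literals passed straight to DriverManager.getConnection (the hard-coded credentials finding); read them from configuration outside the source tree or, better, obtain a container-managed javax.sql.DataSource via JNDI. The Connection is also assigned to a bare local rather than opened in a try-with-resources, so it will leak if a later statement throws.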
Check failure
Code scanning / SonarQube
Credentials should not be hard-coded Critical
| String query = "SELECT * FROM feedback WHERE id = " + feedbackId; | ||
| Statement statement = connection.createStatement(); | ||
| ResultSet resultSet = statement.executeQuery(query); |
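Review bot: the SELECT appends feedbackId, a String taken from the caller, directly to the query text and runs it through Statement.executeQuery, which is the second injection finding; use connection.prepareStatement("SELECT * FROM feedback WHERE id = ?") with setInt (after parsing the id as a number so malformed input is rejected before it reaches the database), and put the ResultSet and statement in try-with-resources.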
Check failure
Code scanning / SonarQube
Database queries should not be vulnerable to injection attacks Critical
| private List<String> getFeedbackById(String feedbackId) throws Exception { | ||
| // SQL Injection vulnerability | ||
| Connection connection = DriverManager.getConnection( | ||
| "myJDBCUrl", "myJDBCUser", "myJDBCPass"); |
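Review bot: the same "myJDBCUrl", "myJDBCUser", "myJDBCPass" literals appear here as in the storage method above, so the hard-coded credentials finding repeats; factor connection acquisition into a single place that reads from configuration or a JNDI DataSource rather than duplicating the literals per method, which also makes the later clean-up a one-line change.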
Check failure
Code scanning / SonarQube
Credentials should not be hard-coded Critical
| out.println("</body></html>"); | ||
| out.close(); | ||
| } catch (Exception e) { | ||
| throw new ServletException(e); |
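Review bot: catch (Exception e) { throw new ServletException(e); } forwards every failure, SQL errors included, to the container, whose default error page can expose the wrapped exception's message and stack trace (the SonarQube notice); log the exception server-side and answer with a generic response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR) instead. Note too that out.close() sits inside the try body, so it is skipped whenever an exception is thrown before it; a try-with-resources on the writer avoids that.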
Check notice
Code scanning / SonarQube
Exceptions should not be thrown from servlet methods Low
| ServletOutputStream out = response.getOutputStream(); | ||
| ImageIO.write(captchaImage, "jpg", out); | ||
| out.flush(); | ||
| out.close(); |
Check notice
Code scanning / SonarQube
Exceptions should not be thrown from servlet methods Low
| response.setContentType("image/jpeg"); | ||
| ServletOutputStream out = response.getOutputStream(); | ||
| ImageIO.write(captchaImage, "jpg", out); | ||
| out.flush(); |
Check notice
Code scanning / SonarQube
Exceptions should not be thrown from servlet methods Low
| // Send image response | ||
| response.setContentType("image/jpeg"); | ||
| ServletOutputStream out = response.getOutputStream(); | ||
| ImageIO.write(captchaImage, "jpg", out); |
Check notice
Code scanning / SonarQube
Exceptions should not be thrown from servlet methods Low
| // Send image response | ||
| response.setContentType("image/jpeg"); | ||
| ServletOutputStream out = response.getOutputStream(); |
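Review bot: the four notices on this method all point at the same sequence (response.getOutputStream, ImageIO.write, out.flush, out.close), each of which can throw IOException that is then propagated out of the servlet method; open the stream in a try-with-resources (which also removes the explicit close) and catch IOException there, logging it and sending an error status, so that no checked exception escapes doGet.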
Check notice
Code scanning / SonarQube
Exceptions should not be thrown from servlet methods Low

Summary

This PR implements a new contact feedback form feature that demonstrates various security vulnerabilities for educational purposes in this Java security demo project.

Features Added

1. Contact Feedback Form (contact-feedback.jsp)
2. ContactFeedbackServlet
   Demonstrates multiple security vulnerabilities:
   - Random
3. CaptchaServlet
4. Dependencies
   - kaptcha 2.3.2 - an obsolete CAPTCHA library with known CVEs
5. GitHub Actions CI Workflow
   - .github/workflows/ci.yml for continuous integration
   - Runs on main and feature branches (feature/**)
   - Runs mvn clean verify

Security Vulnerabilities (Intentional)

This feature demonstrates the following security issues that static analysis tools should detect:

Build Status

✅ All tests pass
✅ Maven clean verify succeeds

Testing

The feature has been built and verified locally with mvn clean verify.
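A hardened counterpart to the flagged feedback lookup and the JSP token output, added here as an illustration and not code from this PR or the demo project. It assumes a container-provided javax.sql.DataSource (so no credentials in source), a "message" column in the feedback table (the page only shows SELECT *), and that the JSP calls escapeHtml where it currently writes <%= token %>.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import javax.sql.DataSource;

// Hardened versions of the flagged code. The DataSource is assumed to come
// from the container (JNDI), so no JDBC credentials are hard-coded. The
// "message" column name is assumed; the original query selects *.
public final class FeedbackSafe {

    // Parameterised SELECT: the id is parsed as an integer before it is bound,
    // so non-numeric input is rejected before it ever reaches the database.
    public static List<String> getFeedbackById(DataSource ds, String feedbackId)
            throws SQLException {
        int id = Integer.parseInt(feedbackId.trim());   // NumberFormatException on junk
        List<String> rows = new ArrayList<>();
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(
                 "SELECT message FROM feedback WHERE id = ?")) {
            ps.setInt(1, id);                            // bound, never concatenated
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) rows.add(rs.getString("message"));
            }
        }                                                // all resources closed on any path
        return rows;
    }

    // HTML-encode before output: in the JSP write <%= FeedbackSafe.escapeHtml(token) %>
    // (or use JSTL <c:out>) instead of <%= token %>, the reflected-XSS finding above.
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char ch : s.toCharArray()) {
            switch (ch) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(ch);
            }
        }
        return sb.toString();
    }
}
```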