51 changes: 51 additions & 0 deletions .github/workflows/semgrep.yml
@@ -0,0 +1,51 @@
name: Semgrep Security Scan

on:
push:
branches: [ main, master, develop ]
pull_request:
branches: [ main, master, develop ]
schedule:
# Запуск каждый день в 00:00 UTC
- cron: '0 0 * * *'

jobs:
semgrep:
name: Security Scan
runs-on: ubuntu-latest

permissions:
contents: read
security-events: write
actions: read

steps:
- name: Checkout code
uses: actions/checkout@v3

- name: Run Semgrep with custom rules
uses: returntocorp/semgrep-action@v1
with:
config: .semgrep.yml
generateSarif: true

- name: Upload SARIF to GitHub Security
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: semgrep.sarif

- name: Run Semgrep with OWASP rules
uses: returntocorp/semgrep-action@v1
with:
config: p/owasp-top-ten
generateSarif: true

- name: Save reports as artifacts
uses: actions/upload-artifact@v3
if: always()
with:
name: semgrep-reports
path: |
semgrep.sarif
*.sarif
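Review bot: The `Run Semgrep with OWASP rules` step executes after the `Upload SARIF to GitHub Security` step, so its findings never reach Code Scanning, and since both semgrep-action steps appear to write the same `semgrep.sarif`, the second run also overwrites the custom-rule results before the artifact step collects them. A single `semgrep scan` invocation with both `--config` values, producing one SARIF file that is uploaded once, avoids both problems; if two uploads are kept instead, each `upload-sarif` step needs a distinct `category` so one result set does not replace the other. `returntocorp/semgrep-action` is archived upstream and the documented replacement is running the CLI from the `semgrep/semgrep` container image, as in the rewrite below. All four `uses:` references are pinned to mutable tags; for a workflow that holds `security-events: write`, pin each to a full commit SHA. Note also that `.semgrep-enhanced.yml`, added in this PR, is never referenced here.
```yaml
  semgrep:
    name: Security Scan
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep
    # … unchanged: permissions …
    steps:
      - name: Checkout code
        uses: actions/checkout@<FULL-COMMIT-SHA>  # placeholder: pin to a full commit SHA
      - name: Run Semgrep (custom + OWASP rules)
        run: semgrep scan --config .semgrep.yml --config p/owasp-top-ten --sarif --output semgrep.sarif .
      - name: Upload SARIF to GitHub Security
        if: always()
        uses: github/codeql-action/upload-sarif@<FULL-COMMIT-SHA>  # placeholder: pin to a full commit SHA
        with:
          sarif_file: semgrep.sarif
      # … unchanged: Save reports as artifacts (pin actions/upload-artifact the same way) …
```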
80 changes: 80 additions & 0 deletions .semgrep-enhanced.yml
@@ -0,0 +1,80 @@
# Enhanced Semgrep config - combines custom rules with best community rules

extends:
- p/owasp-top-ten
- p/security-audit

rules:
# Custom rules for this specific project
- id: path-traversal-file-access
patterns:
- pattern-either:
- pattern: new File($BASE + $PATH)
- pattern: new File($PATH)
- pattern: Paths.get($PATH)
- pattern: new FileWriter($PATH)
- pattern: new FileOutputStream($PATH)
- pattern-not: new File("...")
- pattern-not: Paths.get("...")
message: Potential path traversal vulnerability. User input may allow access to arbitrary files.
languages: [java]
severity: ERROR
metadata:
cwe: "CWE-22"
owasp: "A01:2021 - Broken Access Control"
category: security

- id: xss-response-body
patterns:
- pattern-either:
- pattern: $CTX.result("..." + $USER_INPUT + "...")
- pattern: $CTX.result($USER_INPUT + "...")
- pattern: $CTX.result("..." + $USER_INPUT)
- pattern: $CTX.html($USER_INPUT)
- pattern-not: $CTX.result("...")
- pattern-not: $CTX.html("...")
message: Potential XSS vulnerability. User input rendered without sanitization.
languages: [java]
severity: ERROR
metadata:
cwe: "CWE-79"
owasp: "A03:2021 - Injection"
category: security

- id: information-disclosure-exception
pattern-either:
- pattern: $CTX.status(...).result($EX.getMessage())
- pattern: $CTX.result(... + $EX.getMessage() + ...)
- pattern: $CTX.result("..." + $EX + ...)
message: Exception details exposed in response. May reveal sensitive information.
languages: [java]
severity: WARNING
metadata:
cwe: "CWE-209"
owasp: "A04:2021 - Insecure Design"
category: security

- id: missing-null-check
pattern: $CTX.queryParam($NAME).$METHOD(...)
message: Query parameter used without null check. May cause NullPointerException.
languages: [java]
severity: WARNING
metadata:
category: security

- id: ssrf-url-connection
patterns:
- pattern-either:
- pattern: new URL($URL).openConnection()
- pattern: HttpClient.newHttpClient().send(...)
- pattern: $CLIENT.send($REQUEST, ...)
- pattern-inside: |
$PARAM = $CTX.queryParam(...);
...
message: Potential SSRF vulnerability. User-controlled URL may allow requests to internal resources.
languages: [java]
severity: ERROR
metadata:
cwe: "CWE-918"
owasp: "A10:2021 - Server-Side Request Forgery"
category: security
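Review bot: The top-level `extends:` key in `.semgrep-enhanced.yml` is not, as far as I know, part of Semgrep's rule-file schema (a rules file carries only `rules:`), so passing this file as a config would most likely fail schema validation; registry packs such as `p/owasp-top-ten` and `p/security-audit` are combined at invocation time with repeated `--config` flags instead. The file is also not referenced by the workflow in this PR, and every rule `id` in it duplicates one in `.semgrep.yml`, so the two configs would collide if they were ever loaded together. Either drop this file or keep a single `.semgrep.yml` and move the pack selection into the workflow's `--config` list. Separately, `missing-null-check` is tagged `category: security` with no `cwe`, although it describes a `NullPointerException` robustness issue; `category: correctness` would let SARIF consumers triage it as such.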
122 changes: 122 additions & 0 deletions .semgrep.yml
@@ -0,0 +1,122 @@
rules:
# CWE-22: Path Traversal
- id: path-traversal-file-access
patterns:
- pattern-either:
- pattern: new File($PATH)
- pattern: Paths.get($PATH)
- pattern: new FileWriter($PATH)
- pattern: new FileOutputStream($PATH)
- pattern-not: new File("...")
- pattern-not: Paths.get("...")
message: Potential path traversal vulnerability. User input may allow access to arbitrary files.
languages: [java]
severity: ERROR
metadata:
cwe: "CWE-22"
owasp: "A01:2021 - Broken Access Control"
category: security

# CWE-918: SSRF
- id: ssrf-url-connection
patterns:
- pattern-either:
- pattern: new URL($URL).openConnection()
- pattern: HttpClient.newHttpClient().send(...)
- pattern: $CLIENT.send($REQUEST, ...)
- pattern-inside: |
$PARAM = $CTX.queryParam(...);
...
message: Potential SSRF vulnerability. User-controlled URL may allow requests to internal resources.
languages: [java]
severity: ERROR
metadata:
cwe: "CWE-918"
owasp: "A10:2021 - Server-Side Request Forgery"
category: security

# CWE-79: XSS
- id: xss-response-body
patterns:
- pattern-either:
- pattern: $CTX.result($USER_INPUT)
- pattern: $CTX.html($USER_INPUT)
- pattern-not: $CTX.result("...")
- pattern-not: $CTX.html("...")
message: Potential XSS vulnerability. User input rendered without sanitization.
languages: [java]
severity: ERROR
metadata:
cwe: "CWE-79"
owasp: "A03:2021 - Injection"
category: security

# CWE-400: DoS - Resource Exhaustion
- id: dos-unbounded-allocation
patterns:
- pattern-either:
- pattern: new $TYPE[$SIZE]
- pattern: new ArrayList<>($SIZE)
- pattern: ByteBuffer.allocate($SIZE)
- pattern-inside: |
$SIZE = Integer.parseInt(...);
...
message: Potential DoS vulnerability. Unbounded memory allocation from user input.
languages: [java]
severity: WARNING
metadata:
cwe: "CWE-400"
owasp: "A04:2021 - Insecure Design"
category: security

# CWE-209: Information Disclosure
- id: information-disclosure-exception
pattern-either:
- pattern: $CTX.status(...).result($EX.getMessage())
- pattern: $CTX.result(... + $EX.getMessage() + ...)
- pattern: $CTX.result("..." + $EX + ...)
message: Exception details exposed in response. May reveal sensitive information.
languages: [java]
severity: WARNING
metadata:
cwe: "CWE-209"
owasp: "A04:2021 - Insecure Design"
category: security

# Missing input validation
- id: missing-null-check
pattern: $CTX.queryParam($NAME).$METHOD(...)
message: Query parameter used without null check. May cause NullPointerException.
languages: [java]
severity: WARNING
metadata:
category: security

# Hardcoded secrets
- id: hardcoded-secret
patterns:
- pattern-either:
- pattern: $VAR = "...password..."
- pattern: $VAR = "...secret..."
- pattern: $VAR = "...api_key..."
- pattern: $VAR = "...token..."
message: Potential hardcoded secret detected.
languages: [java]
severity: WARNING
metadata:
cwe: "CWE-798"
category: security

# Unsafe deserialization
- id: unsafe-deserialization
patterns:
- pattern-either:
- pattern: new ObjectInputStream(...)
- pattern: $OBJ.readObject()
message: Unsafe deserialization detected. May lead to remote code execution.
languages: [java]
severity: ERROR
metadata:
cwe: "CWE-502"
owasp: "A08:2021 - Software and Data Integrity Failures"
category: security
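Review bot: In `ssrf-url-connection` the `pattern-inside` gate binds `$PARAM` from `queryParam(...)` but never ties it to the sink metavariable `$URL`, so any `new URL(...)` in a method that also happens to read a query parameter is reported regardless of data flow, while a URL assembled from that parameter in a different method is missed; `xss-response-body` likewise flags every non-literal `result(...)`/`html(...)` argument with no way to recognise an encoded value. Semgrep's taint mode (`mode: taint` with `pattern-sources`, `pattern-sinks` and `pattern-sanitizers`) expresses the intended source-to-sink check directly; the rewrite below shows it for the SSRF rule, and the XSS rule can follow the same shape with an encoder as sanitizer. The same rules are duplicated in `.semgrep-enhanced.yml` and would need the identical change. `hardcoded-secret` relies on `"...password..."` as a partial wildcard inside a string literal, which I do not believe Semgrep supports; a `metavariable-regex` on `$VAR` such as `(?i).*(password|secret|api_key|token).*` matches the usual variable-name heuristic.
```yaml
  - id: ssrf-url-connection
    mode: taint
    pattern-sources:
      - pattern: $CTX.queryParam(...)
    pattern-sinks:
      - patterns:
          - pattern: new URL($URL)
          - focus-metavariable: $URL
      - patterns:
          - pattern: $CLIENT.send($REQUEST, ...)
          - focus-metavariable: $REQUEST
    # … unchanged: message, languages, severity, metadata …
```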
17 changes: 17 additions & 0 deletions .semgrepignore
@@ -0,0 +1,17 @@
# Игнорируем тестовые файлы при сканировании
src/test/

# Игнорируем build артефакты
build/
.gradle/
bin/

# Игнорируем зависимости
gradle/

# Игнорируем IDE файлы
.idea/
*.iml

# Игнорируем отчёты
*.sarif
1 change: 1 addition & 0 deletions README.md
@@ -1,3 +1,4 @@
[![Review Assignment Due Date](https://classroom.github.com/assets/deadline-readme-button-22041afd0340ce965d47ae6ef1cefeee28c7c493a6346c4f15d667ab976d596c.svg)](https://classroom.github.com/a/NSTTkgmb)
# Лабораторная работа №4 — Анализ и тестирование безопасности веб-приложения

## Цель