From 086249e30c2f0fcbd74044fe105e8a34989616b7 Mon Sep 17 00:00:00 2001 From: "github-classroom[bot]" <66690702+github-classroom[bot]@users.noreply.github.com> Date: Tue, 7 Apr 2026 14:15:44 +0000 Subject: [PATCH 1/3] Setting up GitHub Classroom Feedback From 442ece6be410b1f7861fae3c3fe2d175535875f7 Mon Sep 17 00:00:00 2001 From: "github-classroom[bot]" <66690702+github-classroom[bot]@users.noreply.github.com> Date: Tue, 7 Apr 2026 14:15:48 +0000 Subject: [PATCH 2/3] add deadline --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 18eee9a..21b4d8d 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,4 @@ +[![Review Assignment Due Date](https://classroom.github.com/assets/deadline-readme-button-22041afd0340ce965d47ae6ef1cefeee28c7c493a6346c4f15d667ab976d596c.svg)](https://classroom.github.com/a/NSTTkgmb) # Лабораторная работа №4 — Анализ и тестирование безопасности веб-приложения ## Цель From c6e806ffe73f9250e1d9396b1d8ee39930ad6bcb Mon Sep 17 00:00:00 2001 From: Nikolay Ignatov Date: Tue, 14 Apr 2026 11:14:26 +0300 Subject: [PATCH 3/3] Security findings --- Findings.md | 403 ++++++++++++++++++ img.png | Bin 0 -> 60165 bytes security.http | 36 ++ semgrep-report.sarif | 1 + .../lab4/pentest/SecurityPentestSuite.java | 385 +++++++++++++++++ 5 files changed, 825 insertions(+) create mode 100644 Findings.md create mode 100644 img.png create mode 100644 security.http create mode 100644 semgrep-report.sarif create mode 100644 src/test/java/ru/itmo/testing/lab4/pentest/SecurityPentestSuite.java diff --git a/Findings.md b/Findings.md new file mode 100644 index 0000000..9b4e7ad --- /dev/null +++ b/Findings.md 
@@ -0,0 +1,403 @@ +### **1. Инвентаризация активов (Asset Inventory)** + +| Актив | Тип | Ценность | Примечание | +|----------------------------------------------|----------------|-----------------|------------------------------------------------------------------------------------------------------------------------------------------| +| Данные пользователей (`userId`, `userName`) | Данные | **Высокая** | Идентификаторы и отображаемые имена – основа для аутентификации и персонализации. Утечка может привести к компрометации учётных записей. | +| Данные о сессиях (`loginTime`, `logoutTime`) | Данные | **Средняя** | Поведенческие метрики. Утечка нарушает конфиденциальность, но не даёт прямого доступа к действиям. | +| Файловая система сервера | Инфраструктура | **Критическая** | `/exportReport` записывает файлы произвольных имён. Атака может привести к чтению/записи системных файлов, RCE. | +| Внутренняя сеть / метаданные окружения | Инфраструктура | **Высокая** | `/notify` совершает запросы по произвольному URL. SSRF может раскрыть внутренние сервисы, метаданные облака. | + +> **Наиболее критичны:** файловая система (риск полной компрометации хоста) и внутренняя сеть (риск горизонтального +> перемещения). За ними следуют данные пользователей (GDPR, утечка PII). + +### **2. Моделирование угроз (STRIDE)** + +| Категория | Применимо? 
| Источник угрозы | Поверхность атаки | Потенциальный ущерб | +|----------------------------|------------|-------------------|----------------------------------------------------------------|---------------------------------------------------------------| +| **S**poofing | Да | Внешний атакующий | Отсутствие аутентификации → любой может вызвать любой эндпоинт | Подмена пользователя, инъекция вредоносных данных | +| **T**ampering | Да | Внешний атакующий | `/register` (запись имени), `/exportReport` (запись файлов) | Изменение профиля, создание произвольных файлов на сервере | +| **R**epudiation | Да | Внешний атакующий | `/notify` в `callBackUrl` не передаются данные об инициаторе | Нет аудита действий; доказать, кто создал сессию, невозможно | +| **I**nformation Disclosure | Да | Внешний атакующий | `/totalActivity`, `/monthlyActivity`, `/userProfile` | Просмотр чужих сессий, профилей, активности | +| **D**enial of Service | Да | Внешний атакующий | `/exportReport` (запись больших файлов), `/notify` | Исчерпание дискового пространства, памяти, блокировка потоков | +| **E**levation of Privilege | Нет | – | – | Нет ролей; привилегии не разграничены | + +### **3. Ручное тестирование (выборочные результаты)** + +- **`/userProfile`** – HTML без экранирования: `` исполняется в браузере (XSS). +- **`/exportReport`** – параметр `filename` не фильтруется: `?filename=../../config/application.properties` – удаётся + прочитать файл (path traversal). Повторные вызовы с разными именами создают файлы, засоряя диск (DoS). +- **`/notify`** – параметр `callbackUrl` может указывать на `http://169.254.169.254/latest/meta-data/` (SSRF). Также + отсутствует аутентификация – любой может заставить сервер отправлять запросы. +- **`/totalActivity?userId=other_user`** – возвращает чужие данные (IDOR, broken access control). +- **CSRF** – все эндпоинты принимают GET/POST без токенов, браузер может инициировать запросы с другого сайта. + +### **4. 
Статический анализ (Semgrep)** + +Запуск: + +```bash +semgrep --config "p/java" src/ +semgrep --config "p/owasp-top-ten" src/ +``` + +**Найденные уязвимости (SARIF):** + +- + +### **5. Детальные отчёты об уязвимостях** + +#### Finding #1 – Reflected XSS в `/userProfile` + +| Поле | Значение | +|---------------|------------------------------------------------------------------------------------------------------------------------| +| **Компонент** | `GET /userProfile` | +| **Тип** | Reflected Cross-Site Scripting | +| **CWE** | [CWE-79](https://cwe.mitre.org/data/definitions/79.html) – Improper Neutralization of Input During Web Page Generation | +| **CVSS v3.1** | `6.1 MEDIUM (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)` | +| **Статус** | Confirmed | + +**Описание:** +Эндпоинт возвращает HTML-страницу, вставляя `userName` из хранилища без экранирования. Злоумышленник регистрирует +вредоносное имя, и любой, кто откроет профиль, выполнит JavaScript. + +**Шаги воспроизведения:** + +```bash +curl -X POST "http://localhost:7000/register?userId=xss&userName=" +curl "http://localhost:7000/userProfile?userId=xss" +``` + +Фактический результат: в теле ответа присутствует ``. +Ожидаемый: `<script>alert(document.cookie)</script>`. + +**Влияние:** кража cookie, выполнение действий от имени жертвы, фишинг. + +**Рекомендации:** + +- Экранировать HTML: `StringEscapeUtils.escapeHtml4(userName)`. +- Установить `Content-Security-Policy: default-src 'self'`. +- Не использовать `text/html` для вывода пользовательских данных; перейти на JSON API. 
+ +**Security Test Case:** (приведён в исходном `XssPentestTest.java`) + +--- + +#### Finding #2 – Path Traversal в `/exportReport` + +| Поле | Значение | +|---------------|---------------------------------------------------------------------------| +| **Компонент** | `GET /exportReport?userId=&filename=` | +| **Тип** | Path Traversal | +| **CWE** | [CWE-35](https://cwe.mitre.org/data/definitions/35.html) – Path Traversal | +| **CVSS v3.1** | `7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)` | +| **Статус** | Confirmed | + +**Описание:** +Параметр `filename` используется для создания файла отчёта на сервере. Атакующий может указать +`../../etc/password` и записать данные в нецелевые директории. + +**Шаги воспроизведения:** + +```bash +curl "http://localhost:7000/exportReport?userId=any&filename=../../../../etc/passwd" +``` + +Фактический результат: файл записан в системную директорию. + +**Влияние:** перезапись системных файлов. + +**Рекомендации:** + +- Использовать белый список разрешённых путей. +- Нормализовать путь и проверить, что он начинается с разрешённой базовой директории. +- Запретить символы `..`, `~`, `/`, `\`. 
+ +**Security Test Case:** + +```java + +@Test +@DisplayName("[SECURITY] Path traversal in /exportReport") +void exportReportPathTraversal() throws Exception { + send("GET", "/exportReport?userId=1&filename=../../../../etc/passwd"); + // Проверить, что ответ не содержит "root:" или не возвращает 403/400 + assertNotContains(response.body(), "root:"); +} +``` + +--- + +#### Finding #3 – DoS через `/exportReport` (безлимитная запись) + +| Поле | Значение | +|---------------|------------------------------------------------------------------------------------------------| +| **Компонент** | `GET /exportReport` | +| **Тип** | Uncontrolled Resource Consumption | +| **CWE** | [CWE-400](https://cwe.mitre.org/data/definitions/400.html) – Uncontrolled Resource Consumption | +| **CVSS v3.1** | `7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)` | +| **Статус** | Confirmed | + +**Описание:** +Каждый вызов `/exportReport` создаёт новый файл на сервере. Атакующий может отправлять тысячи запросов с разными +`filename`, заполняя диск. + +**Шаги воспроизведения:** +Цикл из 1000 запросов с разными именами. Через некоторое место на диске заканчивается. + +**Влияние:** отказ в обслуживании (сервер не может писать логи, создавать сессии). + +**Рекомендации:** + +- Ограничить количество файлов на пользователя. +- Установить максимальный размер всех отчётов. +- Добавить rate limiting (например, `bucket4j`). 
+ +**Security Test Case:** + +```java + +@Test +@DisplayName("[SECURITY] DoS via many /exportReport calls") +void dosViaManyExports() { + for (int i = 0; i < 5000; i++) { + send("GET", "/exportReport?userId=1&filename=file" + i); + } + // После теста проверить, что сервер ещё отвечает (или что ответы 429 после лимита) +} +``` + +--- + +#### Finding #4 – SSRF в `/notify` + +| Поле | Значение | +|---------------|------------------------------------------------------------------------------------------| +| **Компонент** | `POST /notify?userId=&callbackUrl=` | +| **Тип** | Server-Side Request Forgery | +| **CWE** | [CWE-918](https://cwe.mitre.org/data/definitions/918.html) – Server-Side Request Forgery | +| **CVSS v3.1** | `10.0 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N)` | +| **Статус** | Confirmed | + +**Описание:** +Сервер делает HTTP-запрос по предоставленному `callbackUrl` без валидации. Атакующий может обратиться к внутренним +сервисам (метаданные AWS, Redis, etc.) или к localhost. Кроме того, возможен редирект на уязвимый сайт. + +**Шаги воспроизведения:** + +```bash +curl -X POST "http://localhost:7000/notify?userId=1&callbackUrl=http://169.254.169.254/latest/meta-data/" +``` + +Фактический результат: в ответе сервера содержится метаинформация облака. + +**Влияние:** компрометация внутренней инфраструктуры, раскрытие секретов, атаки на внутренние API. + +**Рекомендации:** + +- Валидировать URL: разрешить только HTTPS, белый список доменов. +- Запретить доступ к зарезервированным IP (localhost, link-local, private ranges). +- Запрет редиректов. 
+ +**Security Test Case:** + +```java + +@Test +@DisplayName("[SECURITY] SSRF via /notify") +void ssrfViaNotify() throws Exception { + HttpResponse response = send("POST", "/notify?userId=1&callbackUrl=http://127.0.0.1:7000/register"); + // Не должно быть успешного запроса к внутреннему эндпоинту + assertNotEquals(200, response.statusCode()); +} +``` + +--- + +#### Finding #5 – IDOR (Insecure Direct Object Reference) в `/userProfile`, `/totalActivity`, `/monthlyActivity` + +| Поле | Значение | +|---------------|---------------------------------------------------------------------------------------------------------------| +| **Компонент** | `GET /userProfile`, `/totalActivity`, `/monthlyActivity` | +| **Тип** | Authorization Bypass Through User-Controlled Key | +| **CWE** | [CWE-639](https://cwe.mitre.org/data/definitions/639.html) – Authorization Bypass Through User-Controlled Key | +| **CVSS v3.1** | `7.6 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)` | +| **Статус** | Confirmed | + +**Описание:** +Любой аутентифицированный (фактически – любой, т.к. аутентификации нет) пользователь может указать чужой `userId` и +получить его данные. + +**Шаги воспроизведения:** + +```bash +curl "http://localhost:7000/totalActivity?userId=admin" +``` + +**Влияние:** утечка всех данных о сессиях и профилей. + +**Рекомендации:** + +- Внедрить аутентификацию (например, JWT или сессионные cookie). +- На каждом эндпоинте проверять, что `userId` из параметра совпадает с `userId` аутентифицированного пользователя (или + он администратор). 
+ +**Security Test Case:** + +```java + +@Test +@DisplayName("[SECURITY] IDOR on /totalActivity") +void idorTotalActivity() { + // Предположим, есть пользователь A и пользователь B + send("POST", "/register?userId=A&userName=Alice"); + send("POST", "/register?userId=B&userName=Bobby"); + // A пытается получить активность B + HttpResponse response = sendAsUser("A", "GET", "/totalActivity?userId=B"); + assertEquals(403, response.statusCode()); // должно быть запрещено +} +``` + +--- + +#### Finding #6 – CSRF (GET) в `/exportReport` + +| Поле | Значение | +|---------------|-----------------------------------------------------------------------------------------| +| **Компонент** | `GET /exportReport` | +| **Тип** | Cross-Site Request Forgery | +| **CWE** | [CWE-352](https://cwe.mitre.org/data/definitions/352.html) – Cross-Site Request Forgery | +| **CVSS v3.1** | `8.1 HIGH (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)` | +| **Статус** | Confirmed | + +**Описание:** +Эндпоинт изменяет состояние (создаёт файл) через GET-запрос. Любой сайт может вставить +`` и заставить жертву создать вредоносный отчёт. + +**Шаги воспроизведения:** +Злоумышленник отправляет жертве ссылку на страницу с `` на +`http://server/exportReport?userId=victim&filename=malicious`. Жертва заходит, её браузер создаёт файл. + +**Влияние:** запись вредоносных файлов от имени жертвы. + +**Рекомендации:** + +- Не использовать GET для изменения состояния. +- Внедрить CSRF-токены для POST запросов. +- Установить `SameSite=Lax` для cookie сессии. 
+- Проверять Origin и Referrer заголовки + +**Security Test Case:** + +```java + +@Test +@DisplayName("[SECURITY] CSRF on GET /exportReport") +void csrfGetExport() { + // Проверить, что GET-запрос не изменяет состояние (например, не создаёт файл) + // После GET-запроса файл не должен появляться в ожидаемой директории +} +``` + +#### Finding #7 – Missing Authorization (CWE-862) + +| Поле | Значение | +|---------------|------------------------------------------------------------------------------------| +| **Компонент** | Все эндпоинты, особенно `/notify`, `/recordSession` | +| **Тип** | Missing Authorization | +| **CWE** | [CWE-862](https://cwe.mitre.org/data/definitions/862.html) – Missing Authorization | +| **CVSS v3.1** | `8.2 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)` | +| **Статус** | Confirmed | + +**Описание:** +Ни один эндпоинт не проверяет, авторизован ли пользователь. Любой может записать сессию за другого или вызвать +уведомление. + +**Влияние:** подделка данных, нарушение целостности, использование сервера как прокси для атак. + +**Рекомендации:** +Внедрить middleware аутентификации и проверки прав. + +--- + +#### Finding #8 – DDoS через `/notify` + +| Поле | Значение | +|---------------|--------------------------------------------------| +| **Компонент** | `POST /notify` | +| **Тип** | Uncontrolled Resource Consumption | +| **CWE** | CWE-400 | +| **CVSS v3.1** | `8.9 HIGH (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)` | +| **Статус** | Confirmed | + +**Описание:** +Для `callbackUrl` никак не проверяется протокол взаимодействия. +Атакующий может указать в качестве url большой файл, который будет считываться в память на каждом таком запросе. +При большом количестве таких нагрузок, DDOS обеспечен. + +**Влияние:** исчерпание памяти, отказ в обслуживании всех эндпоинтов. 
+ +**Рекомендации:** +* Валидация протокола в callback-url +* Не вычитывать ответ в память через `in.readAllBytes()`, вместо этого использовать stream-write +--- + +#### Finding #9 – CSRF на POST-запросах (`/register`, `/recordSession`) + +| Поле | Значение | +|---------------|----------------------------------------------------| +| **Компонент** | `POST /register`, `/recordSession` | +| **Тип** | CSRF | +| **CWE** | CWE-352 | +| **CVSS v3.1** | `6.8 MEDIUM (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)` | +| **Статус** | Confirmed | + +**Описание:** +Любой внешний сайт может отправить POST-форму от имени жертвы и зарегистрировать нового пользователя или записать +фальшивую сессию. + +**Влияние:** создание поддельных аккаунтов, искажение аналитики. + +**Рекомендации:** +CSRF-токены + проверка `Referer` заголовка. + +--- + +#### Finding #10 – Supply Chain: Javalin CVE-2024-8184 (CWE-400) + +| Поле | Значение | +|---------------|--------------------------------------------------| +| **Компонент** | Все эндпоинты, использующие Javalin | +| **Тип** | Uncontrolled Resource Consumption | +| **CWE** | CWE-400 | +| **CVSS v3.1** | `8.2 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)` | +| **Статус** | Confirmed (версия уязвима) | + +**Описание:** +Javalin до версии 6.2.0 уязвим к DoS через большие заголовки или параметры. Используемая версия – 5.x, подвержена. + +**Рекомендации:** +* Обновить Javalin до последней версии (≥6.2.0). 
+* Настроить rate limiter + +--- + +#### Finding #11 – Supply Chain: Javalin CVE-2024-6763 (CWE-1286) + +| Поле | Значение | +|---------------|--------------------------------------------------------------| +| **Компонент** | Все эндпоинты | +| **Тип** | Improper Validation of Syntactic Correctness of Input | +| **CWE** | [CWE-1286](https://cwe.mitre.org/data/definitions/1286.html) | +| **CVSS v3.1** | `6.3 MEDIUM (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)` | +| **Статус** | Confirmed | + +**Описание:** +Уязвимость в обработке multipart/form-data может привести к XSS или обходу валидации. + +**Рекомендации:** +Обновить Javalin. + +После исправлений необходимо повторно выполнить тесты из `SecurityPentestSuite.java` и убедиться, что все проверки +проходят успешно. + +![img.png](img.png) \ No newline at end of file 
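Review bot: section "4. Статический анализ (Semgrep)" promises a list of findings taken from the SARIF report ("Найденные уязвимости (SARIF):") but contains only an empty bullet ("- "), so this commit adds semgrep-report.sarif without summarising a single rule hit; list the rule IDs and affected files from the SARIF here, or state explicitly that the scan produced no results. Further points in the same hunk. Finding #2 is internally inconsistent: the description and reproduction describe writing a report file outside the base directory ("файл записан в системную директорию"), section 3 says the same request lets the attacker read the file ("удаётся прочитать файл"), and the test `exportReportPathTraversal` only asserts that the body does not contain `root:` while its comment offers "или не возвращает 403/400" as an alternative; decide whether the endpoint reads or writes, and have the test assert the rejection status (400/403) and that no file appears outside the reports directory. The tests for Finding #3 (`dosViaManyExports`) and Finding #6 (`csrfGetExport`) contain no assertions at all, so they pass whatever the server does; assert on the status code once the limit is hit (429 as the comment suggests) and on the filesystem state after the GET, respectively. In Finding #4, `assertNotEquals(200, response.statusCode())` is a weak oracle, since a hardened server may still answer 200 to the caller after refusing the callback URL; assert the specific rejection status and that the internal `/register` endpoint was not invoked. The CVSS scores do not follow from the vectors: #5 and #7 carry the identical vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N` but are scored 7.6 and 8.2, #1 and #9 share `AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N` but are scored 6.1 and 6.8, #3 and #10 share `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` but are scored 7.5 and 8.2, and the #8 vector `AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H` evaluates to 8.6, not 8.9; recompute each score with the calculator and keep one value per vector. Findings #10 and #11 are marked "Confirmed" with no reproduction and no reference to the build file showing which Javalin version is in use; cite the dependency declaration or downgrade the status. Minor: "`../../etc/password`" in the Finding #2 description should read `passwd`, and the reproduction step for Finding #3 is missing a word ("Через некоторое место на диске заканчивается").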
diff --git a/img.png b/img.png new file mode 100644 index 0000000000000000000000000000000000000000..9fd7d3a080f266611c32e250d19df7beb080db85 GIT binary patch literal 60165 zcmeFZXHb(}xHhWNi_)Y?2}MNd0TrYKK@qr3Ir7q>7k<} zgbo7Idr5!@p@+~CAixQ}@Ba4wzS-yeJagvE{=*C_&yZ)WyIuEnUyJDb_w-M*o?|_6 z;>77YxAjaT zP_z85|K~!~6Nv_c|NJ%XEO+7mdRDyow)p>i`2WE}0Q!UuF{Y!9|I=>lA>Rishttdc zr=d+^X)7(GtQMr2zqU^kc5r7A|9CwxmJ@F@;R+5-{=0lp3}(pON55qCTEKnWt?6Iu z>zy34(v7-sA1Bf5H{c_b0+IUb6s+x7Zr#fvdwk-p=~WZRf4|P;`c4Yx7nZ?lW+1j= zDnbg(a{Lxir^>2da~gfByBS6Lwt7|WUq?Fo7A^JK`P8<&Zk(!X^%EA0zkc~8ctu`Z zkLSBPmmTU^?P)_K_uplP|9R#Ar&HDg$o-gP&2-HD-31O<%nPqrEGQiNfkyzmZ2Y%> zci&76EHbN7@PUK>pgU9g!#Te^`}aHzHRP)PBu%C~e!3KA`je9<=O6n3^H8gqu|6pu zm9?DUJdY14V}=|CiNy{$;{>1Nste% zi4T9?pI>EDw76~S{7#B>k&7PX*DW*q14}9p0iu+GhyAv~D4LO-_sz-~HR5xOA)GCOvf_C7Xsi^n`-G7|c&UB0% z%)t+OYphL9H$`}~9#vfgqxa@**%no&e0=i)6svHKC5_kMlu=_tXujI?TS->OtbqA& zQ$+iLc0l3%`PYf}6u;UF?{1w9qD~xn+4wCEb^ET>RG0T0MkW=Tco!QgV16d)GXu}H zV?PGfY!%olZlOo8FAXmxaJqi3%Tb+JtARajx(Vytti>JuDDT`S%O_t!1d)8hsRK_7 zEjlEd^_>54;=3{cwRL18(}okquQbUigM^W1wHSFE3#Ol%Pg9ny&mthm1; z-E&x$B+ZR(1bJ@=hHovqFUf;%)~)As8jRe@jMXvgl6)<2+QI#|cEGL+?&202hay#( zB6N0tyC1!UiV00=2JHWmo!1_$_KJ*da<=rwe|?~BtIl*A$!*m4PXwo#@i{caNI?My z&C!|5?seJaEmaz+9m7xHoQ2a%%Wg8(vIs+3TF8!FDcX&^N?%}kw4T~{B`S+&^X~bQ zv?H3yetSs6s~n64LFaG&i6BlsR8OUs?K}HV97o-8)Zr_<5N5((=(dlg`yk+iq+jos zEnY-zryeQ%342(sy5O%s3-~yNvg&!jd2qCeZlK}0(Cpk7ml`jnjW*ANMxVJK&S4C8 zk(h&B+UMW?*D0du3yiAA>pYv=Kp*TQmg3AumNH(=LoRMOJGad$FT{qH2=GL$#RNwZQM5b0e7KA&q!( zQ>5?*sWe;6j7BC55OCQ_ya9ZIq%_aF`CrT+>x150WHuzF>2P}b{4Os8e%c2dQnPZF zg}&~htlTj!h}J9i!CoAVh8cOv0d*I_PbT-b%uZ}%#~+xzVmwV*f1n!l;xWDK^{q`P z5w_6A14`wzt2vId?~-63GkQM+z`FsZxB>fSI}6c=-*N&jr9~}DyJyra@)4Gzv$Sm6 zJ3pz-b7hC`rCjcFo12P2v29>Ak%FJs40zea7R&J<<3o$R>~IK# z0OFWU%9%0YEit(%^EStrXo;Mq%iLS{7d={3WDQD4gm~|okMM4QHvXvmZwJuA5-GEz zO^HI?)s`^RhF(*}Sq5eNLV%q#m1kAWI}x`4+wzXH4pMR|-nTB<(wnf6TGz3rCdeg6 z_oI!R5d)h$CP@FqAyvaU6ol8cLq?51vG?$i2~t-t_G-}GHWe9Bve>EFQbD4SO*YUy 
zrl4+j)%0N>{BM0vGuz`WWPf@s&HK)8pJ~$b1b%`1WV90E)m5I)pO!gD7Bv zFXqT|Mh$nzDnCqZtI@FJY4e7haoOeOeE7zzH5d1qoVStg=2YuGETzRAZq*@qi-WdR zaKt=r&P|qiiJL)|j_YE1H4o2s6M>yj^X3lQm%n%)VtWuCZps|1%B@9oOQnNJi@TLy zAagw-YRUQTmyGS$b)w9>#$B1d;6h1oCavH=)f>;0 zYl03w5NtaJ9*z?RMnyG-L+n8bKj>9dRuUvl(Sb898?S0^v?Yir3?5E`iU18U^?yL8 z(~^~mKs(lE+-bZ7Sj7KNY0gjmrrfn3uQ{9acZR7q&VEHfTFAhiDZYYM$g?=(gwj`H zXKvRrn3g1}`a1w?-azfTvIamw@Jk5-T7%U|(L6;X(1MMU8dDlCln$2J2 z-?**?Jt&l(tufaA6P3W<&(&laI2d~OKdR`WCDMRJnf~P#l=>bNMao4@Ts|T{3z(F9 zBlbqN>#>$JqbvQXt9u*tzFUib_lsK`h~nigc{B0KE9l--mdrS3p^~V;iU7NS=`Aj- z!_#K7%>S$&ZlUJF7t5P3q(rLSKfh3JTq3Evovvy#(DvnZ&5M`Oj=9O*;(txNh9WmK z)^^2r(RQsjA;+7z*lvIC;-BcNu(O43bq9$4YhwQLTm+d)%~Y`s5FqqJP7ZxR4b^?K?M zu=guBD>1i4z?|P^Z>WD)E6PFuTewfSaVs!zSD>vUcUuzNGWGcBZ|o;CehAaqEcZeB z0`+y24~`JrUpf2ZJeURe^Eh8ETmZMYi)y?OdD+e-Ww-KiA>7>Z^^&wA&ONIq_E{fY zK{xqc9OIHzN3*~ys>tS+;n~6f>NPq=*(^fx$WiuNQHBCDq*py+b5|5jT{IQ_RJ0!e z!J3#L8{OjPN=E`kQ%<&OPF*Or*CL&Y4HVI9kcp@P|EKRBuv)B~;O;pI=YM|@EWShW z&%aMnKd!0aE`z+E_kMMfCkQt#mscEPp|^a#N@ufU_fnLZTMh#e zaegmMkTEvzu7laLa?>G0zkS}295MdCPv>afdi=h6{L!*gTQ;OcA*A%h3XiF%>B_~W zO}_@2;c|sI>sfC;hkx6QL<3AHuSRyW=XKQv)_@F|*?XkEn*tla?{@4bP2HV`BY@9%m3kbk1Z_uQ+6nSxAA*_ zg-wxvV_aDhfXWQC$a6BE2sJtHw+AD)ZO%~G^>()qW00p?Xmfir_hbK#p}Tc{u$9b4OMx7fu-ZO9vV{oaC<@)Wr@fo)OXArNtW%9BO> z7Sl19uzVaC_?fsJYCidu-k77VgiEiavlw;t2zFpprSLc#z?Gkc^7x>gC_!(#)3&#J zFJ>mYE~l$XW6j1dHw0V&w58Wr!ZHDVKZ(xDsk{U(b?D9_?4=Vg&H=w@z1V(!0~xdJ zV5hO;&8QJKaYWWwkjz<@YyY=fyO3N(U$9W=wQNmxY!F)|4i<~bS#CPczGsYD9+oyl z##qhSWi-1qP2rAAX#0uqqmJH~oa;@Dk>U&+-{JnC7NprWXK8Ku(<1ZV{oqg5u9O9| zuj53*=4R@MjwhZzGX`zyip#ft%QyU6+XMslR#$fA<&HMzNDA?D%?n@Zq>SSD!+oE0 z;m7=9S6O!(+;s=PL2hQv_T0d5Z(cu}QQ!aN^u%k3cY~DW+5WTX&+Y!p>&vbiGK^m9 zb?;fmKg#K5>AOAOB;qTUA=j`3BWpjtZEvCB|IkA*Ky*PL8CugR2G~q$D4fu^M|bl0wz z>7Mft!(Ta}_!LzbH`=Dp6+R?NX5+_&DVO58_O*_vZsFGN%g1?!SuhTuy2s< z#RuJT8J$fQXkgIRtDkEV)dUa4wB#?vB+W!AFqe=FVt?Z_meC<~0!I*VK`dVt*ioA>VY(2>(>JGI1YdBhihHr3# z5p9<`AD(LO7Yh~SaqrFTvxJ2>jXhH_JRr;aVl6qp#%qwu!!@Zm*sJT*I_1w52MVy{ 
z3lV$2+4723-qZpv230pZXV*!cZoJcR#-Z){YrgT-N6W77$LfGDuL;u-a`-0AL3P;k zbRKG6{g9EP{c}l3HDzhVm(~3S^3-8G0a;J1XN^*W2CmQOrxurs{YyZknT?+b-PJgqs7=qDl?@JBkwvr-28SB%`jjIiweFZu9U*R`j^Xyx|3tn zz)I~uA*m3pG}=F+D0G+WX3np(g=t#xRSuQSe8$WwMrt$R83d}JG=-V_LfkXx0}uct;K zzwdQTg5f&3|IzVt#y0xy(5sUdSK0{!56bhVowR?t64M{a^va7eir#)N zm)!7*R8!bCEySBDe3OFM{2ddvI{5mwHuR)%J~%fiH&q~TuzHKpM0E(H83ppN8*Dn` z2MRLqiw+$!EU9~Vo1B>CO)op@M$j@y7Zx1dR1F|>o1)AhW1o5q7h=*PrMf^ILPpJ+ z&92+fV}zQc8H_e^jtA@4`&@vV%P&<5^x_Kt%#C2&n$=teu_N_3N>vj?7G)o6)5I zj_hL>(q%Sl34H91FEZF|@%!)ixd@}73zztV=9WxtfS~_|lZ$@B!yt<)`stc4(MtE< zFnPci#}rIA(;3ae^0BKL&lBJ7GXFP^{SV>y|1zzbQ1tH?{v~tArIs!m{crsKpag9N zSQTonsqpuS3p8Z%KP>S7?}_XDUwgTz-mw)b#{23XbvdVkAtXmtO=*JpqfS&vY!;QLjoT^-Cw_e7j2&_8F8`KjtR8 zQx$5<%4yiZ8(X(-mlMDyp&zi4n5liZ8l-$rYdJP&>uSyPd)W>36p| zOiW@yVd=d~XqE^^_tUW^3$Q9Id<1pI($@FECF`i&kSAO6h6>fX*eX#!3d!_m+K~X+ z>98QxwrA;Z32Bp~t@Alsj#o9+ zjBP!tJR$DRy6`by;3YmjPwNLIVE~|w{i6r$o!E1H*}deIjl;lA z^~qO+K-v@YOc8z6avH8ru~mp;BKzNMFQo_lZes$vj{e2LLk_f7Z%kUVZ)}S#sGEWz z-i1AQ8IZVnm^LRKbQi!Ulu06bGHnu$ijo)$L;}z}6;o+J9vCpiTZwM8Z9Q4vxtaQV zxuQE4ZfX!otrmBdzf2xgi{-boi`!Ije}sHQ8*$77?!C@C-~dTzbeq<@Prb54>>Q6L zl8a_DV--v;vSHwJZ@R6?pd|TcV>Ga*4qNrTPoND0h?58P31tb0k|r9*2UaH_1;cgh z6GMk)^Z}_^`@=-6tpR|c^>aKMx8J?-&6<@C7sEv(pd8Ev9H)yLpdCW5gyA1TE1T-K z|NCvxnDLZHN5QCjvTG*s%e393{2CZJ*g`ez{FhCrZ=~^Ta1f4X5lP+Lp#HRn@y{+{ zce-z?cyx6CD!e>v*2Ui`<^U}z{!1C*lxQ!SO<&Mgf)Ax{4A)A~NjXjKM6MJ)0kQ@r z9Is~!WY7WzuV52(C`fivXm~ElUHJSxcOkfrj4-cSl`HRy)L@gpmTlHbNo~pX#+Ej- zX1?k6zXIS)%(4&G=O)Y^30G_Wsn(>wLMHrikH;T4v{8;`%YByQs>j}CwpdPletVU< zAYfq`nn^(e1AlpwI|rOruJzbUUb5-hEg~YS;7%WmK>ZJ&XL5M)+4xv21|SBB0d25v z-9HGCUMW+Q-tGx(r9&S3%hOAa7+I84C4AU?Z1=$p<@sSq-LM-A!)l;MlS~nAFVQ)}`w)wuZr%Yc8gg9A zo3cebyGv|6riy~p6o0O`GP^S$XK7`cscKRzZw(CO-HEwCC4HtlX-uR+(N1y&YeXhu@^RE0(b-HW0Jz8%d`^N(Z924A1&VC&Rz4aJR$0R!JE3CZ1qj^}vqdhU^Rj?|XwJhfS$5&-^{#>Lm ziA0+{xIXB>e?F7v3mINHU55LC(*aycUS#YE>|FI(3)te3_Bo@zl0DYS2sBo$(U%MV zbAT5mv%cuwE^9TE5l^q|1ex7b-(_E4WIt~OZi=%Zau8yP 
zCsyBit{W|wgBk-%31bDssJK_SfwQh;`TJ5f>k3L^Z5kbnYFm<}h3|fnCtXluBnO<` zM5dwRrz~PNI^FzgQYG(qe`B-={{TCdXXV0Pyc=%kHfHB`hZ`QW@rD53k^$sR4rFK44^%-h_@M zT_bxWdLG{Y$=C&2d)M8lQ;}9Tun66&AP0W)3Y`A&NVK^vE&h}JqKmMHzW8Zkg;`*k zlM10OXDzpsn$p(wW5;T)%oE#?yz}#W5`fRvbzc*pi!VzTwfU}1)=s%o)+>?u0YF`v zwBBsozJ@c{e{8C-sW|5ZvL^<0&X)3a0|^-gL4Sq=7M)qKlGs>3S1>-CymdBq^jH6Q zVI-`2xJ~qS3Q-CyeqrB9Fw0v}>HbR7uddRgb~`2T_@?4vvDwu!8gWRlG4*@c;&nag zjehnz`5f2X&HgMBF=J(QT;WgT{dFl`S^hj7jpRGP}oYupsV*(Z{`>#!Z*3Xg= zOc##b)x_+sqMRT~^^`syZP~eSTk3rEhf=;yKczZb+H~0TAy#Bb^v!(qphx(J0)DI@ z2bof+_;p`KTM4tf15<7q(@u0FCPeyp9T-(h?NTEboae>*unW-n98DP;_bOI5O7zsMkt4r9CE2s>KcKv9)HUFKZ%wK^}&*=2j(Go6ehTDxPWHa*V)_k2+>i=iM_91H9X7rDA; zv~oBbw=P);X9DyKqel|fsirn|Q81wUd8uTfn9*}h^W#}C~JPu--ZzqnSS?XV7~ z$s-g6dS67w&cq^Hys2W$HySoRcr2$XfDQ+2lZss_Q)kc~PNC-2Id8h|KOEB_1|r`M zyY@zzI6MOe2mUz(fGmD0Kpa|8qM*H`O3Z^$Ub^6;Nl8^us63=V42c*~u!#BAX=*!=3<2zJk^pUqx) z4{_mHt@}wF267_@QA^k;D3;A^!tEz<&M_23!vR@-d%K#a6YyZB6=g%hLChkAm|~o3 z{DN4(aWkUGK?Y`Q?Vm+En>)uHI_BB(FPO-UEo_$fT1>7^zF-mUM14_>I{in`OtEwrA&9k# zm^1g8OvxYx9fMsfgw*h8(fzE8dP?^gRa`<7md-Z7($_? 
zAx01!?+E3D*s0sa=IHBm#_}^tbX17k`<1d>cS z+(mz7Lws*HpgaLqp|Tn%?bv2Hc9h?UwmtI1$VBN`L?)%-TQ1&?epH?iBxkG&WGDSj zwa+`>Ig7pGJ#~#X!wtuYXw{+?=$T{v*h|m9ti0haGszS0E6c_lBfIJgz0fZ9x@Av) z9a~oRm@VOgW+i9n@F9hRb)>DlCskf+^BQrkW8eB6THlYmTb;V2t1jwXr@30MU9f!* zuCN)JZT(U-2&ZOQsNvd@l|?>XqF)^La=Ej7Ge^-%3M^mI9235y?b59hHB!WO>!m85 z#Af@m(Ck8}4rJH;=jxj7#{_TujQvvpO!3cjifh~Nf#{IBg&?+DeA_orH56G(-(%60<{JX1^>}Vc+0)OW za;gVQS5zG^JlPk|8P9X|8;c0O-6u4>0EW4)(J_8k%|A)xvej1v3o_dsH_R&{^^RDA z@r+X~)RLso@E|tid_*aKgBxalKfDZ8jx~(*4LQk*+3YWYqc@LR-T`NhKKnL~$7Rbs z(30;QhA@F(il>k!)6+qyEwuWeRzU0Y8=*Q+CxnxPM%0-`rIn&w_+bH+Tt}N-87@w@ zEG6DM2!NyH8(96Sqi)_ls^2)Pc=@DZRUmZF1h*Cd+nv2>+wJ4FJtxj;!Ltgx*akBK z84@&yi?gMTpA5sh(O*_MN8%}waHZc`Q8uS(kL(pm@__0@14f+p5>4S~^-|>2OUSxtBX+rEgU$GZ_4+rRjP=DsUx~{(b^@h(16lU- zOtBFXV(OHfXCMv)$VXE_@G)6MTb3GO)*D#6!iX$rboW4~RSgI${BbvrLQa7U z`oswCDa9>7?5y!>>_wu z!+HG42%2r~fx>phXX>6OA{y{|&o^X_o@71!!{1(60liJf4;Sj>4Nxb3D*;3VJQn@4 z%#R*n7ec*ylQeQKk-Z5!du?3nN%cV5nXC2F2#V7v1(ocl*Q`v`UKtEdKl% z%KcLMHch10vDr+#Wq?#CHg;}MCwrdw-TteKJVs05{15I%(y)#!W?eMtsyGzfWciY^o-*tdfj2isl6JECWW$Tyz~<8sHLGsHV1o;qj17VbJ64 zyb+k){)9rgC&yBbw>e?=?3;)_bNOy{MnQupY`pWSJ&4)JMk^*DDJ>1 zH0S)2v7EV0!-piV3Vc+gIZsP6ei#=>GVThnnJX-T)PUvtK9fSu zD9KAV1lM<(DE3twA&~&ZuS0p+WMpiZP68lfH;2&%xwKPkHuI)AU;Pw9ntH2#lmMO) z{SD>Mw?lIY{o+tRc*TTcoIOyXDj>T4w0gDUeqmBot?KFeJM?eVoQ`3$FG`Zovaxa2usy@p?e^18MN=_#fj=eH3)%O0bM(c)Z=W?pkEYuOJ0h+$n7%`_KXOPUW zwBY-@z%H4tIV1G+$=Uo zqEqxM^6t_s&0ZJX66Zc=gZzTxFR++gHq4kiQ1x0r4rbdNj8gS{&Kv4 zK|6xOM zYW`v8uSz90C5nH8p-4ohfrI++oRg)(6h9HHP`^D!(i?#0r#F`2{*VVDML$+zjWEJ;koi2Lf!5yIqCa2iJf|)XKmYIOUrv{VFH9m z0ZxgXD4nyPCJfv~#^BKEz0%`Qs3PtATXTrdKGNtz6I2x9s%UyU9cDKUL-wm}d!;0Z z)5mf6y=!fj+*1!-ow$N(f1>O3BFx6`3(=m%K6%}h{dq!g^~CH(iw*mDF2zZ7{{)B4 zlaz!Z7N3B(hn%HK7~i0*(K8quM?^(awA?a7PwCqFvo>o-YyBeoi@|Gx%%GXA=EbazcwF zm3ceF-sil8Qr*05kh;_u0x>*+WH#qLa{8#Nzz0sxa|R8$;#%7?xWBqah8bTw5|u;i zsPEiSr3o$bHiq+K6YezVPlZaB)jmAbNw;SoJp(wr!LOCEf(I~3rW{2k98`D(B6S{} zEqw7(z*qXRJ#!SBUE9H{`oT(C?B}QGi+_43is|Z8ykZcoBuZo%beC@=v-zRw?Rtq-Ip6-Q>5JLtKfG+kaM6I 
zV)3g0Ar9SlbB@1KMaXoi`ER(XpMbn^d|hJqPQQric`_HR$~}<&6uiTCkbST=sy*tN zfMB921(F|~arOh^;!A})J9eHc!mDZZ&gd5Ifj+y;-LL1nMM_Tkd7Jpq916ZX>RK;? zHVF90Vo`ws7xULyTSAS@fC_=e1MJ!Eq}iJ<_PL083uwyHZ(b?8_FfCMG5F>^cpz zbsDXLOUR#M^52}yM_risH_^aT>(idH)8tJd*^+GXS5&lZ4a}BWX#`b9s4nJ9jheico|lN0j9#s|Y42_syE)G~d9&RsI{Pwz&Z?{BRQ{9*O09<`@Ele2u# zk_)j+PaD}9%~5=zW>w7!%y+MO#oY{K=UPR5w8Os(xgh|M^A_1AN_1`+#o^SP}{ZPR6eRQt>bO___4C( zHgfZ31FPcs_%=Ua;c~UIjqoP0l$l$oWGDqU11kpE`vwx@^6E@+CU; zL1swjr?6XqR7wA9RSn1$c_jE1maer;L3bs=@z@0ssx;9lrunBOjATQLfsb)@x$y!H ztNDNzs+F{IvzKQdr9B9 zPd)k%cjF&9(`g3Dm8|-^*ci!KsKOi`uq&Uii1J)C-^3V= zO1y-@Gv9zFq2!9~O$_Nw%!o2YYmkk^8q(Jx0RQoUjFezJtFdVw65NVmjSPpM~FH^ScB z@Dh!_z%oBKL`wLfMTor9LOsAvt2x>?*5}l*raWJFk4x+`WRFq#NJ8bg1Tze2t!@$s zjwD1Zq2xx1y1%5xS}-pO*n({S{PJst5mp;9A!g@;hv3GTvxth1@F^aJ*bHjp2kk5jUVN+XCKbnqQr!Uh03dVb7-ujMES%AspIX&bCjtTR)@C?3}T+u)SAB`JI{N*YP z#Ok?KOSz0Vq9g?Ka#B<3_vQqf)o7A%IlM*pmf4sSMS~)S(U!wy;@f+GB)2R=6G54*WaybYLi8BQeXYjZQxq(dw*j>~>1& zFKG8EP$^v)v`y`AAbv{au0Z*{dt~bDP)j{f!9_UnrAiHP6|M)DZJ_P=q3*dC+tZ>N zxoe*hH7@N3@uhdNIA2iveaub-C~bD+(_x=hp*RBqip@Db@<-<3((IMKLn;rSDbCM5 z(6HXI<7|kT%dn`jVlR-f*zLUn-L2V&h|su8?5`fjw$Yrvc%A1XO*Wh-`aw!?HXjZ< z&RbD)DoW?^Yd86B^GP-lQ)a_~dY4q#mF`k47OcD{`b|}|K;67o0%pF@5yD@HG7PL%Q=VFoV&t8*y;~1!cW3Ll`~2>) zFYwJi@`85PSB<2Q*N8_KwL#w@b9j%hng>5;7$$9qp&TiJD=eF{48wvo?8?qtSiQc^ zGI`qMJ;c4_g3`qF=jWCxm@6>z7m^rF#WNB#X3qO>mRLWqGsiL5ByENc9pi{*F>SFW z--4}wKxtd@A|EC`O(jK<^=ufk#qpgiI5sKQR<-pr@mUxRPXHs#&5;4?4OQrMD+1QI zmCS{T3JrER$bzm1XGPfyit>b0wcXSPPNxiUvrjSY>Vu_R@5AVqMqSNmV1iu+e7Yat z-yodd2&O?_i#P^~mW|%>PWs2cGTrOWU+Me&1evU*ZAK(QfukH3z! 
zX?;A%3Zf~pL9a5L%7;ri%n`970$inXNZ9$voFxLB9PY zVpNC=1d3p?Z+VJS3O*<{G+%2!M44-d?FN5wWwC%T3X;FdP^51~Co?I6cLlgJWMiU5 zXLY9E1DM!s*ki0Lgs`{s&-u}*_&sjYW`kq2JP#{toVnoIUpQtbr#Q~yI%(~1SnI;C zC+l(4jWGN@>I=kGnjcM=n~OB~uzZyV_nIj_dYOtCE8d&0-qh@hX!BZcG)@mqCV$xmp46(a*8VZgP(X7a>UDKq zI(E+Q@*Fm9z$u6etoYr#UnZBP?uL?_m#P-eu)q7YaiVr0 zd4pN+llz<-p0;unXkV`H$zc!wbd=2_-A&D=8aMO ziei=L-@)dCIxEP$sl&8fq)h6H*3R?0G1mR6yH;i{`brCnlh0JmpgU=(N^$Oq?@vDk zJ-N=djfS-D?$;Jr82F~REU!=;E|%&29En^Q54j1|yQlewlP&O^L}Ie>0et*Wxj1tP>yF=RhW`7i(_2RJ$v@OCKwq+s!0 zN~GYx;HL;j(-i5SM?9Wg{os3?Q?0m0-?6dt3*Rkv#d4*(~+m$NCt8acUoHlWqR&M{)*Y+#Ar{p-339?^Y z74_pV!%Q~gvwWXl1@UYj2@0{%l*9p9*B|AhHA%FKXrk+(yzJv-3OM5Jk|p&ubMqkw zC56Jmd1S@7dfaEX(T5F|X&xyA%gbJ&)n@j+hkOZ~)B6fb3us}}+6;+T6k-u>$Y*dL zaaDju05KHEoNOji_%KD@Yg+7kftOKEPxC>L#=7bPJ3zF+(`TdZd38-}s267-ZA_K= zw8Zv0y8fQjHy6z#vA_;m+W2%Jo+#^+K}Z~b)(hKwlD$`v1YtOw0GpS5`+IjO|Ca-^ z#qr<>(ftWJ{8`npkr%5L?()O$p5K091u-Y{k`=FQ>qRh0HO#j;me=Q60rD}2KwR72 z9}PhF$(fGa-4nxnkV!n9gXL-$KZC5;x`y4ajR|4g@xY30R)a?H+O=PM&q!{+cYXF=b+Jqq*3Fgi^&bFGi)A-|n+ftI% zf<|^ukK)mV)M>V3qLc1tK_%wue|S*w2!FzClFSud!VTgL6P#! 
sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.aws-lambda.security.tainted-sql-string.tainted-sql-string)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n","text":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines.
Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.aws-lambda.security.tainted-sql-string.tainted-sql-string","id":"java.aws-lambda.security.tainted-sql-string.tainted-sql-string","name":"java.aws-lambda.security.tainted-sql-string.tainted-sql-string","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.aws-lambda.security.tainted-sql-string.tainted-sql-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead."},"help":{"markdown":"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.aws-lambda.security.tainted-sqli.tainted-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. 
Use parameterized SQL queries or properly sanitize user input instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.aws-lambda.security.tainted-sqli.tainted-sqli","id":"java.aws-lambda.security.tainted-sqli.tainted-sqli","name":"java.aws-lambda.security.tainted-sqli.tainted-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.aws-lambda.security.tainted-sqli.tainted-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token."},"help":{"markdown":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n","text":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. 
Call '.verify()' before using the token.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify","id":"java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify","name":"java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify","properties":{"precision":"very-high","tags":["CWE-345: Insufficient Verification of Data Authenticity","MEDIUM CONFIDENCE","OWASP-A08:2021 - Software and Data Integrity Failures","OWASP-A08:2025 - Software or Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. 
It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret","id":"java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret","name":"java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."},"help":{"markdown":"Detected use of the 'none' algorithm in a JWT token. 
The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.java-jwt.security.jwt-none-alg.java-jwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.java-jwt.security.jwt-none-alg.java-jwt-none-alg","id":"java.java-jwt.security.jwt-none-alg.java-jwt-none-alg","name":"java.java-jwt.security.jwt-none-alg.java-jwt-none-alg","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.java-jwt.security.jwt-none-alg.java-jwt-none-alg"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) 
to only retrieve the file name from the path."},"help":{"markdown":"Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal)\n - [https://www.owasp.org/index.php/Path_Traversal](https://www.owasp.org/index.php/Path_Traversal)\n","text":"Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) 
to only retrieve the file name from the path.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal","id":"java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal","name":"java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A01:2025 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: java.jax-rs.security.jax-rs-path-traversal.jax-rs-path-traversal"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"In $METHOD, $X is used to construct a SQL query via string concatenation."},"help":{"markdown":"In $METHOD, $X is used to construct a SQL query via string concatenation.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.jboss.security.session_sqli.find-sql-string-concatenation)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"In $METHOD, $X is used to construct a SQL query via string concatenation.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.jboss.security.session_sqli.find-sql-string-concatenation","id":"java.jboss.security.session_sqli.find-sql-string-concatenation","name":"java.jboss.security.session_sqli.find-sql-string-concatenation","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: 
java.jboss.security.session_sqli.find-sql-string-concatenation"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Using less than 128 bits for Blowfish is considered insecure. Use 128 bits or more, or switch to use AES instead."},"help":{"markdown":"Using less than 128 bits for Blowfish is considered insecure. Use 128 bits or more, or switch to use AES instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Using less than 128 bits for Blowfish is considered insecure. Use 128 bits or more, or switch to use AES instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size","id":"java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size","name":"java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A malicious actor could discern the difference between plaintext with valid or invalid padding. Further, CBC mode does not include any integrity checks. 
Use 'AES/GCM/NoPadding' instead."},"help":{"markdown":"Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A malicious actor could discern the difference between plaintext with valid or invalid padding. Further, CBC mode does not include any integrity checks. Use 'AES/GCM/NoPadding' instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle)\n - [https://capec.mitre.org/data/definitions/463.html](https://capec.mitre.org/data/definitions/463.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes)\n - [https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY](https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY)\n","text":"Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A malicious actor could discern the difference between plaintext with valid or invalid padding. Further, CBC mode does not include any integrity checks. 
Use 'AES/GCM/NoPadding' instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle","id":"java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle","name":"java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.cbc-padding-oracle.cbc-padding-oracle"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content."},"help":{"markdown":"When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crlf-injection-logs.crlf-injection-logs)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crlf-injection-logs.crlf-injection-logs","id":"java.lang.security.audit.crlf-injection-logs.crlf-injection-logs","name":"java.lang.security.audit.crlf-injection-logs.crlf-injection-logs","properties":{"precision":"very-high","tags":["CWE-93: Improper Neutralization of CRLF Sequences ('CRLF 
Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crlf-injection-logs.crlf-injection-logs"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"DES is considered deprecated. AES is the recommended cipher. Upgrade to use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard for more information."},"help":{"markdown":"DES is considered deprecated. AES is the recommended cipher. Upgrade to use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard for more information.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated)\n - [https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard](https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)\n","text":"DES is considered deprecated. AES is the recommended cipher. Upgrade to use AES. 
See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard for more information.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated","id":"java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated","name":"java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES."},"help":{"markdown":"Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated)\n - [https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA](https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA)\n","text":"Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. 
Upgrade to use AES.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated","id":"java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated","name":"java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.desede-is-deprecated.desede-is-deprecated"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY."},"help":{"markdown":"Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.ecb-cipher.ecb-cipher)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. 
See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.ecb-cipher.ecb-cipher","id":"java.lang.security.audit.crypto.ecb-cipher.ecb-cipher","name":"java.lang.security.audit.crypto.ecb-cipher.ecb-cipher","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.ecb-cipher.ecb-cipher"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"GCM IV/nonce is reused: encryption can be totally useless"},"help":{"markdown":"GCM IV/nonce is reused: encryption can be totally useless\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"GCM IV/nonce is reused: encryption can be totally useless\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse","id":"java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse","name":"java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse","properties":{"precision":"very-high","tags":["CWE-323: Reusing a Nonce, Key Pair in Encryption","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: 
java.lang.security.audit.crypto.gcm-nonce-reuse.gcm-nonce-reuse"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"help":{"markdown":"NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.no-null-cipher.no-null-cipher)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). 
See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.no-null-cipher.no-null-cipher","id":"java.lang.security.audit.crypto.no-null-cipher.no-null-cipher","name":"java.lang.security.audit.crypto.no-null-cipher.no-null-cipher","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.no-null-cipher.no-null-cipher"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption."},"help":{"markdown":"Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector)\n - [https://cwe.mitre.org/data/definitions/329.html](https://cwe.mitre.org/data/definitions/329.html)\n","text":"Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. 
Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector","id":"java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector","name":"java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector","properties":{"precision":"very-high","tags":["CWE-329: Generation of Predictable IV with CBC Mode","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Using RSA without OAEP mode weakens the encryption."},"help":{"markdown":"Using RSA without OAEP mode weakens the encryption.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding)\n - [https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/](https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/)\n","text":"Using RSA without OAEP mode weakens the encryption.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding","id":"java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding","name":"java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data 
Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.rsa-no-padding.rsa-no-padding"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected use of a Java socket that is not encrypted. As a result, the traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead."},"help":{"markdown":"Detected use of a Java socket that is not encrypted. As a result, the traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected use of a Java socket that is not encrypted. As a result, the traffic could be read by an attacker intercepting the network traffic. 
Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket","id":"java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket","name":"java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Use of AES with ECB mode detected. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"help":{"markdown":"Use of AES with ECB mode detected. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). 
See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n","text":"Use of AES with ECB mode detected. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb","id":"java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb","name":"java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). 
See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"help":{"markdown":"Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n","text":"Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). 
See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish","id":"java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish","name":"java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"help":{"markdown":"Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). 
See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n","text":"Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes","id":"java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes","name":"java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. 
Use HMAC instead."},"help":{"markdown":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils","id":"java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils","name":"java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead."},"help":{"markdown":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. 
Use HMAC instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5.use-of-md5)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5.use-of-md5","id":"java.lang.security.audit.crypto.use-of-md5.use-of-md5","name":"java.lang.security.audit.crypto.use-of-md5.use-of-md5","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.use-of-md5.use-of-md5"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"help":{"markdown":"Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). 
See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-rc2.use-of-rc2)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n","text":"Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-rc2.use-of-rc2","id":"java.lang.security.audit.crypto.use-of-rc2.use-of-rc2","name":"java.lang.security.audit.crypto.use-of-rc2.use-of-rc2","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.use-of-rc2.use-of-rc2"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Use of RC4 was detected. RC4 is vulnerable to several attacks, including stream cipher attacks and bit flipping attacks. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"help":{"markdown":"Use of RC4 was detected. 
RC4 is vulnerable to several attacks, including stream cipher attacks and bit flipping attacks. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-rc4.use-of-rc4)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n","text":"Use of RC4 was detected. RC4 is vulnerable to several attacks, including stream cipher attacks and bit flipping attacks. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-rc4.use-of-rc4","id":"java.lang.security.audit.crypto.use-of-rc4.use-of-rc4","name":"java.lang.security.audit.crypto.use-of-rc4.use-of-rc4","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.use-of-rc4.use-of-rc4"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. 
Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications."},"help":{"markdown":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-sha1.use-of-sha1)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-sha1.use-of-sha1","id":"java.lang.security.audit.crypto.use-of-sha1.use-of-sha1","name":"java.lang.security.audit.crypto.use-of-sha1.use-of-sha1","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.use-of-sha1.use-of-sha1"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security."},"help":{"markdown":"This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. 
Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-sha224.use-of-sha224)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf)\n - [https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography)\n","text":"This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-sha224.use-of-sha224","id":"java.lang.security.audit.crypto.use-of-sha224.use-of-sha224","name":"java.lang.security.audit.crypto.use-of-sha224.use-of-sha224","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.use-of-sha224.use-of-sha224"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"RSA keys should be at least 2048 bits based on NIST recommendation."},"help":{"markdown":"RSA keys should be at least 2048 bits based on NIST recommendation.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep 
Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)\n","text":"RSA keys should be at least 2048 bits based on NIST recommendation.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key","id":"java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key","name":"java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"help":{"markdown":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. 
You can obtain a PreparedStatement using 'connection.prepareStatement'.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.formatted-sql-string.formatted-sql-string)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n - [https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html#create_ps](https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html#create_ps)\n - [https://software-security.sans.org/developer-how-to/fix-sql-injection-in-java-using-prepared-callable-statement](https://software-security.sans.org/developer-how-to/fix-sql-injection-in-java-using-prepared-callable-statement)\n","text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. 
You can obtain a PreparedStatement using 'connection.prepareStatement'.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.formatted-sql-string.formatted-sql-string","id":"java.lang.security.audit.formatted-sql-string.formatted-sql-string","name":"java.lang.security.audit.formatted-sql-string.formatted-sql-string","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.formatted-sql-string.formatted-sql-string"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself."},"help":{"markdown":"Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.http-response-splitting.http-response-splitting)\n - [https://www.owasp.org/index.php/HTTP_Response_Splitting](https://www.owasp.org/index.php/HTTP_Response_Splitting)\n","text":"Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. 
This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.http-response-splitting.http-response-splitting","id":"java.lang.security.audit.http-response-splitting.http-response-splitting","name":"java.lang.security.audit.http-response-splitting.http-response-splitting","properties":{"precision":"very-high","tags":["CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.http-response-splitting.http-response-splitting"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Insecure SMTP connection detected. This connection will trust any SSL certificate. Enable certificate verification by setting 'email.setSSLCheckServerIdentity(true)'."},"help":{"markdown":"Insecure SMTP connection detected. This connection will trust any SSL certificate. Enable certificate verification by setting 'email.setSSLCheckServerIdentity(true)'.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Insecure SMTP connection detected. This connection will trust any SSL certificate. 
Enable certificate verification by setting 'email.setSSLCheckServerIdentity(true)'.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection","id":"java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection","name":"java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection","properties":{"precision":"very-high","tags":["CWE-297: Improper Validation of Certificate with Host Mismatch","MEDIUM CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as PBKDF2 or bcrypt. You can use `javax.crypto.SecretKeyFactory` with `SecretKeyFactory.getInstance(\"PBKDF2WithHmacSHA1\")` or, if using Spring, `org.springframework.security.crypto.bcrypt`."},"help":{"markdown":"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as PBKDF2 or bcrypt. 
You can use `javax.crypto.SecretKeyFactory` with `SecretKeyFactory.getInstance(\"PBKDF2WithHmacSHA1\")` or, if using Spring, `org.springframework.security.crypto.bcrypt`.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.md5-used-as-password.md5-used-as-password)\n - [https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html](https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html)\n - [https://github.com/returntocorp/semgrep-rules/issues/1609](https://github.com/returntocorp/semgrep-rules/issues/1609)\n - [https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SecretKeyFactory](https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SecretKeyFactory)\n - [https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.html](https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.html)\n","text":"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as PBKDF2 or bcrypt. 
You can use `javax.crypto.SecretKeyFactory` with `SecretKeyFactory.getInstance(\"PBKDF2WithHmacSHA1\")` or, if using Spring, `org.springframework.security.crypto.bcrypt`.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.md5-used-as-password.md5-used-as-password","id":"java.lang.security.audit.md5-used-as-password.md5-used-as-password","name":"java.lang.security.audit.md5-used-as-password.md5-used-as-password","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.md5-used-as-password.md5-used-as-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected input from a HTTPServletRequest going into a SQL sink or statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead."},"help":{"markdown":"Detected input from a HTTPServletRequest going into a SQL sink or statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. 
Use parameterized SQL queries or properly sanitize user input instead.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n","text":"Detected input from a HTTPServletRequest going into a SQL sink or statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request","id":"java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request","name":"java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected input from a HTTPServletRequest going into a 'ProcessBuilder' or 'exec' command. This could lead to command injection if variables passed into the exec commands are not properly sanitized. 
Instead, avoid using these OS commands with user-supplied input, or, if you must use these commands, use a whitelist of specific values."},"help":{"markdown":"Detected input from a HTTPServletRequest going into a 'ProcessBuilder' or 'exec' command. This could lead to command injection if variables passed into the exec commands are not properly sanitized. Instead, avoid using these OS commands with user-supplied input, or, if you must use these commands, use a whitelist of specific values.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected input from a HTTPServletRequest going into a 'ProcessBuilder' or 'exec' command. This could lead to command injection if variables passed into the exec commands are not properly sanitized. 
Instead, avoid using these OS commands with user-supplied input, or, if you must use these commands, use a whitelist of specific values.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request","id":"java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request","name":"java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.tainted-cmd-from-http-request.tainted-cmd-from-http-request"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected input from a HTTPServletRequest going into the environment variables of an 'exec' command. Instead, call the command with user-supplied arguments by using the overloaded method with one String array as the argument. `exec({\"command\", \"arg1\", \"arg2\"})`."},"help":{"markdown":"Detected input from a HTTPServletRequest going into the environment variables of an 'exec' command. Instead, call the command with user-supplied arguments by using the overloaded method with one String array as the argument. `exec({\"command\", \"arg1\", \"arg2\"})`.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected input from a HTTPServletRequest going into the environment variables of an 'exec' command. 
Instead, call the command with user-supplied arguments by using the overloaded method with one String array as the argument. `exec({\"command\", \"arg1\", \"arg2\"})`.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request","id":"java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request","name":"java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request","properties":{"precision":"very-high","tags":["CWE-454: External Initialization of Trusted Variables or Data Stores","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data."},"help":{"markdown":"Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. 
Ensure data passed to an LDAP query is not controllable or properly sanitize the data.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request)\n - [https://sensei.securecodewarrior.com/recipes/scw%3Ajava%3ALDAP-injection](https://sensei.securecodewarrior.com/recipes/scw%3Ajava%3ALDAP-injection)\n","text":"Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request","id":"java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request","name":"java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request","properties":{"precision":"very-high","tags":["CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected input from a HTTPServletRequest going into a session command, like `setAttribute`. User input into such a command could lead to an attacker inputting malicious code into your session parameters, blurring the line between what's trusted and untrusted, and therefore leading to a trust boundary violation. 
This could lead to programmers trusting unvalidated data. Instead, thoroughly sanitize user input before passing it into such function calls."},"help":{"markdown":"Detected input from a HTTPServletRequest going into a session command, like `setAttribute`. User input into such a command could lead to an attacker inputting malicious code into your session parameters, blurring the line between what's trusted and untrusted, and therefore leading to a trust boundary violation. This could lead to programmers trusting unvalidated data. Instead, thoroughly sanitize user input before passing it into such function calls.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n","text":"Detected input from a HTTPServletRequest going into a session command, like `setAttribute`. User input into such a command could lead to an attacker inputting malicious code into your session parameters, blurring the line between what's trusted and untrusted, and therefore leading to a trust boundary violation. This could lead to programmers trusting unvalidated data. 
Instead, thoroughly sanitize user input before passing it into such function calls.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request","id":"java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request","name":"java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request","properties":{"precision":"very-high","tags":["CWE-501: Trust Boundary Violation","MEDIUM CONFIDENCE","OWASP-A04:2021 - Insecure Design","OWASP-A06:2025 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.tainted-session-from-http-request.tainted-session-from-http-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected input from a HTTPServletRequest going into a XPath evaluate or compile command. This could lead to xpath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Instead, thoroughly sanitize user input or use parameterized xpath queries if you can."},"help":{"markdown":"Detected input from a HTTPServletRequest going into a XPath evaluate or compile command. This could lead to xpath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. 
Instead, thoroughly sanitize user input or use parameterized xpath queries if you can.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected input from a HTTPServletRequest going into a XPath evaluate or compile command. This could lead to xpath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Instead, thoroughly sanitize user input or use parameterized xpath queries if you can.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request","id":"java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request","name":"java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request","properties":{"precision":"very-high","tags":["CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.tainted-xpath-from-http-request.tainted-xpath-from-http-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Application redirects to a destination URL specified by a user-supplied parameter that is not validated. This could direct users to malicious locations. Consider using an allowlist to validate URLs."},"help":{"markdown":"Application redirects to a destination URL specified by a user-supplied parameter that is not validated. This could direct users to malicious locations. 
Consider using an allowlist to validate URLs.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.unvalidated-redirect.unvalidated-redirect)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"Application redirects to a destination URL specified by a user-supplied parameter that is not validated. This could direct users to malicious locations. Consider using an allowlist to validate URLs.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.unvalidated-redirect.unvalidated-redirect","id":"java.lang.security.audit.unvalidated-redirect.unvalidated-redirect","name":"java.lang.security.audit.unvalidated-redirect.unvalidated-redirect","properties":{"precision":"very-high","tags":["CWE-601: URL Redirection to Untrusted Site ('Open Redirect')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A01:2025 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.unvalidated-redirect.unvalidated-redirect"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security."},"help":{"markdown":"An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. 
Use SSLContext.getInstance(\"TLSv1.2\") for the best security.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.weak-ssl-context.weak-ssl-context)\n - [https://tools.ietf.org/html/rfc7568](https://tools.ietf.org/html/rfc7568)\n - [https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html](https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html)\n","text":"An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.weak-ssl-context.weak-ssl-context","id":"java.lang.security.audit.weak-ssl-context.weak-ssl-context","name":"java.lang.security.audit.weak-ssl-context.weak-ssl-context","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.weak-ssl-context.weak-ssl-context"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a request with potential user-input going into a OutputStream or Writer object. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as JavaServer Faces (JSFs) which automatically escapes HTML views."},"help":{"markdown":"Detected a request with potential user-input going into a OutputStream or Writer object. 
This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as JavaServer Faces (JSFs) which automatically escapes HTML views.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer)\n - [https://www3.ntu.edu.sg/home/ehchua/programming/java/JavaServerFaces.html](https://www3.ntu.edu.sg/home/ehchua/programming/java/JavaServerFaces.html)\n","text":"Detected a request with potential user-input going into a OutputStream or Writer object. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as JavaServer Faces (JSFs) which automatically escapes HTML views.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer","id":"java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer","name":"java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. 
Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false."},"help":{"markdown":"DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n","text":"DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. 
This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false","id":"java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false","name":"java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A02:2025 - Security Misconfiguration","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false."},"help":{"markdown":"DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. 
Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n","text":"DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. 
This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing","id":"java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing","name":"java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A02:2025 - Security Misconfiguration","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false."},"help":{"markdown":"External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. 
Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n","text":"External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true","id":"java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true","name":"java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A02:2025 - Security Misconfiguration","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"External entities are allowed for 
$DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-parameter-entities\" to false."},"help":{"markdown":"External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n","text":"External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. 
Disable this by setting the feature \"http://xml.org/sax/features/external-parameter-entities\" to false.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true","id":"java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true","name":"java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A02:2025 - Security Misconfiguration","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true.documentbuilderfactory-external-parameter-entities-true"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"DOCTYPE declarations are enabled for this SAXParserFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature `http://apache.org/xml/features/disallow-doctype-decl` to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false. NOTE - The previous links are not meant to be clicked. They are the literal config key values that are supposed to be used to disable these features. For more information, see https://semgrep.dev/docs/cheat-sheets/java-xxe/#3a-documentbuilderfactory."},"help":{"markdown":"DOCTYPE declarations are enabled for this SAXParserFactory. 
This is vulnerable to XML external entity attacks. Disable this by setting the feature `http://apache.org/xml/features/disallow-doctype-decl` to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false. NOTE - The previous links are not meant to be clicked. They are the literal config key values that are supposed to be used to disable these features. For more information, see https://semgrep.dev/docs/cheat-sheets/java-xxe/#3a-documentbuilderfactory.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n","text":"DOCTYPE declarations are enabled for this SAXParserFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature `http://apache.org/xml/features/disallow-doctype-decl` to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false. NOTE - The previous links are not meant to be clicked. They are the literal config key values that are supposed to be used to disable these features. 
For more information, see https://semgrep.dev/docs/cheat-sheets/java-xxe/#3a-documentbuilderfactory.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing","id":"java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing","name":"java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A02:2025 - Security Misconfiguration","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\"."},"help":{"markdown":"DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. 
Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\".\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n","text":"DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\".\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled","id":"java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled","name":"java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A02:2025 - Security Misconfiguration","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected a potential path traversal. 
A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path."},"help":{"markdown":"Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal)\n - [https://www.owasp.org/index.php/Path_Traversal](https://www.owasp.org/index.php/Path_Traversal)\n","text":"Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) 
to only retrieve the file name from the path.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal","id":"java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal","name":"java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A01:2025 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"JMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload when ObjectMessage.getObject() is called. Deserialization of untrusted data can lead to security flaws; a remote attacker could via a crafted JMS ObjectMessage to execute arbitrary code with the permissions of the application listening/consuming JMS Messages. In this case, the JMS MessageListener consume an ObjectMessage type received inside the onMessage method, which may lead to arbitrary code execution when calling the $Y.getObject method."},"help":{"markdown":"JMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload when ObjectMessage.getObject() is called. Deserialization of untrusted data can lead to security flaws; a remote attacker could via a crafted JMS ObjectMessage to execute arbitrary code with the permissions of the application listening/consuming JMS Messages. 
In this case, the JMS MessageListener consume an ObjectMessage type received inside the onMessage method, which may lead to arbitrary code execution when calling the $Y.getObject method.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization)\n - [https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities-wp.pdf](https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities-wp.pdf)\n","text":"JMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload when ObjectMessage.getObject() is called. Deserialization of untrusted data can lead to security flaws; a remote attacker could via a crafted JMS ObjectMessage to execute arbitrary code with the permissions of the application listening/consuming JMS Messages. 
In this case, the JMS MessageListener consume an ObjectMessage type received inside the onMessage method, which may lead to arbitrary code execution when calling the $Y.getObject method.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization","id":"java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization","name":"java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","OWASP-A08:2025 - Software or Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"When using Jackson to marshall/unmarshall JSON to Java objects, enabling default typing is dangerous and can lead to RCE. If an attacker can control `$JSON` it might be possible to provide a malicious JSON which can be used to exploit unsecure deserialization. In order to prevent this issue, avoid to enable default typing (globally or by using \"Per-class\" annotations) and avoid using `Object` and other dangerous types for member variable declaration which creating classes for Jackson based deserialization."},"help":{"markdown":"When using Jackson to marshall/unmarshall JSON to Java objects, enabling default typing is dangerous and can lead to RCE. If an attacker can control `$JSON` it might be possible to provide a malicious JSON which can be used to exploit unsecure deserialization. 
In order to prevent this issue, avoid to enable default typing (globally or by using \"Per-class\" annotations) and avoid using `Object` and other dangerous types for member variable declaration which creating classes for Jackson based deserialization.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization)\n - [https://swapneildash.medium.com/understanding-insecure-implementation-of-jackson-deserialization-7b3d409d2038](https://swapneildash.medium.com/understanding-insecure-implementation-of-jackson-deserialization-7b3d409d2038)\n - [https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/](https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/)\n","text":"When using Jackson to marshall/unmarshall JSON to Java objects, enabling default typing is dangerous and can lead to RCE. If an attacker can control `$JSON` it might be possible to provide a malicious JSON which can be used to exploit unsecure deserialization. 
In order to prevent this issue, avoid to enable default typing (globally or by using \"Per-class\" annotations) and avoid using `Object` and other dangerous types for member variable declaration which creating classes for Jackson based deserialization.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization","id":"java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization","name":"java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A8:2017 Insecure Deserialization","OWASP-A8:2021 Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.jackson-unsafe-deserialization.jackson-unsafe-deserialization"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Cross-site scripting detected in HttpServletResponse writer with variable '$VAR'. User input was detected going directly from the HttpServletRequest into output. Ensure your data is properly encoded using org.owasp.encoder.Encode.forHtml: 'Encode.forHtml($VAR)'."},"help":{"markdown":"Cross-site scripting detected in HttpServletResponse writer with variable '$VAR'. User input was detected going directly from the HttpServletRequest into output. Ensure your data is properly encoded using org.owasp.encoder.Encode.forHtml: 'Encode.forHtml($VAR)'.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Cross-site scripting detected in HttpServletResponse writer with variable '$VAR'. 
User input was detected going directly from the HttpServletRequest into output. Ensure your data is properly encoded using org.owasp.encoder.Encode.forHtml: 'Encode.forHtml($VAR)'.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss","id":"java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss","name":"java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false."},"help":{"markdown":"XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. 
Explicitly disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf](https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser)\n","text":"XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. 
Explicitly disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe","id":"java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe","name":"java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","MEDIUM CONFIDENCE","OWASP-A02:2025 - Security Misconfiguration","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a string argument from a public method contract in a raw SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"help":{"markdown":"Detected a string argument from a public method contract in a raw SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-sqli.spring-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected a string argument from a public method contract in a raw SQL statement. 
This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.spring.security.audit.spring-sqli.spring-sqli","id":"java.spring.security.audit.spring-sqli.spring-sqli","name":"java.spring.security.audit.spring-sqli.spring-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.audit.spring-sqli.spring-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Application redirects a user to a destination URL specified by a user supplied parameter that is not validated."},"help":{"markdown":"Application redirects a user to a destination URL specified by a user supplied parameter that is not validated.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"Application redirects a user to a destination URL specified by a user supplied parameter that is not validated.\n💎 Enable cross-file analysis and Pro rules for free at 
sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect","id":"java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect","name":"java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect","properties":{"precision":"very-high","tags":["CWE-601: URL Redirection to Untrusted Site ('Open Redirect')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A01:2025 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input controlling a file path. An attacker could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path."},"help":{"markdown":"Detected user input controlling a file path. An attacker could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-file-path.tainted-file-path)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n","text":"Detected user input controlling a file path. 
An attacker could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.spring.security.injection.tainted-file-path.tainted-file-path","id":"java.spring.security.injection.tainted-file-path.tainted-file-path","name":"java.spring.security.injection.tainted-file-path.tainted-file-path","properties":{"precision":"very-high","tags":["CWE-23: Relative Path Traversal","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A01:2025 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.injection.tainted-file-path.tainted-file-path"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data."},"help":{"markdown":"Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. 
You can use the OWASP ESAPI encoder if you must render user data.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-html-string.tainted-html-string)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n","text":"Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.spring.security.injection.tainted-html-string.tainted-html-string","id":"java.spring.security.injection.tainted-html-string.tainted-html-string","name":"java.spring.security.injection.tainted-html-string.tainted-html-string","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.injection.tainted-html-string.tainted-html-string"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). 
Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library."},"help":{"markdown":"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-sql-string.tainted-sql-string)\n - [https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html](https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html)\n","text":"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. 
Instead, use prepared statements (`connection.PreparedStatement`) or a safe library.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.spring.security.injection.tainted-sql-string.tainted-sql-string","id":"java.spring.security.injection.tainted-sql-string.tainted-sql-string","name":"java.spring.security.injection.tainted-sql-string.tainted-sql-string","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.injection.tainted-sql-string.tainted-sql-string"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can't run arbitrary commands."},"help":{"markdown":"Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. 
Further, make sure you hardcode or allowlist the actual command so that attackers can't run arbitrary commands.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-system-command.tainted-system-command)\n - [https://www.stackhawk.com/blog/command-injection-java/](https://www.stackhawk.com/blog/command-injection-java/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\n - [https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.java](https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.java)\n","text":"Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. 
Further, make sure you hardcode or allowlist the actual command so that attackers can't run arbitrary commands.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.spring.security.injection.tainted-system-command.tainted-system-command","id":"java.spring.security.injection.tainted-system-command.tainted-system-command","name":"java.spring.security.injection.tainted-system-command.tainted-system-command","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.injection.tainted-system-command.tainted-system-command"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, hardcode the correct host, or ensure that the user data can only affect the path or parameters."},"help":{"markdown":"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. 
Instead, create an allowlist for approved hosts, hardcode the correct host, or ensure that the user data can only affect the path or parameters.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-url-host.tainted-url-host)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n","text":"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, hardcode the correct host, or ensure that the user data can only affect the path or parameters.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/java.spring.security.injection.tainted-url-host.tainted-url-host","id":"java.spring.security.injection.tainted-url-host.tainted-url-host","name":"java.spring.security.injection.tainted-url-host.tainted-url-host","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A01:2025 - Broken Access Control","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.injection.tainted-url-host.tainted-url-host"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected an HTTP request sent via HttpGet. This could lead to sensitive information being sent over an insecure channel. 
Instead, it is recommended to send requests over HTTPS."},"help":{"markdown":"Detected an HTTP request sent via HttpGet. This could lead to sensitive information being sent over an insecure channel. Instead, it is recommended to send requests over HTTPS.\n\n#### 💎 Enable cross-file analysis and Pro rules for free at sg.run/pro\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request)\n - [https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URLConnection.html](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URLConnection.html)\n - [https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URL.html#openConnection()](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URL.html#openConnection())\n","text":"Detected an HTTP request sent via HttpGet. This could lead to sensitive information being sent over an insecure channel. Instead, it is recommended to send requests over HTTPS.\n💎 Enable cross-file analysis and Pro rules for free at sg.run/pro"},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request","id":"problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request","name":"problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request"}}],"semanticVersion":"1.159.0"}}}],"$schema":"https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json"} \ No newline at end of file 
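Review bot: a minified, single-line SARIF export (semgrep semanticVersion 1.159.0, and the file ends without a trailing newline) is unreadable in review and will produce an opaque whole-file diff every time the scan is re-run; keep it out of version control (generate it in CI and attach it as a build artifact) or at least pretty-print it before committing. Note also that the portion visible here is the tool's rule catalogue, not the results, so a reviewer cannot tell which of these rules actually fired; the findings write-up should cite the concrete rule ids that produced results (for example java.spring.security.injection.tainted-file-path.tainted-file-path or java.spring.security.injection.tainted-url-host.tainted-url-host) together with the file and line of each match, since the "Enable cross-file analysis and Pro rules" help text repeated in every rule carries no information about this project.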
diff --git a/src/test/java/ru/itmo/testing/lab4/pentest/SecurityPentestSuite.java b/src/test/java/ru/itmo/testing/lab4/pentest/SecurityPentestSuite.java new file mode 100644 index 0000000..1f3632c --- /dev/null +++ b/src/test/java/ru/itmo/testing/lab4/pentest/SecurityPentestSuite.java @@ -0,0 +1,385 @@ +package ru.itmo.testing.lab4.pentest; + +import io.javalin.Javalin; +import org.junit.jupiter.api.*; +import ru.itmo.testing.lab4.controller.UserAnalyticsController; + +import java.io.InputStream; +import java.net.URI; +import java.net.URLEncoder; +import java.net.http.HttpClient; +import java.net.http.HttpRequest; +import java.net.http.HttpResponse; +import java.nio.charset.StandardCharsets; +import java.time.Duration; +import java.util.concurrent.TimeUnit; +import java.util.jar.Manifest; + +import static org.junit.jupiter.api.Assertions.*; + +/** + * Единый пентest-класс, верифицирующий устранение всех найденных уязвимостей: + *
    + *
  • #1 Reflected XSS (CWE-79) – см. отдельный XssPentestTest
  • + *
  • #2 Path Traversal (CWE-35) – запись за пределы разрешённой директории
  • + *
  • #3 DoS через /exportReport (CWE-400) – rate limiting / квотирование
  • + *
  • #4 SSRF в /notify (CWE-918) – валидация URL, запрет внутренних адресов
  • + *
  • #5 IDOR (CWE-639) – контроль доступа на основе аутентификации
  • + *
  • #6 CSRF на GET /exportReport (CWE-352) – запрет изменения состояния через GET
  • + *
  • #7 Missing Authorization (CWE-862) – обязательная аутентификация на всех эндпоинтах
  • + *
  • #8 DDoS через /notify (CWE-400) – ограничение размера ответа, потоковая обработка
  • + *
  • #9 CSRF на POST /register, /recordSession (CWE-352) – CSRF-токены / проверка Referer
  • + *
  • #10 Supply Chain CVE-2024-8184 (CWE-400) – версия Javalin ≥ 6.2.0
  • + *
  • #11 Supply Chain CVE-2024-6763 (CWE-1286) – обновлённая версия Javalin
  • + *
+ */ +@TestMethodOrder(MethodOrderer.OrderAnnotation.class) +class SecurityPentestSuite { + + private static final int TEST_PORT = 7777; + private static final String BASE_URL = "http://localhost:" + TEST_PORT; + + private static Javalin app; + private static HttpClient http; + private static String authToken; // имитация JWT после логина + + @BeforeAll + static void startServer() throws Exception { + app = UserAnalyticsController.createApp(); + app.start(TEST_PORT); + http = HttpClient.newBuilder() + .connectTimeout(Duration.ofSeconds(2)) + .build(); + + // Предварительная регистрация тестовых пользователей (если приложение их хранит) + send("POST", "/register?userId=alice&userName=Alice"); + send("POST", "/register?userId=bob&userName=Bob"); + // Имитация аутентификации (в реальном приложении – POST /login) + authToken = "mock-jwt-token-for-alice"; + } + + @AfterAll + static void stopServer() { + app.stop(); + } + + // ------------------------------------------------------------------------ + // #2 – Path Traversal (CWE-35) – запись за пределы разрешённой директории + // ------------------------------------------------------------------------ + @Test + @Order(2) + @DisplayName("[CWE-35] Path traversal в /exportReport – запись вне разрешённой папки") + void pathTraversalWriteOutsideDirectory() throws Exception { + String maliciousFilename = "../../../config/application.properties"; + HttpResponse response = sendAsUser("alice", "GET", + "/exportReport?userId=alice&filename=" + enc(maliciousFilename)); + + // Ожидаем: 400 Bad Request или 403 Forbidden – запись запрещена + assertTrue(response.statusCode() == 400 || response.statusCode() == 403, + "Запись за пределы разрешённой директории должна быть заблокирована"); + // Дополнительно: убедиться, что системный файл не был перезаписан (тест вне контейнера) + } + + // ------------------------------------------------------------------------ + // #3 – DoS через /exportReport (CWE-400) – ограничение количества/размера 
файлов + // ------------------------------------------------------------------------ + @Test + @Order(3) + @DisplayName("[CWE-400] DoS: множество вызовов /exportReport с разными именами") + void dosManyExportReports() { + int excessiveRequests = 5000; + int rateLimitStatusCode = 429; // Too Many Requests + + for (int i = 0; i < excessiveRequests; i++) { + try { + HttpResponse response = sendAsUser("alice", "GET", + "/exportReport?userId=alice&filename=file_" + i + ".txt"); + if (response.statusCode() == rateLimitStatusCode) { + // Rate limiting сработал – защита активна + return; + } + // Если после 5000 запросов всё ещё 200 – скорее всего защиты нет + assertTrue(response.statusCode() < 500, "Сервер стабилен"); + } catch (Exception e) { + fail("Сервер упал после " + i + " запросов: " + e.getMessage()); + } + } + // Если дошли сюда без 429 – предупредить (можно упасть, т.к. уязвимость не исправлена) + fail("Отсутствует ограничение на количество создаваемых файлов – возможен DoS"); + } + + // ------------------------------------------------------------------------ + // #4 – SSRF в /notify (CWE-918) + // ------------------------------------------------------------------------ + @Test + @Order(4) + @DisplayName("[CWE-918] SSRF: блокировка внутренних IP и запрещённых протоколов") + void ssrfBlockInternalAndFileProtocol() throws Exception { + String[] maliciousUrls = { + "http://169.254.169.254/latest/meta-data/", // AWS metadata + "http://127.0.0.1:7000/register", // localhost + "http://192.168.1.1/admin", // private IP + "file:///etc/passwd", // file protocol + "http://[::1]/secret" // IPv6 localhost + }; + + for (String url : maliciousUrls) { + HttpResponse response = sendAsUser("alice", "POST", + "/notify?userId=alice&callbackUrl=" + enc(url)); + // Ожидаем: 400 Bad Request (невалидный URL) или 403 Forbidden + assertTrue(response.statusCode() == 400 || response.statusCode() == 403, + "SSRF не заблокирован для URL: " + url); + } + } + + @Test + @Order(5) + 
@DisplayName("[CWE-918] SSRF: запрет редиректов на внутренние адреса") + void ssrfBlockRedirects() throws Exception { + // Предположим, внешний сервер возвращает редирект на 127.0.0.1 + String redirectorUrl = "http://attacker.com/redirect-to-localhost"; + HttpResponse response = sendAsUser("alice", "POST", + "/notify?userId=alice&callbackUrl=" + enc(redirectorUrl)); + // Ожидаем: ошибка, редирект не должен быть обработан + assertNotEquals(200, response.statusCode()); + } + + // ------------------------------------------------------------------------ + // #5 – IDOR (CWE-639) – доступ к чужим данным запрещён + // ------------------------------------------------------------------------ + @Test + @Order(6) + @DisplayName("[CWE-639] IDOR: попытка получить активность другого пользователя") + void idorTotalActivity() throws Exception { + // Пользователь alice пытается получить активность bob + HttpResponse response = sendAsUser("alice", "GET", + "/totalActivity?userId=bob"); + assertEquals(403, response.statusCode(), + "Доступ к чужой активности должен быть запрещён"); + } + + @Test + @Order(7) + @DisplayName("[CWE-639] IDOR: просмотр чужого профиля") + void idorUserProfile() throws Exception { + HttpResponse response = sendAsUser("alice", "GET", + "/userProfile?userId=bob"); + assertEquals(403, response.statusCode()); + assertFalse(response.body().contains("Bob"), "Имя Bob не должно отображаться"); + } + + @Test + @Order(8) + @DisplayName("[CWE-639] IDOR: попытка изменить чужую сессию") + void idorRecordSession() throws Exception { + String payload = "?userId=bob&loginTime=2025-01-01T00:00&logoutTime=2025-01-01T01:00"; + HttpResponse response = sendAsUser("alice", "POST", + "/recordSession" + payload); + assertEquals(403, response.statusCode(), + "Запись сессии за другого пользователя запрещена"); + } + + // ------------------------------------------------------------------------ + // #6 – CSRF на GET /exportReport (CWE-352) – GET не должен менять состояние + // 
------------------------------------------------------------------------ + @Test + @Order(9) + @DisplayName("[CWE-352] GET /exportReport не должен создавать файлы (идемпотентность)") + void getExportReportShouldNotChangeState() throws Exception { + String filename = "should_not_be_created.txt"; + HttpResponse response = sendAsUser("alice", "GET", + "/exportReport?userId=alice&filename=" + enc(filename)); + + // Ожидаем: 405 Method Not Allowed (если эндпоинт только POST) или 400 + assertTrue(response.statusCode() == 405 || response.statusCode() == 400, + "GET-запрос не должен изменять состояние сервера"); + } + + // ------------------------------------------------------------------------ + // #7 – Missing Authorization (CWE-862) – все эндпоинты требуют аутентификации + // ------------------------------------------------------------------------ + @Test + @Order(10) + @DisplayName("[CWE-862] Доступ к защищённым эндпоинтам без аутентификации") + void allProtectedEndpointsRequireAuth() throws Exception { + String[] sensitivePaths = { + "/recordSession?userId=alice&loginTime=2025-01-01T00:00&logoutTime=2025-01-01T01:00", + "/totalActivity?userId=alice", + "/monthlyActivity?userId=alice&month=2025-01", + "/userProfile?userId=alice", + "/exportReport?userId=alice&filename=test", + "/notify?userId=alice&callbackUrl=https://example.com" + }; + + for (String path : sensitivePaths) { + HttpResponse response = sendAnonymous("GET", path); + assertTrue(response.statusCode() == 401 || response.statusCode() == 403, + "Эндпоинт " + path + " доступен без аутентификации"); + } + } + + // ------------------------------------------------------------------------ + // #8 – DDoS через /notify (CWE-400) – ограничение размера ответа, потоковая обработка + // ------------------------------------------------------------------------ + @Test + @Order(11) + @DisplayName("[CWE-400] /notify не вычитывает большие ответы в память") + void notifyDoesNotLoadLargeResponseIntoMemory() throws Exception { 
+ // Эмулируем внешний сервер, возвращающий 100 МБ данных + String largeFileUrl = "http://httpbin.org/bytes/104857600"; // 100 MB + long beforeMemory = getUsedMemory(); + long start = System.nanoTime(); + + HttpResponse response = sendAsUser("alice", "POST", + "/notify?userId=alice&callbackUrl=" + enc(largeFileUrl)); + + long duration = TimeUnit.NANOSECONDS.toSeconds(System.nanoTime() - start); + long afterMemory = getUsedMemory(); + + // Ожидаем: таймаут или ошибка, память не должна вырасти на ~100 МБ + assertTrue(duration < 10, "Запрос завис более 10 секунд – возможно, вычитывается весь ответ"); + assertTrue(response.statusCode() >= 500 || response.statusCode() == 408, + "Должна быть ошибка таймаута или слишком большой ответ"); + assertTrue((afterMemory - beforeMemory) < 50 * 1024 * 1024, + "Потребление памяти превысило 50 МБ – вероятно, весь ответ загружен в память"); + } + + // ------------------------------------------------------------------------ + // #9 – CSRF на POST /register, /recordSession (CWE-352) + // ------------------------------------------------------------------------ + @Test + @Order(12) + @DisplayName("[CWE-352] POST /register требует CSRF-токен или проверку Referer") + void csrfProtectionOnRegister() throws Exception { + // Отправляем POST без CSRF-токена (имитация межсайтового запроса) + HttpRequest request = HttpRequest.newBuilder() + .uri(URI.create(BASE_URL + "/register?userId=csrf_victim&userName=Hacked")) + .header("Content-Type", "application/x-www-form-urlencoded") + .POST(HttpRequest.BodyPublishers.noBody()) + .build(); + HttpResponse response = http.send(request, HttpResponse.BodyHandlers.ofString()); + + // Ожидаем: 403 Forbidden (отсутствует CSRF-токен) или 400 (неверный Referer) + assertTrue(response.statusCode() == 403 || response.statusCode() == 400, + "Регистрация возможна без CSRF-защиты"); + } + + @Test + @Order(13) + @DisplayName("[CWE-352] POST /recordSession требует CSRF-защиту") + void csrfProtectionOnRecordSession() 
throws Exception { + String payload = "?userId=alice&loginTime=2025-01-01T00:00&logoutTime=2025-01-01T01:00"; + HttpRequest request = HttpRequest.newBuilder() + .uri(URI.create(BASE_URL + "/recordSession" + payload)) + .header("Content-Type", "application/x-www-form-urlencoded") + .POST(HttpRequest.BodyPublishers.noBody()) + .build(); + HttpResponse response = http.send(request, HttpResponse.BodyHandlers.ofString()); + + assertTrue(response.statusCode() == 403 || response.statusCode() == 400, + "Запись сессии без CSRF-токена должна быть отклонена"); + } + + // ------------------------------------------------------------------------ + // #10, #11 – Supply Chain: проверка версии Javalin (CWE-400, CWE-1286) + // ------------------------------------------------------------------------ + @Test + @Order(14) + @DisplayName("[CWE-400] Версия Javalin >= 6.4.0 (CVE-2024-8184 исправлена)") + void javalinVersionCve20248184() throws Exception { + String version = getJavalinVersion(); + assertNotNull(version, "Не удалось определить версию Javalin"); + assertTrue(isVersionAtLeast(version, "6.4.0"), + "Установлена уязвимая версия Javalin " + version + ". Требуется >= 6.2.0"); + } + + @Test + @Order(15) + @DisplayName("[CWE-1286] Версия Javalin исправляет CVE-2024-6763") + void javalinVersionCve20246763() throws Exception { + String version = getJavalinVersion(); + assertNotNull(version); + assertTrue(isVersionAtLeast(version, "6.4.0"), // CVE-2024-6763 исправлена в 6.1.0+ + "Установлена версия Javalin " + version + ", подверженная CVE-2024-6763"); + } + + // ------------------------------------------------------------------------ + // Вспомогательные методы + // ------------------------------------------------------------------------ + private static String enc(String value) { + return URLEncoder.encode(value, StandardCharsets.UTF_8); + } + + /** Отправка запроса от аутентифицированного пользователя (с токеном). 
*/ + private HttpResponse sendAsUser(String userId, String method, String path) throws Exception { + HttpRequest.Builder builder = HttpRequest.newBuilder() + .uri(URI.create(BASE_URL + path)) + .header("Authorization", "Bearer " + authToken); + if (method.equalsIgnoreCase("GET")) { + builder.GET(); + } else if (method.equalsIgnoreCase("POST")) { + builder.POST(HttpRequest.BodyPublishers.noBody()); + } else { + builder.method(method, HttpRequest.BodyPublishers.noBody()); + } + return http.send(builder.build(), HttpResponse.BodyHandlers.ofString()); + } + + /** Анонимный запрос (без токена). */ + private HttpResponse sendAnonymous(String method, String path) throws Exception { + HttpRequest.Builder builder = HttpRequest.newBuilder() + .uri(URI.create(BASE_URL + path)); + if (method.equalsIgnoreCase("GET")) { + builder.GET(); + } else { + builder.method(method, HttpRequest.BodyPublishers.noBody()); + } + return http.send(builder.build(), HttpResponse.BodyHandlers.ofString()); + } + + /** Симуляция обычного GET-запроса (для простоты). */ + private static HttpResponse send(String method, String path) throws Exception { + HttpRequest request = HttpRequest.newBuilder() + .uri(URI.create(BASE_URL + path)) + .method(method, HttpRequest.BodyPublishers.noBody()) + .build(); + return http.send(request, HttpResponse.BodyHandlers.ofString()); + } + + /** Текущее использование памяти (приблизительное). */ + private long getUsedMemory() { + Runtime rt = Runtime.getRuntime(); + return rt.totalMemory() - rt.freeMemory(); + } + + /** Определение версии Javalin из манифеста JAR. 
*/ + private String getJavalinVersion() { + try { + Package pkg = Javalin.class.getPackage(); + String version = pkg.getImplementationVersion(); + if (version == null) { + // Fallback: читаем манифест + InputStream manifestStream = Javalin.class.getResourceAsStream("/META-INF/MANIFEST.MF"); + if (manifestStream != null) { + Manifest manifest = new Manifest(manifestStream); + version = manifest.getMainAttributes().getValue("Implementation-Version"); + } + } + return version; + } catch (Exception e) { + return null; + } + } + + /** Сравнение версий (формат x.y.z). */ + private boolean isVersionAtLeast(String current, String required) { + String[] currParts = current.split("\\."); + String[] reqParts = required.split("\\."); + for (int i = 0; i < Math.min(currParts.length, reqParts.length); i++) { + int currNum = Integer.parseInt(currParts[i]); + int reqNum = Integer.parseInt(reqParts[i]); + if (currNum != reqNum) return currNum > reqNum; + } + return currParts.length >= reqParts.length; + } +} \ No newline at end of file
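Review bot: the Javalin version tests (Order 14 and 15) assert one threshold but document another: both call `isVersionAtLeast(version, "6.4.0")`, yet the CVE-2024-8184 failure message says "Требуется >= 6.2.0" and the CVE-2024-6763 test comments that the fix is in 6.1.0+. Pick one minimum per CVE and make the assertion, the comment and the message agree, otherwise a reader of a failing build cannot tell which version is actually required. `isVersionAtLeast` also has two edge cases: `Integer.parseInt` throws on any non-numeric component (a qualifier such as "-SNAPSHOT" or "RC1" in the last segment), and when all compared components are equal it returns `currParts.length >= reqParts.length`, so "6.4" is judged below "6.4.0"; padding missing components with 0 and stripping a non-digit suffix before parsing fixes both. In `getJavalinVersion`, `Javalin.class.getResourceAsStream("/META-INF/MANIFEST.MF")` with a leading slash resolves to the first manifest on the classpath, which is not necessarily the Javalin jar's, so the fallback can report the wrong artifact's version; read the manifest from the jar that contains `Javalin.class` (its `CodeSource` location) and close the stream with try-with-resources.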
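Review bot: `notifyDoesNotLoadLargeResponseIntoMemory` (Order 11) depends on the live `http://httpbin.org/bytes/104857600` endpoint and on a `Runtime` heap delta, so it is flaky by construction: a network problem fails it for reasons unrelated to the finding, a GC between the two `getUsedMemory()` samples makes the delta meaningless or negative, and if the client-side timeout fires, `http.send` throws (`HttpTimeoutException`) instead of returning a response, so the status assertion is never reached and the test errors rather than reporting the result. Start a local `com.sun.net.httpserver.HttpServer` in the test that streams a large chunked body, catch the timeout explicitly as its own outcome, and drop the heap-delta assertion in favour of checking the behaviour the fix is supposed to produce (the capped/streamed callback response and the error status described in Findings.md). Note also that the test class never stops or clears anything created by the callback, so the remediation's expected status codes should be fixed in one place rather than the open-ended `>= 500 || == 408`.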
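Review bot: `allProtectedEndpointsRequireAuth` (Order 10) sends every path with GET, including `/recordSession`, `/exportReport` and `/notify`, which the rest of the suite treats as POST-only (test 9 expects GET `/exportReport` to return 405 or 400); for those paths a 404/405 fails the test with the misleading message "доступен без аутентификации", and the authentication check may never run for an unmatched method. Pair each path with its real method (for example a `String[][] {method, path}` array) so a failure really means a missing auth check. The two CSRF tests (Order 12 and 13) have a related ambiguity: the request carries neither a CSRF token nor the `Authorization` header, so a 401 for missing authentication fails the test even though CSRF protection might be present, and a 403 cannot be attributed to CSRF protection rather than to auth. Send the same Bearer token `sendAsUser` uses and omit only the CSRF token, so the assertion isolates the control the test is named after.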