11 changes: 9 additions & 2 deletions src/main/java/com/acme/DemoController.java
@@ -1,2 +1,9 @@
// safe baseline
public class DemoController {}
import org.springframework.web.bind.annotation.*;
⚠️ Potential issue

Missing package declaration; class won’t compile under src/main/java/com/acme. Also replace wildcard import and add required imports.

Add the package and explicit imports (needed for the fix below).

+package com.acme;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.RestController;
+import java.util.Set;
🤖 Prompt for AI Agents
In src/main/java/com/acme/DemoController.java at lines 1-1, add the package
declaration "package com.acme;" at the top and replace the wildcard import with
explicit Spring MVC imports; e.g., import
org.springframework.web.bind.annotation.RestController; import
org.springframework.web.bind.annotation.RequestMapping; import
org.springframework.web.bind.annotation.GetMapping; import
org.springframework.web.bind.annotation.PostMapping; import
org.springframework.web.bind.annotation.PathVariable; import
org.springframework.web.bind.annotation.RequestBody; and any other specific
annotations or types used in the file (plus import
org.springframework.http.ResponseEntity if you return ResponseEntity). Ensure
the package line is the first statement and only the needed imports are listed
instead of the wildcard.

@RestController
public class DemoController {
@GetMapping("/items")
public String items(@RequestParam String sort) throws Exception {
Class<?> clazz = Class.forName(sort);
Comment on lines +5 to +6
⚠️ Potential issue

Uncontrolled reflection: Class.forName on user input is a critical vulnerability (classloader injection).

A user can cause arbitrary classes to load and run static initializers (DoS/side effects). Remove reflection and validate input via an allowlist, returning proper HTTP status.

-  public String items(@RequestParam String sort) throws Exception {
-    Class<?> clazz = Class.forName(sort);
-    return "ok";
-  }
+  public ResponseEntity<String> items(
+      @RequestParam(name = "sort", required = false, defaultValue = "name") String sort) {
+    // Allow-list acceptable sort keys only; do NOT reflectively load anything from user input.
+    Set<String> allowed = Set.of("name", "price", "createdAt");
+    if (!allowed.contains(sort)) {
+      return ResponseEntity.badRequest().body("invalid sort");
+    }
+    return ResponseEntity.ok("ok");
+  }
🤖 Prompt for AI Agents
In src/main/java/com/acme/DemoController.java around lines 5-6, the code calls
Class.forName(sort) directly on user-provided input which enables uncontrolled
reflection and classloader injection; replace this by validating the incoming
'sort' parameter against a strict allowlist of permitted sort keys (e.g., map of
allowed names to concrete comparator/strategy classes or enums), do not call
Class.forName on raw input, and if the value is not in the allowlist return an
appropriate HTTP error (400 or 403) rather than loading a class; implement the
mapping server-side so only known, safe implementations are used and remove any
dynamic class loading or execution triggered by user input.

return "ok";
}
}
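Review bot: the two suggestions in this thread depend on each other; the second one's `ResponseEntity<String>` and `Set.of(...)` only compile once the first one's `import org.springframework.http.ResponseEntity;` and `import java.util.Set;` are in place, so apply them together or the build breaks between commits. Even in the hardened form the validated `sort` value is never used: `items` still ends in `return "ok";`, so either apply the key server-side (the agent prompt's map from allowed names to comparators) or drop the parameter. The suggestion's removal of `throws Exception` is right, since no checked exception remains once `Class.forName` is gone, but note it also removes the original line 5 signature, so check nothing else still calls `items` expecting a `String`.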
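An added example, not from the PR or the bot's suggestion, that takes the allowlist one step further as the agent prompt describes: the `sort` key is resolved through a fixed server-side table to a `Comparator`, so the request string is only ever a map lookup and never reaches `Class.forName`. `Item`, `SortKeys` and the demo data are assumptions; the PR does not show what `/items` returns.

```java
package com.acme;

import java.util.Comparator;
import java.util.List;
import java.util.Map;
import java.util.Optional;

// Server-side table from allowed sort keys to comparators. The user-supplied
// string is used only as a lookup key here; nothing from the request is ever
// handed to Class.forName or any other loader.
final class SortKeys {
    static final String DEFAULT = "name";

    private static final Map<String, Comparator<Item>> ALLOWED = Map.of(
        "name", Comparator.comparing(Item::name),
        "price", Comparator.comparingLong(Item::price),
        "createdAt", Comparator.comparingLong(Item::createdAt));

    private SortKeys() {}

    // Empty result means "reject with 400": no exception, no reflection.
    static Optional<Comparator<Item>> resolve(String sort) {
        return Optional.ofNullable(ALLOWED.get(sort == null ? DEFAULT : sort));
    }

    static Optional<List<Item>> sorted(List<Item> items, String sort) {
        return resolve(sort).map(cmp -> items.stream().sorted(cmp).toList());
    }

    // Wiring for DemoController.items (Spring imports as in the bot's suggestion;
    // `repo` is a hypothetical data source):
    //   return SortKeys.sorted(repo.findAll(), sort)
    //       .map(ResponseEntity::ok)
    //       .orElseGet(() -> ResponseEntity.badRequest().build());

    // Constructed demo data; run with `java SortKeys.java` (Java 16+ for records).
    public static void main(String[] args) {
        List<Item> items = List.of(
            new Item("pear", 300, 2), new Item("apple", 100, 3), new Item("fig", 200, 1));
        System.out.println("by price:   " + sorted(items, "price"));
        System.out.println("default:    " + sorted(items, null));
        System.out.println("unknown key " + sorted(items, "not-a-key"));
    }
}

// Hypothetical item type with the three fields the allowlist sorts on.
record Item(String name, long price, long createdAt) {}
```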