Merge from upstream

.devcontainer/devcontainer.json

@@ -0,0 +1,7 @@
+{
+  // Name
+  "name": "Benchmark GitHub Codespace Config",
+
+  "postCreateCommand": "sdk install java 17.0.18-amzn"
+}
+

.github/workflows/codeql-analysis.yml

@@ -46,7 +46,7 @@ jobs:
       uses: github/codeql-action/analyze@v4
 
     - name: Upload Output
-      uses: actions/upload-artifact@v6
+      uses: actions/upload-artifact@v7
       with:
         name: ${{ matrix.language }} SARIF
         path: ${{ runner.workspace }}/results/*.sarif

.gitignore

@@ -8,10 +8,7 @@
 *.iml
 .scannerwork/
 
-data/out.csv
-owasp-benchmark/
-reports/
-src.zip
+src/WEB-INF/
 src/main/resources/benchmark.properties
 target/
 testfiles/

data/openapi.yaml

@@ -6,8 +6,8 @@ info:
   contact:
     email: dave.wichers@owasp.org
   license:
-    name: GNU GPL 2.0
-    url: https://choosealicense.com/licenses/gpl-2.0/
+    name: GNU GPL 3.0
+    url: https://choosealicense.com/licenses/gpl-3.0/
   version: "1.2"
 servers:
 - url: https://localhost:8443/benchmark

pom.xml

@@ -614,6 +614,18 @@
             <scope>provided</scope>
         </dependency>
 
+        <!-- jaxb dependencies removed from Java 11+ -->
+        <dependency>
+            <groupId>javax.xml.bind</groupId>
+            <artifactId>jaxb-api</artifactId>
+            <version>2.3.1</version>
+        </dependency>
+        <dependency>
+            <groupId>com.sun.xml.bind</groupId>
+            <artifactId>jaxb-impl</artifactId>
+            <version>2.3.9</version>
+        </dependency>
+
         <!-- mvn dependency:analyze says this is an unused declared dependency, but its wrong. I think the webapp needs it somehow. -->
         <dependency>
             <groupId>com.sun.jersey</groupId>
@@ -624,7 +636,7 @@
         <dependency>
             <groupId>commons-codec</groupId>
             <artifactId>commons-codec</artifactId>
-            <version>1.20.0</version>
+            <version>1.21.0</version>
         </dependency>
 
         <!-- mvn dependency:analyze says this is an unused declared dependency, but its wrong. Get this runtime error if it's not included: Caused by: org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find class [org.apache.commons.dbcp.BasicDataSource] for bean with name 'dataSource' defined in class path resource [context.xml]; nested exception is java.lang.ClassNotFoundException: org.apache.commons.dbcp.BasicDataSource -->
@@ -771,7 +783,7 @@
         <dependency>
             <groupId>org.apache.httpcomponents.core5</groupId>
             <artifactId>httpcore5</artifactId>
-            <version>5.4</version>
+            <version>5.4.2</version>
         </dependency>
 
         <dependency>
@@ -854,7 +866,7 @@
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-databind</artifactId>
-            <version>2.20.1</version>
+            <version>2.21.2</version>
         </dependency>
     </dependencies>
 
@@ -890,7 +902,7 @@
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-dependency-plugin</artifactId>
-                    <version>3.9.0</version>
+                    <version>3.10.0</version>
                     <configuration>
                         <usedDependencies>
                             <dependency>com.sun.jersey:jersey-servlet</dependency>
@@ -924,7 +936,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-compiler-plugin</artifactId>
-                <version>3.14.1</version>
+                <version>3.15.0</version>
                 <configuration>
                     <fork>true</fork>
                     <meminitial>1000m</meminitial>
@@ -947,7 +959,7 @@
                     <dependency>
                         <groupId>org.codehaus.mojo</groupId>
                         <artifactId>extra-enforcer-rules</artifactId>
-                        <version>1.11.0</version>
+                        <version>1.12.0</version>
                     </dependency>
                 </dependencies>
                 <executions>
@@ -1017,7 +1029,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-resources-plugin</artifactId>
-                <version>3.4.0</version>
+                <version>3.5.0</version>
             </plugin>
 
             <plugin>
@@ -1038,7 +1050,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-plugin</artifactId>
-                <version>3.5.4</version>
+                <version>3.5.5</version>
             </plugin>
 
             <plugin>
@@ -1053,13 +1065,13 @@
             <plugin>
                 <groupId>org.codehaus.cargo</groupId>
                 <artifactId>cargo-maven3-plugin</artifactId>
-                <version>1.10.26</version>
+                <version>1.10.27</version>
             </plugin>
 
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
                 <artifactId>versions-maven-plugin</artifactId>
-                <version>2.20.1</version>
+                <version>2.21.0</version>
             </plugin>
 
             <!-- SpotBugs Static Analysis - the successor to FindBugs -->
@@ -1104,7 +1116,7 @@
             <plugin>
                 <groupId>com.diffplug.spotless</groupId>
                 <artifactId>spotless-maven-plugin</artifactId>
-                <version>3.1.0</version>
+                <version>3.4.0</version>
                 <configuration>
                     <!-- optional: limit format enforcement to just the files changed by this feature branch -->
                     <ratchetFrom>origin/master</ratchetFrom>
@@ -1239,7 +1251,6 @@
         <tomcat.jvmargs.debug>
             -Xdebug
             -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5050
-            -Xnoagent
             -Djava.compiler=NONE
         </tomcat.jvmargs.debug>
         <log.directory>${project.build.directory}/log</log.directory>
@@ -1249,13 +1260,13 @@
         <version.fluido>2.1.0</version.fluido>
         <!-- hibernate is up to rev 6+. But 4.0.0. causes this error: symbol: org.hibernate.classic.Session not found -->
         <version.hibernate>3.6.10.Final</version.hibernate>
-        <version.spotbugs.maven>4.9.8.2</version.spotbugs.maven>
+        <version.spotbugs.maven>4.9.8.3</version.spotbugs.maven>
         <version.spotbugs>4.9.8</version.spotbugs>
         <!-- Spring 6.x requires Java 17 -->
         <version.springframework>5.3.39</version.springframework>
         <!-- Tomcat 10 moves from Java EE to Jakarta EE, moving packages javax.* to jakarta.* - code changes likely required to address this change. -->
         <tomcat.major.version>9</tomcat.major.version>
-        <version.tomcat>9.0.113</version.tomcat>
+        <version.tomcat>9.0.115</version.tomcat>
         <tomcat.url>https://archive.apache.org/dist/tomcat/tomcat-${tomcat.major.version}/v${version.tomcat}/bin/apache-tomcat-${version.tomcat}.zip</tomcat.url>
     </properties>
 

src/main/java/org/owasp/benchmark/helpers/DatabaseHelper.java

@@ -41,6 +41,7 @@ public class DatabaseHelper {
             new org.owasp.benchmark.helpers.HibernateUtil(true);
     public static final boolean hideSQLErrors =
             false; // If we want SQL Exceptions to be suppressed from being displayed to the user of
+
     // the web app.
 
     static {
@@ -168,7 +169,7 @@ public static java.sql.Connection getSqlConnection() {
         return conn;
     }
 
-    public static void executeSQLCommand(String sql) throws Exception {
+    private static void executeSQLCommand(String sql) throws Exception {
         Statement stmt = getSqlStatement();
         stmt.executeUpdate(sql);
     }

src/main/java/org/owasp/benchmark/helpers/LDAPManager.java

@@ -112,19 +112,20 @@ private boolean search(LDAPPerson person) {
 
             NamingEnumeration<SearchResult> results = ctx.search(base, filter, sc);
 
+            boolean foundUser = results.hasMore();
+
             while (results.hasMore()) {
                 SearchResult sr = (SearchResult) results.next();
                 Attributes attrs = sr.getAttributes();
 
                 Attribute attr = attrs.get("uid");
                 if (attr != null) {
-                    // logger.debug("record found " + attr.get());
                     // System.out.println("record found " + attr.get());
                 }
             }
             ctx.close();
 
-            return true;
+            return foundUser;
         } catch (Exception e) {
             System.out.println("LDAP error search: ");
             e.printStackTrace();

src/main/java/org/owasp/benchmark/helpers/Utils.java

@@ -236,8 +236,6 @@ public static void printOSCommandResults(java.lang.Process proc, HttpServletResp
 
         try {
             // read the output from the command
-            // System.out.println("Here is the standard output of the
-            // command:\n");
             out.write("Here is the standard output of the command:<br>");
             String s = null;
             while ((s = stdInput.readLine()) != null) {
@@ -246,8 +244,6 @@ public static void printOSCommandResults(java.lang.Process proc, HttpServletResp
             }
 
             // read any errors from the attempted command
-            // System.out.println("Here is the standard error of the command (if
-            // any):\n");
             out.write("<br>Here is the std err of the command (if any):<br>");
             while ((s = stdError.readLine()) != null) {
                 out.write(ESAPI.encoder().encodeForHTML(s));

src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00001.java

@@ -37,6 +37,7 @@ public void doGet(HttpServletRequest request, HttpServletResponse response)
                 new javax.servlet.http.Cookie("BenchmarkTest00001", "FileName");
         userCookie.setMaxAge(60 * 3); // Store cookie for 3 minutes
         userCookie.setSecure(true);
+        userCookie.setHttpOnly(true);
         userCookie.setPath(request.getRequestURI());
         userCookie.setDomain(new java.net.URL(request.getRequestURL().toString()).getHost());
         response.addCookie(userCookie);

src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00002.java

@@ -37,6 +37,7 @@ public void doGet(HttpServletRequest request, HttpServletResponse response)
                 new javax.servlet.http.Cookie("BenchmarkTest00002", "FileName");
         userCookie.setMaxAge(60 * 3); // Store cookie for 3 minutes
         userCookie.setSecure(true);
+        userCookie.setHttpOnly(true);
         userCookie.setPath(request.getRequestURI());
         userCookie.setDomain(new java.net.URL(request.getRequestURL().toString()).getHost());
         response.addCookie(userCookie);

src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00003.java

@@ -37,6 +37,7 @@ public void doGet(HttpServletRequest request, HttpServletResponse response)
                 new javax.servlet.http.Cookie("BenchmarkTest00003", "someSecret");
         userCookie.setMaxAge(60 * 3); // Store cookie for 3 minutes
         userCookie.setSecure(true);
+        userCookie.setHttpOnly(true);
         userCookie.setPath(request.getRequestURI());
         userCookie.setDomain(new java.net.URL(request.getRequestURL().toString()).getHost());
         response.addCookie(userCookie);

src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00004.java

@@ -37,6 +37,7 @@ public void doGet(HttpServletRequest request, HttpServletResponse response)
                 new javax.servlet.http.Cookie("BenchmarkTest00004", "color");
         userCookie.setMaxAge(60 * 3); // Store cookie for 3 minutes
         userCookie.setSecure(true);
+        userCookie.setHttpOnly(true);
         userCookie.setPath(request.getRequestURI());
         userCookie.setDomain(new java.net.URL(request.getRequestURL().toString()).getHost());
         response.addCookie(userCookie);

src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00008.java

@@ -61,7 +61,6 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
         } catch (java.sql.SQLException e) {
             if (org.owasp.benchmark.helpers.DatabaseHelper.hideSQLErrors) {
                 response.getWriter().println("Error processing request.");
-                return;
             } else throw new ServletException(e);
         }
     }

src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00012.java

@@ -78,12 +78,18 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
                             .println(
                                     "LDAP query results:<br>"
                                             + "Record found with name "
-                                            + attr.get()
-                                            + "<br>"
-                                            + "Address: "
-                                            + attr2.get()
+                                            + org.owasp
+                                                    .esapi
+                                                    .ESAPI
+                                                    .encoder()
+                                                    .encodeForHTML(attr.get().toString())
+                                            + "<br>Address: "
+                                            + org.owasp
+                                                    .esapi
+                                                    .ESAPI
+                                                    .encoder()
+                                                    .encodeForHTML(attr2.get().toString())
                                             + "<br>");
-                    // System.out.println("record found " + attr.get());
                     found = true;
                 }
             }

src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00018.java

@@ -61,7 +61,6 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
         } catch (java.sql.SQLException e) {
             if (org.owasp.benchmark.helpers.DatabaseHelper.hideSQLErrors) {
                 response.getWriter().println("Error processing request.");
-                return;
             } else throw new ServletException(e);
         }
     }

src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00021.java

@@ -53,7 +53,6 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
             sc.setSearchScope(javax.naming.directory.SearchControls.SUBTREE_SCOPE);
             String filter = "(&(objectclass=person))(|(uid=" + param + ")(street={0}))";
             Object[] filters = new Object[] {"The streetz 4 Ms bar"};
-            // System.out.println("Filter " + filter);
             boolean found = false;
             javax.naming.NamingEnumeration<javax.naming.directory.SearchResult> results =
                     ctx.search(base, filter, filters, sc);
@@ -69,12 +68,18 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
                             .println(
                                     "LDAP query results:<br>"
                                             + "Record found with name "
-                                            + attr.get()
-                                            + "<br>"
-                                            + "Address: "
-                                            + attr2.get()
+                                            + org.owasp
+                                                    .esapi
+                                                    .ESAPI
+                                                    .encoder()
+                                                    .encodeForHTML(attr.get().toString())
+                                            + "<br>Address: "
+                                            + org.owasp
+                                                    .esapi
+                                                    .ESAPI
+                                                    .encoder()
+                                                    .encodeForHTML(attr2.get().toString())
                                             + "<br>");
-                    // System.out.println("record found " + attr.get());
                     found = true;
                 }
             }

src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00024.java

@@ -61,7 +61,6 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
         } catch (java.sql.SQLException e) {
             if (org.owasp.benchmark.helpers.DatabaseHelper.hideSQLErrors) {
                 response.getWriter().println("Error processing request.");
-                return;
             } else throw new ServletException(e);
         }
     }

src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00026.java

@@ -50,7 +50,6 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
                     org.owasp.benchmark.helpers.DatabaseHelper.JDBCtemplate.queryForRowSet(sql);
             response.getWriter().println("Your results are: ");
 
-            //		System.out.println("Your results are");
             while (results.next()) {
                 response.getWriter()
                         .println(
@@ -60,7 +59,6 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
                                                 .encoder()
                                                 .encodeForHTML(results.getString("USERNAME"))
                                         + " ");
-                //			System.out.println(results.getString("USERNAME"));
             }
         } catch (org.springframework.dao.EmptyResultDataAccessException e) {
             response.getWriter()

src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00027.java

@@ -54,7 +54,6 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
         } catch (java.sql.SQLException e) {
             if (org.owasp.benchmark.helpers.DatabaseHelper.hideSQLErrors) {
                 response.getWriter().println("Error processing request.");
-                return;
             } else throw new ServletException(e);
         }
     }

src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00033.java

@@ -54,7 +54,6 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
                     org.owasp.benchmark.helpers.DatabaseHelper.JDBCtemplate.queryForRowSet(sql);
             response.getWriter().println("Your results are: ");
 
-            //		System.out.println("Your results are");
             while (results.next()) {
                 response.getWriter()
                         .println(
@@ -64,7 +63,6 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
                                                 .encoder()
                                                 .encodeForHTML(results.getString("USERNAME"))
                                         + " ");
-                //			System.out.println(results.getString("USERNAME"));
             }
         } catch (org.springframework.dao.EmptyResultDataAccessException e) {
             response.getWriter()

src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00034.java

@@ -58,7 +58,6 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
         } catch (java.sql.SQLException e) {
             if (org.owasp.benchmark.helpers.DatabaseHelper.hideSQLErrors) {
                 response.getWriter().println("Error processing request.");
-                return;
             } else throw new ServletException(e);
         }
     }