From 94b241581d27adef3a366c98b00d2f9c8ff09455 Mon Sep 17 00:00:00 2001 From: endor-matt Date: Tue, 16 Jun 2026 16:58:40 -0400 Subject: [PATCH] fix: remediate 3 AI SAST findings (Critical + 2 High) Finding 1 - CRITICAL | Tomcat Privileged Context (files/context.xml) Endor finding: 6a0718df679f17077bd27151 Remove privileged="true" from the Tomcat element and enable the sessionAttributeValueClassNameFilter Manager, eliminating container- level privilege escalation if the app is compromised. Finding 2 - HIGH | Path Traversal in FileUploadController (CWE-22) Endor finding: 6a0718df03914e790f1f175f Validate the 'name' request parameter against an allowlist of safe filename characters ([A-Za-z0-9_-]) and canonicalize the resolved path to confirm it stays within the intended upload directory before writing. Replace System.out.println debug logging with SLF4J logger. Finding 3 - HIGH | Plaintext Password Logged in UserController (CWE-532) Endor finding: 6a0718df679f17077bd2714b Remove System.out.println("User PWD:"+userForm.getPassword()) from the POST /registration handler. The password is already hashed by BCrypt at the service layer; this debug line served no production purpose and exposed credentials in application logs. Build validation: mvn test - 9/9 tests pass, BUILD SUCCESS. --- files/context.xml | 6 +----- .../controller/FileUploadController.java | 21 ++++++++++++++----- .../account/controller/UserController.java | 1 - 3 files changed, 17 insertions(+), 11 deletions(-) diff --git a/files/context.xml b/files/context.xml index 580a738..fcf0926 100644 --- a/files/context.xml +++ b/files/context.xml @@ -15,10 +15,6 @@ See the License for the specific language governing permissions and limitations under the License. --> - - diff --git a/src/main/java/com/visualpathit/account/controller/FileUploadController.java b/src/main/java/com/visualpathit/account/controller/FileUploadController.java index 0de040a..9a23222 100644 --- a/src/main/java/com/visualpathit/account/controller/FileUploadController.java +++ b/src/main/java/com/visualpathit/account/controller/FileUploadController.java @@ -3,6 +3,7 @@ import java.io.BufferedOutputStream; import java.io.File; import java.io.FileOutputStream; +import java.nio.file.Path; import java.util.List; import org.slf4j.Logger; @@ -38,21 +39,31 @@ public final String upload(final Model model) { String uploadFileHandler(@RequestParam("name") String name,@RequestParam("userName") String userName, @RequestParam("file") MultipartFile file) { - System.out.println("Called the upload file :::" ); + logger.info("Called the upload file"); if (!file.isEmpty()) { try { + // Reject names containing path separators or traversal sequences to + // prevent writing outside the intended upload directory. + if (name == null || name.isEmpty() || name.contains("/") || name.contains("\\") + || name.contains("..") || !name.matches("[A-Za-z0-9_\\-]+")) { + return "Upload rejected: invalid file name."; + } + byte[] bytes = file.getBytes(); // Creating the directory to store file String rootPath = System.getProperty("catalina.home"); - System.out.println("Path ::::" +rootPath); File dir = new File(rootPath + File.separator + "tmpFiles"); if (!dir.exists()) dir.mkdirs(); - // Create the file on server - File serverFile = new File(dir.getAbsolutePath() - + File.separator + name+".png"); + // Canonicalize the target path and confirm it stays inside the upload directory. + File serverFile = new File(dir.getAbsolutePath() + File.separator + name + ".png"); + Path canonicalDir = dir.toPath().toRealPath(); + Path canonicalFile = serverFile.getCanonicalFile().toPath(); + if (!canonicalFile.startsWith(canonicalDir)) { + return "Upload rejected: path traversal detected."; + } //image saving User user = userService.findByUsername(userName); user.setProfileImg(name +".png"); diff --git a/src/main/java/com/visualpathit/account/controller/UserController.java b/src/main/java/com/visualpathit/account/controller/UserController.java index a91a9ae..d362ef2 100644 --- a/src/main/java/com/visualpathit/account/controller/UserController.java +++ b/src/main/java/com/visualpathit/account/controller/UserController.java @@ -48,7 +48,6 @@ public final String registration(final @ModelAttribute("userForm") User userForm if (bindingResult.hasErrors()) { return "registration"; } - System.out.println("User PWD:"+userForm.getPassword()); userService.save(userForm); securityService.autologin(userForm.getUsername(), userForm.getPasswordConfirm());