diff --git a/src/main/java/io/shiftleft/controller/SearchController.java b/src/main/java/io/shiftleft/controller/SearchController.java
index faa4097..6bd6bf6 100644
--- a/src/main/java/io/shiftleft/controller/SearchController.java
+++ b/src/main/java/io/shiftleft/controller/SearchController.java
@@ -17,16 +17,85 @@ @Controller public class SearchController { - @RequestMapping(value = "/search/user", method = RequestMethod.GET) - public String doGetSearch(@RequestParam String foo, HttpServletResponse response, HttpServletRequest request) { - java.lang.Object message = new Object(); +@RequestMapping(value = "/search/user", method = RequestMethod.GET) +public String doGetSearch(@RequestParam String foo, HttpServletResponse response, HttpServletRequest request) { + // Initialize logger for security monitoring + Logger logger = LoggerFactory.getLogger(SearchController.class); + + // Default safe message + String message = "Invalid search parameter"; + try { - ExpressionParser parser = new SpelExpressionParser(); - Expression exp = parser.parseExpression(foo); - message = (Object) exp.getValue(); + // Input validation: Check if parameter is null or empty + if (foo == null || foo.trim().isEmpty()) { + logger.warn("Empty or null search parameter received from IP: {}", request.getRemoteAddr()); + return "Search parameter cannot be empty"; + } + + // Input validation: Whitelist approach - only allow alphanumeric and safe characters + Pattern safePattern = Pattern.compile("^[a-zA-Z0-9\\s._-]{1,100}$"); + if (!safePattern.matcher(foo).matches()) { + logger.warn("Invalid search parameter detected from IP: {}. 
Parameter: {}", + request.getRemoteAddr(), Encode.forJava(foo)); + return "Invalid search parameter format"; + } + + // Sanitize input by encoding special characters + String sanitizedInput = Encode.forHtml(foo); + + // Instead of using SpEL expression evaluation which allows code injection, + // perform a safe search operation (e.g., database query, simple string matching) + // Example: Replace dangerous SpEL evaluation with safe string processing + message = performSafeSearch(sanitizedInput); + + // Log successful search for audit purposes + logger.info("Search performed successfully for parameter: {}", sanitizedInput); + } catch (Exception ex) { - System.out.println(ex.getMessage()); + // Proper exception handling without exposing sensitive information + logger.error("Error during search operation from IP: {}", request.getRemoteAddr(), ex); + return "An error occurred while processing your search"; } + + return message; +} + +// Helper method to perform safe search operations +private String performSafeSearch(String searchTerm) { + // Implement your safe search logic here + // Example: Query database using parameterized queries + // or perform simple string operations + return "Search results for: " + searchTerm; +} + + // Initialize logger for security monitoring + Logger logger = LoggerFactory.getLogger(SearchController.class); + + String message = "Invalid input"; + + try { + // Input validation - only allow alphanumeric characters and basic punctuation + if (foo == null || !foo.matches("^[a-zA-Z0-9\\s,.'-]{1,100}$")) { + logger.warn("Invalid search input attempted: {}", foo); + return Encode.forHtml("Invalid search input. 
Only alphanumeric characters allowed."); + } + + // REMOVED SpEL parser to prevent Expression Language Injection + // SpEL allows arbitrary code execution and should not be used with user input + // Replace with safe string processing + message = "Search query: " + foo; + + logger.info("Search performed with safe input: {}", foo); + + } catch (Exception ex) { + logger.error("Error processing search request", ex); + message = "An error occurred processing your request"; + } + + // Apply HTML encoding to prevent XSS attacks + return Encode.forHtml(message); +} + return message.toString(); } }
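Review bot: The new side does not compile: after the `+}` that closes `performSafeSearch` the hunk adds a second copy of the method body (`Logger logger = LoggerFactory.getLogger(SearchController.class);`, `String message = "Invalid input";`, a try/catch and `return Encode.forHtml(message);`) as bare statements in the class body, and the retained context line `return message.toString();` is left outside any method — it looks like two alternative rewrites of `doGetSearch` were pasted into one patch, so one variant and the orphaned return should be dropped. The second variant also logs the rejected input raw in `logger.warn("Invalid search input attempted: {}", foo)`, whereas the first variant's `Encode.forJava(foo)` is the safer form against log forging and should be kept whichever variant survives. Because the class is annotated `@Controller` and `doGetSearch` carries no `@ResponseBody`, the returned String (`"Search results for: " + searchTerm`, built from user input) is resolved as a view name rather than written to the response body; add `@ResponseBody` to the method or return a `ModelAndView` that carries the term in the model. The `logger.warn("Invalid search parameter detected from IP: {}. ...` literal at the `Pattern` check appears split across two source lines, which would be a further compile error if that is a real line break rather than page wrapping. The imports for `Logger`, `LoggerFactory`, `Pattern` and `Encode` lie outside the hunk and cannot be confirmed here.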