From 5efe49b136617622420b0bda788b4e0d94bd42a9 Mon Sep 17 00:00:00 2001
From: Harness SAST and SCA
Date: Wed, 20 May 2026 15:11:21 -0400
Subject: [PATCH 1/2] Fixing src/main/java/io/shiftleft/controller/SearchController.java for finding 8
---
 .../controller/SearchController.java | 48 +++++++++++++++----
 1 file changed, 39 insertions(+), 9 deletions(-)
diff --git a/src/main/java/io/shiftleft/controller/SearchController.java b/src/main/java/io/shiftleft/controller/SearchController.java
index faa4097..b4efbed 100644
--- a/src/main/java/io/shiftleft/controller/SearchController.java
+++ b/src/main/java/io/shiftleft/controller/SearchController.java
@@ -17,16 +17,46 @@ @Controller
 public class SearchController {
- @RequestMapping(value = "/search/user", method = RequestMethod.GET)
- public String doGetSearch(@RequestParam String foo, HttpServletResponse response, HttpServletRequest request) {
- java.lang.Object message = new Object();
- try {
- ExpressionParser parser = new SpelExpressionParser();
- Expression exp = parser.parseExpression(foo);
- message = (Object) exp.getValue();
- } catch (Exception ex) {
- System.out.println(ex.getMessage());
+@RequestMapping(value = "/search/user", method = RequestMethod.GET)
+@ResponseBody
+public String doGetSearch(
+ @RequestParam @Size(max = 100) String foo,
+ HttpServletResponse response,
+ HttpServletRequest request) {
+
+ // Set secure response headers to prevent XSS
+ response.setHeader("Content-Type", "text/plain; charset=UTF-8");
+ response.setHeader("X-Content-Type-Options", "nosniff");
+ response.setHeader("X-XSS-Protection", "1; mode=block");
+
+ // Initialize logger for security monitoring
+ Logger logger = LoggerFactory.getLogger(SearchController.class);
+
+ String message = "Invalid input";
+
+ try {
+ // Input validation - only allow alphanumeric characters and basic punctuation
+ if (foo == null || !foo.matches("^[a-zA-Z0-9\\s,.'-]{1,100}$")) {
+ logger.warn("Invalid search input attempted: {}", foo);
+ return Encode.forHtml("Invalid search input. Only alphanumeric characters allowed.");
 }
+
+ // REMOVED SpEL parser to prevent Expression Language Injection
+ // SpEL allows arbitrary code execution and should not be used with user input
+ // Replace with safe string processing
+ message = "Search query: " + foo;
+
+ logger.info("Search performed with safe input: {}", foo);
+
+ } catch (Exception ex) {
+ logger.error("Error processing search request", ex);
+ message = "An error occurred processing your request";
+ }
+
+ // Apply HTML encoding to prevent XSS attacks
+ return Encode.forHtml(message);
+}
+
 return message.toString();
 }
 }
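Review bot: The new method's closing `+}` is followed by the untouched context lines `return message.toString(); } }`, so after this patch a `return` statement sits at class scope and the file will not compile; the old tail should be removed, leaving a single closing `}` for the class. The rejected value is logged raw in `logger.warn("Invalid search input attempted: {}", foo)` — by construction it failed the whitelist and may contain CR/LF, so log forging is possible; log it encoded or truncated, e.g. `logger.warn("Invalid search input attempted: {}", Encode.forJava(foo));`. `@Size(max = 100)` on the request parameter is inert unless the controller carries `@Validated` (not visible in the hunk), and the regex already bounds the length, so the annotation is either redundant or misleading. The diffstat shows this hunk is the whole change, so `Logger`, `LoggerFactory`, `Encode` and `Size` must already be imported elsewhere in the file for this to compile — worth confirming.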
From 5465e672157fcef50f9ff79d9fbe2cb4539383d6 Mon Sep 17 00:00:00 2001
From: Harness SAST and SCA
Date: Wed, 20 May 2026 15:11:25 -0400
Subject: [PATCH 2/2] Fixing src/main/java/io/shiftleft/controller/SearchController.java for finding 12
---
 .../controller/SearchController.java | 61 +++++++++++++++----
 1 file changed, 50 insertions(+), 11 deletions(-)
diff --git a/src/main/java/io/shiftleft/controller/SearchController.java b/src/main/java/io/shiftleft/controller/SearchController.java
index b4efbed..6bd6bf6 100644
--- a/src/main/java/io/shiftleft/controller/SearchController.java
+++ b/src/main/java/io/shiftleft/controller/SearchController.java
@@ -18,17 +18,56 @@ public class SearchController {
 @RequestMapping(value = "/search/user", method = RequestMethod.GET)
-@ResponseBody
-public String doGetSearch(
- @RequestParam @Size(max = 100) String foo,
- HttpServletResponse response,
- HttpServletRequest request) {
-
- // Set secure response headers to prevent XSS
- response.setHeader("Content-Type", "text/plain; charset=UTF-8");
- response.setHeader("X-Content-Type-Options", "nosniff");
- response.setHeader("X-XSS-Protection", "1; mode=block");
-
+public String doGetSearch(@RequestParam String foo, HttpServletResponse response, HttpServletRequest request) {
+ // Initialize logger for security monitoring
+ Logger logger = LoggerFactory.getLogger(SearchController.class);
+
+ // Default safe message
+ String message = "Invalid search parameter";
+
+ try {
+ // Input validation: Check if parameter is null or empty
+ if (foo == null || foo.trim().isEmpty()) {
+ logger.warn("Empty or null search parameter received from IP: {}", request.getRemoteAddr());
+ return "Search parameter cannot be empty";
+ }
+
+ // Input validation: Whitelist approach - only allow alphanumeric and safe characters
+ Pattern safePattern = Pattern.compile("^[a-zA-Z0-9\\s._-]{1,100}$");
+ if (!safePattern.matcher(foo).matches()) {
+ logger.warn("Invalid search parameter detected from IP: {}. 
Parameter: {}",
+ request.getRemoteAddr(), Encode.forJava(foo));
+ return "Invalid search parameter format";
+ }
+
+ // Sanitize input by encoding special characters
+ String sanitizedInput = Encode.forHtml(foo);
+
+ // Instead of using SpEL expression evaluation which allows code injection,
+ // perform a safe search operation (e.g., database query, simple string matching)
+ // Example: Replace dangerous SpEL evaluation with safe string processing
+ message = performSafeSearch(sanitizedInput);
+
+ // Log successful search for audit purposes
+ logger.info("Search performed successfully for parameter: {}", sanitizedInput);
+
+ } catch (Exception ex) {
+ // Proper exception handling without exposing sensitive information
+ logger.error("Error during search operation from IP: {}", request.getRemoteAddr(), ex);
+ return "An error occurred while processing your search";
+ }
+
+ return message;
+}
+
+// Helper method to perform safe search operations
+private String performSafeSearch(String searchTerm) {
+ // Implement your safe search logic here
+ // Example: Query database using parameterized queries
+ // or perform simple string operations
+ return "Search results for: " + searchTerm;
+}
+
 // Initialize logger for security monitoring
 Logger logger = LoggerFactory.getLogger(SearchController.class);