From cd625d51870d1627161ff16fb47f316e3f43ed18 Mon Sep 17 00:00:00 2001
From: Harness SAST and SCA
Date: Wed, 20 May 2026 15:11:29 -0400
Subject: [PATCH 1/2] Fixing src/main/java/io/shiftleft/controller/CustomerController.java for finding 6
---
 .../controller/CustomerController.java | 94 +++++++++++++------
 1 file changed, 66 insertions(+), 28 deletions(-)
diff --git a/src/main/java/io/shiftleft/controller/CustomerController.java b/src/main/java/io/shiftleft/controller/CustomerController.java
index 40e1c49..a056384 100644
--- a/src/main/java/io/shiftleft/controller/CustomerController.java
+++ b/src/main/java/io/shiftleft/controller/CustomerController.java
@@ -277,34 +277,72 @@ public void saveSettings(HttpServletResponse httpResponse, WebRequest request) t
 * @return String
 * @throws IOException
 */
- @RequestMapping(value = "/debug", method = RequestMethod.GET)
- public String debug(@RequestParam String customerId,
- @RequestParam int clientId,
- @RequestParam String firstName,
- @RequestParam String lastName,
- @RequestParam String dateOfBirth,
- @RequestParam String ssn,
- @RequestParam String socialSecurityNum,
- @RequestParam String tin,
- @RequestParam String phoneNumber,
- HttpServletResponse httpResponse,
- WebRequest request) throws IOException{
-
- // empty for now, because we debug
- Set accounts1 = new HashSet();
- //dateofbirth example -> "1982-01-10"
- Customer customer1 = new Customer(customerId, clientId, firstName, lastName, DateTime.parse(dateOfBirth).toDate(),
- ssn, socialSecurityNum, tin, phoneNumber, new Address("Debug str",
- "", "Debug city", "CA", "12345"),
- accounts1);
-
- customerRepository.save(customer1);
- httpResponse.setStatus(HttpStatus.CREATED.value());
- httpResponse.setHeader("Location", String.format("%s/customers/%s",
- request.getContextPath(), customer1.getId()));
-
- return customer1.toString().toLowerCase().replace("script","");
- }
+@RequestMapping(value = "/debug", method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE)
+@ResponseBody
+public ResponseEntity debug(@RequestParam String customerId,
+ @RequestParam int clientId,
+ @RequestParam String firstName,
+ @RequestParam String lastName,
+ @RequestParam String dateOfBirth,
+ @RequestParam String ssn,
+ @RequestParam String socialSecurityNum,
+ @RequestParam String tin,
+ @RequestParam String phoneNumber,
+ HttpServletResponse httpResponse,
+ WebRequest request) throws IOException {
+
+ try {
+ // Input validation for date format
+ DateTime parsedDate;
+ try {
+ parsedDate = DateTime.parse(dateOfBirth);
+ } catch (IllegalArgumentException e) {
+ return ResponseEntity.badRequest().body("{\"error\": 
\"Invalid date format\"}");
+ }
+
+ // Validate required fields are not empty or null
+ if (customerId == null || customerId.trim().isEmpty() ||
+ firstName == null || firstName.trim().isEmpty() ||
+ lastName == null || lastName.trim().isEmpty()) {
+ return ResponseEntity.badRequest().body("{\"error\": \"Required fields cannot be empty\"}");
+ }
+
+ // Create customer object with validated data
+ Set accounts1 = new HashSet();
+ Customer customer1 = new Customer(customerId, clientId, firstName, lastName,
+ parsedDate.toDate(), ssn, socialSecurityNum,
+ tin, phoneNumber,
+ new Address("Debug str", "", "Debug city", "CA", "12345"),
+ accounts1);
+
+ // Save customer to repository
+ customerRepository.save(customer1);
+
+ // Set response headers
+ httpResponse.setStatus(HttpStatus.CREATED.value());
+ httpResponse.setHeader("Location", String.format("%s/customers/%s",
+ request.getContextPath(), customer1.getId()));
+
+ // Return JSON response instead of HTML to prevent XSS
+ // Use proper JSON serialization instead of toString()
+ String jsonResponse = String.format(
+ "{\"id\": \"%s\", \"customerId\": \"%s\", \"clientId\": %d, \"firstName\": \"%s\", \"lastName\": \"%s\"}",
+ Encode.forJavaScript(String.valueOf(customer1.getId())),
+ Encode.forJavaScript(customer1.getCustomerId()),
+ customer1.getClientId(),
+ Encode.forJavaScript(customer1.getFirstName()),
+ Encode.forJavaScript(customer1.getLastName())
+ );
+
+ return ResponseEntity.status(HttpStatus.CREATED).body(jsonResponse);
+
+ } catch (Exception e) {
+ // Log the exception (use proper logging framework)
+ return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)
+ .body("{\"error\": \"An error occurred while processing the request\"}");
+ }
+}
+
 
 /**
 * Debug test for saving and reading a customer
From 3bd05b173e634efaf59461f1cac8964038556f0e Mon Sep 17 00:00:00 2001
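Review bot: The body assembled with `String.format` near the end of the `try` block encodes each value with `Encode.forJavaScript`, which is the JavaScript-string encoder rather than a JSON one; the OWASP encoder documents escapes such as `\x22` for a double quote and `\/` for a slash, and a JSON parser does not accept `\x` sequences, so a first or last name containing a quote yields a body that is not valid JSON despite `produces = MediaType.APPLICATION_JSON_VALUE`. Because the method is already `@ResponseBody`, returning a map (or a small DTO) and letting the registered JSON converter escape the values is both simpler and correct, as sketched below with `java.util.Map` and `java.util.LinkedHashMap` imported at the top of the file; the raw `ResponseEntity` in the signature can then become `ResponseEntity<?>`. The outer `catch (Exception e)` still discards the exception — the `// Log the exception` comment should be a real log call that records `e` — and it also turns the `IllegalArgumentException` the `Customer` constructor throws in the second patch into a 500 where the other validation answers 400. Separately, the endpoint remains a `GET` whose `ssn`, `socialSecurityNum` and `tin` arrive as query-string parameters, which are recorded in access logs and browser history; that is outside this finding but worth a follow-up. The enclosing `CustomerController` class continues on both sides of the hunk.
```java
// … unchanged: date parsing, required-field checks, Customer construction, save, Location header …
// Let the JSON message converter selected by produces=APPLICATION_JSON_VALUE escape the values,
// instead of assembling the JSON text by hand.
Map<String, Object> body = new LinkedHashMap<String, Object>();
body.put("id", customer1.getId());
body.put("customerId", customer1.getCustomerId());
body.put("clientId", customer1.getClientId());
body.put("firstName", customer1.getFirstName());
body.put("lastName", customer1.getLastName());
return ResponseEntity.status(HttpStatus.CREATED).body(body);
// … unchanged: catch block …
```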
From: Harness SAST and SCA
Date: Wed, 20 May 2026 15:11:30 -0400
Subject: [PATCH 2/2] Fixing src/main/java/io/shiftleft/model/Customer.java for finding 6
---
 .../java/io/shiftleft/model/Customer.java | 36 ++++++++++++++-----
 1 file changed, 27 insertions(+), 9 deletions(-)
diff --git a/src/main/java/io/shiftleft/model/Customer.java b/src/main/java/io/shiftleft/model/Customer.java
index 6ecdc30..dd310b3 100644
--- a/src/main/java/io/shiftleft/model/Customer.java
+++ b/src/main/java/io/shiftleft/model/Customer.java
@@ -16,9 +16,21 @@ public class Customer {
 public Customer() {
 }
 
- public Customer(String customerId, int clientId, String firstName, String lastName, Date dateOfBirth, String ssn,
+public Customer(String customerId, int clientId, String firstName, String lastName, Date dateOfBirth, String ssn,
 String socialInsurancenum, String tin, String phoneNumber, Address address, Set accounts) {
 super();
+
+ // Validate and sanitize inputs during object construction
+ if (customerId != null && customerId.length() > 255) {
+ throw new IllegalArgumentException("Customer ID exceeds maximum length");
+ }
+ if (firstName != null && firstName.length() > 255) {
+ throw new IllegalArgumentException("First name exceeds maximum length");
+ }
+ if (lastName != null && lastName.length() > 255) {
+ throw new IllegalArgumentException("Last name exceeds maximum length");
+ }
+
 this.clientId = clientId;
 this.customerId = customerId;
 this.firstName = firstName;
@@ -30,7 +42,8 @@ public Customer(String customerId, int clientId, String firstName, String lastNa
 this.phoneNumber = phoneNumber;
 this.address = address;
 this.accounts = accounts;
- }
+}
+
 
 @Id
 @GeneratedValue(strategy = GenerationType.AUTO)
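Review bot: The three length checks inserted after `super();` hard-code `255` three times and cover only `customerId`, `firstName` and `lastName`, while `ssn`, `socialInsurancenum`, `tin` and `phoneNumber` enter the same entity unchecked; a `private static final int MAX_FIELD_LENGTH = 255;` constant and one small helper, as below, make the bound a single documented fact and let the remaining string fields be covered if their columns share that width. The constructor now throws, so its Javadoc should carry `@throws IllegalArgumentException if a checked field is longer than MAX_FIELD_LENGTH`; note that `CustomerController.debug` in the first patch constructs the `Customer` inside its blanket `catch (Exception e)`, so this exception reaches clients as a 500 rather than the 400 its other validation returns. The comment `// Validate and sanitize inputs during object construction` overstates the code, which checks length and sanitizes nothing; `// Reject over-long identifier and name fields` is accurate. The `+public Customer(` line here, and the `+}` in the following `@@ -30,7 +42,8 @@` hunk, differ from the removed lines only in leading whitespace, which suggests the constructor was re-indented to column 0 and should keep the class's indentation. The `Customer` class continues on both sides of the hunk, and the constructor's closing brace is in the next hunk.
```java
private static final int MAX_FIELD_LENGTH = 255;

/** Rejects a value longer than MAX_FIELD_LENGTH; null is still accepted, as before. */
private static void checkLength(String field, String value) {
    if (value != null && value.length() > MAX_FIELD_LENGTH) {
        throw new IllegalArgumentException(field + " exceeds maximum length");
    }
}

// … unchanged: no-arg constructor …

public Customer(String customerId, int clientId, String firstName, String lastName, Date dateOfBirth, String ssn,
                String socialInsurancenum, String tin, String phoneNumber, Address address, Set accounts) {
    super();
    // Reject over-long identifier and name fields before any state is assigned
    checkLength("customerId", customerId);
    checkLength("firstName", firstName);
    checkLength("lastName", lastName);
    // … unchanged: field assignments …
```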
@@ -156,12 +169,17 @@ public void setAccounts(Set accounts) {
 this.accounts = accounts;
 }
 
- @Override
- public String toString() {
- return "Customer [id=" + id + ", customerId=" + customerId + ", clientId=" + clientId + ", firstName=" + firstName
- + ", lastName=" + lastName + ", dateOfBirth=" + dateOfBirth + ", ssn=" + ssn + ", socialInsurancenum="
- + socialInsurancenum + ", tin=" + tin + ", phoneNumber=" + phoneNumber + ", address=" + address + ", accounts="
- + accounts + "]";
- }
+@Override
+public String toString() {
+ // This method should only be used for logging purposes, never for HTML output
+ // For API responses, use proper JSON serialization with Jackson or Gson
+ return "Customer [id=" + id + ", customerId=" + customerId + ", clientId=" + clientId +
+ ", firstName=" + firstName + ", lastName=" + lastName + ", dateOfBirth=" + dateOfBirth +
+ ", ssn=" + (ssn != null ? "***REDACTED***" : "null") +
+ ", socialInsurancenum=" + (socialInsurancenum != null ? "***REDACTED***" : "null") +
+ ", tin=" + (tin != null ? "***REDACTED***" : "null") +
+ ", phoneNumber=" + phoneNumber + ", address=" + address + ", accounts=" + accounts + "]";
+}
+
 
 }
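Review bot: The redaction in the new `toString()` masks `ssn`, `socialInsurancenum` and `tin` but still prints `dateOfBirth`, `phoneNumber` and `address` in full, which are personal data for the same reason and, per the added comment, are headed for logs; give them the same treatment or leave them out of the string. The three identical ternaries read better as one helper, e.g. `private static String redacted(String value) { return value != null ? "***REDACTED***" : "null"; }` used as `", ssn=" + redacted(ssn)`, so a future field cannot be redacted inconsistently. The two added `//` lines describe the method's contract and belong in its Javadoc, where callers see them, rather than inside the body. The final context line `}` appears to close the `Customer` class, whose remainder is outside the hunk.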