Merge pull request #10 from e6-qwiet/MarchRebase

March rebase

Author: e6-qwiet

.github/workflows/qwiet-prezero-workflow.yml

@@ -46,26 +46,26 @@ jobs:
         SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443
         SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443
 
-    - name: Download export.py and requirements.txt
-      run: |
-        curl -O https://raw.githubusercontent.com/ShiftLeftSecurity/field-integrations/master/shiftleft-utils/export.py
-        curl -O https://raw.githubusercontent.com/ShiftLeftSecurity/field-integrations/master/shiftleft-utils/config.py
-        curl -O https://raw.githubusercontent.com/ShiftLeftSecurity/field-integrations/master/shiftleft-utils/common.py
-        curl -O https://raw.githubusercontent.com/ShiftLeftSecurity/field-integrations/master/shiftleft-utils/requirements.txt
+  #  - name: Download export.py and requirements.txt
+  #    run: |
+  #      curl -O https://raw.githubusercontent.com/ShiftLeftSecurity/field-integrations/master/shiftleft-utils/export.py
+  #      curl -O https://raw.githubusercontent.com/ShiftLeftSecurity/field-integrations/master/shiftleft-utils/config.py
+  #      curl -O https://raw.githubusercontent.com/ShiftLeftSecurity/field-integrations/master/shiftleft-utils/common.py
+  #      curl -O https://raw.githubusercontent.com/ShiftLeftSecurity/field-integrations/master/shiftleft-utils/requirements.txt
 
-    - name: Install Python dependencies
-      run: |
-        python3 -m pip install --upgrade pip
-        python3 -m pip install -r requirements.txt
+  #  - name: Install Python dependencies
+  #    run: |
+  #      python3 -m pip install --upgrade pip
+  #      python3 -m pip install -r requirements.txt
 
-    - name: Run export.py and generate SARIF report
-      run: |
-        APP_NAME=${{ github.event.repository.name }}
-        python3 export.py -f sarif -a $APP_NAME
-      env:
-        SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+  #  - name: Run export.py and generate SARIF report
+  #    run: |
+  #      APP_NAME=${{ github.event.repository.name }}
+  #      python3 export.py -f sarif -a $APP_NAME
+  #    env:
+  #      SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
 
-    - name: Upload SARIF file to GitHub Security Tab
-      uses: github/codeql-action/upload-sarif@v3  
-      with:
-        sarif_file: ./ngsast-report-${{ github.event.repository.name }}-github.sarif  # Correct dynamic path for SARIF output
+  #  - name: Upload SARIF file to GitHub Security Tab
+  #    uses: github/codeql-action/upload-sarif@v3  
+  #    with:
+  #      sarif_file: ./ngsast-report-${{ github.event.repository.name }}-github.sarif  # Correct dynamic path for SARIF output

src/main/java/io/shiftleft/controller/CustomerController.java

@@ -1,3 +1,4 @@
+
 package io.shiftleft.controller;
 
 import io.shiftleft.model.Account;
@@ -216,55 +217,52 @@ public void loadSettings(HttpServletResponse httpResponse, WebRequest request) t
    * @param request
    * @throws Exception
    */
-@RequestMapping(value = "/saveSettings", method = RequestMethod.GET)
-public void saveSettings(HttpServletResponse httpResponse, WebRequest request) throws Exception {
+  @RequestMapping(value = "/saveSettings", method = RequestMethod.GET)
+  public void saveSettings(HttpServletResponse httpResponse, WebRequest request) throws Exception {
     // "Settings" will be stored in a cookie
     // schema: base64(filename,value1,value2...), md5sum(base64(filename,value1,value2...))
 
     if (!checkCookie(request)){
-        httpResponse.getOutputStream().println("Error");
-        throw new Exception("cookie is incorrect");
+      httpResponse.getOutputStream().println("Error");
+      throw new Exception("cookie is incorrect");
     }
 
     String settingsCookie = request.getHeader("Cookie");
     String[] cookie = settingsCookie.split(",");
-    if(cookie.length<2) {
-        httpResponse.getOutputStream().println("Malformed cookie");
-        throw new Exception("cookie is incorrect");
+	if(cookie.length<2) {
+	  httpResponse.getOutputStream().println("Malformed cookie");
+      throw new Exception("cookie is incorrect");
     }
 
     String base64txt = cookie[0].replace("settings=","");
 
     // Check md5sum
     String cookieMD5sum = cookie[1];
     String calcMD5Sum = DigestUtils.md5Hex(base64txt);
-    if(!cookieMD5sum.equals(calcMD5Sum))
+	if(!cookieMD5sum.equals(calcMD5Sum))
     {
-        httpResponse.getOutputStream().println("Wrong md5");
-        throw new Exception("Invalid MD5");
+      httpResponse.getOutputStream().println("Wrong md5");
+      throw new Exception("Invalid MD5");
     }
 
     // Now we can store on filesystem
     String[] settings = new String(Base64.getDecoder().decode(base64txt)).split(",");
-    // storage will have ClassPathResource as basepath
+	// storage will have ClassPathResource as basepath
     ClassPathResource cpr = new ClassPathResource("./static/");
-    // Sanitize filename to prevent directory traversal
-    String filename = FilenameUtils.getName(settings[0]);
-    File file = new File(cpr.getPath() + filename);
+	  File file = new File(cpr.getPath()+settings[0]);
     if(!file.exists()) {
-        file.getParentFile().mkdirs();
+      file.getParentFile().mkdirs();
     }
 
     FileOutputStream fos = new FileOutputStream(file, true);
     // First entry is the filename -> remove it
     String[] settingsArr = Arrays.copyOfRange(settings, 1, settings.length);
-    // on setting at a line
+    // on setting at a linez
     fos.write(String.join("\n",settingsArr).getBytes());
     fos.write(("\n"+cookie[cookie.length-1]).getBytes());
     fos.close();
     httpResponse.getOutputStream().println("Settings Saved");
-}
-
+  }
 
   /**
    * Debug test for saving and reading a customer
@@ -391,4 +389,3 @@ public void removeCustomer(@PathVariable("customerId") Long customerId, HttpServ
 	}
 
 }
-