Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
53 changes: 53 additions & 0 deletions src/main/java/demo/security/servlet/MichaelQgFailServlet.java
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
package demo.security.servlet;

import java.io.IOException;
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/michael-qg-fail")
public class MichaelQgFailServlet extends HttpServlet {

private static final long serialVersionUID = 1L;

@Override
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String username = request.getParameter("user");
String message = request.getParameter("msg");

response.setContentType("text/html");
PrintWriter out = response.getWriter();

Check warning on line 28 in src/main/java/demo/security/servlet/MichaelQgFailServlet.java

View check run for this annotation

Sonar-Nautilus / SonarQube Code Analysis

Handle the following exception that could be thrown by "getWriter": IOException.

[S1989] Exceptions should not be thrown from servlet methods See more on https://nautilus.sonarqube.org/project/issues?id=demo%3Ajava-security&pullRequest=84&issues=abafa160-d46d-400d-b250-e8287943839d&open=abafa160-d46d-400d-b250-e8287943839d

Check notice

Code scanning / SonarQube

Exceptions should not be thrown from servlet methods Low

Handle the following exception that could be thrown by "getWriter": IOException. See more on SonarQube
out.print("<html><body>");
out.print("<p>Lookup result: " + lookupUser(username) + "</p>");
out.print("<p>Your message: " + message + "</p>");

Check failure on line 31 in src/main/java/demo/security/servlet/MichaelQgFailServlet.java

View check run for this annotation

Sonar-Nautilus / SonarQube Code Analysis

Change this code to not reflect unsanitized user-controlled data.

[S5131] Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks See more on https://nautilus.sonarqube.org/project/issues?id=demo%3Ajava-security&pullRequest=84&issues=a9ac9500-fa16-4a76-b2ea-43c0f14f5481&open=a9ac9500-fa16-4a76-b2ea-43c0f14f5481

Check failure

Code scanning / SonarQube

Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks Critical

Change this code to not reflect unsanitized user-controlled data. See more on SonarQube
out.print("</body></html>");
out.close();
}

private String lookupUser(String user) {
if (user == null) {
return "no user specified";
}
try (Connection connection = DriverManager.getConnection(
"jdbc:demo", "demo", "demo");

Check failure on line 41 in src/main/java/demo/security/servlet/MichaelQgFailServlet.java

View check run for this annotation

Sonar-Nautilus / SonarQube Code Analysis

Revoke and change this password, as it is compromised.

[S6437] Credentials should not be hard-coded See more on https://nautilus.sonarqube.org/project/issues?id=demo%3Ajava-security&pullRequest=84&issues=c1a59453-1896-4f6c-88d6-cccf2eeb6d74&open=c1a59453-1896-4f6c-88d6-cccf2eeb6d74

Check failure

Code scanning / SonarQube

Credentials should not be hard-coded Critical

Revoke and change this password, as it is compromised. See more on SonarQube
Statement statement = connection.createStatement()) {
String query = "SELECT userid FROM users WHERE username = '" + user + "'";
ResultSet resultSet = statement.executeQuery(query);

Check failure on line 44 in src/main/java/demo/security/servlet/MichaelQgFailServlet.java

View check run for this annotation

Sonar-Nautilus / SonarQube Code Analysis

Change this code to not construct SQL queries directly from user-controlled data.

[S3649] Database queries should not be vulnerable to injection attacks See more on https://nautilus.sonarqube.org/project/issues?id=demo%3Ajava-security&pullRequest=84&issues=a60af7c4-11ca-4fa9-aa63-b6a5834e6aa7&open=a60af7c4-11ca-4fa9-aa63-b6a5834e6aa7

Check warning on line 44 in src/main/java/demo/security/servlet/MichaelQgFailServlet.java

View check run for this annotation

Sonar-Nautilus / SonarQube Code Analysis

Make sure using a dynamically formatted SQL query is safe here.

[S2077] Formatting SQL queries is security-sensitive See more on https://nautilus.sonarqube.org/project/issues?id=demo%3Ajava-security&pullRequest=84&issues=2f7a3a2b-27a7-4479-a29f-39506424f63d&open=2f7a3a2b-27a7-4479-a29f-39506424f63d

Check failure

Code scanning / SonarQube

Database queries should not be vulnerable to injection attacks Critical

Change this code to not construct SQL queries directly from user-controlled data. See more on SonarQube
if (resultSet.next()) {
return resultSet.getString(1);
}
return "not found";
} catch (Exception e) {
return "error: " + e.getMessage();
}
}
}