Skip to content

Update main.py#1

Open
arielkru wants to merge 1 commit intomainfrom
arielkru-patch-1
Open

Update main.py#1
arielkru wants to merge 1 commit intomainfrom
arielkru-patch-1

Conversation

@arielkru
Copy link
Owner

@arielkru arielkru commented Jan 16, 2024

No description provided.

arielkru
arielkru commented Aug 26, 2024
View reviewed changes
python/main.py


KEY_SIZE = 1024

Copy link
Owner Author

@arielkru arielkru Aug 26, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
MOCK_FIX

IAC

HIGH  Finding Type Name

Description

MOCK_DESCRIPTION

Benchmarks

  • MOCK_BENCH_1
  • MOCK_BENCH_2

arielkru
arielkru commented Aug 26, 2024
View reviewed changes
python/main.py


KEY_SIZE = 1024

Copy link
Owner Author

@arielkru arielkru Aug 26, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SECRETS

LOW  Base64 High Entropy String (:warning: Valid)

Description

Entropy check

arielkru
arielkru commented Aug 26, 2024
View reviewed changes
python/main.py


KEY_SIZE = 1024

Copy link
Owner Author

@arielkru arielkru Aug 26, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LICENSE

PackageName:1.0.0 / ec2.tf

HIGH  Non Compliant License (MIT)

Description

Non Compliant License

arielkru
arielkru commented Aug 26, 2024
View reviewed changes
python/main.py


KEY_SIZE = 1024

Copy link
Owner Author

@arielkru arielkru Aug 26, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SAST

MEDIUM  External control of system or configuration setting
    Source File: ExternalControlOfSystemOrConfigurationSetting1-taint3.java, Sink File: ExternalControlOfSystemOrConfigurationSetting1-taint3.java
Data Flow

     ExternalControlOfSystemOrConfigurationSetting1-taint3.java
    13 | String tainted = req.getParameter("input");
     ExternalControlOfSystemOrConfigurationSetting1-taint3.java
    14 | c.setCatalog(tainted);


How To Fix

String userInput = request.getParameter("catalogName");
if(isValidCatalogName(userInput)) {
connection.setCatalog(userInput);
}


Description

This SAST policy detects instances where user input is used in the java.sql.Connection's setCatalog call. This can be a potential issue as it may allow attackers to change the database during a connection, leading to disruptions or unexpected behaviors.

Vulnerable code example:

java
String userInput = request.getParameter("catalogName");
connection.setCatalog(userInput);

In the above code, the setCatalog method uses user input catalogName directly without any validation or sanitization. This allows an attacker to manipulate the catalogName parameter and potentially change the database being accessed.

arielkru
arielkru commented Aug 26, 2024
View reviewed changes
python/main.py


KEY_SIZE = 1024

Copy link
Owner Author

@arielkru arielkru Aug 26, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SCA

MOCK_PACKAGE_NAME 1.1.2 / ec2.tf

Total vulnerabilities: 2

Critical: 1 High: 1 Medium: 0 Low: 0
Vulnerability IDSeverityCVSSFixed inStatus
CVE-2022-1650 CRITICAL CRITICAL 9.3 1.1.1 Open
CVE-2020-7788 HIGH HIGH 7.3 1.0.5 Open

Bridgecrew Comment by Bridgecrew Bot

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@arielkru