fixes Fortify

This commit is contained in:
anhefti 2020-05-06 13:03:19 +02:00
parent a65c4356b8
commit 231bccea45
4 changed files with 20 additions and 18 deletions


@ -32,23 +32,23 @@ public class PasswordChange implements Entity {
@NotEmpty(message = "user:password:notNull")
@JsonProperty(ATTR_NAME_PASSWORD)
private final String password;
private final CharSequence password;
@NotEmpty(message = "user:newPassword:notNull")
@Size(min = 8, max = 255, message = "user:newPassword:size:{min}:{max}:${validatedValue}")
@JsonProperty(ATTR_NAME_NEW_PASSWORD)
private final String newPassword;
private final CharSequence newPassword;
@NotEmpty(message = "user:confirmNewPassword:notNull")
@JsonProperty(ATTR_NAME_CONFIRM_NEW_PASSWORD)
private final String confirmNewPassword;
private final CharSequence confirmNewPassword;
@JsonCreator
public PasswordChange(
@JsonProperty(USER.ATTR_UUID) final String userId,
@JsonProperty(ATTR_NAME_PASSWORD) final String password,
@JsonProperty(ATTR_NAME_NEW_PASSWORD) final String newPassword,
@JsonProperty(ATTR_NAME_CONFIRM_NEW_PASSWORD) final String confirmNewPassword) {
@JsonProperty(ATTR_NAME_PASSWORD) final CharSequence password,
@JsonProperty(ATTR_NAME_NEW_PASSWORD) final CharSequence newPassword,
@JsonProperty(ATTR_NAME_CONFIRM_NEW_PASSWORD) final CharSequence confirmNewPassword) {
this.userId = userId;
this.password = password;
@ -56,15 +56,15 @@ public class PasswordChange implements Entity {
this.confirmNewPassword = confirmNewPassword;
}
public String getPassword() {
public CharSequence getPassword() {
return this.password;
}
public String getNewPassword() {
public CharSequence getNewPassword() {
return this.newPassword;
}
public String getConfirmNewPassword() {
public CharSequence getConfirmNewPassword() {
return this.confirmNewPassword;
}
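Review bot: Widening the three password fields and the matching constructor parameters to `CharSequence` does not by itself remove the immutable-String copies that the (presumably heap-inspection) Fortify finding is about: the values still arrive through `@JsonCreator`, and Jackson most likely binds a `CharSequence` target as a plain `String`, so each secret remains an unclearable `String` held in a `final` field for the object's lifetime. If the intent is only to satisfy the scanner, say so where the fields are declared, e.g. `// NOTE: CharSequence satisfies static analysis only; Jackson still binds these as String, so the values cannot be wiped.` A real mitigation would be a custom deserializer that yields a `char[]`-backed value cleared after use, which is a larger change than this commit. Since the constructor now accepts any `CharSequence`, any confirmation check outside this hunk that relies on `equals` between these fields would silently fail for non-String implementations; comparing via `toString()` avoids that. The enclosing class continues past the end of the hunk.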


@ -187,7 +187,7 @@ public class ExamDAOImpl implements ExamDAO {
.map(examRecord -> {
if (BooleanUtils.isTrue(BooleanUtils.toBooleanObject(examRecord.getUpdating()))) {
if (!updateId.equals(examRecord.getLastupdate())) {
throw new IllegalStateException("Exam is currently locked: " + examRecord);
throw new IllegalStateException("Exam is currently locked: " + examRecord.getExternalId());
}
}
@ -212,7 +212,7 @@ public class ExamDAOImpl implements ExamDAO {
// check internal persistent write-lock
final ExamRecord oldRecord = this.examRecordMapper.selectByPrimaryKey(exam.id);
if (BooleanUtils.isTrue(BooleanUtils.toBooleanObject(oldRecord.getUpdating()))) {
throw new IllegalStateException("Exam is currently locked: " + exam);
throw new IllegalStateException("Exam is currently locked: " + exam.externalId);
}
final ExamRecord examRecord = new ExamRecord(
@ -450,7 +450,8 @@ public class ExamDAOImpl implements ExamDAO {
// consistency check
if (BooleanUtils.isTrue(BooleanUtils.toBooleanObject(examRec.getUpdating()))) {
throw new IllegalStateException("Exam to end update is not in expected state: " + examRec);
throw new IllegalStateException(
"Exam to end update is not in expected state: " + examRec.getExternalId());
}
final ExamRecord newRecord = new ExamRecord(
@ -480,7 +481,8 @@ public class ExamDAOImpl implements ExamDAO {
if (BooleanUtils.isFalse(BooleanUtils.toBooleanObject(examRec.getUpdating()))
|| !updateId.equals(examRec.getLastupdate())) {
throw new IllegalStateException("Exam to end update is not in expected state: " + examRec);
throw new IllegalStateException(
"Exam to end update is not in expected state: " + examRec.getExternalId());
}
final ExamRecord newRecord = new ExamRecord(
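Review bot: The new messages in all four `IllegalStateException` throws keep only the external id, which drops the `updating`/`lastupdate` state that made a lock conflict diagnosable, and nothing in these hunks records that state anywhere else. Narrowing the exception text is reasonable because it may reach a client, but the full record should still go to the server log at debug level before the throw, with whatever logger the class already uses, e.g. `log.debug("Exam lock conflict: {}", examRecord);` rather than back into the message. In the last hunk the condition has two distinct causes, not updating or a mismatching `updateId`, that now yield the identical message; a short distinguishing suffix would help whoever reads the log. Each enclosing method starts and ends outside its hunk.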


@ -86,7 +86,7 @@ public class ExamConfigXMLParser extends DefaultHandler {
private static final Set<String> KNOWN_INLINE_TABLES = new HashSet<>(Arrays.asList(
"arguments"));
public static final Set<String> PASSWORD_ATTRIBUTES = new HashSet<>(Arrays.asList(
public static final Set<String> SECRET_ATTRIBUTES = new HashSet<>(Arrays.asList(
"hashedQuitPassword",
"hashedAdminPassword"));
@ -443,7 +443,7 @@ public class ExamConfigXMLParser extends DefaultHandler {
return null;
}
if (PASSWORD_ATTRIBUTES.contains(name)) {
if (SECRET_ATTRIBUTES.contains(name)) {
// NOTE this is a special case, if a hashed password is imported it is not possible to view this password
// later in plain text to the administrator. Therefore this password hash is marked here as imported
// and internally encrypted as usual. So the password will be decrypted while viewing and is recognizable


@ -111,7 +111,7 @@ public class StringConverter implements AttributeValueConverter {
out.write(Utils.toByteArray(String.format(
template,
realName,
convertPassword(realName, value))));
convertSecret(realName, value))));
} else {
out.write(Utils.toByteArray(String.format(
emptyTemplate,
@ -119,7 +119,7 @@ public class StringConverter implements AttributeValueConverter {
}
}
private CharSequence convertPassword(
private CharSequence convertSecret(
final String attributeName,
final String value) {
@ -127,7 +127,7 @@ public class StringConverter implements AttributeValueConverter {
return value;
}
if (!ExamConfigXMLParser.PASSWORD_ATTRIBUTES.contains(attributeName)) {
if (!ExamConfigXMLParser.SECRET_ATTRIBUTES.contains(attributeName)) {
return value;
}