zervo/seb-server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fixes Fortify

Browse source
This commit is contained in:
anhefti 2020-05-06 13:03:19 +02:00
parent a65c4356b8
commit 231bccea45
4 changed files with 20 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
src/main/java/ch/ethz/seb/sebserver/gbl/model/user/PasswordChange.java
View file

@ -32,23 +32,23 @@ public class PasswordChange implements Entity {
@NotEmpty(message = "user:password:notNull") @NotEmpty(message = "user:password:notNull")
@JsonProperty(ATTR_NAME_PASSWORD) @JsonProperty(ATTR_NAME_PASSWORD)
private final String password; private final CharSequence password;
@NotEmpty(message = "user:newPassword:notNull") @NotEmpty(message = "user:newPassword:notNull")
@Size(min = 8, max = 255, message = "user:newPassword:size:{min}:{max}:${validatedValue}") @Size(min = 8, max = 255, message = "user:newPassword:size:{min}:{max}:${validatedValue}")
@JsonProperty(ATTR_NAME_NEW_PASSWORD) @JsonProperty(ATTR_NAME_NEW_PASSWORD)
private final String newPassword; private final CharSequence newPassword;
@NotEmpty(message = "user:confirmNewPassword:notNull") @NotEmpty(message = "user:confirmNewPassword:notNull")
@JsonProperty(ATTR_NAME_CONFIRM_NEW_PASSWORD) @JsonProperty(ATTR_NAME_CONFIRM_NEW_PASSWORD)
private final String confirmNewPassword; private final CharSequence confirmNewPassword;
@JsonCreator @JsonCreator
public PasswordChange( public PasswordChange(
@JsonProperty(USER.ATTR_UUID) final String userId, @JsonProperty(USER.ATTR_UUID) final String userId,
@JsonProperty(ATTR_NAME_PASSWORD) final String password, @JsonProperty(ATTR_NAME_PASSWORD) final CharSequence password,
@JsonProperty(ATTR_NAME_NEW_PASSWORD) final String newPassword, @JsonProperty(ATTR_NAME_NEW_PASSWORD) final CharSequence newPassword,
@JsonProperty(ATTR_NAME_CONFIRM_NEW_PASSWORD) final String confirmNewPassword) { @JsonProperty(ATTR_NAME_CONFIRM_NEW_PASSWORD) final CharSequence confirmNewPassword) {
this.userId = userId; this.userId = userId;
this.password = password; this.password = password;
@ -56,15 +56,15 @@ public class PasswordChange implements Entity {
this.confirmNewPassword = confirmNewPassword; this.confirmNewPassword = confirmNewPassword;
} }
public String getPassword() { public CharSequence getPassword() {
return this.password; return this.password;
} }
public String getNewPassword() { public CharSequence getNewPassword() {
return this.newPassword; return this.newPassword;
} }
public String getConfirmNewPassword() { public CharSequence getConfirmNewPassword() {
return this.confirmNewPassword; return this.confirmNewPassword;
} }

10
src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/dao/impl/ExamDAOImpl.java
View file

@ -187,7 +187,7 @@ public class ExamDAOImpl implements ExamDAO {
.map(examRecord -> { .map(examRecord -> {
if (BooleanUtils.isTrue(BooleanUtils.toBooleanObject(examRecord.getUpdating()))) { if (BooleanUtils.isTrue(BooleanUtils.toBooleanObject(examRecord.getUpdating()))) {
if (!updateId.equals(examRecord.getLastupdate())) { if (!updateId.equals(examRecord.getLastupdate())) {
throw new IllegalStateException("Exam is currently locked: " + examRecord); throw new IllegalStateException("Exam is currently locked: " + examRecord.getExternalId());
} }
} }
@ -212,7 +212,7 @@ public class ExamDAOImpl implements ExamDAO {
// check internal persistent write-lock // check internal persistent write-lock
final ExamRecord oldRecord = this.examRecordMapper.selectByPrimaryKey(exam.id); final ExamRecord oldRecord = this.examRecordMapper.selectByPrimaryKey(exam.id);
if (BooleanUtils.isTrue(BooleanUtils.toBooleanObject(oldRecord.getUpdating()))) { if (BooleanUtils.isTrue(BooleanUtils.toBooleanObject(oldRecord.getUpdating()))) {
throw new IllegalStateException("Exam is currently locked: " + exam); throw new IllegalStateException("Exam is currently locked: " + exam.externalId);
} }
final ExamRecord examRecord = new ExamRecord( final ExamRecord examRecord = new ExamRecord(
@ -450,7 +450,8 @@ public class ExamDAOImpl implements ExamDAO {
// consistency check // consistency check
if (BooleanUtils.isTrue(BooleanUtils.toBooleanObject(examRec.getUpdating()))) { if (BooleanUtils.isTrue(BooleanUtils.toBooleanObject(examRec.getUpdating()))) {
throw new IllegalStateException("Exam to end update is not in expected state: " + examRec); throw new IllegalStateException(
"Exam to end update is not in expected state: " + examRec.getExternalId());
} }
final ExamRecord newRecord = new ExamRecord( final ExamRecord newRecord = new ExamRecord(
@ -480,7 +481,8 @@ public class ExamDAOImpl implements ExamDAO {
if (BooleanUtils.isFalse(BooleanUtils.toBooleanObject(examRec.getUpdating())) if (BooleanUtils.isFalse(BooleanUtils.toBooleanObject(examRec.getUpdating()))
|| !updateId.equals(examRec.getLastupdate())) { || !updateId.equals(examRec.getLastupdate())) {
throw new IllegalStateException("Exam to end update is not in expected state: " + examRec); throw new IllegalStateException(
"Exam to end update is not in expected state: " + examRec.getExternalId());
} }
final ExamRecord newRecord = new ExamRecord( final ExamRecord newRecord = new ExamRecord(

4
src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/sebconfig/impl/ExamConfigXMLParser.java
View file

@ -86,7 +86,7 @@ public class ExamConfigXMLParser extends DefaultHandler {
private static final Set<String> KNOWN_INLINE_TABLES = new HashSet<>(Arrays.asList( private static final Set<String> KNOWN_INLINE_TABLES = new HashSet<>(Arrays.asList(
"arguments")); "arguments"));
public static final Set<String> PASSWORD_ATTRIBUTES = new HashSet<>(Arrays.asList( public static final Set<String> SECRET_ATTRIBUTES = new HashSet<>(Arrays.asList(
"hashedQuitPassword", "hashedQuitPassword",
"hashedAdminPassword")); "hashedAdminPassword"));
@ -443,7 +443,7 @@ public class ExamConfigXMLParser extends DefaultHandler {
return null; return null;
} }
if (PASSWORD_ATTRIBUTES.contains(name)) { if (SECRET_ATTRIBUTES.contains(name)) {
// NOTE this is a special case, if a hashed password is imported it is not possible to view this password // NOTE this is a special case, if a hashed password is imported it is not possible to view this password
// later in plain text to the administrator. Therefore this password hash is marked here as imported // later in plain text to the administrator. Therefore this password hash is marked here as imported
// and internally encrypted as usual. So the password will be decrypted while viewing and is recognizable // and internally encrypted as usual. So the password will be decrypted while viewing and is recognizable

6
src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/sebconfig/impl/converter/StringConverter.java
View file

@ -111,7 +111,7 @@ public class StringConverter implements AttributeValueConverter {
out.write(Utils.toByteArray(String.format( out.write(Utils.toByteArray(String.format(
template, template,
realName, realName,
convertPassword(realName, value)))); convertSecret(realName, value))));
} else { } else {
out.write(Utils.toByteArray(String.format( out.write(Utils.toByteArray(String.format(
emptyTemplate, emptyTemplate,
@ -119,7 +119,7 @@ public class StringConverter implements AttributeValueConverter {
} }
} }
private CharSequence convertPassword( private CharSequence convertSecret(
final String attributeName, final String attributeName,
final String value) { final String value) {
@ -127,7 +127,7 @@ public class StringConverter implements AttributeValueConverter {
return value; return value;
} }
if (!ExamConfigXMLParser.PASSWORD_ATTRIBUTES.contains(attributeName)) { if (!ExamConfigXMLParser.SECRET_ATTRIBUTES.contains(attributeName)) {
return value; return value;
} }