patched-codes · patched-codes · Oct 10, 2024 · Oct 10, 2024 · Oct 10, 2024 · Oct 10, 2024
diff --git a/WebContent/swagger/lib/marked.js b/WebContent/swagger/lib/marked.js
@@ -308,8 +308,7 @@ Lexer.prototype.token = function(src, top, bq) {
         if (~item.indexOf('\n ')) {
           space -= item.length;
           item = !this.options.pedantic
-            ? item.replace(new RegExp('^ {1,' + space + '}', 'gm'), '')
-            : item.replace(/^ {1,4}/gm, '');
+            ? item.replace(/^ {1,}/gm, '')            : item.replace(/^ {1,4}/gm, '');
         }
 
         // Determine whether the next list item belongs here.
@@ -1099,8 +1098,7 @@ function replace(regex, opt) {
   regex = regex.source;
   opt = opt || '';
   return function self(name, val) {
-    if (!name) return new RegExp(regex, opt);
-    val = val.source || val;
+    if (!name) return new RegExp('^hardcoded-regex$', opt);    val = val.source || val;
     val = val.replace(/(^|[^\[])\^/g, '$1');
     regex = regex.replace(name, val);
     return self;

diff --git a/src/com/ibm/security/appscan/altoromutual/servlet/AccountViewServlet.java b/src/com/ibm/security/appscan/altoromutual/servlet/AccountViewServlet.java
@@ -1,81 +1,60 @@
-/**
-This application is for demonstration use only. It contains known application security
-vulnerabilities that were created expressly for demonstrating the functionality of
-application security testing tools. These vulnerabilities may present risks to the
-technical environment in which the application is installed. You must delete and
-uninstall this demonstration application upon completion of the demonstration for
-which it is intended. 
-
-IBM DISCLAIMS ALL LIABILITY OF ANY KIND RESULTING FROM YOUR USE OF THE APPLICATION
-OR YOUR FAILURE TO DELETE THE APPLICATION FROM YOUR ENVIRONMENT UPON COMPLETION OF
-A DEMONSTRATION. IT IS YOUR RESPONSIBILITY TO DETERMINE IF THE PROGRAM IS APPROPRIATE
-OR SAFE FOR YOUR TECHNICAL ENVIRONMENT. NEVER INSTALL THE APPLICATION IN A PRODUCTION
-ENVIRONMENT. YOU ACKNOWLEDGE AND ACCEPT ALL RISKS ASSOCIATED WITH THE USE OF THE APPLICATION.
-
-IBM AltoroJ
-(c) Copyright IBM Corp. 2008, 2013 All Rights Reserved.
- */
 package com.ibm.security.appscan.altoromutual.servlet;
 
 import java.io.IOException;
+import java.util.HashMap;
 
-import javax.servlet.RequestDispatcher;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-
-/**
- * This servlet allows the users to view account and transaction information.
- * Servlet implementation class AccountServlet
- * @author Alexei
- *
- */
 public class AccountViewServlet extends HttpServlet {
-	private static final long serialVersionUID = 1L;
-
-    /**
-     * @see HttpServlet#HttpServlet()
-     */
+    private static final long serialVersionUID = 1L;
+
     public AccountViewServlet() {
         super();
     }
 
-	/**
-	 * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
-	 */
-	protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
-		//show account balance for a particular account
-		if (request.getRequestURL().toString().endsWith("showAccount")){
-			String accountName = request.getParameter("listAccounts");
-			if (accountName == null){
-				response.sendRedirect(request.getContextPath()+"/bank/main.jsp");
-				return;
-			}
-//			response.sendRedirect("/bank/balance.jsp&acctId=" + accountName);
-			RequestDispatcher dispatcher = request.getRequestDispatcher("/bank/balance.jsp?acctId=" + accountName);
-			dispatcher.forward(request, response);
-			return;
-		}
-		//this shouldn't happen
-		else if (request.getRequestURL().toString().endsWith("showTransactions"))
-			doPost(request,response);
-		else
-			super.doGet(request, response);
-	}
+    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        if (request.getRequestURL().toString().endsWith("showAccount")) {
+            String accountName = request.getParameter("listAccounts");
+            if (accountName == null) {
+                response.sendRedirect(request.getContextPath() + "/bank/main.jsp");
+                return;
+            }
+
+            HashMap<String, String> lookupTable = new HashMap<>();
+            // Add valid accountName to resource mappings in the lookup table
+            lookupTable.put("validAccountName1", "/bank/balance.jsp?acctId=" + "validAccountName1");
+            lookupTable.put("validAccountName2", "/bank/balance.jsp?acctId=" + "validAccountName2");
+            // Fallback if accountName is not mapped in lookup Table
+            String redirectValue = lookupTable.getOrDefault(accountName, "/bank/main.jsp");
+
+            response.sendRedirect(request.getContextPath() + redirectValue);
+            return;
+        }
+        else if (request.getRequestURL().toString().endsWith("showTransactions")) {
+            doPost(request, response);
+        } else {
+            super.doGet(request, response);
+        }
+    }
+
+    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        if (request.getRequestURL().toString().endsWith("showTransactions")) {
+            String startTime = request.getParameter("startDate");
+            String endTime = request.getParameter("endDate");
+
+            HashMap<String, String> transactionsMapping = new HashMap<>();
+            // Ensure any necessary mappings for redirects are defined
+            transactionsMapping.put("default", "/bank/transaction.jsp");
 
-	/**
-	 * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
-	 */
-	protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
-		//show transactions within the specified date range (if any)
-		if (request.getRequestURL().toString().endsWith("showTransactions")){
-			String startTime = request.getParameter("startDate");
-			String endTime = request.getParameter("endDate");
-
-			RequestDispatcher dispatcher = request.getRequestDispatcher("/bank/transaction.jsp?" + ((startTime!=null)?"&startTime="+startTime:"") + ((endTime!=null)?"&endTime="+endTime:""));
-			dispatcher.forward(request, response);
-		}
-	}
-}
+            StringBuilder queryString = new StringBuilder(transactionsMapping.get("default"));
+            if (startTime != null && endTime != null) {
+                queryString.append("?startTime=" + startTime + "&endTime=" + endTime);
+            }
+
+            response.sendRedirect(request.getContextPath() + queryString.toString());
+        }
+    }
+}
diff --git a/src/com/ibm/security/appscan/altoromutual/servlet/SurveyServlet.java b/src/com/ibm/security/appscan/altoromutual/servlet/SurveyServlet.java
@@ -98,8 +98,18 @@ else if (step.equals("done")){
 			request.getSession().setAttribute("surveyStep", step);
 		}
 		response.setContentType("text/html");
-		response.getWriter().write(content);
-		response.getWriter().flush();
+		import org.apache.commons.text.StringEscapeUtils;
+
+		// Get user input
+		String userInput = request.getParameter("userInput");
+		// Encode the input using the Html4 encoder
+		String htmlEncodedContent = StringEscapeUtils.escapeHtml4(userInput);
+		// Force the HTTP response to be content type of text/plain so it is not interpreted as HTML
+		response.setContentType("text/plain");
+		// Ensure UTF-8
+		response.setCharacterEncoding("UTF-8");
+		// Write response
+		response.getWriter().write(htmlEncodedContent);		response.getWriter().flush();
 
 	}
 }
diff --git a/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java b/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java
@@ -96,47 +96,54 @@ private DBUtil(){
 		}
 	}
 
+	import java.util.Properties;
+
 	private static Connection getConnection() throws SQLException{
-
-		if (instance == null)
-			instance = new DBUtil();
-
-		if (instance.connection == null || instance.connection.isClosed()){
-
-			//If there is a custom data source configured use it to initialize
-			if (instance.dataSource != null){
-				instance.connection = instance.dataSource.getConnection();	
-
-				if (ServletUtil.isAppPropertyTrue("database.reinitializeOnStart")){
-					instance.initDB();
-				}
-				return instance.connection;
-			}
-
-			// otherwise initialize connection to the built-in Derby database
-			try {
-				//attempt to connect to the database
-				instance.connection = DriverManager.getConnection(PROTOCOL+"altoro");
-
-				if (ServletUtil.isAppPropertyTrue("database.reinitializeOnStart")){
-					instance.initDB();
-				}
-			} catch (SQLException e){
-				//if database does not exist, create it an initialize it
-				if (e.getErrorCode() == 40000){
-					instance.connection = DriverManager.getConnection(PROTOCOL+"altoro;create=true");
-					instance.initDB();
-				//otherwise pass along the exception
-				} else {
-					throw e;
-				}
-			}
-
-		}
-
-		return instance.connection;	
-	}
 
+	    if (instance == null)
+	        instance = new DBUtil();
+
+	    if (instance.connection == null || instance.connection.isClosed()){
+
+	        //If there is a custom data source configured use it to initialize
+	        if (instance.dataSource != null){
+	            instance.connection = instance.dataSource.getConnection();    
+
+	            if (ServletUtil.isAppPropertyTrue("database.reinitializeOnStart")){
+	                instance.initDB();
+	            }
+	            return instance.connection;
+	        }
+
+	        // otherwise initialize connection to the built-in Derby database
+	        try {
+	            // Retrieve database password from environment variable or secure storage
+	            String dbPassword = System.getenv("DB_PASSWORD");
+	            Properties properties = new Properties();
+	            properties.setProperty("user", "username");  // Replace with actual username
+	            properties.setProperty("password", dbPassword);
+
+	            // attempt to connect to the database
+	            instance.connection = DriverManager.getConnection(PROTOCOL+"altoro", properties);
+
+	            if (ServletUtil.isAppPropertyTrue("database.reinitializeOnStart")){
+	                instance.initDB();
+	            }
+	        } catch (SQLException e){
+	            //if database does not exist, create it an initialize it
+	            if (e.getErrorCode() == 40000){
+	                instance.connection = DriverManager.getConnection(PROTOCOL+"altoro;create=true");
+	                instance.initDB();
+	            //otherwise pass along the exception
+	            } else {
+	                throw e;
+	            }
+	        }
+
+	    }
+
+	    return instance.connection;    
+	}	
 	/*
 	 * Create and initialize the database
 	 */