Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update main.py #1

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Update main.py #1

wants to merge 1 commit into from

Conversation

arielkru
Copy link
Owner

No description provided.

arielkru
arielkru commented Aug 26, 2024
View reviewed changes
python/main.py
KEY_SIZE = 1024

Copy link
Owner Author

@arielkru arielkru Aug 26, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
MOCK_FIX

IAC

HIGH  Finding Type Name

Description

MOCK_DESCRIPTION

Benchmarks

  • MOCK_BENCH_1
  • MOCK_BENCH_2

arielkru
arielkru commented Aug 26, 2024
View reviewed changes
python/main.py
KEY_SIZE = 1024

Copy link
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SECRETS

LOW  Base64 High Entropy String (:warning: Valid)

Description

Entropy check

arielkru
arielkru commented Aug 26, 2024
View reviewed changes
python/main.py
KEY_SIZE = 1024

Copy link
Owner Author

@arielkru arielkru Aug 26, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LICENSE

PackageName:1.0.0 / ec2.tf

HIGH  Non Compliant License (MIT)

Description

Non Compliant License

arielkru
arielkru commented Aug 26, 2024
View reviewed changes
python/main.py
KEY_SIZE = 1024

Copy link
Owner Author

@arielkru arielkru Aug 26, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SAST

MEDIUM  External control of system or configuration setting
    Source File: ExternalControlOfSystemOrConfigurationSetting1-taint3.java, Sink File: ExternalControlOfSystemOrConfigurationSetting1-taint3.java
Data Flow

     ExternalControlOfSystemOrConfigurationSetting1-taint3.java
    13 | String tainted = req.getParameter("input");
     ExternalControlOfSystemOrConfigurationSetting1-taint3.java
    14 | c.setCatalog(tainted);


How To Fix

String userInput = request.getParameter("catalogName");
if(isValidCatalogName(userInput)) {
connection.setCatalog(userInput);
}


Description

This SAST policy detects instances where user input is used in the java.sql.Connection's setCatalog call. This can be a potential issue as it may allow attackers to change the database during a connection, leading to disruptions or unexpected behaviors.

Vulnerable code example:

java
String userInput = request.getParameter("catalogName");
connection.setCatalog(userInput);

In the above code, the setCatalog method uses user input catalogName directly without any validation or sanitization. This allows an attacker to manipulate the catalogName parameter and potentially change the database being accessed.

arielkru
arielkru commented Aug 26, 2024
View reviewed changes
python/main.py
KEY_SIZE = 1024

Copy link
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SCA

MOCK_PACKAGE_NAME 1.1.2 / ec2.tf

Total vulnerabilities: 2

Critical: 1 High: 1 Medium: 0 Low: 0
Vulnerability IDSeverityCVSSFixed inStatus
CVE-2022-1650 CRITICAL CRITICAL 9.3 1.1.1 Open
CVE-2020-7788 HIGH HIGH 7.3 1.0.5 Open

Bridgecrew Comment by Bridgecrew Bot

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@arielkru