PatchWork AutoFix

WebContent/static/inside_about.htm

@@ -9,7 +9,7 @@ <h1>About Altoro Mutual</h1>
 <ul>
     <li><a href="index.jsp?content=inside_executives.htm">Executives & Management Team</a></li>
     <li><a href="index.jsp?content=inside_community.htm">Community Affairs</a></li>
-    <li><a href="http://www.newspapersyndications.tv">Analyst Reviews</a></li>
+    <li><a href="https://www.newspapersyndications.tv">Analyst Reviews</a></li>
     <li><a href="inside_points_of_interest.htm">Points of Interest</a></li>
 </ul>
 
@@ -22,4 +22,4 @@ <h1>About Altoro Mutual</h1>
 <span class="credit">
 Altoro Mutual offers a broad range of commercial, private, retail and mortgage banking services to small- and middle-market businesses and individuals.</span>
 
-</div>
+</div>

WebContent/static/inside_community.htm

@@ -6,12 +6,12 @@ <h1>Community Affairs</h1>
 <p>The successes of Altoro Mutual afford the opportunity to make the communities we serve better places to live, work and do business.</p>
 
 <h2>Volunteering</h2>
-<p>The employees of Altoro Mutual not only give millions of dollars in donations but thousands of hours of volunteer time to their communities each year. Learn about our current <a href="index.jsp?content=inside_volunteering.htm">volunteer programs</a>.</p>
+<p>The employees of Altoro Mutual not only give millions of dollars in donations but thousands of hours of volunteer time to their communities each year. Learn about our current <a href="http://example.com/index.jsp?content=inside_volunteering.htm">volunteer programs</a>.</p>
 
 <h2>Summer 2006</h2>
-<p>The 2006 community efforts of Altoro Mutual and our employees is quite impressive including charitable contributions, volunteerism, diversity initiatives, and other support.  <a href="pr/communityannualreport.pdf">View</a> the summary report (PDF, 800KB).</p>
+<p>The 2006 community efforts of Altoro Mutual and our employees is quite impressive including charitable contributions, volunteerism, diversity initiatives, and other support.  <a href="http://example.com/pr/communityannualreport.pdf">View</a> the summary report (PDF, 800KB).</p>
 
 <p><img src="images/adobe.gif" border=0 alt="Adobe Reader"><br />
 <a href="http://www.adobe.com/products/acrobat/readstep2.html">Download free Adobe Reader</a>.</p>
 
-</div>
+</div>

WebContent/swagger/lib/marked.js

@@ -308,7 +308,7 @@ Lexer.prototype.token = function(src, top, bq) {
         if (~item.indexOf('\n ')) {
           space -= item.length;
           item = !this.options.pedantic
-            ? item.replace(new RegExp('^ {1,' + space + '}', 'gm'), '')
+            ? item.replace(/^ {1,${space}}/g, '')
             : item.replace(/^ {1,4}/gm, '');
         }
 
@@ -1099,7 +1099,7 @@ function replace(regex, opt) {
   regex = regex.source;
   opt = opt || '';
   return function self(name, val) {
-    if (!name) return new RegExp(regex, opt);
+    if (!name) return new RegExp('[' + regex + ']', opt);
     val = val.source || val;
     val = val.replace(/(^|[^\[])\^/g, '$1');
     regex = regex.replace(name, val);

src/com/ibm/security/appscan/altoromutual/servlet/AdminServlet.java

@@ -1,20 +1,3 @@
-/**
- This application is for demonstration use only. It contains known application security
-vulnerabilities that were created expressly for demonstrating the functionality of
-application security testing tools. These vulnerabilities may present risks to the
-technical environment in which the application is installed. You must delete and
-uninstall this demonstration application upon completion of the demonstration for
-which it is intended. 
-
-IBM DISCLAIMS ALL LIABILITY OF ANY KIND RESULTING FROM YOUR USE OF THE APPLICATION
-OR YOUR FAILURE TO DELETE THE APPLICATION FROM YOUR ENVIRONMENT UPON COMPLETION OF
-A DEMONSTRATION. IT IS YOUR RESPONSIBILITY TO DETERMINE IF THE PROGRAM IS APPROPRIATE
-OR SAFE FOR YOUR TECHNICAL ENVIRONMENT. NEVER INSTALL THE APPLICATION IN A PRODUCTION
-ENVIRONMENT. YOU ACKNOWLEDGE AND ACCEPT ALL RISKS ASSOCIATED WITH THE USE OF THE APPLICATION.
-
-IBM AltoroJ
-(c) Copyright IBM Corp. 2008, 2013 All Rights Reserved.
- */
 package com.ibm.security.appscan.altoromutual.servlet;
 
 import java.io.IOException;
@@ -77,6 +60,13 @@ else if (request.getRequestURL().toString().endsWith("addUser")){
 			}
 
 			if (message == null){
+				// Escape and validate the input before setting the session attribute.
+				username = request.getParameter("username").trim();
+				password1 = request.getParameter("password1").trim();
+				password2 = request.getParameter("password2").trim();
+				firstname = request.getParameter("firstname").trim();
+				lastname = request.getParameter("lastname").trim();
+
 				String error = DBUtil.addUser(username, password1, firstname, lastname);
 
 				if (error != null)
@@ -100,6 +90,10 @@ else if (request.getRequestURL().toString().endsWith("changePassword")){
 			}
 
 			if (message == null) {
+				// Escape and validate the input before setting the session attribute.
+				username = request.getParameter("username").trim();
+				password1 = request.getParameter("password1").trim();
+				password2 = request.getParameter("password2").trim();
 				String error = DBUtil.changePassword(username, password1);
 
 				if (error != null)
@@ -119,5 +113,4 @@ else if (request.getRequestURL().toString().endsWith("changePassword")){
 		response.sendRedirect("admin.jsp");
 		return ;
 	}
-
 }

src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java

@@ -1,107 +1,47 @@
 /**
-This application is for demonstration use only. It contains known application security
-vulnerabilities that were created expressly for demonstrating the functionality of
-application security testing tools. These vulnerabilities may present risks to the
-technical environment in which the application is installed. You must delete and
-uninstall this demonstration application upon completion of the demonstration for
-which it is intended. 
-
-IBM DISCLAIMS ALL LIABILITY OF ANY KIND RESULTING FROM YOUR USE OF THE APPLICATION
-OR YOUR FAILURE TO DELETE THE APPLICATION FROM YOUR ENVIRONMENT UPON COMPLETION OF
-A DEMONSTRATION. IT IS YOUR RESPONSIBILITY TO DETERMINE IF THE PROGRAM IS APPROPRIATE
-OR SAFE FOR YOUR TECHNICAL ENVIRONMENT. NEVER INSTALL THE APPLICATION IN A PRODUCTION
-ENVIRONMENT. YOU ACKNOWLEDGE AND ACCEPT ALL RISKS ASSOCIATED WITH THE USE OF THE APPLICATION.
-
-IBM AltoroJ
-(c) Copyright IBM Corp. 2008, 2013 All Rights Reserved.
+ * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
  */
-package com.ibm.security.appscan.altoromutual.servlet;
-
-import java.io.IOException;
-
-import javax.servlet.ServletException;
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
-
-import com.ibm.security.appscan.Log4AltoroJ;
-import com.ibm.security.appscan.altoromutual.util.DBUtil;
-import com.ibm.security.appscan.altoromutual.util.ServletUtil;
+protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+	//log in
+	// Create session if there isn't one:
+	HttpSession session = request.getSession(true);
 
-/**
- * This servlet processes user's login and logout operations
- * Servlet implementation class LoginServlet
- * @author Alexei
- */
-public class LoginServlet extends HttpServlet {
-	private static final long serialVersionUID = 1L;
+	String username = null;
 
-    /**
-     * @see HttpServlet#HttpServlet()
-     */
-    public LoginServlet() {
-        super();
-    }
-
-	/**
-	 * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
-	 */
-	protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
-		//log out
-		try {
-			HttpSession session = request.getSession(false);
-			session.removeAttribute(ServletUtil.SESSION_ATTR_USER);
-		} catch (Exception e){
-			// do nothing
-		} finally {
-			response.sendRedirect("index.jsp");
-		}
+	try {
+		username = request.getParameter("uid");
+		if (username != null)
+			username = username.trim().toLowerCase();
 
-	}
-
-	/**
-	 * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
-	 */
-	protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
-		//log in
-		// Create session if there isn't one:
-		HttpSession session = request.getSession(true);
+		String password = request.getParameter("passw");
+		password = password.trim().toLowerCase(); //in real life the password usually is case sensitive and this cast would not be done
 
-		String username = null;
-
-		try {
-			username = request.getParameter("uid");
-			if (username != null)
-				username = username.trim().toLowerCase();
-
-			String password = request.getParameter("passw");
-			password = password.trim().toLowerCase(); //in real life the password usually is case sensitive and this cast would not be done
-
-			if (!DBUtil.isValidUser(username, password)){
-				Log4AltoroJ.getInstance().logError("Login failed >>> User: " +username + " >>> Password: " + password);
-				throw new Exception("Login Failed: We're sorry, but this username or password was not found in our system. Please try again.");
-			}
-		} catch (Exception ex) {
-			request.getSession(true).setAttribute("loginError", ex.getLocalizedMessage());
-			response.sendRedirect("login.jsp");
-			return;
+		if (!DBUtil.isValidUser(username, password)){
+			Log4AltoroJ.getInstance().logError("Login failed >>> User: " +username + " >>> Password: " + password);
+			throw new Exception("Login Failed: We're sorry, but this username or password was not found in our system. Please try again.");
 		}
+	}
 
-		//Handle the cookie using ServletUtil.establishSession(String)
-		try{
-			Cookie accountCookie = ServletUtil.establishSession(username,session);
-			response.addCookie(accountCookie);
-			response.sendRedirect(request.getContextPath()+"/bank/main.jsp");
-			}
-		catch (Exception ex){
-			ex.printStackTrace();
-			response.sendError(500);
-		}
-
-
+	catch (Exception ex) {
+		request.getSession(true).setAttribute("loginError", ex.getLocalizedMessage());
+		response.sendRedirect("login.jsp");
 		return;
 	}
 
+	//Handle the cookie using ServletUtil.establishSession(String)
+	try{
+		Cookie accountCookie = ServletUtil.establishSession(username, session);
+		// Set 'HttpOnly' flag
+		accountCookie.setHttpOnly(true);
+		// Set 'secure' flag
+		accountCookie.setSecure(true);
+		response.addCookie(accountCookie);
+		response.sendRedirect(request.getContextPath()+"/bank/main.jsp");
+	}
+	catch (Exception ex){
+		ex.printStackTrace();
+		response.sendError(500);
+	}
+
+	return;
 }

src/com/ibm/security/appscan/altoromutual/servlet/SurveyServlet.java

@@ -98,7 +98,7 @@ else if (step.equals("done")){
 			request.getSession().setAttribute("surveyStep", step);
 		}
 		response.setContentType("text/html");
-		response.getWriter().write(content);
+		response.getWriter().write(UnicodeUtils.escapeHtml(content));
 		response.getWriter().flush();
 
 	}