diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
new file mode 100644
index 00000000..2c8f76af
--- /dev/null
+++ b/.github/workflows/semgrep.yml
@@ -0,0 +1,26 @@
+on:
+ workflow_dispatch: {}
+ pull_request: {}
+ push:
+ branches:
+ - main
+ - master
+ paths:
+ - .github/workflows/semgrep.yml
+ schedule:
+ # random HH:MM to avoid a load spike on GitHub Actions at 00:00
+ - cron: 7 11 * * *
+name: Semgrep
+jobs:
+ semgrep:
+ name: semgrep/ci
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ env:
+ SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+ container:
+ image: semgrep/semgrep
+ steps:
+ - uses: actions/checkout@v4
+ - run: semgrep ci
diff --git a/src/main/java/org/owasp/benchmark/helpers/DataBaseServer.java b/src/main/java/org/owasp/benchmark/helpers/DataBaseServer.java
index e59ecef1..62716e24 100644
--- a/src/main/java/org/owasp/benchmark/helpers/DataBaseServer.java
+++ b/src/main/java/org/owasp/benchmark/helpers/DataBaseServer.java
@@ -67,7 +67,7 @@ public ResponseEntity> getAll(
 org.owasp.benchmark.helpers.DatabaseHelper.printResults(statement, sql, resp);
 } catch (java.sql.SQLException e) {
 if (org.owasp.benchmark.helpers.DatabaseHelper.hideSQLErrors) {
- e.printStackTrace();
+ //e.printStackTrace();
 resp.add(new XMLMessage("Error processing request: " + e.getMessage()));
 return new ResponseEntity>(resp, HttpStatus.OK);
 } else throw new ServletException(e);
diff --git a/src/main/java/org/owasp/benchmark/helpers/HibernateUtil.java b/src/main/java/org/owasp/benchmark/helpers/HibernateUtil.java
index 653cf44a..5dbaf5ca 100644
--- a/src/main/java/org/owasp/benchmark/helpers/HibernateUtil.java
+++ b/src/main/java/org/owasp/benchmark/helpers/HibernateUtil.java
@@ -185,7 +185,7 @@ public void initData() {
 tx.commit();
 } catch (HibernateException e) {
 if (tx != null) tx.rollback();
- e.printStackTrace();
+ //e.printStackTrace();
 } finally {
 }
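Review bot: Both `image: semgrep/semgrep` and `uses: actions/checkout@v4` are mutable references, so every scheduled, push and pull_request run pulls whatever those tags resolve to at that moment; for a security scanner that runs with the `SEMGREP_APP_TOKEN` secret in its environment, pin them so the scan is reproducible and a tag takeover cannot swap the code that sees the token, e.g. `image: semgrep/semgrep:<version-or-digest placeholder>` and `uses: actions/checkout@<full-commit-sha placeholder> # v4`. The job-level `permissions: contents: read` is the right default and should stay the only grant. On `pull_request` the secret is only available to same-repository PRs, which is fine as written; it would stop being fine if the trigger were later changed to `pull_request_target`, so a short comment next to `pull_request: {}` recording that intent would help the next editor.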
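Review bot: Commenting out `e.printStackTrace()` leaves dead code and drops the only record of the `SQLException` in the `hideSQLErrors` branch; delete the line outright and, if the diagnostics are still wanted, route the exception (with its cause) through the project's logger at debug level instead of stdout. The same comment-out pattern appears in the HibernateUtil, LDAPServer, Startup and both Utils hunks of this commit, and the same fix applies to each. Separately, if `hideSQLErrors` is meant to keep database details out of the response, the `e.getMessage()` text appended on the following line still returns the driver's message to the client; a fixed string such as `"Error processing request"` there would match the flag's name. getAll continues outside the hunk.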
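Review bot: With `e.printStackTrace()` gone, the `catch (HibernateException e)` block now rolls back and swallows the exception with no trace at all, so a failed commit in `initData()` leaves nothing to debug and the caller cannot tell the data was never loaded; either rethrow with the cause, `throw new IllegalStateException("initData: commit failed", e);`, or log it before returning. The `catch (FileNotFoundException e)` in the Utils `@@ -116` hunk goes silent in the same way. The empty `} finally { }` that follows can be removed. initData continues outside the hunk.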
diff --git a/src/main/java/org/owasp/benchmark/helpers/LDAPServer.java b/src/main/java/org/owasp/benchmark/helpers/LDAPServer.java
index e05df1f7..5152a03f 100644
--- a/src/main/java/org/owasp/benchmark/helpers/LDAPServer.java
+++ b/src/main/java/org/owasp/benchmark/helpers/LDAPServer.java
@@ -172,7 +172,7 @@ private void initDirectoryService(File workDir) {
 service.startup();
 } catch (Exception e) {
 System.out.println("Error at LDAP startup: " + e.getMessage());
- e.printStackTrace();
+ //e.printStackTrace();
 }
 
 // Inject the foo root entry if it does not already exist
diff --git a/src/main/java/org/owasp/benchmark/helpers/Startup.java b/src/main/java/org/owasp/benchmark/helpers/Startup.java
index 82e5e160..7ea07155 100644
--- a/src/main/java/org/owasp/benchmark/helpers/Startup.java
+++ b/src/main/java/org/owasp/benchmark/helpers/Startup.java
@@ -38,10 +38,10 @@ public void contextInitialized(ServletContextEvent sce) {
 } catch (ClassNotFoundException e) {
 System.out.println("ERROR: Could not find expected DatabaseHelper class.");
- e.printStackTrace();
+ //e.printStackTrace();
 } catch (Exception e) {
 System.out.println("ERROR: Could not find or add BouncyCastle as crypto provider.");
- e.printStackTrace();
+ //e.printStackTrace();
 }
 
 if (Security.getProvider("BC") == null)
diff --git a/src/main/java/org/owasp/benchmark/helpers/Utils.java b/src/main/java/org/owasp/benchmark/helpers/Utils.java
index b1a26081..ed6c1ebf 100644
--- a/src/main/java/org/owasp/benchmark/helpers/Utils.java
+++ b/src/main/java/org/owasp/benchmark/helpers/Utils.java
@@ -104,7 +104,7 @@ public class Utils {
 } catch (ParserConfigurationException e) {
 System.out.println(
 "ERROR: couldn't set http://apache.org/xml/features/disallow-doctype-decl");
- e.printStackTrace();
+ //e.printStackTrace();
 }
 
 File tempDir = new File(TESTFILES_DIR);
@@ -116,7 +116,7 @@ public class Utils {
 out.write("Test is a test file.\n");
 out.close();
 } catch (FileNotFoundException e) {
- e.printStackTrace();
+ //e.printStackTrace();
 }
 File testFile2 = new File(TESTFILES_DIR + "SafeText");
 try {
diff --git a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00006.java b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00006.java
index 2359c9ba..1c112a72 100644
--- a/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00006.java
+++ b/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest00006.java
@@ -59,7 +59,13 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
 argList.add("sh");
 argList.add("-c");
 }
- argList.add("echo " + param);
+ //argList.add("echo " + param);
+ // Sanitize param to only allow alphanumeric characters and spaces.
+ // Adjust the regex as needed depending on allowed input.
+ param = param.replaceAll("[^a-zA-Z0-9 ]", "");
+
+ argList.add("echo");
+ argList.add(param); // Pass param as a separate argument to avoid command injection
 
 ProcessBuilder pb = new ProcessBuilder();
 
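Review bot: The new argument list does not do what the trailing comment says: `argList` still begins with `sh`/`-c` (the Windows branch above the hunk presumably adds the `cmd.exe`/`/c` equivalent), so the process becomes `sh -c echo <param>`, where `echo` is the whole command string and `param` is bound to `$0` rather than passed to echo — the output changes and the test no longer exercises the sink it was written for. If a safe variant is intended, remove the shell prefix entirely and let `ProcessBuilder` run `echo` with `param` as its own argument; if this class is meant to remain an intentionally vulnerable benchmark case, as the `BenchmarkTest` name suggests, the sink should stay as it was and the benchmark's expected result for this case must not silently change. The `replaceAll("[^a-zA-Z0-9 ]", "")` also strips characters silently instead of rejecting the input, and the `// Adjust the regex as needed` comment leaves the intended allowlist undefined; state the rule or reject non-matching input. Delete the commented-out `//argList.add("echo " + param);` rather than keeping it as a hint. doPost continues outside the hunk on both sides.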