flow test #29
Caution Breaking Flaws identified in code! Fixes for application/views/userController.py: Fix suggestions:
--- application/views/userController.py
+++ application/views/userController.py
@@ -22,6 +22,7 @@
from application.models import User, Blabber
from application.forms import RegisterForm
+from html import escape
# Get logger
@@ -108,7 +109,7 @@
parsed = sqlparse.parse(sqlQuery)[0]
logger.info("Attempted login with username and password: " + parsed[8].value)
- cursor.execute(sqlQuery)
+ cursor.execute("%s", (username,))
# END VULN CODE
# GOOD CODE
# sqlQuery = "select username, password, password_hint, created_at, last_login, \
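Review bot: `cursor.execute("%s", (username,))` no longer runs the login query at all: the statement text is just a placeholder, so the bound username becomes the entire statement and the `sqlQuery` built above the hunk is never executed. Parameterization has to go into the statement itself — rewrite `sqlQuery` with a `%s` in place of each concatenated value and call `cursor.execute(sqlQuery, (username, password))` (the commented-out `# GOOD CODE` block below looks like that template; confirm the column list there). The `@@ -417` hunk has the same defect, where `cursor.execute("%s", (password,))` discards the concatenated INSERT while `query += ("'" + blabName + "'")` and `logger.info(query)` still build and log the raw statement. The unchanged `logger.info("Attempted login with username and password: " + parsed[8].value)` also writes a token of the raw query to the log; once the query is parameterized it should log at most the username. The enclosing function starts before the hunk.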
@@ -135,8 +136,8 @@
blab_name=row["blab_name"])
response = updateInResponse(currentUser, response)
- update = "UPDATE users SET last_login=datetime('now') WHERE username='" + row['username'] + "';"
- cursor.execute(update)
+ update = "UPDATE users SET last_login=datetime('now') WHERE username=%s;"
+ cursor.execute(update, (username, ))
# if the username ends with "totp", add the TOTP login step
if username[-4:].lower() == "totp":
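Review bot: The bound value changed from `row['username']` to `username` on the new `cursor.execute(update, (username, ))` line, a behaviour change the parameterization did not require: the old statement updated the row by the username the database returned, the new one by the value the client submitted. If the column is matched case-insensitively the two can differ and the UPDATE silently affects zero rows. Keep the original value, `cursor.execute(update, (row['username'],))`; the `(username, )` spacing also differs from the `(username,)` used in the other hunks. The enclosing function starts before the hunk.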
@@ -181,9 +182,9 @@
try:
logger.info("Creating the Database connection")
with connection.cursor() as cursor:
- sql = "SELECT password_hint FROM users WHERE username = '" + username + "'"
+ sql = "SELECT password_hint FROM users WHERE username = %s"
logger.info(sql)
- cursor.execute(sql)
+ cursor.execute(sql, (username,))
row = cursor.fetchone()
if (row):
@@ -194,9 +195,9 @@
formatString = "Username '" + username + "' has password: {}"
hint = formatString.format(password[:2] + ("*" * (len(password) - 2)))
logger.info(hint)
- return HttpResponse(hint)
+ return HttpResponse(escape(hint))
else:
- return HttpResponse("No password found for " + username)
+ return HttpResponse(escape("No password found for " + username))
except DatabaseError as db_err:
logger.error("Database error", db_err)
return HttpResponse("ERROR!")
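Review bot: `escape(hint)` fixes the HTML context of the response, but the value being escaped is a partially masked password, and the unchanged `logger.info(hint)` two lines above still writes those password characters to the log on every request; the commit does not touch it. Drop that line or log only the subject, `logger.info("password hint requested for %s", username)`. Since both responses are plain text, `HttpResponse(hint, content_type="text/plain")` would avoid the HTML context instead of escaping into it. In the except branch, `logger.error("Database error", db_err)` passes the exception as a format argument with no placeholder, which the logging module reports as a formatting error at emit time; `logger.exception("Database error")` is the intended call.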
@@ -222,9 +223,9 @@
#Create db connection
with connection.cursor() as cursor:
- sql = "SELECT totp_secret FROM users WHERE username = '" + username + "'"
+ sql = "SELECT totp_secret FROM users WHERE username = %s"
logger.info(sql)
- cursor.execute(sql)
+ cursor.execute(sql, (username,))
result = cursor.fetchone()
if result:
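Review bot: The parameterized `SELECT totp_secret FROM users WHERE username = %s` followed by `cursor.execute(sql, (username,))` is now written out identically here and in the `@@ -256` hunk; with the query text fixed, pulling it into one helper such as `def _fetch_totp_secret(cursor, username):` that returns `cursor.fetchone()` would keep the two call sites from drifting apart again. The enclosing functions start outside both hunks.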
@@ -256,9 +257,9 @@
with connection.cursor() as cursor:
- sql = "SELECT totp_secret FROM users WHERE username = '" + username + "'"
+ sql = "SELECT totp_secret FROM users WHERE username = %s"
logger.info(sql)
- cursor.execute(sql)
+ cursor.execute(sql, (username,))
result = cursor.fetchone()
if result:
@@ -338,8 +339,8 @@
logger.info("Creating the Database connection")
try:
with connection.cursor() as cursor:
- sqlQuery = "SELECT username FROM users WHERE username = '" + username + "'"
- cursor.execute(sqlQuery)
+ sqlQuery = "SELECT username FROM users WHERE username = %s"
+ cursor.execute(sqlQuery, (username,))
row = cursor.fetchone()
if (row):
request.error = "Username '" + username + "' already exists!"
@@ -417,7 +418,7 @@
query += ("'" + blabName + "'")
query += (");")
#execute query
- cursor.execute(query)
+ cursor.execute("%s", (password,))
sqlStatement = cursor.fetchone() #<- variable for response
logger.info(query)
# END EXAMPLE VULNERABILITY
@@ -491,7 +492,7 @@
with connection.cursor() as cursor:
# Find the Blabbers that this user listens to
logger.info(sqlMyHecklers)
- cursor.execute(sqlMyHecklers % username)
+ cursor.execute(sqlMyHecklers, (username,))
myHecklersResults = cursor.fetchall()
hecklers=[]
for i in myHecklersResults:
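Review bot: `cursor.execute(sqlMyHecklers, (username,))` only works if the `%s` in `sqlMyHecklers` is unquoted; the template is defined above the hunk and was previously filled with `sqlMyHecklers % username`, so it plausibly reads `... = '%s'`, and a quoted placeholder is a string literal to the driver, leaving the bound parameter with nothing to bind to. Confirm the template and change it to `... = %s` with no surrounding quotes. The `logger.info(sqlMyHecklers)` above now logs only the template, which is fine.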
@@ -508,9 +509,9 @@
events = []
# START EXAMPLE VULNERABILITY
- sqlMyEvents = "select event from users_history where blabber=\"" + username + "\" ORDER BY eventid DESC; "
- logger.info(sqlMyEvents)
- cursor.execute(sqlMyEvents)
+ sqlMyEvents = "select event from users_history where blabber=%s ORDER BY eventid DESC; "
+ logger.info(sqlMyEvents, (username,))
+ cursor.execute(sqlMyEvents, (username,))
userHistoryResult = cursor.fetchall()
# END EXAMPLE VULNERABILITY
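Review bot: `logger.info(sqlMyEvents, (username,))` interpolates the tuple into the template's `%s`, so the log line reads `blabber=('alice',) ORDER BY ...` rather than the query, and it still writes the username to the log that the rest of the patch stopped logging. Log the template alone as the other hunks do, `logger.info(sqlMyEvents)`. The `cursor.execute(sqlMyEvents, (username,))` line itself is correct.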
@@ -518,9 +519,9 @@
events.append(result[0])
# Get the users information
- sql = "SELECT username, real_name, blab_name, totp_secret FROM users WHERE username = '" + username + "'"
+ sql = "SELECT username, real_name, blab_name, totp_secret FROM users WHERE username = %s"
logger.info(sql)
- cursor.execute(sql)
+ cursor.execute(sql, (username, ))
myInfoResults = cursor.fetchone()
if not myInfoResults:
return JsonResponse({'message':'Error, no Inforesults found'})
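Review bot: `cursor.execute(sql, (username, ))` spells the one-tuple with a space before the closing parenthesis, unlike `(username,)` in most other hunks of this patch; use `(username,)` consistently, which is what black and ruff emit. The parameterization itself is correct and `logger.info(sql)` now logs only the template.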
@@ -557,7 +558,7 @@
# Initial response only get returns if everything else succeeds.
# This must be here in order to use set_cookie later in the program
msg = f"<script>alert('Successfully changed values!\\nusername: {username.lower()}\\nReal Name: {realName}\\nBlab Name: {blabName}');</script>"
- response = JsonResponse({'values':{"username": username.lower(), "realName": realName, "blabName": blabName}, 'message':msg},status=200)
+ response = JsonResponse({'values':escape({"username": username.lower(), "realName": realName, "blabName": blabName}),'message':msg}, status=200)
logger.info("entering processProfile")
sessionUsername = request.session.get('username')
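Review bot: `escape({...})` on the new `response = JsonResponse(...)` line passes a dict to `html.escape`, which calls `.replace` on its argument and raises `AttributeError` for a dict, so every successful profile update now ends in a 500 instead of a response. Escape the three string values individually and pass the resulting dict (fence below). Separately, `msg` on the unchanged line above still embeds `username`, `realName` and `blabName` unescaped inside a `<script>alert(...)</script>` string; HTML escaping is not the right tool for a JavaScript string context, and the safer shape is to return the plain values in the JSON and let the client build the notice without injecting markup. The enclosing function continues after the hunk.
```python
values = {
    "username": escape(username.lower()),
    "realName": escape(realName),
    "blabName": escape(blabName),
}
response = JsonResponse({'values': values, 'message': msg}, status=200)
```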
No description provided.