Merge pull request #38 from The-Jibmeister/main

Bulk Commit with suggested changes (closes #27) -- looks good. Thanks for the work!

README.md

@@ -1,5 +1,9 @@
 # VeraDemo - Blab-a-Gag
 
+### :information_source: Notice
+
+This project is intentionally vulnerable! It contains known vulnerabilities and security errors in its code and is meant as an example project for software security scanning tools such as Veracode. Please do not report vulnerabilities in this project; the odds are they’re there on purpose :) .
+
 ## About
 
 Blab-a-Gag is a fairly simple forum type application which allows:

app/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java

@@ -40,12 +40,12 @@ public void execute(String blabberUsername) {
 			ResultSet result = sqlStatement.executeQuery(sqlQuery);
 			result.next();
 
-			/* START BAD CODE */
+			/* START EXAMPLE VULNERABILITY */
 			String event = username + " is now ignoring " + blabberUsername + " (" + result.getString(1) + ")";
 			sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (\"" + username + "\", \"" + event + "\")";
 			logger.info(sqlQuery);
 			sqlStatement.execute(sqlQuery);
-			/* END BAD CODE */
+			/* END EXAMPLE VULNERABILITY */
 		} catch (SQLException e) {
 			// TODO Auto-generated catch block
 			e.printStackTrace();

app/src/main/java/com/veracode/verademo/commands/ListenCommand.java

@@ -40,12 +40,12 @@ public void execute(String blabberUsername) {
 			ResultSet result = sqlStatement.executeQuery(sqlQuery);
 			result.next();
 
-			/* START BAD CODE */
+			/* START EXAMPLE VULNERABILITY */
 			String event = username + " started listening to " + blabberUsername + " (" + result.getString(1) + ")";
 			sqlQuery = "INSERT INTO users_history (blabber, event) VALUES (\"" + username + "\", \"" + event + "\")";
 			logger.info(sqlQuery);
 			sqlStatement.execute(sqlQuery);
-			/* END BAD CODE */
+			/* END EXAMPLE VULNERABILITY */
 		} catch (SQLException e) {
 			// TODO Auto-generated catch block
 			e.printStackTrace();

app/src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java

@@ -42,7 +42,7 @@ public void execute(String blabberUsername) {
 			ResultSet result = sqlStatement.executeQuery(sqlQuery);
 			result.next();
 
-			/* START BAD CODE */
+			/* START EXAMPLE VULNERABILITY */
 			String event = "Removed account for blabber " + result.getString(1);
 			sqlQuery = "INSERT INTO users_history (blabber, event) VALUES ('" + blabberUsername + "', '" + event + "')";
 			logger.info(sqlQuery);
@@ -51,7 +51,7 @@ public void execute(String blabberUsername) {
 			sqlQuery = "DELETE FROM users WHERE username = '" + blabberUsername + "'";
 			logger.info(sqlQuery);
 			sqlStatement.execute(sqlQuery);
-			/* END BAD CODE */
+			/* END EXAMPLE VULNERABILITY */
 
 		} catch (SQLException e) {
 			e.printStackTrace();

app/src/main/java/com/veracode/verademo/controller/BlabController.java

@@ -446,7 +446,7 @@ public String showBlabbers(
 		Connection connect = null;
 		PreparedStatement blabberQuery = null;
 
-		/* START BAD CODE */
+		/* START EXAMPLE VULNERABILITY */
 		String blabbersSql = "SELECT users.username," + " users.blab_name," + " users.created_at,"
 				+ " SUM(if(listeners.listener=?, 1, 0)) as listeners,"
 				+ " SUM(if(listeners.status='Active',1,0)) as listening"
@@ -465,7 +465,7 @@ public String showBlabbers(
 			blabberQuery.setString(1, username);
 			blabberQuery.setString(2, username);
 			ResultSet blabbersResults = blabberQuery.executeQuery();
-			/* END BAD CODE */
+			/* END EXAMPLE VULNERABILITY */
 
 			List<Blabber> blabbers = new ArrayList<Blabber>();
 			while (blabbersResults.next()) {
@@ -539,12 +539,12 @@ public String processBlabbers(
 			Class.forName("com.mysql.jdbc.Driver");
 			connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
 
-			/* START BAD CODE */
+			/* START EXAMPLE VULNERABILITY */
 			Class<?> cmdClass = Class.forName("com.veracode.verademo.commands." + ucfirst(command) + "Command");
 			BlabberCommand cmdObj = (BlabberCommand) cmdClass.getDeclaredConstructor(Connection.class, String.class)
 					.newInstance(connect, username);
 			cmdObj.execute(blabberUsername);
-			/* END BAD CODE */
+			/* END EXAMPLE VULNERABILITY */
 
 			nextView = Utils.redirect("blabbers");
 

app/src/main/java/com/veracode/verademo/controller/ToolsController.java

@@ -49,9 +49,9 @@ private String ping(String host) {
 		logger.info("Pinging: " + host);
 
 		try {
-			/* START BAD CODE */
+			/* START EXAMPLE VULNERABILITY */
 			proc = Runtime.getRuntime().exec(new String[] { "bash", "-c", "ping -c1 " + host });
-			/* END BAD CODE */
+			/* END EXAMPLE VULNERABILITY */
 
 			proc.waitFor(5, TimeUnit.SECONDS);
 			InputStreamReader isr = new InputStreamReader(proc.getInputStream());
@@ -79,9 +79,9 @@ private String fortune(String fortuneFile) {
 		String output = "";
 		Process proc;
 		try {
-			/* START BAD CODE */
+			/* START EXAMPLE VULNERABILITY */
 			proc = Runtime.getRuntime().exec(new String[] { "bash", "-c", cmd });
-			/* END BAD CODE */
+			/* END EXAMPLE VULNERABILITY */
 
 			proc.waitFor(5, TimeUnit.SECONDS);
 			InputStreamReader isr = new InputStreamReader(proc.getInputStream());

app/src/main/java/com/veracode/verademo/controller/UserController.java

@@ -155,15 +155,15 @@ public String processLogin(
 			Class.forName("com.mysql.jdbc.Driver");
 			connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
 
-			/* START BAD CODE */
+			/* START EXAMPLE VULNERABILITY */
 			// Execute the query
 			logger.info("Creating the Statement");
 			String sqlQuery = "select username, password, password_hint, created_at, last_login, real_name, blab_name from users where username='"
 					+ username + "' and password='" + md5(password) + "';";
 			sqlStatement = connect.createStatement();
 			logger.info("Execute the Statement");
 			ResultSet result = sqlStatement.executeQuery(sqlQuery);
-			/* END BAD CODE */
+			/* END EXAMPLE VULNERABILITY */
 
 			// Did we find exactly 1 user that matched?
 			if (result.first()) {
@@ -357,7 +357,7 @@ public String processRegisterFinish(
 			Class.forName("com.mysql.jdbc.Driver");
 			connect = DriverManager.getConnection(Constants.create().getJdbcConnectionString());
 
-			/* START BAD CODE */
+			/* START EXAMPLE VULNERABILITY */
 			// Execute the query
 			String mysqlCurrentDateTime = (new SimpleDateFormat("yyyy-MM-dd HH:mm:ss"))
 					.format(Calendar.getInstance().getTime());
@@ -373,7 +373,7 @@ public String processRegisterFinish(
 			sqlStatement = connect.createStatement();
 			sqlStatement.execute(query.toString());
 			logger.info(query.toString());
-			/* END BAD CODE */
+			/* END EXAMPLE VULNERABILITY */
 
 			emailUser(username);
 		} catch (SQLException | ClassNotFoundException ex) {
@@ -415,9 +415,9 @@ private void emailUser(String username) {
 			message.setFrom(new InternetAddress(from));
 			message.addRecipient(Message.RecipientType.TO, new InternetAddress(to));
 
-			/* START BAD CODE */
+			/* START EXAMPLE VULNERABILITY */
 			message.setSubject(env.getProperty("mail.subject.new_user") + " " + username);
-			/* END BAD CODE */
+			/* END EXAMPLE VULNERABILITY */
 
 			message.setText("A new VeraDemo user registered: " + username);
 
@@ -471,13 +471,13 @@ public String showProfile(
 			// Get the audit trail for this user
 			ArrayList<String> events = new ArrayList<String>();
 
-			/* START BAD CODE */
+			/* START EXAMPLE VULNERABILITY */
 			String sqlMyEvents = "select event from users_history where blabber=\"" + username
 					+ "\" ORDER BY eventid DESC; ";
 			logger.info(sqlMyEvents);
 			Statement sqlStatement = connect.createStatement();
 			ResultSet userHistoryResult = sqlStatement.executeQuery(sqlMyEvents);
-			/* END BAD CODE */
+			/* END EXAMPLE VULNERABILITY */
 
 			while (userHistoryResult.next()) {
 				events.add(userHistoryResult.getString(1));
@@ -888,9 +888,9 @@ public void emailExceptionsToAdmin(Throwable t) {
 			message.setFrom(new InternetAddress(from));
 			message.addRecipient(Message.RecipientType.TO, new InternetAddress(to));
 
-			/* START BAD CODE */
+			/* START EXAMPLE VULNERABILITY */
 			message.setSubject("Error detected: " + t.getMessage());
-			/* END BAD CODE */
+			/* END EXAMPLE VULNERABILITY */
 
 			message.setText(t.getMessage() + "<br>" + properties.getProperty("test") + displayErrorForWeb(t));
 

app/src/main/java/com/veracode/verademo/utils/Constants.java

@@ -9,9 +9,9 @@ public class Constants {
 	private final String JDBC_PORT = "3306";
 	private final String JDBC_DATABASE = "blab";
 	private final String JDBC_USER = "blab";
-	/* START BAD CODE */
+	/* START EXAMPLE VULNERABILITY */
 	private final String JDBC_PASSWORD = "z2^E6J4$;u;d";
-	/* END BAD CODE */
+	/* END EXAMPLE VULNERABILITY */
 
 	private String hostname;
 	private String port;

app/src/main/java/com/veracode/verademo/utils/UserFactory.java

@@ -38,11 +38,11 @@ public static User createFromRequest(HttpServletRequest req) {
 		InputStream decodedstream = Base64.getDecoder().wrap(stream);
 		ObjectInputStream in;
 		try {
-			/* START BAD CODE */
+			/* START EXAMPLE VULNERABILITY */
 			in = new ObjectInputStream(decodedstream);
 			User user = (User) in.readObject();
 			in.close();
-			/* END BAD CODE */
+			/* END EXAMPLE VULNERABILITY */
 
 			return user;