api end point

scan-rules.conf

@@ -0,0 +1,76 @@
+# zap-full-scan rule configuration file
+# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
+# Active scan rules set to IGNORE will not be run which will speed up the scan
+# Only the rule identifiers are used - the names are just for info
+# You can add your own messages to each rule by appending them after a tab on each line.
+0	WARN	(Directory Browsing - Active/release)
+10010	WARN	(Cookie No HttpOnly Flag - Passive/release)
+10011	WARN	(Cookie Without Secure Flag - Passive/release)
+10015	WARN	(Incomplete or No Cache-control and Pragma HTTP Header Set - Passive/release)
+10016	FAIL	(Web Browser XSS Protection Not Enabled - Passive/release)
+10017	WARN	(Cross-Domain JavaScript Source File Inclusion - Passive/release)
+10019	WARN	(Content-Type Header Missing - Passive/release)
+10020	WARN	(X-Frame-Options Header Scanner - Passive/release)
+10021	WARN	(X-Content-Type-Options Header Missing - Passive/release)
+10023	WARN	(Information Disclosure - Debug Error Messages - Passive/release)
+10024	WARN	(Information Disclosure - Sensitive Information in URL - Passive/beta)
+10025	WARN	(Information Disclosure - Sensitive Information in HTTP Referrer Header - Passive/beta)
+10026	WARN	(HTTP Parameter Override - Passive/beta)
+10027	WARN	(Information Disclosure - Suspicious Comments - Passive/beta)
+10032	WARN	(Viewstate Scanner - Passive/release)
+10037	WARN	(Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) - Passive/beta)
+10040	WARN	(Secure Pages Include Mixed Content - Passive/release)
+10045	WARN	(Source Code Disclosure - /WEB-INF folder - Active/release)
+10048	WARN	(Remote Code Execution - Shell Shock - Active/beta)
+10054	WARN	(Cookie Without SameSite Attribute - Passive/beta)
+10055	WARN	(CSP Scanner - Passive/release)
+10056	WARN	(X-Debug-Token Information Leak - Passive/beta)
+10057	WARN	(Username Hash Found - Passive/beta)
+10061	WARN	(X-AspNet-Version Response Header Scanner - Passive/beta)
+10095	WARN	(Backup File Disclosure - Active/beta)
+10096	WARN	(Timestamp Disclosure - Passive/beta)
+10098	WARN	(Cross-Domain Misconfiguration - Passive/beta)
+10105	WARN	(Weak Authentication Method - Passive/release)
+10202	WARN	(Absence of Anti-CSRF Tokens - Passive/release)
+2	WARN	(Private IP Disclosure - Passive/release)
+20012	WARN	(Anti CSRF Tokens Scanner - Active/beta)
+20014	WARN	(HTTP Parameter Pollution scanner - Active/beta)
+20015	WARN	(Heartbleed OpenSSL Vulnerability - Active/beta)
+20016	WARN	(Cross-Domain Misconfiguration - Active/beta)
+20017	WARN	(Source Code Disclosure - CVE-2012-1823 - Active/beta)
+20018	WARN	(Remote Code Execution - CVE-2012-1823 - Active/beta)
+20019	WARN	(External Redirect - Active/release)
+3	WARN	(Session ID in URL Rewrite - Passive/release)
+30001	WARN	(Buffer Overflow - Active/release)
+30002	WARN	(Format String Error - Active/release)
+30003	WARN	(Integer Overflow Error - Active/beta)
+40003	WARN	(CRLF Injection - Active/release)
+40008	WARN	(Parameter Tampering - Active/release)
+40009	WARN	(Server Side Include - Active/release)
+40012	FAIL	(Cross Site Scripting (Reflected) - Active/release)
+40013	WARN	(Session Fixation - Active/beta)
+40014	FAIL	(Cross Site Scripting (Persistent) - Active/release)
+40016	FAIL	(Cross Site Scripting (Persistent) - Prime - Active/release)
+40017	FAIL	(Cross Site Scripting (Persistent) - Spider - Active/release)
+40018	FAIL	(SQL Injection - Active/release)
+40019	FAIL	(SQL Injection - MySQL - Active/beta)
+40020	FAIL	(SQL Injection - Hypersonic SQL - Active/beta)
+40021	FAIL	(SQL Injection - Oracle - Active/beta)
+40022	FAIL	(SQL Injection - PostgreSQL - Active/beta)
+40023	WARN	(Possible Username Enumeration - Active/beta)
+42	WARN	(Source Code Disclosure - SVN - Active/beta)
+50000	WARN	(Script Active Scan Rules - Active/release)
+50001	WARN	(Script Passive Scan Rules - Passive/release)
+6	WARN	(Path Traversal - Active/release)
+7	WARN	(Remote File Inclusion - Active/release)
+90001	WARN	(Insecure JSF ViewState - Passive/release)
+90011	WARN	(Charset Mismatch - Passive/release)
+90019	WARN	(Server Side Code Injection - Active/release)
+90020	WARN	(Remote OS Command Injection - Active/release)
+90021	WARN	(XPath Injection - Active/beta)
+90022	WARN	(Application Error Disclosure - Passive/release)
+90023	WARN	(XML External Entity Attack - Active/beta)
+90024	WARN	(Generic Padding Oracle - Active/beta)
+90025	WARN	(Expression Language Injection - Active/beta)
+90028	WARN	(Insecure HTTP Method - Active/beta)
+90033	WARN	(Loosely Scoped Cookie - Passive/release)

src/main/java/hawk/ApiSearchController.java

@@ -0,0 +1,25 @@
+package hawk;
+
+import hawk.api.SearchResult;
+import hawk.entity.Item;
+import hawk.form.Search;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.RestController;
+
+import java.util.List;
+
+@RestController
+public class ApiSearchController {
+
+    @Autowired
+    SearchService searchService;
+
+    @GetMapping("/api/search")
+    public SearchResult searchApi(@RequestParam(value = "searchText", defaultValue = "") String searchText) {
+        List<Item> items = searchService.search(new Search(searchText));
+        return new SearchResult(searchText, items);
+    }
+
+}

src/main/java/hawk/MvcConfig.java → src/main/java/hawk/Config.java

@@ -1,18 +1,24 @@
 package hawk;
 
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.data.jpa.repository.config.EnableJpaRepositories;
 import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
 @Configuration
 @EnableJpaRepositories
-public class MvcConfig implements WebMvcConfigurer {
+public class Config implements WebMvcConfigurer {
 
     /*public void addViewControllers(ViewControllerRegistry registry) {
         //registry.addViewController("/").setViewName("index");
         //registry.addViewController("/hello").setViewName("hello");
         //registry.addViewController("/login").setViewName("login");
     }*/
 
+    @Bean
+    public SearchService searchService(){
+        return new SearchService();
+    }
+
 }

src/main/java/hawk/SearchController.java

@@ -1,11 +1,7 @@
 package hawk;
 
-import hawk.entity.Item;
 import hawk.form.Search;
-import hawk.repos.ItemRepo;
 import hawk.repos.ItemsRepo;
-import org.hibernate.Session;
-import org.hibernate.jdbc.ReturningWork;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
@@ -14,10 +10,6 @@
 import org.springframework.web.bind.annotation.PostMapping;
 
 import javax.persistence.EntityManager;
-import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.util.ArrayList;
 import java.util.List;
 
 @Controller
@@ -29,6 +21,9 @@ public class SearchController {
     @Autowired
     EntityManager entityManager;
 
+    @Autowired
+    SearchService searchService;
+
     @GetMapping("/search")
     public String searchForm(Model model) {
         model.addAttribute("search", new Search());
@@ -37,24 +32,7 @@ public String searchForm(Model model) {
 
     @PostMapping("/search")
     public String searchSubmit(@ModelAttribute Search search, Model model) {
-        final Session session = (Session) entityManager.unwrap(Session.class);
-        List itemsx = session.doReturningWork(new ReturningWork<List<Item>>() {
-            @Override
-            public List<Item> execute(Connection connection) throws SQLException {
-                List<Item> items = new ArrayList<>();
-                ResultSet rs = connection
-                        .createStatement()
-                        .executeQuery(
-                                "select * from ITEM where name like '%" + search.getSearchText() + "%'"
-                        );
-                //or description like '%" + search.getSearchText() + "%'
-                while (rs.next()) {
-                    items.add(new Item(rs.getLong("id"), rs.getString("name"), rs.getString("description")));
-                }
-                return items;
-            }
-        });
-
+        List itemsx = searchService.search(search);
         //List items = repo.findByNameContainingOrDescriptionContaining(search.getSearchText(), search.getSearchText());
         model.addAttribute("items", itemsx);
         model.addAttribute("search", search);

src/main/java/hawk/SearchService.java

@@ -0,0 +1,44 @@
+package hawk;
+
+import hawk.entity.Item;
+import hawk.form.Search;
+import org.hibernate.Session;
+import org.hibernate.jdbc.ReturningWork;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+
+import javax.persistence.EntityManager;
+import java.sql.Connection;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.util.ArrayList;
+import java.util.List;
+
+public class SearchService {
+
+    @Autowired
+    EntityManager entityManager;
+
+    List<Item> search(Search search) {
+        final Session session = (Session) entityManager.unwrap(Session.class);
+        List items = session.doReturningWork(new ReturningWork<List<Item>>() {
+            @Override
+            public List<Item> execute(Connection connection) throws SQLException {
+                List<Item> items = new ArrayList<>();
+                ResultSet rs = connection
+                        .createStatement()
+                        .executeQuery(
+                                "select * from ITEM where name like '%" + search.getSearchText() + "%'"
+                        );
+                //or description like '%" + search.getSearchText() + "%'
+                while (rs.next()) {
+                    items.add(new Item(rs.getLong("id"), rs.getString("name"), rs.getString("description")));
+                }
+                return items;
+            }
+        });
+        return items;
+    }
+
+
+}

src/main/java/hawk/api/SearchResult.java

@@ -0,0 +1,24 @@
+package hawk.api;
+
+import hawk.entity.Item;
+
+import java.util.List;
+
+public class SearchResult {
+
+    private final String searchText;
+    private final List<Item> items;
+
+    public SearchResult(String searchText, List<Item> items) {
+        this.searchText = searchText;
+        this.items = items;
+    }
+
+    public String getSearchText() {
+        return searchText;
+    }
+
+    public List<Item> getItems() {
+        return items;
+    }
+}

src/main/java/hawk/form/Search.java

@@ -5,6 +5,13 @@ public class Search {
 
     private String searchText;
 
+    public Search() {
+    }
+
+    public Search(String searchText) {
+        this.searchText = searchText;
+    }
+
     public String getSearchText() {
         return searchText;
     }

stackhawk.yml

@@ -2,6 +2,6 @@ app:
   host: ${APP_HOST:http://localhost:8080}
   scanType: ${SCAN_TYPE:baseline}
   scanLevelConf: ${SCAN_LEVEL_CONF:}
-#  basePath: /api
-#  routes:
-#    - path: GET /search?searchTxt=string
+  basePath: /api
+  routes:
+    - path: GET /search?searchTxt=string