PatchWork AutoFix

WebContent/high_yield_investments.htm

@@ -124,7 +124,7 @@ <h1>High Yield Investments</h1>
         if any, to third party products and/or websites are purely coincidental. This site is
         provided "as is" without warranty of any kind, either express or implied. Watchfire does
         not assume any risk in relation to your use of this website. For additional Terms of Use,
-        please go to <a id="_ctl0__ctl0_HyperLink7" href="http://www.watchfire.com/statements/terms.aspx">http://www.watchfire.com/statements/terms.aspx</a>.<br /><br />
+        please go to <a id="_ctl0__ctl0_HyperLink7" href="https://www.watchfire.com/statements/terms.aspx">https://www.watchfire.com/statements/terms.aspx</a>.<br /><br />
 
         Copyright &copy; 2006, Watchfire Corporation, All rights reserved.
     </div>

WebContent/static/inside_about.htm

@@ -9,7 +9,7 @@ <h1>About Altoro Mutual</h1>
 <ul>
     <li><a href="index.jsp?content=inside_executives.htm">Executives & Management Team</a></li>
     <li><a href="index.jsp?content=inside_community.htm">Community Affairs</a></li>
-    <li><a href="http://www.newspapersyndications.tv">Analyst Reviews</a></li>
+    <li><a href="https://www.newspapersyndications.tv">Analyst Reviews</a></li>
     <li><a href="inside_points_of_interest.htm">Points of Interest</a></li>
 </ul>
 
@@ -22,4 +22,4 @@ <h1>About Altoro Mutual</h1>
 <span class="credit">
 Altoro Mutual offers a broad range of commercial, private, retail and mortgage banking services to small- and middle-market businesses and individuals.</span>
 
-</div>
+</div>

WebContent/static/inside_community.htm

@@ -12,6 +12,6 @@ <h2>Summer 2006</h2>
 <p>The 2006 community efforts of Altoro Mutual and our employees is quite impressive including charitable contributions, volunteerism, diversity initiatives, and other support.  <a href="pr/communityannualreport.pdf">View</a> the summary report (PDF, 800KB).</p>
 
 <p><img src="images/adobe.gif" border=0 alt="Adobe Reader"><br />
-<a href="http://www.adobe.com/products/acrobat/readstep2.html">Download free Adobe Reader</a>.</p>
+<a href="https://www.adobe.com/products/acrobat/readstep2.html">Download free Adobe Reader</a>.</p>
 
-</div>
+</div>

WebContent/static/security.htm

@@ -56,7 +56,7 @@ <h2>Keep Your System Up to Date</h2>
 <h2>Backups</h2>
 <p>It is a good practice to back up important files and folders on your computer. To back up files, you can make copies onto media that you can safely store elsewhere, such as CDs or floppy discs. </p>
 
-<p>For more information on home computer security, visit <a href="http://www.cert.org/">http://www.cert.org/</a>.</p>
+<p>For more information on home computer security, visit <a href="https://www.cert.org/">https://www.cert.org/</a>.</p>
 <p><a href="#top"><img alt="Back to Top" src="images/icon_top.gif" border="0" /></a>
 
 </div>

WebContent/swagger/lib/marked.js

@@ -308,7 +308,7 @@ Lexer.prototype.token = function(src, top, bq) {
         if (~item.indexOf('\n ')) {
           space -= item.length;
           item = !this.options.pedantic
-            ? item.replace(new RegExp('^ {1,' + space + '}', 'gm'), '')
+            ? item.replace(/^ {1, space}/gm, '')
             : item.replace(/^ {1,4}/gm, '');
         }
 
@@ -1095,9 +1095,11 @@ function unescape(html) {
   });
 }
 
-function replace(regex, opt) {
-  regex = regex.source;
-  opt = opt || '';
+
+function replace(name, val) {
+  let regex = "^[a-zA-Z0-9]*$"; 
+  let opt = (typeof val === 'string' && val.length > 0) ? val : '';
+
   return function self(name, val) {
     if (!name) return new RegExp(regex, opt);
     val = val.source || val;
@@ -1107,6 +1109,7 @@ function replace(regex, opt) {
   };
 }
 
+
 function noop() {}
 noop.exec = noop;
 

src/com/ibm/security/appscan/altoromutual/servlet/AdminServlet.java

@@ -25,6 +25,7 @@
 import javax.servlet.http.HttpServletResponse;
 
 import com.ibm.security.appscan.altoromutual.util.DBUtil;
+import org.apache.commons.text.StringEscapeUtils;
 
 /**
  * This servlet handles site admin operations
@@ -115,7 +116,8 @@ else if (request.getRequestURL().toString().endsWith("changePassword")){
 		else
 			message = "Requested operation has completed successfully.";
 
-		request.getSession().setAttribute("message", message);
+		String safeMessage = StringEscapeUtils.escapeHtml4(message);
+		request.getSession().setAttribute("message", safeMessage);
 		response.sendRedirect("admin.jsp");
 		return ;
 	}

src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java

@@ -36,72 +36,70 @@
  * @author Alexei
  */
 public class LoginServlet extends HttpServlet {
-	private static final long serialVersionUID = 1L;
-	
+    private static final long serialVersionUID = 1L;
+    
     /**
      * @see HttpServlet#HttpServlet()
      */
     public LoginServlet() {
         super();
     }
 
-	/**
-	 * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
-	 */
-	protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
-		//log out
-		try {
-			HttpSession session = request.getSession(false);
-			session.removeAttribute(ServletUtil.SESSION_ATTR_USER);
-		} catch (Exception e){
-			// do nothing
-		} finally {
-			response.sendRedirect("index.jsp");
-		}
-
-	}
-
-	/**
-	 * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
-	 */
-	protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
-		//log in
-		// Create session if there isn't one:
-		HttpSession session = request.getSession(true);
+    /**
+     * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
+     */
+    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        //log out
+        try {
+            HttpSession session = request.getSession(false);
+            session.removeAttribute(ServletUtil.SESSION_ATTR_USER);
+        } catch (Exception e){
+            // do nothing
+        } finally {
+            response.sendRedirect("index.jsp");
+        }
+
+    }
 
-		String username = null;
-
-		try {
-			username = request.getParameter("uid");
-			if (username != null)
-				username = username.trim().toLowerCase();
-
-			String password = request.getParameter("passw");
-			password = password.trim().toLowerCase(); //in real life the password usually is case sensitive and this cast would not be done
-
-			if (!DBUtil.isValidUser(username, password)){
-				Log4AltoroJ.getInstance().logError("Login failed >>> User: " +username + " >>> Password: " + password);
-				throw new Exception("Login Failed: We're sorry, but this username or password was not found in our system. Please try again.");
-			}
-		} catch (Exception ex) {
-			request.getSession(true).setAttribute("loginError", ex.getLocalizedMessage());
-			response.sendRedirect("login.jsp");
-			return;
-		}
+    /**
+     * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
+     */
+    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        //log in
+        // Create session if there isn't one:
+        HttpSession session = request.getSession(true);
+        String username = null;
 
-		//Handle the cookie using ServletUtil.establishSession(String)
-		try{
-			Cookie accountCookie = ServletUtil.establishSession(username,session);
-			response.addCookie(accountCookie);
-			response.sendRedirect(request.getContextPath()+"/bank/main.jsp");
-			}
-		catch (Exception ex){
-			ex.printStackTrace();
-			response.sendError(500);
-		}
-
-
-		return;
-	}
+        try {
+            username = request.getParameter("uid");
+            if (username != null)
+                username = username.trim().toLowerCase();
+
+            String password = request.getParameter("passw");
+            password = password.trim().toLowerCase(); //in real life the password usually is case sensitive and this cast would not be done
+
+            if (!DBUtil.isValidUser(username, password)){
+                Log4AltoroJ.getInstance().logError("Login failed >>> User: " +username + " >>> Password: " + password);
+                throw new Exception("Login Failed: We're sorry, but this username or password was not found in our system. Please try again.");
+            }
+        } catch (Exception ex) {
+            request.getSession(true).setAttribute("loginError", ex.getLocalizedMessage());
+            response.sendRedirect("login.jsp");
+            return;
+        }
 
+        //Handle the cookie using ServletUtil.establishSession(String)
+        try {
+            Cookie accountCookie = ServletUtil.establishSession(username, session);
+            accountCookie.setHttpOnly(true);
+            accountCookie.setSecure(true);
+            response.addCookie(accountCookie);
+            response.sendRedirect(request.getContextPath()+"/bank/main.jsp");
+        } catch (Exception ex) {
+            ex.printStackTrace();
+            response.sendError(500);
+        }
+
+        return;
+    }
 }

src/com/ibm/security/appscan/altoromutual/servlet/SurveyServlet.java

@@ -95,10 +95,19 @@ else if (step.equals("done")){
 			content = "<h1>Request Out of Order</h1>"+
 			"<div width=\"99%\"><p>It appears that you attempted to skip or repeat some areas of this survey.  Please <a href=\"survey_questions.jsp\">return to the start page</a> to begin again.</p></div>";
 		} else {		
-			request.getSession().setAttribute("surveyStep", step);
+        String step = request.getParameter("step");
+        public String sanitizeInput(String input) {
+            return input.replaceAll("[^a-zA-Z0-9]", "");
+        }
+        String sanitizedStep = sanitizeInput(step);
+        request.getSession().setAttribute("surveyStep", sanitizedStep);
+
 		}
 		response.setContentType("text/html");
-		response.getWriter().write(content);
+		import org.owasp.esapi.ESAPI;
+
+		String safeContent = ESAPI.encoder().encodeForHTML(content);
+		response.getWriter().write(safeContent);
 		response.getWriter().flush();
 
 	}