From e28acd57607df3093e3effcc0bb47ecf77a0ba45 Mon Sep 17 00:00:00 2001
From: Matthias Kurz
Date: Thu, 29 Sep 2022 21:00:08 +0200
Subject: [PATCH 01/36] Drop Java 8
---
.github/workflows/build-test.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml
index dd6a07e..5ddaea4 100644
--- a/.github/workflows/build-test.yml
+++ b/.github/workflows/build-test.yml
@@ -15,9 +15,9 @@ concurrency:
jobs:
tests:
name: Tests
- uses: playframework/.github/.github/workflows/cmd.yml@v2
+ uses: playframework/.github/.github/workflows/cmd.yml@v3
with:
- java: 17, 11, 8
+ java: 17, 11
scala: 2.12.17, 2.13.8
cmd: sbt ++$MATRIX_SCALA test
@@ -26,4 +26,4 @@ jobs:
if: github.event_name == 'pull_request'
needs: # Should be last
- "tests"
- uses: playframework/.github/.github/workflows/rtm.yml@v2
+ uses: playframework/.github/.github/workflows/rtm.yml@v3
From 7002ce83094208c945dcd065be6fb0dbe550675d Mon Sep 17 00:00:00 2001
From: Matthias Kurz
Date: Tue, 4 Oct 2022 15:53:08 +0200
Subject: [PATCH 02/36] Unstable Play 2.9 milestone
---
project/plugins.sbt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/project/plugins.sbt b/project/plugins.sbt
index cb44a7a..d6161ac 100644
--- a/project/plugins.sbt
+++ b/project/plugins.sbt
@@ -2,4 +2,4 @@ scalacOptions ++= Seq(
"-feature", "-unchecked", "-deprecation", "-Xlint:-unused", "-Xfatal-warnings")
-addSbtPlugin("com.typesafe.play" % "sbt-plugin" % "2.8.16")
+addSbtPlugin("com.typesafe.play" % "sbt-plugin" % "2.9.0-M2")
From f28683ad2320b8b87e8b9f4c9475a0b74f7a6536 Mon Sep 17 00:00:00 2001
From: Matthias Kurz
Date: Tue, 4 Oct 2022 15:53:30 +0200
Subject: [PATCH 03/36] Drop Scala 2.12
---
.github/workflows/build-test.yml | 2 +-
build.sbt | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml
index 5ddaea4..312452e 100644
--- a/.github/workflows/build-test.yml
+++ b/.github/workflows/build-test.yml
@@ -18,7 +18,7 @@ jobs:
uses: playframework/.github/.github/workflows/cmd.yml@v3
with:
java: 17, 11
- scala: 2.12.17, 2.13.8
+ scala: 2.13.8
cmd: sbt ++$MATRIX_SCALA test
finish:
diff --git a/build.sbt b/build.sbt
index fd5c192..00ce325 100644
--- a/build.sbt
+++ b/build.sbt
@@ -3,7 +3,7 @@ lazy val `play-webgoat` = (project in file(".")).enablePlugins(PlayScala)
name := "play-webgoat"
version := "1.0"
-crossScalaVersions := Seq("2.13.8", "2.12.17")
+crossScalaVersions := Seq("2.13.8")
scalaVersion := crossScalaVersions.value.head // tc-skip
libraryDependencies ++= Seq(guice, ws)
From 2839a6b2586de25ff33e216340c3ef98113264f5 Mon Sep 17 00:00:00 2001
From: Matthias Kurz
Date: Tue, 4 Oct 2022 15:53:42 +0200
Subject: [PATCH 04/36] Correct branch (2.9.x) for workflow
---
.github/workflows/build-test.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml
index 312452e..ee453fd 100644
--- a/.github/workflows/build-test.yml
+++ b/.github/workflows/build-test.yml
@@ -5,7 +5,7 @@ on:
push:
branches:
- - 2.8.x # Check branch after merge
+ - 2.9.x # Check branch after merge
concurrency:
# Only run once for latest commit per ref and cancel other (previous) runs.
From 513b9a8aba6e19a2cc1a5e14bd58b072865bcf12 Mon Sep 17 00:00:00 2001
From: Matthias Kurz
Date: Tue, 4 Oct 2022 15:55:42 +0200
Subject: [PATCH 05/36] scala-xml conflict workaround
---
project/plugins.sbt | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/project/plugins.sbt b/project/plugins.sbt
index d6161ac..d95936b 100644
--- a/project/plugins.sbt
+++ b/project/plugins.sbt
@@ -1,3 +1,7 @@
+lazy val plugins = (project in file(".")).settings(
+ scalaVersion := "2.12.17", // TODO: remove when upgraded to sbt 1.8.0 (maybe even 1.7.2), see https://github.com/sbt/sbt/pull/7021
+ )
+
scalacOptions ++= Seq( "-feature", "-unchecked", "-deprecation", "-Xlint:-unused", "-Xfatal-warnings")
From e53f7fe75564513c1411a6083549260346ccd68b Mon Sep 17 00:00:00 2001
From: Matthias Kurz
Date: Wed, 5 Oct 2022 11:18:27 +0200
Subject: [PATCH 06/36] Semantic Scala version selector expression in workflows
---
.github/workflows/build-test.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml
index ee453fd..e0f1af5 100644
--- a/.github/workflows/build-test.yml
+++ b/.github/workflows/build-test.yml
@@ -18,7 +18,7 @@ jobs:
uses: playframework/.github/.github/workflows/cmd.yml@v3
with:
java: 17, 11
- scala: 2.13.8
+ scala: 2.13.x
cmd: sbt ++$MATRIX_SCALA test
finish:
From d9f8a0d91da6235b0b5d0a9cda94e055d8c7f621 Mon Sep 17 00:00:00 2001
From: Matthias Kurz
Date: Mon, 10 Oct 2022 12:34:56 +0200
Subject: [PATCH 07/36] Latest Scala/sbt versions
---
build.sbt | 2 +-
project/build.properties | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/build.sbt b/build.sbt
index 00ce325..42cd013 100644
--- a/build.sbt
+++ b/build.sbt
@@ -3,7 +3,7 @@ lazy val `play-webgoat` = (project in file(".")).enablePlugins(PlayScala)
name := "play-webgoat"
version := "1.0"
-crossScalaVersions := Seq("2.13.8")
+crossScalaVersions := Seq("2.13.10")
scalaVersion := crossScalaVersions.value.head // tc-skip
libraryDependencies ++= Seq(guice, ws)
diff --git a/project/build.properties b/project/build.properties
index 22af262..563a014 100644
--- a/project/build.properties
+++ b/project/build.properties
@@ -1 +1 @@
-sbt.version=1.7.1
+sbt.version=1.7.2
From a553f9cfaafcfccf9dfae57e322ff982ab94dfeb Mon Sep 17 00:00:00 2001
From: Matthias Kurz
Date: Fri, 14 Oct 2022 11:47:49 +0200
Subject: [PATCH 08/36] Use the mergify config from the .github repo
---
.github/mergify.yml | 1 +
.mergify.yml | 39 ---------------------------------------
2 files changed, 1 insertion(+), 39 deletions(-)
create mode 100644 .github/mergify.yml
delete mode 100644 .mergify.yml
diff --git a/.github/mergify.yml b/.github/mergify.yml new file mode 100644 index 0000000..526045d --- /dev/null +++ b/.github/mergify.yml @@ -0,0 +1 @@ +extends: .github diff --git a/.mergify.yml b/.mergify.yml deleted file mode 100644 index d3b4b8a..0000000 --- a/.mergify.yml +++ /dev/null @@ -1,39 +0,0 @@ -defaults: - actions: - backport: - title: "[{{ destination_branch }}] {{ title }} (backport #{{ number }}) by @{{ author }}" - -queue_rules: - - name: default - conditions: - # Conditions to get out of the queue (= merged) - - check-success~=/ Ready To Merge$ - -pull_request_rules: - - name: Merge PRs that are ready - conditions: - - check-success~=/ Ready To Merge$ - - "#approved-reviews-by>=1" - - "#review-requested=0" - - "#changes-requested-reviews-by=0" - - label!=status:block-merge - - label=status:merge-when-green - actions: - queue: - method: merge - name: default - - - name: Delete the PR branch and remove label after merge - conditions: - - merged - actions: - delete_head_branch: {} - label: - remove: [ "status:merge-when-green" ] - - - name: Labeling for Scala Steward PR's - conditions: - - author=scala-steward - actions: - label: - add: [ "type:updates" ] From 0491b72d6f8ecb4650ce099535914f2264c368f0 Mon Sep 17 00:00:00 2001 From: Matthias Kurz Date: Fri, 14 Oct 2022 22:23:37 +0200 Subject: [PATCH 09/36] Remove unecessary NOTICE file (cherry picked from commit 2984801096b20ba972d3d12a2a5cdb03c142f410) --- NOTICE | 8 -------- 1 file changed, 8 deletions(-) delete mode 100644 NOTICE diff --git a/NOTICE b/NOTICE deleted file mode 100644 index 6d6c034..0000000 --- a/NOTICE +++ /dev/null @@ -1,8 +0,0 @@ -Written by Lightbend - -To the extent possible under law, the author(s) have dedicated all copyright and -related and neighboring rights to this software to the public domain worldwide. -This software is distributed without any warranty. - -You should have received a copy of the CC0 Public Domain Dedication along with -this software. If not, see . 
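Review bot: The rules this repository now runs under are not visible in the diff, while the deleted `.mergify.yml` beneath it shows what they replaced: auto-merge was gated on `check-success~=/ Ready To Merge$`, `#approved-reviews-by>=1` and `#changes-requested-reviews-by=0`. With `extends: .github` those gates are whatever playframework/.github defines at merge time, so anyone who can change that repository can change this project's merge policy, and a later weakening there would leave no trace in this repo's history. A one-line comment in the new file would make the dependency explicit: `# Merge, backport and labeling rules are inherited from playframework/.github (mergify "extends"); review-approval gating is defined there, not here.`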
From db9b45dae7208538096ce5f709e7240d6fa6b57f Mon Sep 17 00:00:00 2001 From: Matthias Kurz Date: Tue, 4 Oct 2022 16:58:54 +0200 Subject: [PATCH 10/36] Revert "scala-xml conflict workaround" This reverts commit 513b9a8aba6e19a2cc1a5e14bd58b072865bcf12. --- project/plugins.sbt | 4 ---- 1 file changed, 4 deletions(-) diff --git a/project/plugins.sbt b/project/plugins.sbt index d95936b..d6161ac 100644 --- a/project/plugins.sbt +++ b/project/plugins.sbt @@ -1,7 +1,3 @@ -lazy val plugins = (project in file(".")).settings( - scalaVersion := "2.12.17", // TODO: remove when upgraded to sbt 1.8.0 (maybe even 1.7.2), see https://github.com/sbt/sbt/pull/7021 -) - scalacOptions ++= Seq( "-feature", "-unchecked", "-deprecation", "-Xlint:-unused", "-Xfatal-warnings") From 23a2068341c85c899f927a633cca7dc32baf1c35 Mon Sep 17 00:00:00 2001 From: Matthias Kurz Date: Mon, 7 Nov 2022 10:47:49 +0100 Subject: [PATCH 11/36] sbt 1.8.0-RC1 --- project/build.properties | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/project/build.properties b/project/build.properties index 563a014..746ef5a 100644 --- a/project/build.properties +++ b/project/build.properties @@ -1 +1 @@ -sbt.version=1.7.2 +sbt.version=1.8.0-RC1 From 04cecc7a80b79f9e85c4fb1d06c56a7033a3dd8a Mon Sep 17 00:00:00 2001 From: Matthias Kurz Date: Mon, 6 Feb 2023 13:43:06 +0100 Subject: [PATCH 12/36] Switch from coloredLevel to %highlight(%-5level) --- conf/logback.xml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/conf/logback.xml b/conf/logback.xml index b69d188..31480f3 100644 --- a/conf/logback.xml +++ b/conf/logback.xml @@ -4,11 +4,9 @@ - - - %coloredLevel %logger{15} - %message%n%xException{10} + %highlight(%-5level) %logger{15} - %message%n%xException{10} From 861b6e18e05f1eeea57d5345e1d3c049b27b29ab Mon Sep 17 00:00:00 2001 From: Matthias Kurz Date: Tue, 7 Feb 2023 15:27:25 +0100 Subject: [PATCH 13/36] Update gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) 
diff --git a/.gitignore b/.gitignore index 1a82448..53ee61f 100644 --- a/.gitignore +++ b/.gitignore @@ -13,3 +13,4 @@ dist /.project /RUNNING_PID /.settings +/.bsp From aedfb65f590d941e482914032a88c353543017aa Mon Sep 17 00:00:00 2001 From: Matthias Kurz Date: Tue, 7 Feb 2023 15:30:17 +0100 Subject: [PATCH 14/36] Upgrade logback conf to new canonical format --- conf/logback.xml | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/conf/logback.xml b/conf/logback.xml index 31480f3..67c12f7 100644 --- a/conf/logback.xml +++ b/conf/logback.xml @@ -1,17 +1,24 @@ + + + Copyright (C) from 2022 The Play Framework Contributors , 2011-2021 Lightbend Inc. +--> + + + + + - - + + %highlight(%-5level) %logger{15} - %message%n%xException{10} - + From 0d03f275f86dc5cf8ac7baa9126ce405106856da Mon Sep 17 00:00:00 2001 From: Matthias Kurz Date: Wed, 1 Mar 2023 18:48:12 +0100 Subject: [PATCH 15/36] Set up sbt dependency submission --- .github/workflows/dependency-graph.yml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 .github/workflows/dependency-graph.yml diff --git a/.github/workflows/dependency-graph.yml b/.github/workflows/dependency-graph.yml new file mode 100644 index 0000000..af60c2d --- /dev/null +++ b/.github/workflows/dependency-graph.yml @@ -0,0 +1,24 @@ +name: Dependency Graph +on: + push: + branches: + - 2.9.x + +concurrency: + # Only run once for latest commit per ref and cancel other (previous) runs. + group: dependency-graph-${{ github.ref }} + cancel-in-progress: true + +permissions: + contents: write # this permission is needed to submit the dependency graph + +jobs: + dependency-graph: + name: Submit dependencies to GitHub + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + fetch-depth: 0 + ref: ${{ inputs.ref }} + - uses: scalacenter/sbt-dependency-submission@v2 From 01ff9152238642724c054283271a42eea8d34426 Mon Sep 17 00:00:00 2001 
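Review bot: `ref: ${{ inputs.ref }}` on the checkout step has nothing to resolve to: the workflow is triggered only by `push` and declares no `workflow_call` or `workflow_dispatch` inputs, so the expression presumably evaluates to an empty string and checkout falls back to `github.sha`, which is likely what was wanted anyway. Either drop the `ref:` line or add the trigger that supplies it, so the intent is not left to that fallback. Separately, the job runs with `contents: write` and pulls `scalacenter/sbt-dependency-submission@v2` and `actions/checkout@v3` by mutable tag; because this token can write to the repository, pinning both to commit SHAs (`@<sha> # v2`) would keep a retagged action from gaining write access on every push to 2.9.x.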
From: Matthias Kurz Date: Wed, 5 Apr 2023 17:28:54 +0200 Subject: [PATCH 16/36] Make it compile with Scala 3 --- .github/workflows/build-test.yml | 2 +- app/controllers/HomeController.scala | 35 +++++++++++++++------------- build.sbt | 7 +++--- project/build.properties | 2 +- project/plugins.sbt | 2 +- 5 files changed, 25 insertions(+), 23 deletions(-) diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml index e0f1af5..dfc6c49 100644 --- a/.github/workflows/build-test.yml +++ b/.github/workflows/build-test.yml @@ -18,7 +18,7 @@ jobs: uses: playframework/.github/.github/workflows/cmd.yml@v3 with: java: 17, 11 - scala: 2.13.x + scala: 2.13.x, 3.x cmd: sbt ++$MATRIX_SCALA test finish: diff --git a/app/controllers/HomeController.scala b/app/controllers/HomeController.scala index 60140ad..3ba7548 100644 --- a/app/controllers/HomeController.scala +++ b/app/controllers/HomeController.scala @@ -15,7 +15,7 @@ import scala.sys.process._ */ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(implicit ec: ExecutionContext) extends MessagesAbstractController(cc) { - def index = Action { implicit request => + def index: Action[AnyContent] = Action { implicit request => Ok(Html(s""" @@ -41,7 +41,7 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i /** * Command injection & XSS directly from directly called query parameter */ - def attackerQuerySimple = Action { implicit request => + def attackerQuerySimple: Action[AnyContent] = Action { implicit request => val address = request.getQueryString("address") // [RuleTest] Command Injection 
@@ -56,7 +56,7 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i /** * Command injection & XSS directly from directly called query parameter */ - def attackerQueryPatternMatching = Action { implicit request => + def attackerQueryPatternMatching: Action[AnyContent] = Action { implicit request => val addressRE= "(.*):(\\d+)".r val address = request.cookies.get("address").get.value @@ -72,7 +72,7 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i /** * XSS directly from directly called query parameter */ - def attackerQuery = Action { implicit request => + def attackerQuery: Action[AnyContent] = Action { implicit request => val result = request.getQueryString("attacker").map { command => // Render the command directly from query parameter, this is the obvious example @@ -87,21 +87,21 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i /** * XSS through query string parsed by generated router from conf/routes file. */ - def attackerRouteControlledQuery(attacker: String) = Action { implicit request => + def attackerRouteControlledQuery(attacker: String): Action[AnyContent] = Action { implicit request => Ok(Html(attacker)) as HTML } /** * XSS through path binding parsed by generated router from conf/routes file. */ - def attackerRouteControlledPath(attacker: String) = Action { implicit request => + def attackerRouteControlledPath(attacker: String): Action[AnyContent] = Action { implicit request => Ok(Html(attacker)) as HTML } /** * XSS through attacker controlled info in cookie */ - def attackerCookie = Action { implicit request => + def attackerCookie: Action[AnyContent] = Action { implicit request => // User cookies have no message authentication by default, so an attacker can pass in a cookie val result = request.cookies.get("attacker").map { attackerCookie => // Render the command 
@@ -114,7 +114,7 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i /** * XSS through attacker controlled header */ - def attackerHeader = Action { implicit request => + def attackerHeader: Action[AnyContent] = Action { implicit request => // Request headers are also unvalidated by default. // The usual example is pulling the Location header to do an unsafe redirect val result = request.headers.get("Attacker").map { command => @@ -128,7 +128,7 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i /** * Unbound redirect through Header */ - def attackerOpenRedirect = Action { implicit request => + def attackerOpenRedirect: Action[AnyContent] = Action { implicit request => request.headers.get("Location") match { case Some(attackerLocation) => // Also see https://github.com/playframework/playframework/issues/6450 @@ -142,7 +142,7 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i /** * XSS through URL encoded form input. */ - def attackerFormInput = Action { implicit request => + def attackerFormInput: Action[AnyContent] = Action { implicit request => val boundForm = FormData.form.bindFromRequest() boundForm.fold(badData => BadRequest("Bad form binding"), userData => { // Render the attacker command as HTML @@ -154,7 +154,7 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i /** * XSS through attacker controlled flash cookie. */ - def attackerFlash = Action { implicit request => + def attackerFlash: Action[AnyContent] = Action { implicit request => // Flash is usually handled with // Redirect(routes.HomeController.attackerFlash()).flashing("info" -> "Some text") // but if the user puts HTML in it and then renders it, 
@@ -170,14 +170,14 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i } // Render a boring form - def constraintForm = Action { implicit request => + def constraintForm: Action[AnyContent] = Action { implicit request => Ok(views.html.index(FormData.customForm)) } /** * XSS through custom constraint with user input */ - def attackerConstraintForm = Action { implicit request => + def attackerConstraintForm: Action[AnyContent] = Action { implicit request => // Bind a form that uses the i18n messages api, but the user input is reflected in the error message // Play takes a raw string here and escapes everything, but it may be possible to escape this... @@ -196,7 +196,7 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i /** * SSRF attacks done with Play WS */ - def attackerSSRF = Action.async { implicit request => + def attackerSSRF: Action[AnyContent] = Action.async { implicit request => // Play WS does not have a whitelist of valid URLs, so if you're calling it // directly with user input, you're open to SSRF. The best thing to do is // to place WS access in a wrapper, i.e. @@ -213,7 +213,7 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i /** * Command injection with custom body parser */ - def attackerCustomBodyParser = Action(bodyParser = BodyParser { header: RequestHeader => + def attackerCustomBodyParser: Action[Foo] = Action(bodyParser = BodyParser { (header: RequestHeader) => { // request header is a request without a body // http://localhost:9000/attackerCustomBodyParser?address=/etc/passwd val result = header.getQueryString("filename").map { filename => @@ -222,7 +222,7 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i }.getOrElse("No filename found!") Accumulator.done(Right(Foo(bar = result))) - }) { implicit request: Request[Foo] => + }}) { implicit request: Request[Foo] => val foo: Foo = request.body Ok(foo.bar) } 
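Review bot: The example URL in the comment inside `attackerCustomBodyParser`, `// http://localhost:9000/attackerCustomBodyParser?address=/etc/passwd`, names the wrong query parameter: the parser reads `header.getQueryString("filename")`, so following the comment as written lands in the `"No filename found!"` branch and never exercises the injection the method is meant to demonstrate. Suggest `// http://localhost:9000/attackerCustomBodyParser?filename=/etc/passwd`. The Scala 3 adaptation itself (explicit `(header: RequestHeader)` parameter type and the extra brace pair around the lambda body, closed as `}})` in the following hunk) looks fine; the `Foo` case class the parser builds is outside this hunk.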
@@ -304,4 +304,7 @@ object FormData {
case class UserData(name: String, age:Int)
+ object UserData {
+ def unapply(u: UserData): Option[(String, Int)] = Some((u.name, u.age))
+ }
}
diff --git a/build.sbt b/build.sbt
index 42cd013..3a013b7 100644
--- a/build.sbt
+++ b/build.sbt
@@ -3,12 +3,11 @@ lazy val `play-webgoat` = (project in file(".")).enablePlugins(PlayScala)
name := "play-webgoat"
version := "1.0"
-crossScalaVersions := Seq("2.13.10")
+crossScalaVersions := Seq("2.13.10", "3.3.0-RC3")
scalaVersion := crossScalaVersions.value.head // tc-skip
libraryDependencies ++= Seq(guice, ws)
scalacOptions ++= Seq(
- "-feature", "-unchecked", "-deprecation", "-Xfatal-warnings",
- // "unused" is too fragile w/ Twirl, routes file
- "-Xlint:-unused"
+ // "-unchecked", "-deprecation" // Set by Play already
+ "-feature", "-Werror",
)
diff --git a/project/build.properties b/project/build.properties
index 746ef5a..46e43a9 100644
--- a/project/build.properties
+++ b/project/build.properties
@@ -1 +1 @@
-sbt.version=1.8.0-RC1
+sbt.version=1.8.2
diff --git a/project/plugins.sbt b/project/plugins.sbt
index d6161ac..a44c428 100644
--- a/project/plugins.sbt
+++ b/project/plugins.sbt
@@ -2,4 +2,4 @@ scalacOptions ++= Seq(
"-feature", "-unchecked", "-deprecation", "-Xlint:-unused", "-Xfatal-warnings")
-addSbtPlugin("com.typesafe.play" % "sbt-plugin" % "2.9.0-M2")
+addSbtPlugin("com.typesafe.play" % "sbt-plugin" % "2.9.0-M3")
From 2ee0fdb78740986b80005b185e43f5866c843288 Mon Sep 17 00:00:00 2001
From: Seth Tisue
Date: Thu, 6 Apr 2023 10:46:22 +0200
Subject: [PATCH 17/36] re-enable -Xlint on Scala 2
---
app/controllers/HomeController.scala | 3 ++-
build.sbt | 4 ++++
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/app/controllers/HomeController.scala b/app/controllers/HomeController.scala
index 3ba7548..5a63d7a 100644
--- a/app/controllers/HomeController.scala
+++ b/app/controllers/HomeController.scala
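Review bot: The new `object UserData` companion needs a comment saying why it exists, because on its own it reads as dead code: it provides an `unapply` returning `Option[(String, Int)]`, the shape a Play `Form` `mapping(...)(UserData.apply)(UserData.unapply)` call expects and which Scala 3 no longer synthesizes for case classes (its generated `unapply` returns the instance itself). Suggest directly above the object: `// Scala 3's synthesized case-class unapply returns the instance, not an Option tuple; Play's Form mapping needs the Option form, so provide it explicitly (harmless on 2.13).` The enclosing `object FormData` and the form that presumably consumes this live outside the hunk, so the call site is inferred, not seen.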
@@ -62,8 +62,9 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i
val address = request.cookies.get("address").get.value
address match {
- // [RuleTest] Command Injection
+ // [RuleTest] Command Injection
case addressRE(address, port) => s"ping ${address}".!
+ case _ =>
}
// [RuleTest] Cross-Site Scripting: Reflected
Ok(Html(s"Host ${address} pinged")) as HTML
diff --git a/build.sbt b/build.sbt
index 3a013b7..0c8a38f 100644
--- a/build.sbt
+++ b/build.sbt
@@ -11,3 +11,7 @@ scalacOptions ++= Seq(
// "-unchecked", "-deprecation" // Set by Play already
"-feature", "-Werror",
)
+scalacOptions ++= (CrossVersion.partialVersion(scalaVersion.value) match {
+ case Some((2, _)) => Seq("-Xlint:-unused,_")
+ case _ => Seq()
+})
From 571fde04f02283abbefc7b3bbc2a15cfdf68fbc7 Mon Sep 17 00:00:00 2001
From: Matthias Kurz
Date: Thu, 27 Apr 2023 21:48:28 +0200
Subject: [PATCH 18/36] Scala 3.3.0-RC5
---
build.sbt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build.sbt b/build.sbt
index 0c8a38f..9f62b29 100644
--- a/build.sbt
+++ b/build.sbt
@@ -3,7 +3,7 @@ lazy val `play-webgoat` = (project in file(".")).enablePlugins(PlayScala)
name := "play-webgoat"
version := "1.0"
-crossScalaVersions := Seq("2.13.10", "3.3.0-RC3")
+crossScalaVersions := Seq("2.13.10", "3.3.0-RC5")
scalaVersion := crossScalaVersions.value.head // tc-skip
libraryDependencies ++= Seq(guice, ws)
From 23f25a3b365be35f2e5e3527abae6aee87b250c6 Mon Sep 17 00:00:00 2001
From: Matthias Kurz
Date: Mon, 5 Jun 2023 13:23:33 +0200
Subject: [PATCH 19/36] scala / sbt upgrades
---
build.sbt | 2 +-
project/build.properties | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/build.sbt b/build.sbt
index 9f62b29..168cc2b 100644
--- a/build.sbt
+++ b/build.sbt
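Review bot: The added `case _ =>` makes a cookie value that does not match `addressRE` fall through silently, yet the line after the match still answers `Host ${address} pinged`, so the page now reports a ping that never ran; before this change the same input raised a `MatchError`. Since the method exists to demonstrate command injection, a comment keeps the demo honest: `case _ => // no host:port match: nothing is executed, but the reflected message below is still sent`. Two things the commit leaves as they were are worth a note too: `request.cookies.get("address").get` on the first context line still throws `NoSuchElementException` when the cookie is absent, and the `addressRE(address, port)` binding shadows the outer `address`, so the reflected value is the whole cookie rather than the pinged host. The method's signature is outside this hunk.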
@@ -3,7 +3,7 @@ lazy val `play-webgoat` = (project in file(".")).enablePlugins(PlayScala)
name := "play-webgoat"
version := "1.0"
-crossScalaVersions := Seq("2.13.10", "3.3.0-RC5")
+crossScalaVersions := Seq("2.13.11", "3.3.0")
scalaVersion := crossScalaVersions.value.head // tc-skip
libraryDependencies ++= Seq(guice, ws)
diff --git a/project/build.properties b/project/build.properties
index 46e43a9..40b3b8e 100644
--- a/project/build.properties
+++ b/project/build.properties
@@ -1 +1 @@
-sbt.version=1.8.2
+sbt.version=1.9.0
From ed0055445700e24ee8c5014791d293b6c2d7b7a2 Mon Sep 17 00:00:00 2001
From: Matthias Kurz
Date: Mon, 5 Jun 2023 15:09:18 +0200
Subject: [PATCH 20/36] Play 2.9.0-M6
---
project/plugins.sbt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/project/plugins.sbt b/project/plugins.sbt
index a44c428..0ba3c8a 100644
--- a/project/plugins.sbt
+++ b/project/plugins.sbt
@@ -2,4 +2,4 @@ scalacOptions ++= Seq(
"-feature", "-unchecked", "-deprecation", "-Xlint:-unused", "-Xfatal-warnings")
-addSbtPlugin("com.typesafe.play" % "sbt-plugin" % "2.9.0-M3")
+addSbtPlugin("com.typesafe.play" % "sbt-plugin" % "2.9.0-M6")
From f259d911418af2d8c980d64daa3d3c4fa825625f Mon Sep 17 00:00:00 2001
From: Seth Tisue
Date: Tue, 27 Jun 2023 15:46:18 -0400
Subject: [PATCH 21/36] sbt 1.9.1 (was .0)
---
project/build.properties | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/project/build.properties b/project/build.properties
index 40b3b8e..3c0b78a 100644
--- a/project/build.properties
+++ b/project/build.properties
@@ -1 +1 @@
-sbt.version=1.9.0
+sbt.version=1.9.1
From 681ccc133c58e956a10d2ce64479bbdea1677c9e Mon Sep 17 00:00:00 2001
From: Seth Tisue
Date: Wed, 12 Jul 2023 14:30:35 -0700
Subject: [PATCH 22/36] sbt 1.9.2 (was .1)
---
project/build.properties | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/project/build.properties b/project/build.properties
index 3c0b78a..875b706 100644
--- a/project/build.properties
+++ b/project/build.properties
@@ -1 +1 @@
-sbt.version=1.9.1
+sbt.version=1.9.2
From 3ab63e30618606bad4e7412a187d5a41551ee483 Mon Sep 17 00:00:00 2001
From: Matthias Kurz
Date: Fri, 11 Aug 2023 11:41:26 +0200
Subject: [PATCH 23/36] sbt 1.9.3
---
project/build.properties | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/project/build.properties b/project/build.properties
index 875b706..52413ab 100644
--- a/project/build.properties
+++ b/project/build.properties
@@ -1 +1 @@
-sbt.version=1.9.2
+sbt.version=1.9.3
From 3c1de4c842026124d9f41f000fffaf435540f948 Mon Sep 17 00:00:00 2001
From: Matthias Kurz
Date: Mon, 21 Aug 2023 15:17:51 +0200
Subject: [PATCH 24/36] Play 2.9.0 M7
---
project/plugins.sbt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/project/plugins.sbt b/project/plugins.sbt
index 0ba3c8a..8803036 100644
--- a/project/plugins.sbt
+++ b/project/plugins.sbt
@@ -2,4 +2,4 @@ scalacOptions ++= Seq(
"-feature", "-unchecked", "-deprecation", "-Xlint:-unused", "-Xfatal-warnings")
-addSbtPlugin("com.typesafe.play" % "sbt-plugin" % "2.9.0-M6")
+addSbtPlugin("com.typesafe.play" % "sbt-plugin" % "2.9.0-M7")
From 94f9815bb5c655399c11f78d084eb2599fdf42bd Mon Sep 17 00:00:00 2001
From: Matthias Kurz
Date: Fri, 11 Aug 2023 13:34:52 +0200
Subject: [PATCH 25/36] Scala 3.3.1 / 2.13.12
---
build.sbt | 2 +-
project/build.properties | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/build.sbt b/build.sbt
index 168cc2b..1787870 100644
--- a/build.sbt
+++ b/build.sbt
@@ -3,7 +3,7 @@ lazy val `play-webgoat` = (project in file(".")).enablePlugins(PlayScala)
name := "play-webgoat"
version := "1.0"
-crossScalaVersions := Seq("2.13.11", "3.3.0")
+crossScalaVersions := Seq("2.13.12", "3.3.1")
scalaVersion := crossScalaVersions.value.head // tc-skip
libraryDependencies ++= Seq(guice, ws)
diff --git a/project/build.properties b/project/build.properties
index 52413ab..3040987 100644
--- a/project/build.properties
+++ b/project/build.properties
@@ -1 +1 @@
-sbt.version=1.9.3
+sbt.version=1.9.4
From 42af899ef20aeb3dea815023f0543be023f65e03 Mon Sep 17 00:00:00 2001
From: Matthias Kurz
Date: Thu, 14 Sep 2023 09:29:18 +0200
Subject: [PATCH 26/36] sbt 1.9.5
---
project/build.properties | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/project/build.properties b/project/build.properties
index 3040987..51b51fc 100644
--- a/project/build.properties
+++ b/project/build.properties
@@ -1 +1 @@
-sbt.version=1.9.4
+sbt.version=1.9.5
From 6c6eecb7df439fee2d99911b869e2d03f4d67261 Mon Sep 17 00:00:00 2001
From: Matthias Kurz
Date: Sat, 16 Sep 2023 00:30:34 +0200
Subject: [PATCH 27/36] Group Scala Steward patch updates into single PR
---
.scala-steward.conf | 7 +++++++
1 file changed, 7 insertions(+)
create mode 100644 .scala-steward.conf
diff --git a/.scala-steward.conf b/.scala-steward.conf
new file mode 100644
index 0000000..c17dba6
--- /dev/null
+++ b/.scala-steward.conf
@@ -0,0 +1,7 @@
+pullRequests.frequency = "@monthly"
+
+commits.message = "${artifactName} ${nextVersion} (was ${currentVersion})"
+
+pullRequests.grouping = [
+ { name = "patches", "title" = "Patch updates", "filter" = [{"version" = "patch"}] }
+]
From bb9622d2825c7365c6c4a90dd513e39b699b0b9f Mon Sep 17 00:00:00 2001
From: Matthias Kurz
Date: Mon, 18 Sep 2023 10:41:32 +0200
Subject: [PATCH 28/36] sbt 1.9.6
---
project/build.properties | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/project/build.properties b/project/build.properties
index 51b51fc..2743082 100644
--- a/project/build.properties
+++ b/project/build.properties
@@ -1 +1 @@
-sbt.version=1.9.5
+sbt.version=1.9.6
From f99364797cf6a287efd498fd39527a2b2c937ecb Mon Sep 17 00:00:00 2001
From: Matthias Kurz
Date: Fri, 15 Sep 2023 19:11:17 +0200
Subject: [PATCH 29/36] Play 2.9 release candidate
---
project/plugins.sbt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
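Review bot: `pullRequests.frequency = "@monthly"` applies to every artifact, so a security release of one of the pinned dependencies that lands the day after a Steward run waits up to a month for a PR unless someone opens it by hand, and the `patches` grouping then bundles that fix with unrelated bumps in a single PR. That is a policy choice rather than a bug, but for an app whose purpose is security tooling it is worth stating in the file: `# Monthly cadence: security releases are not fast-tracked by Steward; bump them manually when needed.` I cannot tell from this diff whether the org-level `.github` configuration layers a different cadence on top.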
diff --git a/project/plugins.sbt b/project/plugins.sbt
index 8803036..7673b48 100644
--- a/project/plugins.sbt
+++ b/project/plugins.sbt
@@ -2,4 +2,4 @@ scalacOptions ++= Seq(
"-feature", "-unchecked", "-deprecation", "-Xlint:-unused", "-Xfatal-warnings")
-addSbtPlugin("com.typesafe.play" % "sbt-plugin" % "2.9.0-M7")
+addSbtPlugin("com.typesafe.play" % "sbt-plugin" % "2.9.0-RC2")
From 952429041eb27e403097cb150a062b552320d109 Mon Sep 17 00:00:00 2001
From: Scala Steward
Date: Tue, 17 Oct 2023 00:42:06 +0000
Subject: [PATCH 30/36] play-ahc-ws, play-akka-http-server, ... 2.9.0-RC3 (was 2.9.0-RC2)
---
project/plugins.sbt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/project/plugins.sbt b/project/plugins.sbt
index 7673b48..a74039c 100644
--- a/project/plugins.sbt
+++ b/project/plugins.sbt
@@ -2,4 +2,4 @@ scalacOptions ++= Seq(
"-feature", "-unchecked", "-deprecation", "-Xlint:-unused", "-Xfatal-warnings")
-addSbtPlugin("com.typesafe.play" % "sbt-plugin" % "2.9.0-RC2")
+addSbtPlugin("com.typesafe.play" % "sbt-plugin" % "2.9.0-RC3")
From 2b641a3bcbb6fcd9804515ac64917ff06a99715e Mon Sep 17 00:00:00 2001
From: Matthias Kurz
Date: Mon, 23 Oct 2023 10:25:48 +0200
Subject: [PATCH 31/36] Move scala steward conf into .github folder
---
.scala-steward.conf => .github/scala-steward.conf | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename .scala-steward.conf => .github/scala-steward.conf (100%)
diff --git a/.scala-steward.conf b/.github/scala-steward.conf
similarity index 100%
rename from .scala-steward.conf
rename to .github/scala-steward.conf
From fb5c1e96f0b0563a987367371b2eeb2e994f1e6e Mon Sep 17 00:00:00 2001
From: Scala Steward
Date: Wed, 25 Oct 2023 02:29:25 +0000
Subject: [PATCH 32/36] sbt 1.9.7 (was 1.9.6)
---
project/build.properties | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/project/build.properties b/project/build.properties
index 2743082..e8a1e24 100644
--- a/project/build.properties
+++ b/project/build.properties
@@ -1 +1 @@ -sbt.version=1.9.6 +sbt.version=1.9.7 From 44dde71b4fe74e245c71be83a165805ef538abfe Mon Sep 17 00:00:00 2001 From: Matthias Kurz Date: Wed, 25 Oct 2023 16:41:01 +0200 Subject: [PATCH 33/36] Play 2.9.0 --- project/plugins.sbt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/project/plugins.sbt b/project/plugins.sbt index a74039c..7e45f85 100644 --- a/project/plugins.sbt +++ b/project/plugins.sbt @@ -2,4 +2,4 @@ scalacOptions ++= Seq( "-feature", "-unchecked", "-deprecation", "-Xlint:-unused", "-Xfatal-warnings") -addSbtPlugin("com.typesafe.play" % "sbt-plugin" % "2.9.0-RC3") +addSbtPlugin("com.typesafe.play" % "sbt-plugin" % "2.9.0") From 1f8fe878f7dcc999c52e5a542cd2c7cf76576f9a Mon Sep 17 00:00:00 2001 From: Matthias Kurz Date: Wed, 25 Oct 2023 22:59:54 +0200 Subject: [PATCH 34/36] correct cross-build comment (cherry picked from commit 5caffa75f76674f42a160c5763516f20287ce68b) --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d894175..d68b41e 100644 --- a/README.md +++ b/README.md @@ -27,4 +27,4 @@ Then go to http://localhost:9000. ## Scala versions -Cross-building to Scala 2.12 and 2.13 is supported. +Cross-building to Scala 2.13 and 3 is supported. From aad198a2898bcde2b68fc511a87c4f30d766699b Mon Sep 17 00:00:00 2001 From: Seth Tisue Date: Tue, 5 Dec 2023 18:26:28 -0800 Subject: [PATCH 35/36] Fortify: move to Play 2.9 and add Scala 3 --- .github/workflows/fortify.yml | 8 +- README.md | 2 +- app/controllers/HomeController.scala | 40 +++--- build.sbt | 11 +- conf/logback.xml | 17 ++- fortify.sbt | 2 +- project/plugins.sbt | 6 +- vulnerabilities-2.12.x.txt | 179 --------------------------- vulnerabilities-3.x.txt | 170 +++++++++++++++++++++++++ 9 files changed, 218 insertions(+), 217 deletions(-) delete mode 100644 vulnerabilities-2.12.x.txt create mode 100644 vulnerabilities-3.x.txt 
diff --git a/.github/workflows/fortify.yml b/.github/workflows/fortify.yml index 899db6e..2d5d15e 100644 --- a/.github/workflows/fortify.yml +++ b/.github/workflows/fortify.yml @@ -13,15 +13,15 @@ jobs: strategy: fail-fast: false matrix: - java: [8, 11, 17] - scala: [2.12.x, 2.13.x] + java: [8, 11, 17, 21] + scala: [2.13.x, 3.x] runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - uses: coursier/cache-action@v6 - - uses: actions/setup-java@v3 + - uses: actions/setup-java@v4 with: - distribution: adopt + distribution: temurin java-version: ${{matrix.java}} - uses: actions/cache@v3 diff --git a/README.md b/README.md index d88d21f..dc49049 100644 --- a/README.md +++ b/README.md @@ -39,4 +39,4 @@ Then go to http://localhost:9000. ## Scala versions -Cross-building to Scala 2.12 and 2.13 is supported. +Cross-building to Scala 2.13 and 3 is supported. diff --git a/app/controllers/HomeController.scala b/app/controllers/HomeController.scala index 2d0b6e7..48892d1 100644 --- a/app/controllers/HomeController.scala +++ b/app/controllers/HomeController.scala @@ -15,7 +15,7 @@ import scala.sys.process._ */ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(implicit ec: ExecutionContext) extends MessagesAbstractController(cc) { - def index = Action { implicit request => + def index: Action[AnyContent] = Action { implicit request => Ok(Html(s""" @@ -41,7 +41,7 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i /** * Command injection & XSS directly from directly called query parameter */ - def attackerQuerySimple = Action { implicit request => + def attackerQuerySimple: Action[AnyContent] = Action { implicit request => val address = request.getQueryString("address") // [RuleTest] Command Injection 
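Review bot: The matrix at the top of the hunk keeps `8` in `java: [8, 11, 17, 21]` while this same patch moves `project/plugins.sbt` to Play `2.9.0`, which as far as I know no longer supports Java 8, so the Java 8 legs would presumably fail and only `fail-fast: false` keeps them from aborting the rest; `java: [11, 17, 21]` looks like the intended list. Separately, `actions/setup-java` moves to `@v4` while `actions/checkout` and `actions/cache` stay on `@v3`; either way these are floating major tags, and pinning each action to a commit SHA is the usual hardening for a workflow that runs third-party tooling. The enclosing job definition starts above the hunk, so I cannot see whether permissions are restricted there.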
@@ -56,14 +56,15 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i /** * Command injection & XSS directly from directly called query parameter */ - def attackerQueryPatternMatching = Action { implicit request => + def attackerQueryPatternMatching: Action[AnyContent] = Action { implicit request => val addressRE= "(.*):(\\d+)".r val address = request.cookies.get("address").get.value address match { - // [RuleTest] Command Injection + // [RuleTest] Command Injection case addressRE(address, port) => s"ping ${address}".! + case _ => } // [RuleTest] Cross-Site Scripting: Reflected Ok(Html(s"Host ${address} pinged")) as HTML @@ -72,7 +73,7 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i /** * XSS directly from directly called query parameter */ - def attackerQuery = Action { implicit request => + def attackerQuery: Action[AnyContent] = Action { implicit request => val result = request.getQueryString("attacker").map { command => // Render the command directly from query parameter, this is the obvious example 
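Review bot: The `port` binding in `case addressRE(address, port)` is never read, and the new Scala 3 baseline (`vulnerabilities-3.x.txt`) now records it as a `Poor Style : Value Never Read` finding at `HomeController.scala(66)`; binding it as `_` removes that noise without touching the command-injection sink the fixture exists to exercise, e.g. `case addressRE(address, _) => s"ping ${address}".!`. The inner `address` also shadows the cookie value bound three lines earlier, which is presumably intentional (the outer value is what the reflected-XSS line below renders) but deserves a one-line comment. Any rename here will change the recorded dataflow trace (`<=> (address~1)`), so the baseline would need regenerating alongside it. The added `case _ =>` makes the match mixed `Int`/`Unit`, harmless as a statement, but a short comment saying it exists only to satisfy Scala 3 under `-Werror` would help, if that is indeed why it was added.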
@@ -87,21 +88,21 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i /** * XSS through query string parsed by generated router from conf/routes file. */ - def attackerRouteControlledQuery(attacker: String) = Action { implicit request => + def attackerRouteControlledQuery(attacker: String): Action[AnyContent] = Action { implicit request => Ok(Html(attacker)) as HTML } /** * XSS through path binding parsed by generated router from conf/routes file. */ - def attackerRouteControlledPath(attacker: String) = Action { implicit request => + def attackerRouteControlledPath(attacker: String): Action[AnyContent] = Action { implicit request => Ok(Html(attacker)) as HTML } /** * XSS through attacker controlled info in cookie */ - def attackerCookie = Action { implicit request => + def attackerCookie: Action[AnyContent] = Action { implicit request => // User cookies have no message authentication by default, so an attacker can pass in a cookie val result = request.cookies.get("attacker").map { attackerCookie => // Render the command @@ -114,7 +115,7 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i /** * XSS through attacker controlled header */ - def attackerHeader = Action { implicit request => + def attackerHeader: Action[AnyContent] = Action { implicit request => // Request headers are also unvalidated by default. // The usual example is pulling the Location header to do an unsafe redirect val result = request.headers.get("Attacker").map { command => @@ -128,7 +129,7 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i /** * Unbound redirect through Header */ - def attackerOpenRedirect = Action { implicit request => + def attackerOpenRedirect: Action[AnyContent] = Action { implicit request => request.headers.get("Location") match { case Some(attackerLocation) => // Also see https://github.com/playframework/playframework/issues/6450 
@@ -142,7 +143,7 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i /** * XSS through URL encoded form input. */ - def attackerFormInput = Action { implicit request => + def attackerFormInput: Action[AnyContent] = Action { implicit request => val boundForm = FormData.form.bindFromRequest() boundForm.fold(badData => BadRequest("Bad form binding"), userData => { // Render the attacker command as HTML @@ -154,7 +155,7 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i /** * XSS through attacker controlled flash cookie. */ - def attackerFlash = Action { implicit request => + def attackerFlash: Action[AnyContent] = Action { implicit request => // Flash is usually handled with // Redirect(routes.HomeController.attackerFlash()).flashing("info" -> "Some text") // but if the user puts HTML in it and then renders it, @@ -170,14 +171,14 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i } // Render a boring form - def constraintForm = Action { implicit request => + def constraintForm: Action[AnyContent] = Action { implicit request => Ok(views.html.index(FormData.customForm)) } /** * XSS through custom constraint with user input */ - def attackerConstraintForm = Action { implicit request => + def attackerConstraintForm: Action[AnyContent] = Action { implicit request => // Bind a form that uses the i18n messages api, but the user input is reflected in the error message // Play takes a raw string here and escapes everything, but it may be possible to escape this... @@ -196,7 +197,7 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i /** * XSS involving Twirl template */ - def twirlXSS = Action { implicit request => + def twirlXSS = Action { implicit request: MessagesRequest[AnyContent] => request.getQueryString("xss").map { payload => Ok(views.html.xss(payload)) }.getOrElse(Ok("Missing xss param")) 
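Review bot: `twirlXSS` is the only action in this file that did not receive an explicit `Action[AnyContent]` result type in this patch; it got a type ascription on the lambda parameter instead, so its public signature is still inferred. Unless Scala 3 overload resolution forced this shape, the two can be combined: `def twirlXSS: Action[AnyContent] = Action { implicit request: MessagesRequest[AnyContent] =>`. If the omission is deliberate, a short comment on that line saying why (presumably that the Twirl template needs the `MessagesRequest` implicit in scope) would stop the next reader from "fixing" it.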
@@ -205,7 +206,7 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i /** * SSRF attacks done with Play WS */ - def attackerSSRF = Action.async { implicit request => + def attackerSSRF: Action[AnyContent] = Action.async { implicit request => // Play WS does not have a whitelist of valid URLs, so if you're calling it // directly with user input, you're open to SSRF. The best thing to do is // to place WS access in a wrapper, i.e. @@ -222,7 +223,7 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i /** * Command injection with custom body parser */ - def attackerCustomBodyParser = Action(bodyParser = BodyParser { header: RequestHeader => + def attackerCustomBodyParser: Action[Foo] = Action(bodyParser = BodyParser { (header: RequestHeader) => { // request header is a request without a body // http://localhost:9000/attackerCustomBodyParser?address=/etc/passwd val result = header.getQueryString("filename").map { filename => @@ -231,7 +232,7 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i }.getOrElse("No filename found!") Accumulator.done(Right(Foo(bar = result))) - }) { implicit request: Request[Foo] => + }}) { implicit request: Request[Foo] => val foo: Foo = request.body Ok(foo.bar) } @@ -313,4 +314,7 @@ object FormData { case class UserData(name: String, age:Int) + object UserData { + def unapply(u: UserData): Option[(String, Int)] = Some((u.name, u.age)) + } } diff --git a/build.sbt b/build.sbt index ba53a0f..cb95f09 100644 --- a/build.sbt +++ b/build.sbt 
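Review bot: The new `object UserData` with a hand-written `unapply` returning `Option[(String, Int)]` has no comment explaining why a case class needs an explicit extractor; presumably it is there because on Scala 3 the synthesized case-class `unapply` returns the instance itself rather than an `Option`, which the `mapping(...)(UserData.apply)(UserData.unapply)` form-binding shape cannot consume (that mapping is outside this hunk, so I cannot confirm it is the caller). A comment such as `// Scala 3 case-class unapply is not Option-based; Play form mappings need this shape` would capture that. In `attackerCustomBodyParser` the extra brace pair around the parser body (`=> {` … `}})`) looks redundant given the lambda already has a block body; if it was needed for Scala 3 to parse the typed parameter, a note on that line would help too.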
@@ -3,12 +3,15 @@ lazy val `play-webgoat` = (project in file(".")).enablePlugins(PlayScala) name := "play-webgoat" version := "1.0" -crossScalaVersions := Seq("2.13.12", "2.12.18") +crossScalaVersions := Seq("3.3.1", "2.13.12") scalaVersion := crossScalaVersions.value.head // tc-skip libraryDependencies ++= Seq(guice, ws) scalacOptions ++= Seq( - "-feature", "-unchecked", "-deprecation", "-Xfatal-warnings", - // "unused" is too fragile w/ Twirl, routes file - "-Xlint:-unused" + // "-unchecked", "-deprecation" // Set by Play already + "-feature", "-Werror", ) +scalacOptions ++= (CrossVersion.partialVersion(scalaVersion.value) match { + case Some((2, _)) => Seq("-Xlint:-unused,_") + case _ => Seq() +}) diff --git a/conf/logback.xml b/conf/logback.xml index 31480f3..67c12f7 100644 --- a/conf/logback.xml +++ b/conf/logback.xml @@ -1,17 +1,24 @@ + + + Copyright (C) from 2022 The Play Framework Contributors , 2011-2021 Lightbend Inc. +--> + + + + + - - + + %highlight(%-5level) %logger{15} - %message%n%xException{10} - + diff --git a/fortify.sbt b/fortify.sbt index 4b0587f..d1d908b 100644 --- a/fortify.sbt +++ b/fortify.sbt @@ -1,6 +1,6 @@ // enable the plugin addCompilerPlugin( - "com.lightbend" %% "scala-fortify" % "1.0.25" + "com.lightbend" %% "scala-fortify" % "1.1.0-RC1" cross CrossVersion.patch) // configure the plugin diff --git a/project/plugins.sbt b/project/plugins.sbt index da36c0f..7e45f85 100644 --- a/project/plugins.sbt +++ b/project/plugins.sbt @@ -2,8 +2,4 @@ scalacOptions ++= Seq( "-feature", "-unchecked", "-deprecation", "-Xlint:-unused", "-Xfatal-warnings") -ThisBuild / libraryDependencySchemes ++= Seq( - "org.scala-lang.modules" %% "scala-xml" % VersionScheme.Always -) - -addSbtPlugin("com.typesafe.play" % "sbt-plugin" % "2.8.19") +addSbtPlugin("com.typesafe.play" % "sbt-plugin" % "2.9.0") diff --git a/vulnerabilities-2.12.x.txt b/vulnerabilities-2.12.x.txt deleted file mode 100644 index e677709..0000000 --- a/vulnerabilities-2.12.x.txt +++ /dev/null 
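Review bot: The comment explaining why `unused` is excluded from `-Xlint` (the removed `// "unused" is too fragile w/ Twirl, routes file`) was dropped, while the exclusion itself survives in the Scala 2 branch as `-Xlint:-unused,_`; please carry the why-comment over to the `case Some((2, _))` line, otherwise a future cleanup is likely to re-enable it and break the `-Werror` build. Note also that `-Werror` now applies to Scala 3 as well but no lint flags are enabled there, so the two cross versions are not checked to the same standard; if that is intentional, a comment on the `case _ => Seq()` arm would make it clear. In `fortify.sbt` in the same patch the compiler plugin is pinned to `1.1.0-RC1`; a release candidate in a scanner configuration is fine for a trial but deserves a TODO to move to the final release once available.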
@@ -1,179 +0,0 @@ -[70987AD0CCC4270469DECB9E338D8C9E : critical : Cross-Site Scripting : Reflected : dataflow ] -app/controllers/HomeController.scala(53) : ->Result.as(this) - app/controllers/HomeController.scala(53) : <->Results$Status.apply(0->return) - app/controllers/HomeController.scala(50) : <=> (html) - app/controllers/HomeController.scala(50) : <->Html.apply(0->return) - app/controllers/HomeController.scala(50) : <->Object.toString(this->return) - app/controllers/HomeController.scala(45) : <=> (address) - app/controllers/HomeController.scala(45) : <- RequestHeader.getQueryString(return) - -[33128A11344ABDEF50E2F7D8D7146DB1 : critical : Cross-Site Scripting : Reflected : dataflow ] -app/controllers/HomeController.scala(69) : ->Result.as(this) - app/controllers/HomeController.scala(69) : <->Results$Status.apply(0->return) - app/controllers/HomeController.scala(69) : <->Html.apply(0->return) - app/controllers/HomeController.scala(62) : <=> (address) - app/controllers/HomeController.scala(62) : <->Cookie.value(this->return) - app/controllers/HomeController.scala(62) : <->Option.get(this->return) - app/controllers/HomeController.scala(62) : <->Cookies.get(this->return) - app/controllers/HomeController.scala(62) : <- RequestHeader.cookies(return) - -[5B7D0DB4D614ADB01C888ABFA9BED320 : critical : Cross-Site Scripting : Reflected : dataflow ] -app/controllers/HomeController.scala(84) : ->Result.as(this) - app/controllers/HomeController.scala(77) : <=> (result) - app/controllers/HomeController.scala(77) : <->Option.getOrElse(this->return) - app/controllers/HomeController.scala(81) : return - app/controllers/HomeController.scala(81) : <->Results$Status.apply(0->return) - app/controllers/HomeController.scala(81) : <->Html.apply(0->return) - app/controllers/HomeController.scala(77) : <->controllers.HomeController$anonfun$attackerQuery$2.apply(0->return) - app/controllers/HomeController.scala(77) : <- RequestHeader.getQueryString(return) - 
-[B09BD522BAB03D03138116E5C24A332E : critical : Cross-Site Scripting : Reflected : dataflow ] -app/controllers/HomeController.scala(91) : ->Result.as(this) - app/controllers/HomeController.scala(91) : <->Results$Status.apply(0->return) - app/controllers/HomeController.scala(91) : <->Html.apply(0->return) - app/controllers/HomeController.scala(90) : ->controllers.HomeController$anonfun$attackerRouteControlledQuery$1.apply(this) - app/controllers/HomeController.scala(90) : <=> (this) - app/controllers/HomeController.scala(90) : <->controllers.HomeController$anonfun$attackerRouteControlledQuery$1.innerinit^(0->this) - app/controllers/HomeController.scala(90) : ->HomeController.attackerRouteControlledQuery(0) - -[76157C51B8F7E2674323F2BBE0459F81 : critical : Cross-Site Scripting : Reflected : dataflow ] -app/controllers/HomeController.scala(98) : ->Result.as(this) - app/controllers/HomeController.scala(98) : <->Results$Status.apply(0->return) - app/controllers/HomeController.scala(98) : <->Html.apply(0->return) - app/controllers/HomeController.scala(97) : ->controllers.HomeController$anonfun$attackerRouteControlledPath$1.apply(this) - app/controllers/HomeController.scala(97) : <=> (this) - app/controllers/HomeController.scala(97) : <->controllers.HomeController$anonfun$attackerRouteControlledPath$1.innerinit^(0->this) - app/controllers/HomeController.scala(97) : ->HomeController.attackerRouteControlledPath(0) - -[8EE69802E6FCE8A1A4739050180C0BBC : critical : Cross-Site Scripting : Reflected : dataflow ] -app/controllers/HomeController.scala(111) : ->Result.as(this) - app/controllers/HomeController.scala(106) : <=> (result) - app/controllers/HomeController.scala(106) : <->Option.getOrElse(this->return) - app/controllers/HomeController.scala(108) : return - app/controllers/HomeController.scala(108) : <->Results$Status.apply(0->return) - app/controllers/HomeController.scala(108) : <->Html.apply(0->return) - app/controllers/HomeController.scala(108) : 
<->Cookie.value(this->return) - app/controllers/HomeController.scala(106) : <->controllers.HomeController$anonfun$attackerCookie$2.apply(0->return) - app/controllers/HomeController.scala(106) : <->Cookies.get(this->return) - app/controllers/HomeController.scala(106) : <- RequestHeader.cookies(return) - -[7BB2A2B92BB725FFAE8CC580EC07547E : critical : Cross-Site Scripting : Reflected : dataflow ] -app/controllers/HomeController.scala(125) : ->Result.as(this) - app/controllers/HomeController.scala(120) : <=> (result) - app/controllers/HomeController.scala(120) : <->Option.getOrElse(this->return) - app/controllers/HomeController.scala(122) : return - app/controllers/HomeController.scala(122) : <->Results$Status.apply(0->return) - app/controllers/HomeController.scala(120) : <->controllers.HomeController$anonfun$attackerHeader$2.apply(0->return) - app/controllers/HomeController.scala(120) : <->Headers.get(this->return) - app/controllers/HomeController.scala(120) : <- WrappedRequest.headers(return) - -[39721F0AF3B5131A3B3035F9317C4CD9 : critical : Cross-Site Scripting : Reflected : dataflow ] -app/controllers/HomeController.scala(150) : ->Result.as(this) - app/controllers/HomeController.scala(150) : <->Results$Status.apply(0->return) - app/controllers/HomeController.scala(150) : <->Html.apply(0->return) - app/controllers/HomeController.scala(149) : <=> (command) - app/controllers/HomeController.scala(315) : return (this.name) - app/controllers/HomeController.scala(149) : <->FormData$UserData.name(this.name->return) - app/controllers/HomeController.scala(147) : ->controllers.HomeController$anonfun$attackerFormInput$3.apply(0.name) - app/controllers/HomeController.scala(146) : <=> (boundForm) - app/controllers/HomeController.scala(146) : <- Form.bindFromRequest(return) - -[E6CC52318B0B2200473A13FE2F3944AE : critical : Cross-Site Scripting : Reflected : dataflow ] -app/controllers/HomeController.scala(169) : ->Result.as(this) - app/controllers/HomeController.scala(164) : <=> 
(result) - app/controllers/HomeController.scala(164) : <->Option.getOrElse(this->return) - app/controllers/HomeController.scala(166) : return - app/controllers/HomeController.scala(166) : <->Results$Status.apply(0->return) - app/controllers/HomeController.scala(166) : <->Html.apply(0->return) - app/controllers/HomeController.scala(164) : <->controllers.HomeController$anonfun$attackerFlash$2.apply(0->return) - app/controllers/HomeController.scala(164) : <->Flash.get(this->return) - app/controllers/HomeController.scala(164) : <- RequestHeader.flash(return) - -[8D691E21A8DD2904FFB9D9C86B76D022 : high : Server-Side Request Forgery : dataflow ] -app/controllers/HomeController.scala(216) : ->WSClient.url(0) - app/controllers/HomeController.scala(214) : <=> (attackerUrl) - app/controllers/HomeController.scala(214) : <->Option.getOrElse(this->return) - app/controllers/HomeController.scala(214) : <->AnyContent.asText(this->return) - app/controllers/HomeController.scala(214) : <- WrappedRequest.body(return) - -[2D3C1DE38D160DC1111779E2B1CB792A : critical : Open Redirect : dataflow ] -app/controllers/HomeController.scala(135) : ->Results.Redirect(0) - app/controllers/HomeController.scala(133) : <=> (attackerLocation) - app/controllers/HomeController.scala(133) : <->Some.value(this->return) - app/controllers/HomeController.scala(132) : <->Headers.get(this->return) - app/controllers/HomeController.scala(132) : <- WrappedRequest.headers(return) - -[6D5A6D191A67348160822F3A70E73B41 : critical : Command Injection : dataflow ] -app/controllers/HomeController.scala(48) : ->ProcessBuilder.!(this) - app/controllers/HomeController.scala(48) : <->ProcessImplicits.stringToProcess(0->return) - app/controllers/HomeController.scala(48) : <->Object.toString(this->return) - app/controllers/HomeController.scala(45) : <=> (address) - app/controllers/HomeController.scala(45) : <- RequestHeader.getQueryString(return) - -[E054AE8B29DE1B03994CE9E180806D14 : critical : Command Injection : dataflow ] 
-app/controllers/HomeController.scala(66) : ->ProcessBuilder.!(this) - app/controllers/HomeController.scala(66) : <->ProcessImplicits.stringToProcess(0->return) - app/controllers/HomeController.scala(66) : <=> (address~1) - app/controllers/HomeController.scala(66) : <->LinearSeqOptimized.apply(this->return) - app/controllers/HomeController.scala(66) : <->Option.get(this->return) - app/controllers/HomeController.scala(66) : <->Regex.unapplySeq(0->return) - app/controllers/HomeController.scala(62) : <=> (address) - app/controllers/HomeController.scala(62) : <->Cookie.value(this->return) - app/controllers/HomeController.scala(62) : <->Option.get(this->return) - app/controllers/HomeController.scala(62) : <->Cookies.get(this->return) - app/controllers/HomeController.scala(62) : <- RequestHeader.cookies(return) - -[7539909C6B48052B774D20F0F9D4B833 : critical : Command Injection : dataflow ] -app/controllers/HomeController.scala(230) : ->ProcessBuilder.!!(this) - app/controllers/HomeController.scala(230) : <->ProcessImplicits.stringToProcess(0->return) - app/controllers/HomeController.scala(228) : ->controllers.HomeController$anonfun$attackerCustomBodyParser$2.apply(0) - app/controllers/HomeController.scala(228) : <- RequestHeader.getQueryString(return) - -[7AA03F985E923884F14D7CCCEBCAFC97 : critical : Cross-Site Scripting : Reflected : dataflow ] -app/views/xss.scala.html(3) : ->BaseScalaTemplate._display_(0) - app/views/xss.scala.html(3) : <->Html.apply(0->return) - app/controllers/HomeController.scala(201) : ->xss.apply(0) - app/controllers/HomeController.scala(202) : ->controllers.HomeController$anonfun$twirlXSS$2.apply(0) - app/controllers/HomeController.scala(202) : <- RequestHeader.getQueryString(return) - -[7D28392534D22625D25CE2901CD24E92 : critical : Password Management : Hardcoded Password : configuration ] - Fortify/Fortify_SCA_23.1.1/Core/go/src/net/http/request.go(954) - -[16E724BE48E9A475B158F8B7BB09E34B : low : Password Management : Password in Comment : 
configuration ] - Fortify/Fortify_SCA_23.1.1/jre/conf/management/management.properties(108) - -[7D60AB57B5E6F97588B47E1727BBDF01 : low : Password Management : Password in Comment : configuration ] - Fortify/Fortify_SCA_23.1.1/jre/conf/management/management.properties(110) - -[CD014C42A1C713E32626350CE46374E1 : low : Password Management : Password in Comment : configuration ] - Fortify/Fortify_SCA_23.1.1/jre/conf/management/management.properties(210) - -[FFC84141D7968A38A4E2DD0AE4D63023 : low : Password Management : Password in Comment : configuration ] - Fortify/Fortify_SCA_23.1.1/jre/conf/management/management.properties(222) - -[EB2255E14A58F1EA53655CCF5E4A9331 : low : Password Management : Password in Comment : configuration ] - Fortify/Fortify_SCA_23.1.1/jre/conf/management/management.properties(226) - -[A6529A7EBCDA4CEA93D49376FA2E103A : low : Code Correctness : Non-Static Inner Class Implements Serializable : structural ] - app/controllers/HomeController.scala(239) - -[A054B8CF843466C9C08F7C31A431AF62 : low : Missing Form Field Constraints : structural ] - app/controllers/HomeController.scala(277) - -[B2934DA20E3AD7BB839D019DDB7EF610 : low : Missing Form Field Validation : structural ] - app/controllers/HomeController.scala(277) - -[3123D430AEB62E4FF2BB7F6A775DE9F4 : low : Missing Form Field Constraints : structural ] - app/controllers/HomeController.scala(277) - -[EF0E143E15EB85C0226B44014A79E298 : low : Missing Form Field Validation : structural ] - app/controllers/HomeController.scala(277) - -[3F112D268BC9CC49AEA7DD1B65D2543E : low : Missing Form Field Constraints : structural ] - app/controllers/HomeController.scala(284) - -[1D7A640F7D4C395E44AE1B510CA5FA05 : low : Missing Form Field Validation : structural ] - app/controllers/HomeController.scala(284) - -[00132A9E4889966ADB911CACDED783FE : low : Missing Form Field Constraints : structural ] - app/controllers/HomeController.scala(284) 
diff --git a/vulnerabilities-3.x.txt b/vulnerabilities-3.x.txt new file mode 100644 index 0000000..66a7779 --- /dev/null +++ b/vulnerabilities-3.x.txt 
@@ -0,0 +1,170 @@ +[C3F0AF7EE2817C0570D9C65E755D2FAD : critical : Cross-Site Scripting : Reflected : dataflow ] +app/controllers/HomeController.scala(53) : ->Result.as(this) + app/controllers/HomeController.scala(53) : <->Results$Status.apply(0->return) + app/controllers/HomeController.scala(50) : <=> (html) + app/controllers/HomeController.scala(50) : <->Html.apply(0->return) + app/controllers/HomeController.scala(50) : <->Object.toString(this->return) + app/controllers/HomeController.scala(45) : <=> (address) + app/controllers/HomeController.scala(45) : <- RequestHeader.getQueryString(return) + +[044F951511B13BA782BA2F1196405D07 : critical : Cross-Site Scripting : Reflected : dataflow ] +app/controllers/HomeController.scala(70) : ->Result.as(this) + app/controllers/HomeController.scala(70) : <->Results$Status.apply(0->return) + app/controllers/HomeController.scala(70) : <->Html.apply(0->return) + app/controllers/HomeController.scala(62) : <=> (address) + app/controllers/HomeController.scala(62) : <->Cookie.value(this->return) + app/controllers/HomeController.scala(62) : <->Option.get(this->return) + app/controllers/HomeController.scala(62) : <->Cookies.get(this->return) + app/controllers/HomeController.scala(62) : <- RequestHeader.cookies(return) + +[16812E772A81725CEBB9EB41749B515C : critical : Cross-Site Scripting : Reflected : dataflow ] +app/controllers/HomeController.scala(85) : ->Result.as(this) + app/controllers/HomeController.scala(78) : <=> (result) + app/controllers/HomeController.scala(78) : <->Option.getOrElse(this->return) + app/controllers/HomeController.scala(82) : return + app/controllers/HomeController.scala(82) : <->Results$Status.apply(0->return) + app/controllers/HomeController.scala(82) : <->Html.apply(0->return) + app/controllers/HomeController.scala(78) : <->controllers.HomeController$anonfun$1.apply(0->return) + app/controllers/HomeController.scala(78) : <- RequestHeader.getQueryString(return) + +[B09BD522BAB03D03138116E5C24A332E : 
critical : Cross-Site Scripting : Reflected : dataflow ] +app/controllers/HomeController.scala(92) : ->Result.as(this) + app/controllers/HomeController.scala(92) : <->Results$Status.apply(0->return) + app/controllers/HomeController.scala(92) : <->Html.apply(0->return) + app/controllers/HomeController.scala(91) : ->controllers.HomeControllerattackerRouteControlledQuery$$anonfun$1.apply(this) + app/controllers/HomeController.scala(91) : <=> (this) + app/controllers/HomeController.scala(92) : <->controllers.HomeControllerattackerRouteControlledQuery$$anonfun$1.innerinit^(0->this) + app/controllers/HomeController.scala(91) : ->HomeController.attackerRouteControlledQuery(0) + +[76157C51B8F7E2674323F2BBE0459F81 : critical : Cross-Site Scripting : Reflected : dataflow ] +app/controllers/HomeController.scala(99) : ->Result.as(this) + app/controllers/HomeController.scala(99) : <->Results$Status.apply(0->return) + app/controllers/HomeController.scala(99) : <->Html.apply(0->return) + app/controllers/HomeController.scala(98) : ->controllers.HomeControllerattackerRouteControlledPath$$anonfun$1.apply(this) + app/controllers/HomeController.scala(98) : <=> (this) + app/controllers/HomeController.scala(99) : <->controllers.HomeControllerattackerRouteControlledPath$$anonfun$1.innerinit^(0->this) + app/controllers/HomeController.scala(98) : ->HomeController.attackerRouteControlledPath(0) + +[3795138EC238E0F49E5A94291F0D4EB8 : critical : Cross-Site Scripting : Reflected : dataflow ] +app/controllers/HomeController.scala(112) : ->Result.as(this) + app/controllers/HomeController.scala(107) : <=> (result) + app/controllers/HomeController.scala(107) : <->Option.getOrElse(this->return) + app/controllers/HomeController.scala(109) : return + app/controllers/HomeController.scala(109) : <->Results$Status.apply(0->return) + app/controllers/HomeController.scala(109) : <->Html.apply(0->return) + app/controllers/HomeController.scala(109) : <->Cookie.value(this->return) + 
app/controllers/HomeController.scala(107) : <->controllers.HomeController$anonfun$3.apply(0->return) + app/controllers/HomeController.scala(107) : <->Cookies.get(this->return) + app/controllers/HomeController.scala(107) : <- RequestHeader.cookies(return) + +[96D3E7E2197C805881750C3DCE84914C : critical : Cross-Site Scripting : Reflected : dataflow ] +app/controllers/HomeController.scala(126) : ->Result.as(this) + app/controllers/HomeController.scala(121) : <=> (result) + app/controllers/HomeController.scala(121) : <->Option.getOrElse(this->return) + app/controllers/HomeController.scala(123) : return + app/controllers/HomeController.scala(123) : <->Results$Status.apply(0->return) + app/controllers/HomeController.scala(121) : <->controllers.HomeController$anonfun$5.apply(0->return) + app/controllers/HomeController.scala(121) : <->Headers.get(this->return) + app/controllers/HomeController.scala(121) : <- WrappedRequest.headers(return) + +[6475C00D5E47A96AF3E75435BFDDBD1E : critical : Cross-Site Scripting : Reflected : dataflow ] +app/controllers/HomeController.scala(151) : ->Result.as(this) + app/controllers/HomeController.scala(151) : <->Results$Status.apply(0->return) + app/controllers/HomeController.scala(151) : <->Html.apply(0->return) + app/controllers/HomeController.scala(150) : <=> (command) + app/controllers/HomeController.scala(316) : return (this.name) + app/controllers/HomeController.scala(150) : <->FormData$UserData.name(this.name->return) + app/controllers/HomeController.scala(148) : ->controllers.HomeControllerattackerFormInput$$anonfun$1$$anonfun$2.apply(0.name) + app/controllers/HomeController.scala(147) : <=> (boundForm) + app/controllers/HomeController.scala(147) : <- Form.bindFromRequest(return) + +[11FCDCF1B24839756EB1953B60CBC8B3 : critical : Cross-Site Scripting : Reflected : dataflow ] +app/controllers/HomeController.scala(170) : ->Result.as(this) + app/controllers/HomeController.scala(165) : <=> (result) + 
app/controllers/HomeController.scala(165) : <->Option.getOrElse(this->return) + app/controllers/HomeController.scala(167) : return + app/controllers/HomeController.scala(167) : <->Results$Status.apply(0->return) + app/controllers/HomeController.scala(167) : <->Html.apply(0->return) + app/controllers/HomeController.scala(165) : <->controllers.HomeController$anonfun$7.apply(0->return) + app/controllers/HomeController.scala(165) : <->Flash.get(this->return) + app/controllers/HomeController.scala(165) : <- RequestHeader.flash(return) + +[4833799B0EBD7B1791F5342C096BDE6F : high : Server-Side Request Forgery : dataflow ] +app/controllers/HomeController.scala(217) : ->WSClient.url(0) + app/controllers/HomeController.scala(215) : <=> (attackerUrl) + app/controllers/HomeController.scala(215) : <->Option.getOrElse(this->return) + app/controllers/HomeController.scala(215) : <->AnyContent.asText(this->return) + app/controllers/HomeController.scala(215) : <- WrappedRequest.body(return) + +[B0560B4681BAD5206C25ED5D5AA6F441 : critical : Open Redirect : dataflow ] +app/controllers/HomeController.scala(136) : ->Results.Redirect(0) + app/controllers/HomeController.scala(134) : <=> (attackerLocation) + app/controllers/HomeController.scala(134) : <->Some.value(this->return) + app/controllers/HomeController.scala(133) : <->Headers.get(this->return) + app/controllers/HomeController.scala(133) : <- WrappedRequest.headers(return) + +[2F3B03C604BC09D5664BF65A1A886FAC : critical : Command Injection : dataflow ] +app/controllers/HomeController.scala(48) : ->ProcessBuilder.!(this) + app/controllers/HomeController.scala(48) : <->ProcessImplicits.stringToProcess(0->return) + app/controllers/HomeController.scala(48) : <->Object.toString(this->return) + app/controllers/HomeController.scala(45) : <=> (address) + app/controllers/HomeController.scala(45) : <- RequestHeader.getQueryString(return) + +[EE42804AE6EB1A66313E692165683019 : critical : Command Injection : dataflow ] 
+app/controllers/HomeController.scala(66) : ->ProcessBuilder.!(this) + app/controllers/HomeController.scala(66) : <->ProcessImplicits.stringToProcess(0->return) + app/controllers/HomeController.scala(66) : <=> (address~1) + app/controllers/HomeController.scala(66) : <->LinearSeqOps.apply(this->return) + app/controllers/HomeController.scala(66) : <->Option.get(this->return) + app/controllers/HomeController.scala(66) : <->Regex.unapplySeq(0->return) + app/controllers/HomeController.scala(62) : <=> (address) + app/controllers/HomeController.scala(62) : <->Cookie.value(this->return) + app/controllers/HomeController.scala(62) : <->Option.get(this->return) + app/controllers/HomeController.scala(62) : <->Cookies.get(this->return) + app/controllers/HomeController.scala(62) : <- RequestHeader.cookies(return) + +[B9DF91AACD4B21B618149964386E4129 : critical : Command Injection : dataflow ] +app/controllers/HomeController.scala(231) : ->ProcessBuilder.!!(this) + app/controllers/HomeController.scala(231) : <->ProcessImplicits.stringToProcess(0->return) + app/controllers/HomeController.scala(229) : ->controllers.HomeController$anonfun$10.apply(0) + app/controllers/HomeController.scala(229) : <- RequestHeader.getQueryString(return) + +[19934AF014F44D85C1841457D8ED6581 : critical : Cross-Site Scripting : Reflected : dataflow ] +target/scala-3.3.1/twirl/main/views/html/xss.template.scala(28) : ->BaseScalaTemplate._display_(0) + target/scala-3.3.1/twirl/main/views/html/xss.template.scala(28) : <->Html.apply(0->return) + app/controllers/HomeController.scala(202) : ->xss.apply(0) + app/controllers/HomeController.scala(201) : ->controllers.HomeControllertwirlXSS$$anonfun$1$$anonfun$1.apply(0) + app/controllers/HomeController.scala(201) : <- RequestHeader.getQueryString(return) + +[1810A9D7ABBD32A9C113C3F821AF3E2A : low : Poor Style : Value Never Read : structural ] + app/controllers/HomeController.scala(66) + Variable: port [app/controllers/HomeController.scala(66)] + 
+[A6529A7EBCDA4CEA93D49376FA2E103A : low : Code Correctness : Non-Static Inner Class Implements Serializable : structural ] + app/controllers/HomeController.scala(240) + +[A054B8CF843466C9C08F7C31A431AF62 : low : Missing Form Field Constraints : structural ] + app/controllers/HomeController.scala(278) + +[B2934DA20E3AD7BB839D019DDB7EF610 : low : Missing Form Field Validation : structural ] + app/controllers/HomeController.scala(278) + +[3123D430AEB62E4FF2BB7F6A775DE9F4 : low : Missing Form Field Constraints : structural ] + app/controllers/HomeController.scala(278) + +[EF0E143E15EB85C0226B44014A79E298 : low : Missing Form Field Validation : structural ] + app/controllers/HomeController.scala(278) + +[3F112D268BC9CC49AEA7DD1B65D2543E : low : Missing Form Field Constraints : structural ] + app/controllers/HomeController.scala(285) + +[1D7A640F7D4C395E44AE1B510CA5FA05 : low : Missing Form Field Validation : structural ] + app/controllers/HomeController.scala(285) + +[00132A9E4889966ADB911CACDED783FE : low : Missing Form Field Constraints : structural ] + app/controllers/HomeController.scala(285) + +[C997F7BB94E70A739A5522B291E17A57 : low : Code Correctness : Constructor Invokes Overridable Function : structural ] + target/scala-3.3.1/routes/main/router/Routes.scala(37) + Function: router.Routes.Routes [target/scala-3.3.1/routes/main/router/Routes.scala(13)] + Function: router.Routes.prefix [target/scala-3.3.1/routes/main/router/Routes.scala(19)] From b4ddca61adc5d905396d00d195493574ca04212e Mon Sep 17 00:00:00 2001 From: Seth Tisue Date: Tue, 5 Dec 2023 18:56:48 -0800 Subject: [PATCH 36/36] Fortify: fixups --- vulnerabilities-2.13.x.txt | 172 ++++++++++++++++++------------------- vulnerabilities-3.x.txt | 18 ++++ 2 files changed, 104 insertions(+), 86 deletions(-) diff --git a/vulnerabilities-2.13.x.txt b/vulnerabilities-2.13.x.txt index 29f094c..5343af4 100644 --- a/vulnerabilities-2.13.x.txt +++ b/vulnerabilities-2.13.x.txt 
@@ -8,9 +8,9 @@ app/controllers/HomeController.scala(53) : ->Result.as(this) app/controllers/HomeController.scala(45) : <- RequestHeader.getQueryString(return) [33128A11344ABDEF50E2F7D8D7146DB1 : critical : Cross-Site Scripting : Reflected : dataflow ] -app/controllers/HomeController.scala(69) : ->Result.as(this) - app/controllers/HomeController.scala(69) : <->Results$Status.apply(0->return) - app/controllers/HomeController.scala(69) : <->Html.apply(0->return) +app/controllers/HomeController.scala(70) : ->Result.as(this) + app/controllers/HomeController.scala(70) : <->Results$Status.apply(0->return) + app/controllers/HomeController.scala(70) : <->Html.apply(0->return) app/controllers/HomeController.scala(62) : <=> (address) app/controllers/HomeController.scala(62) : <->Cookie.value(this->return) app/controllers/HomeController.scala(62) : <->Option.get(this->return) 
@@ -18,90 +18,90 @@ app/controllers/HomeController.scala(69) : ->Result.as(this) app/controllers/HomeController.scala(62) : <- RequestHeader.cookies(return) [5B7D0DB4D614ADB01C888ABFA9BED320 : critical : Cross-Site Scripting : Reflected : dataflow ] -app/controllers/HomeController.scala(84) : ->Result.as(this) - app/controllers/HomeController.scala(77) : <=> (result) - app/controllers/HomeController.scala(77) : <->Option.getOrElse(this->return) - app/controllers/HomeController.scala(81) : return - app/controllers/HomeController.scala(81) : <->Results$Status.apply(0->return) - app/controllers/HomeController.scala(81) : <->Html.apply(0->return) - app/controllers/HomeController.scala(77) : <->controllers.HomeController$anonfun$attackerQuery$2.apply(0->return) - app/controllers/HomeController.scala(77) : <- RequestHeader.getQueryString(return) +app/controllers/HomeController.scala(85) : ->Result.as(this) + app/controllers/HomeController.scala(78) : <=> (result) + app/controllers/HomeController.scala(78) : <->Option.getOrElse(this->return) + app/controllers/HomeController.scala(82) : return + app/controllers/HomeController.scala(82) : <->Results$Status.apply(0->return) + app/controllers/HomeController.scala(82) : <->Html.apply(0->return) + app/controllers/HomeController.scala(78) : <->controllers.HomeController$anonfun$attackerQuery$2.apply(0->return) + app/controllers/HomeController.scala(78) : <- RequestHeader.getQueryString(return) [B09BD522BAB03D03138116E5C24A332E : critical : Cross-Site Scripting : Reflected : dataflow ] -app/controllers/HomeController.scala(91) : ->Result.as(this) - app/controllers/HomeController.scala(91) : <->Results$Status.apply(0->return) - app/controllers/HomeController.scala(91) : <->Html.apply(0->return) - app/controllers/HomeController.scala(90) : ->controllers.HomeController$anonfun$attackerRouteControlledQuery$1.apply(this) - app/controllers/HomeController.scala(90) : <=> (this) - app/controllers/HomeController.scala(90) : 
<->controllers.HomeController$anonfun$attackerRouteControlledQuery$1.innerinit^(0->this) - app/controllers/HomeController.scala(90) : ->HomeController.attackerRouteControlledQuery(0) +app/controllers/HomeController.scala(92) : ->Result.as(this) + app/controllers/HomeController.scala(92) : <->Results$Status.apply(0->return) + app/controllers/HomeController.scala(92) : <->Html.apply(0->return) + app/controllers/HomeController.scala(91) : ->controllers.HomeController$anonfun$attackerRouteControlledQuery$1.apply(this) + app/controllers/HomeController.scala(91) : <=> (this) + app/controllers/HomeController.scala(91) : <->controllers.HomeController$anonfun$attackerRouteControlledQuery$1.innerinit^(0->this) + app/controllers/HomeController.scala(91) : ->HomeController.attackerRouteControlledQuery(0) [76157C51B8F7E2674323F2BBE0459F81 : critical : Cross-Site Scripting : Reflected : dataflow ] -app/controllers/HomeController.scala(98) : ->Result.as(this) - app/controllers/HomeController.scala(98) : <->Results$Status.apply(0->return) - app/controllers/HomeController.scala(98) : <->Html.apply(0->return) - app/controllers/HomeController.scala(97) : ->controllers.HomeController$anonfun$attackerRouteControlledPath$1.apply(this) - app/controllers/HomeController.scala(97) : <=> (this) - app/controllers/HomeController.scala(97) : <->controllers.HomeController$anonfun$attackerRouteControlledPath$1.innerinit^(0->this) - app/controllers/HomeController.scala(97) : ->HomeController.attackerRouteControlledPath(0) +app/controllers/HomeController.scala(99) : ->Result.as(this) + app/controllers/HomeController.scala(99) : <->Results$Status.apply(0->return) + app/controllers/HomeController.scala(99) : <->Html.apply(0->return) + app/controllers/HomeController.scala(98) : ->controllers.HomeController$anonfun$attackerRouteControlledPath$1.apply(this) + app/controllers/HomeController.scala(98) : <=> (this) + app/controllers/HomeController.scala(98) : 
<->controllers.HomeController$anonfun$attackerRouteControlledPath$1.innerinit^(0->this) + app/controllers/HomeController.scala(98) : ->HomeController.attackerRouteControlledPath(0) [8EE69802E6FCE8A1A4739050180C0BBC : critical : Cross-Site Scripting : Reflected : dataflow ] -app/controllers/HomeController.scala(111) : ->Result.as(this) - app/controllers/HomeController.scala(106) : <=> (result) - app/controllers/HomeController.scala(106) : <->Option.getOrElse(this->return) - app/controllers/HomeController.scala(108) : return - app/controllers/HomeController.scala(108) : <->Results$Status.apply(0->return) - app/controllers/HomeController.scala(108) : <->Html.apply(0->return) - app/controllers/HomeController.scala(108) : <->Cookie.value(this->return) - app/controllers/HomeController.scala(106) : <->controllers.HomeController$anonfun$attackerCookie$2.apply(0->return) - app/controllers/HomeController.scala(106) : <->Cookies.get(this->return) - app/controllers/HomeController.scala(106) : <- RequestHeader.cookies(return) +app/controllers/HomeController.scala(112) : ->Result.as(this) + app/controllers/HomeController.scala(107) : <=> (result) + app/controllers/HomeController.scala(107) : <->Option.getOrElse(this->return) + app/controllers/HomeController.scala(109) : return + app/controllers/HomeController.scala(109) : <->Results$Status.apply(0->return) + app/controllers/HomeController.scala(109) : <->Html.apply(0->return) + app/controllers/HomeController.scala(109) : <->Cookie.value(this->return) + app/controllers/HomeController.scala(107) : <->controllers.HomeController$anonfun$attackerCookie$2.apply(0->return) + app/controllers/HomeController.scala(107) : <->Cookies.get(this->return) + app/controllers/HomeController.scala(107) : <- RequestHeader.cookies(return) [7BB2A2B92BB725FFAE8CC580EC07547E : critical : Cross-Site Scripting : Reflected : dataflow ] -app/controllers/HomeController.scala(125) : ->Result.as(this) - app/controllers/HomeController.scala(120) : <=> (result) 
- app/controllers/HomeController.scala(120) : <->Option.getOrElse(this->return) - app/controllers/HomeController.scala(122) : return - app/controllers/HomeController.scala(122) : <->Results$Status.apply(0->return) - app/controllers/HomeController.scala(120) : <->controllers.HomeController$anonfun$attackerHeader$2.apply(0->return) - app/controllers/HomeController.scala(120) : <->Headers.get(this->return) - app/controllers/HomeController.scala(120) : <- WrappedRequest.headers(return) +app/controllers/HomeController.scala(126) : ->Result.as(this) + app/controllers/HomeController.scala(121) : <=> (result) + app/controllers/HomeController.scala(121) : <->Option.getOrElse(this->return) + app/controllers/HomeController.scala(123) : return + app/controllers/HomeController.scala(123) : <->Results$Status.apply(0->return) + app/controllers/HomeController.scala(121) : <->controllers.HomeController$anonfun$attackerHeader$2.apply(0->return) + app/controllers/HomeController.scala(121) : <->Headers.get(this->return) + app/controllers/HomeController.scala(121) : <- WrappedRequest.headers(return) [39721F0AF3B5131A3B3035F9317C4CD9 : critical : Cross-Site Scripting : Reflected : dataflow ] -app/controllers/HomeController.scala(150) : ->Result.as(this) - app/controllers/HomeController.scala(150) : <->Results$Status.apply(0->return) - app/controllers/HomeController.scala(150) : <->Html.apply(0->return) - app/controllers/HomeController.scala(149) : <=> (command) - app/controllers/HomeController.scala(315) : return (this.name) - app/controllers/HomeController.scala(149) : <->FormData$UserData.name(this.name->return) - app/controllers/HomeController.scala(147) : ->controllers.HomeController$anonfun$attackerFormInput$3.apply(0.name) - app/controllers/HomeController.scala(146) : <=> (boundForm) - app/controllers/HomeController.scala(146) : <- Form.bindFromRequest(return) +app/controllers/HomeController.scala(151) : ->Result.as(this) + app/controllers/HomeController.scala(151) : 
<->Results$Status.apply(0->return) + app/controllers/HomeController.scala(151) : <->Html.apply(0->return) + app/controllers/HomeController.scala(150) : <=> (command) + app/controllers/HomeController.scala(316) : return (this.name) + app/controllers/HomeController.scala(150) : <->FormData$UserData.name(this.name->return) + app/controllers/HomeController.scala(148) : ->controllers.HomeController$anonfun$attackerFormInput$3.apply(0.name) + app/controllers/HomeController.scala(147) : <=> (boundForm) + app/controllers/HomeController.scala(147) : <- Form.bindFromRequest(return) [E6CC52318B0B2200473A13FE2F3944AE : critical : Cross-Site Scripting : Reflected : dataflow ] -app/controllers/HomeController.scala(169) : ->Result.as(this) - app/controllers/HomeController.scala(164) : <=> (result) - app/controllers/HomeController.scala(164) : <->Option.getOrElse(this->return) - app/controllers/HomeController.scala(166) : return - app/controllers/HomeController.scala(166) : <->Results$Status.apply(0->return) - app/controllers/HomeController.scala(166) : <->Html.apply(0->return) - app/controllers/HomeController.scala(164) : <->controllers.HomeController$anonfun$attackerFlash$2.apply(0->return) - app/controllers/HomeController.scala(164) : <->Flash.get(this->return) - app/controllers/HomeController.scala(164) : <- RequestHeader.flash(return) +app/controllers/HomeController.scala(170) : ->Result.as(this) + app/controllers/HomeController.scala(165) : <=> (result) + app/controllers/HomeController.scala(165) : <->Option.getOrElse(this->return) + app/controllers/HomeController.scala(167) : return + app/controllers/HomeController.scala(167) : <->Results$Status.apply(0->return) + app/controllers/HomeController.scala(167) : <->Html.apply(0->return) + app/controllers/HomeController.scala(165) : <->controllers.HomeController$anonfun$attackerFlash$2.apply(0->return) + app/controllers/HomeController.scala(165) : <->Flash.get(this->return) + app/controllers/HomeController.scala(165) : <- 
RequestHeader.flash(return) [8D691E21A8DD2904FFB9D9C86B76D022 : high : Server-Side Request Forgery : dataflow ] -app/controllers/HomeController.scala(216) : ->WSClient.url(0) - app/controllers/HomeController.scala(214) : <=> (attackerUrl) - app/controllers/HomeController.scala(214) : <->Option.getOrElse(this->return) - app/controllers/HomeController.scala(214) : <->AnyContent.asText(this->return) - app/controllers/HomeController.scala(214) : <- WrappedRequest.body(return) +app/controllers/HomeController.scala(217) : ->WSClient.url(0) + app/controllers/HomeController.scala(215) : <=> (attackerUrl) + app/controllers/HomeController.scala(215) : <->Option.getOrElse(this->return) + app/controllers/HomeController.scala(215) : <->AnyContent.asText(this->return) + app/controllers/HomeController.scala(215) : <- WrappedRequest.body(return) [2D3C1DE38D160DC1111779E2B1CB792A : critical : Open Redirect : dataflow ] -app/controllers/HomeController.scala(135) : ->Results.Redirect(0) - app/controllers/HomeController.scala(133) : <=> (attackerLocation) - app/controllers/HomeController.scala(133) : <->Some.value(this->return) - app/controllers/HomeController.scala(132) : <->Headers.get(this->return) - app/controllers/HomeController.scala(132) : <- WrappedRequest.headers(return) +app/controllers/HomeController.scala(136) : ->Results.Redirect(0) + app/controllers/HomeController.scala(134) : <=> (attackerLocation) + app/controllers/HomeController.scala(134) : <->Some.value(this->return) + app/controllers/HomeController.scala(133) : <->Headers.get(this->return) + app/controllers/HomeController.scala(133) : <- WrappedRequest.headers(return) [6D5A6D191A67348160822F3A70E73B41 : critical : Command Injection : dataflow ] app/controllers/HomeController.scala(48) : ->ProcessBuilder.!(this) 
@@ -124,17 +124,17 @@ app/controllers/HomeController.scala(66) : ->ProcessBuilder.!(this) app/controllers/HomeController.scala(62) : <- RequestHeader.cookies(return) [7539909C6B48052B774D20F0F9D4B833 : critical : Command Injection : dataflow ] -app/controllers/HomeController.scala(230) : ->ProcessBuilder.!!(this) - app/controllers/HomeController.scala(230) : <->ProcessImplicits.stringToProcess(0->return) - app/controllers/HomeController.scala(228) : ->controllers.HomeController$anonfun$attackerCustomBodyParser$2.apply(0) - app/controllers/HomeController.scala(228) : <- RequestHeader.getQueryString(return) +app/controllers/HomeController.scala(231) : ->ProcessBuilder.!!(this) + app/controllers/HomeController.scala(231) : <->ProcessImplicits.stringToProcess(0->return) + app/controllers/HomeController.scala(229) : ->controllers.HomeController$anonfun$attackerCustomBodyParser$2.apply(0) + app/controllers/HomeController.scala(229) : <- RequestHeader.getQueryString(return) [7AA03F985E923884F14D7CCCEBCAFC97 : critical : Cross-Site Scripting : Reflected : dataflow ] app/views/xss.scala.html(3) : ->BaseScalaTemplate._display_(0) app/views/xss.scala.html(3) : <->Html.apply(0->return) - app/controllers/HomeController.scala(201) : ->xss.apply(0) - app/controllers/HomeController.scala(202) : ->controllers.HomeController$anonfun$twirlXSS$2.apply(0) - app/controllers/HomeController.scala(202) : <- RequestHeader.getQueryString(return) + app/controllers/HomeController.scala(202) : ->xss.apply(0) + app/controllers/HomeController.scala(203) : ->controllers.HomeController$anonfun$twirlXSS$2.apply(0) + app/controllers/HomeController.scala(203) : <- RequestHeader.getQueryString(return) [7D28392534D22625D25CE2901CD24E92 : critical : Password Management : Hardcoded Password : configuration ] Fortify/Fortify_SCA_23.1.1/Core/go/src/net/http/request.go(954) 
@@ -155,25 +155,25 @@ app/views/xss.scala.html(3) : ->BaseScalaTemplate._display_(0) Fortify/Fortify_SCA_23.1.1/jre/conf/management/management.properties(226) [A6529A7EBCDA4CEA93D49376FA2E103A : low : Code Correctness : Non-Static Inner Class Implements Serializable : structural ] - app/controllers/HomeController.scala(239) + app/controllers/HomeController.scala(240) [A054B8CF843466C9C08F7C31A431AF62 : low : Missing Form Field Constraints : structural ] - app/controllers/HomeController.scala(277) + app/controllers/HomeController.scala(278) [B2934DA20E3AD7BB839D019DDB7EF610 : low : Missing Form Field Validation : structural ] - app/controllers/HomeController.scala(277) + app/controllers/HomeController.scala(278) [3123D430AEB62E4FF2BB7F6A775DE9F4 : low : Missing Form Field Constraints : structural ] - app/controllers/HomeController.scala(277) + app/controllers/HomeController.scala(278) [EF0E143E15EB85C0226B44014A79E298 : low : Missing Form Field Validation : structural ] - app/controllers/HomeController.scala(277) + app/controllers/HomeController.scala(278) [3F112D268BC9CC49AEA7DD1B65D2543E : low : Missing Form Field Constraints : structural ] - app/controllers/HomeController.scala(284) + app/controllers/HomeController.scala(285) [1D7A640F7D4C395E44AE1B510CA5FA05 : low : Missing Form Field Validation : structural ] - app/controllers/HomeController.scala(284) + app/controllers/HomeController.scala(285) [00132A9E4889966ADB911CACDED783FE : low : Missing Form Field Constraints : structural ] - app/controllers/HomeController.scala(284) + app/controllers/HomeController.scala(285) diff --git a/vulnerabilities-3.x.txt b/vulnerabilities-3.x.txt index 66a7779..cdc12f7 100644 --- a/vulnerabilities-3.x.txt +++ b/vulnerabilities-3.x.txt 
@@ -136,6 +136,24 @@ target/scala-3.3.1/twirl/main/views/html/xss.template.scala(28) : ->BaseScalaTe app/controllers/HomeController.scala(201) : ->controllers.HomeControllertwirlXSS$$anonfun$1$$anonfun$1.apply(0) app/controllers/HomeController.scala(201) : <- RequestHeader.getQueryString(return) +[7D28392534D22625D25CE2901CD24E92 : critical : Password Management : Hardcoded Password : configuration ] + Fortify/Fortify_SCA_23.1.1/Core/go/src/net/http/request.go(954) + +[16E724BE48E9A475B158F8B7BB09E34B : low : Password Management : Password in Comment : configuration ] + Fortify/Fortify_SCA_23.1.1/jre/conf/management/management.properties(108) + +[7D60AB57B5E6F97588B47E1727BBDF01 : low : Password Management : Password in Comment : configuration ] + Fortify/Fortify_SCA_23.1.1/jre/conf/management/management.properties(110) + +[CD014C42A1C713E32626350CE46374E1 : low : Password Management : Password in Comment : configuration ] + Fortify/Fortify_SCA_23.1.1/jre/conf/management/management.properties(210) + +[FFC84141D7968A38A4E2DD0AE4D63023 : low : Password Management : Password in Comment : configuration ] + Fortify/Fortify_SCA_23.1.1/jre/conf/management/management.properties(222) + +[EB2255E14A58F1EA53655CCF5E4A9331 : low : Password Management : Password in Comment : configuration ] + Fortify/Fortify_SCA_23.1.1/jre/conf/management/management.properties(226) + [1810A9D7ABBD32A9C113C3F821AF3E2A : low : Poor Style : Value Never Read : structural ] app/controllers/HomeController.scala(66) Variable: port [app/controllers/HomeController.scala(66)]
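Review bot: The six Password Management findings added to vulnerabilities-3.x.txt here are located in the Fortify SCA installation itself (`Fortify/Fortify_SCA_23.1.1/Core/go/src/net/http/request.go(954)` and `Fortify/Fortify_SCA_23.1.1/jre/conf/management/management.properties`), not in this project's sources, so committing them as expected findings drifts the baseline away from the vulnerabilities the app is meant to demonstrate. The same entries already appear as context in the vulnerabilities-2.13.x.txt hunks above, which suggests the scan is picking up its own install directory; narrowing the scan scope to `app/` (and the generated `target/` sources) or filtering these entries before the baseline is compared would keep the file to the intentional findings. If they are kept on purpose, note that fact wherever the baseline comparison is maintained, so the next reader does not go looking for a hardcoded password that is not in this repository.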