Patched results for branch: master

src/main/java/io/shiftleft/controller/AdminController.java

@@ -32,7 +32,8 @@ private boolean isAdmin(String auth)
   {
     try {
       ByteArrayInputStream bis = new ByteArrayInputStream(Base64.getDecoder().decode(auth));
-      ObjectInputStream objectInputStream = new ObjectInputStream(bis);
+      // Securely deserialize the object
+      ObjectInputStream objectInputStream = new LookAheadObjectInputStream(bis);
       Object authToken = objectInputStream.readObject();
       return ((AuthToken) authToken).isAdmin();
     } catch (Exception ex) {
@@ -107,7 +108,10 @@ public String doPostLogin(@CookieValue(value = "auth", defaultValue = "notset")
         ObjectOutputStream oos = new ObjectOutputStream(bos);
         oos.writeObject(authToken);
         String cookieValue = new String(Base64.getEncoder().encode(bos.toByteArray()));
-        response.addCookie(new Cookie("auth", cookieValue ));
+        Cookie authCookie = new Cookie("auth", cookieValue);
+        authCookie.setHttpOnly(true);
+        authCookie.setSecure(true);
+        response.addCookie(authCookie);
 
         // cookie is lost after redirection
         request.getSession().setAttribute("auth",cookieValue);
@@ -135,3 +139,19 @@ public String doGetLogin(HttpServletResponse response, HttpServletRequest reques
     return "redirect:/";
   }
 }
+
+// Custom LookAheadObjectInputStream to prevent deserialization of untrusted data
+class LookAheadObjectInputStream extends ObjectInputStream {
+
+  public LookAheadObjectInputStream(InputStream inputStream) throws IOException {
+    super(inputStream);
+  }
+
+  @Override
+  protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
+    if (!desc.getName().equals(AuthToken.class.getName())) {
+      throw new ClassNotFoundException("Unauthorized deserialization attempt");
+    }
+    return super.resolveClass(desc);
+  }
+}

src/main/java/io/shiftleft/controller/SearchController.java

@@ -2,15 +2,11 @@
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import org.springframework.expression.Expression;
-import org.springframework.expression.ExpressionParser;
-import org.springframework.expression.spel.standard.SpelExpressionParser;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 
-
 /**
  * Search login
  */
@@ -19,14 +15,8 @@ public class SearchController {
 
   @RequestMapping(value = "/search/user", method = RequestMethod.GET)
   public String doGetSearch(@RequestParam String foo, HttpServletResponse response, HttpServletRequest request) {
-    java.lang.Object message = new Object();
-    try {
-      ExpressionParser parser = new SpelExpressionParser();
-      Expression exp = parser.parseExpression(foo);
-      message = (Object) exp.getValue();
-    } catch (Exception ex) {
-      System.out.println(ex.getMessage());
-    }
-    return message.toString();
+    // Instead of evaluating the expression, treat it as a plain string
+    String message = foo;
+    return message;
   }
 }