
Common reasons for vulnerabilities:

  • Resources not closed properly
  • XML documents not parsed with protection against injection
  • Exceptions not handled
  • Unused variables and declarations
  • Use of unbounded tags in the XML schema
  • Use of System.out.println instead of loggers
  • Naming conventions that need to be corrected

Refactoring Resolutions

Issue 1 : Poor Error Handling: Overly Broad Catch

Solution : To catch specific exceptions that are expected and can be handled appropriately.

Issue Details :

JmsConnector : Line 111
EIG1.1.0/src/main/java/com/comviva/mfs/eig/connector/JmsConnector.java, line 111
(Poor Error Handling: Overly Broad Catch)
108 try {
109     respobject = consumer.receive(1000000);
110     returnedObject = ((ActiveMQTextMessage) respobject).getText();
111 } catch (Exception ex) {
112     log.error("Exception has raised in JmsConnector: class ", ex);

Fix :

try {
    respobject = consumer.receive(1000000);
    returnedObject = ((ActiveMQTextMessage) respobject).getText();
} catch (JMSException jmse) {
    // failures reported by the JMS provider from receive() or getText()
    log.error("JMSException occurred in JmsConnector: ", jmse);
} catch (ClassCastException cce) {
    // the received message was not an ActiveMQTextMessage
    log.error("ClassCastException occurred in JmsConnector: ", cce);
} catch (Exception ex) {
    // last-resort handler, reached only when none of the specific cases above applies
    log.error("An unexpected exception occurred in JmsConnector: ", ex);
}

Issue 2 : Poor Error Handling: Overly Broad Throws

Solution : Throw specific exceptions that are more meaningful to the context of the method.

Issue Details:

EIG1.1.1/src/test/java/com/comviva/mfs/eig/sample/webservices/Service.java, line 41 (Poor Error Handling: Overly Broad Throws)
Kingdom: Errors
Scan Engine: SCA (Structural)
Sink Details
Sink: Function: hitXMLToEIG
Enclosing Method: hitXMLToEIG()
File: EIG1.1.1/src/test/java/com/comviva/mfs/eig/sample/webservices/Service.java:41
38  * @throws Exception
39  * @throws EIGExceptionObject
40  */
41 public static String hitXMLToEIG(String strMsg, String strUrl)
42         throws Exception, EIGExceptionObject {
43     // Code added for Tango 4.x and Tango 2.2 merging

Fix :

public static String hitXMLToEIG(String strMsg, String strUrl)
        throws IOException, EIGExceptionObject {
    // Code added for Tango 4.x and Tango 2.2 merging
    strUrl = ProjectConfig.getProperty(URL_Path_Constant.valueOf(strUrl).toString());
    String connectionTimeOut = ProjectConfig.getProperty(Constants.CONN_TIMEOUT);
    String readTimeOut = ProjectConfig.getProperty(Constants.READ_TIME_OUT);

Issue 3 : Poor Error Handling: Program Catches NullPointerException

Solution : Handle the null case in code instead of catching NullPointerException

Issue Details:

Package: com.comviva.mfs.eig.exceptionhandlers
EIG1.1.1/src/main/java/com/comviva/mfs/eig/exceptionhandlers/GenericExceptionHander.java, line 94 (Poor Error Handling: Program Catches NullPointerException)
Kingdom: Errors
Scan Engine: SCA (Structural)
Sink Details
Sink: CatchBlock
Enclosing Method: transformMessage()
File: EIG1.1.1/src/main/java/com/comviva/mfs/eig/exceptionhandlers/GenericExceptionHander.java:94
91     StringBuilder msg = new StringBuilder(messageDescription);
92     msg.append(parameter);
93     messageDescription = msg.toString();
94 } catch (NullPointerException e) {
95     INFOLOG.info("Null Property received from Properties file in GenericExceptionHandler: Class", e);
96     messageCode = ProjectConfig.getProperty(Constants.DEFAULT_EXCEPTION_CODE);
97     if (XmlUtil.parametersAreNull(exceptionCause)) {

Fix :

try {
    if (messageDescription != null && parameter != null) {
        StringBuilder msg = new StringBuilder(messageDescription);
        msg.append(parameter);
        messageDescription = msg.toString();
    } else {
        // Handle the case where messageDescription or parameter is null
        INFOLOG.warn("Null value for messageDescription or parameter");
    }
} catch (Exception e) {
    INFOLOG.error("Unexpected exception in GenericExceptionHandler: ", e);
}

Issue 4 : Poor Logging Practice: Use of a System Output Stream

Solution : To use loggers in place of System output stream

Issue Details :

Package: com.comviva.mfs.eig.services
Core_EIG_UI/src/main/java/com/comviva/mfs/eig/services/GenerateRuleAndTemplate.java, line 156 (Poor Logging Practice: Use of a System Output Stream)
153     }
154
155 } catch (FileNotFoundException | UnsupportedEncodingException e1) {
156     System.out.println("");
157 } catch (IOException e) {
158     // TODO Auto-generated catch block
159     e.printStackTrace();

Fix :

LOGGER.info("Completion of method");

Issue 5 : Poor Style: Confusing Naming

Solution : To use consistent naming conventions

Issue Details :

EIG1.1.1/src/main/java/com/comviva/mfs/eig/datatypes/Id.java, line 34 (Poor Style: Confusing Naming)
Kingdom: Code Quality
Scan Engine: SCA (Structural)
Sink Details
Sink: Field: hashCode
File: EIG1.1.1/src/main/java/com/comviva/mfs/eig/datatypes/Id.java:34
31
32     private String interfaceId;
33     private String serviceId;
34     private final int hashCode;
35
36     public Id(String interfaceId, String serviceId) {
37         this.interfaceId = interfaceId;

Fix :

public class Identifier {
    private String interfaceIdentifier;
    private String serviceIdentifier;
    private final int cachedHashCode;

    public Identifier(String interfaceIdentifier, String serviceIdentifier, int cachedHashCode) {
        this.interfaceIdentifier = interfaceIdentifier;
        this.serviceIdentifier = serviceIdentifier;
        this.cachedHashCode = cachedHashCode;
    }
}

Issue 6 : Poor Style: Value Never Read

Solution : To remove such fields which are never used

Issue 7 : Portability Flaw: Locale Dependent Comparison

Solution : Use Pattern.quote() so that the separator strings are treated as literals, avoiding issues with locale-dependent characters or special regex characters.

Issue Details :

Package: com.comviva.mfs.eig.rulesEngine
Core_EIG_UI/src/main/java/com/comviva/mfs/eig/rulesEngine/EIGRulesEngine.java, line 383 (Portability Flaw: Locale Dependent Comparison)
380 String tlvLengthValues[] = counter[13].split(
381         EIG_AutomationConstants.VALUESPLITBY.getStatusCode());
382 for (String lengthValuePair : tlvLengthValues) {
383     writer.println();
384     String valuesMap[] = lengthValuePair.split(
385             EIG_AutomationConstants.SUBVALUESPLITBY.getStatusCode());
386     if (valuesMap.length > 1)

Fix :

private static void writeValueChangeRequiredRules(PrintWriter writer, String[] counter) {
    // Pattern.quote() makes split() match the separator literally instead of as a regex
    String[] conversionValues = counter[10].split(Pattern.quote(EIG_AutomationConstants.VALUESPLITBY.getStatusCode()));
    for (String values : conversionValues) {
        writer.println();
        String[] valuesMap = values.split(Pattern.quote(EIG_AutomationConstants.SUBVALUESPLITBY.getStatusCode()));
        if (valuesMap.length > 1) {
            writer.println("<value parameter_value_client=\"" + valuesMap[0] +
                    "\" parameter_value_server=\"" + valuesMap[1] +
                    "\" />");
        }
    }
}
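To show why the literal quoting matters, here is an added, self-contained example (not code from the Comviva code base): it splits a constructed TLV string with the raw separator, as the original EIGRulesEngine code did, and with Pattern.quote(), as the fix does. The separator values and the sample input are assumptions standing in for VALUESPLITBY and SUBVALUESPLITBY.

```java
import java.util.Arrays;
import java.util.regex.Pattern;

public class SeparatorSplitDemo {
    // Assumed separator values standing in for VALUESPLITBY / SUBVALUESPLITBY;
    // "|" is the interesting one because it is also the regex alternation operator
    static final String VALUE_SPLIT_BY = "|";
    static final String SUB_VALUE_SPLIT_BY = "=";
    // Constructed sample input: two "length=value" pairs joined by the separator
    static final String SAMPLE = "len1=10|len2=20";

    // What the original code does: String.split() interprets the separator as a regex
    static String[] splitRaw(String input, String separator) {
        return input.split(separator);
    }

    // What the fix does: Pattern.quote() wraps the separator in \Q...\E so it matches literally
    static String[] splitLiteral(String input, String separator) {
        return input.split(Pattern.quote(separator));
    }

    public static void main(String[] args) {
        // As a regex, "|" is an empty alternation that matches between every character,
        // so the raw split produces one element per character instead of two pairs
        System.out.println("raw:     " + Arrays.toString(splitRaw(SAMPLE, VALUE_SPLIT_BY)));
        // Quoted, the same separator splits the input into its two pairs
        System.out.println("literal: " + Arrays.toString(splitLiteral(SAMPLE, VALUE_SPLIT_BY)));

        // The same guard at the second level, mirroring the valuesMap loop in the fix
        for (String pair : splitLiteral(SAMPLE, VALUE_SPLIT_BY)) {
            String[] valuesMap = splitLiteral(pair, SUB_VALUE_SPLIT_BY);
            if (valuesMap.length > 1) {
                System.out.println(valuesMap[0] + " -> " + valuesMap[1]);
            }
        }

        // A "." separator is just as dangerous: unquoted it matches any character, so every
        // piece is empty and split() drops them all; quoted, "a.b" splits into two pieces
        System.out.println("dot raw:     " + splitRaw("a.b", ".").length);
        System.out.println("dot literal: " + splitLiteral("a.b", ".").length);
    }
}
```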

Issue 8 : Privacy Violation

Solution : Use the standard Base64 encoder/decoder available in Java 8 (java.util.Base64) instead of the internal sun.misc classes.

Issue Details :

Sink: java.net.URLConnection.setRequestProperty()
Enclosing Method: getConnection()
File: EIG1.1.1/src/main/java/com/comviva/mfs/eig/transformers/mapper/ExtGetwayUtility.java:133
Taint Flags: BASE64_ENCODED, NO_NEW_LINE, PRIVATE, VALIDATED_HTTP_PARAMETER_POLLUTION
130 url = new URL(strUrl);
131 urlConnection = (HttpURLConnection) url.openConnection();
132 if (bProxySet) {
133     urlConnection.setRequestProperty("Proxy-Authorization", "Basic " + new sun.misc.BASE64Encoder().encode(
134             (proxyUser + ":" + proxyPassword).getBytes())
135     );
136 }

Fix :

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.ProtocolException;
import java.net.URL;
import java.util.Base64;

public static HttpURLConnection getConnection(String strUrl) throws MalformedURLException, IOException, ProtocolException {
    URL url = new URL(strUrl);
    HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection();
    String proxyEnabled = System.getProperty("http.proxySet");
    if (proxyEnabled != null && "true".equalsIgnoreCase(proxyEnabled)) {
        String proxyUser = System.getProperty("http.proxyUser");
        String proxyPassword = System.getProperty("http.proxyPassword");
        if (proxyUser != null && proxyPassword != null) {
            // java.util.Base64 (Java 8) replaces the internal sun.misc.BASE64Encoder and inserts no line breaks
            String encodedCredentials = Base64.getEncoder().encodeToString((proxyUser + ":" + proxyPassword).getBytes());
            urlConnection.setRequestProperty("Proxy-Authorization", "Basic " + encodedCredentials);
        }
    }
    return urlConnection;
}
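As an added example (not the ExtGetwayUtility code), this builds the Proxy-Authorization value with java.util.Base64 as the fix does, uses an explicit charset instead of the platform default, and decodes the result again to confirm that a long credential comes back intact on a single line. The user name and password are constructed values.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class ProxyAuthHeaderDemo {
    // Builds the header value the way the fix does, with java.util.Base64 (Java 8+).
    // The basic encoder never inserts line breaks, which matters here: an HTTP header
    // value containing a newline is invalid and breaks the request.
    static String basicProxyAuth(String user, String password) {
        String raw = user + ":" + password;
        // Explicit charset: getBytes() with no argument uses the platform default,
        // so the same password could encode differently on different hosts
        byte[] bytes = raw.getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(bytes);
    }

    // Reverses the encoding so the result can be checked without sending a request
    static String decodeBasic(String headerValue) {
        String prefix = "Basic ";
        if (!headerValue.startsWith(prefix)) {
            throw new IllegalArgumentException("not a Basic credential");
        }
        byte[] bytes = Base64.getDecoder().decode(headerValue.substring(prefix.length()));
        return new String(bytes, StandardCharsets.UTF_8);
    }

    // True when the header value is a single line, as an HTTP header value must be
    static boolean isSingleLine(String headerValue) {
        return headerValue.indexOf('\r') < 0 && headerValue.indexOf('\n') < 0;
    }

    public static void main(String[] args) {
        // Constructed credentials; the password is longer than 57 bytes, the point at
        // which the legacy sun.misc encoder started a new output line
        String user = "proxy-user";
        String password = new String(new char[80]).replace('\0', 'x');

        String header = basicProxyAuth(user, password);
        System.out.println("single line: " + isSingleLine(header));
        System.out.println("round trip ok: " + decodeBasic(header).equals(user + ":" + password));
        // The header itself is deliberately not printed: it carries the proxy password
        // in a form anyone reading the log could decode
    }
}
```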