From 337f9548da793849555557f2918c32140e16f61d Mon Sep 17 00:00:00 2001
From: Ryan Amari
Date: Tue, 17 Dec 2024 15:49:36 -0500
Subject: [PATCH] Low risk checkmarx changes
---
 .../avillach/LoggerReaderInterceptor.java | 54 ++++++++++---------
 .../dbmi/avillach/service/SystemService.java | 3 +-
 2 files changed, 30 insertions(+), 27 deletions(-)
diff --git a/pic-sure-api-war/src/main/java/edu/harvard/dbmi/avillach/LoggerReaderInterceptor.java b/pic-sure-api-war/src/main/java/edu/harvard/dbmi/avillach/LoggerReaderInterceptor.java
index 6fd312bc..ca0d01d0 100644
--- a/pic-sure-api-war/src/main/java/edu/harvard/dbmi/avillach/LoggerReaderInterceptor.java
+++ b/pic-sure-api-war/src/main/java/edu/harvard/dbmi/avillach/LoggerReaderInterceptor.java
@@ -19,37 +19,39 @@ public class LoggerReaderInterceptor implements ReaderInterceptor {
 public Object aroundReadFrom(ReaderInterceptorContext interceptorContext) throws IOException, WebApplicationException {
 //Capture the request body to be logged when request completes
- InputStream inputStream = interceptorContext.getInputStream();
- String requestContent = IOUtils.toString(inputStream, "UTF-8");
-
- //Totally manually redact resourceCredentials from this string
- String requestString = requestContent;
- while (requestString.contains("resourceCredentials")){
- int rcBegin = requestString.indexOf("resourceCredentials");
- int startBracket = requestString.indexOf("{", rcBegin);
- int bracketCount = 0;
- int endBracket = -1;
- for (int i = startBracket; i < requestString.length(); i++){
- if (requestString.charAt(i) == '{'){
- bracketCount++;
- } if (requestString.charAt(i) == '}'){
- bracketCount--;
- }
- if (bracketCount < 1){
- endBracket = i;
- break;
+ try (InputStream inputStream = interceptorContext.getInputStream()) {
+
+ String requestContent = IOUtils.toString(inputStream, "UTF-8");
+
+ //Totally manually redact resourceCredentials from this string
+ String requestString = requestContent;
+ while (requestString.contains("resourceCredentials")){
+ int rcBegin = requestString.indexOf("resourceCredentials");
+ int startBracket = requestString.indexOf("{", rcBegin);
+ int bracketCount = 0;
+ int endBracket = -1;
+ for (int i = startBracket; i < requestString.length(); i++){
+ if (requestString.charAt(i) == '{'){
+ bracketCount++;
+ } if (requestString.charAt(i) == '}'){
+ bracketCount--;
+ }
+ if (bracketCount < 1){
+ endBracket = i;
+ break;
+ }
 }
+ requestString = requestString.substring(0, rcBegin-1) +sentinel+ requestString.substring(endBracket+1);
 }
- requestString = requestString.substring(0, rcBegin-1) +sentinel+ requestString.substring(endBracket+1);
- }
- //Put string to context for logging
- interceptorContext.setProperty("requestContent", requestString);
+ //Put string to context for logging
+ interceptorContext.setProperty("requestContent", requestString);
- //Return original body to the request
- interceptorContext.setInputStream(new ByteArrayInputStream(requestContent.getBytes()));
+ //Return original body to the request
+ interceptorContext.setInputStream(new ByteArrayInputStream(requestContent.getBytes()));
- return interceptorContext.proceed();
+ return interceptorContext.proceed();
+ }
 }
 }
diff --git a/pic-sure-api-war/src/main/java/edu/harvard/dbmi/avillach/service/SystemService.java b/pic-sure-api-war/src/main/java/edu/harvard/dbmi/avillach/service/SystemService.java
index 64895b26..8a8b0f4b 100755
--- a/pic-sure-api-war/src/main/java/edu/harvard/dbmi/avillach/service/SystemService.java
+++ b/pic-sure-api-war/src/main/java/edu/harvard/dbmi/avillach/service/SystemService.java
@@ -4,6 +4,7 @@
 import java.io.IOException;
 import java.util.List;
+import java.util.Locale;
 import java.util.UUID;
 import javax.annotation.PostConstruct;
@@ -88,7 +89,7 @@ public String status() {
 // This because both are included in the database, but only one is actually deployed.
 // if the name contains hpds and is not the default application uuid, remove it.
 resourcesToTest.removeIf(
- resource -> resource.getName().toLowerCase().contains("hpds") && !resource.getUuid().equals(defaultApplicationUUID)
+ resource -> resource.getName().toLowerCase(Locale.ENGLISH).contains("hpds") && !resource.getUuid().equals(defaultApplicationUUID)
 );
 // This proves the MySQL database is serving queries
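Review bot: The redaction loop carried onto the new side still has no guard for a body where `resourceCredentials` is not followed by a well-formed brace block: `indexOf("{", rcBegin)` returning -1 makes the `for` start at `charAt(-1)`, an unclosed block leaves `endBracket` at -1 so `substring(endBracket+1)` re-appends the whole remainder and the `while` never terminates while the string grows, and `rcBegin-1` goes negative when the key is at offset 0 — so a malformed request can stall or throw inside the interceptor before `proceed()` is reached, rather than being logged with the credential removed. A fail-closed guard that keeps nothing after the key when the block cannot be parsed both ends the loop and keeps the credential out of `requestContent`. The encoding is also asymmetric: the body is decoded as UTF-8 but replayed via `requestContent.getBytes()` (platform default), so `requestContent.getBytes(StandardCharsets.UTF_8)` would preserve non-ASCII bodies for the downstream reader. `sentinel` and the class header are declared outside the hunk.
```java
                int startBracket = requestString.indexOf("{", rcBegin);
                int endBracket = -1;
                if (startBracket >= 0) {
                    // … unchanged: bracketCount declaration and the brace-matching for loop that sets endBracket …
                }
                if (endBracket < 0) {
                    // No parseable block after the key: fail closed and keep nothing past it for the log
                    requestString = requestString.substring(0, Math.max(rcBegin - 1, 0)) + sentinel;
                    break;
                }
                requestString = requestString.substring(0, Math.max(rcBegin - 1, 0)) + sentinel + requestString.substring(endBracket + 1);
```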
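Review bot: `toLowerCase(Locale.ENGLISH)` removes the locale-dependent fold the scanner flagged, but for an identifier comparison like a resource name the conventional choice is the neutral root locale: `resource -> resource.getName().toLowerCase(Locale.ROOT).contains("hpds") && !resource.getUuid().equals(defaultApplicationUUID)`. That reads as "locale-independent" rather than "English", which is what the comment above the `removeIf` is expressing. The `removeIf` sits inside `status()`, whose body starts and ends outside the hunk.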