You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@syncope.apache.org by GitBox <gi...@apache.org> on 2022/06/14 13:44:38 UTC

[GitHub] [syncope] github-code-scanning[bot] commented on a diff in pull request #351: [SYNCOPE-1545] Fixing MFA settings for RegisteredService instances

github-code-scanning[bot] commented on code in PR #351:
URL: https://github.com/apache/syncope/pull/351#discussion_r896839451


##########
wa/starter/src/test/java/org/apache/syncope/wa/starter/pac4j/saml/BaseWASAML2ClientTest.java:
##########
@@ -99,19 +99,19 @@
~
~    protected static KeyStore getKeystore() throws Exception {
~        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
~        char[] pwdArray = "password".toCharArray();
~        ks.load(null, pwdArray);
~        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
         keyPairGenerator.initialize(4096);
         KeyPair keyPair = keyPairGenerator.generateKeyPair();
         Certificate certificate = createSelfSignedCert(keyPair);
-        ks.setKeyEntry("Syncope", keyPair.getPrivate(), "password".toCharArray(), new Certificate[]{certificate});
+        ks.setKeyEntry("Syncope", keyPair.getPrivate(), "password".toCharArray(), new Certificate[] { certificate });

Review Comment:
   ## Hard-coded credential in API call
   
   Hard-coded value flows to [sensitive API call](1).
   
   [Show more details](https://github.com/apache/syncope/security/code-scanning/1033)



##########
wa/starter/src/test/java/org/apache/syncope/wa/starter/pac4j/saml/BaseWASAML2ClientTest.java:
##########
@@ -91,7 +90,8 @@
         saml2Configuration.setPrivateKeyPassword("password");
         saml2Configuration.setKeystoreAlias("Syncope");
         saml2Configuration.setIdentityProviderMetadataResource(new ClassPathResource("idp-metadata.xml"));
-        saml2Configuration.setServiceProviderMetadataResource(new FileSystemResource(File.createTempFile("sp-metadata", ".xml")));
+        saml2Configuration.setServiceProviderMetadataResource(new FileSystemResource(File.createTempFile("sp-metadata",
+                ".xml")));

Review Comment:
   ## Local information disclosure in a temporary directory
   
   Local information disclosure vulnerability due to use of file readable by other local users.
   
   [Show more details](https://github.com/apache/syncope/security/code-scanning/1029)



##########
common/am/lib/src/main/java/org/apache/syncope/common/lib/wa/WAClientApp.java:
##########
@@ -56,6 +63,12 @@
         this.accessPolicy = accessPolicy;
     }
 
+    @JacksonXmlElementWrapper(localName = "authModules")
+    @JacksonXmlProperty(localName = "authModule")
+    public List<AuthModuleTO> getAuthModules() {

Review Comment:
   ## Exposing internal representation
   
   getAuthModules exposes the internal representation stored in field authModules. The value may be modified [after this call to getAuthModules](1).
   
   [Show more details](https://github.com/apache/syncope/security/code-scanning/1028)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@syncope.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org