
expression changed to empty string from empty list, skipping empty patch #29


Triggered via pull request September 19, 2024 11:16
Status Success
Total duration 4m 3s
Artifacts 4

main.yml

on: pull_request

Annotations

28 warnings
build
The following actions use a deprecated Node.js version and will be forced to run on node20: actions/checkout@v3, actions/upload-artifact@v3. For more info: https://github.blog/changelog/2024-03-07-github-actions-all-actions-will-run-on-node20-instead-of-node16-by-default/
pipeline scan
The following actions use a deprecated Node.js version and will be forced to run on node20: actions/checkout@v3, actions/download-artifact@v3. For more info: https://github.blog/changelog/2024-03-07-github-actions-all-actions-will-run-on-node20-instead-of-node16-by-default/
Security findings: app/views/blabController.py#L48
logger.info("Executing query to get all 'Blabs for me'") blabsForMe = sqlBlabsForMe.format(10, 0) - cursor.execute(blabsForMe % (username,)) + cursor.execute(blabsForMe, (username, )) blabsForMeResults = cursor.fetchall() feedBlabs = []
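Review bot: The parameterized call `cursor.execute(blabsForMe, (username, ))` only works if the username placeholder inside sqlBlabsForMe is a bare `%s` rather than a quoted `'%s'`; with Django's cursor the value is bound by the driver, and a quoted placeholder either binds a literal string that never matches or fails to parse. sqlBlabsForMe is defined outside the hunk, so this cannot be confirmed here, and the same caveat applies to blabDetailsSql at L37. A comment at the definition would pin it down, e.g. `# username placeholder must be an unquoted %s: the value is bound by cursor.execute`. The enclosing view starts and ends outside the hunk.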
Security findings: app/views/blabController.py#L72
# Find the Blabs by this user logger.info("Executing query to get all of user's Blabs") - cursor.execute(sqlBlabsByMe % (username,)) + cursor.execute("SELECT * FROM blabsByMe %s;", (username, )) blabsByMeResults = cursor.fetchall() myBlabs = []
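Review bot: The new statement `"SELECT * FROM blabsByMe %s;"` is not the original query: `blabsByMe` was the name of the result variable, not a table, and a bound parameter cannot stand in for a WHERE clause, so this most likely selects from a table that does not exist. Keep the existing query and bind the username to it, `cursor.execute(sqlBlabsByMe, (username,))`, after making the placeholder in sqlBlabsByMe (defined outside the hunk) a bare `%s`. The enclosing function starts and ends outside the hunk.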
Security findings: app/views/blabController.py#L117
addBlabSql = "INSERT INTO blabs (blabber, content, timestamp) values ('%s', '%s', datetime('now'));" logger.info("Executing query to add new blab") - cursor.execute(addBlabSql % (username, blab)) + cursor.execute("INSERT INTO blabs (blabber, content, timestamp) values (?,?, datetime('now'))", [username, blab]) if not cursor.rowcount: request.error = "Failed to add blab"
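Review bot: The new `cursor.execute("INSERT ... values (?,?, datetime('now'))", [username, blab])` switches to `?` placeholders while every other parameterized call in this change uses Django's `%s` style; Django's cursor wrapper expects `%s` and translates it for the backend, so whether `?` works depends on the database in use, which the hunk does not show. It also leaves the original `addBlabSql` string assigned but unused. Changing the existing string and call keeps one style throughout: `addBlabSql = "INSERT INTO blabs (blabber, content, timestamp) values (%s, %s, datetime('now'));"` and `cursor.execute(addBlabSql, (username, blab))`. The enclosing function starts and ends outside the hunk.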
Security findings: app/views/blabController.py#L170
except Exception as e: logger.error("Unexpected error", e) - return HttpResponse(ret) + return escape(HttpResponse(ret)) # Brings up the page to view a blab, or to write a blab def blab(request):
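Review bot: `return escape(HttpResponse(ret))` escapes the response object, not its content: `html.escape` calls `str()` on the HttpResponse, so the view now returns a plain string instead of a response. The intended fix is the other way round, `return HttpResponse(escape(ret))`. Separately, the context line `logger.error("Unexpected error", e)` passes the exception as a format argument with no `%s` in the message; `logger.exception("Unexpected error")` inside the except block records it with a traceback. The surrounding function starts outside the hunk.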
Security findings: app/views/blabController.py#L198
with connection.cursor() as cursor: logger.info("Executing query to see Blab details") - cursor.execute(blabDetailsSql % (blabid,)) + cursor.execute(blabDetailsSql, (blabid, )) blabDetailsResults = cursor.fetchone() if (blabDetailsResults):
Security findings: app/views/blabController.py#L208
# Get comments logger.info("Executing query to get all comments") - cursor.execute(blabCommentsSql % (blabid,)) + cursor.execute("%s %s" % (blabCommentsSql, (blabCommentsSql, ))) blabCommentsResults = cursor.fetchall() comments = []
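Review bot: `cursor.execute("%s %s" % (blabCommentsSql, (blabCommentsSql, )))` builds the statement from the query text followed by the repr of a tuple containing that same text, and `blabid` is no longer passed at all, so the comments lookup cannot run against the right blab (or parse at all). The parameterized form used at L37 is what is wanted here: `cursor.execute(blabCommentsSql, (blabid,))`, with the placeholder in blabCommentsSql (defined outside the hunk) a bare `%s`. The enclosing view starts and ends outside the hunk.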
Security findings: app/views/blabController.py#L297
logger.info(blabbersSql) logger.info("Executing query to see Blab details") - cursor.execute(blabbersSql % (username, username)) + cursor.execute("SELECT * FROM users WHERE username = %s;", (username, )) blabbersResults = cursor.fetchall() blabbers = []
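Review bot: The replacement query `SELECT * FROM users WHERE username = %s;` is not a parameterized form of `blabbersSql`, which took the username twice; it changes what the view returns rather than just how the value is bound, and `logger.info(blabbersSql)` two lines up still logs a query that is no longer executed. Binding the original query preserves behaviour: `cursor.execute(blabbersSql, (username, username))`, with both placeholders in blabbersSql (defined outside the hunk) left unquoted. The enclosing function starts and ends outside the hunk.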
Security findings: app/templates/app/feed.html#L157
len : 10 }, function(data) { if (data) { - $("#feed ul").append(data); +$("#feed ul").append(DOMPurify.sanitize(data)); } else { $(obj).remove(); }
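Review bot: `$("#feed ul").append(DOMPurify.sanitize(data))` relies on DOMPurify being loaded on the feed page, and nothing in the hunk shows the script include; if it is missing, the callback throws and the feed silently stops loading. The `<script src="...">` for DOMPurify should be confirmed in the template head, which is outside the hunk, or the call guarded with `if (typeof DOMPurify === 'undefined') { ... }`. The added line has also lost its indentation relative to the surrounding block.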
Security findings: app/templates/app/profile.html#L216
$('input[name="' + key + '"]').val(val); if (key === "username") { - $('#profileImage').attr('src', image_path + val + '.png'); +$('#profileImage').attr('src', DOMPurify.sanitize(image_path + val + '.png')); } }); } if ('message' in data) { - $('body').append(data.message); +$('body').append(DOMPurify.sanitize(data.message)); } } },
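Review bot: `DOMPurify.sanitize(image_path + val + '.png')` does not protect the `src` attribute: DOMPurify sanitizes HTML markup, and a string containing no tags comes back unchanged, so whatever `val` holds still reaches the attribute as-is. For an attribute built from a username, validate the value against the expected character set before building the path, e.g. `if (/^[A-Za-z0-9_.-]+$/.test(val)) { $('#profileImage').attr('src', image_path + val + '.png'); }`. The second change, `$('body').append(DOMPurify.sanitize(data.message))`, is the right tool for that sink, since `data.message` is appended as HTML.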
Security findings: app/views/resetController.py#L60
elif(request.method == "POST"): return processReset(request) else: - h = httplib2.Http(".cache", disable_ssl_certificate_validation=True) #CWE-295 + h = httplib2.Http(".cache", disable_ssl_certificate_validation=False) #CWE-295 h.add_credentials('thiswaskevinsidea','hardcode') #CWE-798 data=h.request("http://localhost/",method='GET') return data
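Review bot: Re-enabling certificate validation has no effect on this request, because the URL on the following line is `http://localhost/`, so no TLS handshake takes place; the change only matters once the request uses `https://`. The `h.add_credentials('thiswaskevinsidea','hardcode')` line (marked `#CWE-798`) keeps the credentials in source, and the `#CWE-295` comment now sits on a line that no longer has that weakness and should be updated or removed. Reading the credentials from settings or the environment and requesting an `https://` URL would address both. The enclosing view starts and ends outside the hunk.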
Security findings: app/views/resetController.py#L108
listenersStatement = "INSERT INTO listeners (blabber, listener, status) values ('%s', '%s', 'Active');" for blabber in users[2:]: for listener in users[2:]: - if rand.choice([False, True]) and (blabber != listener): + rand = random.SystemRandom() + if rand.choice([False, True]) and (blabber!= listener): logger.info("Adding " + listener.username + " as a listener of " + blabber.username)
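Review bot: `rand = random.SystemRandom()` is placed inside the innermost `for listener` loop, so a fresh generator is instantiated on every iteration; the same pattern appears at L51 and L53. One instance created before the loops, `rand = random.SystemRandom()`, is enough, and it also removes the dependency on whatever `rand` was bound to before (the original appears to use a module-level `rand`, and the `random` import is not visible in these hunks). The comparison also lost its spacing, `blabber!= listener`. The enclosing function starts and ends outside the hunk.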
Security findings: app/views/resetController.py#L125
blabsStatement = "INSERT INTO blabs (blabber, content, timestamp) values (%s, %s, datetime('now'));" for blabContent in blabsContent: # Get the array offset for a random user - randomUserOffset = rand.randint(2,len(users) - 1) + rand = random.SystemRandom() + randomUserOffset = rand.randint(2, len(users) - 1) # get the number or seconds until some time in the last 30 days. #vary = rand.randint(0,(30 * 24 * 3600)+1)
Security findings: app/views/resetController.py#L145
for i in range(len(blabsContent)): # Add a random number of comment count = rand.randint(0,5) # between 0 and 6 + rand = random.SystemRandom() for j in range(count) : # Get the array offset for a random user - randomUserOffset = rand.randint(2,len(users)-1) #removed +1 cause no admin, removed -2 because no admin and inclusive. + randomUserOffset = rand.SystemRandom().randint(2, len(users)-1) # removed +1 cause no admin, removed -2 because no admin and inclusive. username = users[randomUserOffset].username # Pick a random comment to add - commentNum = rand.randint(0,len(commentsContent)-1) + rand = random.SystemRandom() + commentNum = rand.randint(0, len(commentsContent)-1) comment = commentsContent[commentNum] # get the number or seconds until some time in the last 30 days. - vary = rand.randint(0,(30 * 24 * 3600)+1) + vary = rand.SystemRandom().randint(0, (30 * 24 * 3600)+1) logger.info("Adding a comment from " + username + " on blab ID " + str(i))
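Review bot: `rand.SystemRandom().randint(2, len(users)-1)` raises `AttributeError` on the first comment: `rand` was rebound to a `random.SystemRandom()` instance two lines earlier in this hunk, and that instance has no `SystemRandom` attribute; the `vary = rand.SystemRandom().randint(...)` line fails the same way. Both should call the instance directly, `randomUserOffset = rand.randint(2, len(users)-1)` and `vary = rand.randint(0, (30 * 24 * 3600)+1)`, with a single `rand = random.SystemRandom()` hoisted above the loops instead of the two assignments inside them. The enclosing function starts and ends outside the hunk.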
Security findings: app/views/userController.py#L22
from app.models import User, Blabber from app.forms import RegisterForm +from html import escape # Get logger
Security findings: app/views/userController.py#L135
blab_name=row["blab_name"]) response = updateInResponse(currentUser, response) - update = "UPDATE users SET last_login=datetime('now') WHERE username='" + row['username'] + "';" - cursor.execute(update) + update = "UPDATE users SET last_login=datetime(%s) WHERE username='" + row['username'] + "';" + cursor.execute(update, (row["last_login"],)) # if the username ends with "totp", add the TOTP login step if username[-4:].lower() == "totp":
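Review bot: The new statement parameterizes the wrong value: `datetime(%s)` is now fed `row["last_login"]`, so the login timestamp is rewritten to the value already stored instead of `now`, while `row['username']` is still concatenated into the WHERE clause. Bind the username and keep the literal: `update = "UPDATE users SET last_login=datetime('now') WHERE username=%s;"` and `cursor.execute(update, (row['username'],))`. Whether the row even carries a `last_login` key cannot be checked from the hunk. The enclosing function starts outside the hunk.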
Security findings: app/views/userController.py#L181
try: logger.info("Creating the Database connection") with connection.cursor() as cursor: - sql = "SELECT password_hint FROM users WHERE username = '" + username + "'" + sql = "SELECT password_hint FROM users WHERE username = %s" logger.info(sql) - cursor.execute(sql) + cursor.execute(sql, (username,)) row = cursor.fetchone() if (row):
Security findings: app/views/userController.py#L194
formatString = "Username '" + username + "' has password: {}" hint = formatString.format(password[:2] + ("*" * (len(password) - 2))) logger.info(hint) - return HttpResponse(hint) + return HttpResponse(escape(hint)) else: - return HttpResponse("No password found for " + username) + return HttpResponse(escape("No password found for " + username)) except DatabaseError as db_err: logger.error("Database error", db_err) return HttpResponse("ERROR!")
Security findings: app/views/userController.py#L222
#Create db connection with connection.cursor() as cursor: - sql = "SELECT totp_secret FROM users WHERE username = '" + username + "'" + sql = "SELECT totp_secret FROM users WHERE username = %s" logger.info(sql) - cursor.execute(sql) + cursor.execute(sql, (username,)) result = cursor.fetchone() if result:
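Review bot: The parameterized `SELECT totp_secret FROM users WHERE username = %s` lookup is now written twice, here and at L65, with identical query, logging and fetch. A small helper, e.g. `def _get_totp_secret(cursor, username):` wrapping the execute and fetchone, would keep the two call sites from drifting apart the next time one of them changes. Both enclosing functions start and end outside their hunks.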
Security findings: app/views/userController.py#L256
with connection.cursor() as cursor: - sql = "SELECT totp_secret FROM users WHERE username = '" + username + "'" + sql = "SELECT totp_secret FROM users WHERE username = %s" logger.info(sql) - cursor.execute(sql) + cursor.execute(sql, (username,)) result = cursor.fetchone() if result:
Security findings: app/views/userController.py#L338
logger.info("Creating the Database connection") try: with connection.cursor() as cursor: - sqlQuery = "SELECT username FROM users WHERE username = '" + username + "'" - cursor.execute(sqlQuery) + sqlQuery = "SELECT username FROM users WHERE username = %s" + cursor.execute(sqlQuery, (username,)) row = cursor.fetchone() if (row): request.error = "Username '" + username + "' already exists!"
Security findings: app/views/userController.py#L417
query += ("'" + blabName + "'") query += (");") #execute query - cursor.execute(query) + cursor.execute('%s', (password, )) sqlStatement = cursor.fetchone() #<- variable for response logger.info(query) # END EXAMPLE VULNERABILITY
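Review bot: `cursor.execute('%s', (password, ))` executes a statement consisting of nothing but a placeholder, so the database receives the password as the whole query, while the INSERT assembled in `query` (still built by concatenating `blabName` and the other values, and still logged by `logger.info(query)`) is never run. The construction of `query` starts outside the hunk; it needs to be rebuilt with a `%s` for every value and executed as `cursor.execute(query, (...values in column order...))`, after which `logger.info(query)` no longer writes user-supplied data to the log. The enclosing function starts and ends outside the hunk.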
Security findings: app/views/userController.py#L508
events = [] # START EXAMPLE VULNERABILITY - sqlMyEvents = "select event from users_history where blabber=\"" + username + "\" ORDER BY eventid DESC; " + sqlMyEvents = "select event from users_history where blabber=%s ORDER BY eventid DESC; " logger.info(sqlMyEvents) - cursor.execute(sqlMyEvents) + cursor.execute(sqlMyEvents, (username,)) userHistoryResult = cursor.fetchall() # END EXAMPLE VULNERABILITY
Security findings: app/views/userController.py#L518
events.append(result[0]) # Get the users information - sql = "SELECT username, real_name, blab_name, totp_secret FROM users WHERE username = '" + username + "'" + sql = "SELECT username, real_name, blab_name, totp_secret FROM users WHERE username = %s" logger.info(sql) - cursor.execute(sql) + cursor.execute(sql, (username,)) myInfoResults = cursor.fetchone() if not myInfoResults: return JsonResponse({'message':'Error, no Inforesults found'})
Security findings: app/views/userController.py#L557
# Initial response only get returns if everything else succeeds. # This must be here in order to use set_cookie later in the program msg = f"<script>alert('Successfully changed values!\\nusername: {username.lower()}\\nReal Name: {realName}\\nBlab Name: {blabName}');</script>" - response = JsonResponse({'values':{"username": username.lower(), "realName": realName, "blabName": blabName}, 'message':msg},status=200) + response = escape(JsonResponse({'values':{"username": username.lower(), "realName": realName, "blabName": blabName},'message':msg}, status=200)) logger.info("entering processProfile") sessionUsername = request.session.get('username')
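Review bot: `response = escape(JsonResponse(...))` turns the response into a string of the object's repr, so the JSON body is lost and the `set_cookie` call the preceding comment promises will fail on a `str`. Escaping at this layer also targets the wrong context: the JSON body needs no HTML escaping, whereas `msg` embeds `realName` and `blabName` directly inside a `<script>` literal that the client appends to the page (see profile.html at L45). Keep `response = JsonResponse({...}, status=200)` as it was and encode the interpolated values when building `msg`, e.g. `{escape(realName)}` and `{escape(blabName)}` (escape is imported at L55), or drop the inline script and let the client render the message as text. The enclosing function starts and ends outside the hunk.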
create fixes
The following actions use a deprecated Node.js version and will be forced to run on node20: actions/checkout@v3. For more info: https://github.blog/changelog/2024-03-07-github-actions-all-actions-will-run-on-node20-instead-of-node16-by-default/
Deprecation notice: v1, v2, and v3 of the artifact actions
The following artifacts were uploaded using a version of actions/upload-artifact that is scheduled for deprecation: "scan-target", "Veracode Pipeline-Scan Results". Please update your workflow to use v4 of the artifact actions. Learn more: https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/

Artifacts

Produced during runtime
Name Size
Veracode Pipeline-Scan Results Expired
10.2 KB
Veracode Pipeline-Scan Results Expired
180 KB
scan-target Expired
725 KB
uploaded-app Expired
44.7 KB