Privacy Violation: Heap Inspection from secret manager

Author: sahildari

.gitignore

@@ -21,8 +21,6 @@ target/
 *.ear
 *.iml
 .gradle/
-.mvn/
-.mvn/wrapper/
 
 # Logs and temp files
 *.log

Path Manipulation/while File Read/java/fileread.pathmanipulation/src/main/java/securecodingexamples/fileread/pathmanipulation/DownloadController.java

@@ -110,7 +110,9 @@ private static boolean isValidName(String filename) {
     private static String validFilename(String filename) {
         int dotIndex = filename.lastIndexOf(".");
         String name = filename.substring(0, dotIndex);
-        String extension = filename.substring(dotIndex + 1);
+        name = name.replaceAll("[^a-zA-Z0-9-_]", "_");
+        String extension = filename.substring(dotIndex + 1).toLowerCase();
+        extension = extension.replaceAll("[^a-zA-Z0-9]", "");
         return name + "." + extension;
     }
 }

Path Manipulation/while File Read/python/README.md

@@ -38,4 +38,4 @@ python run.py
 2. Open in Browser:
 ```
 http://127.0.0.1:5000
-```
+```

Path Manipulation/while File Upload/java/fileupload.pathmanipulation/src/main/java/securecodingexamples/fileupload/pathmanipulation/UploadController.java

@@ -100,7 +100,9 @@ private static boolean isValidName(String filename) {
     private static String validFilename(String filename) {
         int dotIndex = filename.lastIndexOf(".");
         String name = filename.substring(0, dotIndex);
+        name = name.replaceAll("[^a-zA-Z0-9-_]", "_");
         String extension = filename.substring(dotIndex + 1).toLowerCase();
+        extension = extension.replaceAll("[^a-zA-Z0-9]", "");
         return name + "." + extension;
     }
 

Privacy Violation - Heap Inspection/csharp/HeapInspectionSecureStringExample.cs

@@ -0,0 +1,113 @@
+using System;
+using System.IO;
+using System.Runtime.InteropServices;
+using System.Text.Json;
+using System.Security;
+using Amazon;
+using Amazon.SecretsManager;
+using Amazon.SecretsManager.Model;
+
+public class HeapInspectionSecureStringExample
+{
+    public static SecureString GetPasswordFromSecretsManager(string secretName)
+    {
+        using (var client = new AmazonSecretsManagerClient(RegionEndpoint.USEast1)) // Change to your AWS region
+        {
+            var request = new GetSecretValueRequest { SecretId = secretName };
+            GetSecretValueResponse result = client.GetSecretValueAsync(request).Result;
+
+            SecureString securePassword = new SecureString();
+
+            if (result.SecretBinary != null)
+            {
+                // Handling binary secrets
+                byte[] decodedBinarySecret = Convert.FromBase64String(result.SecretBinary.ToString());
+                string secretString = System.Text.Encoding.UTF8.GetString(decodedBinarySecret);
+                ExtractPasswordToSecureString(secretString, securePassword);
+            }
+            else
+            {
+                // Handling JSON or plaintext secrets
+                ExtractPasswordToSecureString(result.SecretString, securePassword);
+            }
+
+            // Overwrite the original string immediately
+            OverwriteString(result.SecretString);
+
+            return securePassword;
+        }
+    }
+
+    private static void ExtractPasswordToSecureString(string secret, SecureString securePassword)
+    {
+        if (!string.IsNullOrEmpty(secret))
+        {
+            try
+            {
+                var secretJson = JsonSerializer.Deserialize<JsonElement>(secret);
+                if (secretJson.TryGetProperty("password", out JsonElement passwordElement))
+                {
+                    string password = passwordElement.GetString();
+                    foreach (char c in password)
+                    {
+                        securePassword.AppendChar(c);
+                    }
+                    securePassword.MakeReadOnly(); // Secure the SecureString
+                }
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("Error parsing secret JSON: " + ex.Message);
+            }
+        }
+    }
+
+    private static void OverwriteString(string str)
+    {
+        if (!string.IsNullOrEmpty(str))
+        {
+            char[] chars = str.ToCharArray();
+            for (int i = 0; i < chars.Length; i++)
+            {
+                chars[i] = '\0'; // Overwrite memory
+            }
+        }
+    }
+
+    public static void UseSecureString(SecureString securePassword)
+{
+    IntPtr ptr = Marshal.SecureStringToGlobalAllocUnicode(securePassword);
+    try
+    {
+        string password = Marshal.PtrToStringUni(ptr); // Extract password safely
+
+        // Construct connection string
+        StringBuilder connectionString = new StringBuilder("jdbc:sqlserver://localhost:1433;encrypt=true;user=sa;password=")
+            .Append(password)
+            .Append(";columnEncryptionSetting=Enabled;");
+
+        Console.WriteLine("Connection String: " + connectionString);
+
+        // Overwrite password in memory
+        OverwriteString(password);
+    }
+    finally
+    {
+        Marshal.ZeroFreeGlobalAllocUnicode(ptr); // Clears memory securely
+    }
+}
+
+    public static void Main(string[] args)
+    {
+        SecureString securePassword = GetPasswordFromSecretsManager("MyDatabaseSecret");
+
+        try
+        {
+            UseSecureString(securePassword);
+        }
+        finally
+        {
+            securePassword.Dispose(); // Clears memory securely
+        }
+    }
+}

Privacy Violation - Heap Inspection/java/HeapInspectionGuardedStringExample.java

@@ -0,0 +1,81 @@
+import com.amazonaws.regions.Regions;
+import com.amazonaws.services.secretsmanager.AWSSecretsManager;
+import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;
+import com.amazonaws.services.secretsmanager.model.GetSecretValueRequest;
+import com.amazonaws.services.secretsmanager.model.GetSecretValueResult;
+import org.identityconnectors.common.security.GuardedString;
+
+import java.nio.charset.StandardCharsets;
+import java.nio.ByteBuffer;
+
+public class HeapInspectionGuardedStringExample {
+
+    public static GuardedString getPasswordFromSecretsManager(String secretName) {
+        AWSSecretsManager client = AWSSecretsManagerClientBuilder.standard()
+                .withRegion(Regions.US_EAST_1) // Change to your AWS region
+                .build();
+
+        GetSecretValueRequest request = new GetSecretValueRequest()
+                .withSecretId(secretName);
+
+        GetSecretValueResult result = client.getSecretValue(request);
+
+        char[] passwordChars;
+        if (result.getSecretBinary() != null) {
+            // Convert binary secret to char array
+            ByteBuffer secretBinary = result.getSecretBinary();
+            byte[] secretBytes = new byte[secretBinary.remaining()];
+            secretBinary.get(secretBytes);
+            passwordChars = new String(secretBytes, StandardCharsets.UTF_8).toCharArray();
+
+            // Overwrite the original byte array immediately
+            overwriteByteArray(secretBytes);
+        } else {
+            // Fallback to getSecretString() (only use if necessary)
+            passwordChars = result.getSecretString().toCharArray();
+
+            // Overwrite the original string immediately
+            overwriteString(result.getSecretString());
+        }
+
+        return new GuardedString(passwordChars);
+    }
+
+    private static void overwriteByteArray(byte[] bytes) {
+        if (bytes != null) {
+            java.util.Arrays.fill(bytes, (byte) 0); // Overwrite memory
+        }
+    }
+
+    private static void overwriteString(String str) {
+        if (str != null) {
+            char[] chars = str.toCharArray();
+            java.util.Arrays.fill(chars, '\0'); // Overwrite memory
+        }
+    }
+
+    public static void usePasswordSecurely(GuardedString guardedPassword) {
+        // Securely access the password value
+        guardedPassword.access(chars -> {
+            // Construct the connection string securely
+            StringBuffer connectionString = new StringBuffer("jdbc:sqlserver://localhost:1433;encrypt=true;user=sa;password=")
+                    .append(chars)
+                    .append(";columnEncryptionSetting=Enabled;");
+    
+            System.out.println("Connection String: " + connectionString);
+    
+            // Overwrite the password in memory after use
+            overwriteCharArray(chars);
+        });
+    }
+
+    public static void main(String[] args) {
+        GuardedString password = getPasswordFromSecretsManager("myDatabasePassword");
+
+        try {
+            usePasswordSecurely(password);
+        } finally {
+            password.dispose(); // Clears memory securely
+        }
+    }
+}

Unrestriced File Upload/java/src/main/java/securecodingexamples/unrestricted/fileupload/UploadController.java

@@ -131,7 +131,9 @@ private static boolean isValidName(String filename) {
     private static String validFilename(String filename) {
         int dotIndex = filename.lastIndexOf(".");
         String name = filename.substring(0, dotIndex);
+        name = name.replaceAll("[^a-zA-Z0-9-_]", "_");
         String extension = filename.substring(dotIndex + 1).toLowerCase();
+        extension = extension.replaceAll("[^a-zA-Z0-9]", "");
         return name + "." + extension;
     }