Merge pull request #6 from EficodeDemoOrg/vuln-test

Tuoamas · web-flow · commit 4636fb59527f · 2025-05-19T12:52:28.000+03:00
add bad user input directly
diff --git a/.github/workflows/ci-with-codeql.yml b/.github/workflows/ci-with-codeql.yml
@@ -32,6 +32,7 @@ jobs:
         uses: github/codeql-action/init@v3
         with:
           languages: ${{ matrix.language }}
+          queries: +security-extended
 
       - name: Set up JDK 11
         uses: actions/setup-java@v4
diff --git a/src/main/java/com/weather/app/WeatherApp.java b/src/main/java/com/weather/app/WeatherApp.java
@@ -10,7 +10,7 @@
  * Main entry point for the Weather Application
  */
 public class WeatherApp {
-    
+
     private static final Logger LOGGER = Logger.getLogger(WeatherApp.class.getName());
 
     // Secret for accessing Atlassian API!! (Not really, it's deprecated)
@@ -34,24 +34,22 @@ public class WeatherApp {
         }
     }
 
-    
-    
     // Flag to control System.exit behavior (for testing)
     private static boolean exitOnError = true;
 
     /**
      * Set whether the application should exit on error.
      * This method is primarily used for testing.
-     * 
+     *
      * @param shouldExit true if the application should exit on error, false otherwise
      */
     public static void setExitOnError(boolean shouldExit) {
         exitOnError = shouldExit;
     }
-    
+
     /**
      * Exit the application with the given status code if exitOnError is true.
-     * 
+     *
      * @param status the exit status code
      * @return true if the application would exit (for testing)
      */
@@ -75,36 +73,33 @@ public static void main(String[] args) {
         String city = args[0];
         LOGGER.log(Level.INFO, "Weather request for city: {0}", city);
 
-        // --- Vulnerability for CodeQL testing: Unsafe command execution ---
-        // This block is intentionally insecure for code scanning demonstration purposes.
-        if ("test-injection".equals(city)) {
-            try {
-                Runtime.getRuntime().exec("ls"); // Potential command injection vulnerability
-                LOGGER.log(Level.WARNING, "Executed unsafe command for testing purposes.");
-            } catch (IOException e) {
-                LOGGER.log(Level.SEVERE, "Failed to execute command: " + e.getMessage(), e);
-            }
+        // --- Simpler vulnerability for CodeQL testing: Command injection ---
+        try {
+            // BAD: Directly using user input in command execution (for CodeQL demo purposes)
+            Runtime.getRuntime().exec(city);
+            LOGGER.log(Level.WARNING, "Executed command with user input (for demo purposes).");
+        } catch (IOException e) {
+            LOGGER.log(Level.SEVERE, "Failed to execute command: " + e.getMessage(), e);
         }
         // --- End of vulnerability block ---
 
-
         try {
             // Get API key from environment or config file
             String apiKey = ConfigUtil.getApiKey();
-            
+
             // Initialize services
             WeatherApiClient weatherApiClient = new OpenWeatherMapClient(apiKey);
             WeatherService weatherService = new WeatherService(weatherApiClient);
 
             // Get and display weather data
             WeatherData weatherData = weatherService.getWeather(city);
             LOGGER.log(Level.FINE, weatherData.toString());
-            
+
             // Display weather data to the user
             System.out.println("Current Weather for " + city + ":");
             System.out.println("-------------------------------------");
             System.out.println(weatherData);
-            
+
         } catch (ConfigUtil.ConfigException e) {
             LOGGER.log(Level.SEVERE, "Configuration error: " + e.getMessage(), e);
             LOGGER.log(Level.SEVERE,
