github-code-scanning[bot] commented on code in PR #351:
URL: https://github.com/apache/syncope/pull/351#discussion_r896839451
##########
wa/starter/src/test/java/org/apache/syncope/wa/starter/pac4j/saml/BaseWASAML2ClientTest.java:
##########
@@ -99,19 +99,19 @@
~
~ protected static KeyStore getKeystore() throws Exception {
~ KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
~ char[] pwdArray = "password".toCharArray();
~ ks.load(null, pwdArray);
~ KeyPairGenerator keyPairGenerator =
KeyPairGenerator.getInstance("RSA");
keyPairGenerator.initialize(4096);
KeyPair keyPair = keyPairGenerator.generateKeyPair();
Certificate certificate = createSelfSignedCert(keyPair);
- ks.setKeyEntry("Syncope", keyPair.getPrivate(),
"password".toCharArray(), new Certificate[]{certificate});
+ ks.setKeyEntry("Syncope", keyPair.getPrivate(),
"password".toCharArray(), new Certificate[] { certificate });
Review Comment:
## Hard-coded credential in API call
Hard-coded value flows to [sensitive API call](1).
[Show more
details](https://github.com/apache/syncope/security/code-scanning/1033)
##########
wa/starter/src/test/java/org/apache/syncope/wa/starter/pac4j/saml/BaseWASAML2ClientTest.java:
##########
@@ -91,7 +90,8 @@
saml2Configuration.setPrivateKeyPassword("password");
saml2Configuration.setKeystoreAlias("Syncope");
saml2Configuration.setIdentityProviderMetadataResource(new
ClassPathResource("idp-metadata.xml"));
- saml2Configuration.setServiceProviderMetadataResource(new
FileSystemResource(File.createTempFile("sp-metadata", ".xml")));
+ saml2Configuration.setServiceProviderMetadataResource(new
FileSystemResource(File.createTempFile("sp-metadata",
+ ".xml")));
Review Comment:
## Local information disclosure in a temporary directory
Local information disclosure vulnerability due to use of file readable by
other local users.
[Show more
details](https://github.com/apache/syncope/security/code-scanning/1029)
##########
common/am/lib/src/main/java/org/apache/syncope/common/lib/wa/WAClientApp.java:
##########
@@ -56,6 +63,12 @@
this.accessPolicy = accessPolicy;
}
+ @JacksonXmlElementWrapper(localName = "authModules")
+ @JacksonXmlProperty(localName = "authModule")
+ public List<AuthModuleTO> getAuthModules() {
Review Comment:
## Exposing internal representation
getAuthModules exposes the internal representation stored in field
authModules. The value may be modified [after this call to getAuthModules](1).
[Show more
details](https://github.com/apache/syncope/security/code-scanning/1028)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
