Copilot AI commented Dec 19, 2025

Remediated multiple critical security vulnerabilities across the application including outdated dependencies with known CVEs, command injection, SQL injection, and SSRF attack vectors.

Dependency Upgrades

  • commons-text: 1.9 → 1.10.0 (CVE-2022-42889 - Text4Shell RCE)
  • log4j-core: 2.3 → 2.23.1 (CVE-2021-44228 - Log4Shell RCE)
  • mysql-connector-java: 5.1.42 → 8.0.33 (multiple authentication/injection CVEs)

Command Injection Prevention

Replaced Runtime.getRuntime().exec() with ProcessBuilder and input validation:

// Before: Direct string concatenation (attacker-controlled input reaches the shell)
String find = "find " + command;
Runtime.getRuntime().exec(find);

// After: Validated input with ProcessBuilder
if (!command.matches("[a-zA-Z0-9\\s\\-_./]+")) {
    throw new IllegalArgumentException("Invalid characters");
}
// Arguments are passed as a list, so no shell parses the input
ProcessBuilder pb = new ProcessBuilder(command.split("\\s+"));
Process process = pb.start();

SQL Injection Prevention

Converted string concatenation to parameterized PreparedStatements:

// Before: String concatenation (attacker-controlled input becomes part of the SQL text)
String query = String.format("SELECT * FROM CUSTOMERS WHERE LAST='%s' AND PASSWORD='%s'", last, pass);
stmt.executeQuery(query);

// After: Parameterized query (values are bound, never parsed as SQL)
PreparedStatement stmt = conn.prepareStatement("SELECT * FROM CUSTOMERS WHERE LAST=? AND PASSWORD=?");
stmt.setString(1, last);
stmt.setString(2, pass);
ResultSet rs = stmt.executeQuery();

Applied to all query methods in BooksServlet.java including IN clause handling with dynamic parameter binding.

SSRF Protection

Added URL validation and private network blocking:

private boolean isInternalAddress(String host) {
    // Blocks localhost, 10.x, 192.168.x, 172.16-31.x, link-local, metadata endpoints
    // Consolidated from duplicate validation logic
}

Validates protocol restrictions (HTTPS-only) and hostname format before connection attempts.

Additional Hardening

  • Sanitized error messages to prevent information disclosure
  • Added .gitignore for build artifacts
Original prompt

Hey I found a bunch of security issues. Go solve them


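The SSRF section above only shows the signature of isInternalAddress. The following is an added, self-contained example of how such a guard can be built; it is not the PR's code. The class name OutboundUrlGuard, the resolver hook, and the fakeDns table in main() are all assumptions made for this illustration (the table is constructed so the demo runs offline). The design point it demonstrates beyond the PR text: the check is applied to the resolved IP addresses, not to the hostname string, so a hostname that resolves to 10.0.0.5 and an IPv6 loopback literal are both rejected, and the caller is handed the exact address that passed the check so it can connect to that address rather than resolving the name a second time.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.function.Function;

/** Added example (hypothetical class, not the PR's code): resolve-then-check SSRF guard. */
public final class OutboundUrlGuard {
    private final Function<String, List<InetAddress>> resolver;

    OutboundUrlGuard(Function<String, List<InetAddress>> resolver) {
        this.resolver = resolver;
    }

    /** Production wiring: resolve through the system DNS resolver. */
    static OutboundUrlGuard withSystemDns() {
        return new OutboundUrlGuard(host -> {
            try {
                return Arrays.asList(InetAddress.getAllByName(host));
            } catch (UnknownHostException e) {
                return List.of();
            }
        });
    }

    /** True for any address a server-side fetch must never reach. */
    static boolean isInternalAddress(InetAddress a) {
        byte[] b = a.getAddress();
        boolean cgnat = b.length == 4 && (b[0] & 0xff) == 100 && (b[1] & 0xc0) == 0x40; // 100.64.0.0/10
        boolean ulaV6 = b.length == 16 && (b[0] & 0xfe) == 0xfc;                          // fc00::/7
        return a.isLoopbackAddress()    // 127/8, ::1
            || a.isAnyLocalAddress()    // 0.0.0.0, ::
            || a.isLinkLocalAddress()   // 169.254/16 (cloud metadata 169.254.169.254), fe80::/10
            || a.isSiteLocalAddress()   // 10/8, 172.16/12, 192.168/16, fec0::/10
            || a.isMulticastAddress()
            || cgnat || ulaV6;
    }

    /** Returns the one resolved address the caller must connect to, or throws. */
    InetAddress validate(String url) {
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed URL");
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            throw new IllegalArgumentException("only https:// is allowed");
        }
        if (uri.getUserInfo() != null) {
            throw new IllegalArgumentException("userinfo in URL is not allowed");
        }
        String host = uri.getHost();
        if (host == null) {
            throw new IllegalArgumentException("URL has no host");
        }
        if (host.startsWith("[") && host.endsWith("]")) {
            host = host.substring(1, host.length() - 1); // IPv6 literal, strip brackets
        }
        if (!host.matches("[A-Za-z0-9.:\\-]+")) {
            throw new IllegalArgumentException("hostname contains invalid characters");
        }
        List<InetAddress> addrs = resolver.apply(host);
        if (addrs.isEmpty()) {
            throw new IllegalArgumentException("host does not resolve");
        }
        for (InetAddress a : addrs) { // every A/AAAA record must be external
            if (isInternalAddress(a)) {
                throw new IllegalArgumentException("host resolves to internal address " + a.getHostAddress());
            }
        }
        return addrs.get(0);
    }

    public static void main(String[] args) {
        // Constructed resolver table so the demo runs offline; IP literals are parsed, never looked up.
        Map<String, String> fakeDns = Map.of("api.example.test", "203.0.113.10",
                                             "rebind.example.test", "10.0.0.5");
        OutboundUrlGuard guard = new OutboundUrlGuard(host -> {
            try {
                return List.of(InetAddress.getByName(fakeDns.getOrDefault(host, host)));
            } catch (UnknownHostException e) {
                return List.of();
            }
        });
        String[] probes = {
            "https://api.example.test/orders",            // allowed
            "https://rebind.example.test/",               // public name, private record: denied
            "http://api.example.test/",                   // wrong scheme
            "https://127.0.0.1/",                         // loopback literal
            "https://169.254.169.254/latest/meta-data/",  // cloud metadata, link-local
            "https://[::1]/",                             // IPv6 loopback
            "https://user@api.example.test/",             // userinfo
        };
        for (String p : probes) {
            try {
                System.out.println("ALLOW " + p + " -> " + guard.validate(p).getHostAddress());
            } catch (IllegalArgumentException e) {
                System.out.println("DENY  " + p + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Two caveats a reviewer would raise against any hostname-only check of this kind: the address that passed validation must be the one the socket is opened to (otherwise a second DNS lookup at connect time can return a different, internal record), and the HTTP client must not follow redirects automatically, since a permitted external host can 302 to an internal one; each redirect target has to go through validate() again.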

Copilot AI and others added 4 commits December 19, 2025 16:53
Co-authored-by: IAmATeaPot418 <5336227+IAmATeaPot418@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix security issues identified in the code Fix critical security vulnerabilities: dependency CVEs, injection attacks, and SSRF Dec 19, 2025
Copilot AI requested a review from IAmATeaPot418 December 19, 2025 17:11