From 771a18899fa737eebb216fdd840b69d6df1ae70e Mon Sep 17 00:00:00 2001
From: bhill6 <brian.hill@wisc.edu>
Date: Tue, 11 Oct 2022 09:15:59 -0500
Subject: [PATCH] fix for CWE-93 issue in sample code raised by SAST

---
 .../DemonstrationOnlyPreAuthenticationConfiguration.java      | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/uw-spring-security-sample-war/src/main/java/edu/wisc/uwss/sample/configuration/DemonstrationOnlyPreAuthenticationConfiguration.java b/uw-spring-security-sample-war/src/main/java/edu/wisc/uwss/sample/configuration/DemonstrationOnlyPreAuthenticationConfiguration.java
index fa8c773..0f5f269 100644
--- a/uw-spring-security-sample-war/src/main/java/edu/wisc/uwss/sample/configuration/DemonstrationOnlyPreAuthenticationConfiguration.java
+++ b/uw-spring-security-sample-war/src/main/java/edu/wisc/uwss/sample/configuration/DemonstrationOnlyPreAuthenticationConfiguration.java
@@ -96,6 +96,10 @@ public class DemonstrationOnlyPreAuthenticationConfiguration {
           HttpServletRequest httpRequest = (HttpServletRequest) request;
           String uri = httpRequest.getRequestURI();
           String param = httpRequest.getParameter("_ignorepreauth");
+
+          // remove CRLF to avoid CWE-93
+          uri = (uri!=null) ? uri.replaceAll("([\\r\\n])", " ") : null;
+          param = (param!=null) ? param.replace("([\\r\\n])","") : null;
           logger.debug("uri={}, param={}", uri, param);
           if(null != param || IGNORED.contains(uri)) {
             logger.info("skipping PreAuthenticationSimulationServletFilter, either due to '_ignorepreauth' or visiting ignore uri");
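Review bot: The added line for `param` does not strip CR/LF at all: `String.replace(CharSequence, CharSequence)` is a literal replacement, so `param.replace("([\\r\\n])","")` only removes the ten-character text `([\r\n])` and leaves newline characters in the value that is logged on the next line, which is the CWE-93 log-forging case the commit sets out to close. It should use the regex form, as the `uri` line does: `param = (param != null) ? param.replaceAll("[\\r\\n]", "") : null;`. The two lines also differ in what they substitute (a space for `uri`, nothing for `param`); picking one replacement for both keeps the log output predictable, and a short comment such as `// CR/LF are stripped from request-derived values before logging; they are not used for routing` would record the intent. The enclosing filter method begins and ends outside this hunk, so any other use of `uri` or `param` past the `IGNORED.contains(uri)` check cannot be seen here.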
-- 
GitLab