hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-22 03:36:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

Apply suggestions from code review

Browse Source 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
This commit is contained in:
Jonathan Leitschuh
2020-09-22 13:11:11 -04:00
committed by GitHub
parent ab618dcf2f
commit 24fe3d0663
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.qhelp
View File

@@ -3,7 +3,7 @@
"qhelp.dtd"> "qhelp.dtd">
<qhelp> <qhelp>
<overview> <overview>
<p>This query detects instances of <code>RandomUtil.java</code> generated by a <a href="https://www.jhipster.tech/">JHipster</a> version vulnerable to <a href="https://github.com/jhipster/jhipster-kotlin/security/advisories/GHSA-j3rh-8vwq-wh84">CVE-2019-16303</a>. <p>This query detects instances of <code>RandomUtil.java</code> generated by a <a href="https://www.jhipster.tech/">JHipster</a> version vulnerable to <a href="https://github.com/jhipster/jhipster-kotlin/security/advisories/GHSA-j3rh-8vwq-wh84">CVE-2019-16303</a>.</p>
<p>Using one password reset token from your app combined with the proof of concept (POC) linked below, an attacker can determine all future password reset tokens to be generated by this server. <p>Using one password reset token from your app combined with the proof of concept (POC) linked below, an attacker can determine all future password reset tokens to be generated by this server.
This allows an attacker to pick and choose what account they would like to takeover by sending account password reset requests for targeted accounts.</p> This allows an attacker to pick and choose what account they would like to takeover by sending account password reset requests for targeted accounts.</p>
@@ -16,7 +16,7 @@ This allows an attacker to pick and choose what account they would like to takeo
<example> <example>
<p>The example below shows the vulnerable <code>RandomUtil</code> class generated by JHipster. <p>The example below shows the vulnerable <code>RandomUtil</code> class generated by JHipster.</p>
<sample src="JHipsterGeneratedPRNGVulnerble.java" /> <sample src="JHipsterGeneratedPRNGVulnerble.java" />
<p>Below is a fixed version of the <code>RandomUtil</code> class.</p> <p>Below is a fixed version of the <code>RandomUtil</code> class.</p>
@@ -26,7 +26,7 @@ This allows an attacker to pick and choose what account they would like to takeo
<recommendation> <recommendation>
An automated refactoring <a href="https://github.com/openrewrite/rewrite">rewrite</a> module <a href="https://github.com/moderneinc/jhipster-cwe-338"> can be found here</a>. <p>An automated refactoring <a href="https://github.com/openrewrite/rewrite">rewrite</a> module <a href="https://github.com/moderneinc/jhipster-cwe-338"> can be found here</a>.</p>
</recommendation> </recommendation>
<references> <references>