Skip to content

Latest commit

 

History

History
174 lines (101 loc) · 4.1 KB

README.md

File metadata and controls

174 lines (101 loc) · 4.1 KB

CoPilot Demo

NOTE: For the most effective demo, clone the project and import into IntelliJ fresh each time.

From IntelliJ, you can choose: File > Manage IDE Settings > Import Settings... and import the IntelliJIdeaLiveTemplateSettings.zip file to take advantage of the live templates as called out in the presentation notes.

Make sure you have copilot and snyk plugins installed.

For each of the instructions below, you'll want to hit after the comment, wait for copilot to generate the code and then hit to accept its response.

Refer to the script doc for more information.

0 - customize the src/main/resources/application.yml with your own auth.user.name OR just leave it as micah

1 - Launch the app, browse to: http://localhost:8081

2 - set up the index page: src/main/resources/templates/index.html

<!-- insert nav fragment here -->

<!-- insert eventsTable fragment here -->

3 - Add search functionality

In SearchRepository.searchTalk:

// lowercase the input

// create a native query 
// to search for talks 
// joined with the person table 
// with the input in the 
// description, title or speaker username
// format the code to make it more readable

// execute the query

// return the result

In the app: show that the search field works

4 - Demonstrate SQL injection

In the app, put this in the search field:

%'; update talk set start_date = dateadd(hour,-2,CURRENT_TIMESTAMP), end_date = dateadd(hour,1,CURRENT_TIMESTAMP) where id = 1; --

This moves your talks to the top of the list by adjusting the start times.

NOTE: Per the code in AiConferenceBookingApplication, the main speaker (set to username micah by default, will always have id 1)

5 - Fix the SQL injection

Delete the previous code in SearchRepository.searchTalk. Then:

// lowercase the input

// create a native query using named parameters 
// to search for talks 
// joined with the person table 
// with the input in the 
// description, title or speaker username
// format the code to make it more readable

// set the parameter

// execute the query

// return the result

6 - show that the sql injection no longer works using one of the above queries

7 - Add code to support a profile picture

In UploadController.uploadImage:

// get file name

// get path with file separator

// save file to the path

// get the person

// set the image name

// save the person

// add the message

8 - Show that upload of profile picture works

9 - Demonstrate a path traversal attack

Use burpsuite to capture profile pic upload POST use burpsuite to replay pic upload, BUT change the file name to ../image/snyklogo.png

10 - Fix the path traversal attack

Delete the previous code in UploadController.uploadImage. Then:

// get file name

// get path with file separator

// validate that there is not a path traversal by using the normalize method

// check for a path traversal

// save file to the path

// get the person

// set the image name

// save the person

// add the message

11 - Demonstrate that the path traversal attack no longer works

12 - Demonstrate XSS vuln

Use one of the links from the server output to show a speaker's talks listing

Replace the param with XSS:

http://localhost:8081/talks?username=<script>alert(1)</script>

13 - Update the code to provide links to the talks

Uncomment line 41 and comment line 40 in eventsTable.html

14 - Fix the XSS vuln

Use snyk code to scan (it will catch the XSS vuln)

Paste the code in ChatGPT and ask for analysis and fixes

Here's a conversation reference for this: https://chatgpt.com/share/53766a36-762f-4bd1-8d16-50a49b9516a6

Note that the prompt is:

I am going to upload some code. Identify and fix any security vulnerabilities with minimal changes to the code.

Show that ChatGPT suggests the fix that is idiomatic to Spring Boot: HtmlUtils.htmlEscape(username). That's great!

BUT, this is a great opportunity to show off DeepCodeAI Fix. In IntelliJ, you can click the lightning bolt and let snyk fix the code and you'll see it comes up with the same fix: HtmlUtils.htmlEscape(username)