奇安信CodeSafe issues

Results 348 issues of


                                            奇安信CodeSafe

Useless break statement

https://github.com/google/goexpect/blob/c416f18ae5af08f6c8e6b116ab427441cc67a593/expect.go#L1262-L1264 The `switch case` block does not require `break`. If `break` `for loop`, you need a label.

https://github.com/gephi/gephi/blob/936a659bbd23c4e5f8abf48f8a1f30a0a079458b/modules/SettingsUpgrader/src/main/java/org/gephi/ui/upgrader/CopyFiles.java#L75 The program can potentially fail to release a system resource.

To review

Unused Field

https://github.com/bilibili/boxing/blob/bd1eeff8405a74c201ca489d6f753e306e84d195/boxing-impl/src/main/java/com/bilibili/boxing_impl/view/MediaItemLayout.java#L48 This field is never used.

Weak Cryptographic Hash

https://github.com/bilibili/boxing/blob/bd1eeff8405a74c201ca489d6f753e306e84d195/boxing/src/main/java/com/bilibili/boxing/utils/ImageCompressor.java#L323 Weak cryptographic hashes cannot guarantee data integrity and should not be used in security-critical contexts.

Unused Field

https://github.com/Meituan-Dianping/Robust/blob/955adcc21e4fbcb52054a8f7f4bbb11f462aeb2f/autopatchbase/src/main/java/com/meituan/robust/utils/PatchTemplate.java#L18 This field is never used

sql注入

您好：我是360代码卫士的工作人员，在我们的开源代码检测项目中发现Movie_Recommend存在sql注入漏洞。详细信息如下：在indexController.java文件的showtypesortmovie()中接受了请求中的sort参数并绑定到Selectquery对象中 ![default](https://user-images.githubusercontent.com/39950310/52933885-b87c3b00-338f-11e9-82f8-6e5405f0e671.png) 最后调用了SortMoiveBycategory方法，跟进该方法对应的xml ![default](https://user-images.githubusercontent.com/39950310/52933921-e1043500-338f-11e9-9f14-91cd44b59df9.png) 由于mybatis中order by 后面的参数如果是用的#,排序将不起效果，所以开发人员用的$，但这样同时也导致了sql注入的存在。复现：略修复方法：在java层面上做映射，比如说用户只能输入1-5，然后在代码层面将其映射为字段名，然后再使用${}

There is a vulnerability in OkHttp 3.8.1,upgrade recommended

https://github.com/google/android-classyshark/blob/9c61d6df79c971a0b6c83795e7a91f2a375585cf/ClassySharkWS/build.gradle#L42 CVE-2018-20200 Recommended upgrade version：3.12.1

There is a vulnerability in Guava: Google Core Libraries for Java 22.0,upgrade recommended

https://github.com/google/android-classyshark/blob/9c61d6df79c971a0b6c83795e7a91f2a375585cf/ClassySharkWS/build.gradle#L41 CVE-2018-10237 CVE-2020-8908 Recommended upgrade version：24.1.1.jre

There is a vulnerability insquare-retrofit 2.3.0,upgrade recommended

https://github.com/google/android-classyshark/blob/9c61d6df79c971a0b6c83795e7a91f2a375585cf/ClassySharkWS/build.gradle#L44 CVE-2018-1000850 Recommended upgrade version： 2.5.0

xxe

The xml external entity is not disabled when parsing the xml string. When analyzing malicious apk or app, it may cause xml external entity injection. ![图片](https://user-images.githubusercontent.com/39950310/61424403-eb7a2900-a945-11e9-9ba7-80dfd70cf37d.png)