Privacy Violation: Heap Inspection

Author: sahildari

Path Manipulation/README.md

@@ -5,6 +5,10 @@
 
 This attack is also known as _“dot-dot-slash”_, _“directory traversal”_, _“directory climbing”_ and _“backtracking”_.
 
+## Mitigation
+
+Path Manipulation can be mitigated by validating the filename, folder name and extension validation and use the values further in the code only after the validations.
+
 ## NOTE 
 The code for the Path Manipulation only check for the Filename validation, Extension Validation, File Size Validation, Unique Filename Validation. ___It doesn't check for the File Contents and Magic Numbers. Use this logic when you are concerned about the Path Manipulation issue ONLY___.
 

Privacy Violation - Heap Inspection/README.md

@@ -0,0 +1,29 @@
+# Privacy Violation: Heap Inspection
+
+__Privacy Violation: Heap Inspection__ is a source code security issue that occurs mostly in C#, Java, and Swift applications. Strings are immutable in these languages, meaning that if they are used to store sensitive information such as passwords, credit card numbers, secrets, or tokens, these values will remain in memory until the JVM garbage collector (in Java) or ARC (Automatic Reference Counting) (in Swift) removes them.
+
+There is no guarantee as to when garbage collection will take place. In the event of an application crash, a memory dump might reveal sensitive data, making it accessible to anyone inspecting the heap before garbage collection occurs.
+
+## :warning: Important NOTE
+
+___Never hardcode passwords or sensitive information in your code___. Use secret managers or vaults to securely store passwords and other sensitive data.
+
+Even if you retrieve sensitive values from a secret manager or vault and assign them to a string variable, the issue remains. This is because sensitive data stored in a string cannot be cleared from memory immediately — it persists until garbage collection occurs.
+
+For example, even if you initialize a StringBuffer or StringBuilder as shown below, an anonymous string object ("SecurePassword") is still created in heap memory and will remain there until garbage collection takes place:
+
+```java
+StringBuffer password = new StringBuffer("SecurePassword");
+```
+
+## Mitigation
+
+To mitigate the Privacy Violation: Heap Inspection issue in Java, C#, and Swift applications:
+
+:white_check_mark: Use character arrays (char[]) instead of strings to store sensitive information. 
+
+:white_check_mark: Manually clear arrays after use (e.g., overwriting with '\0').
+
+:white_check_mark: Ensure cleanup happens in a finally block to guarantee execution.
+
+By following these best practices, you reduce the risk of exposing sensitive data in memory dumps.

Privacy Violation - Heap Inspection/csharp/privacyviolation.heapinspection/src/HeapInspection.cs

@@ -0,0 +1,57 @@
+using System;
+using System.Text;
+
+public class HeapInspectionCharArrayExample
+{
+    public static void Main(string[] args)
+    {
+        Console.WriteLine("Before clearing sensitive data");
+        /*
+        Never Hardcode the passwords or any sensitive information in your code and use the Secret Managers or Secret Vaults to store the sensitive data. If this value is being populated from the Secret Managers or Secret Vaults, even then follow the same approach to clear the sensitive data.
+        */
+
+        char[] passwordChars = { 'Y', 'o', 'u', 'r', 'S', 't', 'r', 'o', 'n', 'g', 'P', 'a', 's', 's', 'w', 'o', 'r', 'd', '1', '2', '3', '!' };
+        StringBuilder connectionString = new StringBuilder("jdbc:sqlserver://localhost:1433;encrypt=true;user=sa;password=").Append(passwordChars).Append("columnEncryptionSetting=Enabled;");
+
+        Console.WriteLine("Password: ");
+        foreach (char c in passwordChars)
+        {
+            Console.Write(c);
+        }
+        Console.WriteLine("");
+        Console.WriteLine("Connection String: " + connectionString);
+
+        /*
+        Codebase to do some operation with the sensitive data
+        */
+
+        // Clear the password and connection string from memory
+        ClearSensitiveData(passwordChars);
+        ClearSensitiveData(connectionString);
+
+        Console.WriteLine("");
+        Console.WriteLine("After clearing sensitive data");
+        Console.WriteLine("Password: ");
+        foreach (char c in passwordChars)
+        {
+            Console.Write(c);
+        }
+        Console.WriteLine("");
+        Console.WriteLine("Connection String: " + connectionString);
+    }
+
+    private static void ClearSensitiveData(char[] arr)
+    {
+        for (int i = 0; i < arr.Length; i++)
+        {
+            arr[i] = '\0';
+        }
+        arr = null;
+    }
+
+    private static void ClearSensitiveData(StringBuilder sb)
+    {
+        sb.Clear();
+        sb = null;
+    }
+}

Privacy Violation - Heap Inspection/java/privacyviolation.heapinspection/src/HeapInspectionCharArrayExample.java

@@ -0,0 +1,48 @@
+public class HeapInspectionCharArrayExample {
+    public static void main(String[] args) {
+
+        System.out.println("Before clearing sensitive data");
+        /*
+        Never Hardcode the passwords or any sensitive information in your code and user the Secret Managers or Secret Vaults to store the sensitive data. If this value is being populated from the Secret Managers or Secret Vaults, even then follow the same approach to clear the sensitive data.
+         */
+        
+        char[] passwordChars = {'Y', 'o', 'u', 'r', 'S', 't', 'r', 'o', 'n', 'g', 'P', 'a', 's', 's', 'w', 'o', 'r', 'd', '1', '2', '3', '!'}; 
+        StringBuffer connectionString = new StringBuffer("jdbc:sqlserver://localhost:1433;encrypt=true;user=sa;password=").append(passwordChars).append("columnEncryptionSetting=Enabled;");
+
+        System.out.println("Password: ");
+        for(char c : passwordChars) {
+            System.out.print(c);
+        }
+        System.out.println("");
+        System.out.println("Connection String: " + connectionString);
+
+        /*
+        Codebase to do some operation with the sensitive data
+        */
+
+        // Clear the password and connection string from memory
+        clearSensitiveData(passwordChars);
+        clearSensitiveData(connectionString);
+
+        System.out.println("");
+        System.out.println("After clearing sensitive data");
+        System.out.println("Password: ");
+        for(char c : passwordChars) {
+            System.out.print(c);
+        }
+        System.out.println("");
+        System.out.println("Connection String: " + connectionString);
+    }
+
+    private static void clearSensitiveData(char[] arr){
+        for(int i = 0; i < arr.length; i++) {
+            arr[i] = '\0';
+        }
+        arr = null;
+    }
+
+    private static void clearSensitiveData(StringBuffer sb){
+        sb.delete(0, sb.length());
+        sb = null;
+    }
+}

README.md

@@ -1,19 +1,21 @@
-# secure-coding-examples
+# Secure Coding Examples
 
 ![Java CI](https://github.com/sahildari/secure-coding-examples/actions/workflows/java-ci.yml/badge.svg)
 ![Python CI](https://github.com/sahildari/secure-coding-examples/actions/workflows/python-ci.yml/badge.svg)
 ![GitHub repo size](https://img.shields.io/github/repo-size/sahildari/secure-coding-examples)
 ![GitHub last commit](https://img.shields.io/github/last-commit/sahildari/secure-coding-examples)
 ![GitHub contributors](https://img.shields.io/github/contributors/sahildari/secure-coding-examples)
 
-The purpose of this repo is to serve as secure coding examples targetting the most popular vulnerabilities.
+This repository is a collection of Secure Coding Examples. Here you will be able to find the code level fixes for the issues in your application. Currently the repo contains the code examples for the Java and Python Languages. You can use the logics implemented in the code examples to mitigate the issues in your Applications and we can follow to the Secure Coding Principles.
 
 ## Tech Stack
 
 ![Made with Python3](https://img.shields.io/badge/python-3670A0?style=for-the-badge&logo=python&logoColor=ffdd54) ![Made with Flask](https://img.shields.io/badge/flask-%23000.svg?style=for-the-badge&logo=flask&logoColor=white) 
 ![Made with Java](https://img.shields.io/badge/java-%23ED8B00.svg?style=for-the-badge&logo=openjdk&logoColor=white) ![Made with Spring](https://img.shields.io/badge/spring-%236DB33F.svg?style=for-the-badge&logo=spring&logoColor=white)
 
+Tech Stack used in this repository to create the Secure Coding Examples : __Java with SpringBoot__, __Python with Flask__.
+
 ## Licensing
 This project is licensed under the [GPL-3.0 license](https://opensource.org/license/gpl-3-0)
 
-[![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0)
+[![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0)