From 5d505a2d21e2adaf341e2dea4af256f8b989a906 Mon Sep 17 00:00:00 2001
From: jayqwu
Date: Sun, 26 Apr 2026 11:44:38 +0000
Subject: [PATCH] Add task: ecvebench-nablarch-fw-web-001
Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
---
.../tasks/ecvebench-nablarch-fw-web-001.json | 39 +++++++++++++++++++
.../metadata/GHSA-hmx6-gc2p-5p82.json | 8 ++++
2 files changed, 47 insertions(+)
create mode 100644 benchmark/data/tasks/ecvebench-nablarch-fw-web-001.json
create mode 100644 benchmark/internal/metadata/GHSA-hmx6-gc2p-5p82.json
diff --git a/benchmark/data/tasks/ecvebench-nablarch-fw-web-001.json b/benchmark/data/tasks/ecvebench-nablarch-fw-web-001.json
new file mode 100644
index 00000000..f9f004c8
--- /dev/null
+++ b/benchmark/data/tasks/ecvebench-nablarch-fw-web-001.json
@@ -0,0 +1,39 @@
+{
+ "task_id": "ecvebench-nablarch-fw-web-001",
+ "ghsa_id": "GHSA-hmx6-gc2p-5p82",
+ "codebase": {
+ "repo": "https://github.com/nablarch/nablarch-fw-web",
+ "language": "java",
+ "ecosystem": "maven",
+ "commit": "addb2885c30eb465b6e8ae79cef848cba7e0637f"
+ },
+ "hints": {
+ "L0": null,
+ "L1": {
+ "area": "Web session state persistence and data serialization infrastructure"
+ },
+ "L2": {
+ "description": "An incomplete cryptography vulnerability exists where session data stored in client-side form fields is only Base64-encoded without encryption. This allows remote attackers to obtain the stored session data, register invalid values, or alter session data transmitted between the client and server."
+ },
+ "L3": {
+ "area": "Hidden HTML form field-based session storage implementation and its data serialization logic",
+ "description": "An incomplete cryptography vulnerability exists where session data persisted via hidden HTML input fields is only Base64-encoded without any encryption. This allows remote attackers to decode and read session contents, inject forged session entries, or tamper with session data, as the stored values lack both confidentiality protection and integrity verification."
+ }
+ },
+ "ground_truth": {
+ "vulnerable": true,
+ "vuln_class": "crypto-weakness",
+ "cvss": 9.1,
+ "reason": "The HiddenStore session store serialized session entries to hidden HTML form fields using only Base64 encoding without encryption, allowing remote attackers to read, modify, or forge session data.",
+ "locations": [
+ {
+ "file": "src/main/java/nablarch/common/web/session/store/HiddenStore.java",
+ "function": "save"
+ },
+ {
+ "file": "src/main/java/nablarch/common/web/session/store/HiddenStore.java",
+ "function": "load"
+ }
+ ]
+ }
+}
diff --git a/benchmark/internal/metadata/GHSA-hmx6-gc2p-5p82.json b/benchmark/internal/metadata/GHSA-hmx6-gc2p-5p82.json
new file mode 100644
index 00000000..2bb46ccf
--- /dev/null
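Review bot: The `ground_truth.reason` string attributes the read/modify/forge impact to missing encryption alone, while the L3 hint in the same file says the stored values lack both confidentiality protection and integrity verification. Modification and forgery are integrity failures, so a finding that correctly reports the absent integrity check on the hidden-field payload could be judged against a reason that never mentions it. I would change `using only Base64 encoding without encryption` to `using only Base64 encoding, with neither encryption nor integrity verification` so the reason agrees with the L3 hint.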
+++ b/benchmark/internal/metadata/GHSA-hmx6-gc2p-5p82.json
@@ -0,0 +1,8 @@
+{
+ "ghsa_id": "GHSA-hmx6-gc2p-5p82",
+ "post_patch_commit": "8009877df067e72fb88fd0f749f09eb7c14fdf0e",
+ "noisy_patch": false,
+ "curation_notes": "Patch commit is PR #54 merged into release-5u14 branch. The fix modifies HiddenStore.java to add AES encryption (via Encryptor interface) and session ID validation to the hidden form field session store. Pre-patch, save() and load() only Base64-encoded session entries without any encryption, exposing session data to client-side reading and tampering. The patch also removes SecureHiddenStore.java (added by earlier PR #53) since HiddenStore itself now includes encryption. HttpSessionStore.java in the same directory was checked but is not a sibling — it stores data server-side in HTTP sessions, not in client-visible hidden fields. Pre-assigned class crypto-weakness (CWE-327) is correct: the vulnerability is lack of encryption on client-stored session data.",
+ "dataset_version": "0.1.0",
+ "snapshot_date": "2026-04-26"
+}
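Review bot: The last sentence of `curation_notes` calls CWE-327 correct and justifies it with "lack of encryption", but CWE-327 covers use of a broken or risky algorithm, not an absent one. CWE-311 (missing encryption of sensitive data) looks like the closer fit for what the note describes, and the tampering side is a missing integrity check. If CWE-327 is simply what the upstream advisory lists, the note should say so, e.g. `Pre-assigned class crypto-weakness (CWE-327, as listed in the advisory) is kept`. Separately, `noisy_patch` is `false` although the note records that the patch also deletes SecureHiddenStore.java, so it is worth confirming that the deletion is not meant to count as noise.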