Merged
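--- a/benchmark/data/tasks/ecvebench-nablarch-fw-web-001.json
+++ b/benchmark/data/tasks/ecvebench-nablarch-fw-web-001.json
@@ -0,0 +1,39 @@
+{
+"task_id": "ecvebench-nablarch-fw-web-001",
+"ghsa_id": "GHSA-hmx6-gc2p-5p82",
+"codebase": {
+"repo": "https://github.com/nablarch/nablarch-fw-web",
+"language": "java",
+"ecosystem": "maven",
+"commit": "addb2885c30eb465b6e8ae79cef848cba7e0637f"
+},
+"hints": {
+"L0": null,
+"L1": {
+"area": "Web session state persistence and data serialization infrastructure"
+},
+"L2": {
+"description": "An incomplete cryptography vulnerability exists where session data stored in client-side form fields is only Base64-encoded without encryption. This allows remote attackers to obtain the stored session data, register invalid values, or alter session data transmitted between the client and server."
+},
+"L3": {
+"area": "Hidden HTML form field-based session storage implementation and its data serialization logic",
+"description": "An incomplete cryptography vulnerability exists where session data persisted via hidden HTML input fields is only Base64-encoded without any encryption. This allows remote attackers to decode and read session contents, inject forged session entries, or tamper with session data, as the stored values lack both confidentiality protection and integrity verification."
+}
+},
+"ground_truth": {
+"vulnerable": true,
+"vuln_class": "crypto-weakness",
+"cvss": 9.1,
+"reason": "The HiddenStore session store serialized session entries to hidden HTML form fields using only Base64 encoding without encryption, allowing remote attackers to read, modify, or forge session data.",
+"locations": [
+{
+"file": "src/main/java/nablarch/common/web/session/store/HiddenStore.java",
+"function": "save"
+},
+{
+"file": "src/main/java/nablarch/common/web/session/store/HiddenStore.java",
+"function": "load"
+}
+]
+}
+}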
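Review bot: `ground_truth.reason` names only the missing encryption, while the L3 hint in the same file says the stored values lack both confidentiality protection and integrity verification. If answers are graded against `reason`, a finding that correctly reports the missing integrity check could be marked down. I would align the wording: `"reason": "The HiddenStore session store serialized session entries to hidden HTML form fields using only Base64 encoding, with neither encryption nor integrity protection, allowing remote attackers to read, modify, or forge session data."`. Separately, `"cvss": 9.1` carries no CVSS version or vector, so the score cannot be re-derived from this file; if the task schema allows it, record the vector string from the advisory next to the score.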
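--- a/benchmark/internal/metadata/GHSA-hmx6-gc2p-5p82.json
+++ b/benchmark/internal/metadata/GHSA-hmx6-gc2p-5p82.json
@@ -0,0 +1,8 @@
+{
+"ghsa_id": "GHSA-hmx6-gc2p-5p82",
+"post_patch_commit": "8009877df067e72fb88fd0f749f09eb7c14fdf0e",
+"noisy_patch": false,
+"curation_notes": "Patch commit is PR #54 merged into release-5u14 branch. The fix modifies HiddenStore.java to add AES encryption (via Encryptor interface) and session ID validation to the hidden form field session store. Pre-patch, save() and load() only Base64-encoded session entries without any encryption, exposing session data to client-side reading and tampering. The patch also removes SecureHiddenStore.java (added by earlier PR #53) since HiddenStore itself now includes encryption. HttpSessionStore.java in the same directory was checked but is not a sibling — it stores data server-side in HTTP sessions, not in client-visible hidden fields. Pre-assigned class crypto-weakness (CWE-327) is correct: the vulnerability is lack of encryption on client-stored session data.",
+"dataset_version": "0.1.0",
+"snapshot_date": "2026-04-26"
+}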
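Review bot: `curation_notes` describes the fix as AES encryption plus session ID validation but does not say whether the encrypted hidden-field value is also integrity-protected, even though the same note lists client-side tampering as an exposure. Encryption without a MAC or an authenticated mode does not by itself prevent modification of the ciphertext, so the note should record what the patch does for integrity, or state explicitly that this was not checked during curation. The note also justifies CWE-327 by "lack of encryption"; CWE-327 describes use of a broken or risky cryptographic algorithm, so it is worth confirming that mapping against the advisory before it is relied on as ground truth.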