Security hardening: XSS fixes, HTTP headers, production config

SECURITY.md

@@ -0,0 +1,260 @@
+# Security Improvements and Recommendations
+
+## Recent Security Improvements (Implemented)
+
+### 1. HTTP Security Headers
+- **Added SecurityHeadersFilter** to set critical security headers on all responses:
+  - `X-Frame-Options: SAMEORIGIN` - Prevents clickjacking attacks
+  - `X-Content-Type-Options: nosniff` - Prevents MIME-sniffing attacks
+  - `X-XSS-Protection: 1; mode=block` - Enables XSS protection in older browsers
+  - `Content-Security-Policy` - Basic CSP to mitigate XSS and data injection attacks
+    - **Note**: Currently includes `unsafe-inline` and `unsafe-eval` for compatibility with legacy libraries (Prototype.js, Script.aculo.us). Should be removed after JavaScript modernization.
+  - Cache control headers applied selectively to dynamic pages only (not static resources) for performance
+
+### 2. XSS Vulnerability Fixes in JavaScript
+- **Fixed `eval()` vulnerabilities:**
+  - `submissionSummary.js`: Replaced `eval()` with `JSON.parse()` for parsing JSON responses
+  - `xp_progress.js`: Replaced `eval()` with `Function` constructor, added support for function callbacks
+
+- **Fixed `innerHTML` vulnerabilities:**
+  - `submissionSummary.js`: Replaced `innerHTML` with `textContent` and DOM manipulation
+  - `multiFileUpload.js`: Replaced `innerHTML` with proper DOM element creation
+  - `ajaxProgress.js`: Replaced `innerHTML` with `textContent` for displaying progress
+  - `analysisEditor.js`: Replaced string concatenation with proper DOM element creation
+
+**Note on xp_progress.js**: While Function constructor is used for legacy string-based actions, the code now prioritizes function callbacks. A deprecation warning is logged when string actions are used. Future development should migrate all usages to function callbacks.
+
+### 3. Production Security Settings in web.xml
+- **Disabled JavaMelody system actions** (`system-actions-enabled: false`)
+  - Prevents unauthorized users from running garbage collector, killing threads, or invalidating sessions
+
+- **Disabled DWR debug mode** (`debug: false`)
+  - Prevents exposure of internal application structure
+
+- **Disabled unsafe Safari workaround** (`allowGetForSafariButMakeForgeryEasier: false`)
+  - Removes CSRF vulnerability workaround
+
+### 4. JSP XSS Protection
+- **Removed `escapeXml="false"`** from multiple JSP files:
+  - `analysisStepForm.jsp`
+  - `analysisStepForm-software.jsp`
+  - `analyzedDataForm-treeBlockSelection.jsp`
+  - `userForm.jsp`
+  - `uploadFileSummary.jsp` - Now uses `<pre>` tag instead of HTML replacement
+
+## Urgent Remaining Issues
+
+### 1. Outdated and Vulnerable Dependencies (CRITICAL)
+
+#### Spring Framework
+- **Current**: Spring 2.0.7 (released 2007)
+- **Risk**: Contains multiple known security vulnerabilities
+- **Recommendation**: Upgrade to Spring 5.x or Spring Boot 2.x/3.x
+- **Impact**: High - Major refactoring required due to API changes
+
+#### JUnit
+- **Current**: JUnit 3.8.1 (released 2004)
+- **Risk**: Very outdated testing framework
+- **Recommendation**: Upgrade to JUnit 4.13.2 or JUnit 5.x
+- **Impact**: Medium - Test code will need updates
+
+#### Hibernate
+- **Current**: Hibernate 3.3.1.GA (released 2008)
+- **Risk**: Contains known security vulnerabilities
+- **Recommendation**: Upgrade to Hibernate 5.x or 6.x
+- **Impact**: High - May require schema and code changes
+
+#### Acegi Security
+- **Current**: Acegi Security 1.0.1 (deprecated project)
+- **Risk**: No longer maintained, replaced by Spring Security
+- **Recommendation**: Migrate to Spring Security 5.x
+- **Impact**: High - Complete security framework migration needed
+
+#### C3P0 Connection Pool
+- **Current**: C3P0 0.9.1.2 (released 2007)
+- **Risk**: Known security vulnerabilities, outdated
+- **Recommendation**: Upgrade to C3P0 0.9.5.5 or migrate to HikariCP
+- **Impact**: Low - Configuration changes needed
+
+#### PostgreSQL JDBC Driver
+- **Current**: 42.3.3
+- **Status**: Relatively recent but should be updated
+- **Recommendation**: Upgrade to latest 42.x version
+- **Impact**: Low - Drop-in replacement
+
+#### Log4j
+- **Current**: Log4j 2.17.2
+- **Status**: Patched for Log4Shell but not latest
+- **Recommendation**: Upgrade to Log4j 2.20.0 or later
+- **Impact**: Low - Drop-in replacement
+
+### 2. Java Version
+- **Current**: Target Java 1.7 (Java 7)
+- **Risk**: Java 7 reached end of life in 2015
+- **Recommendation**: Upgrade to Java 11 (LTS) or Java 17 (LTS)
+- **Impact**: Medium - Code review needed for deprecated APIs
+
+### 3. Web Application Security
+
+#### Session Configuration
+- **Current**: 300-minute session timeout
+- **Risk**: Very long session timeout increases session hijacking risk
+- **Recommendation**: Reduce to 30 minutes or less
+- **Location**: `web.xml` line 14
+
+#### SSL/TLS Configuration
+- **Missing**: No SSL/TLS enforcement
+- **Recommendation**: 
+  - Enforce HTTPS for all traffic
+  - Add Strict-Transport-Security header
+  - Implement secure cookie flags (Secure, HttpOnly, SameSite)
+
+### 4. Third-party JavaScript Libraries
+
+#### Prototype.js
+- **Current**: Multiple versions (1.6.0.3, 1.6.1, unknown)
+- **Risk**: Very old JavaScript framework with known vulnerabilities
+- **Recommendation**: Migrate to modern framework or vanilla JavaScript
+
+#### Script.aculo.us
+- **Risk**: Deprecated library, no longer maintained
+- **Recommendation**: Replace with modern alternatives
+
+#### Minified JavaScript Files
+- **Issue**: Multiple minified `.min.js` files without source maps
+- **Risk**: Cannot audit for security issues
+- **Recommendation**: Use build process with source maps or unminified versions
+
+### 5. Code Quality Issues
+
+#### Document.write Usage
+- **Files**: `xp_progress.js`, `phylowidget/lib.js`
+- **Risk**: Can cause XSS and performance issues
+- **Status**: Partially addressed, some remain in third-party code
+
+#### SHA-1 Implementation
+- **File**: `sha1.js`
+- **Risk**: SHA-1 is cryptographically broken
+- **Recommendation**: Use SHA-256 or SHA-3, or better yet, don't do crypto in JavaScript
+- **Note**: If used for password hashing, migrate to bcrypt/scrypt/Argon2 on server-side
+
+#### Direct JSP Expressions
+- **Risk**: Using `<%= %>` instead of JSTL can lead to XSS
+- **Recommendation**: Audit all JSP files and convert to JSTL `<c:out>`
+
+### 6. Database Security
+
+#### SQL Injection Protection
+- **Status**: Using Hibernate ORM provides protection
+- **Risk**: Some JDBC code exists that could be vulnerable
+- **Files to audit**:
+  - `DiscreteMatrixJDBC.java`
+  - `ContinuousMatrixJDBC.java`
+  - `MatrixJDBC.java`
+- **Recommendation**: Audit all PreparedStatement usage for proper parameterization
+
+### 7. Input Validation
+
+#### File Upload
+- **Issue**: No visible file type validation or size limits in multiFileUpload.js
+- **Recommendation**: Implement server-side validation for:
+  - File types (whitelist allowed extensions)
+  - File sizes (prevent DoS)
+  - File content validation (not just extension)
+
+#### Form Validation
+- **Status**: Uses validator-rules.xml
+- **Recommendation**: Audit all validation rules for completeness
+
+## Security Best Practices to Implement
+
+### 1. Regular Security Scanning
+- Implement OWASP Dependency-Check in Maven build
+- Set up automated vulnerability scanning
+- Regular penetration testing
+
+### 2. Security Headers Enhancement
+- Consider adding these headers:
+  - `Referrer-Policy: strict-origin-when-cross-origin`
+  - `Permissions-Policy` for feature controls
+  - Stricter CSP policy (remove 'unsafe-inline' and 'unsafe-eval')
+
+### 3. Authentication and Authorization
+- Review Acegi/Spring Security configuration
+- Implement account lockout policies
+- Add multi-factor authentication support
+- Implement proper password policies (complexity, expiration)
+
+### 4. Logging and Monitoring
+- Implement security event logging
+- Monitor for suspicious activities
+- Set up alerts for security events
+
+### 5. Error Handling
+- Ensure error pages don't leak sensitive information
+- Implement proper exception handling
+- Use custom error pages
+
+## Priority Recommendations
+
+### Immediate (Critical - Do Now)
+1. ✅ Add HTTP security headers (DONE)
+2. ✅ Fix XSS vulnerabilities in JavaScript (DONE)
+3. ✅ Disable debug modes in production (DONE)
+4. ✅ Fix JSP escapeXml issues (DONE)
+
+### Short-term (High Priority - Next Sprint)
+1. Update Log4j to latest version
+2. Update PostgreSQL JDBC driver
+3. Reduce session timeout to 30 minutes
+4. Implement SSL/TLS enforcement
+5. Update C3P0 or migrate to HikariCP
+
+### Medium-term (Important - Next Quarter)
+1. Upgrade to Java 11 or 17
+2. Plan Spring Framework migration (2.x → 5.x)
+3. Plan Hibernate migration (3.x → 5.x)
+4. Replace Acegi Security with Spring Security
+5. Update or replace Prototype.js and Script.aculo.us
+
+### Long-term (Strategic - Next Year)
+1. Complete framework migrations
+2. Modernize JavaScript codebase
+3. Implement comprehensive security testing
+4. Consider containerization and modern deployment
+
+## Testing Recommendations
+
+### Security Testing
+1. Run OWASP ZAP or Burp Suite for vulnerability scanning
+2. Perform SQL injection testing on all forms
+3. Test XSS protection on all input fields
+4. Verify CSRF protection is working
+5. Test authentication and authorization controls
+
+### Code Quality
+1. Run static code analysis (SonarQube, SpotBugs)
+2. Review all third-party dependencies
+3. Perform code coverage analysis
+4. Review all database queries for SQL injection risks
+
+## Resources
+
+- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
+- [OWASP Java Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Java_Security_Cheat_Sheet.html)
+- [Spring Security Documentation](https://spring.io/projects/spring-security)
+- [CWE Top 25](https://cwe.mitre.org/top25/)
+
+## Change Log
+
+- **2025-12-21**: Initial security audit and improvements
+  - Added SecurityHeadersFilter with selective cache control
+  - Fixed XSS vulnerabilities in JavaScript files
+  - Disabled production debug modes
+  - Fixed JSP XSS issues
+  - Created security documentation
+  - Addressed code review feedback:
+    - Improved CSP documentation regarding unsafe-inline/unsafe-eval
+    - Made cache headers selective for performance
+    - Removed eval() fallback in submissionSummary.js
+    - Enhanced xp_progress.js to prefer function callbacks over strings