feat: Complete COBOL-to-Java/Spring Boot Migration (All 7 Phases)#76
devin-ai-integration[bot] wants to merge 3 commits into main
- Phase 1: Spring Boot 3.2.5 project with Maven, Java 17, all dependencies
- Phase 1: Data models (Account, Customer, CustomerType, ItemRecord, SerializableRecord, CustomerRecord)
- Phase 1: Flyway migration V1__create_accounts_table.sql with test data
- Phase 1: Golden-output test fixtures for JSON, XML, merge, report
- Phase 2: StringUtils, SearchService, CommandLineArgsService, CompTestService, DisplayTimingService
- Phase 3: JsonGeneratorService, XmlGeneratorService with Jackson
- Phase 4: Account JPA Entity, AccountRepository, AccountService, AccountController REST API
- Phase 4: SubProgramService for CALL BY CONTENT/REFERENCE patterns
- Phase 5: MergeSortService, ReportService for file processing and reporting
- Phase 6: Web frontend (index.html) replacing terminal ACCEPT/DISPLAY
- Phase 6: MouseExampleNote.md documenting mouse handling migration
- Phase 7: MIGRATION_REPORT.md with complete file-by-file mapping
- Phase 7: Updated README.md with build/run instructions
- Phase 7: Archived COBOL sources to archive/cobol/
- 104 JUnit 5 tests, all passing (0 failures)

Co-Authored-By: Jerry Oliphant <jerry.oliphant@cognition.ai>
- Change H2 dependency scope from 'test' to 'runtime' so it's available when running with test profile
- Add application-test.properties for running locally with H2 in-memory database

Co-Authored-By: Jerry Oliphant <jerry.oliphant@cognition.ai>

```javascript
await fetchAndDisplay(
  `${API_BASE}/search?q=${encodeURIComponent(query)}`,
  `Search Results for "${query}"`
);
```
🔴 DOM-based XSS via unsanitized search query rendered in innerHTML
The user's search query is interpolated directly into HTML via `innerHTML` without any escaping. In `searchAccounts()` (line 100), the raw query string is embedded into the title parameter: `Search Results for "${query}"`. This title is then rendered via `innerHTML` in `fetchAndDisplay()` at lines 114 and 118. If a user types `<img src=x onerror=alert(document.cookie)>` in the search box, it will execute as JavaScript. The same pattern also renders API response data (`a.firstName`, `a.lastName`, `a.phone`, `a.address`) via `innerHTML` at lines 128-132, enabling stored XSS if the database contains malicious data.
Prompt for agents
The `index.html` file has DOM-based XSS vulnerabilities because user input and API data are rendered via `innerHTML` without HTML escaping.
In `searchAccounts()` at line 100, the raw `query` variable is embedded in a template literal that becomes part of `innerHTML`. Additionally, in `fetchAndDisplay()` at lines 114 and 118, the `title` parameter (containing the unsanitized query) is rendered via `innerHTML`. And at lines 128-132, API response fields (`firstName`, `lastName`, `phone`, `address`) are also rendered via `innerHTML`.
To fix this:
1. Add a helper function to escape HTML entities, e.g.:
```javascript
function escapeHtml(str) {
  const div = document.createElement('div');
  div.textContent = str;
  return div.innerHTML;
}
```
2. Use `escapeHtml()` around all user-provided or API-provided values before inserting them into HTML strings that get assigned to `innerHTML`. For example, change line 100 to use `escapeHtml(query)` in the title, and wrap each `a.firstName`, `a.lastName`, `a.phone`, `a.address` with `escapeHtml()` at lines 128-132.
3. Alternatively, use `textContent` instead of `innerHTML` where appropriate, or use DOM APIs (`createElement`/`appendChild`) instead of string concatenation.
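The escaping the review asks for, as an added example that is not code from the PR or from the project: the PR's helper relies on `document.createElement`/`textContent`, which only exists in a browser, so this version escapes the same five characters with a lookup table and runs in Node. `renderResults()` is a stand-in for `fetchAndDisplay()` (an assumption about the page's code, which is not shown in full), building the markup that would be assigned to `innerHTML`; `containsUnescapedMarkup()` is the check a unit test would run over the rendered string. The query and account rows are constructed sample data, including the payload already quoted in the review.

```javascript
// Added example, not the PR's own code. Pure-string HTML escaping so the
// logic is testable outside a browser (the PR's helper uses textContent).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  // Coerce non-strings (ids arrive as numbers) and null/undefined, then
  // escape every character that can open a tag, attribute or entity.
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Stand-in for fetchAndDisplay() (hypothetical shape): every interpolated
// value passes through escapeHtml(), so a query such as
// <img src=x onerror=alert(1)> is shown as text, not parsed as an element.
function renderResults(title, accounts) {
  if (accounts.length === 0) {
    return `<h2>${escapeHtml(title)}</h2><p>No accounts found.</p>`;
  }
  const rows = accounts.map((a) =>
    `<tr><td>${escapeHtml(a.id)}</td><td>${escapeHtml(a.firstName)}</td>` +
    `<td>${escapeHtml(a.lastName)}</td><td>${escapeHtml(a.phone)}</td>` +
    `<td>${escapeHtml(a.address)}</td></tr>`
  ).join('');
  return `<h2>${escapeHtml(title)}</h2><table>${rows}</table>`;
}

// Test-time check: does the rendered string contain any tag that our own
// template did not emit? After escaping, no '<' from data survives, so the
// only tags left must be the template's.
function containsUnescapedMarkup(html, templateTags = ['h2', 'p', 'table', 'tr', 'td']) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!templateTags.includes(m[1].toLowerCase())) return true;
  }
  return false;
}

// Constructed sample input: a reflected payload in the query (the one from
// the review) and a stored one in an account row returned by the API.
const SAMPLE_QUERY = '<img src=x onerror=alert(1)>';
const SAMPLE_ACCOUNTS = [
  { id: 1, firstName: 'John', lastName: 'Doe', phone: '555-0100', address: '1 Main St' },
  { id: 2, firstName: '<script>alert(1)</script>', lastName: "O'Brien", phone: '"', address: 'a&b' },
];

function demo() {
  return renderResults(`Search Results for "${SAMPLE_QUERY}"`, SAMPLE_ACCOUNTS);
}

console.log(demo());
```

The lookup-table escaper and the browser `textContent` trick produce equivalent results for text nodes; the table version is preferred in a test suite because it has no DOM dependency and its output is deterministic across browsers.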
Fixed in e499a7e. Added an `escapeHtml()` helper using `textContent`/`innerHTML` and applied it to all user input and API response data before rendering via `innerHTML`:
- Search query in title (`escapeHtml(query)`)
- All API fields: `id`, `firstName`, `lastName`, `phone`, `address`
- Error messages
- Title in empty-results and results header

- Add escapeHtml() helper that uses textContent/innerHTML to safely escape
- Escape user search query before rendering in innerHTML
- Escape all API response fields (firstName, lastName, phone, address, id)
- Escape error messages before rendering
- Addresses Devin Review finding on PR #76

Co-Authored-By: Jerry Oliphant <jerry.oliphant@cognition.ai>
Summary
Migrates all 23 COBOL source files from this repository into a new Java 17 / Spring Boot 3.2.5 application under `java-migration/`. The migration covers data models, business logic, database access, serialization, file processing, reporting, and a simple web UI — organized across the 7 phases outlined in the migration plan.

Key components created:
- `Account` (JPA entity), `Customer` (REDEFINES pattern), `CustomerType`, `ItemRecord`, `SerializableRecord`, `CustomerRecord`
- `AccountService`, `SearchService`, `JsonGeneratorService`, `XmlGeneratorService`, `MergeSortService`, `ReportService`, `SubProgramService`, `CompTestService`, `DisplayTimingService`
- `StringUtils` (trim, unstring, isNumeric, numval), `CommandLineArgsService`
- `AccountController` with endpoints for listing/searching accounts
- `V1__create_accounts_table.sql` with seed data; `AccountRepository` with Spring Data JPA
- `index.html` calling the REST API
- `MIGRATION_REPORT.md` (file-by-file mapping), `MouseExampleNote.md`, updated `README.md`
- `archive/cobol/` (archived COBOL sources)

Updates since last revision
- Added `application-test.properties` so the app can run locally without PostgreSQL via `mvn spring-boot:run -Dspring-boot.run.arguments="--spring.profiles.active=test"`. H2 dependency scope changed from `test` to `runtime` to support this.
- `index.html`: Added `escapeHtml()` helper to sanitize all user input and API response data before rendering via `innerHTML`. Applies to search query display, all account fields (`id`, `firstName`, `lastName`, `phone`, `address`), and error messages. Addresses DOM-based XSS vulnerability flagged by Devin Review.

Web frontend with all accounts loaded from H2: (screenshot)
Review & Testing Checklist for Human
- `StringUtils.numval()` uses `double` (IEEE 754) rather than COBOL packed decimal, which may produce different results for financial arithmetic.
- `MergeSortService` and `ReportService` use fixed-width string parsing that could have off-by-one errors.
- `AccountRepository.searchAccounts()` JPQL query — Uses `%:searchValue%` inline in the `@Query` annotation. Verify this behaves correctly with special characters (e.g., `%`, `_`) and doesn't produce unexpected matches.
- `expected_merged_output.txt` and `expected_report_output.txt` are created as fixtures but the corresponding test classes (`MergeSortServiceTest`, `ReportServiceTest`) don't actually compare against these golden files. The golden JSON test reads from a relative path that may be fragile.
- H2 dependency changed from `test` to `runtime` scope so the test profile works at runtime. This means H2 is bundled in production builds. Confirm this is acceptable, or consider using a Maven profile to limit H2 to dev/test only.
- COBOL sources archived to `archive/cobol/` but originals remain in their directories. Confirm whether the originals should be removed.

Suggested test plan: Clone the branch, run `cd java-migration && mvn clean test` with Java 17 to confirm all 104 tests pass. To verify the web UI without PostgreSQL, run `mvn spring-boot:run -Dspring-boot.run.arguments="--spring.profiles.active=test"` and visit `http://localhost:8080`. Test API endpoints: `/api/accounts`, `/api/accounts/disabled`, `/api/accounts/search?q=John`. Try entering `<img src=x onerror=alert(1)>` in the search box to confirm the XSS fix works.

Notes
- All 104 tests pass with `mvn test`.
- `@MockBean` annotation used in `AccountControllerTest` is deprecated in Spring Boot 3.2+ (still functional, but generates warnings).
- Database credentials in `application.properties` (postgres/password) are fine for local dev but should be externalized for any real deployment.

Link to Devin session: https://app.devin.ai/sessions/6ef03d3fb74344e79d11891f49e51347
Requested by: @jerryoliphant-cog