├── .github
└── workflows
│ └── complete-workflow.yml
├── CLI_reachable.png
├── README.md
├── UI_reachable.png
├── app
└── .jdk
│ └── bin
│ └── native2ascii
├── build.gradle
├── buildspec.yml
├── gradle
└── wrapper
│ ├── gradle-wrapper.jar
│ └── gradle-wrapper.properties
├── gradlew
├── gradlew.bat
├── java-reachable-goof.iml
├── malicious_file.zip
├── pom.xml
├── settings.gradle
└── src
├── main
└── java
│ ├── Butler.java
│ ├── Calculator.java
│ └── Unzipper.java
└── test
└── java
└── CalculatorTest.java
/.github/workflows/complete-workflow.yml:
--------------------------------------------------------------------------------
1 | name: Build code, run unit test, run SAST, SCA, DAST security scans
2 | on: push
3 |
4 | jobs:
5 | build:
6 | runs-on: ubuntu-latest
7 | name: Run unit tests and SAST scan on the source code
8 | steps:
9 | - uses: actions/checkout@v4
10 | - name: Set up JDK 21
11 | uses: actions/setup-java@v4
12 | with:
13 | java-version: '21'
14 | distribution: 'zulu'
15 | cache: maven
16 | - name: Run Sonar Analysis with cloud
17 | run: mvn -B verify sonar:sonar -Dsonar.projectKey=dotnetgithubactionsproject -Dsonar.organization=dotnetgithubactionsorg -Dsonar.host.url=https://sonarcloud.io -Dsonar.token=$SONAR_TOKEN
18 | env:
19 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
20 | SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
21 | security:
22 | runs-on: ubuntu-latest
23 | needs: build
24 | name: Run the SCA scan on the source code
25 | steps:
26 | - uses: actions/checkout@master
27 | - name: RunSnyk to check for vulnerabilities
28 | uses: snyk/actions/maven@master
29 | continue-on-error: true
30 | env:
31 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
32 | zap_scan:
33 | runs-on: ubuntu-latest
34 | needs: security
35 | name: Run DAST scan on the web application
36 | steps:
37 | - name: Checkout
38 | uses: actions/checkout@v4
39 | with:
40 | ref: master
41 | - name: ZAP Scan
42 | uses: zaproxy/action-baseline@v0.14.0
43 | with:
44 | target: 'http://testphp.vulnweb.com/'
45 | rules_file_name: '.zap/rules.tsv'
46 | cmd_options: '-a'
47 |
--------------------------------------------------------------------------------
/CLI_reachable.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/asecurityguru/devsecops-github-actions-all/ca359521c1929b94e55395f21fe74e246a32e643/CLI_reachable.png
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Java Reachability Playground Modified by ASecurityGuru for End to End Java DevSecOps Project Case Study
2 |
3 | # Updated on 11th June, 2022 - Added SonarCloud Code Coverage Changes
4 |
5 | This is an intentionally vulnerable application. It was purposely designed to demonstrate the capabilities of Snyk's Reachable
6 | Vulnerabilities feature and includes both a "Reachable" vulnerability (with a direct data flow to the vulnerable function) and a "Potentially Reachable" vulnerability (where only partial data exists for determining reachability).
7 |
8 |
9 | ## Included vulnerabilities
10 | ### [Arbitrary File Write via Archive Extraction](https://app.snyk.io/vuln/SNYK-JAVA-ORGND4J-72550)
11 | An exploit is using a vulnerability called [ZipSlip](https://snyk.io/research/zip-slip-vulnerability) - a critical vulnerability discovered
12 | by Snyk, which typically results in remote command execution. As part of the exploit, a special zip archive is
13 | crafted (attached as `malicious_file.zip`). When this file is extracted by a vulnerable function, it will create a file
14 | called `good.txt` in the folder `unzipped`, but it will also create a file called `evil.txt` in the `/tmp/` folder.
15 | This example is not dangerous, of course, but demonstrates the risk the vulnerability poses - imagine overwriting `.ssh/authorized_keys` or another sensitive file.
16 |
17 | ### [Deserialization of Untrusted Data](https://app.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-472711)
18 | This vulnerability is not exploited. It demonstrates potentially vulnerable code, for which data about vulnerable functions
19 | is not available.
20 |
21 | ## How to run the demo (Maven)
22 | 1. Checkout this repository (`git checkout git@github.com:snyk/java-reachability-playground.git`)
23 | 2. Install all the dependencies (`mvn install`)
24 | 3. Compile the project (`mvn compile`)
25 | 4. Run the main class (`mvn exec:java -Dexec.mainClass=Unzipper`); the application should throw an exception saying `Malicious file /tmp/evil.txt was created`.
26 | 5. Run snyk command with Reachable Vulnerabilities flag (`snyk test --reachable` or `snyk monitor --reachable`); you should see the vulnerability `SNYK-JAVA-ORGND4J-72550` marked as reachable
27 | and the function call path to the vulnerability
28 |
29 | ## For Gradle
30 | 1. Make sure you build the artifacts with `./gradlew build`
31 | 2. To see test results run `snyk test --file=build.gradle --reachable` or monitor: `snyk monitor --file=build.gradle --reachable`
32 | ---
33 |
34 | *Note: Once the java application is run, `malicious_file.zip` will be deleted by it. To run it again, run `git checkout .` prior
35 | to next java run.*
36 |
--------------------------------------------------------------------------------
/UI_reachable.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/asecurityguru/devsecops-github-actions-all/ca359521c1929b94e55395f21fe74e246a32e643/UI_reachable.png
--------------------------------------------------------------------------------
/app/.jdk/bin/native2ascii:
--------------------------------------------------------------------------------
1 | echo "MWHAHAHAHAH GOTCHA!"
2 |
--------------------------------------------------------------------------------
/build.gradle:
--------------------------------------------------------------------------------
1 | /*
2 | * This file was generated by the Gradle 'init' task.
3 | */
4 |
5 | plugins {
6 | id 'java'
7 | id 'maven-publish'
8 | }
9 |
10 | repositories {
11 | mavenLocal()
12 | maven {
13 | url = uri('http://repo.maven.apache.org/maven2')
14 | }
15 | }
16 |
17 | dependencies {
18 | implementation 'commons-collections:commons-collections:3.2.1'
19 | implementation 'org.nd4j:nd4j-common:1.0.0-beta2'
20 | }
21 |
22 | group = 'org.example'
23 | version = '1.0-SNAPSHOT'
24 | sourceCompatibility = '1.8'
25 |
26 | publishing {
27 | publications {
28 | maven(MavenPublication) {
29 | from(components.java)
30 | }
31 | }
32 | }
33 |
--------------------------------------------------------------------------------
/buildspec.yml:
--------------------------------------------------------------------------------
1 | version: 0.1
2 | phases:
3 | build:
4 | commands:
5 | - mvn verify sonar:sonar -Dsonar.projectKey=projectKey -Dsonar.organization=projectOrg -Dsonar.host.url=https://sonarcloud.io -Dsonar.login=token
6 |
--------------------------------------------------------------------------------
/gradle/wrapper/gradle-wrapper.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/asecurityguru/devsecops-github-actions-all/ca359521c1929b94e55395f21fe74e246a32e643/gradle/wrapper/gradle-wrapper.jar
--------------------------------------------------------------------------------
/gradle/wrapper/gradle-wrapper.properties:
--------------------------------------------------------------------------------
1 | distributionBase=GRADLE_USER_HOME
2 | distributionPath=wrapper/dists
3 | distributionUrl=https\://services.gradle.org/distributions/gradle-6.6.1-bin.zip
4 | zipStoreBase=GRADLE_USER_HOME
5 | zipStorePath=wrapper/dists
6 |
--------------------------------------------------------------------------------
/gradlew:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env sh
2 |
3 | #
4 | # Copyright 2015 the original author or authors.
5 | #
6 | # Licensed under the Apache License, Version 2.0 (the "License");
7 | # you may not use this file except in compliance with the License.
8 | # You may obtain a copy of the License at
9 | #
10 | # https://www.apache.org/licenses/LICENSE-2.0
11 | #
12 | # Unless required by applicable law or agreed to in writing, software
13 | # distributed under the License is distributed on an "AS IS" BASIS,
14 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 | # See the License for the specific language governing permissions and
16 | # limitations under the License.
17 | #
18 |
19 | ##############################################################################
20 | ##
21 | ## Gradle start up script for UN*X
22 | ##
23 | ##############################################################################
24 |
25 | # Attempt to set APP_HOME
26 | # Resolve links: $0 may be a link
27 | PRG="$0"
28 | # Need this for relative symlinks.
29 | while [ -h "$PRG" ] ; do
30 | ls=`ls -ld "$PRG"`
31 | link=`expr "$ls" : '.*-> \(.*\)$'`
32 | if expr "$link" : '/.*' > /dev/null; then
33 | PRG="$link"
34 | else
35 | PRG=`dirname "$PRG"`"/$link"
36 | fi
37 | done
38 | SAVED="`pwd`"
39 | cd "`dirname \"$PRG\"`/" >/dev/null
40 | APP_HOME="`pwd -P`"
41 | cd "$SAVED" >/dev/null
42 |
43 | APP_NAME="Gradle"
44 | APP_BASE_NAME=`basename "$0"`
45 |
46 | # Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
47 | DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
48 |
49 | # Use the maximum available, or set MAX_FD != -1 to use that value.
50 | MAX_FD="maximum"
51 |
52 | warn () {
53 | echo "$*"
54 | }
55 |
56 | die () {
57 | echo
58 | echo "$*"
59 | echo
60 | exit 1
61 | }
62 |
63 | # OS specific support (must be 'true' or 'false').
64 | cygwin=false
65 | msys=false
66 | darwin=false
67 | nonstop=false
68 | case "`uname`" in
69 | CYGWIN* )
70 | cygwin=true
71 | ;;
72 | Darwin* )
73 | darwin=true
74 | ;;
75 | MINGW* )
76 | msys=true
77 | ;;
78 | NONSTOP* )
79 | nonstop=true
80 | ;;
81 | esac
82 |
83 | CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
84 |
85 |
86 | # Determine the Java command to use to start the JVM.
87 | if [ -n "$JAVA_HOME" ] ; then
88 | if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
89 | # IBM's JDK on AIX uses strange locations for the executables
90 | JAVACMD="$JAVA_HOME/jre/sh/java"
91 | else
92 | JAVACMD="$JAVA_HOME/bin/java"
93 | fi
94 | if [ ! -x "$JAVACMD" ] ; then
95 | die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
96 |
97 | Please set the JAVA_HOME variable in your environment to match the
98 | location of your Java installation."
99 | fi
100 | else
101 | JAVACMD="java"
102 | which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
103 |
104 | Please set the JAVA_HOME variable in your environment to match the
105 | location of your Java installation."
106 | fi
107 |
108 | # Increase the maximum file descriptors if we can.
109 | if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then
110 | MAX_FD_LIMIT=`ulimit -H -n`
111 | if [ $? -eq 0 ] ; then
112 | if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then
113 | MAX_FD="$MAX_FD_LIMIT"
114 | fi
115 | ulimit -n $MAX_FD
116 | if [ $? -ne 0 ] ; then
117 | warn "Could not set maximum file descriptor limit: $MAX_FD"
118 | fi
119 | else
120 | warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT"
121 | fi
122 | fi
123 |
124 | # For Darwin, add options to specify how the application appears in the dock
125 | if $darwin; then
126 | GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\""
127 | fi
128 |
129 | # For Cygwin or MSYS, switch paths to Windows format before running java
130 | if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then
131 | APP_HOME=`cygpath --path --mixed "$APP_HOME"`
132 | CLASSPATH=`cygpath --path --mixed "$CLASSPATH"`
133 |
134 | JAVACMD=`cygpath --unix "$JAVACMD"`
135 |
136 | # We build the pattern for arguments to be converted via cygpath
137 | ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null`
138 | SEP=""
139 | for dir in $ROOTDIRSRAW ; do
140 | ROOTDIRS="$ROOTDIRS$SEP$dir"
141 | SEP="|"
142 | done
143 | OURCYGPATTERN="(^($ROOTDIRS))"
144 | # Add a user-defined pattern to the cygpath arguments
145 | if [ "$GRADLE_CYGPATTERN" != "" ] ; then
146 | OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)"
147 | fi
148 | # Now convert the arguments - kludge to limit ourselves to /bin/sh
149 | i=0
150 | for arg in "$@" ; do
151 | CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -`
152 | CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option
153 |
154 | if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition
155 | eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"`
156 | else
157 | eval `echo args$i`="\"$arg\""
158 | fi
159 | i=`expr $i + 1`
160 | done
161 | case $i in
162 | 0) set -- ;;
163 | 1) set -- "$args0" ;;
164 | 2) set -- "$args0" "$args1" ;;
165 | 3) set -- "$args0" "$args1" "$args2" ;;
166 | 4) set -- "$args0" "$args1" "$args2" "$args3" ;;
167 | 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
168 | 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
169 | 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
170 | 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
171 | 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
172 | esac
173 | fi
174 |
175 | # Escape application args
176 | save () {
177 | for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done
178 | echo " "
179 | }
180 | APP_ARGS=`save "$@"`
181 |
182 | # Collect all arguments for the java command, following the shell quoting and substitution rules
183 | eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS"
184 |
185 | exec "$JAVACMD" "$@"
186 |
--------------------------------------------------------------------------------
/gradlew.bat:
--------------------------------------------------------------------------------
1 | @rem
2 | @rem Copyright 2015 the original author or authors.
3 | @rem
4 | @rem Licensed under the Apache License, Version 2.0 (the "License");
5 | @rem you may not use this file except in compliance with the License.
6 | @rem You may obtain a copy of the License at
7 | @rem
8 | @rem https://www.apache.org/licenses/LICENSE-2.0
9 | @rem
10 | @rem Unless required by applicable law or agreed to in writing, software
11 | @rem distributed under the License is distributed on an "AS IS" BASIS,
12 | @rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | @rem See the License for the specific language governing permissions and
14 | @rem limitations under the License.
15 | @rem
16 |
17 | @if "%DEBUG%" == "" @echo off
18 | @rem ##########################################################################
19 | @rem
20 | @rem Gradle startup script for Windows
21 | @rem
22 | @rem ##########################################################################
23 |
24 | @rem Set local scope for the variables with windows NT shell
25 | if "%OS%"=="Windows_NT" setlocal
26 |
27 | set DIRNAME=%~dp0
28 | if "%DIRNAME%" == "" set DIRNAME=.
29 | set APP_BASE_NAME=%~n0
30 | set APP_HOME=%DIRNAME%
31 |
32 | @rem Resolve any "." and ".." in APP_HOME to make it shorter.
33 | for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi
34 |
35 | @rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
36 | set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m"
37 |
38 | @rem Find java.exe
39 | if defined JAVA_HOME goto findJavaFromJavaHome
40 |
41 | set JAVA_EXE=java.exe
42 | %JAVA_EXE% -version >NUL 2>&1
43 | if "%ERRORLEVEL%" == "0" goto execute
44 |
45 | echo.
46 | echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
47 | echo.
48 | echo Please set the JAVA_HOME variable in your environment to match the
49 | echo location of your Java installation.
50 |
51 | goto fail
52 |
53 | :findJavaFromJavaHome
54 | set JAVA_HOME=%JAVA_HOME:"=%
55 | set JAVA_EXE=%JAVA_HOME%/bin/java.exe
56 |
57 | if exist "%JAVA_EXE%" goto execute
58 |
59 | echo.
60 | echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
61 | echo.
62 | echo Please set the JAVA_HOME variable in your environment to match the
63 | echo location of your Java installation.
64 |
65 | goto fail
66 |
67 | :execute
68 | @rem Setup the command line
69 |
70 | set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
71 |
72 |
73 | @rem Execute Gradle
74 | "%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %*
75 |
76 | :end
77 | @rem End local scope for the variables with windows NT shell
78 | if "%ERRORLEVEL%"=="0" goto mainEnd
79 |
80 | :fail
81 | rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
82 | rem the _cmd.exe /c_ return code!
83 | if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1
84 | exit /b 1
85 |
86 | :mainEnd
87 | if "%OS%"=="Windows_NT" endlocal
88 |
89 | :omega
90 |
--------------------------------------------------------------------------------
/java-reachable-goof.iml:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/malicious_file.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/asecurityguru/devsecops-github-actions-all/ca359521c1929b94e55395f21fe74e246a32e643/malicious_file.zip
--------------------------------------------------------------------------------
/pom.xml:
--------------------------------------------------------------------------------
1 |
2 |
5 | 4.0.0
6 | org.example
7 | java-vulnerable-code-asecurityguru
8 | 1.0-SNAPSHOT
9 |
10 | 1.8
11 | 1.8
12 |
13 |
14 |
15 | commons-collections
16 | commons-collections
17 | 3.2.1
18 |
19 |
20 | org.nd4j
21 | nd4j-common
22 | 1.0.0-beta2
23 |
24 |
25 |
30 |
31 | junit
32 | junit
33 | 4.12
34 | test
35 |
36 |
37 |
38 |
39 |
40 |
41 |
46 |
47 | org.jacoco
48 | jacoco-maven-plugin
49 | 0.8.7
50 |
51 |
52 | prepare-agent
53 |
54 | prepare-agent
55 |
56 |
57 |
58 | report
59 |
60 | report
61 |
62 |
63 |
64 | XML
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
--------------------------------------------------------------------------------
/settings.gradle:
--------------------------------------------------------------------------------
1 | /*
2 | * This file was generated by the Gradle 'init' task.
3 | */
4 |
5 | rootProject.name = 'java-reachable-goof'
6 |
--------------------------------------------------------------------------------
/src/main/java/Butler.java:
--------------------------------------------------------------------------------
1 | import org.apache.commons.collections.ListUtils;
2 | import java.util.ArrayList;
3 |
4 | public class Butler {
5 |
6 | public void welcome() {
7 |
8 | // https://app.snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-472711
9 | // Should appear as Potentially Reachable
10 | ArrayList list1 = new ArrayList();
11 | list1.add("Hello");
12 | ArrayList list2 = new ArrayList();
13 | list2.add("World");
14 |
15 | System.out.println(ListUtils.union(list1, list2));
16 | }
17 | }
18 |
--------------------------------------------------------------------------------
/src/main/java/Calculator.java:
--------------------------------------------------------------------------------
1 | /*
2 | #Added a Java File for Demonstration of Code Coverage Percentage update on SonarCloud Dashboard
3 | #By ASecurityGuru
4 | #5/11/2022 11:14 AM IST
5 | */
6 | public class Calculator {
7 |
8 | public int addition(String arguments) {
9 |
10 | int sum = 0;
11 | for (String add : arguments.split("\\+"))
12 | sum += Integer.valueOf(add);
13 | return sum;
14 | }
15 | }
16 |
--------------------------------------------------------------------------------
/src/main/java/Unzipper.java:
--------------------------------------------------------------------------------
1 | import org.nd4j.util.ArchiveUtils;
2 | import java.io.File;
3 |
4 | public class Unzipper {
5 | public static void main(String[] args) throws Exception {
6 |
7 | Butler butler = new Butler();
8 | butler.welcome();
9 | // https://app.snyk.io/vuln/SNYK-JAVA-ORGND4J-72550
10 | // should appear as Reachable
11 | ArchiveUtils.unzipFileTo("./malicious_file.zip", "./unzipped/");
12 | File f = new File("/tmp/evil.txt");
13 | if (f.exists()) {
14 | throw new Exception("Malicious file /tmp/evil.txt was created");
15 | };
16 | }
17 | }
18 |
--------------------------------------------------------------------------------
/src/test/java/CalculatorTest.java:
--------------------------------------------------------------------------------
1 | /*
2 | #Added a Java Test File for Demonstration of Code Coverage Percentage update on SonarCloud Dashboard
3 | #By ASecurityGuru
4 | #5/11/2022 11:14 AM IST
5 | */
6 |
7 | import static org.junit.Assert.assertEquals;
8 | import org.junit.Test;
9 |
10 | public class CalculatorTest {
11 |
12 | @Test
13 | public void verifyAdditionOne() {
14 |
15 | Calculator calculator = new Calculator();
16 | int sum = calculator.addition("5+2");
17 | assertEquals(7, sum);
18 | }
19 |
20 | @Test
21 | public void verifyAdditionTwo() {
22 |
23 | Calculator calculator = new Calculator();
24 | int sum = calculator.addition("13+27");
25 | assertEquals(40, sum);
26 | }
27 | }
28 |
--------------------------------------------------------------------------------