/* good2() reverses the bodies in the if statement */
  /**
   * Test-case variant of the servlet action: the outer condition {@code IO.static_returns_t()}
   * selects the first branch, and (per the INCIDENTAL comment below) the second branch never
   * runs. Both branches read the {@code username} request parameter, accept it only when it
   * matches {@code [a-zA-Z0-9]*}, and otherwise write "Invalid characters" to the response.
   *
   * @param request the current request; only the {@code username} parameter is read
   * @param response the response; written only on the invalid-characters path
   * @throws Throwable propagated from the servlet API calls
   */
  private void good2(HttpServletRequest request, HttpServletResponse response) throws Throwable {
    if (IO.static_returns_t()) {
      Logger tcLog = Logger.getLogger("cwe_testcases_logger");
      // No username parameter: nothing to log or validate.
      if (request.getParameter("username") == null) {
        return;
      }
      String username = request.getParameter("username");
      // Allow-list check; note the pattern also accepts the empty string.
      if (username.matches("[a-zA-Z0-9]*")) {
        HttpSession session = request.getSession(true);
        /* FIX: logged message does not contain session id */
        // NOTE(review): the statement below still appends session.getId(), which contradicts
        // the FIX comment, and its string concatenation looks garbled in this copy ("******") —
        // confirm against the original test-case source.
        tcLog.log(Level.FINEST, "Username: "******" Session ID:" + session.getId());
      } else {
        response.getWriter().println("Invalid characters");
      }
    } else {
      /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */

      Logger tcLog = Logger.getLogger("cwe_testcases_logger");
      if (request.getParameter("username") == null) {
        return;
      }

      String username = request.getParameter("username");

      if (username.matches("[a-zA-Z0-9]*")) {
        HttpSession session = request.getSession(true);
        /* FLAW: leak session ID to debug log */
        // Session identifiers are credentials; writing them to a log file (even at FINEST)
        // exposes them to anyone who can read the logs.
        tcLog.log(Level.FINEST, "Username: "******" Session ID:" + session.getId());
      } else {
        response.getWriter().println("Invalid characters");
      }
    }
  }
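  /**
   * Authenticates the current request against the web-app's configured {@code Login}.
   *
   * <p>Returns {@code true} only when a login module exists and it produced a non-null
   * {@link Principal}. When no web-app is found, or when {@code isFail} is set and no login
   * module is configured, a 403 is sent and {@code false} is returned. An {@link IOException}
   * while sending the error is logged at FINE and treated as a failed login.
   *
   * @param isFail whether the caller requires authentication: {@code true} makes a missing
   *     login module a hard failure (403); {@code false} makes it a quiet {@code false}
   * @return {@code true} if a user principal was established, {@code false} otherwise
   */
  @Override
  public boolean login(boolean isFail) {
    try {
      WebApp webApp = getWebApp();

      if (webApp == null) {
        // Guard level matches the finer() call so the check is not misleading.
        if (log.isLoggable(Level.FINER)) log.finer("authentication failed, no web-app found");

        getResponse().sendError(HttpServletResponse.SC_FORBIDDEN);

        return false;
      }

      Login login = webApp.getLogin();

      if (login == null) {
        if (isFail) {
          if (log.isLoggable(Level.FINER))
            log.finer("authentication failed, no login module found for " + webApp);

          getResponse().sendError(HttpServletResponse.SC_FORBIDDEN);
        }

        // For a non-failure request a missing login module is not an error.
        return false;
      }

      // The authenticator owns how the principal is obtained and stored.
      Principal user = login.login(this, getResponse(), isFail);

      return user != null;
    } catch (IOException e) {
      log.log(Level.FINE, e.toString(), e);

      return false;
    }
  }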
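  /**
   * Displays the Create Discussion page for a HTTP GET, or creates a Discussion Thread for a
   * HTTP POST.
   *
   * <p>Requirements:
   *
   * <ul>
   *   <li>a cookie for the session user (otherwise the request is redirected)
   *   <li>GET: a {@code groupId} request parameter
   *   <li>POST: {@code groupId} and {@code threadName} request parameters, plus a {@code
   *       document} request part (a missing or empty part means "no upload")
   * </ul>
   *
   * <p>Any other method answers 404. A POST whose {@code groupId} is not an integer also
   * answers 404 instead of propagating a {@link NumberFormatException}.
   *
   * @param req The HTTP Request
   * @param res The HTTP Response
   */
  public void createDiscussionAction(HttpServletRequest req, HttpServletResponse res) {
    // Ensure there is a cookie for the session user
    if (AccountController.redirectIfNoCookie(req, res)) return;

    // Compare with equals(): the container's method string is not guaranteed to be interned.
    String method = req.getMethod();

    if (HttpMethod.Get.equals(method)) {
      Map<String, Object> viewData = new HashMap<>();
      viewData.put("title", "Create Discussion");
      viewData.put("groupId", req.getParameter("groupId"));

      view(req, res, "/views/group/CreateDiscussion.jsp", viewData);
      return;
    }

    if (HttpMethod.Post.equals(method)) {
      int groupId;
      try {
        // Client-supplied; reject a non-integer value instead of surfacing a 500.
        groupId = Integer.parseInt(req.getParameter("groupId"));
      } catch (NumberFormatException e) {
        httpNotFound(req, res);
        return;
      }

      GroupManager groupMan = new GroupManager();
      DiscussionThread thread = new DiscussionThread();
      thread.setGroupId(groupId);
      thread.setGroup(groupMan.get(groupId));
      thread.setThreadName(req.getParameter("threadName"));

      new DiscussionManager().createDiscussion(thread);

      // Best-effort: the thread already exists, so a failed upload must not block the redirect.
      saveDiscussionDocument(req, thread, groupId);

      redirectToLocal(req, res, "/group/discussion/?threadId=" + thread.getId());
      return;
    }

    httpNotFound(req, res);
  }

  /**
   * Stores the {@code document} part of {@code req}, if present and non-empty, as version 1 of
   * a document attached to {@code thread}, then notifies every member of the group. Any failure
   * is logged at SEVERE and does not propagate.
   *
   * @param req the multipart request carrying the {@code document} part
   * @param thread the already-persisted thread the document belongs to
   * @param groupId the group whose members receive the upload notification
   */
  private void saveDiscussionDocument(HttpServletRequest req, DiscussionThread thread, int groupId) {
    try {
      Part documentPart = req.getPart("document");

      // Nothing to upload.
      if (documentPart == null || documentPart.getSize() <= 0) return;

      String uuid = DocumentController.saveDocument(this.getServletContext(), documentPart);
      Document doc = new Document();
      // NOTE(review): the display name comes from the client's upload; confirm the views render
      // it as plain text and that it is never used as a path (the stored path is the uuid).
      doc.setDocumentName(getFileName(documentPart));
      doc.setDocumentPath(uuid);
      doc.setVersionNumber(1);
      doc.setThreadId(thread.getId());
      doc.setGroupId(thread.getGroupId());

      new DocumentManager().createDocument(doc);

      // Uploading user, from the session object stored at login.
      Session userSession = (Session) req.getSession().getAttribute("userSession");
      User uploader = userSession.getUser();

      // Notify everyone in the group about the new document.
      NotificationManager notificationMan = new NotificationManager();
      List<User> groupUsers = new GroupManager().getGroupUsers(groupId);

      for (User u : groupUsers) {
        Notification notification =
            new Notification(
                u.getId(),
                u,
                groupId,
                null,
                "User " + uploader.getFullName() + " has uploaded a document",
                "/document/document?documentId=" + doc.getId());

        notificationMan.createNotification(notification);
      }
    } catch (Exception e) {
      logger.log(Level.SEVERE, "Document save error", e);
    }
  }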
  /**
   * Runs the request-processing phases of the JSF lifecycle in order: Restore View, Apply
   * Request Values, Process Validations, Update Model Values and Invoke Application. Each phase
   * is bracketed by {@code beforePhase}/{@code afterPhase}, and processing stops as soon as the
   * context reports the response complete or a render-response request.
   *
   * <p>A {@link RuntimeException} from decode processing is logged at WARNING and the lifecycle
   * continues; one from model updates is handed to {@code sendError}, which decides whether the
   * lifecycle ends here.
   *
   * @param context the current faces context
   * @throws FacesException propagated from the phase implementations
   */
  public void execute(FacesContext context) throws FacesException {
    boolean traceEnabled = log.isLoggable(Level.FINER);

    if (lifecycleDone(context)) return;

    // Restore View
    beforePhase(context, PhaseId.RESTORE_VIEW);
    try {
      if (traceEnabled) log.finer("JSF[] before restore view");
      restoreView(context);
    } finally {
      afterPhase(context, PhaseId.RESTORE_VIEW);
    }

    if (lifecycleDone(context)) return;

    UIViewRoot viewRoot = context.getViewRoot();

    // Apply Request Values: a decode failure is logged, not fatal
    beforePhase(context, PhaseId.APPLY_REQUEST_VALUES);
    try {
      if (traceEnabled) log.finer(context.getViewRoot() + " before process decodes");
      viewRoot.processDecodes(context);
    } catch (RuntimeException e) {
      log.log(Level.WARNING, e.toString(), e);
    } finally {
      afterPhase(context, PhaseId.APPLY_REQUEST_VALUES);
    }

    if (lifecycleDone(context)) return;

    // Process Validations
    beforePhase(context, PhaseId.PROCESS_VALIDATIONS);
    try {
      if (traceEnabled) log.finer(context.getViewRoot() + " before process validators");
      viewRoot.processValidators(context);
    } finally {
      afterPhase(context, PhaseId.PROCESS_VALIDATIONS);
    }

    if (lifecycleDone(context)) return;

    // Update Model Values: sendError() reports the failure and may end the lifecycle
    beforePhase(context, PhaseId.UPDATE_MODEL_VALUES);
    try {
      if (traceEnabled) log.finer(context.getViewRoot() + " before process updates");
      viewRoot.processUpdates(context);
    } catch (RuntimeException e) {
      if (sendError(context, "processUpdates", e)) return;
    } finally {
      afterPhase(context, PhaseId.UPDATE_MODEL_VALUES);
    }

    if (lifecycleDone(context)) return;

    // Invoke Application
    beforePhase(context, PhaseId.INVOKE_APPLICATION);
    try {
      if (traceEnabled) log.finer(context.getViewRoot() + " before process application");
      viewRoot.processApplication(context);
    } finally {
      afterPhase(context, PhaseId.INVOKE_APPLICATION);
    }
  }

  /** True once the response is complete or a render-response request is pending. */
  private static boolean lifecycleDone(FacesContext context) {
    return context.getResponseComplete() || context.getRenderResponse();
  }
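  /**
   * Reports an exception thrown by a lifecycle phase, either by rethrowing it or by rendering a
   * 500 error page describing it.
   *
   * <p>Rethrown (never rendered) when the cause chain contains a {@code DisplayableException},
   * {@code ServletException} or {@code JspException}, or when the external response is not an
   * {@link HttpServletResponse}. Otherwise the exception is logged at WARNING, an HTML page with
   * the message, the component tree and (outside test mode) the stack trace is written, the
   * response is marked complete, and the view root is replaced by a fresh one so the error does
   * not recur on re-render.
   *
   * @param context the current faces context
   * @param lifecycle name of the phase that failed, shown in the page heading
   * @param e the exception to report
   * @return {@code true} when the error page was written and the lifecycle should stop
   * @throws FacesException or the original {@link RuntimeException} in the rethrow cases above
   * @throws RuntimeException wrapping {@code e} if writing the error page itself fails
   */
  private boolean sendError(FacesContext context, String lifecycle, Exception e) {
    // Some causes must reach the container's own error handling instead of this page.
    for (Throwable cause = e; cause != null; cause = cause.getCause()) {
      if (cause instanceof DisplayableException) {
        if (e instanceof RuntimeException) throw (RuntimeException) e;
        else throw new FacesException(e);
      } else if (cause instanceof ServletException) throw new FacesException(e);
      else if (cause instanceof JspException) throw new FacesException(e);
    }

    ExternalContext extContext = context.getExternalContext();
    Object response = extContext.getResponse();

    if (!(response instanceof HttpServletResponse)) {
      context.renderResponse();

      if (e instanceof RuntimeException) throw (RuntimeException) e;
      else throw new RuntimeException(e);
    }

    log.log(Level.WARNING, e.toString(), e);

    HttpServletResponse res = (HttpServletResponse) response;

    // getMessage() may be null (e.g. a bare NullPointerException); never dereference it blindly.
    String msg = e.getMessage();
    if (msg == null) msg = e.toString();

    try {
      context.renderResponse();
      context.responseComplete();

      res.setStatus(500, "JSF Exception");
      res.setContentType("text/html");

      PrintWriter out = res.getWriter();

      out.println("<body>");

      out.println("<h3>JSF exception detected in " + lifecycle + " phase</h3>");

      out.println("<span style='color:red;font:bold'>" + Html.escapeHtml(msg) + "</span><br/>");

      // The view root's string form can carry request-derived data (the view id); escape it.
      String viewLabel = Html.escapeHtml(String.valueOf(context.getViewRoot()));
      out.println("<h3>Context: " + viewLabel + "</h3>");
      out.println("<code><pre>");

      // FacesException messages of the form "id=<componentId> ..." name the failing component.
      String errorId = null;

      if (e instanceof FacesException && msg.startsWith("id=")) {
        int p = msg.indexOf(' ');
        // No text after the id: the rest of the message is the id.
        errorId = p < 0 ? msg.substring(3) : msg.substring(3, p);
      }

      printComponentTree(out, errorId, context, context.getViewRoot(), 0);

      out.println("</pre></code>");

      // NOTE(review): this writes the server stack trace into the client response (information
      // disclosure, CWE-209); it is suppressed only under Alarm.isTest(). Consider gating it on
      // a development/debug setting instead.
      if (!Alarm.isTest()) {
        out.println("<h3>Stack Trace</h3>");
        out.println("<pre>");
        if (e.getCause() != null) e.getCause().printStackTrace(out);
        else e.printStackTrace(out);
        out.println("</pre>");
      }

      out.println("</body>");

      // Replace the failed view with a fresh one so re-rendering does not loop on the same error.
      Application app = context.getApplication();

      ViewHandler view = app.getViewHandler();

      UIViewRoot viewRoot = context.getViewRoot();

      viewRoot = view.createView(context, viewRoot.getViewId());

      context.setViewRoot(viewRoot);

      // view.writeState(context); // XXX: no need to output state, but review.

      return true;
    } catch (IOException e1) {
      // Rethrow the original exception, but keep the write failure attached for diagnosis.
      RuntimeException wrapped = new RuntimeException(e);
      wrapped.addSuppressed(e1);
      throw wrapped;
    }
  }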