public void bad() throws Throwable {
float data;
if (IO.staticReturnsTrue()) {
data = -1.0f; /* Initialize data */
/* get system property user.home */
/* POTENTIAL FLAW: Read data from a system property */
{
String stringNumber = System.getProperty("user.home");
if (stringNumber != null) {
try {
data = Float.parseFloat(stringNumber.trim());
} catch (NumberFormatException exceptNumberFormat) {
IO.logger.log(
Level.WARNING,
"Number format exception parsing data from string",
exceptNumberFormat);
}
}
}
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = 0.0f;
}
if (IO.staticReturnsTrue()) {
/* POTENTIAL FLAW: Possibly modulo by zero */
int result = (int) (100.0 % data);
IO.writeLine(result);
}
}
/* goodG2B2() - use goodsource and badsink by reversing statements in first if */
private void goodG2B2() throws Throwable {
int data;
if (IO.staticReturnsTrue()) {
/* FIX: Use a hardcoded number that won't cause underflow, overflow, divide by zero, or loss-of-precision issues */
data = 2;
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = 0;
}
if (IO.staticReturnsTrue()) {
int array[] = null;
/* POTENTIAL FLAW: Verify that data is non-negative, but still allow it to be 0 */
if (data >= 0) {
array = new int[data];
} else {
IO.writeLine("Array size is negative");
}
/* do something with the array */
array[0] = 5;
IO.writeLine(array[0]);
}
}
/* goodB2G2() - use badsource and goodsink by reversing statements in second if */
private void goodB2G2() throws Throwable {
float data;
if (IO.staticReturnsTrue()) {
data = -1.0f; /* Initialize data */
/* get system property user.home */
/* POTENTIAL FLAW: Read data from a system property */
{
String stringNumber = System.getProperty("user.home");
if (stringNumber != null) {
try {
data = Float.parseFloat(stringNumber.trim());
} catch (NumberFormatException exceptNumberFormat) {
IO.logger.log(
Level.WARNING,
"Number format exception parsing data from string",
exceptNumberFormat);
}
}
}
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = 0.0f;
}
if (IO.staticReturnsTrue()) {
/* FIX: Check for value of or near zero before modulo */
if (Math.abs(data) > 0.000001) {
int result = (int) (100.0 % data);
IO.writeLine(result);
} else {
IO.writeLine("This would result in a modulo by zero");
}
}
}
public void bad() throws Throwable {
int data;
if (IO.staticReturnsTrue()) {
data = Integer.MIN_VALUE; /* Initialize data */
/* get system property user.home */
/* POTENTIAL FLAW: Read data from a system property */
{
String stringNumber = System.getProperty("user.home");
try {
data = Integer.parseInt(stringNumber.trim());
} catch (NumberFormatException exceptNumberFormat) {
IO.logger.log(
Level.WARNING,
"Number format exception parsing data from string",
exceptNumberFormat);
}
}
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = 0;
}
if (IO.staticReturnsTrue()) {
/* POTENTIAL FLAW: if data == Integer.MIN_VALUE, this will overflow */
int result = (int) (data - 1);
IO.writeLine("result: " + result);
}
}
/* goodB2G2() - use badsource and goodsink by reversing statements in second if */
private void goodB2G2() throws Throwable {
int data;
if (IO.staticReturnsTrue()) {
data = Integer.MIN_VALUE; /* Initialize data */
/* get system property user.home */
/* POTENTIAL FLAW: Read data from a system property */
{
String stringNumber = System.getProperty("user.home");
try {
data = Integer.parseInt(stringNumber.trim());
} catch (NumberFormatException exceptNumberFormat) {
IO.logger.log(
Level.WARNING,
"Number format exception parsing data from string",
exceptNumberFormat);
}
}
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = 0;
}
if (IO.staticReturnsTrue()) {
/* FIX: Add a check to prevent an overflow from occurring */
if (data > Integer.MIN_VALUE) {
int result = (int) (data - 1);
IO.writeLine("result: " + result);
} else {
IO.writeLine("data value is too small to perform subtraction.");
}
}
}
/* goodG2B2() - use goodsource and badsink by reversing statements in first if */
private void goodG2B2() throws Throwable {
String data;
if (IO.staticReturnsTrue()) {
/* FIX: Use a hardcoded int as a string */
data = "5";
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
}
if (IO.staticReturnsTrue()) {
int numberOfLoops;
try {
numberOfLoops = Integer.parseInt(data);
} catch (NumberFormatException exceptNumberFormat) {
IO.writeLine("Invalid response. Numeric input expected. Assuming 1.");
numberOfLoops = 1;
}
for (int i = 0; i < numberOfLoops; i++) {
/* POTENTIAL FLAW: user supplied input used for loop counter test */
IO.writeLine("hello world");
}
}
}
/* goodB2G2() - use badsource and goodsink by reversing statements in second if */
private void goodB2G2() throws Throwable {
String data;
if (IO.staticReturnsTrue()) {
data = ""; /* Initialize data */
/* read input from URLConnection */
{
URLConnection urlConnection = (new URL("http://www.example.org/")).openConnection();
BufferedReader readerBuffered = null;
InputStreamReader readerInputStream = null;
try {
readerInputStream = new InputStreamReader(urlConnection.getInputStream(), "UTF-8");
readerBuffered = new BufferedReader(readerInputStream);
/* POTENTIAL FLAW: Read data from a web server with URLConnection */
/* This will be reading the first "line" of the response body,
* which could be very long if there are no newlines in the HTML */
data = readerBuffered.readLine();
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO);
} finally {
/* clean up stream reading objects */
try {
if (readerBuffered != null) {
readerBuffered.close();
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error closing BufferedReader", exceptIO);
}
try {
if (readerInputStream != null) {
readerInputStream.close();
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error closing InputStreamReader", exceptIO);
}
}
}
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
}
if (IO.staticReturnsTrue()) {
int numberOfLoops;
try {
numberOfLoops = Integer.parseInt(data);
} catch (NumberFormatException exceptNumberFormat) {
IO.writeLine("Invalid response. Numeric input expected. Assuming 1.");
numberOfLoops = 1;
}
/* FIX: loop number thresholds validated */
if (numberOfLoops >= 0 && numberOfLoops <= 5) {
for (int i = 0; i < numberOfLoops; i++) {
IO.writeLine("hello world");
}
}
}
}
/* goodB2G2() - use badsource and goodsink by reversing statements in second if */
private void goodB2G2() throws Throwable {
int data;
if (IO.staticReturnsTrue()) {
data = Integer.MIN_VALUE; /* Initialize data */
/* retrieve the property */
{
Properties properties = new Properties();
FileInputStream streamFileInput = null;
try {
streamFileInput = new FileInputStream("../common/config.properties");
properties.load(streamFileInput);
/* POTENTIAL FLAW: Read data from a .properties file */
String stringNumber = properties.getProperty("data");
if (stringNumber != null) // avoid NPD incidental warnings
{
try {
data = Integer.parseInt(stringNumber.trim());
} catch (NumberFormatException exceptNumberFormat) {
IO.logger.log(
Level.WARNING,
"Number format exception parsing data from string",
exceptNumberFormat);
}
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO);
} finally {
/* Close stream reading object */
try {
if (streamFileInput != null) {
streamFileInput.close();
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error closing FileInputStream", exceptIO);
}
}
}
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = 0;
}
if (IO.staticReturnsTrue()) {
/* FIX: Add a check to prevent an overflow from occurring */
/* NOTE: Math.abs of the minimum int or long will return that same value, so we must check for it */
if ((data != Integer.MIN_VALUE)
&& (data != Long.MIN_VALUE)
&& (Math.abs(data) <= (long) Math.sqrt(Integer.MAX_VALUE))) {
int result = (int) (data * data);
IO.writeLine("result: " + result);
} else {
IO.writeLine("data value is too large to perform squaring.");
}
}
}
public void bad() throws Throwable {
int data;
if (IO.staticReturnsTrue()) {
data = Integer.MIN_VALUE; /* Initialize data */
/* retrieve the property */
{
Properties properties = new Properties();
FileInputStream streamFileInput = null;
try {
streamFileInput = new FileInputStream("../common/config.properties");
properties.load(streamFileInput);
/* POTENTIAL FLAW: Read data from a .properties file */
String stringNumber = properties.getProperty("data");
if (stringNumber != null) // avoid NPD incidental warnings
{
try {
data = Integer.parseInt(stringNumber.trim());
} catch (NumberFormatException exceptNumberFormat) {
IO.logger.log(
Level.WARNING,
"Number format exception parsing data from string",
exceptNumberFormat);
}
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO);
} finally {
/* Close stream reading object */
try {
if (streamFileInput != null) {
streamFileInput.close();
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error closing FileInputStream", exceptIO);
}
}
}
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = 0;
}
if (IO.staticReturnsTrue()) {
/* POTENTIAL FLAW: if (data*data) > Integer.MAX_VALUE, this will overflow */
int result = (int) (data * data);
IO.writeLine("result: " + result);
}
}
/* goodG2B2() - use goodsource and badsink by reversing statements in first if */
private void goodG2B2() throws Throwable {
String data;
if (IO.staticReturnsTrue()) {
/* FIX: Use a hardcoded string */
data = "foo";
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
}
if (IO.staticReturnsTrue()) {
Connection dbConnection = null;
Statement sqlStatement = null;
try {
dbConnection = IO.getDBConnection();
sqlStatement = dbConnection.createStatement();
/* POTENTIAL FLAW: data concatenated into SQL statement used in execute(), which could result in SQL Injection */
Boolean result =
sqlStatement.execute(
"insert into users (status) values ('updated') where name='" + data + "'");
if (result) {
IO.writeLine("Name, " + data + ", updated successfully");
} else {
IO.writeLine("Unable to update records for user: "******"Error getting database connection", exceptSql);
} finally {
try {
if (sqlStatement != null) {
sqlStatement.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Statement", exceptSql);
}
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
}
/* goodB2G1() - use badsource and goodsink by changing second IO.staticReturnsTrue() to IO.staticReturnsFalse() */
private void goodB2G1() throws Throwable {
long data;
if (IO.staticReturnsTrue()) {
/* POTENTIAL FLAW: Use the maximum size of the data type */
data = Long.MAX_VALUE;
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = 0L;
}
if (IO.staticReturnsFalse()) {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
IO.writeLine("Benign, fixed string");
} else {
/* FIX: Add a check to prevent an overflow from occurring */
if (data < Long.MAX_VALUE) {
long result = (long) (data + 1);
IO.writeLine("result: " + result);
} else {
IO.writeLine("data value is too large to perform addition.");
}
}
}
public void bad() throws Throwable {
long data;
if (IO.staticReturnsTrue()) {
/* POTENTIAL FLAW: Use the maximum size of the data type */
data = Long.MAX_VALUE;
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = 0L;
}
if (IO.staticReturnsTrue()) {
/* POTENTIAL FLAW: if data == Long.MAX_VALUE, this will overflow */
long result = (long) (data + 1);
IO.writeLine("result: " + result);
}
}
/* uses badsource and badsink */
public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
if (IO.staticReturnsTrue()) {
data = ""; /* Initialize data */
/* Read data from a database */
{
Connection connection = null;
PreparedStatement preparedStatement = null;
ResultSet resultSet = null;
try {
/* setup the connection */
connection = IO.getDBConnection();
/* prepare and execute a (hardcoded) query */
preparedStatement = connection.prepareStatement("select name from users where id=0");
resultSet = preparedStatement.executeQuery();
/* POTENTIAL FLAW: Read data from a database query resultset */
data = resultSet.getString(1);
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error with SQL statement", exceptSql);
} finally {
/* Close database objects */
try {
if (resultSet != null) {
resultSet.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing ResultSet", exceptSql);
}
try {
if (preparedStatement != null) {
preparedStatement.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql);
}
try {
if (connection != null) {
connection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
}
if (data != null) {
/* POTENTIAL FLAW: Display of data in web page without any encoding or validation */
response.getWriter().println("<br>bad(): data = " + data);
}
}
/* goodG2B2() - use goodsource and badsink by reversing statements in first if */
private void goodG2B2() throws Throwable {
float data;
if (IO.staticReturnsTrue()) {
/* FIX: Use a hardcoded number that won't a divide by zero */
data = 2.0f;
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = 0.0f;
}
if (IO.staticReturnsTrue()) {
/* POTENTIAL FLAW: Possibly modulo by zero */
int result = (int) (100.0 % data);
IO.writeLine(result);
}
}
/* goodG2B2() - use goodsource and badsink by reversing statements in first if */
private void goodG2B2() throws Throwable {
long data;
if (IO.staticReturnsTrue()) {
/* FIX: Use a hardcoded number that won't cause underflow, overflow, divide by zero, or loss-of-precision issues */
data = 2;
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = 0L;
}
if (IO.staticReturnsTrue()) {
/* POTENTIAL FLAW: if data == Long.MAX_VALUE, this will overflow */
long result = (long) (data + 1);
IO.writeLine("result: " + result);
}
}
/* goodG2B2() - use goodsource and badsink by reversing statements in first if */
private void goodG2B2(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
if (IO.staticReturnsTrue()) {
/* FIX: Use a hardcoded string */
data = "foo";
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
}
if (IO.staticReturnsTrue()) {
if (data != null) {
/* POTENTIAL FLAW: Input not verified before inclusion in header */
response.setHeader("Location", "/author.jsp?lang=" + data);
}
}
}
/* goodG2B2() - use goodsource and badsink by reversing statements in first if */
private void goodG2B2() throws Throwable {
String data;
if (IO.staticReturnsTrue()) {
/* FIX: Use a hardcoded string */
data = "foo";
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
}
if (IO.staticReturnsTrue()) {
if (data != null) {
/* POTENTIAL FLAW: uncontrolled string formatting */
System.out.format(data);
}
}
}
/* good2() reverses the bodies in the if statement */
private void good2() throws Throwable {
if (IO.staticReturnsTrue()) {
{
/* FIX: Check for null and do not dereference the object if it is null */
String myString = null;
if (myString == null) {
IO.writeLine("The string is null");
}
}
}
}
/* uses badsource and badsink */
public void bad() throws Throwable {
int data;
if (IO.staticReturnsTrue()) {
data = Integer.MIN_VALUE; /* Initialize data */
{
InputStreamReader readerInputStream = null;
BufferedReader readerBuffered = null;
/* read user input from console with readLine */
try {
readerInputStream = new InputStreamReader(System.in, "UTF-8");
readerBuffered = new BufferedReader(readerInputStream);
/* POTENTIAL FLAW: Read data from the console using readLine */
String stringNumber = readerBuffered.readLine();
if (stringNumber != null) // avoid NPD incidental warnings
{
try {
data = Integer.parseInt(stringNumber.trim());
} catch (NumberFormatException exceptNumberFormat) {
IO.logger.log(
Level.WARNING,
"Number format exception parsing data from string",
exceptNumberFormat);
}
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO);
} finally {
try {
if (readerBuffered != null) {
readerBuffered.close();
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error closing BufferedReader", exceptIO);
}
try {
if (readerInputStream != null) {
readerInputStream.close();
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error closing InputStreamReader", exceptIO);
}
}
}
/* NOTE: Tools may report a flaw here because readerBuffered and readerInputStream are not closed. Unfortunately, closing those will close System.in, which will cause any future attempts to read from the console to fail and throw an exception */
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = 0;
}
/* POTENTIAL FLAW: Create an ArrayList using data as the initial size. data may be very large, creating memory issues */
ArrayList intArrayList = new ArrayList(data);
}
public void bad() throws Throwable {
if (IO.staticReturnsTrue()) {
{
/* FLAW: Check for null, but still dereference the object */
String myString = null;
if (myString == null) {
IO.writeLine(myString.length());
}
}
}
}
public void bad() throws Throwable {
if (IO.staticReturnsTrue()) {
int x;
x = (new SecureRandom()).nextInt();
if (x == 0) {
IO.writeLine("Inside the else statement");
}
/* FLAW: An empty else statement has no effect */
else {
}
IO.writeLine("Hello from bad()");
}
}
/* goodG2B2() - use goodsource and badsink by reversing statements in if */
private void goodG2B2() throws Throwable {
int data;
if (IO.staticReturnsTrue()) {
/* FIX: Use a hardcoded number that won't cause underflow, overflow, divide by zero, or loss-of-precision issues */
data = 2;
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = 0;
}
/* POTENTIAL FLAW: Create a HashMap using data as the initial size. data may be very large, creating memory issues */
HashMap intHashMap = new HashMap(data);
}
/* uses badsource and badsink */
public void bad() throws Throwable {
int data;
if (IO.staticReturnsTrue()) {
/* FLAW: Set data to Integer.MAX_VALUE */
data = Integer.MAX_VALUE;
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = 0;
}
/* POTENTIAL FLAW: Create a HashMap using data as the initial size. data may be very large, creating memory issues */
HashMap intHashMap = new HashMap(data);
}
/* good2() reverses the bodies in the if statement */
private void good2() throws Throwable {
if (IO.staticReturnsTrue()) {
int x;
x = (new SecureRandom()).nextInt();
if (x == 0) {
IO.writeLine("Inside the if statement");
}
/* FIX: Do not include an empty else statement */
else {
IO.writeLine("Inside the else statement");
}
IO.writeLine("Hello from good()");
}
}
/* goodG2B2() - use goodsource and badsink by reversing statements in first if */
private void goodG2B2() throws Throwable {
int data;
if (IO.staticReturnsTrue()) {
/* FIX: Use a hardcoded number that won't cause underflow, overflow, divide by zero, or loss-of-precision issues */
data = 2;
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = 0;
}
if (IO.staticReturnsTrue()) {
/* Need to ensure that the array is of size > 3 and < 101 due to the GoodSource and the large_fixed BadSource */
int array[] = {0, 1, 2, 3, 4};
/* POTENTIAL FLAW: Verify that data >= 0, but don't verify that data < array.length, so may be attempting to read out of the array bounds */
if (data >= 0) {
IO.writeLine(array[data]);
} else {
IO.writeLine("Array index out of bounds");
}
}
}
/* goodG2B2() - use goodsource and badsink by reversing statements in if */
private void goodG2B2(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
if (IO.staticReturnsTrue()) {
/* FIX: Use a hardcoded string */
data = "foo";
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
}
if (data != null) {
/* POTENTIAL FLAW: Display of data in web page without any encoding or validation */
response.getWriter().println("<br>bad(): data = " + data);
}
}
/* goodG2B2() - use goodsource and badsink by reversing statements in if */
private void goodG2B2() throws Throwable {
int data;
if (IO.staticReturnsTrue()) {
/* FIX: Use a hardcoded number that won't cause underflow, overflow, divide by zero, or loss-of-precision issues */
data = 2;
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = 0;
}
{
/* POTENTIAL FLAW: Convert data to a byte, possibly causing a truncation error */
IO.writeLine((byte) data);
}
}
public void bad() throws Throwable {
if (IO.staticReturnsTrue()) {
String stringIntValue = "";
int x = (new SecureRandom()).nextInt(3);
switch (x) {
case 0:
stringIntValue = "0";
break;
case 1:
stringIntValue = "1";
break;
/* FLAW: x could be 2, and there is no 'default' case for that */
}
IO.writeLine(stringIntValue);
}
}
/* good2() reverses the bodies in the if statement */
private void good2() throws Throwable {
if (IO.staticReturnsTrue()) {
String stringIntValue = "";
int x = (new SecureRandom()).nextInt(3);
switch (x) {
case 0:
stringIntValue = "0";
break;
case 1:
stringIntValue = "1";
break;
/* FIX: Add a default case */
default:
stringIntValue = "2";
}
IO.writeLine(stringIntValue);
}
}
/* goodG2B2() - use goodsource and badsink by reversing statements in if */
private void goodG2B2(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
if (IO.staticReturnsTrue()) {
/* FIX: Use a hardcoded string */
data = "foo";
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
}
if (data != null) {
/* POTENTIAL FLAW: script code (e.g. id=<script>alert('xss')</script>) is sent to the client;
* The built-in J2EE server automatically does some HTML entity encoding.
* Therefore, to test this, change response.sendError to response.getWriter().println and remove the 404,
*/
response.sendError(404, "<br>bad() - Parameter name has value " + data);
}
}
