/* uses badsource and badsink - see how tools report flaws that don't always occur */ public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; if (IO.static_returns_t_or_f()) { Logger log_bad = Logger.getLogger("local-logger"); data = ""; /* init data */ /* retrieve the property */ Properties props = new Properties(); FileInputStream finstr = null; try { finstr = new FileInputStream("../common/config.properties"); props.load(finstr); data = props.getProperty("data"); } catch (IOException ioe) { log_bad.warning("Error with stream reading"); } finally { /* clean up stream reading objects */ try { if (finstr != null) { finstr.close(); } } catch (IOException ioe) { log_bad.warning("Error closing buffread"); } } } else { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; } Hashtable<String, String> env = new Hashtable<String, String>(); env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); env.put(Context.PROVIDER_URL, "ldap://localhost:389"); DirContext ctx = new InitialDirContext(env); String search = "(cn=" + data + ")"; /* POTENTIAL FLAW: unsanitized data from untrusted source */ NamingEnumeration<SearchResult> answer = ctx.search("", search, null); while (answer.hasMore()) { SearchResult sr = answer.next(); Attributes a = sr.getAttributes(); NamingEnumeration<?> attrs = a.getAll(); while (attrs.hasMore()) { Attribute attr = (Attribute) attrs.next(); NamingEnumeration<?> values = attr.getAll(); while (values.hasMore()) { response.getWriter().println(" Value: " + values.next().toString()); } } } }
/* goodG2B1() - use goodsource and badsink by changing IO.staticTrue to IO.staticFalse */ private void goodG2B1() throws Throwable { String data; if (IO.staticFalse) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run * but ensure data is inititialized before the Sink to avoid compiler errors */ data = null; } else { /* FIX: Use a hardcoded string */ data = "foo"; } Hashtable<String, String> environmentHashTable = new Hashtable<String, String>(); environmentHashTable.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); environmentHashTable.put(Context.PROVIDER_URL, "ldap://localhost:389"); DirContext directoryContext = null; try { directoryContext = new InitialDirContext(environmentHashTable); /* POTENTIAL FLAW: data concatenated into LDAP search, which could result in LDAP Injection */ String search = "(cn=" + data + ")"; NamingEnumeration<SearchResult> answer = directoryContext.search("", search, null); while (answer.hasMore()) { SearchResult searchResult = answer.next(); Attributes attributes = searchResult.getAttributes(); NamingEnumeration<?> allAttributes = attributes.getAll(); while (allAttributes.hasMore()) { Attribute attribute = (Attribute) allAttributes.next(); NamingEnumeration<?> allValues = attribute.getAll(); while (allValues.hasMore()) { IO.writeLine(" Value: " + allValues.next().toString()); } } } } catch (NamingException exceptNaming) { IO.logger.log(Level.WARNING, "The LDAP service was not found or login failed.", exceptNaming); } finally { if (directoryContext != null) { try { directoryContext.close(); } catch (NamingException exceptNaming) { IO.logger.log(Level.WARNING, "Error closing DirContext", exceptNaming); } } } }
public void bad() throws Throwable { String data; badPrivate = true; data = bad_source(); Hashtable<String, String> environmentHashTable = new Hashtable<String, String>(); environmentHashTable.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); environmentHashTable.put(Context.PROVIDER_URL, "ldap://localhost:389"); DirContext directoryContext = null; try { directoryContext = new InitialDirContext(environmentHashTable); /* POTENTIAL FLAW: data concatenated into LDAP search, which could result in LDAP Injection */ String search = "(cn=" + data + ")"; NamingEnumeration<SearchResult> answer = directoryContext.search("", search, null); while (answer.hasMore()) { SearchResult searchResult = answer.next(); Attributes attributes = searchResult.getAttributes(); NamingEnumeration<?> allAttributes = attributes.getAll(); while (allAttributes.hasMore()) { Attribute attribute = (Attribute) allAttributes.next(); NamingEnumeration<?> allValues = attribute.getAll(); while (allValues.hasMore()) { IO.writeLine(" Value: " + allValues.next().toString()); } } } } catch (NamingException exceptNaming) { IO.logger.log(Level.WARNING, "The LDAP service was not found or login failed.", exceptNaming); } finally { if (directoryContext != null) { try { directoryContext.close(); } catch (NamingException exceptNaming) { IO.logger.log(Level.WARNING, "Error closing DirContext", exceptNaming); } } } }
/* goodG2B() - use goodsource and badsink by changing the "if" so that both branches use the GoodSource */ private void goodG2B(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; if (IO.static_returns_t_or_f()) { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; } else { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; } Hashtable<String, String> env = new Hashtable<String, String>(); env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); env.put(Context.PROVIDER_URL, "ldap://localhost:389"); DirContext ctx = new InitialDirContext(env); String search = "(cn=" + data + ")"; /* POTENTIAL FLAW: unsanitized data from untrusted source */ NamingEnumeration<SearchResult> answer = ctx.search("", search, null); while (answer.hasMore()) { SearchResult sr = answer.next(); Attributes a = sr.getAttributes(); NamingEnumeration<?> attrs = a.getAll(); while (attrs.hasMore()) { Attribute attr = (Attribute) attrs.next(); NamingEnumeration<?> values = attr.getAll(); while (values.hasMore()) { response.getWriter().println(" Value: " + values.next().toString()); } } } }
/* uses badsource and badsink */ public void bad() throws Throwable { String data; if (IO.staticTrue) { data = ""; /* Initialize data */ /* Read data using a listening tcp connection */ { ServerSocket listener = null; Socket socket = null; BufferedReader readerBuffered = null; InputStreamReader readerInputStream = null; /* Read data using a listening tcp connection */ try { listener = new ServerSocket(39543); socket = listener.accept(); /* read input from socket */ readerInputStream = new InputStreamReader(socket.getInputStream(), "UTF-8"); readerBuffered = new BufferedReader(readerInputStream); /* POTENTIAL FLAW: Read data using a listening tcp connection */ data = readerBuffered.readLine(); } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO); } finally { /* Close stream reading objects */ try { if (readerBuffered != null) { readerBuffered.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing BufferedReader", exceptIO); } try { if (readerInputStream != null) { readerInputStream.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing InputStreamReader", exceptIO); } /* Close socket objects */ try { if (socket != null) { socket.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing Socket", exceptIO); } try { if (listener != null) { listener.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing ServerSocket", exceptIO); } } } } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run * but ensure data is inititialized before the Sink to avoid compiler errors */ data = null; } Hashtable<String, String> environmentHashTable = new Hashtable<String, String>(); environmentHashTable.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); environmentHashTable.put(Context.PROVIDER_URL, "ldap://localhost:389"); DirContext directoryContext = null; try { directoryContext = new InitialDirContext(environmentHashTable); /* POTENTIAL FLAW: data concatenated into LDAP search, which could result in LDAP Injection */ String search = "(cn=" + data + ")"; NamingEnumeration<SearchResult> answer = directoryContext.search("", search, null); while (answer.hasMore()) { SearchResult searchResult = answer.next(); Attributes attributes = searchResult.getAttributes(); NamingEnumeration<?> allAttributes = attributes.getAll(); while (allAttributes.hasMore()) { Attribute attribute = (Attribute) allAttributes.next(); NamingEnumeration<?> allValues = attribute.getAll(); while (allValues.hasMore()) { IO.writeLine(" Value: " + allValues.next().toString()); } } } } catch (NamingException exceptNaming) { IO.logger.log(Level.WARNING, "The LDAP service was not found or login failed.", exceptNaming); } finally { if (directoryContext != null) { try { directoryContext.close(); } catch (NamingException exceptNaming) { IO.logger.log(Level.WARNING, "Error closing DirContext", exceptNaming); } } } }