/* goodG2B2() - use goodsource and badsink by reversing statements in if */ private void goodG2B2(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; if (IO.static_final_t) { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ Logger log_bad = Logger.getLogger("local-logger"); /* read parameter from cookie */ Cookie cookieSources[] = request.getCookies(); if (cookieSources != null) { data = cookieSources[0].getValue(); } else { data = null; } } String root = "C:\\uploads\\"; /* POTENTIAL FLAW: no validation of concatenated value */ File fIn = new File(root + data); if (fIn.exists() && fIn.isFile()) { IO.writeLine(new BufferedReader(new FileReader(fIn)).readLine()); } }
/* use badsource and badsink */ public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data = bad_source(request, response); /* POTENTIAL FLAW: unvalidated or sandboxed value */ File fIn = new File(data); if (fIn.exists() && fIn.isFile()) { IO.writeLine(new BufferedReader(new FileReader(fIn)).readLine()); } }
/* uses badsource and badsink */ public void bad() throws Throwable { String data; /* get environment variable ADD */ /* POTENTIAL FLAW: Read data from an environment variable */ data = System.getenv("ADD"); String root; if (System.getProperty("os.name").toLowerCase().indexOf("win") >= 0) { /* running on Windows */ root = "C:\\uploads\\"; } else { /* running on non-Windows */ root = "/home/user/uploads/"; } if (data != null) { /* POTENTIAL FLAW: no validation of concatenated value */ File file = new File(root + data); FileInputStream streamFileInputSink = null; InputStreamReader readerInputStreamSink = null; BufferedReader readerBufferdSink = null; if (file.exists() && file.isFile()) { try { streamFileInputSink = new FileInputStream(file); readerInputStreamSink = new InputStreamReader(streamFileInputSink, "UTF-8"); readerBufferdSink = new BufferedReader(readerInputStreamSink); IO.writeLine(readerBufferdSink.readLine()); } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO); } finally { /* Close stream reading objects */ try { if (readerBufferdSink != null) { readerBufferdSink.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing BufferedReader", exceptIO); } try { if (readerInputStreamSink != null) { readerInputStreamSink.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing InputStreamReader", exceptIO); } try { if (streamFileInputSink != null) { streamFileInputSink.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing FileInputStream", exceptIO); } } } } }
/* goodG2B() - use goodsource and badsink */ public void goodG2B_sink(String data) throws Throwable { /* POTENTIAL FLAW: unvalidated or sandboxed value */ File fIn = new File(data); if (fIn.exists() && fIn.isFile()) { IO.writeLine(new BufferedReader(new FileReader(fIn)).readLine()); } }
/* goodG2B() - use goodsource and badsink */ public void goodG2B_sink(String data) throws Throwable { String root = "C:\\uploads\\"; /* POTENTIAL FLAW: no validation of concatenated value */ File fIn = new File(root + data); if (fIn.exists() && fIn.isFile()) { IO.writeLine(new BufferedReader(new FileReader(fIn)).readLine()); } }
/* goodG2B1() - use goodsource and badsink by changing 5==5 to 5!=5 */ private void goodG2B1() throws Throwable { String data; if (5 != 5) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run * but ensure data is inititialized before the Sink to avoid compiler errors */ data = null; } else { /* FIX: Use a hardcoded string */ data = "foo"; } /* POTENTIAL FLAW: unvalidated or sandboxed value */ if (data != null) { File file = new File(data); FileInputStream streamFileInputSink = null; InputStreamReader readerInputStreamSink = null; BufferedReader readerBufferdSink = null; if (file.exists() && file.isFile()) { try { streamFileInputSink = new FileInputStream(file); readerInputStreamSink = new InputStreamReader(streamFileInputSink, "UTF-8"); readerBufferdSink = new BufferedReader(readerInputStreamSink); IO.writeLine(readerBufferdSink.readLine()); } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO); } finally { /* Close stream reading objects */ try { if (readerBufferdSink != null) { readerBufferdSink.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing BufferedReader", exceptIO); } try { if (readerInputStreamSink != null) { readerInputStreamSink.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing InputStreamReader", exceptIO); } try { if (streamFileInputSink != null) { streamFileInputSink.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing FileInputStream", exceptIO); } } } } }
/* uses badsource and badsink */ public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; if (privateTrue) { /* POTENTIAL FLAW: Read data from a querystring using getParameter */ data = request.getParameter("name"); } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run * but ensure data is inititialized before the Sink to avoid compiler errors */ data = null; } /* POTENTIAL FLAW: unvalidated or sandboxed value */ if (data != null) { File file = new File(data); FileInputStream streamFileInputSink = null; InputStreamReader readerInputStreamSink = null; BufferedReader readerBufferdSink = null; if (file.exists() && file.isFile()) { try { streamFileInputSink = new FileInputStream(file); readerInputStreamSink = new InputStreamReader(streamFileInputSink, "UTF-8"); readerBufferdSink = new BufferedReader(readerInputStreamSink); IO.writeLine(readerBufferdSink.readLine()); } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO); } finally { /* Close stream reading objects */ try { if (readerBufferdSink != null) { readerBufferdSink.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing BufferedReader", exceptIO); } try { if (readerInputStreamSink != null) { readerInputStreamSink.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing InputStreamReader", exceptIO); } try { if (streamFileInputSink != null) { streamFileInputSink.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing FileInputStream", exceptIO); } } } } }
private Map loadUserSettingsMap(String username) { Properties props = new Properties(); File userFile = new File(users, username + "_settings.properties"); if (!userFile.isFile()) return props; try { props.load(new FileInputStream(userFile)); } catch (FileNotFoundException e) { e.printStackTrace(); } catch (IOException e) { e.printStackTrace(); } return props; }
/** * Write a file to the response stream. Handles Range requests. * * @param servlet called from here * @param req the request * @param res the response * @param file to serve * @param contentType content type, if null, will try to guess * @throws IOException on write error */ public static void returnFile( HttpServlet servlet, HttpServletRequest req, HttpServletResponse res, File file, String contentType) throws IOException { // No file, nothing to view if (file == null) { log.info( "returnFile(): " + UsageLog.closingMessageForRequestContext(HttpServletResponse.SC_NOT_FOUND, 0)); res.sendError(HttpServletResponse.SC_NOT_FOUND); return; } // check that it exists if (!file.exists()) { log.info( "returnFile(): " + UsageLog.closingMessageForRequestContext(HttpServletResponse.SC_NOT_FOUND, 0)); res.sendError(HttpServletResponse.SC_NOT_FOUND); return; } // not a directory if (!file.isFile()) { log.info( "returnFile(): " + UsageLog.closingMessageForRequestContext(HttpServletResponse.SC_BAD_REQUEST, 0)); res.sendError(HttpServletResponse.SC_BAD_REQUEST); return; } // Set the type of the file String filename = file.getPath(); if (null == contentType) { if (filename.endsWith(".html")) contentType = "text/html; charset=iso-8859-1"; else if (filename.endsWith(".xml")) contentType = "text/xml; charset=iso-8859-1"; else if (filename.endsWith(".txt") || (filename.endsWith(".log"))) contentType = CONTENT_TEXT; else if (filename.indexOf(".log.") > 0) contentType = CONTENT_TEXT; else if (filename.endsWith(".nc")) contentType = "application/x-netcdf"; else contentType = servlet.getServletContext().getMimeType(filename); if (contentType == null) contentType = "application/octet-stream"; } returnFile(req, res, file, contentType); }
/* goodG2B() - use goodsource and badsink */ public void goodG2BSink(String dataArray[]) throws Throwable { String data = dataArray[2]; /* POTENTIAL FLAW: unvalidated or sandboxed value */ if (data != null) { File file = new File(data); FileInputStream streamFileInputSink = null; InputStreamReader readerInputStreamSink = null; BufferedReader readerBufferdSink = null; if (file.exists() && file.isFile()) { try { streamFileInputSink = new FileInputStream(file); readerInputStreamSink = new InputStreamReader(streamFileInputSink, "UTF-8"); readerBufferdSink = new BufferedReader(readerInputStreamSink); IO.writeLine(readerBufferdSink.readLine()); } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO); } finally { /* Close stream reading objects */ try { if (readerBufferdSink != null) { readerBufferdSink.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing BufferedReader", exceptIO); } try { if (readerInputStreamSink != null) { readerInputStreamSink.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing InputStreamReader", exceptIO); } try { if (streamFileInputSink != null) { streamFileInputSink.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing FileInputStream", exceptIO); } } } } }
/* goodG2B() - use goodsource and badsink by changing the "if" so that both branches use the GoodSource */ private void goodG2B() throws Throwable { String data; if (IO.static_returns_t_or_f()) { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; } else { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; } /* POTENTIAL FLAW: unvalidated or sandboxed value */ File fIn = new File(data); if (fIn.exists() && fIn.isFile()) { IO.writeLine(new BufferedReader(new FileReader(fIn)).readLine()); } }
/* goodG2B2() - use goodsource and badsink by reversing statements in if */ private void goodG2B2() throws Throwable { String data; if (IO.static_five == 5) { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ Logger log_bad = Logger.getLogger("local-logger"); data = ""; /* init data */ /* retrieve the property */ Properties props = new Properties(); FileInputStream finstr = null; try { finstr = new FileInputStream("../common/config.properties"); props.load(finstr); data = props.getProperty("data"); } catch (IOException ioe) { log_bad.warning("Error with stream reading"); } finally { /* clean up stream reading objects */ try { if (finstr != null) { finstr.close(); } } catch (IOException ioe) { log_bad.warning("Error closing buffread"); } } } /* POTENTIAL FLAW: unvalidated or sandboxed value */ File fIn = new File(data); if (fIn.exists() && fIn.isFile()) { IO.writeLine(new BufferedReader(new FileReader(fIn)).readLine()); } }
/* goodG2B1() - use goodsource and badsink by changing 5==5 to 5!=5 */ private void goodG2B1(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; if (5 != 5) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ Logger log_bad = Logger.getLogger("local-logger"); /* read parameter from request */ data = request.getParameter("name"); } else { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; } String root = "C:\\uploads\\"; /* POTENTIAL FLAW: no validation of concatenated value */ File fIn = new File(root + data); if (fIn.exists() && fIn.isFile()) { IO.writeLine(new BufferedReader(new FileReader(fIn)).readLine()); } }
// ***************************************************** // Process the initial request from Proshop_main // ***************************************************** // @SuppressWarnings("deprecation") public void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { // // Prevent caching so sessions are not mangled // resp.setHeader("Pragma", "no-cache"); // for HTTP 1.0 resp.setHeader("Cache-Control", "no-store, no-cache, must-revalidate"); // for HTTP 1.1 resp.setDateHeader("Expires", 0); // prevents caching at the proxy server resp.setContentType("text/html"); PrintWriter out = resp.getWriter(); HttpSession session = SystemUtils.verifyPro(req, out); // check for intruder if (session == null) { return; } String club = (String) session.getAttribute("club"); // get club name String templott = (String) session.getAttribute("lottery"); // get lottery support indicator int lottery = Integer.parseInt(templott); // // Call is to display the new features page. // // Display a page to provide a link to the new feature page // out.println("<html><head>"); out.println("<meta http-equiv=\"Content-Type\" content=\"text/html; charset=windows-1252\">"); out.println("<meta http-equiv=\"Content-Language\" content=\"en-us\">"); out.println("<title> \"ForeTees Proshop Announcement Page\"</title>"); // out.println("<link rel=\"stylesheet\" href=\"/" +rev+ "/web utilities/foretees.css\" // type=\"text/css\"></link>"); out.println( "<script language=\"JavaScript\" src=\"/" + rev + "/web utilities/foretees.js\"></script>"); out.println("</head>"); out.println("<body bgcolor=\"#FFFFFF\" text=\"#000000\">"); SystemUtils.getProshopSubMenu(req, out, lottery); File f; FileReader fr; BufferedReader br; String tmp = ""; String path = ""; try { path = req.getRealPath(""); tmp = "/proshop_features.htm"; // "/" +rev+ f = new File(path + tmp); fr = new FileReader(f); br = new BufferedReader(fr); if (!f.isFile()) { // do nothing } } catch (FileNotFoundException e) { out.println("<br><br><p align=center>Missing New Features Page.</p>"); out.println("</BODY></HTML>"); out.close(); return; } catch (SecurityException se) { out.println("<br><br><p align=center>Access Denied.</p>"); out.println("</BODY></HTML>"); out.close(); return; } while ((tmp = br.readLine()) != null) out.println(tmp); br.close(); out.println("</BODY></HTML>"); out.close(); } // end of doGet
/* uses badsource and badsink - see how tools report flaws that don't always occur */ public void bad() throws Throwable { String data; if (IO.static_returns_t_or_f()) { Logger log_bad = Logger.getLogger("local-logger"); data = ""; /* init data */ /* Read data using a listening tcp connection */ ServerSocket listener = null; Socket sock = null; BufferedReader buffread = null; InputStreamReader instrread = null; try { /* read input from socket */ listener = new ServerSocket(39543); sock = listener.accept(); instrread = new InputStreamReader(sock.getInputStream()); buffread = new BufferedReader(instrread); data = buffread.readLine(); } catch (IOException ioe) { log_bad.warning("Error with stream reading"); } finally { /* clean up stream reading objects */ try { if (buffread != null) { buffread.close(); } } catch (IOException ioe) { log_bad.warning("Error closing buffread"); } finally { try { if (instrread != null) { instrread.close(); } } catch (IOException ioe) { log_bad.warning("Error closing instrread"); } } /* clean up socket objects */ try { if (sock != null) { sock.close(); } } catch (IOException e) { log_bad.warning("Error closing sock"); } finally { try { if (listener != null) { listener.close(); } } catch (IOException e) { log_bad.warning("Error closing listener"); } } } } else { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; } /* POTENTIAL FLAW: unvalidated or sandboxed value */ File fIn = new File(data); if (fIn.exists() && fIn.isFile()) { IO.writeLine(new BufferedReader(new FileReader(fIn)).readLine()); } }
/* goodG2B1() - use goodsource and badsink by changing PRIVATE_STATIC_FINAL_TRUE to PRIVATE_STATIC_FINAL_FALSE */ private void goodG2B1() throws Throwable { String data; if (PRIVATE_STATIC_FINAL_FALSE) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run * but ensure data is inititialized before the Sink to avoid compiler errors */ data = null; } else { /* FIX: Use a hardcoded string */ data = "foo"; } String root; if (System.getProperty("os.name").toLowerCase().indexOf("win") >= 0) { /* running on Windows */ root = "C:\\uploads\\"; } else { /* running on non-Windows */ root = "/home/user/uploads/"; } if (data != null) { /* POTENTIAL FLAW: no validation of concatenated value */ File file = new File(root + data); FileInputStream streamFileInputSink = null; InputStreamReader readerInputStreamSink = null; BufferedReader readerBufferdSink = null; if (file.exists() && file.isFile()) { try { streamFileInputSink = new FileInputStream(file); readerInputStreamSink = new InputStreamReader(streamFileInputSink, "UTF-8"); readerBufferdSink = new BufferedReader(readerInputStreamSink); IO.writeLine(readerBufferdSink.readLine()); } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO); } finally { /* Close stream reading objects */ try { if (readerBufferdSink != null) { readerBufferdSink.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing BufferedReader", exceptIO); } try { if (readerInputStreamSink != null) { readerInputStreamSink.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing InputStreamReader", exceptIO); } try { if (streamFileInputSink != null) { streamFileInputSink.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing FileInputStream", exceptIO); } } } } }
/* uses badsource and badsink */ public void bad() throws Throwable { String data; if (5 == 5) { data = ""; /* Initialize data */ /* Read data using an outbound tcp connection */ { Socket socket = null; BufferedReader readerBuffered = null; InputStreamReader readerInputStream = null; try { /* Read data using an outbound tcp connection */ socket = new Socket("host.example.org", 39544); /* read input from socket */ readerInputStream = new InputStreamReader(socket.getInputStream(), "UTF-8"); readerBuffered = new BufferedReader(readerInputStream); /* POTENTIAL FLAW: Read data using an outbound tcp connection */ data = readerBuffered.readLine(); } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO); } finally { /* clean up stream reading objects */ try { if (readerBuffered != null) { readerBuffered.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing BufferedReader", exceptIO); } try { if (readerInputStream != null) { readerInputStream.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing InputStreamReader", exceptIO); } /* clean up socket objects */ try { if (socket != null) { socket.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing Socket", exceptIO); } } } } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run * but ensure data is inititialized before the Sink to avoid compiler errors */ data = null; } /* POTENTIAL FLAW: unvalidated or sandboxed value */ if (data != null) { File file = new File(data); FileInputStream streamFileInputSink = null; InputStreamReader readerInputStreamSink = null; BufferedReader readerBufferdSink = null; if (file.exists() && file.isFile()) { try { streamFileInputSink = new FileInputStream(file); readerInputStreamSink = new InputStreamReader(streamFileInputSink, "UTF-8"); readerBufferdSink = new BufferedReader(readerInputStreamSink); IO.writeLine(readerBufferdSink.readLine()); } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO); } finally { /* Close stream reading objects */ try { if (readerBufferdSink != null) { readerBufferdSink.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing BufferedReader", exceptIO); } try { if (readerInputStreamSink != null) { readerInputStreamSink.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing InputStreamReader", exceptIO); } try { if (streamFileInputSink != null) { streamFileInputSink.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing FileInputStream", exceptIO); } } } } }
/* uses badsource and badsink */ public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; if (privateReturnsTrue()) { /* POTENTIAL FLAW: Read data from a querystring using getParameter */ data = request.getParameter("name"); } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run * but ensure data is inititialized before the Sink to avoid compiler errors */ data = null; } String root; if (System.getProperty("os.name").toLowerCase().indexOf("win") >= 0) { /* running on Windows */ root = "C:\\uploads\\"; } else { /* running on non-Windows */ root = "/home/user/uploads/"; } if (data != null) { /* POTENTIAL FLAW: no validation of concatenated value */ File file = new File(root + data); FileInputStream streamFileInputSink = null; InputStreamReader readerInputStreamSink = null; BufferedReader readerBufferdSink = null; if (file.exists() && file.isFile()) { try { streamFileInputSink = new FileInputStream(file); readerInputStreamSink = new InputStreamReader(streamFileInputSink, "UTF-8"); readerBufferdSink = new BufferedReader(readerInputStreamSink); IO.writeLine(readerBufferdSink.readLine()); } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO); } finally { /* Close stream reading objects */ try { if (readerBufferdSink != null) { readerBufferdSink.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing BufferedReader", exceptIO); } try { if (readerInputStreamSink != null) { readerInputStreamSink.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing InputStreamReader", exceptIO); } try { if (streamFileInputSink != null) { streamFileInputSink.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing FileInputStream", exceptIO); } } } } }
/* uses badsource and badsink - see how tools report flaws that don't always occur */ public void bad() throws Throwable { String data; if (IO.staticReturnsTrueOrFalse()) { data = ""; /* Initialize data */ /* Read data from a database */ { Connection connection = null; PreparedStatement preparedStatement = null; ResultSet resultSet = null; try { /* setup the connection */ connection = IO.getDBConnection(); /* prepare and execute a (hardcoded) query */ preparedStatement = connection.prepareStatement("select name from users where id=0"); resultSet = preparedStatement.executeQuery(); /* POTENTIAL FLAW: Read data from a database query resultset */ data = resultSet.getString(1); } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error with SQL statement", exceptSql); } finally { /* Close database objects */ try { if (resultSet != null) { resultSet.close(); } } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error closing ResultSet", exceptSql); } try { if (preparedStatement != null) { preparedStatement.close(); } } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql); } try { if (connection != null) { connection.close(); } } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql); } } } } else { /* FIX: Use a hardcoded string */ data = "foo"; } String root; if (System.getProperty("os.name").toLowerCase().indexOf("win") >= 0) { /* running on Windows */ root = "C:\\uploads\\"; } else { /* running on non-Windows */ root = "/home/user/uploads/"; } if (data != null) { /* POTENTIAL FLAW: no validation of concatenated value */ File file = new File(root + data); FileInputStream streamFileInputSink = null; InputStreamReader readerInputStreamSink = null; BufferedReader readerBufferdSink = null; if (file.exists() && file.isFile()) { try { streamFileInputSink = new FileInputStream(file); readerInputStreamSink = new InputStreamReader(streamFileInputSink, "UTF-8"); readerBufferdSink = new BufferedReader(readerInputStreamSink); IO.writeLine(readerBufferdSink.readLine()); } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO); } finally { /* Close stream reading objects */ try { if (readerBufferdSink != null) { readerBufferdSink.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing BufferedReader", exceptIO); } try { if (readerInputStreamSink != null) { readerInputStreamSink.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing InputStreamReader", exceptIO); } try { if (streamFileInputSink != null) { streamFileInputSink.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing FileInputStream", exceptIO); } } } } }
/* goodG2B() - use goodsource and badsink by changing the "if" so that * both branches use the GoodSource */ private void goodG2B() throws Throwable { String data; if (IO.staticReturnsTrueOrFalse()) { /* FIX: Use a hardcoded string */ data = "foo"; } else { /* FIX: Use a hardcoded string */ data = "foo"; } String root; if (System.getProperty("os.name").toLowerCase().indexOf("win") >= 0) { /* running on Windows */ root = "C:\\uploads\\"; } else { /* running on non-Windows */ root = "/home/user/uploads/"; } if (data != null) { /* POTENTIAL FLAW: no validation of concatenated value */ File file = new File(root + data); FileInputStream streamFileInputSink = null; InputStreamReader readerInputStreamSink = null; BufferedReader readerBufferdSink = null; if (file.exists() && file.isFile()) { try { streamFileInputSink = new FileInputStream(file); readerInputStreamSink = new InputStreamReader(streamFileInputSink, "UTF-8"); readerBufferdSink = new BufferedReader(readerInputStreamSink); IO.writeLine(readerBufferdSink.readLine()); } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO); } finally { /* Close stream reading objects */ try { if (readerBufferdSink != null) { readerBufferdSink.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing BufferedReader", exceptIO); } try { if (readerInputStreamSink != null) { readerInputStreamSink.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing InputStreamReader", exceptIO); } try { if (streamFileInputSink != null) { streamFileInputSink.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing FileInputStream", exceptIO); } } } } }
/* uses badsource and badsink */ public void bad() throws Throwable { String data; /* We need to have one source outside of a for loop in order to prevent the Java compiler from generating an error because data is uninitialized */ Logger log_bad = Logger.getLogger("local-logger"); data = ""; /* init data */ Connection conn = null; PreparedStatement statement = null; ResultSet rs = null; BufferedReader buffread = null; InputStreamReader instrread = null; try { /* setup the connection */ conn = IO.getDBConnection(); /* prepare the query */ statement = conn.prepareStatement("select name from users where id=?"); /* get user input for the userid */ IO.writeLine("Enter a userid to login as (number): "); instrread = new InputStreamReader(System.in); buffread = new BufferedReader(instrread); int num = Integer.parseInt(buffread.readLine()); statement.setInt(1, num); rs = statement.executeQuery(); data = rs.getString(1); } catch (IOException ioe) { log_bad.warning("Error with stream reading"); } finally { /* clean up stream reading objects */ try { if (buffread != null) { buffread.close(); } } catch (IOException ioe) { log_bad.warning("Error closing buffread"); } finally { try { if (instrread != null) { instrread.close(); } } catch (IOException ioe) { log_bad.warning("Error closing instrread"); } } /* clean up database objects */ try { if (rs != null) { rs.close(); } } catch (SQLException se) { log_bad.warning("Error closing rs"); } finally { try { if (statement != null) { statement.close(); } } catch (SQLException se) { log_bad.warning("Error closing statement"); } finally { try { if (conn != null) { conn.close(); } } catch (SQLException se) { log_bad.warning("Error closing conn"); } } } } for (int for_index_i = 0; for_index_i < 0; for_index_i++) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; } /* POTENTIAL FLAW: unvalidated or sandboxed value */ File fIn = new File(data); if (fIn.exists() && fIn.isFile()) { IO.writeLine(new BufferedReader(new FileReader(fIn)).readLine()); } }
/* uses badsource and badsink - see how tools report flaws that don't always occur */ public void bad() throws Throwable { String data; if (IO.static_returns_t_or_f()) { Logger log_bad = Logger.getLogger("local-logger"); data = ""; /* init data */ Connection conn = null; PreparedStatement statement = null; ResultSet rs = null; BufferedReader buffread = null; InputStreamReader instrread = null; try { /* setup the connection */ conn = IO.getDBConnection(); /* prepare the query */ statement = conn.prepareStatement("select name from users where id=?"); /* get user input for the userid */ IO.writeLine("Enter a userid to login as (number): "); instrread = new InputStreamReader(System.in); buffread = new BufferedReader(instrread); int num = Integer.parseInt(buffread.readLine()); statement.setInt(1, num); rs = statement.executeQuery(); data = rs.getString(1); } catch (IOException ioe) { log_bad.warning("Error with stream reading"); } finally { /* clean up stream reading objects */ try { if (buffread != null) { buffread.close(); } } catch (IOException ioe) { log_bad.warning("Error closing buffread"); } finally { try { if (instrread != null) { instrread.close(); } } catch (IOException ioe) { log_bad.warning("Error closing instrread"); } } /* clean up database objects */ try { if (rs != null) { rs.close(); } } catch (SQLException se) { log_bad.warning("Error closing rs"); } finally { try { if (statement != null) { statement.close(); } } catch (SQLException se) { log_bad.warning("Error closing statement"); } finally { try { if (conn != null) { conn.close(); } } catch (SQLException se) { log_bad.warning("Error closing conn"); } } } } } else { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; } String root = "C:\\uploads\\"; /* POTENTIAL FLAW: no validation of concatenated value */ File fIn = new File(root + data); if (fIn.exists() && fIn.isFile()) { IO.writeLine(new BufferedReader(new FileReader(fIn)).readLine()); } }