/* goodG2B2() - use goodsource and badsink by reversing statements in if */
private void goodG2B2() throws Throwable {
String data;
if (IO.static_returns_t()) {
java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger");
/* FIX: Use a hardcoded string */
data = "foo";
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
Logger log_bad = Logger.getLogger("local-logger");
data = ""; /* init data */
File f = new File("C:\\data.txt");
BufferedReader buffread = null;
FileReader fread = null;
try {
/* read string from file into data */
fread = new FileReader(f);
buffread = new BufferedReader(fread);
data = buffread.readLine(); // This will be reading the first "line" of the file, which
// could be very long if there are little or no newlines in the file\
} catch (IOException ioe) {
log_bad.warning("Error with stream reading");
} catch (NumberFormatException nfe) {
log_bad.warning("Error with number parsing");
} finally {
/* clean up stream reading objects */
try {
if (buffread != null) {
buffread.close();
}
} catch (IOException ioe) {
log_bad.warning("Error closing buffread");
} finally {
try {
if (fread != null) {
fread.close();
}
} catch (IOException ioe) {
log_bad.warning("Error closing fread");
}
}
}
}
String osCommand;
if (System.getProperty("os.name").toLowerCase().indexOf("win") >= 0) {
/* running on Windows */
osCommand = "c:\\WINDOWS\\SYSTEM32\\cmd.exe /c dir ";
} else {
/* running on non-Windows */
osCommand = "/bin/ls ";
}
/* POTENTIAL FLAW: command injection */
Process p = Runtime.getRuntime().exec(osCommand + data);
p.waitFor();
}
/* good2() reverses the bodies in the if statement */
private void good2(HttpServletRequest request, HttpServletResponse response) throws Throwable {
if (IO.static_returns_t()) {
Logger tcLog = Logger.getLogger("cwe_testcases_logger");
if (request.getParameter("username") == null) {
return;
}
String username = request.getParameter("username");
if (username.matches("[a-zA-Z0-9]*")) {
HttpSession session = request.getSession(true);
/* FIX: logged message does not contain session id */
tcLog.log(Level.FINEST, "Username: "******" Session ID:" + session.getId());
} else {
response.getWriter().println("Invalid characters");
}
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
Logger tcLog = Logger.getLogger("cwe_testcases_logger");
if (request.getParameter("username") == null) {
return;
}
String username = request.getParameter("username");
if (username.matches("[a-zA-Z0-9]*")) {
HttpSession session = request.getSession(true);
/* FLAW: leak session ID to debug log */
tcLog.log(Level.FINEST, "Username: "******" Session ID:" + session.getId());
} else {
response.getWriter().println("Invalid characters");
}
}
}
/* good2() reverses the bodies in the if statement */
private void good2() throws Throwable {
if (IO.static_returns_t()) {
/* FIX: use SecureRandom to be cryptographically secure */
SecureRandom rand = new SecureRandom();
IO.writeLine("Random int: " + rand.nextInt(100));
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
Random rand = new Random();
/* FLAW: seed is static, making the numbers always occur in the same sequence */
rand.setSeed(123456);
IO.writeLine("Random int: " + rand.nextInt(100));
}
}
/* goodB2G2() - use badsource and goodsink by reversing statements in second if */
private void goodB2G2() throws Throwable {
String data;
if (IO.static_returns_t()) {
Logger log_bad = Logger.getLogger("local-logger");
data = ""; /* init data */
/* Read data using a listening tcp connection */
ServerSocket listener = null;
Socket sock = null;
BufferedReader buffread = null;
InputStreamReader instrread = null;
try {
/* read input from socket */
listener = new ServerSocket(39543);
sock = listener.accept();
instrread = new InputStreamReader(sock.getInputStream());
buffread = new BufferedReader(instrread);
data = buffread.readLine();
} catch (IOException ioe) {
log_bad.warning("Error with stream reading");
} finally {
/* clean up stream reading objects */
try {
if (buffread != null) {
buffread.close();
}
} catch (IOException ioe) {
log_bad.warning("Error closing buffread");
} finally {
try {
if (instrread != null) {
instrread.close();
}
} catch (IOException ioe) {
log_bad.warning("Error closing instrread");
}
}
/* clean up socket objects */
try {
if (sock != null) {
sock.close();
}
} catch (IOException e) {
log_bad.warning("Error closing sock");
} finally {
try {
if (listener != null) {
listener.close();
}
} catch (IOException e) {
log_bad.warning("Error closing listener");
}
}
}
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger");
/* FIX: Use a hardcoded string */
data = "foo";
}
if (IO.static_returns_t()) {
Logger log2 = Logger.getLogger("local-logger");
Connection conn_tmp2 = null;
PreparedStatement sqlstatement = null;
try {
/* FIX: use prepared sqlstatements */
conn_tmp2 = IO.getDBConnection();
sqlstatement =
conn_tmp2.prepareStatement(
"insert into users (status) values ('updated') where name=?");
sqlstatement.setString(1, data);
Boolean bResult = sqlstatement.execute();
if (bResult) {
IO.writeString("Name, " + data + ", updated successfully");
} else {
IO.writeString("Unable to update records for user: "******"Error getting database connection");
} finally {
try {
if (sqlstatement != null) {
sqlstatement.close();
}
} catch (SQLException e) {
log2.warning("Error closing sqlstatement");
} finally {
try {
if (conn_tmp2 != null) {
conn_tmp2.close();
}
} catch (SQLException e) {
log2.warning("Error closing conn_tmp2");
}
}
}
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
Logger log2 = Logger.getLogger("local-logger");
Connection conn_tmp2 = null;
Statement sqlstatement = null;
try {
conn_tmp2 = IO.getDBConnection();
sqlstatement = conn_tmp2.createStatement();
/* POTENTIAL FLAW: value of "name" taken directly from an untrusted source and inserted into a command string executed against a SQL interpreter */
Boolean bResult =
sqlstatement.execute(
"insert into users (status) values ('updated') where name='" + data + "'");
if (bResult) {
IO.writeString("Name, " + data + ", updated successfully");
} else {
IO.writeString("Unable to update records for user: "******"Error getting database connection");
} finally {
try {
if (sqlstatement != null) {
sqlstatement.close();
}
} catch (SQLException e) {
log2.warning("Error closing sqlstatement");
} finally {
try {
if (conn_tmp2 != null) {
conn_tmp2.close();
}
} catch (SQLException e) {
log2.warning("Error closing conn_tmp2");
}
}
}
}
}
/* goodB2G2() - use badsource and goodsink by reversing statements in second if */
private void goodB2G2(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
if (IO.static_returns_t()) {
Logger log_bad = Logger.getLogger("local-logger");
data = ""; /* init data */
Connection conn = null;
PreparedStatement statement = null;
ResultSet rs = null;
BufferedReader buffread = null;
InputStreamReader instrread = null;
try {
/* setup the connection */
conn = IO.getDBConnection();
/* prepare the query */
statement = conn.prepareStatement("select name from users where id=?");
/* get user input for the userid */
IO.writeLine("Enter a userid to login as (number): ");
instrread = new InputStreamReader(System.in);
buffread = new BufferedReader(instrread);
int num = Integer.parseInt(buffread.readLine());
statement.setInt(1, num);
rs = statement.executeQuery();
data = rs.getString(1);
} catch (IOException ioe) {
log_bad.warning("Error with stream reading");
} finally {
/* clean up stream reading objects */
try {
if (buffread != null) {
buffread.close();
}
} catch (IOException ioe) {
log_bad.warning("Error closing buffread");
} finally {
try {
if (instrread != null) {
instrread.close();
}
} catch (IOException ioe) {
log_bad.warning("Error closing instrread");
}
}
/* clean up database objects */
try {
if (rs != null) {
rs.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing rs");
} finally {
try {
if (statement != null) {
statement.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing statement");
} finally {
try {
if (conn != null) {
conn.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing conn");
}
}
}
}
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger");
/* FIX: Use a hardcoded string */
data = "foo";
}
if (IO.static_returns_t()) {
/* FIX: use URLEncoder.encode to hex-encode non-alphanumerics */
data = URLEncoder.encode(data, "UTF-16");
response.sendRedirect("/author.jsp?lang=" + data);
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
/* POTENTIAL FLAW: Input not verified before inclusion in redirect */
response.sendRedirect("/author.jsp?lang=" + data);
}
}
/* goodB2G2() - use badsource and goodsink by reversing statements in second if */
private void goodB2G2() throws Throwable {
int data;
if (IO.static_returns_t()) {
Logger log_bad = Logger.getLogger("local-logger");
/* init data */
data = -1;
Connection conn = null;
PreparedStatement statement = null;
ResultSet rs = null;
BufferedReader buffread = null;
InputStreamReader instrread = null;
try {
/* setup the connection */
conn = IO.getDBConnection();
/* prepare the query */
statement = conn.prepareStatement("select name from users where id=?");
/* get user input for the userid */
IO.writeLine("Enter a userid to login as (number): ");
instrread = new InputStreamReader(System.in);
buffread = new BufferedReader(instrread);
int num = Integer.parseInt(buffread.readLine());
statement.setInt(1, num);
rs = statement.executeQuery();
String s_data = rs.getString(1);
data = Integer.parseInt(s_data.trim());
} catch (IOException ioe) {
log_bad.warning("Error with stream reading");
} catch (NumberFormatException nfe) {
log_bad.warning("Error with number parsing");
} finally {
/* clean up stream reading objects */
try {
if (buffread != null) {
buffread.close();
}
} catch (IOException ioe) {
log_bad.warning("Error closing buffread");
} finally {
try {
if (instrread != null) {
instrread.close();
}
} catch (IOException ioe) {
log_bad.warning("Error closing instrread");
}
}
/* clean up database objects */
try {
if (rs != null) {
rs.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing rs");
} finally {
try {
if (statement != null) {
statement.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing statement");
} finally {
try {
if (conn != null) {
conn.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing conn");
}
}
}
}
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger");
/* FIX: Use a hardcoded number that won't cause underflow, overflow,
divide by zero, or loss-of-precision issues */
data = 2;
}
if (IO.static_returns_t()) {
/* FIX: test for a zero denominator */
if (data != 0) {
IO.writeLine("100/" + String.valueOf(data) + " = " + (100 / data) + "\n");
} else {
IO.writeLine("This would result in a divide by zero");
}
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
/* POTENTIAL FLAW: Zero denominator will cause an issue. An integer division will
result in an exception. */
IO.writeLine("bad: 100/" + String.valueOf(data) + " = " + (100 / data) + "\n");
}
}
/* goodB2G2() - use badsource and goodsink by reversing statements in second if */
private void goodB2G2() throws Throwable {
String data;
if (IO.static_returns_t()) {
Logger log_bad = Logger.getLogger("local-logger");
data = ""; /* init data */
URLConnection conn = (new URL("http://www.example.org/")).openConnection();
BufferedReader buffread = null;
InputStreamReader instrread = null;
try {
/* read input from URLConnection */
instrread = new InputStreamReader(conn.getInputStream());
buffread = new BufferedReader(instrread);
data = buffread.readLine(); // This will be reading the first "line" of the response body,
// which could be very long if there are no newlines in the HTML
} catch (IOException ioe) {
log_bad.warning("Error with stream reading");
} finally {
/* clean up stream reading objects */
try {
if (buffread != null) {
buffread.close();
}
} catch (IOException ioe) {
log_bad.warning("Error closing buffread");
} finally {
try {
if (instrread != null) {
instrread.close();
}
} catch (IOException ioe) {
log_bad.warning("Error closing instrread");
}
}
}
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger");
/* FIX: Use a hardcoded string */
data = "foo";
}
if (IO.static_returns_t()) {
String names[] = data.split("-");
int iSuccess = 0;
Logger log2 = Logger.getLogger("local-logger");
Connection conn_tmp2 = null;
PreparedStatement sqlstatement = null;
try {
/* FIX: use prepared sqlstatement */
conn_tmp2 = IO.getDBConnection();
sqlstatement =
conn_tmp2.prepareStatement("update users set hitcount=hitcount+1 where name=?");
for (int i = 0; i < names.length; ++i) {
sqlstatement.setString(1, names[i]);
sqlstatement.addBatch();
}
int dbResults[] = sqlstatement.executeBatch();
for (int i = 0; i < names.length; ++i) {
if (dbResults[i] > 0) {
iSuccess++;
}
}
IO.writeString("Succeeded in " + iSuccess + " out of " + names.length + " queries.");
} catch (SQLException se) {
log2.warning("Error getting database connection");
} finally {
try {
if (sqlstatement != null) {
sqlstatement.close();
}
} catch (SQLException e) {
log2.warning("Error closing sqlstatement");
} finally {
try {
if (conn_tmp2 != null) {
conn_tmp2.close();
}
} catch (SQLException e) {
log2.warning("Error closing conn_tmp2");
}
}
}
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
String names[] = data.split("-");
int iSuccess = 0;
Logger log2 = Logger.getLogger("local-logger");
Connection conn_tmp2 = null;
Statement sqlstatement = null;
try {
conn_tmp2 = IO.getDBConnection();
sqlstatement = conn_tmp2.createStatement();
for (int i = 0; i < names.length; ++i) {
/* POTENTIAL FLAW: take user input and place into dynamic sql query */
sqlstatement.addBatch(
"update users set hitcount=hitcount+1 where name='" + names[i] + "'");
}
int dbResults[] = sqlstatement.executeBatch();
for (int i = 0; i < names.length; ++i) {
if (dbResults[i] > 0) {
iSuccess++;
}
}
IO.writeString("Succeeded in " + iSuccess + " out of " + names.length + " queries.");
} catch (SQLException se) {
log2.warning("Error getting database connection");
} finally {
try {
if (sqlstatement != null) {
sqlstatement.close();
}
} catch (SQLException e) {
log2.warning("Error closing sqlstatement");
} finally {
try {
if (conn_tmp2 != null) {
conn_tmp2.close();
}
} catch (SQLException e) {
log2.warning("Error closing conn_tmp2");
}
}
}
}
}
/* goodB2G2() - use badsource and goodsink by reversing statements in second if */
private void goodB2G2() throws Throwable {
String data;
if (IO.static_returns_t()) {
Logger log_bad = Logger.getLogger("local-logger");
data = ""; /* init data */
Connection conn = null;
PreparedStatement statement = null;
ResultSet rs = null;
BufferedReader buffread = null;
InputStreamReader instrread = null;
try {
/* setup the connection */
conn = IO.getDBConnection();
/* prepare the query */
statement = conn.prepareStatement("select name from users where id=?");
/* get user input for the userid */
IO.writeLine("Enter a userid to login as (number): ");
instrread = new InputStreamReader(System.in);
buffread = new BufferedReader(instrread);
int num = Integer.parseInt(buffread.readLine());
statement.setInt(1, num);
rs = statement.executeQuery();
data = rs.getString(1);
} catch (IOException ioe) {
log_bad.warning("Error with stream reading");
} finally {
/* clean up stream reading objects */
try {
if (buffread != null) {
buffread.close();
}
} catch (IOException ioe) {
log_bad.warning("Error closing buffread");
} finally {
try {
if (instrread != null) {
instrread.close();
}
} catch (IOException ioe) {
log_bad.warning("Error closing instrread");
}
}
/* clean up database objects */
try {
if (rs != null) {
rs.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing rs");
} finally {
try {
if (statement != null) {
statement.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing statement");
} finally {
try {
if (conn != null) {
conn.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing conn");
}
}
}
}
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger");
/* FIX: Use a hardcoded string */
data = "foo";
}
if (IO.static_returns_t()) {
final String xmldoc =
"\\src\\testcases\\CWE643_Unsafe_Treatment_of_XPath_Input\\console_to_evaluate\\CWE643_Unsafe_Treatment_of_XPath_Input__helper.xml";
/* assume username||password as source */
String[] tokens = data.split("||");
if (tokens.length < 2) {
return;
}
/* FIX: validate input using StringEscapeUtils */
String uname = StringEscapeUtils.escapeXml(tokens[0]);
String pword = StringEscapeUtils.escapeXml(tokens[1]);
/* build xpath */
XPath xp = XPathFactory.newInstance().newXPath();
InputSource inxml = new InputSource(xmldoc);
String query =
"//users/user[name/text()='"
+ uname
+ "' and pass/text()='"
+ pword
+ "']"
+ "/secret/text()";
String secret = (String) xp.evaluate(query, inxml, XPathConstants.STRING);
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
final String xmldoc =
"\\src\\testcases\\CWE643_Unsafe_Treatment_of_XPath_Input\\console_to_evaluate\\CWE643_Unsafe_Treatment_of_XPath_Input__helper.xml";
/* assume username||password as source */
String[] tokens = data.split("||");
if (tokens.length < 2) {
return;
}
String uname = tokens[0];
String pword = tokens[1];
/* build xpath */
XPath xp = XPathFactory.newInstance().newXPath();
InputSource inxml = new InputSource(xmldoc);
/* INCIDENTAL: CWE180 Incorrect Behavior Order: Validate Before Canonicalize
* The user input should be canonicalized before validation.
*/
/* FLAW: user input is used without validate */
String query =
"//users/user[name/text()='"
+ uname
+ "' and pass/text()='"
+ pword
+ "']"
+ "/secret/text()";
String secret = (String) xp.evaluate(query, inxml, XPathConstants.STRING);
}
}