/* good1() changes IO.static_returns_t() to IO.static_returns_f() */ private void good1(HttpServletRequest request, HttpServletResponse response) throws Throwable { if (IO.static_returns_f()) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ Logger tcLog = Logger.getLogger("cwe_testcases_logger"); if (request.getParameter("username") == null) { return; } String username = request.getParameter("username"); if (username.matches("[a-zA-Z0-9]*")) { HttpSession session = request.getSession(true); /* FLAW: leak session ID to debug log */ tcLog.log(Level.FINEST, "Username: "******" Session ID:" + session.getId()); } else { response.getWriter().println("Invalid characters"); } } else { Logger tcLog = Logger.getLogger("cwe_testcases_logger"); if (request.getParameter("username") == null) { return; } String username = request.getParameter("username"); if (username.matches("[a-zA-Z0-9]*")) { HttpSession session = request.getSession(true); /* FIX: logged message does not contain session id */ tcLog.log(Level.FINEST, "Username: "******" Session ID:" + session.getId()); } else { response.getWriter().println("Invalid characters"); } } }
/* good1() changes IO.static_returns_t() to IO.static_returns_f() */ private void good1() throws Throwable { if (IO.static_returns_f()) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ Random rand = new Random(); /* FLAW: seed is static, making the numbers always occur in the same sequence */ rand.setSeed(123456); IO.writeLine("Random int: " + rand.nextInt(100)); } else { /* FIX: use SecureRandom to be cryptographically secure */ SecureRandom rand = new SecureRandom(); IO.writeLine("Random int: " + rand.nextInt(100)); } }
/* goodB2G1() - use badsource and goodsink by changing second IO.static_returns_t() to IO.static_returns_f() */ private void goodB2G1() throws Throwable { String data; if (IO.static_returns_t()) { Logger log_bad = Logger.getLogger("local-logger"); data = ""; /* init data */ Connection conn = null; PreparedStatement statement = null; ResultSet rs = null; BufferedReader buffread = null; InputStreamReader instrread = null; try { /* setup the connection */ conn = IO.getDBConnection(); /* prepare the query */ statement = conn.prepareStatement("select name from users where id=?"); /* get user input for the userid */ IO.writeLine("Enter a userid to login as (number): "); instrread = new InputStreamReader(System.in); buffread = new BufferedReader(instrread); int num = Integer.parseInt(buffread.readLine()); statement.setInt(1, num); rs = statement.executeQuery(); data = rs.getString(1); } catch (IOException ioe) { log_bad.warning("Error with stream reading"); } finally { /* clean up stream reading objects */ try { if (buffread != null) { buffread.close(); } } catch (IOException ioe) { log_bad.warning("Error closing buffread"); } finally { try { if (instrread != null) { instrread.close(); } } catch (IOException ioe) { log_bad.warning("Error closing instrread"); } } /* clean up database objects */ try { if (rs != null) { rs.close(); } } catch (SQLException se) { log_bad.warning("Error closing rs"); } finally { try { if (statement != null) { statement.close(); } } catch (SQLException se) { log_bad.warning("Error closing statement"); } finally { try { if (conn != null) { conn.close(); } } catch (SQLException se) { log_bad.warning("Error closing conn"); } } } } } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; } if (IO.static_returns_f()) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ final String xmldoc = "\\src\\testcases\\CWE643_Unsafe_Treatment_of_XPath_Input\\console_to_evaluate\\CWE643_Unsafe_Treatment_of_XPath_Input__helper.xml"; /* assume username||password as source */ String[] tokens = data.split("||"); if (tokens.length < 2) { return; } String uname = tokens[0]; String pword = tokens[1]; /* build xpath */ XPath xp = XPathFactory.newInstance().newXPath(); InputSource inxml = new InputSource(xmldoc); /* INCIDENTAL: CWE180 Incorrect Behavior Order: Validate Before Canonicalize * The user input should be canonicalized before validation. */ /* FLAW: user input is used without validate */ String query = "//users/user[name/text()='" + uname + "' and pass/text()='" + pword + "']" + "/secret/text()"; String secret = (String) xp.evaluate(query, inxml, XPathConstants.STRING); } else { final String xmldoc = "\\src\\testcases\\CWE643_Unsafe_Treatment_of_XPath_Input\\console_to_evaluate\\CWE643_Unsafe_Treatment_of_XPath_Input__helper.xml"; /* assume username||password as source */ String[] tokens = data.split("||"); if (tokens.length < 2) { return; } /* FIX: validate input using StringEscapeUtils */ String uname = StringEscapeUtils.escapeXml(tokens[0]); String pword = StringEscapeUtils.escapeXml(tokens[1]); /* build xpath */ XPath xp = XPathFactory.newInstance().newXPath(); InputSource inxml = new InputSource(xmldoc); String query = "//users/user[name/text()='" + uname + "' and pass/text()='" + pword + "']" + "/secret/text()"; String secret = (String) xp.evaluate(query, inxml, XPathConstants.STRING); } }