/* goodG2B2() - use goodsource and badsink by reversing statements in first if */ private void goodG2B2() throws Throwable { String data; /* INCIDENTAL: CWE 571 Statement is Always True */ if (private_final_t) { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ Logger log_bad = Logger.getLogger("local-logger"); data = ""; /* init data */ /* read user input from console with readLine*/ BufferedReader buffread = null; InputStreamReader instrread = null; try { instrread = new InputStreamReader(System.in); buffread = new BufferedReader(instrread); data = buffread.readLine(); } catch (IOException ioe) { log_bad.warning("Error with stream reading"); } finally { /* clean up stream reading objects */ try { if (buffread != null) { buffread.close(); } } catch (IOException ioe) { log_bad.warning("Error closing buffread"); } finally { try { if (instrread != null) { instrread.close(); } } catch (IOException ioe) { log_bad.warning("Error closing instrread"); } } } } /* INCIDENTAL: CWE 571 Statement is Always True */ if (private_final_t) { MessageDigest hash = MessageDigest.getInstance("SHA-512"); hash.update(data.getBytes()); /* FLAW: SHA512 with a predictable salt */ byte[] hashv = hash.digest("hash me".getBytes()); IO.writeLine(IO.toHex(hashv)); } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ SecureRandom r = new SecureRandom(); MessageDigest hash = MessageDigest.getInstance("SHA-512"); hash.update(r.getSeed(32)); /* FIX: Use a sufficiently random salt */ byte[] hashv = hash.digest("hash me".getBytes()); IO.writeLine(IO.toHex(hashv)); } }
/* goodG2B2() - use goodsource and badsink by reversing statements in first if */ private void goodG2B2() throws Throwable { String data; /* INCIDENTAL: CWE 571 Statement is Always True */ if (private_final_five == 5) { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ Logger log_bad = Logger.getLogger("local-logger"); data = ""; /* init data */ /* retrieve the property */ Properties props = new Properties(); FileInputStream finstr = null; try { finstr = new FileInputStream("../common/config.properties"); props.load(finstr); data = props.getProperty("data"); } catch (IOException ioe) { log_bad.warning("Error with stream reading"); } finally { /* clean up stream reading objects */ try { if (finstr != null) { finstr.close(); } } catch (IOException ioe) { log_bad.warning("Error closing buffread"); } } } /* INCIDENTAL: CWE 571 Statement is Always True */ if (private_final_five == 5) { MessageDigest hash = MessageDigest.getInstance("SHA-512"); hash.update(data.getBytes()); /* FLAW: SHA512 with a predictable salt */ byte[] hashv = hash.digest("hash me".getBytes()); IO.writeLine(IO.toHex(hashv)); } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ SecureRandom r = new SecureRandom(); MessageDigest hash = MessageDigest.getInstance("SHA-512"); hash.update(r.getSeed(32)); /* FIX: Use a sufficiently random salt */ byte[] hashv = hash.digest("hash me".getBytes()); IO.writeLine(IO.toHex(hashv)); } }
/* good2() reverses the bodies in the if statement */ private void good2() throws Throwable { if (IO.static_t) { SecureRandom r = new SecureRandom(); MessageDigest hash = MessageDigest.getInstance("SHA-512"); hash.update(r.getSeed(32)); /* FIX: Use a sufficiently random salt */ byte[] hashv = hash.digest("hash me".getBytes()); IO.writeLine(IO.toHex(hashv)); } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ MessageDigest hash = MessageDigest.getInstance("SHA-512"); /* FLAW: SHA512 with no salt */ byte[] hashv = hash.digest("hash me".getBytes()); IO.writeLine(IO.toHex(hashv)); } }
/* goodG2B() - use goodsource and badsink */ public void goodG2B_sink(String data) throws Throwable { MessageDigest hash = MessageDigest.getInstance("SHA-512"); hash.update(data.getBytes()); /* FLAW: SHA512 with a predictable salt */ byte[] hashv = hash.digest("hash me".getBytes()); IO.writeLine(IO.toHex(hashv)); }
/* goodB2G() - use badsource and goodsink */ public void goodB2G_sink(String data) throws Throwable { SecureRandom r = new SecureRandom(); MessageDigest hash = MessageDigest.getInstance("SHA-512"); hash.update(r.getSeed(32)); /* FIX: Use a sufficiently random salt */ byte[] hashv = hash.digest("hash me".getBytes()); IO.writeLine(IO.toHex(hashv)); }
/* goodB2G() - use badsource and goodsink */ public void goodB2G_sink(String data, HttpServletRequest request, HttpServletResponse response) throws Throwable { String prefix = "Tru3ly 0b$scUre"; MessageDigest hash = MessageDigest.getInstance("SHA512"); /* FIX: credentials hashed prior to setting in cookie */ byte[] hashv = hash.digest((prefix + data).getBytes()); response.addCookie(new Cookie("auth", IO.toHex(hashv))); }
/* good2() reverses the bodies in the if statement */ private void good2() throws Throwable { if (privateFive == 5) { String input = "Test Input"; /* FIX: Secure cryptographic hashing algorithm (SHA-512) */ MessageDigest messageDigest = MessageDigest.getInstance("SHA-512"); byte[] hashValue = messageDigest.digest( input.getBytes("UTF-8")); /* INCIDENTAL FLAW: Hard-coded input to hash algorithm */ IO.writeLine(IO.toHex(hashValue)); } }
/* good2() reverses the blocks in the switch */ private void good2() throws Throwable { switch (7) { case 7: String input = "Test Input"; /* FIX: Secure cryptographic hashing algorithm (SHA-512) */ MessageDigest messageDigest = MessageDigest.getInstance("SHA-512"); byte[] hashValue = messageDigest.digest( input.getBytes("UTF-8")); /* INCIDENTAL FLAW: Hard-coded input to hash algorithm */ IO.writeLine(IO.toHex(hashValue)); break; default: /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ IO.writeLine("Benign, fixed string"); break; } }
/* goodG2B() - use goodsource and badsink */ private void goodG2B(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; /* INCIDENTAL: CWE-798 Use of Hard-coded Credentials */ PasswordAuthentication credentials = new PasswordAuthentication("user", "GP@ssw0rd".toCharArray()); /* FIX: Set data to a hash of credentials */ { String salt = "ThisIsMySalt"; MessageDigest messageDigest = MessageDigest.getInstance("SHA-512"); messageDigest.reset(); String credentialsToHash = credentials.getUserName() + ":" + (new String(credentials.getPassword())); byte[] hashedCredsAsBytes = messageDigest.digest((salt + credentialsToHash).getBytes("UTF-8")); data = IO.toHex(hashedCredsAsBytes); } (new CWE315_Plaintext_Storage_in_Cookie__Servlet_53b()).goodG2BSink(data, request, response); }
public void bad() throws Throwable { String data; boolean local_f = false; /* This local variable is used becuase the Java compiler will generate an error on while(false) and similar constructs that evaluate to false. This is the simplest construct that will always be false and still compile. */ while (local_f) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; break; } while (true) { Logger log_bad = Logger.getLogger("local-logger"); data = ""; /* init data */ Socket sock = null; BufferedReader buffread = null; InputStreamReader instrread = null; try { /* Read data using an outbound tcp connection */ sock = new Socket("host.example.org", 39544); /* read input from socket */ instrread = new InputStreamReader(sock.getInputStream()); buffread = new BufferedReader(instrread); data = buffread.readLine(); } catch (IOException ioe) { log_bad.warning("Error with stream reading"); } finally { /* clean up stream reading objects */ try { if (buffread != null) { buffread.close(); } } catch (IOException ioe) { log_bad.warning("Error closing buffread"); } finally { try { if (instrread != null) { instrread.close(); } } catch (IOException ioe) { log_bad.warning("Error closing instrread"); } } /* clean up socket objects */ try { if (sock != null) { sock.close(); } } catch (IOException e) { log_bad.warning("Error closing sock"); } } break; } while (true) { MessageDigest hash = MessageDigest.getInstance("SHA-512"); hash.update(data.getBytes()); /* FLAW: SHA512 with a predictable salt */ byte[] hashv = hash.digest("hash me".getBytes()); IO.writeLine(IO.toHex(hashv)); break; } while (local_f) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ SecureRandom r = new SecureRandom(); MessageDigest hash = MessageDigest.getInstance("SHA-512"); hash.update(r.getSeed(32)); /* FIX: Use a sufficiently random salt */ byte[] hashv = hash.digest("hash me".getBytes()); IO.writeLine(IO.toHex(hashv)); break; } }
public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; /* INCIDENTAL: CWE 571 Statement is Always True */ if (5 == 5) { Logger log_bad = Logger.getLogger("local-logger"); data = ""; /* init data */ /* read user input from console with readLine*/ BufferedReader buffread = null; InputStreamReader instrread = null; try { instrread = new InputStreamReader(System.in); buffread = new BufferedReader(instrread); data = buffread.readLine(); } catch (IOException ioe) { log_bad.warning("Error with stream reading"); } finally { /* clean up stream reading objects */ try { if (buffread != null) { buffread.close(); } } catch (IOException ioe) { log_bad.warning("Error closing buffread"); } finally { try { if (instrread != null) { instrread.close(); } } catch (IOException ioe) { log_bad.warning("Error closing instrread"); } } } } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; } /* INCIDENTAL: CWE 571 Statement is Always True */ if (5 == 5) { /* NOTE: potential incidental issues with not setting secure or HttpOnly flag */ String fp = "../common/config.properties"; /* simple pre-set key makes the stored password recoverable */ String sharedKey = "0000000000000000"; byte[] input = data.getBytes(); SecretKeySpec key = new SecretKeySpec(sharedKey.getBytes(), "AES"); Cipher cipher = Cipher.getInstance("AES/ECB/NoPadding", "BC"); cipher.init(Cipher.ENCRYPT_MODE, key); byte[] cipherText = cipher.doFinal(input); /* FLAW: writing a recoverable password to a cookie */ response.addCookie(new Cookie("auth", new String(cipherText))); } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ String prefix = "Tru3ly 0b$scUre"; MessageDigest hash = MessageDigest.getInstance("SHA512"); /* FIX: credentials hashed prior to setting in cookie */ byte[] hashv = hash.digest((prefix + data).getBytes()); response.addCookie(new Cookie("auth", IO.toHex(hashv))); } }
public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; /* INCIDENTAL: CWE 571 Statement is Always True */ if (private_final_five == 5) { Logger log_bad = Logger.getLogger("local-logger"); data = ""; /* init data */ Connection conn = null; PreparedStatement statement = null; ResultSet rs = null; BufferedReader buffread = null; InputStreamReader instrread = null; try { /* setup the connection */ conn = IO.getDBConnection(); /* prepare the query */ statement = conn.prepareStatement("select name from users where id=?"); /* get user input for the userid */ IO.writeLine("Enter a userid to login as (number): "); instrread = new InputStreamReader(System.in); buffread = new BufferedReader(instrread); int num = Integer.parseInt(buffread.readLine()); statement.setInt(1, num); rs = statement.executeQuery(); data = rs.getString(1); } catch (IOException ioe) { log_bad.warning("Error with stream reading"); } finally { /* clean up stream reading objects */ try { if (buffread != null) { buffread.close(); } } catch (IOException ioe) { log_bad.warning("Error closing buffread"); } finally { try { if (instrread != null) { instrread.close(); } } catch (IOException ioe) { log_bad.warning("Error closing instrread"); } } /* clean up database objects */ try { if (rs != null) { rs.close(); } } catch (SQLException se) { log_bad.warning("Error closing rs"); } finally { try { if (statement != null) { statement.close(); } } catch (SQLException se) { log_bad.warning("Error closing statement"); } finally { try { if (conn != null) { conn.close(); } } catch (SQLException se) { log_bad.warning("Error closing conn"); } } } } } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; } /* INCIDENTAL: CWE 571 Statement is Always True */ if (private_final_five == 5) { /* NOTE: potential incidental issues with not setting secure or HttpOnly flag */ String fp = "../common/config.properties"; /* simple pre-set key makes the stored password recoverable */ String sharedKey = "0000000000000000"; byte[] input = data.getBytes(); SecretKeySpec key = new SecretKeySpec(sharedKey.getBytes(), "AES"); Cipher cipher = Cipher.getInstance("AES/ECB/NoPadding", "BC"); cipher.init(Cipher.ENCRYPT_MODE, key); byte[] cipherText = cipher.doFinal(input); /* FLAW: writing a recoverable password to a cookie */ response.addCookie(new Cookie("auth", new String(cipherText))); } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ String prefix = "Tru3ly 0b$scUre"; MessageDigest hash = MessageDigest.getInstance("SHA512"); /* FIX: credentials hashed prior to setting in cookie */ byte[] hashv = hash.digest((prefix + data).getBytes()); response.addCookie(new Cookie("auth", IO.toHex(hashv))); } }