/* goodG2B() - use goodsource and badsink */
private void goodG2B(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
/* FIX: Use a hardcoded string */
data = "foo";
CWE80_XSS__Servlet_URLConnection_81_base baseObject =
new CWE80_XSS__Servlet_URLConnection_81_goodG2B();
baseObject.action(data, request, response);
}
public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
data = ""; /* Initialize data */
/* read input from URLConnection */
{
URLConnection urlConnection = (new URL("http://www.example.org/")).openConnection();
BufferedReader readerBuffered = null;
InputStreamReader readerInputStream = null;
try {
readerInputStream = new InputStreamReader(urlConnection.getInputStream(), "UTF-8");
readerBuffered = new BufferedReader(readerInputStream);
/* POTENTIAL FLAW: Read data from a web server with URLConnection */
/* This will be reading the first "line" of the response body,
* which could be very long if there are no newlines in the HTML */
data = readerBuffered.readLine();
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO);
} finally {
/* clean up stream reading objects */
try {
if (readerBuffered != null) {
readerBuffered.close();
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error closing BufferedReader", exceptIO);
}
try {
if (readerInputStream != null) {
readerInputStream.close();
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error closing InputStreamReader", exceptIO);
}
}
}
CWE80_XSS__Servlet_URLConnection_81_base baseObject =
new CWE80_XSS__Servlet_URLConnection_81_bad();
baseObject.action(data, request, response);
}
