/* goodB2G1() - use badsource and goodsink by changing second PRIVATE_STATIC_FINAL_FIVE==5 to PRIVATE_STATIC_FINAL_FIVE!=5 */
private void goodB2G1() throws Throwable {
    short data;
    if (PRIVATE_STATIC_FINAL_FIVE == 5) {
        /* POTENTIAL FLAW: Use a random value - any short, including both extremes, can be produced */
        java.security.SecureRandom rng = new java.security.SecureRandom();
        int span = 1 + Short.MAX_VALUE - Short.MIN_VALUE; /* number of distinct short values */
        data = (short) (rng.nextInt(span) + Short.MIN_VALUE);
    } else {
        /* INCIDENTAL: CWE 561 Dead Code, the code below will never run
         * but ensure data is initialized before the Sink to avoid compiler errors */
        data = 0;
    }
    if (PRIVATE_STATIC_FINAL_FIVE != 5) {
        /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
        IO.writeLine("Benign, fixed string");
    } else {
        /* FIX: Add a check to prevent an overflow from occurring */
        /* NOTE: Math.abs of the minimum int or long will return that same value, so we must check for it
         * (a short can never hold either value, so those two comparisons are always true here;
         * the bound check is what actually keeps data * data inside a short) */
        long largestSafeInput = (long) Math.sqrt(Short.MAX_VALUE);
        boolean squareFits = data != Integer.MIN_VALUE
                && data != Long.MIN_VALUE
                && Math.abs(data) <= largestSafeInput;
        if (!squareFits) {
            IO.writeLine("data value is too large to perform squaring.");
        } else {
            short result = (short) (data * data);
            IO.writeLine("result: " + result);
        }
    }
}
/* goodB2G1() - use badsource and goodsink by changing second privateReturnsTrue() to privateReturnsFalse() */
private void goodB2G1() throws Throwable {
    long data;
    if (privateReturnsTrue()) {
        /* POTENTIAL FLAW: Use the maximum size of the data type */
        data = Long.MAX_VALUE;
    } else {
        /* INCIDENTAL: CWE 561 Dead Code, the code below will never run
         * but ensure data is initialized before the Sink to avoid compiler errors */
        data = 0L;
    }
    if (privateReturnsFalse()) {
        /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
        IO.writeLine("Benign, fixed string");
    } else {
        /* FIX: Add a check to prevent an overflow from occurring */
        /* NOTE: Math.abs of the minimum int or long will return that same value, so we must check for it */
        long largestSafeInput = (long) Math.sqrt(Long.MAX_VALUE); /* largest magnitude whose square fits a long */
        boolean squareFits = data != Integer.MIN_VALUE
                && data != Long.MIN_VALUE
                && Math.abs(data) <= largestSafeInput;
        if (!squareFits) {
            IO.writeLine("data value is too large to perform squaring.");
        } else {
            long result = data * data;
            IO.writeLine("result: " + result);
        }
    }
}
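/* goodB2G() - use badsource and goodsink */
private void goodB2G(HttpServletRequest request, HttpServletResponse response) throws Throwable {
    int data;
    data = Integer.MIN_VALUE; /* Initialize data */
    /* POTENTIAL FLAW: Read data from a querystring using getParameter() */
    {
        String stringNumber = request.getParameter("name");
        /* getParameter() returns null when the parameter is absent; without this guard the
         * trim() call below would throw a NullPointerException out of the method */
        if (stringNumber != null) /* avoid NPD incidental warnings */
        {
            try {
                data = Integer.parseInt(stringNumber.trim());
            } catch (NumberFormatException exceptNumberFormat) {
                IO.logger.log(Level.WARNING, "Number format exception reading data from parameter 'name'", exceptNumberFormat);
            }
        }
    }
    /* FIX: Add a check to prevent an overflow from occurring */
    /* NOTE: Math.abs of the minimum int or long will return that same value, so we must check for it.
     * A missing or unparsable parameter leaves data at Integer.MIN_VALUE, which this check routes
     * to the "too large" message rather than squaring */
    if ((data != Integer.MIN_VALUE) && (data != Long.MIN_VALUE) && (Math.abs(data) <= (long) Math.sqrt(Integer.MAX_VALUE))) {
        int result = (int) (data * data);
        IO.writeLine("result: " + result);
    } else {
        IO.writeLine("data value is too large to perform squaring.");
    }
}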
/* goodB2G1() - use badsource and goodsink by changing second IO.staticReturnsTrue() to IO.staticReturnsFalse() */
/* Source: the "data" key of a properties file on a path relative to the working directory.
 * Sink: squares data only after a bounds check, so the int multiplication cannot overflow. */
private void goodB2G1() throws Throwable {
    int data;
    if (IO.staticReturnsTrue()) {
        data = Integer.MIN_VALUE; /* Initialize data */
        /* retrieve the property */
        {
            Properties properties = new Properties();
            FileInputStream streamFileInput = null;
            try {
                streamFileInput = new FileInputStream("../common/config.properties");
                properties.load(streamFileInput);
                /* POTENTIAL FLAW: Read data from a .properties file */
                String stringNumber = properties.getProperty("data");
                if (stringNumber != null) // avoid NPD incidental warnings
                {
                    try {
                        data = Integer.parseInt(stringNumber.trim());
                    } catch (NumberFormatException exceptNumberFormat) {
                        /* data keeps its Integer.MIN_VALUE initial value on a parse failure */
                        IO.logger.log(Level.WARNING, "Number format exception parsing data from string", exceptNumberFormat);
                    }
                }
            } catch (IOException exceptIO) {
                IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO);
            } finally {
                /* Close stream reading object */
                try {
                    if (streamFileInput != null) {
                        streamFileInput.close();
                    }
                } catch (IOException exceptIO) {
                    IO.logger.log(Level.WARNING, "Error closing FileInputStream", exceptIO);
                }
            }
        }
    } else {
        /* INCIDENTAL: CWE 561 Dead Code, the code below will never run
         * but ensure data is initialized before the Sink to avoid compiler errors */
        data = 0;
    }
    if (IO.staticReturnsFalse()) {
        /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
        IO.writeLine("Benign, fixed string");
    } else {
        /* FIX: Add a check to prevent an overflow from occurring */
        /* NOTE: Math.abs of the minimum int or long will return that same value, so we must check for it.
         * Because data starts at Integer.MIN_VALUE, a missing key or parse failure ends up in the else branch. */
        if ((data != Integer.MIN_VALUE) && (data != Long.MIN_VALUE) && (Math.abs(data) <= (long) Math.sqrt(Integer.MAX_VALUE))) {
            int result = (int) (data * data);
            IO.writeLine("result: " + result);
        } else {
            IO.writeLine("data value is too large to perform squaring.");
        }
    }
}
/* goodB2GSink() - square a byte only when the product is guaranteed to fit in a byte */
private void goodB2GSink(byte data) throws Throwable {
    /* FIX: Add a check to prevent an overflow from occurring */
    /* NOTE: Math.abs of the minimum int or long will return that same value, so we must check for it
     * (a byte can never hold either value, so those two comparisons are always true here) */
    long largestSafeInput = (long) Math.sqrt(Byte.MAX_VALUE);
    boolean squareFits = data != Integer.MIN_VALUE
            && data != Long.MIN_VALUE
            && Math.abs(data) <= largestSafeInput;
    if (!squareFits) {
        IO.writeLine("data value is too large to perform squaring.");
        return;
    }
    byte result = (byte) (data * data);
    IO.writeLine("result: " + result);
}
/* goodB2G() - use badsource and goodsink */
private void goodB2G() throws Throwable {
    CWE190_Integer_Overflow__int_Environment_square_61b source =
            new CWE190_Integer_Overflow__int_Environment_square_61b();
    int data = source.goodB2GSource();
    /* FIX: Add a check to prevent an overflow from occurring */
    /* NOTE: Math.abs of the minimum int or long will return that same value, so we must check for it */
    long largestSafeInput = (long) Math.sqrt(Integer.MAX_VALUE);
    boolean squareFits = data != Integer.MIN_VALUE
            && data != Long.MIN_VALUE
            && Math.abs(data) <= largestSafeInput;
    if (!squareFits) {
        IO.writeLine("data value is too large to perform squaring.");
    } else {
        int result = data * data;
        IO.writeLine("result: " + result);
    }
}
/* goodB2G() - use BadSource and GoodSink */
public void goodB2GSink(HashMap<Integer, Long> dataHashMap) throws Throwable {
    /* the value is read from key 2; unboxing a missing key would raise a NullPointerException */
    Long boxed = dataHashMap.get(2);
    long data = boxed;
    /* FIX: Add a check to prevent an overflow from occurring */
    /* NOTE: Math.abs of the minimum int or long will return that same value, so we must check for it */
    long largestSafeInput = (long) Math.sqrt(Long.MAX_VALUE);
    boolean squareFits = data != Integer.MIN_VALUE
            && data != Long.MIN_VALUE
            && Math.abs(data) <= largestSafeInput;
    if (!squareFits) {
        IO.writeLine("data value is too large to perform squaring.");
    } else {
        long result = data * data;
        IO.writeLine("result: " + result);
    }
}
/* goodB2G() - use badsource and goodsink */
/* request and response are part of the sink signature but are not read here */
public void goodB2GSink(int data, HttpServletRequest request, HttpServletResponse response) throws Throwable {
    /* FIX: Add a check to prevent an overflow from occurring */
    /* NOTE: Math.abs of the minimum int or long will return that same value, so we must check for it */
    long largestSafeInput = (long) Math.sqrt(Integer.MAX_VALUE);
    boolean squareFits = data != Integer.MIN_VALUE
            && data != Long.MIN_VALUE
            && Math.abs(data) <= largestSafeInput;
    if (!squareFits) {
        IO.writeLine("data value is too large to perform squaring.");
        return;
    }
    int result = data * data;
    IO.writeLine("result: " + result);
}
/* goodB2G() - use BadSource and GoodSink */
/* Sink: deserializes an Integer from dataSerialized and squares it only after a bounds check. */
public void goodB2GSink(byte[] dataSerialized) throws Throwable {
    /* unserialize data */
    ByteArrayInputStream streamByteArrayInput = null;
    ObjectInputStream streamObjectInput = null;
    try {
        streamByteArrayInput = new ByteArrayInputStream(dataSerialized);
        streamObjectInput = new ObjectInputStream(streamByteArrayInput);
        /* NOTE(review): readObject() is Java native deserialization of the raw bytes. If dataSerialized
         * can originate outside this program, an ObjectInputFilter limited to java.lang.Integer should be
         * set on the stream before this call - TODO confirm where the bytes come from.
         * A ClassCastException from the cast is not caught below and propagates to the caller. */
        int data = (Integer) streamObjectInput.readObject();
        /* FIX: Add a check to prevent an overflow from occurring */
        /* NOTE: Math.abs of the minimum int or long will return that same value, so we must check for it */
        if ((data != Integer.MIN_VALUE) && (data != Long.MIN_VALUE) && (Math.abs(data) <= (long) Math.sqrt(Integer.MAX_VALUE))) {
            int result = (int) (data * data);
            IO.writeLine("result: " + result);
        } else {
            IO.writeLine("data value is too large to perform squaring.");
        }
    } catch (IOException exceptIO) {
        IO.logger.log(Level.WARNING, "IOException in deserialization", exceptIO);
    } catch (ClassNotFoundException exceptClassNotFound) {
        IO.logger.log(Level.WARNING, "ClassNotFoundException in deserialization", exceptClassNotFound);
    } finally {
        /* clean up stream reading objects; each close is attempted and logged independently */
        try {
            if (streamObjectInput != null) {
                streamObjectInput.close();
            }
        } catch (IOException exceptIO) {
            IO.logger.log(Level.WARNING, "Error closing ObjectInputStream", exceptIO);
        }
        try {
            if (streamByteArrayInput != null) {
                streamByteArrayInput.close();
            }
        } catch (IOException exceptIO) {
            IO.logger.log(Level.WARNING, "Error closing ByteArrayInputStream", exceptIO);
        }
    }
}
/* goodB2G2() - use badsource and goodsink by reversing statements in second if */
/* Source: the first line of a fixed file path, parsed as an int.
 * Sink: squares data only after a bounds check, so the int multiplication cannot overflow. */
private void goodB2G2() throws Throwable {
    int data;
    if (PRIVATE_STATIC_FINAL_FIVE == 5) {
        data = Integer.MIN_VALUE; /* Initialize data */
        {
            File file = new File("C:\\data.txt");
            FileInputStream streamFileInput = null;
            InputStreamReader readerInputStream = null;
            BufferedReader readerBuffered = null;
            try {
                /* read string from file into data */
                streamFileInput = new FileInputStream(file);
                readerInputStream = new InputStreamReader(streamFileInput, "UTF-8");
                readerBuffered = new BufferedReader(readerInputStream);
                /* POTENTIAL FLAW: Read data from a file */
                /* This will be reading the first "line" of the file, which
                 * could be very long if there are little or no newlines in the file */
                String stringNumber = readerBuffered.readLine();
                if (stringNumber != null) /* avoid NPD incidental warnings (readLine() returns null on an empty file) */
                {
                    try {
                        data = Integer.parseInt(stringNumber.trim());
                    } catch (NumberFormatException exceptNumberFormat) {
                        /* data keeps its Integer.MIN_VALUE initial value on a parse failure */
                        IO.logger.log(Level.WARNING, "Number format exception parsing data from string", exceptNumberFormat);
                    }
                }
            } catch (IOException exceptIO) {
                IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO);
            } finally {
                /* Close stream reading objects; each close is attempted and logged independently */
                try {
                    if (readerBuffered != null) {
                        readerBuffered.close();
                    }
                } catch (IOException exceptIO) {
                    IO.logger.log(Level.WARNING, "Error closing BufferedReader", exceptIO);
                }
                try {
                    if (readerInputStream != null) {
                        readerInputStream.close();
                    }
                } catch (IOException exceptIO) {
                    IO.logger.log(Level.WARNING, "Error closing InputStreamReader", exceptIO);
                }
                try {
                    if (streamFileInput != null) {
                        streamFileInput.close();
                    }
                } catch (IOException exceptIO) {
                    IO.logger.log(Level.WARNING, "Error closing FileInputStream", exceptIO);
                }
            }
        }
    } else {
        /* INCIDENTAL: CWE 561 Dead Code, the code below will never run
         * but ensure data is initialized before the Sink to avoid compiler errors */
        data = 0;
    }
    if (PRIVATE_STATIC_FINAL_FIVE == 5) {
        /* FIX: Add a check to prevent an overflow from occurring */
        /* NOTE: Math.abs of the minimum int or long will return that same value, so we must check for it.
         * Because data starts at Integer.MIN_VALUE, an unreadable or unparsable file ends up in the else branch. */
        if ((data != Integer.MIN_VALUE) && (data != Long.MIN_VALUE) && (Math.abs(data) <= (long) Math.sqrt(Integer.MAX_VALUE))) {
            int result = (int) (data * data);
            IO.writeLine("result: " + result);
        } else {
            IO.writeLine("data value is too large to perform squaring.");
        }
    }
}
/* goodB2G2() - use badsource and goodsink by reversing statements in second if */
/* Source: column 1 of a fixed, parameterless database query, parsed as an int.
 * Sink: squares data only after a bounds check, so the int multiplication cannot overflow. */
private void goodB2G2() throws Throwable {
    int data;
    if (IO.staticTrue) {
        data = Integer.MIN_VALUE; /* Initialize data */
        /* Read data from a database */
        {
            Connection connection = null;
            PreparedStatement preparedStatement = null;
            ResultSet resultSet = null;
            try {
                /* setup the connection */
                connection = IO.getDBConnection();
                /* prepare and execute a (hardcoded) query - the SQL is a constant literal with no bound parameters */
                preparedStatement = connection.prepareStatement("select name from users where id=0");
                resultSet = preparedStatement.executeQuery();
                /* POTENTIAL FLAW: Read data from a database query resultset */
                /* NOTE(review): getString(1) is called without a preceding next(); whether that is valid
                 * depends on the driver behind IO.getDBConnection() - confirm against the project's IO class */
                String stringNumber = resultSet.getString(1);
                if (stringNumber != null) /* avoid NPD incidental warnings */
                {
                    try {
                        data = Integer.parseInt(stringNumber.trim());
                    } catch (NumberFormatException exceptNumberFormat) {
                        /* data keeps its Integer.MIN_VALUE initial value on a parse failure */
                        IO.logger.log(Level.WARNING, "Number format exception parsing data from string", exceptNumberFormat);
                    }
                }
            } catch (SQLException exceptSql) {
                IO.logger.log(Level.WARNING, "Error with SQL statement", exceptSql);
            } finally {
                /* Close database objects; each close is attempted and logged independently */
                try {
                    if (resultSet != null) {
                        resultSet.close();
                    }
                } catch (SQLException exceptSql) {
                    IO.logger.log(Level.WARNING, "Error closing ResultSet", exceptSql);
                }
                try {
                    if (preparedStatement != null) {
                        preparedStatement.close();
                    }
                } catch (SQLException exceptSql) {
                    IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql);
                }
                try {
                    if (connection != null) {
                        connection.close();
                    }
                } catch (SQLException exceptSql) {
                    IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
                }
            }
        }
    } else {
        /* INCIDENTAL: CWE 561 Dead Code, the code below will never run
         * but ensure data is initialized before the Sink to avoid compiler errors */
        data = 0;
    }
    if (IO.staticTrue) {
        /* FIX: Add a check to prevent an overflow from occurring */
        /* NOTE: Math.abs of the minimum int or long will return that same value, so we must check for it.
         * Because data starts at Integer.MIN_VALUE, a failed query or parse ends up in the else branch. */
        if ((data != Integer.MIN_VALUE) && (data != Long.MIN_VALUE) && (Math.abs(data) <= (long) Math.sqrt(Integer.MAX_VALUE))) {
            int result = (int) (data * data);
            IO.writeLine("result: " + result);
        } else {
            IO.writeLine("data value is too large to perform squaring.");
        }
    }
}