public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
Logger log_bad = Logger.getLogger("local-logger");
data = "";
/* parse the query string for value of 'id' */
String id_str = null;
StringTokenizer st = new StringTokenizer(request.getQueryString(), "&");
while (st.hasMoreTokens()) {
String token = st.nextToken();
int i = token.indexOf("=");
if ((i > 0) && (i < (token.length() - 1)) && (token.substring(0, i).equals("id"))) {
id_str = token.substring(i + 1);
break;
}
}
if (id_str != null) {
Connection conn = null;
PreparedStatement statement = null;
ResultSet rs = null;
try {
int id = Integer.parseInt(id_str);
conn = IO.getDBConnection();
statement = conn.prepareStatement("select * from pages where id=?");
/* FLAW: no check to see whether the user has privileges to view the data */
statement.setInt(1, id);
rs = statement.executeQuery();
data = rs.toString();
} catch (SQLException se) {
log_bad.warning("Error");
} finally {
/* clean up database objects */
try {
if (rs != null) {
rs.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing rs");
} finally {
try {
if (statement != null) {
statement.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing statement");
} finally {
try {
if (conn != null) {
conn.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing conn");
}
}
}
}
}
{
try {
int iConversion = Integer.valueOf(data);
} catch (Exception e) {
e.printStackTrace(); /* POTENTIAL FLAW: Print stack trace on error */
}
}
if (true) return; /* INCIDENTAL: CWE 571 Expression is Always True.
We need the "if(true)" because the Java Language Spec requires that
unreachable code generate a compiler error */
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
{
try {
int iConversion = Integer.valueOf(data);
} catch (Exception e) {
IO.writeLine("There was an error parsing the string"); /* FIX: print a generic message */
}
}
}
public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
Logger log_bad = Logger.getLogger("local-logger");
data = "";
/* parse the query string for value of 'id' */
String id_str = null;
StringTokenizer st = new StringTokenizer(request.getQueryString(), "&");
while (st.hasMoreTokens()) {
String token = st.nextToken();
int i = token.indexOf("=");
if ((i > 0) && (i < (token.length() - 1)) && (token.substring(0, i).equals("id"))) {
id_str = token.substring(i + 1);
break;
}
}
if (id_str != null) {
Connection conn = null;
PreparedStatement statement = null;
ResultSet rs = null;
try {
int id = Integer.parseInt(id_str);
conn = IO.getDBConnection();
statement = conn.prepareStatement("select * from pages where id=?");
/* FLAW: no check to see whether the user has privileges to view the data */
statement.setInt(1, id);
rs = statement.executeQuery();
data = rs.toString();
} catch (SQLException se) {
log_bad.warning("Error");
} finally {
/* clean up database objects */
try {
if (rs != null) {
rs.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing rs");
} finally {
try {
if (statement != null) {
statement.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing statement");
} finally {
try {
if (conn != null) {
conn.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing conn");
}
}
}
}
}
(new CWE89_SQL_Injection__getQueryStringServlet_executeUpdate_53b())
.bad_sink(data, request, response);
}
/* goodB2G() - use badsource and goodsink */
private void goodB2G(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
Logger log_bad = Logger.getLogger("local-logger");
data = "";
/* parse the query string for value of 'id' */
String id_str = null;
StringTokenizer st = new StringTokenizer(request.getQueryString(), "&");
while (st.hasMoreTokens()) {
String token = st.nextToken();
int i = token.indexOf("=");
if ((i > 0) && (i < (token.length() - 1)) && (token.substring(0, i).equals("id"))) {
id_str = token.substring(i + 1);
break;
}
}
if (id_str != null) {
Connection conn = null;
PreparedStatement statement = null;
ResultSet rs = null;
try {
int id = Integer.parseInt(id_str);
conn = IO.getDBConnection();
statement = conn.prepareStatement("select * from pages where id=?");
/* FLAW: no check to see whether the user has privileges to view the data */
statement.setInt(1, id);
rs = statement.executeQuery();
data = rs.toString();
} catch (SQLException se) {
log_bad.warning("Error");
} finally {
/* clean up database objects */
try {
if (rs != null) {
rs.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing rs");
} finally {
try {
if (statement != null) {
statement.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing statement");
} finally {
try {
if (conn != null) {
conn.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing conn");
}
}
}
}
}
if (!data.equals("Testing.test")
&& /* FIX: classname must be one of 2 values */ !data.equals("Test.test")) {
return;
}
Class<?> c = Class.forName(data);
Object instance = c.newInstance();
IO.writeLine(instance.toString());
}
/* goodB2G2() - use badsource and goodsink by reversing the blocks in the second switch */
private void goodB2G2(HttpServletRequest request, HttpServletResponse response) throws Throwable {
int data;
switch (6) {
case 6:
{
Logger log_bad = Logger.getLogger("local-logger");
/* init Data$ */
data = -1;
/* parse the query string for value of 'id' */
String id_str = null;
StringTokenizer st = new StringTokenizer(request.getQueryString(), "&");
while (st.hasMoreTokens()) {
String token = st.nextToken();
int i = token.indexOf("=");
if ((i > 0) && (i < (token.length() - 1)) && (token.substring(0, i).equals("id"))) {
id_str = token.substring(i + 1);
break;
}
}
if (id_str != null) {
Connection conn = null;
PreparedStatement statement = null;
ResultSet rs = null;
try {
int id = Integer.parseInt(id_str);
conn = IO.getDBConnection();
statement = conn.prepareStatement("select * from pages where id=?");
/* FLAW: no check to see whether the user has privileges to view the data */
statement.setInt(1, id);
rs = statement.executeQuery();
String s_data = rs.toString();
data = Integer.parseInt(s_data.trim());
} catch (SQLException se) {
log_bad.warning("Error");
} finally {
/* clean up database objects */
try {
if (rs != null) {
rs.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing rs");
} finally {
try {
if (statement != null) {
statement.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing statement");
} finally {
try {
if (conn != null) {
conn.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing conn");
}
}
}
}
}
}
break;
default:
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
{
java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger");
/* FIX: Use a hardcoded number that won't cause underflow, overflow,
divide by zero, or loss-of-precision issues */
data = 2;
}
break;
}
switch (7) {
case 7:
{
/* FIX: test for a zero modulus */
if (data != 0) {
IO.writeLine("100%" + String.valueOf(data) + " = " + (100 % data) + "\n");
} else {
IO.writeLine("This would result in a modulo by zero");
}
}
break;
default:
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
{
/* POTENTIAL FLAW: Zero modulus will cause an issue. An integer division will
result in an exception. */
IO.writeLine("100%" + String.valueOf(data) + " = " + (100 % data) + "\n");
}
break;
}
}
public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
if (IO.static_returns_t_or_f()) {
Logger log_bad = Logger.getLogger("local-logger");
data = "";
/* parse the query string for value of 'id' */
String id_str = null;
StringTokenizer st = new StringTokenizer(request.getQueryString(), "&");
while (st.hasMoreTokens()) {
String token = st.nextToken();
int i = token.indexOf("=");
if ((i > 0) && (i < (token.length() - 1)) && (token.substring(0, i).equals("id"))) {
id_str = token.substring(i + 1);
break;
}
}
if (id_str != null) {
Connection conn = null;
PreparedStatement statement = null;
ResultSet rs = null;
try {
int id = Integer.parseInt(id_str);
conn = IO.getDBConnection();
statement = conn.prepareStatement("select * from pages where id=?");
/* FLAW: no check to see whether the user has privileges to view the data */
statement.setInt(1, id);
rs = statement.executeQuery();
data = rs.toString();
} catch (SQLException se) {
log_bad.warning("Error");
} finally {
/* clean up database objects */
try {
if (rs != null) {
rs.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing rs");
} finally {
try {
if (statement != null) {
statement.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing statement");
} finally {
try {
if (conn != null) {
conn.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing conn");
}
}
}
}
}
} else {
java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger");
/* FIX: Use a hardcoded string */
data = "foo";
}
if (IO.static_returns_t_or_f()) {
String names[] = data.split("-");
int iSuccess = 0;
Logger log2 = Logger.getLogger("local-logger");
Connection conn_tmp2 = null;
Statement sqlstatement = null;
try {
conn_tmp2 = IO.getDBConnection();
sqlstatement = conn_tmp2.createStatement();
for (int i = 0; i < names.length; ++i) {
/* POTENTIAL FLAW: take user input and place into dynamic sql query */
sqlstatement.addBatch(
"update users set hitcount=hitcount+1 where name='" + names[i] + "'");
}
int dbResults[] = sqlstatement.executeBatch();
for (int i = 0; i < names.length; ++i) {
if (dbResults[i] > 0) {
iSuccess++;
}
}
IO.writeString("Succeeded in " + iSuccess + " out of " + names.length + " queries.");
} catch (SQLException se) {
log2.warning("Error getting database connection");
} finally {
try {
if (sqlstatement != null) {
sqlstatement.close();
}
} catch (SQLException e) {
log2.warning("Error closing sqlstatement");
} finally {
try {
if (conn_tmp2 != null) {
conn_tmp2.close();
}
} catch (SQLException e) {
log2.warning("Error closing conn_tmp2");
}
}
}
} else {
String names[] = data.split("-");
int iSuccess = 0;
Logger log2 = Logger.getLogger("local-logger");
Connection conn_tmp2 = null;
PreparedStatement sqlstatement = null;
try {
/* FIX: use prepared sqlstatement */
conn_tmp2 = IO.getDBConnection();
sqlstatement =
conn_tmp2.prepareStatement("update users set hitcount=hitcount+1 where name=?");
for (int i = 0; i < names.length; ++i) {
sqlstatement.setString(1, names[i]);
sqlstatement.addBatch();
}
int dbResults[] = sqlstatement.executeBatch();
for (int i = 0; i < names.length; ++i) {
if (dbResults[i] > 0) {
iSuccess++;
}
}
IO.writeString("Succeeded in " + iSuccess + " out of " + names.length + " queries.");
} catch (SQLException se) {
log2.warning("Error getting database connection");
} finally {
try {
if (sqlstatement != null) {
sqlstatement.close();
}
} catch (SQLException e) {
log2.warning("Error closing sqlstatement");
} finally {
try {
if (conn_tmp2 != null) {
conn_tmp2.close();
}
} catch (SQLException e) {
log2.warning("Error closing conn_tmp2");
}
}
}
}
}
/* goodB2G2() - use badsource and goodsink by reversing the blocks in the second switch */
private void goodB2G2(HttpServletRequest request, HttpServletResponse response) throws Throwable {
int data;
switch (6) {
case 6:
{
Logger log_bad = Logger.getLogger("local-logger");
/* init Data$ */
data = -1;
/* parse the query string for value of 'id' */
String id_str = null;
StringTokenizer st = new StringTokenizer(request.getQueryString(), "&");
while (st.hasMoreTokens()) {
String token = st.nextToken();
int i = token.indexOf("=");
if ((i > 0) && (i < (token.length() - 1)) && (token.substring(0, i).equals("id"))) {
id_str = token.substring(i + 1);
break;
}
}
if (id_str != null) {
Connection conn = null;
PreparedStatement statement = null;
ResultSet rs = null;
try {
int id = Integer.parseInt(id_str);
conn = IO.getDBConnection();
statement = conn.prepareStatement("select * from pages where id=?");
/* FLAW: no check to see whether the user has privileges to view the data */
statement.setInt(1, id);
rs = statement.executeQuery();
String s_data = rs.toString();
data = Integer.parseInt(s_data.trim());
} catch (SQLException se) {
log_bad.warning("Error");
} finally {
/* clean up database objects */
try {
if (rs != null) {
rs.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing rs");
} finally {
try {
if (statement != null) {
statement.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing statement");
} finally {
try {
if (conn != null) {
conn.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing conn");
}
}
}
}
}
}
break;
default:
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
{
java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger");
/* FIX: Use a hardcoded number that won't cause underflow, overflow,
divide by zero, or loss-of-precision issues */
data = 2;
}
break;
}
switch (7) {
case 7:
{
int result = 0;
int valueToAdd = (new SecureRandom()).nextInt(99) + 1; /* adding at least 1 */
/* FIX: Add a check to prevent an overflow from occurring */
if (data <= (Integer.MAX_VALUE - valueToAdd)) {
result = (data + valueToAdd);
IO.writeLine("result: " + result);
} else {
IO.writeLine("Input value is too large to perform addition.");
}
}
break;
default:
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
{
int valueToAdd = (new SecureRandom()).nextInt(99) + 1; /* adding at least 1 */
/* POTENTIAL FLAW: if (data+valueToAdd) > MAX_VALUE, this will overflow */
int result = (data + valueToAdd);
IO.writeLine("result: " + result);
}
break;
}
}
public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
/* We need to have one source outside of a for loop in order
to prevent the Java compiler from generating an error because
data is uninitialized */
Logger log_bad = Logger.getLogger("local-logger");
data = "";
/* parse the query string for value of 'id' */
String id_str = null;
StringTokenizer st = new StringTokenizer(request.getQueryString(), "&");
while (st.hasMoreTokens()) {
String token = st.nextToken();
int i = token.indexOf("=");
if ((i > 0) && (i < (token.length() - 1)) && (token.substring(0, i).equals("id"))) {
id_str = token.substring(i + 1);
break;
}
}
if (id_str != null) {
Connection conn = null;
PreparedStatement statement = null;
ResultSet rs = null;
try {
int id = Integer.parseInt(id_str);
conn = IO.getDBConnection();
statement = conn.prepareStatement("select * from pages where id=?");
/* FLAW: no check to see whether the user has privileges to view the data */
statement.setInt(1, id);
rs = statement.executeQuery();
data = rs.toString();
} catch (SQLException se) {
log_bad.warning("Error");
} finally {
/* clean up database objects */
try {
if (rs != null) {
rs.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing rs");
} finally {
try {
if (statement != null) {
statement.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing statement");
} finally {
try {
if (conn != null) {
conn.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing conn");
}
}
}
}
}
for (int for_index_i = 0; for_index_i < 0; for_index_i++) {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger");
/* FIX: Use a hardcoded string */
data = "foo";
}
for (int for_index_j = 0; for_index_j < 1; for_index_j++) {
/* POTENTIAL FLAW: Input from file not verified */
response.addHeader("Location", "/author.jsp?lang=" + data);
}
for (int for_index_k = 0; for_index_k < 0; for_index_k++) {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
/* FIX: use URLEncoder.encode to hex-encode non-alphanumerics */
data = URLEncoder.encode(data, "UTF-16");
response.addHeader("Location", "/author.jsp?lang=" + data);
}
}
