/* goodG2B() - use goodsource and badsink */
/* Sink half of the goodG2B case: writes `data` to the servlet response
 * without first checking request.isSecure(), so the transport may be
 * plain HTTP. It is "good" only because the source paired with it sends
 * non-sensitive data. A failed getWriter() is reported via IO.writeLine;
 * the writer, when obtained, is always closed. */
public void goodG2B_sink(String data, HttpServletRequest request, HttpServletResponse response) throws Throwable {
    PrintWriter writer = null;
    try {
        writer = response.getWriter();
        /* POTENTIAL FLAW: transmitting login credentials across a possibly non-SSL connection */
        writer.println(data);
    } catch (IOException e) {
        /* getWriter() is the only call here that throws IOException */
        IO.writeLine("There was a problem writing");
    } finally {
        /* writer stays null when getWriter() failed, so there is nothing to close */
        if (writer != null) {
            writer.close();
        }
    }
}
/* goodB2G() - use badsource and goodsink */
/* Sink half of the goodB2G case: `data` is only written when the container
 * reports the request arrived over a secure channel (request.isSecure());
 * on a non-secure request nothing is written and no writer is opened.
 * A failed getWriter() is reported via IO.writeLine; an opened writer is
 * always closed. */
public void goodB2G_sink(String data, HttpServletRequest request, HttpServletResponse response) throws Throwable {
    PrintWriter writer = null;
    try {
        /* FIX: ensure the connection is secure */
        if (!request.isSecure()) {
            /* guard clause: leave without writing; finally still runs but writer is null */
            return;
        }
        writer = response.getWriter();
        writer.println(data);
    } catch (IOException e) {
        /* getWriter() is the only call here that throws IOException */
        IO.writeLine("There was a problem writing");
    } finally {
        if (writer != null) {
            writer.close();
        }
    }
}
/* goodG2B1() - use goodsource and badsink by changing the first switch to switch(5) */
/* Both switch statements use constant selectors, so the path is fixed:
 * switch(5) never matches case 6 and falls to default (the non-sensitive
 * weather string); switch(7) always takes case 7 (the sink that writes
 * without checking request.isSecure()). The other branches are kept as
 * intentionally dead code so the test case shape matches its siblings. */
private void goodG2B1(HttpServletRequest request, HttpServletResponse response) throws Throwable {
    String data;
    switch (5) {
    case 6:
        /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
        {
            /* POTENTIAL FLAW: sending login credentials information */
            data = "Your username is: user1\nYour password is: w8KNdsa9\n";
        }
        break;
    default:
        {
            /*FIX: send non-sensitive information */
            /* this is the branch actually taken: data carries no credentials */
            data = "The weather is San Diego is 75 and sunny";
        }
        break;
    }
    switch (7) {
    case 7:
        /* branch actually taken: writes data over whatever transport the request used */
        {
            PrintWriter out = null;
            try {
                out = response.getWriter();
                /* POTENTIAL FLAW: transmitting login credentials across a possibly non-SSL connection */
                out.println(data);
            } catch (IOException e) {
                /* getWriter() is the only call here that throws IOException */
                IO.writeLine("There was a problem writing");
            } finally {
                if (out != null) {
                    out.close();
                }
            }
        }
        break;
    default:
        /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
        {
            PrintWriter out = null;
            try {
                /* FIX: ensure the connection is secure */
                /* the secure sink: nothing is written unless request.isSecure() is true */
                if (request.isSecure()) {
                    out = response.getWriter();
                    out.println(data);
                }
            } catch (IOException e) {
                IO.writeLine("There was a problem writing");
            } finally {
                if (out != null) {
                    out.close();
                }
            }
        }
        break;
    }
}
/* goodG2B1() - use goodsource and badsink by changing first IO.static_final_five==5 to IO.static_final_five!=5 */
/* Control flow is decided by IO.static_final_five (declared elsewhere; the
 * test name and the INCIDENTAL comments say it equals 5). With that value
 * the first `if` takes its else branch (non-sensitive weather string) and
 * the second `if` takes its then branch (the sink that writes without
 * checking request.isSecure()). The remaining branches are intentionally
 * dead code kept so the test case shape matches its siblings. */
private void goodG2B1(HttpServletRequest request, HttpServletResponse response) throws Throwable {
    String data;
    if (IO.static_final_five != 5) {
        /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
        /* POTENTIAL FLAW: sending sensitive information */
        data = "This is your bank account info: Account Number: 12345, Balance: $1,000,000";
    } else {
        /*FIX: send non-sensitive information */
        /* this is the branch actually taken: data carries no account details */
        data = "The weather is San Diego is 75 and sunny";
    }
    if (IO.static_final_five == 5) {
        /* branch actually taken: writes data over whatever transport the request used */
        PrintWriter out = null;
        try {
            out = response.getWriter();
            /* POTENTIAL FLAW: transmitting sensitive info across a possibly non-SSL connection */
            out.println(data);
        } catch (IOException e) {
            /* getWriter() is the only call here that throws IOException */
            IO.writeLine("There was a problem writing");
        } finally {
            if (out != null) {
                out.close();
            }
        }
    } else {
        /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
        PrintWriter out = null;
        try {
            /* FIX: ensure the connection is secure */
            /* the secure sink: nothing is written unless request.isSecure() is true */
            if (request.isSecure()) {
                out = response.getWriter();
                out.println(data);
            }
        } catch (IOException e) {
            IO.writeLine("There was a problem writing");
        } finally {
            if (out != null) {
                out.close();
            }
        }
    }
}
/* bad() - the branch taken depends on IO.static_returns_t_or_f() (declared
 * elsewhere). The first branch opens a plain java.net.Socket to
 * "remote_host":1337 and writes "plaintext send" in the clear; the second
 * opens an SSLSocket from the default SSLSocketFactory to the same endpoint
 * and writes "encrypted send". Connection or write errors are reported via
 * IO.writeLine; close errors are logged to the "local-logger" logger.
 * Streams are closed innermost-first, then the socket. */
public void bad() throws Throwable {
    if (IO.static_returns_t_or_f()) {
        java.util.logging.Logger plainLog = java.util.logging.Logger.getLogger("local-logger");
        Socket plainSocket = null;
        PrintWriter plainOut = null;
        try {
            plainSocket = new Socket("remote_host", 1337);
            /* autoflush=true so println() pushes the line to the socket immediately */
            plainOut = new PrintWriter(plainSocket.getOutputStream(), true);
            /* FLAW: sending over an unencrypted (non-SSL) channel */
            plainOut.println("plaintext send");
        } catch (Exception ex) {
            IO.writeLine("Error writing to the socket");
        } finally {
            /* each close is isolated so a failing writer close still lets the socket close */
            try {
                if (plainOut != null) {
                    plainOut.close();
                }
            } catch (Exception e) {
                plainLog.warning("Error closing out");
            }
            try {
                if (plainSocket != null) {
                    plainSocket.close();
                }
            } catch (Exception e) {
                plainLog.warning("Error closing sock");
            }
        }
    } else {
        java.util.logging.Logger tlsLog = java.util.logging.Logger.getLogger("local-logger");
        OutputStream rawStream = null;
        BufferedWriter buffered = null;
        OutputStreamWriter encoder = null;
        SSLSocketFactory tlsFactory = null;
        SSLSocket tlsSocket = null;
        try {
            /* getDefault() returns a SocketFactory; the cast is needed to get the SSL type */
            tlsFactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            tlsSocket = (SSLSocket) tlsFactory.createSocket("remote_host", 1337);
            /* NOTE(review): no endpoint identification algorithm is set on this
             * socket, so the TLS handshake authenticates the certificate chain
             * but not that it belongs to "remote_host" - confirm whether the
             * test case intends that. */
            rawStream = tlsSocket.getOutputStream();
            /* OutputStreamWriter with no explicit charset uses the platform default */
            encoder = new OutputStreamWriter(rawStream);
            buffered = new BufferedWriter(encoder);
            /* FIX: sending over an SSL encrypted channel */
            buffered.write("encrypted send");
            /* BufferedWriter holds the bytes until flushed */
            buffered.flush();
        } catch (Exception ex) {
            IO.writeLine("Error writing to the socket");
        } finally {
            /* close the outer writer first; the inner writer is closed in the
             * nested finally even if the outer close throws */
            try {
                if (buffered != null) {
                    buffered.close();
                }
            } catch (IOException e) {
                tlsLog.warning("Error closing bWriter");
            } finally {
                try {
                    if (encoder != null) {
                        encoder.close();
                    }
                } catch (IOException e) {
                    tlsLog.warning("Error closing outStreamWriter");
                }
            }
            try {
                if (tlsSocket != null) {
                    tlsSocket.close();
                }
            } catch (Exception e) {
                tlsLog.warning("Error closing sslsocket");
            }
        }
    }
}