private void good1() throws Throwable {
String fn = ".\\src\\testcases\\CWE379_File_Creation_in_Insecure_Dir\\basic\\insecureDir";
File dir = new File(fn);
if (dir.exists()) {
IO.writeLine("Directory already exists");
if (dir.delete()) {
IO.writeLine("Directory deleted");
} else {
return;
}
}
if (!dir.getParentFile().canWrite()) {
IO.writeLine("Cannot write to parent dir");
}
/* FIX: explicitly set directory permissions */
dir.setExecutable(false, true);
dir.setReadable(true);
dir.setWritable(false, true);
try {
boolean success = dir.mkdir();
if (success) {
IO.writeLine("Directory created");
File file = new File(dir.getAbsolutePath() + "\\newFile.txt");
file.createNewFile();
}
} catch (Exception e) {
System.out.println(e.getMessage());
}
}
/* goodB2G2() - use badsource and goodsink by reversing statements in second if */
private void goodB2G2() throws Throwable {
String data;
/* INCIDENTAL: CWE 571 Statement is Always True */
if (IO.static_t) {
Logger log_bad = Logger.getLogger("local-logger");
data = ""; /* init data */
File f = new File("C:\\data.txt");
BufferedReader buffread = null;
FileReader fread = null;
try {
/* read string from file into data */
fread = new FileReader(f);
buffread = new BufferedReader(fread);
data = buffread.readLine(); // This will be reading the first "line" of the file, which
// could be very long if there are little or no newlines in the file\
} catch (IOException ioe) {
log_bad.warning("Error with stream reading");
} catch (NumberFormatException nfe) {
log_bad.warning("Error with number parsing");
} finally {
/* clean up stream reading objects */
try {
if (buffread != null) {
buffread.close();
}
} catch (IOException ioe) {
log_bad.warning("Error closing buffread");
} finally {
try {
if (fread != null) {
fread.close();
}
} catch (IOException ioe) {
log_bad.warning("Error closing fread");
}
}
}
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
data = "Testing.test";
}
/* INCIDENTAL: CWE 571 Statement is Always True */
if (IO.static_t) {
if (!data.equals("Testing.test")
&& /* FIX: classname must be one of 2 values */ !data.equals("Test.test")) {
return;
}
Class<?> c = Class.forName(data);
Object instance = c.newInstance();
IO.writeLine(instance.toString());
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
Class<?> c = Class.forName(data); /* FLAW: loading arbitrary class */
Object instance = c.newInstance();
IO.writeLine(instance.toString());
}
}
public void bad() throws Throwable {
String fn =
".\\src\\testcases\\CWE379_File_Creation_in_Insecure_Dir\\insecureDir"; /* may have to be changed depending on script */
/* POSSIBLE FLAW: potentially insecure directory permissions */
File dir = new File(fn);
if (dir.exists()) {
IO.writeLine("Directory already exists");
if (dir.delete()) {
IO.writeLine("Directory deleted");
} else {
return;
}
}
if (!dir.getParentFile().canWrite()) {
IO.writeLine("Cannot write to parent dir");
}
try {
boolean success = dir.mkdir();
if (success) {
IO.writeLine("Directory created");
File file = new File(dir.getAbsolutePath() + "\\newFile.txt");
file.createNewFile();
}
} catch (Exception e) {
System.out.println(e.getMessage());
}
}
/* goodG2B2() - use goodsource and badsink by reversing statements in first if */
private void goodG2B2() throws Throwable {
String data;
/* INCIDENTAL: CWE 571 Statement is Always True */
if (5 == 5) {
data = "Testing.test";
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
Logger log_bad = Logger.getLogger("local-logger");
data = ""; /* init data */
/* read user input from console with readLine*/
BufferedReader buffread = null;
InputStreamReader instrread = null;
try {
instrread = new InputStreamReader(System.in);
buffread = new BufferedReader(instrread);
data = buffread.readLine();
} catch (IOException ioe) {
log_bad.warning("Error with stream reading");
} finally {
/* clean up stream reading objects */
try {
if (buffread != null) {
buffread.close();
}
} catch (IOException ioe) {
log_bad.warning("Error closing buffread");
} finally {
try {
if (instrread != null) {
instrread.close();
}
} catch (IOException ioe) {
log_bad.warning("Error closing instrread");
}
}
}
}
/* INCIDENTAL: CWE 571 Statement is Always True */
if (5 == 5) {
Class<?> c = Class.forName(data); /* FLAW: loading arbitrary class */
Object instance = c.newInstance();
IO.writeLine(instance.toString());
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
if (!data.equals("Testing.test")
&& /* FIX: classname must be one of 2 values */ !data.equals("Test.test")) {
return;
}
Class<?> c = Class.forName(data);
Object instance = c.newInstance();
IO.writeLine(instance.toString());
}
}
public void bad() throws Throwable {
String data;
/* INCIDENTAL: CWE 571 Statement is Always True */
if (private_final_five == 5) {
Logger log_bad = Logger.getLogger("local-logger");
data = ""; /* init data */
URLConnection conn = (new URL("http://www.example.org/")).openConnection();
BufferedReader buffread = null;
InputStreamReader instrread = null;
try {
/* read input from URLConnection */
instrread = new InputStreamReader(conn.getInputStream());
buffread = new BufferedReader(instrread);
data = buffread.readLine(); // This will be reading the first "line" of the response body,
// which could be very long if there are no newlines in the HTML
} catch (IOException ioe) {
log_bad.warning("Error with stream reading");
} finally {
/* clean up stream reading objects */
try {
if (buffread != null) {
buffread.close();
}
} catch (IOException ioe) {
log_bad.warning("Error closing buffread");
} finally {
try {
if (instrread != null) {
instrread.close();
}
} catch (IOException ioe) {
log_bad.warning("Error closing instrread");
}
}
}
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
data = "Testing.test";
}
/* INCIDENTAL: CWE 571 Statement is Always True */
if (private_final_five == 5) {
Class<?> c = Class.forName(data); /* FLAW: loading arbitrary class */
Object instance = c.newInstance();
IO.writeLine(instance.toString());
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
if (!data.equals("Testing.test")
&& /* FIX: classname must be one of 2 values */ !data.equals("Test.test")) {
return;
}
Class<?> c = Class.forName(data);
Object instance = c.newInstance();
IO.writeLine(instance.toString());
}
}
/* goodG2B1() - use goodsource and badsink by changing the first switch to switch(5) */
private void goodG2B1(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
switch (5) {
case 6:
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
{
/* POTENTIAL FLAW: sending login credentials information */
data = "Your username is: user1\nYour password is: w8KNdsa9\n";
}
break;
default:
{
/*FIX: send non-sensitive information */
data = "The weather is San Diego is 75 and sunny";
}
break;
}
switch (7) {
case 7:
{
PrintWriter out = null;
try {
out = response.getWriter();
/* POTENTIAL FLAW: transmitting login credentials across a possibly non-SSL connection */
out.println(data);
} catch (IOException e) {
IO.writeLine("There was a problem writing");
} finally {
if (out != null) {
out.close();
}
}
}
break;
default:
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
{
PrintWriter out = null;
try {
/* FIX: ensure the connection is secure */
if (request.isSecure()) {
out = response.getWriter();
out.println(data);
}
} catch (IOException e) {
IO.writeLine("There was a problem writing");
} finally {
if (out != null) {
out.close();
}
}
}
break;
}
}
/* good2() reverses the bodies in the if statement */
private void good2() throws Throwable {
if (IO.static_final_five == 5) {
/* FIX: don't have those types of comments :) */
IO.writeLine("This a test of the emergency broadcast system");
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
/* FLAW: This is the suspicious comment */
/* LATER: There is a bug at this location...I'm not sure why! */
IO.writeLine("This a test of the emergency broadcast system");
}
}
/* good2() reverses the bodies in the if statement */
private void good2() throws Throwable {
if (IO.static_returns_t()) {
/* FIX: use SecureRandom to be cryptographically secure */
SecureRandom rand = new SecureRandom();
IO.writeLine("Random int: " + rand.nextInt(100));
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
Random rand = new Random();
/* FLAW: seed is static, making the numbers always occur in the same sequence */
rand.setSeed(123456);
IO.writeLine("Random int: " + rand.nextInt(100));
}
}
/* good1() changes IO.staticReturnsTrue() to IO.staticReturnsFalse() */
private void good1() throws Throwable {
if (IO.staticReturnsFalse()) {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
IO.writeLine("Benign, fixed string");
} else {
BufferedReader readerBuffered = null;
InputStreamReader readerInputStream = null;
try {
readerInputStream = new InputStreamReader(System.in, "UTF-8");
readerBuffered = new BufferedReader(readerInputStream);
double num = 0;
IO.writeString("Enter double number (1e-50): ");
try {
num = Double.parseDouble(readerBuffered.readLine());
} catch (NumberFormatException exceptionNumberFormat) {
IO.writeLine("Error parsing number");
}
/* FIX: check for conversion error */
if (num > Float.MAX_VALUE || num < Float.MIN_VALUE) {
IO.writeLine("Error, cannot safely cast this number to a float!");
return;
}
IO.writeLine("" + (float) num);
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO);
} finally {
try {
if (readerBuffered != null) {
readerBuffered.close();
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error closing BufferedReader", exceptIO);
}
try {
if (readerInputStream != null) {
readerInputStream.close();
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error closing InputStreamReader", exceptIO);
}
}
}
}
/* goodG2B2() - use goodsource and badsink by reversing statements in if */
private void goodG2B2() throws Throwable {
String data;
if (privateFive == 5) {
data = ""; /* init data */
/* FIX: Read data from the console using readLine() */
try {
InputStreamReader readerInputStream = new InputStreamReader(System.in, "UTF-8");
BufferedReader readerBuffered = new BufferedReader(readerInputStream);
/* POTENTIAL FLAW: Read data from the console using readLine */
data = readerBuffered.readLine();
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO);
}
/* NOTE: Tools may report a flaw here because readerBuffered and readerInputStream are not closed. Unfortunately, closing those will close System.in, which will cause any future attempts to read from the console to fail and throw an exception */
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
}
if (data != null) {
KerberosPrincipal principal = new KerberosPrincipal("test");
/* POTENTIAL FLAW: data used as password in KerberosKey() */
KerberosKey key = new KerberosKey(principal, data.toCharArray(), null);
IO.writeLine(key.toString());
}
}
/* goodG2B2() - use goodsource and badsink by reversing statements in if */
private void goodG2B2(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
if (IO.static_final_t) {
java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger");
/* FIX: Use a hardcoded string */
data = "foo";
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
Logger log_bad = Logger.getLogger("local-logger");
/* read parameter from cookie */
Cookie cookieSources[] = request.getCookies();
if (cookieSources != null) {
data = cookieSources[0].getValue();
} else {
data = null;
}
}
String root = "C:\\uploads\\";
/* POTENTIAL FLAW: no validation of concatenated value */
File fIn = new File(root + data);
if (fIn.exists() && fIn.isFile()) {
IO.writeLine(new BufferedReader(new FileReader(fIn)).readLine());
}
}
/* goodG2B() - use goodsource and badsink */
public void goodG2B_sink(String data) throws Throwable {
Class<?> c = Class.forName(data); /* FLAW: loading arbitrary class */
Object instance = c.newInstance();
IO.writeLine(instance.toString());
}
/* uses badsource and badsink */
public void bad() throws Throwable {
String data;
/* get environment variable ADD */
/* POTENTIAL FLAW: Read data from an environment variable */
data = System.getenv("ADD");
String root;
if (System.getProperty("os.name").toLowerCase().indexOf("win") >= 0) {
/* running on Windows */
root = "C:\\uploads\\";
} else {
/* running on non-Windows */
root = "/home/user/uploads/";
}
if (data != null) {
/* POTENTIAL FLAW: no validation of concatenated value */
File file = new File(root + data);
FileInputStream streamFileInputSink = null;
InputStreamReader readerInputStreamSink = null;
BufferedReader readerBufferdSink = null;
if (file.exists() && file.isFile()) {
try {
streamFileInputSink = new FileInputStream(file);
readerInputStreamSink = new InputStreamReader(streamFileInputSink, "UTF-8");
readerBufferdSink = new BufferedReader(readerInputStreamSink);
IO.writeLine(readerBufferdSink.readLine());
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO);
} finally {
/* Close stream reading objects */
try {
if (readerBufferdSink != null) {
readerBufferdSink.close();
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error closing BufferedReader", exceptIO);
}
try {
if (readerInputStreamSink != null) {
readerInputStreamSink.close();
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error closing InputStreamReader", exceptIO);
}
try {
if (streamFileInputSink != null) {
streamFileInputSink.close();
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error closing FileInputStream", exceptIO);
}
}
}
}
}
/* good1() change the conditions on the while statements */
private void good1() throws Throwable {
boolean local_f = false;
while (local_f) {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
/* FLAW: This is the suspicious comment */
/* TODO: There is a bug at this location...I'm not sure why! */
IO.writeLine("This a test of the emergency broadcast system");
break;
}
while (true) {
/* FIX: don't have those types of comments :) */
IO.writeLine("This a test of the emergency broadcast system");
break;
}
}
/* goodG2B() - use goodsource and badsink */
public void goodG2B_sink(String data) throws Throwable {
/* POTENTIAL FLAW: unvalidated or sandboxed value */
File fIn = new File(data);
if (fIn.exists() && fIn.isFile()) {
IO.writeLine(new BufferedReader(new FileReader(fIn)).readLine());
}
}
/* use badsource and badsink */
public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data = bad_source(request, response);
/* POTENTIAL FLAW: unvalidated or sandboxed value */
File fIn = new File(data);
if (fIn.exists() && fIn.isFile()) {
IO.writeLine(new BufferedReader(new FileReader(fIn)).readLine());
}
}
/* good2() reverses the blocks in the switch */
private void good2() throws Throwable {
switch (7) {
case 7:
{
/* FIX: don't have those types of comments :) */
IO.writeLine("This a test of the emergency broadcast system");
}
break;
default:
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
{
/* FLAW: This is the suspicious comment */
/* BUG: There is a bug at this location...I'm not sure why! */
IO.writeLine("This a test of the emergency broadcast system");
}
break;
}
}
/* uses badsource and badsink */
public void bad() throws Throwable {
String data;
boolean local_f = false; /* This local variable is used becuase the
Java compiler will generate an error on while(false) and similar
constructs that evaluate to false. This is the simplest construct
that will always be false and still compile. */
while (local_f) {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger");
/* FIX: Use a hardcoded string */
data = "foo";
}
while (true) {
Logger log_bad = Logger.getLogger("local-logger");
data = ""; /* init data */
File f = new File("C:\\data.txt");
BufferedReader buffread = null;
FileReader fread = null;
try {
/* read string from file into data */
fread = new FileReader(f);
buffread = new BufferedReader(fread);
data = buffread.readLine(); // This will be reading the first "line" of the file, which
// could be very long if there are little or no newlines in the file\
} catch (IOException ioe) {
log_bad.warning("Error with stream reading");
} catch (NumberFormatException nfe) {
log_bad.warning("Error with number parsing");
} finally {
/* clean up stream reading objects */
try {
if (buffread != null) {
buffread.close();
}
} catch (IOException ioe) {
log_bad.warning("Error closing buffread");
} finally {
try {
if (fread != null) {
fread.close();
}
} catch (IOException ioe) {
log_bad.warning("Error closing fread");
}
}
}
break;
}
/* POTENTIAL FLAW: unvalidated or sandboxed value */
File fIn = new File(data);
if (fIn.exists() && fIn.isFile()) {
IO.writeLine(new BufferedReader(new FileReader(fIn)).readLine());
}
}
/* goodG2B() - use goodsource and badsink */
public void goodG2B_sink(String data) throws Throwable {
String root = "C:\\uploads\\";
/* POTENTIAL FLAW: no validation of concatenated value */
File fIn = new File(root + data);
if (fIn.exists() && fIn.isFile()) {
IO.writeLine(new BufferedReader(new FileReader(fIn)).readLine());
}
}
/* goodG2B() - use goodsource and badsink */
public void goodG2BSink(LinkedList<String> dataLinkedList) throws Throwable {
String data = dataLinkedList.remove(2);
if (data != null) {
/* POTENTIAL FLAW: data used as password in PasswordAuthentication() */
PasswordAuthentication credentials = new PasswordAuthentication("user", data.toCharArray());
IO.writeLine(credentials.toString());
}
}
/* goodG2B() - use goodsource and badsink */
private void goodG2B(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
data = "Testing.test";
Class<?> c = Class.forName(data); /* FLAW: loading arbitrary class */
Object instance = c.newInstance();
IO.writeLine(instance.toString());
}
/* goodG2B1() - use goodsource and badsink by changing first IO.static_final_five==5 to IO.static_final_five!=5 */
private void goodG2B1(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
if (IO.static_final_five != 5) {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
/* POTENTIAL FLAW: sending sensitive information */
data = "This is your bank account info: Account Number: 12345, Balance: $1,000,000";
} else {
/*FIX: send non-sensitive information */
data = "The weather is San Diego is 75 and sunny";
}
if (IO.static_final_five == 5) {
PrintWriter out = null;
try {
out = response.getWriter();
/* POTENTIAL FLAW: transmitting sensitive info across a possibly non-SSL connection */
out.println(data);
} catch (IOException e) {
IO.writeLine("There was a problem writing");
} finally {
if (out != null) {
out.close();
}
}
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
PrintWriter out = null;
try {
/* FIX: ensure the connection is secure */
if (request.isSecure()) {
out = response.getWriter();
out.println(data);
}
} catch (IOException e) {
IO.writeLine("There was a problem writing");
} finally {
if (out != null) {
out.close();
}
}
}
}
/* goodG2B1() - use goodsource and badsink by changing 5==5 to 5!=5 */
private void goodG2B1() throws Throwable {
String data;
if (5 != 5) {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
} else {
/* FIX: Use a hardcoded string */
data = "foo";
}
/* POTENTIAL FLAW: unvalidated or sandboxed value */
if (data != null) {
File file = new File(data);
FileInputStream streamFileInputSink = null;
InputStreamReader readerInputStreamSink = null;
BufferedReader readerBufferdSink = null;
if (file.exists() && file.isFile()) {
try {
streamFileInputSink = new FileInputStream(file);
readerInputStreamSink = new InputStreamReader(streamFileInputSink, "UTF-8");
readerBufferdSink = new BufferedReader(readerInputStreamSink);
IO.writeLine(readerBufferdSink.readLine());
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO);
} finally {
/* Close stream reading objects */
try {
if (readerBufferdSink != null) {
readerBufferdSink.close();
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error closing BufferedReader", exceptIO);
}
try {
if (readerInputStreamSink != null) {
readerInputStreamSink.close();
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error closing InputStreamReader", exceptIO);
}
try {
if (streamFileInputSink != null) {
streamFileInputSink.close();
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error closing FileInputStream", exceptIO);
}
}
}
}
}
public void bad() throws Throwable {
for (int j = 0; j < 1; j++) {
BufferedReader readerBuffered = null;
InputStreamReader readerInputStream = null;
try {
/* Enter: 1e-50, result should be 0.0 (for bad case)
*
* Note: alternate input
* 999999999999999999999999999999999999999999999999999999999999999
*/
readerInputStream = new InputStreamReader(System.in, "UTF-8");
readerBuffered = new BufferedReader(readerInputStream);
double doubleNumber = 0;
IO.writeString("Enter double number (1e-50): ");
try {
doubleNumber = Double.parseDouble(readerBuffered.readLine());
} catch (NumberFormatException exceptionNumberFormat) {
IO.writeLine("Error parsing number");
}
/* FLAW: should not cast without checking if conversion is safe */
IO.writeLine("" + (float) doubleNumber);
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO);
} finally {
try {
if (readerBuffered != null) {
readerBuffered.close();
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error closing BufferedReader", exceptIO);
}
try {
if (readerInputStream != null) {
readerInputStream.close();
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error closing InputStreamReader", exceptIO);
}
}
}
}
public void bad() throws Throwable {
boolean local_f = false; /* This local variable is used because the
Java compiler will generate an error on while(false) and similar
constructs that evaluate to false. This is the simplest construct
that will always be false and still compile. */
while (true) {
/* FLAW: This is the suspicious comment */
/* TODO: There is a bug at this location...I'm not sure why! */
IO.writeLine("This a test of the emergency broadcast system");
break;
}
while (local_f) {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
/* FIX: don't have those types of comments :) */
IO.writeLine("This a test of the emergency broadcast system");
break;
}
}
/* uses badsource and badsink */
public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
if (privateTrue) {
/* POTENTIAL FLAW: Read data from a querystring using getParameter */
data = request.getParameter("name");
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
}
/* POTENTIAL FLAW: unvalidated or sandboxed value */
if (data != null) {
File file = new File(data);
FileInputStream streamFileInputSink = null;
InputStreamReader readerInputStreamSink = null;
BufferedReader readerBufferdSink = null;
if (file.exists() && file.isFile()) {
try {
streamFileInputSink = new FileInputStream(file);
readerInputStreamSink = new InputStreamReader(streamFileInputSink, "UTF-8");
readerBufferdSink = new BufferedReader(readerInputStreamSink);
IO.writeLine(readerBufferdSink.readLine());
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO);
} finally {
/* Close stream reading objects */
try {
if (readerBufferdSink != null) {
readerBufferdSink.close();
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error closing BufferedReader", exceptIO);
}
try {
if (readerInputStreamSink != null) {
readerInputStreamSink.close();
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error closing InputStreamReader", exceptIO);
}
try {
if (streamFileInputSink != null) {
streamFileInputSink.close();
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error closing FileInputStream", exceptIO);
}
}
}
}
}
/* good1() use the GoodSinkBody in the for statement */
private void good1() throws Throwable {
for (int k = 0; k < 1; k++) {
BufferedReader readerBuffered = null;
InputStreamReader readerInputStream = null;
try {
readerInputStream = new InputStreamReader(System.in, "UTF-8");
readerBuffered = new BufferedReader(readerInputStream);
double num = 0;
IO.writeString("Enter double number (1e-50): ");
try {
num = Double.parseDouble(readerBuffered.readLine());
} catch (NumberFormatException exceptionNumberFormat) {
IO.writeLine("Error parsing number");
}
/* FIX: check for conversion error */
if (num > Float.MAX_VALUE || num < Float.MIN_VALUE) {
IO.writeLine("Error, cannot safely cast this number to a float!");
return;
}
IO.writeLine("" + (float) num);
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO);
} finally {
try {
if (readerBuffered != null) {
readerBuffered.close();
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error closing BufferedReader", exceptIO);
}
try {
if (readerInputStream != null) {
readerInputStream.close();
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error closing InputStreamReader", exceptIO);
}
}
}
}
/* goodB2G() - use badsource and goodsink */
public void goodB2G_sink(String data) throws Throwable {
if (!data.equals("Testing.test")
&& /* FIX: classname must be one of 2 values */ !data.equals("Test.test")) {
return;
}
Class<?> c = Class.forName(data);
Object instance = c.newInstance();
IO.writeLine(instance.toString());
}
/* goodG2B() - use goodsource and badsink */
public void goodG2B_sink(
CWE470_Unsafe_Reflection__getParameterServlet_67a.Container data_container,
HttpServletRequest request,
HttpServletResponse response)
throws Throwable {
String data = data_container.a;
Class<?> c = Class.forName(data); /* FLAW: loading arbitrary class */
Object instance = c.newInstance();
IO.writeLine(instance.toString());
}
/* good1() changes IO.staticReturnsTrue() to IO.staticReturnsFalse() */
private void good1() throws Throwable {
if (IO.staticReturnsFalse()) {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
IO.writeLine("Benign, fixed string");
} else {
String stringIntValue = "";
int x = (new SecureRandom()).nextInt(3);
switch (x) {
case 0:
stringIntValue = "0";
break;
case 1:
stringIntValue = "1";
break;
/* FIX: Add a default case */
default:
stringIntValue = "2";
}
IO.writeLine(stringIntValue);
}
}
