/* goodB2G() - use badsource and goodsink */
  public void goodB2G_sink(String data, HttpServletRequest request, HttpServletResponse response)
      throws Throwable {

    String prefix = "Tru3ly 0b$scUre";
    MessageDigest hash = MessageDigest.getInstance("SHA512");

    /* FIX: credentials hashed prior to setting in cookie */
    byte[] hashv = hash.digest((prefix + data).getBytes());

    response.addCookie(new Cookie("auth", IO.toHex(hashv)));
  }
  /* goodG2B() - use goodsource and badsink */
  public void goodG2B_sink(String data, HttpServletRequest request, HttpServletResponse response)
      throws Throwable {

    /* NOTE: potential incidental issues with not setting secure or HttpOnly flag */
    String fp = "../common/config.properties";

    /* simple pre-set key makes the stored password recoverable */
    String sharedKey = "0000000000000000";
    byte[] input = data.getBytes();
    SecretKeySpec key = new SecretKeySpec(sharedKey.getBytes(), "AES");
    Cipher cipher = Cipher.getInstance("AES/ECB/NoPadding", "BC");

    cipher.init(Cipher.ENCRYPT_MODE, key);
    byte[] cipherText = cipher.doFinal(input);

    /* FLAW: writing a recoverable password to a cookie */
    response.addCookie(new Cookie("auth", new String(cipherText)));
  }
  public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable {
    String data;
    /* INCIDENTAL: CWE 571 Statement is Always True */
    if (5 == 5) {
      Logger log_bad = Logger.getLogger("local-logger");
      data = ""; /* init data */
      /* read user input from console with readLine*/
      BufferedReader buffread = null;
      InputStreamReader instrread = null;
      try {
        instrread = new InputStreamReader(System.in);
        buffread = new BufferedReader(instrread);
        data = buffread.readLine();
      } catch (IOException ioe) {
        log_bad.warning("Error with stream reading");
      } finally {
        /* clean up stream reading objects */
        try {
          if (buffread != null) {
            buffread.close();
          }
        } catch (IOException ioe) {
          log_bad.warning("Error closing buffread");
        } finally {
          try {
            if (instrread != null) {
              instrread.close();
            }
          } catch (IOException ioe) {
            log_bad.warning("Error closing instrread");
          }
        }
      }
    } else {
      /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */

      java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger");

      /* FIX: Use a hardcoded string */
      data = "foo";
    }
    /* INCIDENTAL: CWE 571 Statement is Always True */
    if (5 == 5) {
      /* NOTE: potential incidental issues with not setting secure or HttpOnly flag */
      String fp = "../common/config.properties";
      /* simple pre-set key makes the stored password recoverable */
      String sharedKey = "0000000000000000";
      byte[] input = data.getBytes();
      SecretKeySpec key = new SecretKeySpec(sharedKey.getBytes(), "AES");
      Cipher cipher = Cipher.getInstance("AES/ECB/NoPadding", "BC");
      cipher.init(Cipher.ENCRYPT_MODE, key);
      byte[] cipherText = cipher.doFinal(input);
      /* FLAW: writing a recoverable password to a cookie */
      response.addCookie(new Cookie("auth", new String(cipherText)));
    } else {
      /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */

      String prefix = "Tru3ly 0b$scUre";
      MessageDigest hash = MessageDigest.getInstance("SHA512");

      /* FIX: credentials hashed prior to setting in cookie */
      byte[] hashv = hash.digest((prefix + data).getBytes());

      response.addCookie(new Cookie("auth", IO.toHex(hashv)));
    }
  }
  public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable {
    String data;
    /* INCIDENTAL: CWE 571 Statement is Always True */
    if (private_final_five == 5) {
      Logger log_bad = Logger.getLogger("local-logger");
      data = ""; /* init data */
      Connection conn = null;
      PreparedStatement statement = null;
      ResultSet rs = null;
      BufferedReader buffread = null;
      InputStreamReader instrread = null;
      try {
        /* setup the connection */
        conn = IO.getDBConnection();
        /* prepare the query */
        statement = conn.prepareStatement("select name from users where id=?");
        /* get user input for the userid */
        IO.writeLine("Enter a userid to login as (number): ");
        instrread = new InputStreamReader(System.in);
        buffread = new BufferedReader(instrread);
        int num = Integer.parseInt(buffread.readLine());
        statement.setInt(1, num);
        rs = statement.executeQuery();
        data = rs.getString(1);
      } catch (IOException ioe) {
        log_bad.warning("Error with stream reading");
      } finally {
        /* clean up stream reading objects */
        try {
          if (buffread != null) {
            buffread.close();
          }
        } catch (IOException ioe) {
          log_bad.warning("Error closing buffread");
        } finally {
          try {
            if (instrread != null) {
              instrread.close();
            }
          } catch (IOException ioe) {
            log_bad.warning("Error closing instrread");
          }
        }

        /* clean up database objects */
        try {
          if (rs != null) {
            rs.close();
          }
        } catch (SQLException se) {
          log_bad.warning("Error closing rs");
        } finally {
          try {
            if (statement != null) {
              statement.close();
            }
          } catch (SQLException se) {
            log_bad.warning("Error closing statement");
          } finally {
            try {
              if (conn != null) {
                conn.close();
              }
            } catch (SQLException se) {
              log_bad.warning("Error closing conn");
            }
          }
        }
      }
    } else {
      /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */

      java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger");

      /* FIX: Use a hardcoded string */
      data = "foo";
    }
    /* INCIDENTAL: CWE 571 Statement is Always True */
    if (private_final_five == 5) {
      /* NOTE: potential incidental issues with not setting secure or HttpOnly flag */
      String fp = "../common/config.properties";
      /* simple pre-set key makes the stored password recoverable */
      String sharedKey = "0000000000000000";
      byte[] input = data.getBytes();
      SecretKeySpec key = new SecretKeySpec(sharedKey.getBytes(), "AES");
      Cipher cipher = Cipher.getInstance("AES/ECB/NoPadding", "BC");
      cipher.init(Cipher.ENCRYPT_MODE, key);
      byte[] cipherText = cipher.doFinal(input);
      /* FLAW: writing a recoverable password to a cookie */
      response.addCookie(new Cookie("auth", new String(cipherText)));
    } else {
      /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */

      String prefix = "Tru3ly 0b$scUre";
      MessageDigest hash = MessageDigest.getInstance("SHA512");

      /* FIX: credentials hashed prior to setting in cookie */
      byte[] hashv = hash.digest((prefix + data).getBytes());

      response.addCookie(new Cookie("auth", IO.toHex(hashv)));
    }
  }