/* goodG2B() - use goodsource and badsink */ private void goodG2B(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; /* FIX: Use a hardcoded string */ data = "foo"; CWE80_XSS__Servlet_URLConnection_81_base baseObject = new CWE80_XSS__Servlet_URLConnection_81_goodG2B(); baseObject.action(data, request, response); }
public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; data = ""; /* Initialize data */ /* read input from URLConnection */ { URLConnection urlConnection = (new URL("http://www.example.org/")).openConnection(); BufferedReader readerBuffered = null; InputStreamReader readerInputStream = null; try { readerInputStream = new InputStreamReader(urlConnection.getInputStream(), "UTF-8"); readerBuffered = new BufferedReader(readerInputStream); /* POTENTIAL FLAW: Read data from a web server with URLConnection */ /* This will be reading the first "line" of the response body, * which could be very long if there are no newlines in the HTML */ data = readerBuffered.readLine(); } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO); } finally { /* clean up stream reading objects */ try { if (readerBuffered != null) { readerBuffered.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing BufferedReader", exceptIO); } try { if (readerInputStream != null) { readerInputStream.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing InputStreamReader", exceptIO); } } } CWE80_XSS__Servlet_URLConnection_81_base baseObject = new CWE80_XSS__Servlet_URLConnection_81_bad(); baseObject.action(data, request, response); }