public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; /* We need to have one source outside of a for loop in order to prevent the Java compiler from generating an error because data is uninitialized */ /* POTENTIAL FLAW: data may be set to null */ data = request.getParameter("CWE690"); for (int for_index_i = 0; for_index_i < 0; for_index_i++) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ /* FIX: Set data to a fixed, non-null String */ data = "CWE690"; } for (int for_index_j = 0; for_index_j < 1; for_index_j++) { /* POTENTIAL FLAW: data could be null */ String sOut = data.trim(); IO.writeLine(sOut); } for (int for_index_k = 0; for_index_k < 0; for_index_k++) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ /* FIX: explicit check for null */ if (data != null) { String sOut = data.trim(); IO.writeLine(sOut); } } }
/* goodG2B() - use goodsource and badsink by changing the "if" so that * both branches use the GoodSource */ private void goodG2B() throws Throwable { String data; if (IO.staticReturnsTrueOrFalse()) { /* FIX: Use a hardcoded string */ data = "foo"; } else { /* FIX: Use a hardcoded string */ data = "foo"; } Connection dbConnection = null; try { dbConnection = IO.getDBConnection(); /* POTENTIAL FLAW: Set the catalog name with the value of data * allowing a nonexistent catalog name or unauthorized access to a portion of the DB */ dbConnection.setCatalog(data); } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql); } finally { try { if (dbConnection != null) { dbConnection.close(); } } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql); } } }
/* goodG2B() - use goodsource and badsink by changing the first "if" so that both branches use the GoodSource */ private void goodG2B() throws Throwable { int data; if (IO.static_returns_t_or_f()) { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded number that won't cause underflow, overflow, divide by zero, or loss-of-precision issues */ data = 2; } else { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded number that won't cause underflow, overflow, divide by zero, or loss-of-precision issues */ data = 2; } if (IO.static_returns_t_or_f()) { int valueToMult = (new SecureRandom()).nextInt(98) + 2; /* multiply by at least 2 */ if (data < 0) /* ensure we don't have an overflow */ { /* POTENTIAL FLAW: if (data*valueToMult) < MIN_VALUE, this will overflow */ int result = (data * valueToMult); IO.writeLine("result: " + result); } } else { int valueToMult = (new SecureRandom()).nextInt(98) + 2; /* multiply by at least 2 */ if (data < 0) /* ensure we don't have an overflow */ { /* POTENTIAL FLAW: if (data*valueToMult) < MIN_VALUE, this will overflow */ int result = (data * valueToMult); IO.writeLine("result: " + result); } } }
/* goodG2B1() - use goodsource and badsink by changing first IO.static_five==5 to IO.static_five!=5 */ private void goodG2B1() throws Throwable { int data; if (IO.static_five != 5) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ /* POTENTIAL FLAW: Use the maximum value for this type */ data = Integer.MAX_VALUE; } else { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded number that won't cause underflow, overflow, divide by zero, or loss-of-precision issues */ data = 2; } if (IO.static_five == 5) { int valueToAdd = (new SecureRandom()).nextInt(99) + 1; /* adding at least 1 */ /* POTENTIAL FLAW: if (data+valueToAdd) > MAX_VALUE, this will overflow */ int result = (data + valueToAdd); IO.writeLine("result: " + result); } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ int result = 0; int valueToAdd = (new SecureRandom()).nextInt(99) + 1; /* adding at least 1 */ /* FIX: Add a check to prevent an overflow from occurring */ if (data <= (Integer.MAX_VALUE - valueToAdd)) { result = (data + valueToAdd); IO.writeLine("result: " + result); } else { IO.writeLine("Input value is too large to perform addition."); } } }
/* goodG2B1() - use goodsource and badsink by changing first private_final_t to private_final_f */ private void goodG2B1() throws Throwable { int data; /* INCIDENTAL: CWE 570 Statement is Always False */ if (private_final_f) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ Logger log_bad = Logger.getLogger("local-logger"); SecureRandom r = new SecureRandom(); data = r.nextInt(); } else { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded number that won't cause underflow, overflow, divide by zero, or loss-of-precision issues */ data = 2; } /* INCIDENTAL: CWE 571 Statement is Always True */ if (private_final_t) { /* POTENTIAL FLAW: Zero denominator will cause an issue. An integer division will result in an exception. */ IO.writeLine("bad: 100/" + String.valueOf(data) + " = " + (100 / data) + "\n"); } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ /* FIX: test for a zero denominator */ if (data != 0) { IO.writeLine("100/" + String.valueOf(data) + " = " + (100 / data) + "\n"); } else { IO.writeLine("This would result in a divide by zero"); } } }
/* goodG2B2() - use goodsource and badsink by reversing statements in first if */ private void goodG2B2(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; if (IO.static_final_five == 5) { /* FIX: Set data to a fixed, non-null String */ data = "CWE690"; } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ /* POTENTIAL FLAW: data may be set to null */ data = request.getParameter("CWE690"); } if (IO.static_final_five == 5) { /* POTENTIAL FLAW: data could be null */ if (data.equals("CWE690")) { IO.writeLine("data is CWE690"); } } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ /* FIX: call equals() on string literal (that is not null) */ if ("CWE690".equals(data)) { IO.writeLine("data is CWE690"); } } }
/* goodG2B1() - use goodsource and badsink by changing first private_final_five==5 to private_final_five!=5 */ private void goodG2B1(HttpServletRequest request, HttpServletResponse response) throws Throwable { int data; /* INCIDENTAL: CWE 570 Statement is Always False */ if (private_final_five != 5) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ Logger log_bad = Logger.getLogger("local-logger"); /* init Data$ */ data = -1; /* read parameter from request */ String s_data = request.getParameter("name"); data = Integer.parseInt(s_data.trim()); } else { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded number that won't cause underflow, overflow, divide by zero, or loss-of-precision issues */ data = 2; } /* INCIDENTAL: CWE 571 Statement is Always True */ if (private_final_five == 5) { /* POTENTIAL FLAW: Zero denominator will cause an issue. An integer division will result in an exception. */ IO.writeLine("bad: 100/" + String.valueOf(data) + " = " + (100 / data) + "\n"); } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ /* FIX: test for a zero denominator */ if (data != 0) { IO.writeLine("100/" + String.valueOf(data) + " = " + (100 / data) + "\n"); } else { IO.writeLine("This would result in a divide by zero"); } } }
/* goodB2G2() - use badsource and goodsink by reversing statements in second if */ private void goodB2G2() throws Throwable { String data; /* INCIDENTAL: CWE 571 Statement is Always True */ if (IO.static_t) { Logger log_bad = Logger.getLogger("local-logger"); data = ""; /* init data */ File f = new File("C:\\data.txt"); BufferedReader buffread = null; FileReader fread = null; try { /* read string from file into data */ fread = new FileReader(f); buffread = new BufferedReader(fread); data = buffread.readLine(); // This will be reading the first "line" of the file, which // could be very long if there are little or no newlines in the file\ } catch (IOException ioe) { log_bad.warning("Error with stream reading"); } catch (NumberFormatException nfe) { log_bad.warning("Error with number parsing"); } finally { /* clean up stream reading objects */ try { if (buffread != null) { buffread.close(); } } catch (IOException ioe) { log_bad.warning("Error closing buffread"); } finally { try { if (fread != null) { fread.close(); } } catch (IOException ioe) { log_bad.warning("Error closing fread"); } } } } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ data = "Testing.test"; } /* INCIDENTAL: CWE 571 Statement is Always True */ if (IO.static_t) { if (!data.equals("Testing.test") && /* FIX: classname must be one of 2 values */ !data.equals("Test.test")) { return; } Class<?> c = Class.forName(data); Object instance = c.newInstance(); IO.writeLine(instance.toString()); } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ Class<?> c = Class.forName(data); /* FLAW: loading arbitrary class */ Object instance = c.newInstance(); IO.writeLine(instance.toString()); } }
/* goodG2B() - use goodsource and badsink by changing the conditions on the first and second while statements */ private void goodG2B() throws Throwable { String data; boolean local_f = false; while (true) { /* FIX: call getStringG(), which will never return null */ data = CWE690_NULL_Deref_from_Return__Class__Helper.getStringGood(); break; } while (local_f) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ /* POTENTIAL FLAW: Call getStringG(), which may return null */ data = CWE690_NULL_Deref_from_Return__Class__Helper.getStringBad(); break; } while (true) { /* POTENTIAL FLAW: data could be null */ String sOut = data.trim(); IO.writeLine(sOut); break; } while (local_f) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ /* FIX: explicit check for null */ if (data != null) { String sOut = data.trim(); IO.writeLine(sOut); } break; } }
/* goodB2G() - use badsource and goodsink */ private void goodB2G(HttpServletRequest request, HttpServletResponse response) throws Throwable { int data_copy; { int data; Logger log_bad = Logger.getLogger("local-logger"); /* init Data$ */ data = -1; /* read parameter from cookie */ Cookie cookieSources[] = request.getCookies(); if (cookieSources != null) { String s_data = cookieSources[0].getValue(); data = Integer.parseInt(s_data.trim()); } data_copy = data; } { int data = data_copy; /* FIX: test for a zero modulus */ if (data != 0) { IO.writeLine("100%" + String.valueOf(data) + " = " + (100 % data) + "\n"); } else { IO.writeLine("This would result in a modulo by zero"); } } }
/* goodG2B() - use goodsource and badsink by changing the first "if" so that both branches use the GoodSource */ private void goodG2B(HttpServletRequest request, HttpServletResponse response) throws Throwable { int data; if (IO.static_returns_t_or_f()) { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded number that won't cause underflow, overflow, divide by zero, or loss-of-precision issues */ data = 2; } else { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded number that won't cause underflow, overflow, divide by zero, or loss-of-precision issues */ data = 2; } if (IO.static_returns_t_or_f()) { int valueToSub = (new SecureRandom()).nextInt(99) + 1; /* subtracting at least 1 */ /* POTENTIAL FLAW: if (data-valueToSub) < MIN_VALUE this will underflow */ int result = (data - valueToSub); IO.writeLine("result: " + result); } else { int valueToSub = (new SecureRandom()).nextInt(99) + 1; /* subtracting at least 1 */ /* POTENTIAL FLAW: if (data-valueToSub) < MIN_VALUE this will underflow */ int result = (data - valueToSub); IO.writeLine("result: " + result); } }
/* goodG2B() - use goodsource and badsink */ public void goodG2BSink(String data) throws Throwable { Connection dbConnection = null; Statement sqlStatement = null; try { dbConnection = IO.getDBConnection(); sqlStatement = dbConnection.createStatement(); /* POTENTIAL FLAW: data concatenated into SQL statement used in executeUpdate(), which could result in SQL Injection */ int rowCount = sqlStatement.executeUpdate( "insert into users (status) values ('updated') where name='" + data + "'"); IO.writeLine("Updated " + rowCount + " rows successfully."); } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql); } finally { try { if (sqlStatement != null) { sqlStatement.close(); } } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error closing Statement", exceptSql); } try { if (dbConnection != null) { dbConnection.close(); } } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql); } } }
/* goodB2G1() - use badsource and goodsink by changing second IO.STATIC_FINAL_FIVE==5 to IO.STATIC_FINAL_FIVE!=5 */ private void goodB2G1() throws Throwable { String data; if (IO.STATIC_FINAL_FIVE == 5) { /* get environment variable ADD */ /* POTENTIAL FLAW: Read data from an environment variable */ data = System.getenv("ADD"); } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run * but ensure data is inititialized before the Sink to avoid compiler errors */ data = null; } if (IO.STATIC_FINAL_FIVE != 5) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ IO.writeLine("Benign, fixed string"); } else { if (data != null) { String names[] = data.split("-"); int successCount = 0; Connection dbConnection = null; PreparedStatement sqlStatement = null; try { /* FIX: Use prepared statement and executeBatch (properly) */ dbConnection = IO.getDBConnection(); sqlStatement = dbConnection.prepareStatement("update users set hitcount=hitcount+1 where name=?"); for (int i = 0; i < names.length; i++) { sqlStatement.setString(1, names[i]); sqlStatement.addBatch(); } int resultsArray[] = sqlStatement.executeBatch(); for (int i = 0; i < names.length; i++) { if (resultsArray[i] > 0) { successCount++; } } IO.writeLine("Succeeded in " + successCount + " out of " + names.length + " queries."); } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql); } finally { try { if (sqlStatement != null) { sqlStatement.close(); } } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql); } try { if (dbConnection != null) { dbConnection.close(); } } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql); } } } } }
/* goodB2G() - use badsource and goodsink by changing the conditions on the second and third for statements */ private void goodB2G(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; /* POTENTIAL FLAW: data may be set to null */ data = request.getParameter("CWE690"); for (int for_index_i = 0; for_index_i < 0; for_index_i++) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ /* FIX: Set data to a fixed, non-null String */ data = "CWE690"; } for (int for_index_j = 0; for_index_j < 0; for_index_j++) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ /* POTENTIAL FLAW: data could be null */ String sOut = data.trim(); IO.writeLine(sOut); } for (int for_index_k = 0; for_index_k < 1; for_index_k++) { /* FIX: explicit check for null */ if (data != null) { String sOut = data.trim(); IO.writeLine(sOut); } } }
/* goodB2G1() - use badsource and goodsink by changing second IO.staticTrue to IO.staticFalse */ private void goodB2G1() throws Throwable { String data; if (IO.staticTrue) { /* get environment variable ADD */ /* POTENTIAL FLAW: Read data from an environment variable */ data = System.getenv("ADD"); } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run * but ensure data is inititialized before the Sink to avoid compiler errors */ data = null; } if (IO.staticFalse) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ IO.writeLine("Benign, fixed string"); } else { Connection dbConnection = null; PreparedStatement sqlStatement = null; ResultSet resultSet = null; try { /* FIX: Use prepared statement and executeQuery (properly) */ dbConnection = IO.getDBConnection(); sqlStatement = dbConnection.prepareStatement("select * from users where name=?"); sqlStatement.setString(1, data); resultSet = sqlStatement.executeQuery(); IO.writeLine(resultSet.getRow()); /* Use ResultSet in some way */ } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql); } finally { try { if (resultSet != null) { resultSet.close(); } } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error closing ResultSet", exceptSql); } try { if (sqlStatement != null) { sqlStatement.close(); } } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql); } try { if (dbConnection != null) { dbConnection.close(); } } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql); } } } }
public void bad() throws Throwable { int data; if (IO.static_returns_t_or_f()) { Logger log_bad = Logger.getLogger("local-logger"); /* init data */ data = -1; /* retrieve the "pid" property */ Properties props = new Properties(); FileInputStream finstr = null; try { finstr = new FileInputStream("../common/config.properties"); props.load(finstr); String s_data = props.getProperty("pid"); data = Integer.parseInt(s_data.trim()); } catch (IOException ioe) { log_bad.warning("Error with stream reading"); } catch (NumberFormatException nfe) { log_bad.warning("Error with number parsing"); } finally { /* clean up stream reading objects */ try { if (finstr != null) { finstr.close(); } } catch (IOException ioe) { log_bad.warning("Error closing buffread"); } } } else { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded number that won't cause underflow, overflow, divide by zero, or loss-of-precision issues */ data = 2; } if (IO.static_returns_t_or_f()) { int valueToMult = (new SecureRandom()).nextInt(98) + 2; /* multiply by at least 2 */ if (data > 0) /* ensure we don't have an underflow */ { /* POTENTIAL FLAW: if (data*valueToMult) > MAX_VALUE, this will overflow */ int result = (data * valueToMult); IO.writeLine("result: " + result); } } else { int valueToMult = (new SecureRandom()).nextInt(98) + 2; /* multiply by at least 2 */ if (data > 0) /* ensure we don't have an underflow */ { int result = 0; /* FIX: Add a check to prevent an overflow from occurring */ if (data <= (Integer.MAX_VALUE / valueToMult)) { result = (data * valueToMult); IO.writeLine("result: " + result); } else { IO.writeLine("Input value is too large to perform multiplication."); } } } }
public void bad() throws Throwable { String data; /* INCIDENTAL: CWE 571 Statement is Always True */ if (private_final_five == 5) { Logger log_bad = Logger.getLogger("local-logger"); data = ""; /* init data */ URLConnection conn = (new URL("http://www.example.org/")).openConnection(); BufferedReader buffread = null; InputStreamReader instrread = null; try { /* read input from URLConnection */ instrread = new InputStreamReader(conn.getInputStream()); buffread = new BufferedReader(instrread); data = buffread.readLine(); // This will be reading the first "line" of the response body, // which could be very long if there are no newlines in the HTML } catch (IOException ioe) { log_bad.warning("Error with stream reading"); } finally { /* clean up stream reading objects */ try { if (buffread != null) { buffread.close(); } } catch (IOException ioe) { log_bad.warning("Error closing buffread"); } finally { try { if (instrread != null) { instrread.close(); } } catch (IOException ioe) { log_bad.warning("Error closing instrread"); } } } } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ data = "Testing.test"; } /* INCIDENTAL: CWE 571 Statement is Always True */ if (private_final_five == 5) { Class<?> c = Class.forName(data); /* FLAW: loading arbitrary class */ Object instance = c.newInstance(); IO.writeLine(instance.toString()); } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ if (!data.equals("Testing.test") && /* FIX: classname must be one of 2 values */ !data.equals("Test.test")) { return; } Class<?> c = Class.forName(data); Object instance = c.newInstance(); IO.writeLine(instance.toString()); } }
/* goodG2B2() - use goodsource and badsink by reversing statements in first if */ private void goodG2B2() throws Throwable { String data; /* INCIDENTAL: CWE 571 Statement is Always True */ if (5 == 5) { data = "Testing.test"; } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ Logger log_bad = Logger.getLogger("local-logger"); data = ""; /* init data */ /* read user input from console with readLine*/ BufferedReader buffread = null; InputStreamReader instrread = null; try { instrread = new InputStreamReader(System.in); buffread = new BufferedReader(instrread); data = buffread.readLine(); } catch (IOException ioe) { log_bad.warning("Error with stream reading"); } finally { /* clean up stream reading objects */ try { if (buffread != null) { buffread.close(); } } catch (IOException ioe) { log_bad.warning("Error closing buffread"); } finally { try { if (instrread != null) { instrread.close(); } } catch (IOException ioe) { log_bad.warning("Error closing instrread"); } } } } /* INCIDENTAL: CWE 571 Statement is Always True */ if (5 == 5) { Class<?> c = Class.forName(data); /* FLAW: loading arbitrary class */ Object instance = c.newInstance(); IO.writeLine(instance.toString()); } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ if (!data.equals("Testing.test") && /* FIX: classname must be one of 2 values */ !data.equals("Test.test")) { return; } Class<?> c = Class.forName(data); Object instance = c.newInstance(); IO.writeLine(instance.toString()); } }
/* goodB2G2() - use badsource and goodsink by reversing statements in second if */ private void goodB2G2(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; if (privateFive == 5) { data = ""; /* initialize data in case id is not in query string */ /* POTENTIAL FLAW: Parse id param out of the URL querystring (without using getParameter()) */ { StringTokenizer tokenizer = new StringTokenizer(request.getQueryString(), "&"); while (tokenizer.hasMoreTokens()) { String token = tokenizer.nextToken(); /* a token will be like "id=foo" */ if (token.startsWith("id=")) /* check if we have the "id" parameter" */ { data = token.substring(3); /* set data to "foo" */ break; /* exit while loop */ } } } } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run * but ensure data is inititialized before the Sink to avoid compiler errors */ data = null; } if (privateFive == 5) { Connection dbConnection = null; PreparedStatement sqlStatement = null; try { /* FIX: Use prepared statement and execute (properly) */ dbConnection = IO.getDBConnection(); sqlStatement = dbConnection.prepareStatement( "insert into users (status) values ('updated') where name=?"); sqlStatement.setString(1, data); Boolean result = sqlStatement.execute(); if (result) { IO.writeLine("Name, " + data + ", updated successfully"); } else { IO.writeLine("Unable to update records for user: "******"Error getting database connection", exceptSql); } finally { try { if (sqlStatement != null) { sqlStatement.close(); } } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql); } try { if (dbConnection != null) { dbConnection.close(); } } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql); } } } }
/* goodG2B() - use goodsource and badsink */ private void goodG2B() throws Throwable { String data_copy; { String data; java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; data_copy = data; } { String data = data_copy; Logger log2 = Logger.getLogger("local-logger"); Connection conn_tmp2 = null; Statement sqlstatement = null; ResultSet sqlrs = null; try { conn_tmp2 = IO.getDBConnection(); sqlstatement = conn_tmp2.createStatement(); /* POTENTIAL FLAW: take user input and place into dynamic sql query */ sqlrs = sqlstatement.executeQuery("select * from users where name='" + data + "'"); IO.writeString(sqlrs.toString()); } catch (SQLException se) { log2.warning("Error getting database connection"); } finally { try { if (sqlrs != null) { sqlrs.close(); } } catch (SQLException e) { log2.warning("Error closing sqlrs"); } finally { try { if (sqlstatement != null) { sqlstatement.close(); } } catch (SQLException e) { log2.warning("Error closing sqlstatement"); } finally { try { if (conn_tmp2 != null) { conn_tmp2.close(); } } catch (SQLException e) { log2.warning("Error closing conn_tmp2"); } } } } } }
/* goodB2G() - use badsource and goodsink */ public void goodB2G_sink(int data) throws Throwable { /* FIX: test for a zero denominator */ if (data != 0) { IO.writeLine("100/" + String.valueOf(data) + " = " + (100 / data) + "\n"); } else { IO.writeLine("This would result in a divide by zero"); } }
/* goodB2G1() - use badsource and goodsink by changing second privateTrue to privateFalse */ private void goodB2G1(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; if (privateTrue) { /* POTENTIAL FLAW: Read data from a querystring using getParameter */ data = request.getParameter("name"); } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run * but ensure data is inititialized before the Sink to avoid compiler errors */ data = null; } if (privateFalse) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ IO.writeLine("Benign, fixed string"); } else { Connection dbConnection = null; PreparedStatement sqlStatement = null; try { /* FIX: Use prepared statement and execute (properly) */ dbConnection = IO.getDBConnection(); sqlStatement = dbConnection.prepareStatement( "insert into users (status) values ('updated') where name=?"); sqlStatement.setString(1, data); Boolean result = sqlStatement.execute(); if (result) { IO.writeLine("Name, " + data + ", updated successfully"); } else { IO.writeLine("Unable to update records for user: "******"Error getting database connection", exceptSql); } finally { try { if (sqlStatement != null) { sqlStatement.close(); } } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql); } try { if (dbConnection != null) { dbConnection.close(); } } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql); } } } }
/* goodG2B2() - use goodsource and badsink by reversing statements in first if */ private void goodG2B2() throws Throwable { int data; /* INCIDENTAL: CWE 571 Statement is Always True */ if (private_five == 5) { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded number that won't cause underflow, overflow, divide by zero, or loss-of-precision issues */ data = 2; } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ Logger log_bad = Logger.getLogger("local-logger"); /* init data */ data = -1; /* retrieve the "pid" property */ Properties props = new Properties(); FileInputStream finstr = null; try { finstr = new FileInputStream("../common/config.properties"); props.load(finstr); String s_data = props.getProperty("pid"); data = Integer.parseInt(s_data.trim()); } catch (IOException ioe) { log_bad.warning("Error with stream reading"); } catch (NumberFormatException nfe) { log_bad.warning("Error with number parsing"); } finally { /* clean up stream reading objects */ try { if (finstr != null) { finstr.close(); } } catch (IOException ioe) { log_bad.warning("Error closing buffread"); } } } /* INCIDENTAL: CWE 571 Statement is Always True */ if (private_five == 5) { /* POTENTIAL FLAW: Zero denominator will cause an issue. An integer division will result in an exception. */ IO.writeLine("bad: 100/" + String.valueOf(data) + " = " + (100 / data) + "\n"); } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ /* FIX: test for a zero denominator */ if (data != 0) { IO.writeLine("100/" + String.valueOf(data) + " = " + (100 / data) + "\n"); } else { IO.writeLine("This would result in a divide by zero"); } } }
private void goodB2G(HttpServletRequest request, HttpServletResponse response) throws Throwable { int data = goodB2G_source(request, response); /* FIX: test for a zero denominator */ if (data != 0) { IO.writeLine("100/" + String.valueOf(data) + " = " + (100 / data) + "\n"); } else { IO.writeLine("This would result in a divide by zero"); } }
/* goodG2B() - use goodsource and badsink */ private void goodG2B(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; data = "Testing.test"; Class<?> c = Class.forName(data); /* FLAW: loading arbitrary class */ Object instance = c.newInstance(); IO.writeLine(instance.toString()); }
/* goodG2B() - use goodsource and badsink */ private void goodG2B() throws Throwable { String dataCopy; { String data; /* FIX: Use a hardcoded string */ data = "foo"; dataCopy = data; } { String data = dataCopy; if (data != null) { String names[] = data.split("-"); int successCount = 0; Connection dbConnection = null; Statement sqlStatement = null; try { dbConnection = IO.getDBConnection(); sqlStatement = dbConnection.createStatement(); for (int i = 0; i < names.length; i++) { /* POTENTIAL FLAW: data concatenated into SQL statement used in executeBatch(), which could result in SQL Injection */ sqlStatement.addBatch( "update users set hitcount=hitcount+1 where name='" + names[i] + "'"); } int resultsArray[] = sqlStatement.executeBatch(); for (int i = 0; i < names.length; i++) { if (resultsArray[i] > 0) { successCount++; } } IO.writeLine("Succeeded in " + successCount + " out of " + names.length + " queries."); } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql); } finally { try { if (sqlStatement != null) { sqlStatement.close(); } } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error closing Statament", exceptSql); } try { if (dbConnection != null) { dbConnection.close(); } } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql); } } } } }
/* goodG2B1() - use goodsource and badsink by changing first IO.STATIC_FINAL_FIVE==5 to IO.STATIC_FINAL_FIVE!=5 */ private void goodG2B1() throws Throwable { String data; if (IO.STATIC_FINAL_FIVE != 5) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run * but ensure data is inititialized before the Sink to avoid compiler errors */ data = null; } else { /* FIX: Use a hardcoded string */ data = "foo"; } if (IO.STATIC_FINAL_FIVE == 5) { if (data != null) { String names[] = data.split("-"); int successCount = 0; Connection dbConnection = null; Statement sqlStatement = null; try { dbConnection = IO.getDBConnection(); sqlStatement = dbConnection.createStatement(); for (int i = 0; i < names.length; i++) { /* POTENTIAL FLAW: data concatenated into SQL statement used in executeBatch(), which could result in SQL Injection */ sqlStatement.addBatch( "update users set hitcount=hitcount+1 where name='" + names[i] + "'"); } int resultsArray[] = sqlStatement.executeBatch(); for (int i = 0; i < names.length; i++) { if (resultsArray[i] > 0) { successCount++; } } IO.writeLine("Succeeded in " + successCount + " out of " + names.length + " queries."); } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql); } finally { try { if (sqlStatement != null) { sqlStatement.close(); } } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error closing Statament", exceptSql); } try { if (dbConnection != null) { dbConnection.close(); } } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql); } } } } }
/* goodG2B() - use goodsource and badsink */ private void goodG2B(HttpServletRequest request, HttpServletResponse response) throws Throwable { String dataCopy; { String data; /* FIX: Use a hardcoded string */ data = "foo"; dataCopy = data; } { String data = dataCopy; Connection dbConnection = null; Statement sqlStatement = null; ResultSet resultSet = null; try { dbConnection = IO.getDBConnection(); sqlStatement = dbConnection.createStatement(); /* POTENTIAL FLAW: data concatenated into SQL statement used in executeQuery(), which could result in SQL Injection */ resultSet = sqlStatement.executeQuery("select * from users where name='" + data + "'"); IO.writeLine(resultSet.getRow()); /* Use ResultSet in some way */ } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql); } finally { try { if (resultSet != null) { resultSet.close(); } } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error closing ResultSet", exceptSql); } try { if (sqlStatement != null) { sqlStatement.close(); } } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error closing Statement", exceptSql); } try { if (dbConnection != null) { dbConnection.close(); } } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql); } } } }
/* goodB2G() - use badsource and goodsink */ public void goodB2G_sink(CWE369_Divide_By_Zero__random_modulo_67a.Container data_container) throws Throwable { int data = data_container.a; /* FIX: test for a zero modulus */ if (data != 0) { IO.writeLine("100%" + String.valueOf(data) + " = " + (100 % data) + "\n"); } else { IO.writeLine("This would result in a modulo by zero"); } }
/* goodG2B1() - use goodsource and badsink by changing the first switch to switch(5) */ private void goodG2B1() throws Throwable { int data; switch (5) { case 6: /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ { Logger log_bad = Logger.getLogger("local-logger"); /* init data */ data = -1; /* get environment variable ADD */ String s_data = System.getenv("ADD"); try { data = Integer.parseInt(s_data.trim()); } catch (NumberFormatException nfe) { log_bad.warning("Error with number parsing"); } } break; default: { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded number that won't cause underflow, overflow, divide by zero, or loss-of-precision issues */ data = 2; } break; } switch (7) { case 7: { int valueToAdd = (new SecureRandom()).nextInt(99) + 1; /* adding at least 1 */ /* POTENTIAL FLAW: if (data+valueToAdd) > MAX_VALUE, this will overflow */ int result = (data + valueToAdd); IO.writeLine("result: " + result); } break; default: /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ { int result = 0; int valueToAdd = (new SecureRandom()).nextInt(99) + 1; /* adding at least 1 */ /* FIX: Add a check to prevent an overflow from occurring */ if (data <= (Integer.MAX_VALUE - valueToAdd)) { result = (data + valueToAdd); IO.writeLine("result: " + result); } else { IO.writeLine("Input value is too large to perform addition."); } } break; } }