public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; data = ""; /* Initialize data */ /* Read data using an outbound tcp connection */ { Socket socket = null; BufferedReader readerBuffered = null; InputStreamReader readerInputStream = null; try { /* Read data using an outbound tcp connection */ socket = new Socket("host.example.org", 39544); /* read input from socket */ readerInputStream = new InputStreamReader(socket.getInputStream(), "UTF-8"); readerBuffered = new BufferedReader(readerInputStream); /* POTENTIAL FLAW: Read data using an outbound tcp connection */ data = readerBuffered.readLine(); } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO); } finally { /* clean up stream reading objects */ try { if (readerBuffered != null) { readerBuffered.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing BufferedReader", exceptIO); } try { if (readerInputStream != null) { readerInputStream.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing InputStreamReader", exceptIO); } /* clean up socket objects */ try { if (socket != null) { socket.close(); } } catch (IOException exceptIO) { IO.logger.log(Level.WARNING, "Error closing Socket", exceptIO); } } } CWE83_XSS_Attribute__Servlet_connect_tcp_81_base baseObject = new CWE83_XSS_Attribute__Servlet_connect_tcp_81_bad(); baseObject.action(data, request, response); }
/* goodG2B() - use goodsource and badsink */ private void goodG2B(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; /* FIX: Use a hardcoded string */ data = "foo"; CWE83_XSS_Attribute__Servlet_connect_tcp_81_base baseObject = new CWE83_XSS_Attribute__Servlet_connect_tcp_81_goodG2B(); baseObject.action(data, request, response); }