/* goodB2G() - use badsource and goodsink by changing the second "if" so that
* both branches use the GoodSink */
private void goodB2G(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
if (IO.staticReturnsTrueOrFalse()) {
/* POTENTIAL FLAW: Read data from a querystring using getParameter */
data = request.getParameter("name");
} else {
/* POTENTIAL FLAW: Read data from a querystring using getParameter */
data = request.getParameter("name");
}
if (IO.staticReturnsTrueOrFalse()) {
/* FIX: use URLEncoder.encode to hex-encode non-alphanumerics */
if (data != null) {
data = URLEncoder.encode(data, "UTF-8");
response.addHeader("Location", "/author.jsp?lang=" + data);
}
} else {
/* FIX: use URLEncoder.encode to hex-encode non-alphanumerics */
if (data != null) {
data = URLEncoder.encode(data, "UTF-8");
response.addHeader("Location", "/author.jsp?lang=" + data);
}
}
}
/* good2() reverses the bodies in the if statement */
private void good2(HttpServletRequest request, HttpServletResponse response) throws Throwable {
if (IO.static_returns_t()) {
Logger tcLog = Logger.getLogger("cwe_testcases_logger");
if (request.getParameter("username") == null) {
return;
}
String username = request.getParameter("username");
if (username.matches("[a-zA-Z0-9]*")) {
HttpSession session = request.getSession(true);
/* FIX: logged message does not contain session id */
tcLog.log(Level.FINEST, "Username: "******" Session ID:" + session.getId());
} else {
response.getWriter().println("Invalid characters");
}
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
Logger tcLog = Logger.getLogger("cwe_testcases_logger");
if (request.getParameter("username") == null) {
return;
}
String username = request.getParameter("username");
if (username.matches("[a-zA-Z0-9]*")) {
HttpSession session = request.getSession(true);
/* FLAW: leak session ID to debug log */
tcLog.log(Level.FINEST, "Username: "******" Session ID:" + session.getId());
} else {
response.getWriter().println("Invalid characters");
}
}
}
/* good2() reverses the bodies in the if statement */
private void good2(HttpServletRequest request, HttpServletResponse response) throws Throwable {
if (IO.STATIC_FINAL_FIVE == 5) {
if (request.getParameter("username") == null) {
return;
}
String username = request.getParameter("username");
if (username.matches("[a-zA-Z0-9]*")) {
/* FIX: logged message does not contain session id */
log("Username: "******" logged in");
} else {
response.getWriter().println("Invalid characters");
}
}
}
public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable {
if (IO.STATIC_FINAL_FIVE == 5) {
if (request.getParameter("username") == null) {
return;
}
String username = request.getParameter("username");
if (username.matches("[a-zA-Z0-9]*")) {
HttpSession session = request.getSession(true);
/* FLAW: Expose the session ID to server log */
log("Username: "******" Session ID:" + session.getId());
} else {
response.getWriter().println("Invalid characters");
}
}
}
/* goodB2G() - use badsource and goodsink */
private void goodB2G(HttpServletRequest request, HttpServletResponse response) throws Throwable {
int data;
data = Integer.MIN_VALUE; /* Initialize data */
/* POTENTIAL FLAW: Read data from a querystring using getParameter() */
{
String stringNumber = request.getParameter("name");
try {
data = Integer.parseInt(stringNumber.trim());
} catch (NumberFormatException exceptNumberFormat) {
IO.logger.log(
Level.WARNING,
"Number format exception reading data from parameter 'name'",
exceptNumberFormat);
}
}
/* FIX: Add a check to prevent an overflow from occurring */
/* NOTE: Math.abs of the minimum int or long will return that same value, so we must check for it */
if ((data != Integer.MIN_VALUE)
&& (data != Long.MIN_VALUE)
&& (Math.abs(data) <= (long) Math.sqrt(Integer.MAX_VALUE))) {
int result = (int) (data * data);
IO.writeLine("result: " + result);
} else {
IO.writeLine("data value is too large to perform squaring.");
}
}
/* goodG2B1() - use goodsource and badsink by changing first private_final_five==5 to private_final_five!=5 */
private void goodG2B1(HttpServletRequest request, HttpServletResponse response) throws Throwable {
int data;
/* INCIDENTAL: CWE 570 Statement is Always False */
if (private_final_five != 5) {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
Logger log_bad = Logger.getLogger("local-logger");
/* init Data$ */
data = -1;
/* read parameter from request */
String s_data = request.getParameter("name");
data = Integer.parseInt(s_data.trim());
} else {
java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger");
/* FIX: Use a hardcoded number that won't cause underflow, overflow,
divide by zero, or loss-of-precision issues */
data = 2;
}
/* INCIDENTAL: CWE 571 Statement is Always True */
if (private_final_five == 5) {
/* POTENTIAL FLAW: Zero denominator will cause an issue. An integer division will
result in an exception. */
IO.writeLine("bad: 100/" + String.valueOf(data) + " = " + (100 / data) + "\n");
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
/* FIX: test for a zero denominator */
if (data != 0) {
IO.writeLine("100/" + String.valueOf(data) + " = " + (100 / data) + "\n");
} else {
IO.writeLine("This would result in a divide by zero");
}
}
}
/* goodG2B1() - use goodsource and badsink by changing first private_returns_t() to private_returns_f() */
private void goodG2B1(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
/* INCIDENTAL: CWE 570 Statement is Always False */
if (private_returns_f()) {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
Logger log_bad = Logger.getLogger("local-logger");
/* read parameter from request */
data = request.getParameter("name");
} else {
java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger");
/* FIX: Use a hardcoded string */
data = "foo";
}
/* INCIDENTAL: CWE 571 Statement is Always True */
if (private_returns_t()) {
try {
int iConversion = Integer.valueOf(data);
} catch (Exception e) {
e.printStackTrace(); /* POTENTIAL FLAW: Print stack trace on error */
}
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
try {
int iConversion = Integer.valueOf(data);
} catch (Exception e) {
IO.writeLine("There was an error parsing the string"); /* FIX: print a generic message */
}
}
}
/* goodG2B2() - use goodsource and badsink by reversing statements in first if */
private void goodG2B2(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
if (IO.static_final_five == 5) {
/* FIX: Set data to a fixed, non-null String */
data = "CWE690";
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
/* POTENTIAL FLAW: data may be set to null */
data = request.getParameter("CWE690");
}
if (IO.static_final_five == 5) {
/* POTENTIAL FLAW: data could be null */
if (data.equals("CWE690")) {
IO.writeLine("data is CWE690");
}
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
/* FIX: call equals() on string literal (that is not null) */
if ("CWE690".equals(data)) {
IO.writeLine("data is CWE690");
}
}
}
public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
/* We need to have one source outside of a for loop in order
to prevent the Java compiler from generating an error because
data is uninitialized */
/* POTENTIAL FLAW: data may be set to null */
data = request.getParameter("CWE690");
for (int for_index_i = 0; for_index_i < 0; for_index_i++) {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
/* FIX: Set data to a fixed, non-null String */
data = "CWE690";
}
for (int for_index_j = 0; for_index_j < 1; for_index_j++) {
/* POTENTIAL FLAW: data could be null */
String sOut = data.trim();
IO.writeLine(sOut);
}
for (int for_index_k = 0; for_index_k < 0; for_index_k++) {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
/* FIX: explicit check for null */
if (data != null) {
String sOut = data.trim();
IO.writeLine(sOut);
}
}
}
/* goodG2B() - use goodsource and badsink by moving BadSource and BadSink to after return */
private void goodG2B(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
{
java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger");
/* FIX: Use a hardcoded string */
data = "foo";
/* POTENTIAL FLAW: Input not verified before inclusion in header */
response.setHeader("Location", "/author.jsp?lang=" + data);
}
if (true) return; /* INCIDENTAL: CWE 571 Expression is Always True.
We need the "if(true)" because the Java Language Spec requires that
unreachable code generate a compiler error */
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
{
Logger log_bad = Logger.getLogger("local-logger");
/* read parameter from request */
data = request.getParameter("name");
/* POTENTIAL FLAW: Input not verified before inclusion in header */
response.setHeader("Location", "/author.jsp?lang=" + data);
}
}
/* goodB2G() - use badsource and goodsink by switching statements around return */
private void goodB2G(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
Logger log_bad = Logger.getLogger("local-logger");
/* read parameter from request */
data = request.getParameter("name");
{
/* FIX: use URLEncoder.encode to hex-encode non-alphanumerics */
data = URLEncoder.encode(data, "UTF-16");
response.setHeader("Location", "/author.jsp?lang=" + data);
}
if (true) return; /* INCIDENTAL: CWE 571 Expression is Always True.
We need the "if(true)" because the Java Language Spec requires that
unreachable code generate a compiler error */
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
{
/* POTENTIAL FLAW: Input not verified before inclusion in header */
response.setHeader("Location", "/author.jsp?lang=" + data);
}
}
public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
if (IO.staticReturnsTrueOrFalse()) {
/* POTENTIAL FLAW: Read data from a querystring using getParameter */
data = request.getParameter("name");
} else {
/* FIX: Use a hardcoded string */
data = "foo";
}
if (IO.staticReturnsTrueOrFalse()) {
/* POTENTIAL FLAW: Input from file not verified */
if (data != null) {
response.addHeader("Location", "/author.jsp?lang=" + data);
}
} else {
/* FIX: use URLEncoder.encode to hex-encode non-alphanumerics */
if (data != null) {
data = URLEncoder.encode(data, "UTF-8");
response.addHeader("Location", "/author.jsp?lang=" + data);
}
}
}
public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable {
int data;
if (PRIVATE_STATIC_FINAL_TRUE) {
data = Integer.MIN_VALUE; /* Initialize data */
/* POTENTIAL FLAW: Read data from a querystring using getParameter() */
{
String stringNumber = request.getParameter("name");
try {
data = Integer.parseInt(stringNumber.trim());
} catch (NumberFormatException exceptNumberFormat) {
IO.logger.log(
Level.WARNING,
"Number format exception reading data from parameter 'name'",
exceptNumberFormat);
}
}
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = 0;
}
if (PRIVATE_STATIC_FINAL_TRUE) {
/* Need to ensure that the array is of size > 3 and < 101 due to the GoodSource and the large_fixed BadSource */
int array[] = {0, 1, 2, 3, 4};
/* POTENTIAL FLAW: Verify that data < array.length, but don't verify that data > 0, so may be attempting to read out of the array bounds */
if (data < array.length) {
IO.writeLine(array[data]);
} else {
IO.writeLine("Array index out of bounds");
}
}
}
/* uses badsource and badsink */
public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable {
int data;
if (privateReturnsTrue()) {
data = Integer.MIN_VALUE; /* Initialize data */
/* POTENTIAL FLAW: Read data from a querystring using getParameter() */
{
String stringNumber = request.getParameter("name");
try {
data = Integer.parseInt(stringNumber.trim());
} catch (NumberFormatException exceptNumberFormat) {
IO.logger.log(
Level.WARNING,
"Number format exception reading data from parameter 'name'",
exceptNumberFormat);
}
}
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = 0;
}
/* POTENTIAL FLAW: Create an ArrayList using data as the initial size. data may be very large, creating memory issues */
ArrayList intArrayList = new ArrayList(data);
}
public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable {
int data;
if (PRIVATE_STATIC_FINAL_TRUE) {
data = Integer.MIN_VALUE; /* Initialize data */
/* POTENTIAL FLAW: Read data from a querystring using getParameter() */
{
String stringNumber = request.getParameter("name");
try {
data = Integer.parseInt(stringNumber.trim());
} catch (NumberFormatException exceptNumberFormat) {
IO.logger.log(
Level.WARNING,
"Number format exception reading data from parameter 'name'",
exceptNumberFormat);
}
}
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = 0;
}
if (PRIVATE_STATIC_FINAL_TRUE) {
/* POTENTIAL FLAW: if data == Integer.MAX_VALUE, this will overflow */
int result = (int) (data + 1);
IO.writeLine("result: " + result);
}
}
/* goodB2G() - use badsource and goodsink by changing the conditions on
the second and third for statements */
private void goodB2G(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
/* POTENTIAL FLAW: data may be set to null */
data = request.getParameter("CWE690");
for (int for_index_i = 0; for_index_i < 0; for_index_i++) {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
/* FIX: Set data to a fixed, non-null String */
data = "CWE690";
}
for (int for_index_j = 0; for_index_j < 0; for_index_j++) {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
/* POTENTIAL FLAW: data could be null */
String sOut = data.trim();
IO.writeLine(sOut);
}
for (int for_index_k = 0; for_index_k < 1; for_index_k++) {
/* FIX: explicit check for null */
if (data != null) {
String sOut = data.trim();
IO.writeLine(sOut);
}
}
}
public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
/* POTENTIAL FLAW: data may be set to null */
data = request.getParameter("CWE690");
badSink(data, request, response);
}
/* goodB2G() - use badsource and goodsink */
private void goodB2G(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
/* POTENTIAL FLAW: data may be set to null */
data = request.getParameter("CWE690");
goodB2GSink(data, request, response);
}
/* goodB2G() - use badsource and goodsink */
private void goodB2G(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
/* POTENTIAL FLAW: Read data from a querystring using getParameter */
data = request.getParameter("name");
(new CWE89_SQL_Injection__getParameter_Servlet_executeBatch_54b())
.goodB2GSink(data, request, response);
}
/* goodB2G() - use badsource and goodsink */
private String goodB2G_source(HttpServletRequest request, HttpServletResponse response)
throws Throwable {
String data;
/* POTENTIAL FLAW: data may be set to null */
data = request.getParameter("CWE690");
return data;
}
public String badSource(HttpServletRequest request, HttpServletResponse response)
throws Throwable {
String data;
/* POTENTIAL FLAW: Read data from a querystring using getParameter */
data = request.getParameter("name");
return data;
}
public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
/* POTENTIAL FLAW: Read data from a querystring using getParameter */
data = request.getParameter("name");
(new CWE15_External_Control_of_System_or_Configuration_Setting__getParameter_Servlet_51b())
.badSink(data, request, response);
}
/* goodB2G() - use badsource and goodsink by changing the second "if" so that
both branches use the GoodSink */
private void goodB2G(HttpServletRequest request, HttpServletResponse response) throws Throwable {
int data;
if (IO.static_returns_t_or_f()) {
Logger log_bad = Logger.getLogger("local-logger");
/* init Data$ */
data = -1;
/* read parameter from request */
String s_data = request.getParameter("name");
data = Integer.parseInt(s_data.trim());
} else {
Logger log_bad = Logger.getLogger("local-logger");
/* init Data$ */
data = -1;
/* read parameter from request */
String s_data = request.getParameter("name");
data = Integer.parseInt(s_data.trim());
}
if (IO.static_returns_t_or_f()) {
int valueToSub = (new SecureRandom()).nextInt(99) + 1; /* subtracting at least 1 */
int result = 0;
/* FIX: Add a check to prevent an underflow from occurring */
if (data >= (Integer.MIN_VALUE + valueToSub)) {
result = (data - valueToSub);
IO.writeLine("result: " + result);
} else {
IO.writeLine("Input value is too small to perform subtraction.");
}
} else {
int valueToSub = (new SecureRandom()).nextInt(99) + 1; /* subtracting at least 1 */
int result = 0;
/* FIX: Add a check to prevent an underflow from occurring */
if (data >= (Integer.MIN_VALUE + valueToSub)) {
result = (data - valueToSub);
IO.writeLine("result: " + result);
} else {
IO.writeLine("Input value is too small to perform subtraction.");
}
}
}
/* goodB2G1() - use badsource and goodsink by changing second privateTrue to privateFalse */
private void goodB2G1(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
if (privateTrue) {
/* POTENTIAL FLAW: Read data from a querystring using getParameter */
data = request.getParameter("name");
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
}
if (privateFalse) {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
IO.writeLine("Benign, fixed string");
} else {
Connection dbConnection = null;
PreparedStatement sqlStatement = null;
try {
/* FIX: Use prepared statement and execute (properly) */
dbConnection = IO.getDBConnection();
sqlStatement =
dbConnection.prepareStatement(
"insert into users (status) values ('updated') where name=?");
sqlStatement.setString(1, data);
Boolean result = sqlStatement.execute();
if (result) {
IO.writeLine("Name, " + data + ", updated successfully");
} else {
IO.writeLine("Unable to update records for user: "******"Error getting database connection", exceptSql);
} finally {
try {
if (sqlStatement != null) {
sqlStatement.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql);
}
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
}
/* goodB2G2() - use badsource and goodsink by reversing the blocks in the if in the sink function */
private void goodB2G2(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data = null;
/* POTENTIAL FLAW: Read data from a querystring using getParameter */
data = request.getParameter("name");
goodB2G2PublicStatic = true;
(new CWE89_SQL_Injection__getParameter_Servlet_prepareStatement_22b())
.goodB2G2Sink(data, request, response);
}
/* goodB2G() - use badsource and goodsink by changing the second "if" so that
* both branches use the GoodSink */
private void goodB2G(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
if (IO.staticReturnsTrueOrFalse()) {
/* POTENTIAL FLAW: Read data from a querystring using getParameter */
data = request.getParameter("name");
} else {
/* POTENTIAL FLAW: Read data from a querystring using getParameter */
data = request.getParameter("name");
}
if (IO.staticReturnsTrueOrFalse()) {
int numberOfLoops;
try {
numberOfLoops = Integer.parseInt(data);
} catch (NumberFormatException exceptNumberFormat) {
IO.writeLine("Invalid response. Numeric input expected. Assuming 1.");
numberOfLoops = 1;
}
/* FIX: loop number thresholds validated */
if (numberOfLoops >= 0 && numberOfLoops <= 5) {
for (int i = 0; i < numberOfLoops; i++) {
IO.writeLine("hello world");
}
}
} else {
int numberOfLoops;
try {
numberOfLoops = Integer.parseInt(data);
} catch (NumberFormatException exceptNumberFormat) {
IO.writeLine("Invalid response. Numeric input expected. Assuming 1.");
numberOfLoops = 1;
}
/* FIX: loop number thresholds validated */
if (numberOfLoops >= 0 && numberOfLoops <= 5) {
for (int i = 0; i < numberOfLoops; i++) {
IO.writeLine("hello world");
}
}
}
}
/* goodB2G() - use badsource and goodsink */
private void goodB2G(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
Logger log_bad = Logger.getLogger("local-logger");
/* read parameter from request */
data = request.getParameter("name");
(new CWE113_HTTP_Response_Splitting__getParameterServlet_addCookieServlet_71b())
.goodB2G_sink((Object) data, request, response);
}
public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
/* POTENTIAL FLAW: Read data from a querystring using getParameter */
data = request.getParameter("name");
String[] dataArray = new String[5];
dataArray[2] = data;
(new CWE83_XSS_Attribute__Servlet_getParameter_Servlet_66b())
.badSink(dataArray, request, response);
}
/* goodB2G() - use badsource and goodsink */
private void goodB2G(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
Logger log_bad = Logger.getLogger("local-logger");
/* read parameter from request */
data = request.getParameter("name");
(new CWE352_Cross_Site_Request_Forgery__getParameterServlet_71b())
.goodB2G_sink((Object) data, request, response);
}
/* good1() changes IO.STATIC_FINAL_FIVE==5 to IO.STATIC_FINAL_FIVE!=5 */
private void good1(HttpServletRequest request, HttpServletResponse response) throws Throwable {
if (IO.STATIC_FINAL_FIVE != 5) {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
IO.writeLine("Benign, fixed string");
} else {
if (request.getParameter("username") == null) {
return;
}
String username = request.getParameter("username");
if (username.matches("[a-zA-Z0-9]*")) {
/* FIX: logged message does not contain session id */
log("Username: "******" logged in");
} else {
response.getWriter().println("Invalid characters");
}
}
}
