/* goodB2G1() - use badsource and goodsink by changing second IO.STATIC_FINAL_FIVE==5 to IO.STATIC_FINAL_FIVE!=5 */
private void goodB2G1() throws Throwable {
String data;
if (IO.STATIC_FINAL_FIVE == 5) {
/* get environment variable ADD */
/* POTENTIAL FLAW: Read data from an environment variable */
data = System.getenv("ADD");
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
}
if (IO.STATIC_FINAL_FIVE != 5) {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
IO.writeLine("Benign, fixed string");
} else {
if (data != null) {
String names[] = data.split("-");
int successCount = 0;
Connection dbConnection = null;
PreparedStatement sqlStatement = null;
try {
/* FIX: Use prepared statement and executeBatch (properly) */
dbConnection = IO.getDBConnection();
sqlStatement =
dbConnection.prepareStatement("update users set hitcount=hitcount+1 where name=?");
for (int i = 0; i < names.length; i++) {
sqlStatement.setString(1, names[i]);
sqlStatement.addBatch();
}
int resultsArray[] = sqlStatement.executeBatch();
for (int i = 0; i < names.length; i++) {
if (resultsArray[i] > 0) {
successCount++;
}
}
IO.writeLine("Succeeded in " + successCount + " out of " + names.length + " queries.");
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (sqlStatement != null) {
sqlStatement.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql);
}
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
}
}
/* goodG2B1() - use goodsource and badsink by setting the static variable to false instead of true */
private void goodG2B1() throws Throwable {
String data;
goodG2B1PublicStatic = false;
data =
(new CWE15_External_Control_of_System_or_Configuration_Setting__PropertiesFile_22b())
.goodG2B1Source();
Connection dbConnection = null;
try {
dbConnection = IO.getDBConnection();
/* POTENTIAL FLAW: Set the catalog name with the value of data
* allowing a nonexistent catalog name or unauthorized access to a portion of the DB */
dbConnection.setCatalog(data);
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
/* goodG2B1() - use goodsource and badsink by setting the variable to false instead of true */
private void goodG2B1(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
goodG2B1_private = false;
data = goodG2B1_source(request, response);
Connection dbConnection = null;
try {
dbConnection = IO.getDBConnection();
/* POTENTIAL FLAW: Set the catalog name with the value of data
* allowing a nonexistent catalog name or unauthorized access to a portion of the DB */
dbConnection.setCatalog(data);
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
/* goodG2B2() - use goodsource and badsink by reversing statements in if */
private void goodG2B2() throws Throwable {
String data;
if (PRIVATE_STATIC_FINAL_FIVE == 5) {
/* FIX: Use a hardcoded string */
data = "foo";
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
}
Connection dbConnection = null;
try {
dbConnection = IO.getDBConnection();
/* POTENTIAL FLAW: Set the catalog name with the value of data
* allowing a nonexistent catalog name or unauthorized access to a portion of the DB */
dbConnection.setCatalog(data);
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
/* goodG2B() - use goodsource and badsink */
public void goodG2BSink(String data) throws Throwable {
Connection dbConnection = null;
Statement sqlStatement = null;
try {
dbConnection = IO.getDBConnection();
sqlStatement = dbConnection.createStatement();
/* POTENTIAL FLAW: data concatenated into SQL statement used in executeUpdate(), which could result in SQL Injection */
int rowCount =
sqlStatement.executeUpdate(
"insert into users (status) values ('updated') where name='" + data + "'");
IO.writeLine("Updated " + rowCount + " rows successfully.");
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (sqlStatement != null) {
sqlStatement.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Statement", exceptSql);
}
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
/* uses badsource and badsink */
public void bad() throws Throwable {
String data;
/* get system property user.home */
/* POTENTIAL FLAW: Read data from a system property */
data = System.getProperty("user.home");
Connection dbConnection = null;
try {
dbConnection = IO.getDBConnection();
/* POTENTIAL FLAW: Set the catalog name with the value of data
* allowing a nonexistent catalog name or unauthorized access to a portion of the DB */
dbConnection.setCatalog(data);
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
/* goodG2B() - uses goodsource and badsink */
private void goodG2B() throws Throwable {
String data;
/* FIX: Use a hardcoded string */
data = "foo";
Connection dbConnection = null;
try {
dbConnection = IO.getDBConnection();
/* POTENTIAL FLAW: Set the catalog name with the value of data
* allowing a nonexistent catalog name or unauthorized access to a portion of the DB */
dbConnection.setCatalog(data);
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
/* goodB2G1() - use badsource and goodsink by changing second IO.staticTrue to IO.staticFalse */
private void goodB2G1() throws Throwable {
String data;
if (IO.staticTrue) {
/* get environment variable ADD */
/* POTENTIAL FLAW: Read data from an environment variable */
data = System.getenv("ADD");
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
}
if (IO.staticFalse) {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
IO.writeLine("Benign, fixed string");
} else {
Connection dbConnection = null;
PreparedStatement sqlStatement = null;
ResultSet resultSet = null;
try {
/* FIX: Use prepared statement and executeQuery (properly) */
dbConnection = IO.getDBConnection();
sqlStatement = dbConnection.prepareStatement("select * from users where name=?");
sqlStatement.setString(1, data);
resultSet = sqlStatement.executeQuery();
IO.writeLine(resultSet.getRow()); /* Use ResultSet in some way */
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (resultSet != null) {
resultSet.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing ResultSet", exceptSql);
}
try {
if (sqlStatement != null) {
sqlStatement.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql);
}
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
}
/* goodG2B() - use goodsource and badsink */
private void goodG2B() throws Throwable {
String data_copy;
{
String data;
java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger");
/* FIX: Use a hardcoded string */
data = "foo";
data_copy = data;
}
{
String data = data_copy;
Logger log2 = Logger.getLogger("local-logger");
Connection conn_tmp2 = null;
Statement sqlstatement = null;
ResultSet sqlrs = null;
try {
conn_tmp2 = IO.getDBConnection();
sqlstatement = conn_tmp2.createStatement();
/* POTENTIAL FLAW: take user input and place into dynamic sql query */
sqlrs = sqlstatement.executeQuery("select * from users where name='" + data + "'");
IO.writeString(sqlrs.toString());
} catch (SQLException se) {
log2.warning("Error getting database connection");
} finally {
try {
if (sqlrs != null) {
sqlrs.close();
}
} catch (SQLException e) {
log2.warning("Error closing sqlrs");
} finally {
try {
if (sqlstatement != null) {
sqlstatement.close();
}
} catch (SQLException e) {
log2.warning("Error closing sqlstatement");
} finally {
try {
if (conn_tmp2 != null) {
conn_tmp2.close();
}
} catch (SQLException e) {
log2.warning("Error closing conn_tmp2");
}
}
}
}
}
}
/* goodB2G2() - use badsource and goodsink by reversing statements in second if */
private void goodB2G2(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
if (privateFive == 5) {
data = ""; /* initialize data in case id is not in query string */
/* POTENTIAL FLAW: Parse id param out of the URL querystring (without using getParameter()) */
{
StringTokenizer tokenizer = new StringTokenizer(request.getQueryString(), "&");
while (tokenizer.hasMoreTokens()) {
String token = tokenizer.nextToken(); /* a token will be like "id=foo" */
if (token.startsWith("id=")) /* check if we have the "id" parameter" */ {
data = token.substring(3); /* set data to "foo" */
break; /* exit while loop */
}
}
}
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
}
if (privateFive == 5) {
Connection dbConnection = null;
PreparedStatement sqlStatement = null;
try {
/* FIX: Use prepared statement and execute (properly) */
dbConnection = IO.getDBConnection();
sqlStatement =
dbConnection.prepareStatement(
"insert into users (status) values ('updated') where name=?");
sqlStatement.setString(1, data);
Boolean result = sqlStatement.execute();
if (result) {
IO.writeLine("Name, " + data + ", updated successfully");
} else {
IO.writeLine("Unable to update records for user: "******"Error getting database connection", exceptSql);
} finally {
try {
if (sqlStatement != null) {
sqlStatement.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql);
}
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
}
/* goodB2G1() - use badsource and goodsink by changing second privateTrue to privateFalse */
private void goodB2G1(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
if (privateTrue) {
/* POTENTIAL FLAW: Read data from a querystring using getParameter */
data = request.getParameter("name");
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
}
if (privateFalse) {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
IO.writeLine("Benign, fixed string");
} else {
Connection dbConnection = null;
PreparedStatement sqlStatement = null;
try {
/* FIX: Use prepared statement and execute (properly) */
dbConnection = IO.getDBConnection();
sqlStatement =
dbConnection.prepareStatement(
"insert into users (status) values ('updated') where name=?");
sqlStatement.setString(1, data);
Boolean result = sqlStatement.execute();
if (result) {
IO.writeLine("Name, " + data + ", updated successfully");
} else {
IO.writeLine("Unable to update records for user: "******"Error getting database connection", exceptSql);
} finally {
try {
if (sqlStatement != null) {
sqlStatement.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql);
}
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
}
/* goodG2B1() - use goodsource and badsink by changing first IO.STATIC_FINAL_FIVE==5 to IO.STATIC_FINAL_FIVE!=5 */
private void goodG2B1() throws Throwable {
String data;
if (IO.STATIC_FINAL_FIVE != 5) {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
} else {
/* FIX: Use a hardcoded string */
data = "foo";
}
if (IO.STATIC_FINAL_FIVE == 5) {
if (data != null) {
String names[] = data.split("-");
int successCount = 0;
Connection dbConnection = null;
Statement sqlStatement = null;
try {
dbConnection = IO.getDBConnection();
sqlStatement = dbConnection.createStatement();
for (int i = 0; i < names.length; i++) {
/* POTENTIAL FLAW: data concatenated into SQL statement used in executeBatch(), which could result in SQL Injection */
sqlStatement.addBatch(
"update users set hitcount=hitcount+1 where name='" + names[i] + "'");
}
int resultsArray[] = sqlStatement.executeBatch();
for (int i = 0; i < names.length; i++) {
if (resultsArray[i] > 0) {
successCount++;
}
}
IO.writeLine("Succeeded in " + successCount + " out of " + names.length + " queries.");
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (sqlStatement != null) {
sqlStatement.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Statament", exceptSql);
}
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
}
}
/* goodG2B() - use goodsource and badsink */
private void goodG2B() throws Throwable {
String dataCopy;
{
String data;
/* FIX: Use a hardcoded string */
data = "foo";
dataCopy = data;
}
{
String data = dataCopy;
if (data != null) {
String names[] = data.split("-");
int successCount = 0;
Connection dbConnection = null;
Statement sqlStatement = null;
try {
dbConnection = IO.getDBConnection();
sqlStatement = dbConnection.createStatement();
for (int i = 0; i < names.length; i++) {
/* POTENTIAL FLAW: data concatenated into SQL statement used in executeBatch(), which could result in SQL Injection */
sqlStatement.addBatch(
"update users set hitcount=hitcount+1 where name='" + names[i] + "'");
}
int resultsArray[] = sqlStatement.executeBatch();
for (int i = 0; i < names.length; i++) {
if (resultsArray[i] > 0) {
successCount++;
}
}
IO.writeLine("Succeeded in " + successCount + " out of " + names.length + " queries.");
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (sqlStatement != null) {
sqlStatement.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Statament", exceptSql);
}
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
}
}
/* goodG2B() - use goodsource and badsink */
public void goodG2BSink(byte[] dataSerialized) throws Throwable {
/* unserialize data */
ByteArrayInputStream streamByteArrayInput = null;
ObjectInputStream streamObjectInput = null;
try {
streamByteArrayInput = new ByteArrayInputStream(dataSerialized);
streamObjectInput = new ObjectInputStream(streamByteArrayInput);
String data = (String) streamObjectInput.readObject();
Connection dbConnection = null;
try {
dbConnection = IO.getDBConnection();
/* POTENTIAL FLAW: Set the catalog name with the value of data
* allowing a nonexistent catalog name or unauthorized access to a portion of the DB */
dbConnection.setCatalog(data);
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "IOException in deserialization", exceptIO);
} catch (ClassNotFoundException exceptClassNotFound) {
IO.logger.log(
Level.WARNING, "ClassNotFoundException in deserialization", exceptClassNotFound);
} finally {
/* clean up stream reading objects */
try {
if (streamObjectInput != null) {
streamObjectInput.close();
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error closing ObjectInputStream", exceptIO);
}
try {
if (streamByteArrayInput != null) {
streamByteArrayInput.close();
}
} catch (IOException exceptIO) {
IO.logger.log(Level.WARNING, "Error closing ByteArrayInputStream", exceptIO);
}
}
}
/* goodG2B() - use goodsource and badsink */
private void goodG2B(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String dataCopy;
{
String data;
/* FIX: Use a hardcoded string */
data = "foo";
dataCopy = data;
}
{
String data = dataCopy;
Connection dbConnection = null;
Statement sqlStatement = null;
ResultSet resultSet = null;
try {
dbConnection = IO.getDBConnection();
sqlStatement = dbConnection.createStatement();
/* POTENTIAL FLAW: data concatenated into SQL statement used in executeQuery(), which could result in SQL Injection */
resultSet = sqlStatement.executeQuery("select * from users where name='" + data + "'");
IO.writeLine(resultSet.getRow()); /* Use ResultSet in some way */
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (resultSet != null) {
resultSet.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing ResultSet", exceptSql);
}
try {
if (sqlStatement != null) {
sqlStatement.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Statement", exceptSql);
}
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
}
/* goodB2G() - use badsource and goodsink */
public void goodB2G_sink(String data_array[]) throws Throwable {
String data = data_array[2];
String names[] = data.split("-");
int iSuccess = 0;
Logger log2 = Logger.getLogger("local-logger");
Connection conn_tmp2 = null;
PreparedStatement sqlstatement = null;
try {
/* FIX: use prepared sqlstatement */
conn_tmp2 = IO.getDBConnection();
sqlstatement =
conn_tmp2.prepareStatement("update users set hitcount=hitcount+1 where name=?");
for (int i = 0; i < names.length; ++i) {
sqlstatement.setString(1, names[i]);
sqlstatement.addBatch();
}
int dbResults[] = sqlstatement.executeBatch();
for (int i = 0; i < names.length; ++i) {
if (dbResults[i] > 0) {
iSuccess++;
}
}
IO.writeString("Succeeded in " + iSuccess + " out of " + names.length + " queries.");
} catch (SQLException se) {
log2.warning("Error getting database connection");
} finally {
try {
if (sqlstatement != null) {
sqlstatement.close();
}
} catch (SQLException e) {
log2.warning("Error closing sqlstatement");
} finally {
try {
if (conn_tmp2 != null) {
conn_tmp2.close();
}
} catch (SQLException e) {
log2.warning("Error closing conn_tmp2");
}
}
}
}
/* goodG2B1() - use goodsource and badsink by changing first IO.STATIC_FINAL_FIVE==5 to IO.STATIC_FINAL_FIVE!=5 */
private void goodG2B1() throws Throwable {
String data;
if (IO.STATIC_FINAL_FIVE != 5) {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
} else {
/* FIX: Use a hardcoded string */
data = "foo";
}
if (IO.STATIC_FINAL_FIVE == 5) {
Connection dbConnection = null;
Statement sqlStatement = null;
ResultSet resultSet = null;
try {
dbConnection = IO.getDBConnection();
sqlStatement = dbConnection.createStatement();
/* POTENTIAL FLAW: data concatenated into SQL statement used in executeQuery(), which could result in SQL Injection */
resultSet = sqlStatement.executeQuery("select * from users where name='" + data + "'");
IO.writeLine(resultSet.getRow()); /* Use ResultSet in some way */
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (resultSet != null) {
resultSet.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing ResultSet", exceptSql);
}
try {
if (sqlStatement != null) {
sqlStatement.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Statement", exceptSql);
}
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
}
public void bad() throws Throwable {
String data;
if (IO.staticTrue) {
/* get environment variable ADD */
/* POTENTIAL FLAW: Read data from an environment variable */
data = System.getenv("ADD");
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
}
if (IO.staticTrue) {
Connection dbConnection = null;
Statement sqlStatement = null;
ResultSet resultSet = null;
try {
dbConnection = IO.getDBConnection();
sqlStatement = dbConnection.createStatement();
/* POTENTIAL FLAW: data concatenated into SQL statement used in executeQuery(), which could result in SQL Injection */
resultSet = sqlStatement.executeQuery("select * from users where name='" + data + "'");
IO.writeLine(resultSet.getRow()); /* Use ResultSet in some way */
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (resultSet != null) {
resultSet.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing ResultSet", exceptSql);
}
try {
if (sqlStatement != null) {
sqlStatement.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Statement", exceptSql);
}
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
}
/* goodB2G1() - use badsource and goodsink by setting the static variable to false instead of true */
public void goodB2G1Sink(String data) throws Throwable {
if (CWE89_SQL_Injection__Environment_executeBatch_22a.goodB2G1PublicStatic) {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
} else {
if (data != null) {
String names[] = data.split("-");
int successCount = 0;
Connection dbConnection = null;
PreparedStatement sqlStatement = null;
try {
/* FIX: Use prepared statement and executeBatch (properly) */
dbConnection = IO.getDBConnection();
sqlStatement =
dbConnection.prepareStatement("update users set hitcount=hitcount+1 where name=?");
for (int i = 0; i < names.length; i++) {
sqlStatement.setString(1, names[i]);
sqlStatement.addBatch();
}
int resultsArray[] = sqlStatement.executeBatch();
for (int i = 0; i < names.length; i++) {
if (resultsArray[i] > 0) {
successCount++;
}
}
IO.writeLine("Succeeded in " + successCount + " out of " + names.length + " queries.");
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (sqlStatement != null) {
sqlStatement.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql);
}
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
}
}
/* goodB2G2() - use badsource and goodsink by reversing statements in second if */
private void goodB2G2() throws Throwable {
String data;
if (PRIVATE_STATIC_FINAL_TRUE) {
/* get environment variable ADD */
/* POTENTIAL FLAW: Read data from an environment variable */
data = System.getenv("ADD");
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
}
if (PRIVATE_STATIC_FINAL_TRUE) {
Connection dbConnection = null;
PreparedStatement sqlStatement = null;
try {
/* FIX: Use prepared statement and execute (properly) */
dbConnection = IO.getDBConnection();
sqlStatement =
dbConnection.prepareStatement(
"insert into users (status) values ('updated') where name=?");
sqlStatement.setString(1, data);
Boolean result = sqlStatement.execute();
if (result) {
IO.writeLine("Name, " + data + ", updated successfully");
} else {
IO.writeLine("Unable to update records for user: "******"Error getting database connection", exceptSql);
} finally {
try {
if (sqlStatement != null) {
sqlStatement.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql);
}
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
}
/* goodB2G1() - use badsource and goodsink by setting the static variable to false instead of true */
public void goodB2G1Sink(String data) throws Throwable {
if (CWE89_SQL_Injection__connect_tcp_executeQuery_22a.goodB2G1PublicStatic) {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
} else {
Connection dbConnection = null;
PreparedStatement sqlStatement = null;
ResultSet resultSet = null;
try {
/* FIX: Use prepared statement and executeQuery (properly) */
dbConnection = IO.getDBConnection();
sqlStatement = dbConnection.prepareStatement("select * from users where name=?");
sqlStatement.setString(1, data);
resultSet = sqlStatement.executeQuery();
IO.writeLine(resultSet.getRow()); /* Use ResultSet in some way */
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (resultSet != null) {
resultSet.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing ResultSet", exceptSql);
}
try {
if (sqlStatement != null) {
sqlStatement.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql);
}
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
}
/* goodG2B() - use goodsource and badsink */
public void goodG2B_sink(String data_array[]) throws Throwable {
String data = data_array[2];
String names[] = data.split("-");
int iSuccess = 0;
Logger log2 = Logger.getLogger("local-logger");
Connection conn_tmp2 = null;
Statement sqlstatement = null;
try {
conn_tmp2 = IO.getDBConnection();
sqlstatement = conn_tmp2.createStatement();
for (int i = 0; i < names.length; ++i) {
/* POTENTIAL FLAW: take user input and place into dynamic sql query */
sqlstatement.addBatch("update users set hitcount=hitcount+1 where name='" + names[i] + "'");
}
int dbResults[] = sqlstatement.executeBatch();
for (int i = 0; i < names.length; ++i) {
if (dbResults[i] > 0) {
iSuccess++;
}
}
IO.writeString("Succeeded in " + iSuccess + " out of " + names.length + " queries.");
} catch (SQLException se) {
log2.warning("Error getting database connection");
} finally {
try {
if (sqlstatement != null) {
sqlstatement.close();
}
} catch (SQLException e) {
log2.warning("Error closing sqlstatement");
} finally {
try {
if (conn_tmp2 != null) {
conn_tmp2.close();
}
} catch (SQLException e) {
log2.warning("Error closing conn_tmp2");
}
}
}
}
/* goodG2B2() - use goodsource and badsink by reversing statements in first if */
private void goodG2B2() throws Throwable {
String data;
if (IO.staticReturnsTrue()) {
/* FIX: Use a hardcoded string */
data = "foo";
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
}
if (IO.staticReturnsTrue()) {
Connection dbConnection = null;
Statement sqlStatement = null;
try {
dbConnection = IO.getDBConnection();
sqlStatement = dbConnection.createStatement();
/* POTENTIAL FLAW: data concatenated into SQL statement used in execute(), which could result in SQL Injection */
Boolean result =
sqlStatement.execute(
"insert into users (status) values ('updated') where name='" + data + "'");
if (result) {
IO.writeLine("Name, " + data + ", updated successfully");
} else {
IO.writeLine("Unable to update records for user: "******"Error getting database connection", exceptSql);
} finally {
try {
if (sqlStatement != null) {
sqlStatement.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Statement", exceptSql);
}
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
}
public void bad() throws Throwable {
String data;
if (PRIVATE_STATIC_FINAL_TRUE) {
/* get environment variable ADD */
/* POTENTIAL FLAW: Read data from an environment variable */
data = System.getenv("ADD");
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
}
if (PRIVATE_STATIC_FINAL_TRUE) {
Connection dbConnection = null;
Statement sqlStatement = null;
try {
dbConnection = IO.getDBConnection();
sqlStatement = dbConnection.createStatement();
/* POTENTIAL FLAW: data concatenated into SQL statement used in execute(), which could result in SQL Injection */
Boolean result =
sqlStatement.execute(
"insert into users (status) values ('updated') where name='" + data + "'");
if (result) {
IO.writeLine("Name, " + data + ", updated successfully");
} else {
IO.writeLine("Unable to update records for user: "******"Error getting database connection", exceptSql);
} finally {
try {
if (sqlStatement != null) {
sqlStatement.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Statement", exceptSql);
}
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
}
private void goodB2G1Sink(String data) throws Throwable {
if (goodB2G1Private) {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
IO.writeLine("Benign, fixed string");
} else {
Connection dbConnection = null;
PreparedStatement sqlStatement = null;
ResultSet resultSet = null;
try {
/* FIX: Use prepared statement and executeQuery (properly) */
dbConnection = IO.getDBConnection();
sqlStatement = dbConnection.prepareStatement("select * from users where name=?");
sqlStatement.setString(1, data);
resultSet = sqlStatement.executeQuery();
IO.writeLine(resultSet.getRow()); /* Use ResultSet in some way */
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (resultSet != null) {
resultSet.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing ResultSet", exceptSql);
}
try {
if (sqlStatement != null) {
sqlStatement.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql);
}
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
}
public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
if (IO.staticTrue) {
/* POTENTIAL FLAW: Read data from a querystring using getParameter */
data = request.getParameter("name");
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
}
if (IO.staticTrue) {
Connection dbConnection = null;
PreparedStatement sqlStatement = null;
try {
/* POTENTIAL FLAW: data concatenated into SQL statement used in prepareStatement() call, which could result in SQL Injection */
dbConnection = IO.getDBConnection();
sqlStatement =
dbConnection.prepareStatement(
"insert into users (status) values ('updated') where name='" + data + "'");
Boolean result = sqlStatement.execute();
if (result) {
IO.writeLine("Name, " + data + ", updated successfully");
} else {
IO.writeLine("Unable to update records for user: "******"Error getting database connection", exceptSql);
} finally {
try {
if (sqlStatement != null) {
sqlStatement.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql);
}
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
}
/* goodB2G() - use badsource and goodsink */
public void goodB2G_sink(String data, HttpServletRequest request, HttpServletResponse response)
throws Throwable {
Logger log2 = Logger.getLogger("local-logger");
Connection conn_tmp2 = null;
PreparedStatement sqlstatement = null;
ResultSet sqlrs = null;
try {
/* FIX: use prepared sqlstatement */
conn_tmp2 = IO.getDBConnection();
sqlstatement = conn_tmp2.prepareStatement("select * from users where name=?");
sqlstatement.setString(1, data);
sqlrs = sqlstatement.executeQuery();
IO.writeString(sqlrs.toString());
} catch (SQLException se) {
log2.warning("Error getting database connection");
} finally {
try {
if (sqlrs != null) {
sqlrs.close();
}
} catch (SQLException e) {
log2.warning("Error closing sqlrs");
} finally {
try {
if (sqlstatement != null) {
sqlstatement.close();
}
} catch (SQLException e) {
log2.warning("Error closing sqlstatement");
} finally {
try {
if (conn_tmp2 != null) {
conn_tmp2.close();
}
} catch (SQLException e) {
log2.warning("Error closing conn_tmp2");
}
}
}
}
}
/* goodG2B() - use goodsource and badsink */
public void goodG2B_sink(String data, HttpServletRequest request, HttpServletResponse response)
throws Throwable {
Logger log2 = Logger.getLogger("local-logger");
Connection conn_tmp2 = null;
Statement sqlstatement = null;
ResultSet sqlrs = null;
try {
conn_tmp2 = IO.getDBConnection();
sqlstatement = conn_tmp2.createStatement();
/* POTENTIAL FLAW: take user input and place into dynamic sql query */
sqlrs = sqlstatement.executeQuery("select * from users where name='" + data + "'");
IO.writeString(sqlrs.toString());
} catch (SQLException se) {
log2.warning("Error getting database connection");
} finally {
try {
if (sqlrs != null) {
sqlrs.close();
}
} catch (SQLException e) {
log2.warning("Error closing sqlrs");
} finally {
try {
if (sqlstatement != null) {
sqlstatement.close();
}
} catch (SQLException e) {
log2.warning("Error closing sqlstatement");
} finally {
try {
if (conn_tmp2 != null) {
conn_tmp2.close();
}
} catch (SQLException e) {
log2.warning("Error closing conn_tmp2");
}
}
}
}
}
private void goodB2G1Sink(String data) throws Throwable {
if (goodB2G1Private) {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
IO.writeLine("Benign, fixed string");
} else {
Connection dbConnection = null;
PreparedStatement sqlStatement = null;
try {
/* FIX: Use prepared statement and execute (properly) */
dbConnection = IO.getDBConnection();
sqlStatement =
dbConnection.prepareStatement(
"insert into users (status) values ('updated') where name=?");
sqlStatement.setString(1, data);
Boolean result = sqlStatement.execute();
if (result) {
IO.writeLine("Name, " + data + ", updated successfully");
} else {
IO.writeLine("Unable to update records for user: "******"Error getting database connection", exceptSql);
} finally {
try {
if (sqlStatement != null) {
sqlStatement.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql);
}
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
}
public void action(String data, HttpServletRequest request, HttpServletResponse response)
throws Throwable {
if (data != null) {
String names[] = data.split("-");
int successCount = 0;
Connection dbConnection = null;
PreparedStatement sqlStatement = null;
try {
/* FIX: Use prepared statement and executeBatch (properly) */
dbConnection = IO.getDBConnection();
sqlStatement =
dbConnection.prepareStatement("update users set hitcount=hitcount+1 where name=?");
for (int i = 0; i < names.length; i++) {
sqlStatement.setString(1, names[i]);
sqlStatement.addBatch();
}
int resultsArray[] = sqlStatement.executeBatch();
for (int i = 0; i < names.length; i++) {
if (resultsArray[i] > 0) {
successCount++;
}
}
IO.writeLine("Succeeded in " + successCount + " out of " + names.length + " queries.");
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
} finally {
try {
if (sqlStatement != null) {
sqlStatement.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql);
}
try {
if (dbConnection != null) {
dbConnection.close();
}
} catch (SQLException exceptSql) {
IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
}
}
}
}