/* goodG2B() - use goodsource and badsink */
private void goodG2B() throws Throwable {
    /* FIX: the class name is a compile-time constant, not a value read from an
     * external source, so the sink only ever receives a trusted name. */
    final String className = "Testing.test";
    /* The sink itself lives in the base/subclass pair; its action() is not visible here,
     * but given the CWE-470 test name it presumably loads a class by this name. */
    CWE470_Unsafe_Reflection__database_81_base sink = new CWE470_Unsafe_Reflection__database_81_goodG2B();
    sink.action(className);
}
public void bad() throws Throwable {
    /* Initialize data; it stays empty if the query fails, so the sink is still reached */
    String data = "";

    /* Read data from a database */
    Connection dbConnection = null;
    PreparedStatement statement = null;
    ResultSet rows = null;
    try {
        /* setup the connection */
        dbConnection = IO.getDBConnection();
        /* prepare and execute a (hardcoded) query */
        statement = dbConnection.prepareStatement("select name from users where id=0");
        rows = statement.executeQuery();
        /* POTENTIAL FLAW: Read data from a database query resultset.
         * The value comes from a store the application does not control at this point,
         * so it is untrusted input from the sink's point of view.
         * NOTE(review): the cursor is not advanced with next() before getString(1);
         * many JDBC drivers throw SQLException here, which is logged below and
         * leaves data as the empty string. */
        data = rows.getString(1);
    } catch (SQLException exceptSql) {
        IO.logger.log(Level.WARNING, "Error with SQL statement", exceptSql);
    } finally {
        /* Close database objects, innermost first; each close failure is logged on its own
         * so one failing close() does not prevent the remaining resources from being released. */
        if (rows != null) {
            try {
                rows.close();
            } catch (SQLException exceptSql) {
                IO.logger.log(Level.WARNING, "Error closing ResultSet", exceptSql);
            }
        }
        if (statement != null) {
            try {
                statement.close();
            } catch (SQLException exceptSql) {
                IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql);
            }
        }
        if (dbConnection != null) {
            try {
                dbConnection.close();
            } catch (SQLException exceptSql) {
                IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
            }
        }
    }

    /* Hand the database-sourced string to the sink. action() is not visible here, but
     * per the CWE-470 test name it presumably resolves a class from this name, which is
     * the unsafe-reflection pattern this test case exists to exercise. */
    CWE470_Unsafe_Reflection__database_81_base sink = new CWE470_Unsafe_Reflection__database_81_bad();
    sink.action(data);
}