/* good2() reverses the bodies in the if statement */ private void good2(HttpServletRequest request, HttpServletResponse response) throws Throwable { if (IO.static_returns_t()) { Logger tcLog = Logger.getLogger("cwe_testcases_logger"); if (request.getParameter("username") == null) { return; } String username = request.getParameter("username"); if (username.matches("[a-zA-Z0-9]*")) { HttpSession session = request.getSession(true); /* FIX: logged message does not contain session id */ tcLog.log(Level.FINEST, "Username: "******" Session ID:" + session.getId()); } else { response.getWriter().println("Invalid characters"); } } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ Logger tcLog = Logger.getLogger("cwe_testcases_logger"); if (request.getParameter("username") == null) { return; } String username = request.getParameter("username"); if (username.matches("[a-zA-Z0-9]*")) { HttpSession session = request.getSession(true); /* FLAW: leak session ID to debug log */ tcLog.log(Level.FINEST, "Username: "******" Session ID:" + session.getId()); } else { response.getWriter().println("Invalid characters"); } } }
private void getServices(HttpServletResponse res) { InputStream is = null; try { URL url = ctx.getResource(resourcesDir + XHP_CONFIG); // use classpath if not found locally. if (url == null) url = XmlHttpProxyServlet.class.getResource(classpathResourcesDir + XHP_CONFIG); is = url.openStream(); } catch (Exception ex) { try { getLogger().severe("XmlHttpProxyServlet error loading xhp.json : " + ex); PrintWriter writer = res.getWriter(); writer.write( "XmlHttpProxyServlet Error: Error loading xhp.json. Make sure it is available in the /resources directory of your applicaton."); writer.flush(); } catch (Exception iox) { } } services = xhp.loadServices(is); }
public void doProcess(HttpServletRequest req, HttpServletResponse res, boolean isPost) { StringBuffer bodyContent = null; OutputStream out = null; PrintWriter writer = null; String serviceKey = null; try { BufferedReader in = req.getReader(); String line = null; while ((line = in.readLine()) != null) { if (bodyContent == null) bodyContent = new StringBuffer(); bodyContent.append(line); } } catch (Exception e) { } try { if (requireSession) { // check to see if there was a session created for this request // if not assume it was from another domain and blow up // Wrap this to prevent Portlet exeptions HttpSession session = req.getSession(false); if (session == null) { res.setStatus(HttpServletResponse.SC_FORBIDDEN); return; } } serviceKey = req.getParameter("id"); // only to preven regressions - Remove before 1.0 if (serviceKey == null) serviceKey = req.getParameter("key"); // check if the services have been loaded or if they need to be reloaded if (services == null || configUpdated()) { getServices(res); } String urlString = null; String xslURLString = null; String userName = null; String password = null; String format = "json"; String callback = req.getParameter("callback"); String urlParams = req.getParameter("urlparams"); String countString = req.getParameter("count"); // encode the url to prevent spaces from being passed along if (urlParams != null) { urlParams = urlParams.replace(' ', '+'); } try { if (services.has(serviceKey)) { JSONObject service = services.getJSONObject(serviceKey); // default to the service default if no url parameters are specified if (urlParams == null && service.has("defaultURLParams")) { urlParams = service.getString("defaultURLParams"); } String serviceURL = service.getString("url"); // build the URL if (urlParams != null && serviceURL.indexOf("?") == -1) { serviceURL += "?"; } else if (urlParams != null) { serviceURL += "&"; } String apikey = ""; if (service.has("username")) userName = service.getString("username"); if (service.has("password")) password = service.getString("password"); if (service.has("apikey")) apikey = service.getString("apikey"); urlString = serviceURL + apikey; if (urlParams != null) urlString += "&" + urlParams; if (service.has("xslStyleSheet")) { xslURLString = service.getString("xslStyleSheet"); } } // code for passing the url directly through instead of using configuration file else if (req.getParameter("url") != null) { String serviceURL = req.getParameter("url"); // build the URL if (urlParams != null && serviceURL.indexOf("?") == -1) { serviceURL += "?"; } else if (urlParams != null) { serviceURL += "&"; } urlString = serviceURL; if (urlParams != null) urlString += urlParams; } else { writer = res.getWriter(); if (serviceKey == null) writer.write("XmlHttpProxyServlet Error: id parameter specifying serivce required."); else writer.write( "XmlHttpProxyServlet Error : service for id '" + serviceKey + "' not found."); writer.flush(); return; } } catch (Exception ex) { getLogger().severe("XmlHttpProxyServlet Error loading service: " + ex); } Map paramsMap = new HashMap(); paramsMap.put("format", format); // do not allow for xdomain unless the context level setting is enabled. if (callback != null && allowXDomain) { paramsMap.put("callback", callback); } if (countString != null) { paramsMap.put("count", countString); } InputStream xslInputStream = null; if (urlString == null) { writer = res.getWriter(); writer.write( "XmlHttpProxyServlet parameters: id[Required] urlparams[Optional] format[Optional] callback[Optional]"); writer.flush(); return; } // default to JSON res.setContentType(responseContentType); out = res.getOutputStream(); // get the stream for the xsl stylesheet if (xslURLString != null) { // check the web root for the resource URL xslURL = null; xslURL = ctx.getResource(resourcesDir + "xsl/" + xslURLString); // if not in the web root check the classpath if (xslURL == null) { xslURL = XmlHttpProxyServlet.class.getResource(classpathResourcesDir + "xsl/" + xslURLString); } if (xslURL != null) { xslInputStream = xslURL.openStream(); } else { String message = "Could not locate the XSL stylesheet provided for service id " + serviceKey + ". Please check the XMLHttpProxy configuration."; getLogger().severe(message); try { out.write(message.getBytes()); out.flush(); return; } catch (java.io.IOException iox) { } } } if (!isPost) { xhp.doGet(urlString, out, xslInputStream, paramsMap, userName, password); } else { if (bodyContent == null) getLogger() .info( "XmlHttpProxyServlet attempting to post to url " + urlString + " with no body content"); xhp.doPost( urlString, out, xslInputStream, paramsMap, bodyContent.toString(), req.getContentType(), userName, password); } } catch (Exception iox) { iox.printStackTrace(); getLogger().severe("XmlHttpProxyServlet: caught " + iox); try { writer = res.getWriter(); writer.write(iox.toString()); writer.flush(); } catch (java.io.IOException ix) { ix.printStackTrace(); } return; } finally { try { if (out != null) out.close(); if (writer != null) writer.close(); } catch (java.io.IOException iox) { } } }
@Override public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException { resp.setContentType("text/html"); resp.getWriter().println("<html><body>"); String keyname = req.getParameter("keyname"); String value = req.getParameter("value"); DatastoreService datastore = DatastoreServiceFactory.getDatastoreService(); // Using the synchronous cache. MemcacheService syncCache = MemcacheServiceFactory.getMemcacheService(); syncCache.setErrorHandler(ErrorHandlers.getConsistentLogAndContinue(Level.INFO)); // display every element of kind TaskData for /datastore if (req.getParameterMap().isEmpty()) { // querying from datastore resp.getWriter().println("<h3>Datastore results:</h3>"); List<String> listOfKeys = new ArrayList<String>(); Query q = new Query("TaskData"); PreparedQuery pq = datastore.prepare(q); for (Entity result : pq.asIterable()) { String datastore_key = result.getKey().getName(); String taskData_value = (String) result.getProperty("value"); Date taskData_date = (Date) result.getProperty("date"); resp.getWriter() .println( "<p>keyname = " + datastore_key + " value = " + taskData_value + " date = " + taskData_date.toString() + "</p>"); listOfKeys.add(datastore_key); } // check which of the keys exist in memcache String memcache_value; resp.getWriter().println("<h3>Memcache results:</h3>"); for (String datastore_key : listOfKeys) { memcache_value = (String) syncCache.get(datastore_key); if (memcache_value != null) { // String decoded = new String(memcache_value, "UTF-8"); resp.getWriter() .println("<p>keyname = " + datastore_key + " value = " + memcache_value + "</p>"); } } } // display element of kind TaskData with key=keyname else if (keyname != null && value == null) { // first check in the cache String memcache_value = (String) syncCache.get(keyname); // Read from cache. // Get value from datastore Key task_key = KeyFactory.createKey("TaskData", keyname); try { Entity tne = datastore.get(task_key); if (memcache_value == null) { resp.getWriter().println("<h2>Datastore</h2>"); } else { resp.getWriter().println("<h2>Both</h2>"); } } catch (EntityNotFoundException e) { resp.getWriter().println("<h2>Neither</h2>"); } } // store element of kind TaskData with key=keyname and value=value else if (keyname != null && value != null) { Entity tne = new Entity("TaskData", keyname); tne.setProperty("value", value); tne.setProperty("date", new Date()); datastore.put(tne); syncCache.put(keyname, value); // Populate cache. resp.getWriter() .println("<h2>Stored " + keyname + " and " + value + " in Datastore and Memcache</h2>"); } else { resp.getWriter().println("<h2>You entered wrong query parameters</h2>"); } /* Entity tne = new Entity("TaskData", "Person"); alice.setProperty("gender", "female"); alice.setProperty("age", 20); */ resp.getWriter().println("</body></html>"); }
private boolean sendError(FacesContext context, String lifecycle, Exception e) { for (Throwable cause = e; cause != null; cause = cause.getCause()) { if (cause instanceof DisplayableException) { if (e instanceof RuntimeException) throw (RuntimeException) e; else throw new FacesException(e); } else if (cause instanceof ServletException) throw new FacesException(e); else if (cause instanceof JspException) throw new FacesException(e); } ExternalContext extContext = context.getExternalContext(); Object response = extContext.getResponse(); if (!(response instanceof HttpServletResponse)) { context.renderResponse(); if (e instanceof RuntimeException) throw (RuntimeException) e; else throw new RuntimeException(e); } log.log(Level.WARNING, e.toString(), e); HttpServletResponse res = (HttpServletResponse) response; try { context.renderResponse(); context.responseComplete(); res.setStatus(500, "JSF Exception"); res.setContentType("text/html"); PrintWriter out = res.getWriter(); out.println("<body>"); out.println("<h3>JSF exception detected in " + lifecycle + " phase</h3>"); String msg = e.getMessage(); out.println("<span style='color:red;font:bold'>" + Html.escapeHtml(msg) + "</span><br/>"); out.println("<h3>Context: " + context.getViewRoot() + "</h3>"); out.println("<code><pre>"); String errorId = null; if (e instanceof FacesException && msg.startsWith("id=")) { int p = msg.indexOf(' '); errorId = msg.substring(3, p); } printComponentTree(out, errorId, context, context.getViewRoot(), 0); out.println("</pre></code>"); if (!Alarm.isTest()) { out.println("<h3>Stack Trace</h3>"); out.println("<pre>"); if (e.getCause() != null) e.getCause().printStackTrace(out); else e.printStackTrace(out); out.println("</pre>"); } out.println("</body>"); // clear, so we don't just loop Application app = context.getApplication(); ViewHandler view = app.getViewHandler(); UIViewRoot viewRoot = context.getViewRoot(); viewRoot = view.createView(context, viewRoot.getViewId()); context.setViewRoot(viewRoot); // view.writeState(context); // XXX: no need to output state, but review. return true; } catch (IOException e1) { throw new RuntimeException(e); } }