/* uses badsource and badsink */
public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
if (true) {
data = ""; /* initialize data in case id is not in query string */
/* POTENTIAL FLAW: Parse id param out of the URL querystring (without using getParameter()) */
{
StringTokenizer tokenizer = new StringTokenizer(request.getQueryString(), "&");
while (tokenizer.hasMoreTokens()) {
String token = tokenizer.nextToken(); /* a token will be like "id=foo" */
if (token.startsWith("id=")) /* check if we have the "id" parameter" */ {
data = token.substring(3); /* set data to "foo" */
break; /* exit while loop */
}
}
}
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
}
/* POTENTIAL FLAW: Instantiate object of class named in data (which may be from external input) */
Class<?> tempClass = Class.forName(data);
Object tempClassObject = tempClass.newInstance();
IO.writeLine(tempClassObject.toString()); /* Use tempClassObject in some way */
}
/* goodG2B() - use goodsource and badsink */
public void goodG2B_sink(String data) throws Throwable {
Class<?> c = Class.forName(data); /* FLAW: loading arbitrary class */
Object instance = c.newInstance();
IO.writeLine(instance.toString());
}
public void action(String data) throws Throwable {
/* POTENTIAL FLAW: Instantiate object of class named in data (which may be from external input) */
Class<?> tempClass = Class.forName(data);
Object tempClassObject = tempClass.newInstance();
IO.writeLine(tempClassObject.toString()); /* Use tempClassObject in some way */
}
/* goodG2B() - use goodsource and badsink */
private void goodG2B(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
data = "Testing.test";
Class<?> c = Class.forName(data); /* FLAW: loading arbitrary class */
Object instance = c.newInstance();
IO.writeLine(instance.toString());
}
/* goodG2B1() - use goodsource and badsink by setting the variable to false instead of true */
private void goodG2B1() throws Throwable {
String data;
goodG2B1_private = false;
data = goodG2B1_source();
/* POTENTIAL FLAW: Instantiate object of class named in data (which may be from external input) */
Class<?> tempClass = Class.forName(data);
Object tempClassObject = tempClass.newInstance();
IO.writeLine(tempClassObject.toString()); /* Use tempClassObject in some way */
}
/* goodB2G() - use badsource and goodsink */
public void goodB2G_sink(String data) throws Throwable {
if (!data.equals("Testing.test")
&& /* FIX: classname must be one of 2 values */ !data.equals("Test.test")) {
return;
}
Class<?> c = Class.forName(data);
Object instance = c.newInstance();
IO.writeLine(instance.toString());
}
/* goodG2B() - use goodsource and badsink */
public void goodG2B_sink(
CWE470_Unsafe_Reflection__getParameterServlet_67a.Container data_container,
HttpServletRequest request,
HttpServletResponse response)
throws Throwable {
String data = data_container.a;
Class<?> c = Class.forName(data); /* FLAW: loading arbitrary class */
Object instance = c.newInstance();
IO.writeLine(instance.toString());
}
/* goodG2B() - use goodsource and badsink */
public void goodG2BSink(
HashMap<Integer, String> dataHashMap,
HttpServletRequest request,
HttpServletResponse response)
throws Throwable {
String data = dataHashMap.get(2);
/* POTENTIAL FLAW: Instantiate object of class named in data (which may be from external input) */
Class<?> tempClass = Class.forName(data);
Object tempClassObject = tempClass.newInstance();
IO.writeLine(tempClassObject.toString()); /* Use tempClassObject in some way */
}
/* goodG2B2() - use goodsource and badsink by reversing statements in if */
private void goodG2B2() throws Throwable {
String data;
if (privateReturnsTrue()) {
/* FIX: Use a hardcoded class name */
data = "Testing.test";
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
}
/* POTENTIAL FLAW: Instantiate object of class named in data (which may be from external input) */
Class<?> tempClass = Class.forName(data);
Object tempClassObject = tempClass.newInstance();
IO.writeLine(tempClassObject.toString()); /* Use tempClassObject in some way */
}
/* goodB2G() - use badsource and goodsink */
public void goodB2G_sink(
CWE470_Unsafe_Reflection__getParameterServlet_67a.Container data_container,
HttpServletRequest request,
HttpServletResponse response)
throws Throwable {
String data = data_container.a;
if (!data.equals("Testing.test")
&& /* FIX: classname must be one of 2 values */ !data.equals("Test.test")) {
return;
}
Class<?> c = Class.forName(data);
Object instance = c.newInstance();
IO.writeLine(instance.toString());
}
/* uses badsource and badsink */
public void bad() throws Throwable {
String data;
if (privateReturnsTrue()) {
/* get system property user.home */
/* POTENTIAL FLAW: Read data from a system property */
data = System.getProperty("user.home");
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
}
/* POTENTIAL FLAW: Instantiate object of class named in data (which may be from external input) */
Class<?> tempClass = Class.forName(data);
Object tempClassObject = tempClass.newInstance();
IO.writeLine(tempClassObject.toString()); /* Use tempClassObject in some way */
}
/* goodB2G2() - use badsource and goodsink by reversing statements in second if */
private void goodB2G2() throws Throwable {
String data;
/* INCIDENTAL: CWE 571 Statement is Always True */
if (IO.static_t) {
Logger log_bad = Logger.getLogger("local-logger");
data = ""; /* init data */
File f = new File("C:\\data.txt");
BufferedReader buffread = null;
FileReader fread = null;
try {
/* read string from file into data */
fread = new FileReader(f);
buffread = new BufferedReader(fread);
data = buffread.readLine(); // This will be reading the first "line" of the file, which
// could be very long if there are little or no newlines in the file\
} catch (IOException ioe) {
log_bad.warning("Error with stream reading");
} catch (NumberFormatException nfe) {
log_bad.warning("Error with number parsing");
} finally {
/* clean up stream reading objects */
try {
if (buffread != null) {
buffread.close();
}
} catch (IOException ioe) {
log_bad.warning("Error closing buffread");
} finally {
try {
if (fread != null) {
fread.close();
}
} catch (IOException ioe) {
log_bad.warning("Error closing fread");
}
}
}
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
data = "Testing.test";
}
/* INCIDENTAL: CWE 571 Statement is Always True */
if (IO.static_t) {
if (!data.equals("Testing.test")
&& /* FIX: classname must be one of 2 values */ !data.equals("Test.test")) {
return;
}
Class<?> c = Class.forName(data);
Object instance = c.newInstance();
IO.writeLine(instance.toString());
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
Class<?> c = Class.forName(data); /* FLAW: loading arbitrary class */
Object instance = c.newInstance();
IO.writeLine(instance.toString());
}
}
/* goodG2B2() - use goodsource and badsink by reversing statements in first if */
private void goodG2B2() throws Throwable {
String data;
/* INCIDENTAL: CWE 571 Statement is Always True */
if (5 == 5) {
data = "Testing.test";
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
Logger log_bad = Logger.getLogger("local-logger");
data = ""; /* init data */
/* read user input from console with readLine*/
BufferedReader buffread = null;
InputStreamReader instrread = null;
try {
instrread = new InputStreamReader(System.in);
buffread = new BufferedReader(instrread);
data = buffread.readLine();
} catch (IOException ioe) {
log_bad.warning("Error with stream reading");
} finally {
/* clean up stream reading objects */
try {
if (buffread != null) {
buffread.close();
}
} catch (IOException ioe) {
log_bad.warning("Error closing buffread");
} finally {
try {
if (instrread != null) {
instrread.close();
}
} catch (IOException ioe) {
log_bad.warning("Error closing instrread");
}
}
}
}
/* INCIDENTAL: CWE 571 Statement is Always True */
if (5 == 5) {
Class<?> c = Class.forName(data); /* FLAW: loading arbitrary class */
Object instance = c.newInstance();
IO.writeLine(instance.toString());
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
if (!data.equals("Testing.test")
&& /* FIX: classname must be one of 2 values */ !data.equals("Test.test")) {
return;
}
Class<?> c = Class.forName(data);
Object instance = c.newInstance();
IO.writeLine(instance.toString());
}
}
public void bad() throws Throwable {
String data;
/* INCIDENTAL: CWE 571 Statement is Always True */
if (private_final_five == 5) {
Logger log_bad = Logger.getLogger("local-logger");
data = ""; /* init data */
URLConnection conn = (new URL("http://www.example.org/")).openConnection();
BufferedReader buffread = null;
InputStreamReader instrread = null;
try {
/* read input from URLConnection */
instrread = new InputStreamReader(conn.getInputStream());
buffread = new BufferedReader(instrread);
data = buffread.readLine(); // This will be reading the first "line" of the response body,
// which could be very long if there are no newlines in the HTML
} catch (IOException ioe) {
log_bad.warning("Error with stream reading");
} finally {
/* clean up stream reading objects */
try {
if (buffread != null) {
buffread.close();
}
} catch (IOException ioe) {
log_bad.warning("Error closing buffread");
} finally {
try {
if (instrread != null) {
instrread.close();
}
} catch (IOException ioe) {
log_bad.warning("Error closing instrread");
}
}
}
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
data = "Testing.test";
}
/* INCIDENTAL: CWE 571 Statement is Always True */
if (private_final_five == 5) {
Class<?> c = Class.forName(data); /* FLAW: loading arbitrary class */
Object instance = c.newInstance();
IO.writeLine(instance.toString());
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
if (!data.equals("Testing.test")
&& /* FIX: classname must be one of 2 values */ !data.equals("Test.test")) {
return;
}
Class<?> c = Class.forName(data);
Object instance = c.newInstance();
IO.writeLine(instance.toString());
}
}
/* uses badsource and badsink */
public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
if (PRIVATE_STATIC_FINAL_TRUE) {
data = ""; /* initialize data in case there are no cookies */
/* Read data from cookies */
{
Cookie cookieSources[] = request.getCookies();
if (cookieSources != null) {
/* POTENTIAL FLAW: Read data from the first cookie value */
data = cookieSources[0].getValue();
}
}
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run
* but ensure data is inititialized before the Sink to avoid compiler errors */
data = null;
}
/* POTENTIAL FLAW: Instantiate object of class named in data (which may be from external input) */
Class<?> tempClass = Class.forName(data);
Object tempClassObject = tempClass.newInstance();
IO.writeLine(tempClassObject.toString()); /* Use tempClassObject in some way */
}
public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable {
String data;
Logger log_bad = Logger.getLogger("local-logger");
data = "";
/* parse the query string for value of 'id' */
String id_str = null;
StringTokenizer st = new StringTokenizer(request.getQueryString(), "&");
while (st.hasMoreTokens()) {
String token = st.nextToken();
int i = token.indexOf("=");
if ((i > 0) && (i < (token.length() - 1)) && (token.substring(0, i).equals("id"))) {
id_str = token.substring(i + 1);
break;
}
}
if (id_str != null) {
Connection conn = null;
PreparedStatement statement = null;
ResultSet rs = null;
try {
int id = Integer.parseInt(id_str);
conn = IO.getDBConnection();
statement = conn.prepareStatement("select * from pages where id=?");
/* FLAW: no check to see whether the user has privileges to view the data */
statement.setInt(1, id);
rs = statement.executeQuery();
data = rs.toString();
} catch (SQLException se) {
log_bad.warning("Error");
} finally {
/* clean up database objects */
try {
if (rs != null) {
rs.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing rs");
} finally {
try {
if (statement != null) {
statement.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing statement");
} finally {
try {
if (conn != null) {
conn.close();
}
} catch (SQLException se) {
log_bad.warning("Error closing conn");
}
}
}
}
}
Class<?> c = Class.forName(data); /* FLAW: loading arbitrary class */
Object instance = c.newInstance();
IO.writeLine(instance.toString());
}
public static void main(String[] args) {
if (args.length != 0) {
if (args[0].equals("-h") || args[0].equals("--help")) {
System.err.println(
"To use this main, you can either run the program with no "
+ "command line arguments to run all test cases or you can specify one or more classes to test");
System.err.println("For example:");
System.err.println(
"java testcasesupport.Main testcases.CWE690_Unchecked_Return_Value_to_NULL_Pointer_Dereference.custom_function.CWE690_Unchecked_Return_Value_to_NULL_Pointer_Dereference__custom_function_01 testcases.CWE481_Assigning_instead_of_Comparing.bool.CWE481_Assigning_instead_of_Comparing__bool_01");
System.exit(1);
}
/* User supplied some class names on the command line, just use those with introspection
*
* String classNames[] = { "CWE481_Assigning_instead_of_Comparing__boolean_01",
* "CWE476_Null_Pointer_Dereference__getProperty_01" };
* could read class names from command line or use
* http://sadun-util.sourceforge.net/api/org/sadun/util/
* ClassPackageExplorer.html
*/
for (String className : args) {
try {
/* String classNameWithPackage = "testcases." + className; */
/* IO.writeLine("classNameWithPackage = " + classNameWithPackage); */
Class<?> myClass = Class.forName(className);
AbstractTestCase myObject = (AbstractTestCase) myClass.newInstance();
myObject.runTest(className);
} catch (Exception ex) {
IO.writeLine("Could not run test for class " + className);
ex.printStackTrace();
}
IO.writeLine(""); /* leave a blank line between classes */
}
} else {
/* No command line args were used, we want to run every testcase */
/* needed to separate these calls into other methods because
we were running into the size limit Java has for a single method */
runTestCWE1();
runTestCWE2();
runTestCWE3();
runTestCWE4();
runTestCWE5();
runTestCWE6();
runTestCWE7();
runTestCWE8();
runTestCWE9();
}
}
