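/* good1() changes PRIVATE_STATIC_FINAL_TRUE to PRIVATE_STATIC_FINAL_FALSE */
/**
 * Mitigated variant: reads a password from standard input into a
 * {@link StringBuffer}, uses it to open a JDBC connection, and clears the
 * buffer in {@code finally} regardless of the outcome.
 *
 * <p>The {@code if} tests the always-false constant, so the benign branch is
 * dead code and the sensitive path always runs.
 *
 * <p>Limitation: {@code DriverManager.getConnection} only accepts a
 * {@code String}, so {@code password.toString()} still produces an immutable
 * copy that cannot be cleared from here. The connection string is a bare host
 * (presumably a fixture placeholder) rather than a {@code jdbc:} URL.
 *
 * @throws Throwable declared as in the sibling variants; the body itself
 *     catches and logs the {@code IOException}/{@code SQLException} it raises
 */
private void good1() throws Throwable {
    if (PRIVATE_STATIC_FINAL_FALSE) {
        /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
        IO.writeLine("Benign, fixed string");
    } else {
        InputStreamReader readerInputStream = null;
        BufferedReader readerBuffered = null;
        StringBuffer password = new StringBuffer();
        Connection dBConnection = null;
        /* read user input from console with readLine */
        try {
            readerInputStream = new InputStreamReader(System.in, "UTF-8");
            readerBuffered = new BufferedReader(readerInputStream);
            String line = readerBuffered.readLine();
            /* readLine() returns null at end of stream; appending null would
               make the literal text "null" the credential */
            if (line != null) {
                password.append(line);
            }
            dBConnection = DriverManager.getConnection("192.168.105.23", "sa", password.toString());
        } catch (IOException exceptIO) {
            IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO);
        } catch (SQLException exceptSql) {
            IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
        } finally {
            /* FIX: Zeroize the password. delete()/setLength(0) only reset the
               length; the characters stay in the backing array until they are
               overwritten, so blank every slot before truncating. */
            for (int i = 0; i < password.length(); i++) {
                password.setCharAt(i, '\0');
            }
            password.setLength(0);
            try {
                if (dBConnection != null) {
                    dBConnection.close();
                }
            } catch (SQLException exceptSql) {
                IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
            }
            try {
                if (readerBuffered != null) {
                    readerBuffered.close();
                }
            } catch (IOException exceptIO) {
                IO.logger.log(Level.WARNING, "Error closing BufferedReader", exceptIO);
            }
            try {
                if (readerInputStream != null) {
                    readerInputStream.close();
                }
            } catch (IOException exceptIO) {
                IO.logger.log(Level.WARNING, "Error closing InputStreamReader", exceptIO);
            }
        }
    }
}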
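/* good2() reverses the bodies in the if statement */
/**
 * Mitigated variant: reads a password from standard input into a
 * {@link StringBuffer}, uses it to open a JDBC connection, and clears the
 * buffer in {@code finally} regardless of the outcome.
 *
 * <p>Limitation: {@code DriverManager.getConnection} only accepts a
 * {@code String}, so {@code password.toString()} still produces an immutable
 * copy that cannot be cleared from here. The connection string is a bare host
 * (presumably a fixture placeholder) rather than a {@code jdbc:} URL.
 *
 * @throws Throwable declared as in the sibling variants; the body itself
 *     catches and logs the {@code IOException}/{@code SQLException} it raises
 */
private void good2() throws Throwable {
    if (privateTrue) {
        InputStreamReader readerInputStream = null;
        BufferedReader readerBuffered = null;
        StringBuffer password = new StringBuffer();
        Connection dBConnection = null;
        /* read user input from console with readLine */
        try {
            readerInputStream = new InputStreamReader(System.in, "UTF-8");
            readerBuffered = new BufferedReader(readerInputStream);
            String line = readerBuffered.readLine();
            /* readLine() returns null at end of stream; appending null would
               make the literal text "null" the credential */
            if (line != null) {
                password.append(line);
            }
            dBConnection = DriverManager.getConnection("192.168.105.23", "sa", password.toString());
        } catch (IOException exceptIO) {
            IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO);
        } catch (SQLException exceptSql) {
            IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
        } finally {
            /* FIX: Zeroize the password. delete()/setLength(0) only reset the
               length; the characters stay in the backing array until they are
               overwritten, so blank every slot before truncating. */
            for (int i = 0; i < password.length(); i++) {
                password.setCharAt(i, '\0');
            }
            password.setLength(0);
            try {
                if (dBConnection != null) {
                    dBConnection.close();
                }
            } catch (SQLException exceptSql) {
                IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
            }
            try {
                if (readerBuffered != null) {
                    readerBuffered.close();
                }
            } catch (IOException exceptIO) {
                IO.logger.log(Level.WARNING, "Error closing BufferedReader", exceptIO);
            }
            try {
                if (readerInputStream != null) {
                    readerInputStream.close();
                }
            } catch (IOException exceptIO) {
                IO.logger.log(Level.WARNING, "Error closing InputStreamReader", exceptIO);
            }
        }
    }
}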
/**
 * Flawed reference variant: reads a password from standard input into a
 * {@link StringBuffer}, uses it to open a JDBC connection, and never clears
 * the buffer. The code is kept byte-for-byte as the sample under test; the
 * comments below only describe what it does and where it falls short.
 *
 * <p>Two things to look at: the {@code finally} block closes every resource
 * but leaves the password characters in the buffer's backing array, and
 * {@code readLine()} may return {@code null} at end of stream, in which case
 * {@code append} stores the literal text "null" as the credential.
 * The connection string is a bare host (presumably a fixture placeholder)
 * rather than a {@code jdbc:} URL.
 *
 * @throws Throwable declared as in the sibling variants; the body itself
 *     catches and logs the {@code IOException}/{@code SQLException} it raises
 */
public void bad() throws Throwable {
    if (PRIVATE_STATIC_FINAL_TRUE) {
        InputStreamReader readerInputStream = null;
        BufferedReader readerBuffered = null;
        StringBuffer password = new StringBuffer();
        Connection dBConnection = null;
        /* read user input from console with readLine */
        try {
            readerInputStream = new InputStreamReader(System.in, "UTF-8");
            readerBuffered = new BufferedReader(readerInputStream);
            /* no null check: at end of stream this appends "null" */
            password.append(readerBuffered.readLine());
            /* toString() creates an immutable copy of the password that
               cannot be cleared; the JDBC API offers no char[] overload */
            dBConnection = DriverManager.getConnection("192.168.105.23", "sa", password.toString());
        } catch (IOException exceptIO) {
            IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO);
        } catch (SQLException exceptSql) {
            IO.logger.log(Level.WARNING, "Error getting database connection", exceptSql);
        } finally {
            /* FLAW: the password is stored in a mutable object (StringBuffer) and it is not cleared */
            /* The mitigated variants overwrite each character and truncate
               the buffer here, before the resources are closed. */
            try {
                if (dBConnection != null) {
                    dBConnection.close();
                }
            } catch (SQLException exceptSql) {
                IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql);
            }
            try {
                if (readerBuffered != null) {
                    readerBuffered.close();
                }
            } catch (IOException exceptIO) {
                IO.logger.log(Level.WARNING, "Error closing BufferedReader", exceptIO);
            }
            try {
                if (readerInputStream != null) {
                    readerInputStream.close();
                }
            } catch (IOException exceptIO) {
                IO.logger.log(Level.WARNING, "Error closing InputStreamReader", exceptIO);
            }
        }
    }
}