/* goodG2B() - use goodsource and badsink by changing the first "if" so that both branches use the GoodSource */ private void goodG2B(HttpServletRequest request, HttpServletResponse response) throws Throwable { int data; if (IO.static_returns_t_or_f()) { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded number that won't cause underflow, overflow, divide by zero, or loss-of-precision issues */ data = 2; } else { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded number that won't cause underflow, overflow, divide by zero, or loss-of-precision issues */ data = 2; } if (IO.static_returns_t_or_f()) { int valueToSub = (new SecureRandom()).nextInt(99) + 1; /* subtracting at least 1 */ /* POTENTIAL FLAW: if (data-valueToSub) < MIN_VALUE this will underflow */ int result = (data - valueToSub); IO.writeLine("result: " + result); } else { int valueToSub = (new SecureRandom()).nextInt(99) + 1; /* subtracting at least 1 */ /* POTENTIAL FLAW: if (data-valueToSub) < MIN_VALUE this will underflow */ int result = (data - valueToSub); IO.writeLine("result: " + result); } }
/* goodG2B() - use goodsource and badsink by changing the first "if" so that both branches use the GoodSource */ private void goodG2B() throws Throwable { int data; if (IO.static_returns_t_or_f()) { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded number that won't cause underflow, overflow, divide by zero, or loss-of-precision issues */ data = 2; } else { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded number that won't cause underflow, overflow, divide by zero, or loss-of-precision issues */ data = 2; } if (IO.static_returns_t_or_f()) { int valueToMult = (new SecureRandom()).nextInt(98) + 2; /* multiply by at least 2 */ if (data < 0) /* ensure we don't have an overflow */ { /* POTENTIAL FLAW: if (data*valueToMult) < MIN_VALUE, this will overflow */ int result = (data * valueToMult); IO.writeLine("result: " + result); } } else { int valueToMult = (new SecureRandom()).nextInt(98) + 2; /* multiply by at least 2 */ if (data < 0) /* ensure we don't have an overflow */ { /* POTENTIAL FLAW: if (data*valueToMult) < MIN_VALUE, this will overflow */ int result = (data * valueToMult); IO.writeLine("result: " + result); } } }
/* goodG2B2() - use goodsource and badsink by reversing statements in if */ private void goodG2B2(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; if (IO.static_final_t) { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ Logger log_bad = Logger.getLogger("local-logger"); /* read parameter from cookie */ Cookie cookieSources[] = request.getCookies(); if (cookieSources != null) { data = cookieSources[0].getValue(); } else { data = null; } } String root = "C:\\uploads\\"; /* POTENTIAL FLAW: no validation of concatenated value */ File fIn = new File(root + data); if (fIn.exists() && fIn.isFile()) { IO.writeLine(new BufferedReader(new FileReader(fIn)).readLine()); } }
public void bad() throws Throwable { String data; /* INCIDENTAL: CWE 571 Statement is Always True */ if (private_returns_t()) { Logger log_bad = Logger.getLogger("local-logger"); data = ""; /* init data */ URLConnection conn = (new URL("http://www.example.org/")).openConnection(); BufferedReader buffread = null; InputStreamReader instrread = null; try { /* read input from URLConnection */ instrread = new InputStreamReader(conn.getInputStream()); buffread = new BufferedReader(instrread); data = buffread.readLine(); // This will be reading the first "line" of the response body, // which could be very long if there are no newlines in the HTML } catch (IOException ioe) { log_bad.warning("Error with stream reading"); } finally { /* clean up stream reading objects */ try { if (buffread != null) { buffread.close(); } } catch (IOException ioe) { log_bad.warning("Error closing buffread"); } finally { try { if (instrread != null) { instrread.close(); } } catch (IOException ioe) { log_bad.warning("Error closing instrread"); } } } } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; } /* INCIDENTAL: CWE 571 Statement is Always True */ if (private_returns_t()) { try { int iConversion = Integer.valueOf(data); } catch (Exception e) { e.printStackTrace(); /* POTENTIAL FLAW: Print stack trace on error */ } } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ try { int iConversion = Integer.valueOf(data); } catch (Exception e) { IO.writeLine("There was an error parsing the string"); /* FIX: print a generic message */ } } }
public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; if (IO.static_returns_t_or_f()) { Logger log_bad = Logger.getLogger("local-logger"); /* read parameter from cookie */ Cookie cookieSources[] = request.getCookies(); if (cookieSources != null) { data = cookieSources[0].getValue(); } else { data = null; } } else { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; } if (IO.static_returns_t_or_f()) { /* POTENTIAL FLAW: Input from file not verified */ response.addHeader("Location", "/author.jsp?lang=" + data); } else { /* FIX: use URLEncoder.encode to hex-encode non-alphanumerics */ data = URLEncoder.encode(data, "UTF-16"); response.addHeader("Location", "/author.jsp?lang=" + data); } }
/* goodG2B1() - use goodsource and badsink by changing first private_returns_t() to private_returns_f() */ private void goodG2B1(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; /* INCIDENTAL: CWE 570 Statement is Always False */ if (private_returns_f()) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ Logger log_bad = Logger.getLogger("local-logger"); /* read parameter from request */ data = request.getParameter("name"); } else { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; } /* INCIDENTAL: CWE 571 Statement is Always True */ if (private_returns_t()) { try { int iConversion = Integer.valueOf(data); } catch (Exception e) { e.printStackTrace(); /* POTENTIAL FLAW: Print stack trace on error */ } } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ try { int iConversion = Integer.valueOf(data); } catch (Exception e) { IO.writeLine("There was an error parsing the string"); /* FIX: print a generic message */ } } }
/* goodG2B1() - use goodsource and badsink by changing first private_final_t to private_final_f */ private void goodG2B1() throws Throwable { int data; /* INCIDENTAL: CWE 570 Statement is Always False */ if (private_final_f) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ Logger log_bad = Logger.getLogger("local-logger"); SecureRandom r = new SecureRandom(); data = r.nextInt(); } else { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded number that won't cause underflow, overflow, divide by zero, or loss-of-precision issues */ data = 2; } /* INCIDENTAL: CWE 571 Statement is Always True */ if (private_final_t) { /* POTENTIAL FLAW: Zero denominator will cause an issue. An integer division will result in an exception. */ IO.writeLine("bad: 100/" + String.valueOf(data) + " = " + (100 / data) + "\n"); } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ /* FIX: test for a zero denominator */ if (data != 0) { IO.writeLine("100/" + String.valueOf(data) + " = " + (100 / data) + "\n"); } else { IO.writeLine("This would result in a divide by zero"); } } }
/* goodG2B1() - use goodsource and badsink by changing first 5==5 to 5!=5 */ private void goodG2B1(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; /* INCIDENTAL: CWE 570 Statement is Always False */ if (5 != 5) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ Logger log_bad = Logger.getLogger("local-logger"); /* read parameter from cookie */ Cookie cookieSources[] = request.getCookies(); if (cookieSources != null) { data = cookieSources[0].getValue(); } else { data = null; } } else { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; } /* INCIDENTAL: CWE 571 Statement is Always True */ if (5 == 5) { Cookie cookieSink = new Cookie("lang", data); /* POTENTIAL FLAW: Input not verified before inclusion in the cookie */ response.addCookie(cookieSink); } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ Cookie cookieSink = new Cookie("lang", URLEncoder.encode(data, "UTF-16")); /* FIX: use URLEncoder.encode to hex-encode non-alphanumerics */ response.addCookie(cookieSink); } }
/* goodG2B2() - use goodsource and badsink by reversing statements in if */ private void goodG2B2(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; if (IO.static_t) { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ Logger log_bad = Logger.getLogger("local-logger"); /* read parameter from cookie */ Cookie cookieSources[] = request.getCookies(); if (cookieSources != null) { data = cookieSources[0].getValue(); } else { data = null; } } if (data != null) { /* POTENTIAL FLAW: script code (e.g. id=<script>alert('xss')</script>) is sent to the client; The built-in J2EE server automatically does some HTML entity encoding. Therefore, to test this, change response.sendError to response.getWriter().println and remove the 404, */ response.sendError(404, "<br>bad() - Parameter name has value " + data); } }
/* goodG2B() - use goodsource and badsink by changing the conditions on the first and second while statements */ private void goodG2B(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; boolean local_f = false; while (true) { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; break; } while (local_f) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ Logger log_bad = Logger.getLogger("local-logger"); /* get environment variable ADD */ data = System.getenv("ADD"); break; } while (true) { Cookie cookieSink = new Cookie("lang", data); /* POTENTIAL FLAW: Input not verified before inclusion in the cookie */ response.addCookie(cookieSink); break; } while (local_f) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ Cookie cookieSink = new Cookie("lang", URLEncoder.encode(data, "UTF-16")); /* FIX: use URLEncoder.encode to hex-encode non-alphanumerics */ response.addCookie(cookieSink); break; } }
/* goodG2B1() - use goodsource and badsink by changing first IO.static_five==5 to IO.static_five!=5 */ private void goodG2B1() throws Throwable { int data; if (IO.static_five != 5) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ /* POTENTIAL FLAW: Use the maximum value for this type */ data = Integer.MAX_VALUE; } else { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded number that won't cause underflow, overflow, divide by zero, or loss-of-precision issues */ data = 2; } if (IO.static_five == 5) { int valueToAdd = (new SecureRandom()).nextInt(99) + 1; /* adding at least 1 */ /* POTENTIAL FLAW: if (data+valueToAdd) > MAX_VALUE, this will overflow */ int result = (data + valueToAdd); IO.writeLine("result: " + result); } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ int result = 0; int valueToAdd = (new SecureRandom()).nextInt(99) + 1; /* adding at least 1 */ /* FIX: Add a check to prevent an overflow from occurring */ if (data <= (Integer.MAX_VALUE - valueToAdd)) { result = (data + valueToAdd); IO.writeLine("result: " + result); } else { IO.writeLine("Input value is too large to perform addition."); } } }
/* goodG2B1() - use goodsource and badsink by changing first private_final_five==5 to private_final_five!=5 */ private void goodG2B1(HttpServletRequest request, HttpServletResponse response) throws Throwable { int data; /* INCIDENTAL: CWE 570 Statement is Always False */ if (private_final_five != 5) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ Logger log_bad = Logger.getLogger("local-logger"); /* init Data$ */ data = -1; /* read parameter from request */ String s_data = request.getParameter("name"); data = Integer.parseInt(s_data.trim()); } else { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded number that won't cause underflow, overflow, divide by zero, or loss-of-precision issues */ data = 2; } /* INCIDENTAL: CWE 571 Statement is Always True */ if (private_final_five == 5) { /* POTENTIAL FLAW: Zero denominator will cause an issue. An integer division will result in an exception. */ IO.writeLine("bad: 100/" + String.valueOf(data) + " = " + (100 / data) + "\n"); } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ /* FIX: test for a zero denominator */ if (data != 0) { IO.writeLine("100/" + String.valueOf(data) + " = " + (100 / data) + "\n"); } else { IO.writeLine("This would result in a divide by zero"); } } }
/* goodG2B2() - use goodsource and badsink by reversing statements in if */ private void goodG2B2() throws Throwable { String data; if (IO.static_returns_t()) { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ Logger log_bad = Logger.getLogger("local-logger"); data = ""; /* init data */ File f = new File("C:\\data.txt"); BufferedReader buffread = null; FileReader fread = null; try { /* read string from file into data */ fread = new FileReader(f); buffread = new BufferedReader(fread); data = buffread.readLine(); // This will be reading the first "line" of the file, which // could be very long if there are little or no newlines in the file\ } catch (IOException ioe) { log_bad.warning("Error with stream reading"); } catch (NumberFormatException nfe) { log_bad.warning("Error with number parsing"); } finally { /* clean up stream reading objects */ try { if (buffread != null) { buffread.close(); } } catch (IOException ioe) { log_bad.warning("Error closing buffread"); } finally { try { if (fread != null) { fread.close(); } } catch (IOException ioe) { log_bad.warning("Error closing fread"); } } } } String osCommand; if (System.getProperty("os.name").toLowerCase().indexOf("win") >= 0) { /* running on Windows */ osCommand = "c:\\WINDOWS\\SYSTEM32\\cmd.exe /c dir "; } else { /* running on non-Windows */ osCommand = "/bin/ls "; } /* POTENTIAL FLAW: command injection */ Process p = Runtime.getRuntime().exec(osCommand + data); p.waitFor(); }
/* goodG2B() - use goodsource and badsink by moving BadSource and BadSink to after return */ private void goodG2B(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; /* POTENTIAL FLAW: Input not verified before inclusion in header */ response.setHeader("Location", "/author.jsp?lang=" + data); } if (true) return; /* INCIDENTAL: CWE 571 Expression is Always True. We need the "if(true)" because the Java Language Spec requires that unreachable code generate a compiler error */ /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ { Logger log_bad = Logger.getLogger("local-logger"); /* read parameter from request */ data = request.getParameter("name"); /* POTENTIAL FLAW: Input not verified before inclusion in header */ response.setHeader("Location", "/author.jsp?lang=" + data); } }
/* goodG2B2() - use goodsource and badsink by reversing statements in first if */ private void goodG2B2() throws Throwable { String data; /* INCIDENTAL: CWE 571 Statement is Always True */ if (private_final_t) { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ Logger log_bad = Logger.getLogger("local-logger"); data = ""; /* init data */ /* read user input from console with readLine*/ BufferedReader buffread = null; InputStreamReader instrread = null; try { instrread = new InputStreamReader(System.in); buffread = new BufferedReader(instrread); data = buffread.readLine(); } catch (IOException ioe) { log_bad.warning("Error with stream reading"); } finally { /* clean up stream reading objects */ try { if (buffread != null) { buffread.close(); } } catch (IOException ioe) { log_bad.warning("Error closing buffread"); } finally { try { if (instrread != null) { instrread.close(); } } catch (IOException ioe) { log_bad.warning("Error closing instrread"); } } } } /* INCIDENTAL: CWE 571 Statement is Always True */ if (private_final_t) { MessageDigest hash = MessageDigest.getInstance("SHA-512"); hash.update(data.getBytes()); /* FLAW: SHA512 with a predictable salt */ byte[] hashv = hash.digest("hash me".getBytes()); IO.writeLine(IO.toHex(hashv)); } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ SecureRandom r = new SecureRandom(); MessageDigest hash = MessageDigest.getInstance("SHA-512"); hash.update(r.getSeed(32)); /* FIX: Use a sufficiently random salt */ byte[] hashv = hash.digest("hash me".getBytes()); IO.writeLine(IO.toHex(hashv)); } }
/* goodG2B1() - use goodsource and badsink by changing true to false */ private void goodG2B1(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; if (false) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ Logger log_bad = Logger.getLogger("local-logger"); data = ""; /* init data */ Socket sock = null; BufferedReader buffread = null; InputStreamReader instrread = null; try { /* Read data using an outbound tcp connection */ sock = new Socket("host.example.org", 39544); /* read input from socket */ instrread = new InputStreamReader(sock.getInputStream()); buffread = new BufferedReader(instrread); data = buffread.readLine(); } catch (IOException ioe) { log_bad.warning("Error with stream reading"); } finally { /* clean up stream reading objects */ try { if (buffread != null) { buffread.close(); } } catch (IOException ioe) { log_bad.warning("Error closing buffread"); } finally { try { if (instrread != null) { instrread.close(); } } catch (IOException ioe) { log_bad.warning("Error closing instrread"); } } /* clean up socket objects */ try { if (sock != null) { sock.close(); } } catch (IOException e) { log_bad.warning("Error closing sock"); } } } else { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; } if (data != null) { /* POTENTIAL FLAW: script code (e.g. id=<script>alert('xss')</script>) is sent to the client; The built-in J2EE server automatically does some HTML entity encoding. Therefore, to test this, change response.sendError to response.getWriter().println and remove the 404, */ response.sendError(404, "<br>bad() - Parameter name has value " + data); } }
/* goodG2B() - use goodsource and badsink by moving BadSource and BadSink to after return */ private void goodG2B() throws Throwable { String data; { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; /* POTENTIAL FLAW: assertion is evaluated */ assert data.length() > 0; } if (true) return; /* INCIDENTAL: CWE 571 Expression is Always True. We need the "if(true)" because the Java Language Spec requires that unreachable code generate a compiler error */ /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ { Logger log_bad = Logger.getLogger("local-logger"); data = ""; /* init data */ File f = new File("C:\\data.txt"); BufferedReader buffread = null; FileReader fread = null; try { /* read string from file into data */ fread = new FileReader(f); buffread = new BufferedReader(fread); data = buffread.readLine(); // This will be reading the first "line" of the file, which // could be very long if there are little or no newlines in the file\ } catch (IOException ioe) { log_bad.warning("Error with stream reading"); } catch (NumberFormatException nfe) { log_bad.warning("Error with number parsing"); } finally { /* clean up stream reading objects */ try { if (buffread != null) { buffread.close(); } } catch (IOException ioe) { log_bad.warning("Error closing buffread"); } finally { try { if (fread != null) { fread.close(); } } catch (IOException ioe) { log_bad.warning("Error closing fread"); } } } /* POTENTIAL FLAW: assertion is evaluated */ assert data.length() > 0; } }
public void bad() throws Throwable { int data; if (IO.static_returns_t_or_f()) { Logger log_bad = Logger.getLogger("local-logger"); /* init data */ data = -1; /* retrieve the "pid" property */ Properties props = new Properties(); FileInputStream finstr = null; try { finstr = new FileInputStream("../common/config.properties"); props.load(finstr); String s_data = props.getProperty("pid"); data = Integer.parseInt(s_data.trim()); } catch (IOException ioe) { log_bad.warning("Error with stream reading"); } catch (NumberFormatException nfe) { log_bad.warning("Error with number parsing"); } finally { /* clean up stream reading objects */ try { if (finstr != null) { finstr.close(); } } catch (IOException ioe) { log_bad.warning("Error closing buffread"); } } } else { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded number that won't cause underflow, overflow, divide by zero, or loss-of-precision issues */ data = 2; } if (IO.static_returns_t_or_f()) { int valueToMult = (new SecureRandom()).nextInt(98) + 2; /* multiply by at least 2 */ if (data > 0) /* ensure we don't have an underflow */ { /* POTENTIAL FLAW: if (data*valueToMult) > MAX_VALUE, this will overflow */ int result = (data * valueToMult); IO.writeLine("result: " + result); } } else { int valueToMult = (new SecureRandom()).nextInt(98) + 2; /* multiply by at least 2 */ if (data > 0) /* ensure we don't have an underflow */ { int result = 0; /* FIX: Add a check to prevent an overflow from occurring */ if (data <= (Integer.MAX_VALUE / valueToMult)) { result = (data * valueToMult); IO.writeLine("result: " + result); } else { IO.writeLine("Input value is too large to perform multiplication."); } } } }
/* goodG2B() - use goodsource and badsink */ private void goodG2B() throws Throwable { String data_copy; { String data; java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; data_copy = data; } { String data = data_copy; Logger log2 = Logger.getLogger("local-logger"); Connection conn_tmp2 = null; Statement sqlstatement = null; ResultSet sqlrs = null; try { conn_tmp2 = IO.getDBConnection(); sqlstatement = conn_tmp2.createStatement(); /* POTENTIAL FLAW: take user input and place into dynamic sql query */ sqlrs = sqlstatement.executeQuery("select * from users where name='" + data + "'"); IO.writeString(sqlrs.toString()); } catch (SQLException se) { log2.warning("Error getting database connection"); } finally { try { if (sqlrs != null) { sqlrs.close(); } } catch (SQLException e) { log2.warning("Error closing sqlrs"); } finally { try { if (sqlstatement != null) { sqlstatement.close(); } } catch (SQLException e) { log2.warning("Error closing sqlstatement"); } finally { try { if (conn_tmp2 != null) { conn_tmp2.close(); } } catch (SQLException e) { log2.warning("Error closing conn_tmp2"); } } } } } }
/* goodG2B() - use goodsource and badsink by moving BadSource and BadSink to after return */ private void goodG2B(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; if (data != null) { /* This prevents \r\n (and other chars) and should prevent incidentals such * as HTTP Response Splitting and HTTP Header Injection. */ URI u; try { u = new URI(data); } catch (URISyntaxException e) { response.getWriter().write("Invalid redirect URL"); return; } /* POTENTIAL FLAW: redirect is sent verbatim; escape the string to prevent ancillary issues like XSS, Response splitting etc */ response.sendRedirect(data); return; } } if (true) return; /* INCIDENTAL: CWE 571 Expression is Always True. We need the "if(true)" because the Java Language Spec requires that unreachable code generate a compiler error */ /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ { Logger log_bad = Logger.getLogger("local-logger"); /* read parameter from cookie */ Cookie cookieSources[] = request.getCookies(); if (cookieSources != null) { data = cookieSources[0].getValue(); } else { data = null; } if (data != null) { /* This prevents \r\n (and other chars) and should prevent incidentals such * as HTTP Response Splitting and HTTP Header Injection. */ URI u; try { u = new URI(data); } catch (URISyntaxException e) { response.getWriter().write("Invalid redirect URL"); return; } /* POTENTIAL FLAW: redirect is sent verbatim; escape the string to prevent ancillary issues like XSS, Response splitting etc */ response.sendRedirect(data); return; } } }
/* goodB2G() - use badsource and goodsink by changing the conditions on the second and third for statements */ private void goodB2G() throws Throwable { String data; Logger log_bad = Logger.getLogger("local-logger"); data = ""; /* init data */ File f = new File("C:\\data.txt"); BufferedReader buffread = null; FileReader fread = null; try { /* read string from file into data */ fread = new FileReader(f); buffread = new BufferedReader(fread); data = buffread.readLine(); // This will be reading the first "line" of the file, which // could be very long if there are little or no newlines in the file\ } catch (IOException ioe) { log_bad.warning("Error with stream reading"); } catch (NumberFormatException nfe) { log_bad.warning("Error with number parsing"); } finally { /* clean up stream reading objects */ try { if (buffread != null) { buffread.close(); } } catch (IOException ioe) { log_bad.warning("Error closing buffread"); } finally { try { if (fread != null) { fread.close(); } } catch (IOException ioe) { log_bad.warning("Error closing fread"); } } } for (int for_index_i = 0; for_index_i < 0; for_index_i++) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; } for (int for_index_j = 0; for_index_j < 0; for_index_j++) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ /* POTENTIAL FLAW: uncontrolled string formatting */ System.out.printf(data); } for (int for_index_k = 0; for_index_k < 1; for_index_k++) { /* FIX: explicitly defined string formatting */ System.out.printf("%s\n", data); } }
/* goodG2B() - use goodsource and badsink */ private void goodG2B() throws Throwable { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; (new CWE36_Absolute_Path_Traversal__console_readLine_68b()).goodG2B_sink(); }
/* goodG2B() - use goodsource and badsink */ private void goodG2B() throws Throwable { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; (new CWE760_Predictable_Salt_One_Way_Hash__Environment_68b()).goodG2B_sink(); }
/* goodG2B() - use goodsource and badsink */ private void goodG2B() throws Throwable { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; (new CWE23_Relative_Path_Traversal__listen_tcp_68b()).goodG2B_sink(); }
/* goodG2B() - use goodsource and badsink */ private void goodG2B(HttpServletRequest request, HttpServletResponse response) throws Throwable { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; (new CWE83_XSS_Attribute__Servlet_connect_tcp_68b()).goodG2B_sink(request, response); }
/* uses badsource and badsink */ public void bad() throws Throwable { String data; boolean local_f = false; /* This local variable is used becuase the Java compiler will generate an error on while(false) and similar constructs that evaluate to false. This is the simplest construct that will always be false and still compile. */ while (local_f) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; } while (true) { Logger log_bad = Logger.getLogger("local-logger"); data = ""; /* init data */ File f = new File("C:\\data.txt"); BufferedReader buffread = null; FileReader fread = null; try { /* read string from file into data */ fread = new FileReader(f); buffread = new BufferedReader(fread); data = buffread.readLine(); // This will be reading the first "line" of the file, which // could be very long if there are little or no newlines in the file\ } catch (IOException ioe) { log_bad.warning("Error with stream reading"); } catch (NumberFormatException nfe) { log_bad.warning("Error with number parsing"); } finally { /* clean up stream reading objects */ try { if (buffread != null) { buffread.close(); } } catch (IOException ioe) { log_bad.warning("Error closing buffread"); } finally { try { if (fread != null) { fread.close(); } } catch (IOException ioe) { log_bad.warning("Error closing fread"); } } } break; } /* POTENTIAL FLAW: unvalidated or sandboxed value */ File fIn = new File(data); if (fIn.exists() && fIn.isFile()) { IO.writeLine(new BufferedReader(new FileReader(fIn)).readLine()); } }
/* goodG2B() - use goodsource and badsink */ private void goodG2B() throws Throwable { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; (new CWE89_SQL_Injection__URLConnection_executeQuery_68b()).goodG2B_sink(); }
/* goodG2B() - use goodsource and badsink */ private void goodG2B(HttpServletRequest request, HttpServletResponse response) throws Throwable { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; (new CWE90_LDAP_Injection__Servlet_fromFile_68b()).goodG2B_sink(request, response); }
/* goodG2B2() - use goodsource and badsink by reversing statements in first if */ private void goodG2B2() throws Throwable { int data; /* INCIDENTAL: CWE 571 Statement is Always True */ if (private_five == 5) { java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded number that won't cause underflow, overflow, divide by zero, or loss-of-precision issues */ data = 2; } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ Logger log_bad = Logger.getLogger("local-logger"); /* init data */ data = -1; /* retrieve the "pid" property */ Properties props = new Properties(); FileInputStream finstr = null; try { finstr = new FileInputStream("../common/config.properties"); props.load(finstr); String s_data = props.getProperty("pid"); data = Integer.parseInt(s_data.trim()); } catch (IOException ioe) { log_bad.warning("Error with stream reading"); } catch (NumberFormatException nfe) { log_bad.warning("Error with number parsing"); } finally { /* clean up stream reading objects */ try { if (finstr != null) { finstr.close(); } } catch (IOException ioe) { log_bad.warning("Error closing buffread"); } } } /* INCIDENTAL: CWE 571 Statement is Always True */ if (private_five == 5) { /* POTENTIAL FLAW: Zero denominator will cause an issue. An integer division will result in an exception. */ IO.writeLine("bad: 100/" + String.valueOf(data) + " = " + (100 / data) + "\n"); } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ /* FIX: test for a zero denominator */ if (data != 0) { IO.writeLine("100/" + String.valueOf(data) + " = " + (100 / data) + "\n"); } else { IO.writeLine("This would result in a divide by zero"); } } }
/* goodG2B() - use goodsource and badsink */ private String goodG2B_source() throws Throwable { String data; java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger"); /* FIX: Use a hardcoded string */ data = "foo"; return data; }