/* TEMPLATE GENERATED TESTCASE FILE
Filename: CWE259_Hard_Coded_Password__driverManager_53a.java
Label Definition File: CWE259_Hard_Coded_Password.label.xml
Template File: sources-sink-53a.tmpl.java
*/
/*
* @description
* CWE: 259 Hard Coded Password
* BadSource: hardcodedPassword Set data to a hardcoded string
* GoodSource: Read data from the console using readLine()
* Sinks: driverManager
* BadSink : data used as password in database connection
* Flow Variant: 53 Data flow: data passed as an argument from one method through two others to a fourth; all four functions are in different classes in the same package
*
* */
package testcases.CWE259_Hard_Coded_Password;
import testcasesupport.*;
import java.util.logging.Level;
import java.io.*;
public class CWE259_Hard_Coded_Password__driverManager_53a extends AbstractTestCase
{
    /**
     * Bad variant (CWE-259): the password is a compile-time string literal, so it
     * ships inside the class file and cannot be rotated without a rebuild. The
     * literal is handed to the 53b sink, which uses it as a database password.
     *
     * @throws Throwable propagated from the sink
     */
    public void bad() throws Throwable
    {
        /* FLAW: Set data to a hardcoded string */
        final String hardcodedSecret = "7e5tc4s3";
        new CWE259_Hard_Coded_Password__driverManager_53b().badSink(hardcodedSecret);
    }

    /**
     * Good entry point; delegates to the single good-source / bad-sink variant.
     *
     * @throws Throwable propagated from {@link #goodG2B()}
     */
    public void good() throws Throwable
    {
        goodG2B();
    }

    /**
     * goodG2B() - use goodsource and badsink. The password is read from the
     * console instead of being embedded, then passed to the 53b sink. Note that
     * {@code readLine()} yields {@code null} at end of stream, and that value is
     * forwarded to the sink unchanged.
     *
     * @throws Throwable propagated from the sink
     */
    private void goodG2B() throws Throwable
    {
        /* FIX: Read data from the console using readLine() */
        final String consoleInput = readLineFromConsole();
        new CWE259_Hard_Coded_Password__driverManager_53b().goodG2BSink(consoleInput);
    }

    /**
     * Reads one line from {@code System.in} decoded as UTF-8.
     *
     * @return the line read; {@code null} at end of stream; or {@code ""} when the
     *         read fails with an {@link IOException}, which is logged at WARNING
     */
    private static String readLineFromConsole()
    {
        String line = ""; /* init data */
        try
        {
            BufferedReader readerBuffered = new BufferedReader(
                    new InputStreamReader(System.in, "UTF-8"));
            /* POTENTIAL FLAW: Read data from the console using readLine */
            line = readerBuffered.readLine();
        }
        catch (IOException exceptIO)
        {
            IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO);
        }
        /* NOTE: Tools may report a flaw here because the reader wrapping System.in is
         * not closed. Unfortunately, closing it will close System.in, which will cause
         * any future attempts to read from the console to fail and throw an exception */
        return line;
    }

    /* Below is the main(). It is only used when building this testcase on
     * its own for testing or for building a binary to use in testing binary
     * analysis tools. It is not used when compiling all the testcases as one
     * application, which is how source code analysis tools are tested.
     */
    public static void main(String[] args) throws ClassNotFoundException,
            InstantiationException, IllegalAccessException
    {
        mainFromParent(args);
    }
}