Description
CWE: 191 Integer Underflow
BadSource: database Read data from a database
GoodSource: A hardcoded non-zero, non-min, non-max, even number
Sinks: sub
GoodSink: Ensure there will not be an underflow before subtracting 1 from data
BadSink : Subtract 1 from data, which can cause an Underflow
Flow Variant: 71 Data flow: data passed as an Object reference argument from one method to another in different classes in the same package
Flaws
Test Suites
Documentation
Trace
-
-
CWE191_Integer_Underflow__int_database_predec_71a.javaline 54
- CWE-191 Integer Underflow (Wrap or Wraparound)
-
Files
src
main
java
testcases
CWE191_Integer_Underflow
s05
CWE191_Integer_Underflow__int_database_predec_71a.java
CWE191_Integer_Underflow__int_database_predec_71b.java
testcasesupport
AbstractTestCase.java
AbstractTestCaseBase.java
IO.java
manifest.sarif
xxxxxxxxxx227 /* TEMPLATE GENERATED TESTCASE FILEFilename: CWE191_Integer_Underflow__int_database_predec_71a.javaLabel Definition File: CWE191_Integer_Underflow__int.label.xmlTemplate File: sources-sinks-71a.tmpl.java*//* * @description * CWE: 191 Integer Underflow * BadSource: database Read data from a database * GoodSource: A hardcoded non-zero, non-min, non-max, even number * Sinks: decrement * GoodSink: Ensure there will not be an underflow before decrementing data * BadSink : Decrement data, which can cause an Underflow * Flow Variant: 71 Data flow: data passed as an Object reference argument from one method to another in different classes in the same package * * */package testcases.CWE191_Integer_Underflow.s05;import testcasesupport.*;import javax.servlet.http.*;import java.sql.Connection;import java.sql.PreparedStatement;import java.sql.ResultSet;import java.sql.SQLException;import java.util.logging.Level;public class CWE191_Integer_Underflow__int_database_predec_71a extends AbstractTestCase{ public void bad() throws Throwable { int data; data = Integer.MIN_VALUE; /* Initialize data */ /* Read data from a database */ { Connection connection = null; PreparedStatement preparedStatement = null; ResultSet resultSet = null; try { /* setup the connection */ connection = IO.getDBConnection(); /* prepare and execute a (hardcoded) query */ preparedStatement = connection.prepareStatement("select name from users where id=0"); resultSet = preparedStatement.executeQuery(); /* POTENTIAL FLAW: Read data from a database query resultset */ String stringNumber = resultSet.getString(1); if (stringNumber != null) /* avoid NPD incidental warnings */ { try { data = Integer.parseInt(stringNumber.trim()); } catch (NumberFormatException exceptNumberFormat) { IO.logger.log(Level.WARNING, "Number format exception parsing data from string", exceptNumberFormat); } } } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error with SQL statement", exceptSql); } finally { /* Close database objects */ try { if (resultSet != null) { resultSet.close(); } } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error closing ResultSet", exceptSql); } try { if (preparedStatement != null) { preparedStatement.close(); } } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql); } try { if (connection != null) { connection.close(); } } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql); } } } (new CWE191_Integer_Underflow__int_database_predec_71b()).badSink((Object)data ); } public void good() throws Throwable { goodG2B(); goodB2G(); } /* goodG2B() - use goodsource and badsink */ private void goodG2B() throws Throwable { int data; /* FIX: Use a hardcoded number that won't cause underflow, overflow, divide by zero, or loss-of-precision issues */ data = 2; (new CWE191_Integer_Underflow__int_database_predec_71b()).goodG2BSink((Object)data ); } /* goodB2G() - use badsource and goodsink */ private void goodB2G() throws Throwable { int data; data = Integer.MIN_VALUE; /* Initialize data */ /* Read data from a database */ { Connection connection = null; PreparedStatement preparedStatement = null; ResultSet resultSet = null; try { /* setup the connection */ connection = IO.getDBConnection(); /* prepare and execute a (hardcoded) query */ preparedStatement = connection.prepareStatement("select name from users where id=0"); resultSet = preparedStatement.executeQuery(); /* POTENTIAL FLAW: Read data from a database query resultset */ String stringNumber = resultSet.getString(1); if (stringNumber != null) /* avoid NPD incidental warnings */ { try { data = Integer.parseInt(stringNumber.trim()); } catch (NumberFormatException exceptNumberFormat) { IO.logger.log(Level.WARNING, "Number format exception parsing data from string", exceptNumberFormat); } } } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error with SQL statement", exceptSql); } finally { /* Close database objects */ try { if (resultSet != null) { resultSet.close(); } } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error closing ResultSet", exceptSql); } try { if (preparedStatement != null) { preparedStatement.close(); } } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error closing PreparedStatement", exceptSql); } try { if (connection != null) { connection.close(); } } catch (SQLException exceptSql) { IO.logger.log(Level.WARNING, "Error closing Connection", exceptSql); } } } (new CWE191_Integer_Underflow__int_database_predec_71b()).goodB2GSink((Object)data ); } /* Below is the main(). It is only used when building this testcase on * its own for testing or for building a binary to use in testing binary * analysis tools. It is not used when compiling all the testcases as one * application, which is how source code analysis tools are tested. */ public static void main(String[] args) throws ClassNotFoundException, InstantiationException, IllegalAccessException { mainFromParent(args); }}Have any comments on this test case? Please, send us an email.