Deprecated test case
Description
CWE: 113 HTTP Response Splitting
BadSource: getQueryStringServlet Parse id param out of the querystring without getParam
GoodSource: A hardcoded string
Sinks: setHeaderServlet
GoodSink: URLEncode input
BadSink : querystring to setHeader()
Flow Variant: 17 Control flow: for loops
Flaws
Test Suites
Documentation
Trace
CWE113_HTTP_Response_Splitting__getQueryStringServlet_setHeaderServlet_17.java, line 72
- CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
-
CWE113_HTTP_Response_Splitting__getQueryStringServlet_setHeaderServlet_17.java, line 131
- CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
-
Files
src
main
java
testcases
CWE113_HTTP_Response_Splitting
CWE113_HTTP_Response_Splitting__getQueryStringServlet_setHeaderServlet_17.java
testcasesupport
AbstractTestCaseServlet.java
IO.java
manifest.sarif
/* TEMPLATE GENERATED TESTCASE FILE
Filename: CWE113_HTTP_Response_Splitting__getQueryStringServlet_setHeaderServlet_17.java
Label Definition File: CWE113_HTTP_Response_Splitting.label.xml
Template File: sources-sinks-17.tmpl.java
*/
/*
* @description
* CWE: 113 HTTP Response Splitting
* BadSource: getQueryStringServlet Parse id param out of the querystring without getParam
* GoodSource: A hardcoded string
* Sinks: setHeaderServlet
* GoodSink: URLEncode input
* BadSink : querystring to setHeader()
* Flow Variant: 17 Control flow: for loops
*
* */
package testcases.CWE113_HTTP_Response_Splitting;
import testcasesupport.*;
import javax.servlet.http.*;
import javax.servlet.http.*;
import java.util.StringTokenizer;
import java.sql.*;
import java.io.IOException;
import java.util.logging.Logger;
import java.net.URLEncoder;
/**
 * Template-generated test case for CWE-113 (HTTP Response Splitting), flow variant 17.
 *
 * The "source" reads the {@code id} parameter by tokenizing the raw query string
 * (no container decoding), looks the id up in the database and stores the
 * {@code ResultSet}'s {@code toString()} text in {@code data}. The "sink" places
 * {@code data} into the {@code Location} response header via
 * {@code response.setHeader}. In {@link #bad} nothing neutralizes CR/LF in
 * {@code data} before it reaches the header, which is the CWE-113 condition the
 * case exists to exercise.
 *
 * Flow variant 17 selects which source and sink are live with {@code for} loops
 * whose bounds are the constants 0 or 1: a loop bounded by {@code < 0} never runs
 * (intentional dead code, marked CWE-561 inline), one bounded by {@code < 1} runs
 * exactly once. The three methods differ only in which loops are live:
 * <ul>
 *   <li>{@link #bad}: bad source live, bad sink live, encoding sink dead.</li>
 *   <li>{@code goodG2B}: hardcoded source live, bad source dead, bad sink live.</li>
 *   <li>{@code goodB2G}: bad source live, bad sink dead, URL-encoding sink live.</li>
 * </ul>
 * The code must keep these exact patterns; it is input for analysis tools, not
 * production code.
 */
public class CWE113_HTTP_Response_Splitting__getQueryStringServlet_setHeaderServlet_17 extends AbstractTestCaseServlet
{
    /**
     * Bad variant: request-derived {@code data} is written into the {@code Location}
     * header without any CR/LF neutralization.
     *
     * @param request  servlet request whose raw query string is parsed for {@code id}
     * @param response servlet response whose {@code Location} header is set
     * @throws Throwable the method does not catch anything except {@code SQLException};
     *         in particular a non-numeric {@code id} value ({@code NumberFormatException})
     *         and a missing query string (see note below) propagate to the caller
     */
    public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable
    {
        String data;
        /* We need to have one source outside of a for loop in order
           to prevent the Java compiler from generating an error because
           data is uninitialized */
        Logger log_bad = Logger.getLogger("local-logger");
        data = "";
        /* parse the query string for value of 'id' */
        String id_str = null;
        // NOTE(review): getQueryString() returns null for a request without a query
        // string, and StringTokenizer rejects a null input with NullPointerException.
        StringTokenizer st = new StringTokenizer(request.getQueryString(), "&");
        while (st.hasMoreTokens())
        {
            String token = st.nextToken();
            int i = token.indexOf("=");
            // Only a token of the exact form "id=<non-empty value>" is accepted; the
            // value is taken verbatim from the query string, with no URL decoding.
            if ((i > 0) && (i < (token.length() - 1)) && (token.substring(0, i).equals("id")))
            {
                id_str = token.substring(i + 1);
                break;
            }
        }
        if (id_str != null)
        {
            Connection conn = null;
            PreparedStatement statement = null;
            ResultSet rs = null;
            try
            {
                // A non-numeric id throws NumberFormatException; the catch below handles
                // SQLException only, so it escapes bad() (declared "throws Throwable").
                int id = Integer.parseInt(id_str);
                conn = IO.getDBConnection();
                // Parameterized query: the id is bound, not concatenated, so this is not
                // an injection sink; the flaw noted next is an authorization gap.
                statement = conn.prepareStatement("select * from pages where id=?");
                /* FLAW: no check to see whether the user has privileges to view the data */
                statement.setInt(1, id);
                rs = statement.executeQuery();
                // toString() of the ResultSet object itself (driver-dependent text),
                // not the content of any row; this is the value that reaches the header.
                data = rs.toString();
            }
            catch( SQLException se )
            {
                log_bad.warning("Error");
            }
            finally
            {
                /* clean up database objects */
                // Nested try/finally so each of rs, statement, conn is closed even if
                // closing the previous one throws; close failures are only logged.
                try {
                    if( rs != null )
                    {
                        rs.close();
                    }
                }
                catch( SQLException se )
                {
                    log_bad.warning("Error closing rs");
                }
                finally {
                    try {
                        if( statement != null )
                        {
                            statement.close();
                        }
                    }
                    catch( SQLException se )
                    {
                        log_bad.warning("Error closing statement");
                    }
                    finally {
                        try {
                            if( conn != null )
                            {
                                conn.close();
                            }
                        }
                        catch( SQLException se)
                        {
                            log_bad.warning("Error closing conn");
                        }
                    }
                }
            }
        }
        // Bound is the constant 0: this loop body never executes.
        for(int for_index_i = 0; for_index_i < 0; for_index_i++)
        {
            /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
            java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger");
            /* FIX: Use a hardcoded string */
            data = "foo";
        }
        // Bound is the constant 1: this loop body executes exactly once.
        for(int for_index_j = 0; for_index_j < 1; for_index_j++)
        {
            /* POTENTIAL FLAW: Input not verified before inclusion in header */
            // CWE-113 sink: a CR/LF pair inside data would terminate the Location
            // header and let the remainder be interpreted as further headers/body.
            response.setHeader("Location", "/author.jsp?lang=" + data);
        }
        // Bound is the constant 0: the encoding fix below is dead in this variant.
        for(int for_index_k = 0; for_index_k < 0; for_index_k++)
        {
            /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
            /* FIX: use URLEncoder.encode to hex-encode non-alphanumerics */
            data = URLEncoder.encode(data, "UTF-16");
            response.setHeader("Location", "/author.jsp?lang=" + data);
        }
    }

    /* goodG2B() - use goodsource and badsink by reversing the block outside the
       for statements with the one in the first for statement */
    /**
     * Good source, bad sink: {@code data} is the constant {@code "foo"}, so the
     * un-neutralized header write is harmless. The request-parsing source is kept
     * only inside a never-executed loop.
     *
     * @param request  unused at runtime (referenced only in dead code)
     * @param response servlet response whose {@code Location} header is set
     * @throws Throwable declared for template uniformity; the live path does not throw
     */
    private void goodG2B(HttpServletRequest request, HttpServletResponse response) throws Throwable
    {
        String data;
        // Declared but never used; present for symmetry with the generated template.
        java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger");
        /* FIX: Use a hardcoded string */
        data = "foo";
        // Bound is the constant 0: everything in this loop is dead code.
        for(int for_index_i = 0; for_index_i < 0; for_index_i++)
        {
            /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
            Logger log_bad = Logger.getLogger("local-logger");
            data = "";
            /* parse the query string for value of 'id' */
            String id_str = null;
            StringTokenizer st = new StringTokenizer(request.getQueryString(), "&");
            while (st.hasMoreTokens())
            {
                String token = st.nextToken();
                int i = token.indexOf("=");
                if ((i > 0) && (i < (token.length() - 1)) && (token.substring(0, i).equals("id")))
                {
                    id_str = token.substring(i + 1);
                    break;
                }
            }
            if (id_str != null)
            {
                Connection conn = null;
                PreparedStatement statement = null;
                ResultSet rs = null;
                try
                {
                    int id = Integer.parseInt(id_str);
                    conn = IO.getDBConnection();
                    statement = conn.prepareStatement("select * from pages where id=?");
                    /* FLAW: no check to see whether the user has privileges to view the data */
                    statement.setInt(1, id);
                    rs = statement.executeQuery();
                    data = rs.toString();
                }
                catch( SQLException se )
                {
                    log_bad.warning("Error");
                }
                finally
                {
                    /* clean up database objects */
                    try {
                        if( rs != null )
                        {
                            rs.close();
                        }
                    }
                    catch( SQLException se )
                    {
                        log_bad.warning("Error closing rs");
                    }
                    finally {
                        try {
                            if( statement != null )
                            {
                                statement.close();
                            }
                        }
                        catch( SQLException se )
                        {
                            log_bad.warning("Error closing statement");
                        }
                        finally {
                            try {
                                if( conn != null )
                                {
                                    conn.close();
                                }
                            }
                            catch( SQLException se)
                            {
                                log_bad.warning("Error closing conn");
                            }
                        }
                    }
                }
            }
        }
        // Runs once: the header receives the hardcoded "foo", so no CR/LF can be present.
        for(int for_index_j = 0; for_index_j < 1; for_index_j++)
        {
            /* POTENTIAL FLAW: Input not verified before inclusion in header */
            response.setHeader("Location", "/author.jsp?lang=" + data);
        }
        // Never runs.
        for(int for_index_k = 0; for_index_k < 0; for_index_k++)
        {
            /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
            /* FIX: use URLEncoder.encode to hex-encode non-alphanumerics */
            data = URLEncoder.encode(data, "UTF-16");
            response.setHeader("Location", "/author.jsp?lang=" + data);
        }
    }

    /* goodB2G() - use badsource and goodsink by changing the conditions on
       the second and third for statements */
    /**
     * Bad source, good sink: {@code data} still comes from the request/database,
     * but the live sink URL-encodes it before the header write. {@code URLEncoder}
     * percent-encodes every character outside its unreserved set, so CR and LF can
     * never appear literally in the header value; the charset argument only
     * determines the bytes used for the encoded characters.
     *
     * @param request  servlet request whose raw query string is parsed for {@code id}
     * @param response servlet response whose {@code Location} header is set
     * @throws Throwable same propagation as {@link #bad}; additionally
     *         {@code URLEncoder.encode} declares {@code UnsupportedEncodingException}
     */
    private void goodB2G(HttpServletRequest request, HttpServletResponse response) throws Throwable
    {
        String data;
        Logger log_bad = Logger.getLogger("local-logger");
        data = "";
        /* parse the query string for value of 'id' */
        String id_str = null;
        // NOTE(review): as in bad(), a null query string causes a NullPointerException here.
        StringTokenizer st = new StringTokenizer(request.getQueryString(), "&");
        while (st.hasMoreTokens())
        {
            String token = st.nextToken();
            int i = token.indexOf("=");
            if ((i > 0) && (i < (token.length() - 1)) && (token.substring(0, i).equals("id")))
            {
                id_str = token.substring(i + 1);
                break;
            }
        }
        if (id_str != null)
        {
            Connection conn = null;
            PreparedStatement statement = null;
            ResultSet rs = null;
            try
            {
                // NumberFormatException is not caught below and propagates.
                int id = Integer.parseInt(id_str);
                conn = IO.getDBConnection();
                statement = conn.prepareStatement("select * from pages where id=?");
                /* FLAW: no check to see whether the user has privileges to view the data */
                statement.setInt(1, id);
                rs = statement.executeQuery();
                data = rs.toString();
            }
            catch( SQLException se )
            {
                log_bad.warning("Error");
            }
            finally
            {
                /* clean up database objects */
                try {
                    if( rs != null )
                    {
                        rs.close();
                    }
                }
                catch( SQLException se )
                {
                    log_bad.warning("Error closing rs");
                }
                finally {
                    try {
                        if( statement != null )
                        {
                            statement.close();
                        }
                    }
                    catch( SQLException se )
                    {
                        log_bad.warning("Error closing statement");
                    }
                    finally {
                        try {
                            if( conn != null )
                            {
                                conn.close();
                            }
                        }
                        catch( SQLException se)
                        {
                            log_bad.warning("Error closing conn");
                        }
                    }
                }
            }
        }
        // Never runs.
        for(int for_index_i = 0; for_index_i < 0; for_index_i++)
        {
            /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
            java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger");
            /* FIX: Use a hardcoded string */
            data = "foo";
        }
        // Never runs: the raw header write is dead in this variant.
        for(int for_index_j = 0; for_index_j < 0; for_index_j++)
        {
            /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
            /* POTENTIAL FLAW: Input not verified before inclusion in header */
            response.setHeader("Location", "/author.jsp?lang=" + data);
        }
        // Runs once: this is the live, neutralized sink.
        for(int for_index_k = 0; for_index_k < 1; for_index_k++)
        {
            /* FIX: use URLEncoder.encode to hex-encode non-alphanumerics */
            // "UTF-16" is the charset the template chose; any charset neutralizes
            // CR/LF here because they are percent-encoded rather than passed through.
            data = URLEncoder.encode(data, "UTF-16");
            response.setHeader("Location", "/author.jsp?lang=" + data);
        }
    }

    /**
     * Runs both good variants in sequence; the second call sets the
     * {@code Location} header again, overwriting the value set by the first.
     *
     * @param request  servlet request passed to both variants
     * @param response servlet response passed to both variants
     * @throws Throwable whatever either variant propagates
     */
    public void good(HttpServletRequest request, HttpServletResponse response) throws Throwable
    {
        goodG2B(request, response);
        goodB2G(request, response);
    }

    /* Below is the main(). It is only used when building this testcase on
       its own for testing or for building a binary to use in testing binary
       analysis tools. It is not used when compiling all the testcases as one
       application, which is how source code analysis tools are tested. */
    /**
     * Standalone entry point; delegates to {@code mainFromParent}, which is
     * inherited from {@code AbstractTestCaseServlet} and not visible in this file.
     *
     * @param args command-line arguments forwarded unchanged
     */
    public static void main(String[] args) throws ClassNotFoundException,
           InstantiationException, IllegalAccessException
    {
        mainFromParent(args);
    }
}