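package goodCodeComplexity;

/* This software was developed at the National Institute of Standards and
 * Technology by employees of the Federal Government in the course of their
 * official duties. Pursuant to title 17 Section 105 of the United States
 * Code this software is not subject to copyright protection and is in the
 * public domain. NIST assumes no responsibility whatsoever for its use by
 * other parties, and makes no guarantees, expressed or implied, about its
 * quality, reliability, or any other characteristic.
 * We would appreciate acknowledgement if the software is used.
 * The SAMATE project website is: http://samate.nist.gov
 */

/*
 * This servlet implements an SQL injection vulnerability
 * Parameters:
 *   - name: source of the vulnerability
 * Example:
 *   - url: http://server_address/path_to_servlet/SQLInjection_089?name=' OR ''='
 */

import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

/**
 * "Good" variant of the SAMATE SQL-injection test case.
 *
 * The user-controlled {@code name} request parameter is first compared against a
 * fixed allowlist ({@link #allowed_names}) and then bound to a
 * {@link PreparedStatement} placeholder, so it is never concatenated into the SQL
 * text. Both layers matter: the allowlist restricts the value to a handful of
 * known strings, and the bound parameter keeps even an unexpected value from being
 * interpreted as SQL.
 */
public class SQLInjection_good_scope_089 extends HttpServlet {
    private static final long serialVersionUID = 1L;

    // Table of allowed names to use
    final String[] allowed_names = { "Mickael", "Mary", "Peter", "Laura", "John" };

    public SQLInjection_good_scope_089() {
        super();
    }

    /**
     * Checks whether {@code in} is one of the allowed names.
     *
     * @param in candidate name; {@code null} is treated as not allowed
     * @return {@code true} if {@code in} exactly equals an entry of
     *         {@link #allowed_names}, {@code false} otherwise
     */
    public boolean allowed(String in) {
        // Walk the table itself rather than a hard-coded count of 5, so the check
        // stays correct if the table is edited.
        for (String candidate : allowed_names) {
            // Comparing from the table side makes a null input simply not match
            if (candidate.equals(in)) {
                // the current name is allowed to use
                return true;
            }
        }
        return false;
    }

    /**
     * Prepares the lookup statement with {@code name} bound as a parameter.
     *
     * @param conn open JDBC connection
     * @param name value bound to the LIKE placeholder; it is never interpolated
     *             into the SQL string
     * @return the prepared statement, or {@code null} if preparation failed; in
     *         that case the failure is logged and no statement is left open
     */
    public PreparedStatement function(Connection conn, String name) {
        PreparedStatement p = null;
        try {
            // Prepare a SQL request
            p = conn.prepareStatement("SELECT * FROM users WHERE firstname LIKE ?");
            // replace the first parameter by name
            p.setString(1, name);
        } catch (SQLException se) {
            final Logger logger = Logger.getAnonymousLogger();
            String exception = "Exception " + se;
            // Log the throwable as well so the stack trace is kept, not just its text
            logger.log(Level.WARNING, exception, se);
            // prepareStatement may have succeeded before setString failed; do not
            // leak the half-built statement, and report failure as null
            if (p != null) {
                try {
                    p.close();
                } catch (SQLException closeFailure) {
                    logger.log(Level.WARNING, "Exception " + closeFailure, closeFailure);
                }
                p = null;
            }
        }
        return p;
    }

    /**
     * Handles HTTP GET requests.
     *
     * Reads the {@code name} parameter, rejects it unless it passes
     * {@link #allowed(String)}, then looks up the data source via JNDI and runs
     * the parameterised query built by {@link #function}. The query result is
     * not used; only the two framing lines and any error text are written back.
     *
     * @param req  the request carrying the {@code name} parameter
     * @param resp the response; content type is set to text/html
     * @throws ServletException as declared by {@link HttpServlet#doGet}
     * @throws IOException if writing to the response stream fails
     */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Initialize the output stream
        resp.setContentType("text/html");
        ServletOutputStream out = resp.getOutputStream();
        // NOTE(review): the contents of this literal and the one at the end of the
        // method were lost when the file was extracted; only a line break survived.
        out.println("\n");

        // Get the parameter "name" from the data provided by the user
        String name = req.getParameter("name");

        // Anything not on the allowlist is dropped before any database work
        if (name == null || !allowed(name)) {
            return;
        }

        Connection conn = null;
        try {
            // Set the context factory to use to create the initial context.
            // This is a JVM-wide property, kept as in the original test case.
            System.setProperty(Context.INITIAL_CONTEXT_FACTORY, "your.ContextFactory");

            // Create the initial context and use it to lookup the data source
            InitialContext ic = new InitialContext();
            DataSource dataSrc = (DataSource) ic.lookup("java:comp/env/jdbc:/mydb");

            // Create a connection to the SQL database from the data source
            conn = dataSrc.getConnection();

            // Send a SQL request to the database. function() returns null when
            // preparation failed, which must not be dereferenced.
            PreparedStatement ps = function(conn, name);
            if (ps == null) {
                out.println("SQL exception");
            } else {
                try {
                    // The rows are not used by this test case; close them right away
                    ResultSet rs = ps.executeQuery();
                    rs.close();
                } finally {
                    // Release the statement even when executeQuery throws
                    ps.close();
                }
            }
        } catch (NamingException e) {
            out.println("Naming exception");
        } catch (SQLException e) {
            out.println("SQL exception");
        } finally {
            try {
                if (conn != null) {
                    conn.close();
                }
            } catch (SQLException se) {
                out.println("SQL Exception");
            }
        }

        // NOTE(review): literal content lost in extraction, see the first println
        out.println("\n");
    }

    /**
     * No-op: this test case only exercises GET, so POST requests produce an empty
     * response.
     *
     * @param request  ignored
     * @param response left untouched
     * @throws ServletException as declared by {@link HttpServlet#doPost}
     * @throws IOException as declared by {@link HttpServlet#doPost}
     */
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
    }
}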