Example #1
 /* goodB2G() - use badsource and goodsink */
 /*
  * Bad-source / good-sink flow: loads the stored credential file and forwards
  * its contents, unchanged, to GoodB2GSink on the _53b class.
  * Nothing is decrypted in this method. The sink is defined in another file
  * and is presumably where decryption happens - confirm against _53b.
  */
 private void GoodB2G()
 {
     /* Remains empty when the file cannot be read. */
     string password = "";
     try
     {
         byte[] storedBytes = File.ReadAllBytes("../../../common/strong_password_file.txt");
         /* NOTE(review): if the file holds ciphertext, decoding arbitrary bytes as
          * UTF-8 is lossy (invalid sequences are replaced), so the sink may not be
          * able to recover the original bytes - confirm the file's format. */
         password = Encoding.UTF8.GetString(storedBytes);
     }
     catch (IOException exceptIO)
     {
         /* Best effort: record the failure and continue with the empty value. */
         IO.Logger.Log(NLog.LogLevel.Warn, "Error with file reading", exceptIO);
     }
     /* POTENTIAL FLAW: The raw password read from the .txt file is passed on (without being decrypted) */
     CWE256_Unprotected_Storage_of_Credentials__basic_53b.GoodB2GSink(password);
 }
Example #2
 /* goodG2B() - use goodsource and badsink */
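 /*
  * Good-source / bad-sink flow: reads the stored credential file, decrypts it
  * with AES, and hands the decrypted text to GoodG2BSink on the _53b class.
  *
  * The file is read once, as raw bytes, and only the decrypted value is ever
  * placed in a string. An IOException is logged and then rethrown, so the sink
  * is never called without a decrypted credential. A CryptographicException
  * from corrupt or mis-keyed data is not caught and propagates to the caller.
  */
 private void GoodG2B()
 {
     string password;
     byte[] cipherBytes;
     /* retrieve the stored (encrypted) password */
     try
     {
         cipherBytes = File.ReadAllBytes("../../../common/strong_password_file.txt");
     }
     catch (IOException exceptIO)
     {
         IO.Logger.Log(NLog.LogLevel.Warn, "Error with file reading", exceptIO);
         /* Fail closed: without the ciphertext there is nothing valid to pass on. */
         throw;
     }
     /* FIX: password is decrypted before being passed on */
     /* NOTE(review): AesCryptoServiceProvider is marked obsolete on .NET 6+
      * (SYSLIB0021); Aes.Create() is the replacement when the target allows it. */
     using (AesCryptoServiceProvider aesAlg = new AesCryptoServiceProvider())
     {
         /* NOTE(review): the key is a literal compiled into the assembly and the IV
          * is all zeros, so anyone holding the binary can decrypt the file. This is
          * tolerable only as a test fixture; real code should load the key from a
          * protected key store and use a fresh random IV per encryption. */
         aesAlg.Key = Encoding.UTF8.GetBytes("ABCDEFGHABCDEFGH");
         aesAlg.IV = new byte[16];
         /* The transform is IDisposable and holds key material, so it is disposed
          * together with the streams that use it. */
         using (ICryptoTransform decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV))
         using (MemoryStream msDecrypt = new MemoryStream(cipherBytes))
         using (CryptoStream csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
         using (StreamReader srDecrypt = new StreamReader(csDecrypt))
         {
             /* Read the decrypted bytes from the decrypting stream
              * and place them in a string. */
             password = srDecrypt.ReadToEnd();
         }
     }
     CWE256_Unprotected_Storage_of_Credentials__basic_53b.GoodG2BSink(password);
 }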