/* goodG2B() - use goodsource and badsink */
/// <summary>
/// Juliet-style test variant: the credential comes from the "good" source
/// (<c>GoodG2BSource()</c>) but flows into the "bad" sink, i.e. it is used as
/// the database password exactly as obtained, without the decryption step that
/// the B2G variant performs. Intended to exercise a CWE-256 detector; not a
/// pattern to copy.
/// </summary>
private static void GoodG2B()
{
    // Source: value returned by the companion _61b class; its contents are not visible here.
    string password = CWE256_Unprotected_Storage_of_Credentials__basic_61b.GoodG2BSource();
    /* POTENTIAL FLAW: Use password as a password to connect to a DB (without being decrypted) */
    // Sink: the connection string is assembled by string concatenation with the
    // hard-coded "sa" login. Hand-built connection strings give the secret no
    // quoting/escaping; SqlConnectionStringBuilder would be the safer way to compose one.
    // NOTE(review): the text between "Password=" and the log message was redacted
    // upstream ("******"). The removed span presumably held the password
    // concatenation, a try { dBConnection.Open(); } block and a
    // catch (SqlException exceptSql) handler — confirm against the unredacted
    // source; as shown this method does not compile.
    using (SqlConnection dBConnection = new SqlConnection(@"Data Source=(local);Initial Catalog=CWE256;User ID=" + "sa" + ";Password="******"Error with database connection", exceptSql);
        }
    }
}
/* goodB2G() - use badsource and goodsink */
/// <summary>
/// Juliet-style test variant: the credential comes from the "bad" source
/// (<c>GoodB2GSource()</c>) but flows into the "good" sink, which decrypts the
/// stored credential before using it as the database password.
/// </summary>
/// <remarks>
/// The value returned by the source is overwritten by the decrypted file
/// contents below and never reaches the connection string; only the
/// decrypted value is used.
/// </remarks>
private static void GoodB2G()
{
    // Initial value from the companion _61b class; reassigned before use (see ReadToEnd() below).
    string password = CWE256_Unprotected_Storage_of_Credentials__basic_61b.GoodB2GSource();
    /* FIX: password is decrypted before being used as a database password */
    {
        // AesCryptoServiceProvider is marked obsolete in .NET 6+ (SYSLIB0021);
        // Aes.Create() is the supported replacement. Mode and padding are left
        // at the provider defaults.
        using (AesCryptoServiceProvider aesAlg = new AesCryptoServiceProvider())
        {
            // Test fixture only: a key embedded in source and an all-zero IV are
            // both weaknesses in real code (key disclosure; identical plaintexts
            // yield identical ciphertexts). Keys belong in a secret store.
            aesAlg.Key = Encoding.UTF8.GetBytes("ABCDEFGHABCDEFGH");
            aesAlg.IV = new byte[16];
            // Create a decryptor to perform the stream transform.
            // Key and IV are the values just assigned on aesAlg; passing them again is redundant but harmless.
            ICryptoTransform decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV);
            // Create the streams used for decryption.
            // Ciphertext is read from a path relative to the working directory,
            // so the test depends on where it is launched from.
            using (MemoryStream msDecrypt = new MemoryStream(File.ReadAllBytes("../../../common/strong_password_file.txt")))
            {
                using (CryptoStream csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
                {
                    // No encoding given, so the StreamReader default (UTF-8) is used.
                    using (StreamReader srDecrypt = new StreamReader(csDecrypt))
                    {
                        // Read the decrypted bytes from the decrypting stream
                        // and place them in a string.
                        // The decrypted credential now lives in an immutable
                        // managed string until the GC reclaims it.
                        password = srDecrypt.ReadToEnd();
                    }
                }
            }
        }
    }
    // Sink: the decrypted credential is concatenated into the connection string
    // for the hard-coded "sa" login. SqlConnectionStringBuilder would avoid
    // hand-building the string.
    // NOTE(review): the text between "Password=" and the log message was redacted
    // upstream ("******"). The removed span presumably held the password
    // concatenation, a try { dBConnection.Open(); } block and a
    // catch (SqlException exceptSql) handler — confirm against the unredacted
    // source; as shown this method does not compile.
    using (SqlConnection dBConnection = new SqlConnection(@"Data Source=(local);Initial Catalog=CWE256;User ID=sa;Password="******"Error with database connection", exceptSql);
        }
    }
}