/* goodG2B() - use goodsource and badsink */
private static void GoodG2B()
{
string data;
/* FIX: Set the path as the "system" path */
if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
{
data = "/bin";
}
else
{
data = "%SystemRoot%\\system32";
}
/* serialize data to a byte array */
byte[] dataSerialized = null;
try
{
BinaryFormatter bf = new BinaryFormatter();
using (var ms = new MemoryStream())
{
bf.Serialize(ms, data);
dataSerialized = ms.ToArray();
}
CWE427_Uncontrolled_Search_Path_Element__Database_75b.GoodG2BSink(dataSerialized);
}
catch (SerializationException exceptSerialize)
{
IO.Logger.Log(NLog.LogLevel.Warn, "Serialization exception in serialization", exceptSerialize);
}
}
public override void Bad()
{
string data;
data = ""; /* Initialize data */
/* Read data from a database */
{
try
{
/* setup the connection */
using (SqlConnection connection = IO.GetDBConnection())
{
connection.Open();
/* prepare and execute a (hardcoded) query */
using (SqlCommand command = new SqlCommand(null, connection))
{
command.CommandText = "select name from users where id=0";
command.Prepare();
using (SqlDataReader dr = command.ExecuteReader())
{
/* POTENTIAL FLAW: Read data from a database query SqlDataReader */
data = dr.GetString(1);
}
}
}
}
catch (SqlException exceptSql)
{
IO.Logger.Log(NLog.LogLevel.Warn, exceptSql, "Error with SQL statement");
}
}
/* serialize data to a byte array */
byte[] dataSerialized = null;
try
{
BinaryFormatter bf = new BinaryFormatter();
using (var ms = new MemoryStream())
{
bf.Serialize(ms, data);
dataSerialized = ms.ToArray();
}
CWE427_Uncontrolled_Search_Path_Element__Database_75b.BadSink(dataSerialized);
}
catch (SerializationException exceptSerialize)
{
IO.Logger.Log(NLog.LogLevel.Warn, "Serialization exception in serialization", exceptSerialize);
}
}
