public override void Bad(HttpRequest req, HttpResponse resp) { string data; if (IO.staticTrue) { using (SecureString securePwd = new SecureString()) { using (SecureString secureUser = new SecureString()) { for (int i = 0; i < "AP@ssw0rd".Length; i++) { /* INCIDENTAL: CWE-798 Use of Hard-coded Credentials */ securePwd.AppendChar("AP@ssw0rd"[i]); } for (int i = 0; i < "user".Length; i++) { /* INCIDENTAL: CWE-798 Use of Hard-coded Credentials */ securePwd.AppendChar("user"[i]); } /* POTENTIAL FLAW: Set data to credentials (without hashing or encryption) */ data = secureUser.ToString() + ":" + securePwd.ToString(); } } } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run * but ensure data is inititialized before the Sink to avoid compiler errors */ data = null; } if (IO.staticTrue) { /* NOTE: potential incidental issues with not setting secure or HttpOnly flag */ /* POTENTIAL FLAW: Store data directly in cookie */ resp.AppendCookie(new HttpCookie("auth", data)); } }
/* goodB2G1() - use badsource and goodsink by changing second privateTrue to privateFalse */ private void GoodB2G1(HttpRequest req, HttpResponse resp) { string data; if (privateTrue) { data = ""; /* initialize data in case there are no cookies */ /* Read data from cookies */ { HttpCookieCollection cookieSources = req.Cookies; if (cookieSources != null) { /* POTENTIAL FLAW: Read data from the first cookie value */ data = cookieSources[0].Value; } } } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run * but ensure data is inititialized before the Sink to avoid compiler errors */ data = null; } if (privateFalse) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ IO.WriteLine("Benign, fixed string"); } else { if (data != null) { HttpCookie cookieSink = new HttpCookie("lang", HttpUtility.UrlEncode(data, Encoding.UTF8)); /* FIX: use URLEncoder.encode to hex-encode non-alphanumerics */ resp.AppendCookie(cookieSink); } } }
/* goodB2G() - use badsource and goodsink */ private void GoodB2G(HttpRequest req, HttpResponse resp) { string data; data = ""; /* Initialize data */ /* Read data from a database */ { try { /* setup the connection */ using (SqlConnection connection = IO.GetDBConnection()) { connection.Open(); /* prepare and execute a (hardcoded) query */ using (SqlCommand command = new SqlCommand(null, connection)) { command.CommandText = "select name from users where id=0"; command.Prepare(); using (SqlDataReader dr = command.ExecuteReader()) { /* POTENTIAL FLAW: Read data from a database query SqlDataReader */ data = dr.GetString(1); } } } } catch (SqlException exceptSql) { IO.Logger.Log(NLog.LogLevel.Warn, exceptSql, "Error with SQL statement"); } } if (data != null) { HttpCookie cookieSink = new HttpCookie("lang", HttpUtility.UrlEncode(data, Encoding.UTF8)); /* FIX: use URLEncoder.encode to hex-encode non-alphanumerics */ resp.AppendCookie(cookieSink); } }
public override void Bad(HttpRequest req, HttpResponse resp) { string data; data = ""; /* Initialize data */ /* Read data from a database */ { try { /* setup the connection */ using (SqlConnection connection = IO.GetDBConnection()) { connection.Open(); /* prepare and execute a (hardcoded) query */ using (SqlCommand command = new SqlCommand(null, connection)) { command.CommandText = "select name from users where id=0"; command.Prepare(); using (SqlDataReader dr = command.ExecuteReader()) { /* POTENTIAL FLAW: Read data from a database query SqlDataReader */ data = dr.GetString(1); } } } } catch (SqlException exceptSql) { IO.Logger.Log(NLog.LogLevel.Warn, exceptSql, "Error with SQL statement"); } } if (data != null) { HttpCookie cookieSink = new HttpCookie("lang", data); /* POTENTIAL FLAW: Input not verified before inclusion in the cookie */ resp.AppendCookie(cookieSink); } }
/* goodB2G2() - use badsource and goodsink by reversing the blocks in the if in the sink function */ public static void GoodB2G2Sink(string data, HttpRequest req, HttpResponse resp) { if (CWE315_Cleartext_Storage_in_Cookie__Web_22a.goodB2G2PublicStatic) { /* FIX: Hash data before storing in cookie */ { string salt = "ThisIsMySalt"; using (SHA512CryptoServiceProvider sha512 = new SHA512CryptoServiceProvider()) { byte[] buffer = Encoding.UTF8.GetBytes(string.Concat(salt, data)); byte[] hashedCredsAsBytes = sha512.ComputeHash(buffer); data = IO.ToHex(hashedCredsAsBytes); } } resp.AppendCookie(new HttpCookie("auth", data)); } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run * but ensure data is inititialized before the Sink to avoid compiler errors */ data = null; } }
public override void Bad(HttpRequest req, HttpResponse resp) { string data; /* We need to have one source outside of a for loop in order * to prevent the compiler from generating an error because * data is uninitialized */ data = ""; /* Initialize data */ { try { /* read string from file into data */ using (StreamReader sr = new StreamReader("data.txt")) { /* POTENTIAL FLAW: Read data from a file */ /* This will be reading the first "line" of the file, which * could be very long if there are little or no newlines in the file */ data = sr.ReadLine(); } } catch (IOException exceptIO) { IO.Logger.Log(NLog.LogLevel.Warn, exceptIO, "Error with stream reading"); } } for (int j = 0; j < 1; j++) { if (data != null) { HttpCookie cookieSink = new HttpCookie("lang", data); /* POTENTIAL FLAW: Input not verified before inclusion in the cookie */ resp.AppendCookie(cookieSink); } } }
/* goodB2G() - use badsource and goodsink*/ private void GoodB2G(HttpRequest req, HttpResponse resp) { string data; using (SecureString securePwd = new SecureString()) { using (SecureString secureUser = new SecureString()) { for (int i = 0; i < "AP@ssw0rd".Length; i++) { /* INCIDENTAL: CWE-798 Use of Hard-coded Credentials */ securePwd.AppendChar("AP@ssw0rd"[i]); } for (int i = 0; i < "user".Length; i++) { /* INCIDENTAL: CWE-798 Use of Hard-coded Credentials */ securePwd.AppendChar("user"[i]); } /* POTENTIAL FLAW: Set data to credentials (without hashing or encryption) */ data = secureUser.ToString() + ":" + securePwd.ToString(); } } for (int k = 0; k < 1; k++) { /* FIX: Hash data before storing in cookie */ { string salt = "ThisIsMySalt"; using (SHA512CryptoServiceProvider sha512 = new SHA512CryptoServiceProvider()) { byte[] buffer = Encoding.UTF8.GetBytes(string.Concat(salt, data)); byte[] hashedCredsAsBytes = sha512.ComputeHash(buffer); data = IO.ToHex(hashedCredsAsBytes); } } resp.AppendCookie(new HttpCookie("auth", data)); } }
/* goodB2G() - use badsource and goodsink */ private void GoodB2G(HttpRequest req, HttpResponse resp) { string dataCopy; { string data; data = ""; /* Initialize data */ { try { /* read string from file into data */ using (StreamReader sr = new StreamReader("data.txt")) { /* POTENTIAL FLAW: Read data from a file */ /* This will be reading the first "line" of the file, which * could be very long if there are little or no newlines in the file */ data = sr.ReadLine(); } } catch (IOException exceptIO) { IO.Logger.Log(NLog.LogLevel.Warn, exceptIO, "Error with stream reading"); } } dataCopy = data; } { string data = dataCopy; if (data != null) { HttpCookie cookieSink = new HttpCookie("lang", HttpUtility.UrlEncode(data, Encoding.UTF8)); /* FIX: use URLEncoder.encode to hex-encode non-alphanumerics */ resp.AppendCookie(cookieSink); } } }
/* goodB2G2() - use badsource and goodsink by reversing statements in second if */ private void GoodB2G2(HttpRequest req, HttpResponse resp) { string data; if (privateFive == 5) { data = ""; /* Initialize data */ { /* read user input from console with ReadLine */ try { /* POTENTIAL FLAW: Read data from the console using ReadLine */ data = Console.ReadLine(); } catch (IOException exceptIO) { IO.Logger.Log(NLog.LogLevel.Warn, exceptIO, "Error with stream reading"); } } } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run * but ensure data is inititialized before the Sink to avoid compiler errors */ data = null; } if (privateFive == 5) { if (data != null) { HttpCookie cookieSink = new HttpCookie("lang", HttpUtility.UrlEncode(data, Encoding.UTF8)); /* FIX: use URLEncoder.encode to hex-encode non-alphanumerics */ resp.AppendCookie(cookieSink); } } }
/* goodB2G() - use badsource and goodsink*/ private void GoodB2G(HttpRequest req, HttpResponse resp) { string data; data = ""; /* Initialize data */ /* read input from WebClient */ { try { using (WebClient client = new WebClient()) { using (StreamReader sr = new StreamReader(client.OpenRead("http://www.example.org/"))) { /* POTENTIAL FLAW: Read data from a web server with WebClient */ /* This will be reading the first "line" of the response body, * which could be very long if there are no newlines in the HTML */ data = sr.ReadLine(); } } } catch (IOException exceptIO) { IO.Logger.Log(NLog.LogLevel.Warn, exceptIO, "Error with stream reading"); } } for (int k = 0; k < 1; k++) { if (data != null) { HttpCookie cookieSink = new HttpCookie("lang", HttpUtility.UrlEncode(data, Encoding.UTF8)); /* FIX: use URLEncoder.encode to hex-encode non-alphanumerics */ resp.AppendCookie(cookieSink); } } }
/* goodG2B() - use GoodSource and BadSink */ public static void GoodG2BSink(byte[] dataSerialized, HttpRequest req, HttpResponse resp) { try { string data; var binForm = new BinaryFormatter(); using (var memStream = new MemoryStream()) { memStream.Write(dataSerialized, 0, dataSerialized.Length); memStream.Seek(0, SeekOrigin.Begin); data = (string)binForm.Deserialize(memStream); } if (data != null) { HttpCookie cookieSink = new HttpCookie("lang", data); /* POTENTIAL FLAW: Input not verified before inclusion in the cookie */ resp.AppendCookie(cookieSink); } } catch (SerializationException exceptSerialize) { IO.Logger.Log(NLog.LogLevel.Warn, "SerializationException in deserialization", exceptSerialize); } }
/* goodB2G() - use BadSource and GoodSink */ public static void GoodB2GSink(byte[] dataSerialized, HttpRequest req, HttpResponse resp) { try { string data; var binForm = new BinaryFormatter(); using (var memStream = new MemoryStream()) { memStream.Write(dataSerialized, 0, dataSerialized.Length); memStream.Seek(0, SeekOrigin.Begin); data = (string)binForm.Deserialize(memStream); } if (data != null) { HttpCookie cookieSink = new HttpCookie("lang", HttpUtility.UrlEncode(data, Encoding.UTF8)); /* FIX: use URLEncoder.encode to hex-encode non-alphanumerics */ resp.AppendCookie(cookieSink); } } catch (SerializationException exceptSerialize) { IO.Logger.Log(NLog.LogLevel.Warn, "SerializationException in deserialization", exceptSerialize); } }
public override void Bad(HttpRequest req, HttpResponse resp) { string data; data = ""; /* Initialize data */ { /* read user input from console with ReadLine */ try { /* POTENTIAL FLAW: Read data from the console using ReadLine */ data = Console.ReadLine(); } catch (IOException exceptIO) { IO.Logger.Log(NLog.LogLevel.Warn, exceptIO, "Error with stream reading"); } } if (data != null) { HttpCookie cookieSink = new HttpCookie("lang", data); /* POTENTIAL FLAW: Input not verified before inclusion in the cookie */ resp.AppendCookie(cookieSink); } }
/* goodB2G() - use badsource and goodsink */ private void GoodB2G(HttpRequest req, HttpResponse resp) { string data; data = ""; /* Initialize data */ { /* read user input from console with ReadLine */ try { /* POTENTIAL FLAW: Read data from the console using ReadLine */ data = Console.ReadLine(); } catch (IOException exceptIO) { IO.Logger.Log(NLog.LogLevel.Warn, exceptIO, "Error with stream reading"); } } if (data != null) { HttpCookie cookieSink = new HttpCookie("lang", HttpUtility.UrlEncode(data, Encoding.UTF8)); /* FIX: use URLEncoder.encode to hex-encode non-alphanumerics */ resp.AppendCookie(cookieSink); } }
public override void Bad(HttpRequest req, HttpResponse resp) { string data; if (privateFive == 5) { data = ""; /* Initialize data */ { /* read user input from console with ReadLine */ try { /* POTENTIAL FLAW: Read data from the console using ReadLine */ data = Console.ReadLine(); } catch (IOException exceptIO) { IO.Logger.Log(NLog.LogLevel.Warn, exceptIO, "Error with stream reading"); } } } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run * but ensure data is inititialized before the Sink to avoid compiler errors */ data = null; } if (privateFive == 5) { if (data != null) { HttpCookie cookieSink = new HttpCookie("lang", data); /* POTENTIAL FLAW: Input not verified before inclusion in the cookie */ resp.AppendCookie(cookieSink); } } }
public override void Bad(HttpRequest req, HttpResponse resp) { string dataCopy; { string data; data = ""; /* Initialize data */ { try { /* read string from file into data */ using (StreamReader sr = new StreamReader("data.txt")) { /* POTENTIAL FLAW: Read data from a file */ /* This will be reading the first "line" of the file, which * could be very long if there are little or no newlines in the file */ data = sr.ReadLine(); } } catch (IOException exceptIO) { IO.Logger.Log(NLog.LogLevel.Warn, exceptIO, "Error with stream reading"); } } dataCopy = data; } { string data = dataCopy; if (data != null) { HttpCookie cookieSink = new HttpCookie("lang", data); /* POTENTIAL FLAW: Input not verified before inclusion in the cookie */ resp.AppendCookie(cookieSink); } } }
/* goodB2G() - use badsource and goodsink*/ private void GoodB2G(HttpRequest req, HttpResponse resp) { string data; data = ""; /* initialize data in case there are no cookies */ /* Read data from cookies */ { HttpCookieCollection cookieSources = req.Cookies; if (cookieSources != null) { /* POTENTIAL FLAW: Read data from the first cookie value */ data = cookieSources[0].Value; } } for (int k = 0; k < 1; k++) { if (data != null) { HttpCookie cookieSink = new HttpCookie("lang", HttpUtility.UrlEncode(data, Encoding.UTF8)); /* FIX: use URLEncoder.encode to hex-encode non-alphanumerics */ resp.AppendCookie(cookieSink); } } }
/* goodB2G1() - use badsource and goodsink by changing second PRIVATE_CONST_FIVE==5 to PRIVATE_CONST_FIVE!=5 */ private void GoodB2G1(HttpRequest req, HttpResponse resp) { string data; if (PRIVATE_CONST_FIVE == 5) { data = ""; /* initialize data in case id is not in query string */ /* POTENTIAL FLAW: Parse id param out of the URL querystring (without using getParameter()) */ { if (req.QueryString["id"] != null) { data = req.QueryString["id"]; } } } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run * but ensure data is inititialized before the Sink to avoid compiler errors */ data = null; } if (PRIVATE_CONST_FIVE != 5) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ IO.WriteLine("Benign, fixed string"); } else { if (data != null) { HttpCookie cookieSink = new HttpCookie("lang", HttpUtility.UrlEncode(data, Encoding.UTF8)); /* FIX: use URLEncoder.encode to hex-encode non-alphanumerics */ resp.AppendCookie(cookieSink); } } }
/* goodG2B() - use goodsource and badsink */ public static void GoodG2BSink(string data, HttpRequest req, HttpResponse resp) { /* NOTE: potential incidental issues with not setting secure or HttpOnly flag */ /* POTENTIAL FLAW: Store data directly in cookie */ resp.AppendCookie(new HttpCookie("auth", data)); }
/* goodB2G() - use badsource and goodsink by changing the second "if" so that * both branches use the GoodSink */ private void GoodB2G(HttpRequest req, HttpResponse resp) { string data; if (IO.StaticReturnsTrueOrFalse()) { data = ""; /* Initialize data */ /* Read data using an outbound tcp connection */ { try { /* Read data using an outbound tcp connection */ using (TcpClient tcpConn = new TcpClient("host.example.org", 39544)) { /* read input from socket */ using (StreamReader sr = new StreamReader(tcpConn.GetStream())) { /* POTENTIAL FLAW: Read data using an outbound tcp connection */ data = sr.ReadLine(); } } } catch (IOException exceptIO) { IO.Logger.Log(NLog.LogLevel.Warn, exceptIO, "Error with stream reading"); } } } else { data = ""; /* Initialize data */ /* Read data using an outbound tcp connection */ { try { /* Read data using an outbound tcp connection */ using (TcpClient tcpConn = new TcpClient("host.example.org", 39544)) { /* read input from socket */ using (StreamReader sr = new StreamReader(tcpConn.GetStream())) { /* POTENTIAL FLAW: Read data using an outbound tcp connection */ data = sr.ReadLine(); } } } catch (IOException exceptIO) { IO.Logger.Log(NLog.LogLevel.Warn, exceptIO, "Error with stream reading"); } } } if (IO.StaticReturnsTrueOrFalse()) { if (data != null) { HttpCookie cookieSink = new HttpCookie("lang", HttpUtility.UrlEncode(data, Encoding.UTF8)); /* FIX: use URLEncoder.encode to hex-encode non-alphanumerics */ resp.AppendCookie(cookieSink); } } else { if (data != null) { HttpCookie cookieSink = new HttpCookie("lang", HttpUtility.UrlEncode(data, Encoding.UTF8)); /* FIX: use URLEncoder.encode to hex-encode non-alphanumerics */ resp.AppendCookie(cookieSink); } } }
public override void Bad(HttpRequest req, HttpResponse resp) { string data; if (IO.StaticReturnsTrueOrFalse()) { data = ""; /* Initialize data */ /* Read data using a listening tcp connection */ { TcpListener listener = null; try { listener = new TcpListener(IPAddress.Parse("10.10.1.10"), 39543); listener.Start(); using (TcpClient tcpConn = listener.AcceptTcpClient()) { /* read input from socket */ using (StreamReader sr = new StreamReader(tcpConn.GetStream())) { /* POTENTIAL FLAW: Read data using a listening tcp connection */ data = sr.ReadLine(); } } } catch (IOException exceptIO) { IO.Logger.Log(NLog.LogLevel.Warn, exceptIO, "Error with stream reading"); } finally { if (listener != null) { try { listener.Stop(); } catch (SocketException se) { IO.Logger.Log(NLog.LogLevel.Warn, se, "Error closing TcpListener"); } } } } } else { /* FIX: Use a hardcoded string */ data = "foo"; } if (IO.StaticReturnsTrueOrFalse()) { if (data != null) { HttpCookie cookieSink = new HttpCookie("lang", data); /* POTENTIAL FLAW: Input not verified before inclusion in the cookie */ resp.AppendCookie(cookieSink); } } else { if (data != null) { HttpCookie cookieSink = new HttpCookie("lang", HttpUtility.UrlEncode(data, Encoding.UTF8)); /* FIX: use URLEncoder.encode to hex-encode non-alphanumerics */ resp.AppendCookie(cookieSink); } } }
public void Methods_Deny_Unrestricted() { HttpResponse response = new HttpResponse(writer); response.AddCacheItemDependencies(new ArrayList()); response.AddCacheItemDependency(String.Empty); response.AddFileDependencies(new ArrayList()); response.AddFileDependency(fname); #if NET_2_0 response.AddCacheDependency(new CacheDependency[0]); response.AddCacheItemDependencies(new string [0]); response.AddFileDependencies(new string [0]); #endif try { response.AppendCookie(new HttpCookie("mono")); } catch (NullReferenceException) { // ms } try { Assert.IsNull(response.ApplyAppPathModifier(null), "ApplyAppPathModifier"); } catch (NullReferenceException) { // ms } try { response.Clear(); } catch (NullReferenceException) { // ms } try { response.ClearContent(); } catch (NullReferenceException) { // ms } try { response.ClearHeaders(); } catch (NullReferenceException) { // ms } try { response.Redirect("http://www.mono-project.com"); } catch (NullReferenceException) { // ms } try { response.Redirect("http://www.mono-project.com", false); } catch (NullReferenceException) { // ms } try { response.SetCookie(new HttpCookie("mono")); } catch (NullReferenceException) { // ms } response.Write(String.Empty); response.Write(Char.MinValue); response.Write(new char[0], 0, 0); response.Write(this); #if NET_2_0 response.WriteSubstitution(new HttpResponseSubstitutionCallback(Callback)); #endif response.Flush(); response.Close(); try { response.End(); } catch (NullReferenceException) { // ms } }
public override void Bad(HttpRequest req, HttpResponse resp) { string data; if (IO.StaticReturnsTrueOrFalse()) { using (SecureString securePwd = new SecureString()) { using (SecureString secureUser = new SecureString()) { for (int i = 0; i < "AP@ssw0rd".Length; i++) { /* INCIDENTAL: CWE-798 Use of Hard-coded Credentials */ securePwd.AppendChar("AP@ssw0rd"[i]); } for (int i = 0; i < "user".Length; i++) { /* INCIDENTAL: CWE-798 Use of Hard-coded Credentials */ securePwd.AppendChar("user"[i]); } /* POTENTIAL FLAW: Set data to credentials (without hashing or encryption) */ data = secureUser.ToString() + ":" + securePwd.ToString(); } } } else { using (SecureString securePwd = new SecureString()) { using (SecureString secureUser = new SecureString()) { for (int i = 0; i < "AP@ssw0rd".Length; i++) { /* INCIDENTAL: CWE-798 Use of Hard-coded Credentials */ securePwd.AppendChar("AP@ssw0rd"[i]); } for (int i = 0; i < "user".Length; i++) { /* INCIDENTAL: CWE-798 Use of Hard-coded Credentials */ securePwd.AppendChar("user"[i]); } /* FIX: Set data to a hash of credentials */ { string salt = "ThisIsMySalt"; using (SHA512CryptoServiceProvider sha512 = new SHA512CryptoServiceProvider()) { string credentialsToHash = secureUser.ToString() + ":" + securePwd.ToString(); byte[] buffer = Encoding.UTF8.GetBytes(string.Concat(salt, credentialsToHash)); byte[] hashedCredsAsBytes = sha512.ComputeHash(buffer); data = IO.ToHex(hashedCredsAsBytes); } } } } } if (IO.StaticReturnsTrueOrFalse()) { /* NOTE: potential incidental issues with not setting secure or HttpOnly flag */ /* POTENTIAL FLAW: Store data directly in cookie */ resp.AppendCookie(new HttpCookie("auth", data)); } else { /* FIX: Hash data before storing in cookie */ { string salt = "ThisIsMySalt"; using (SHA512CryptoServiceProvider sha512 = new SHA512CryptoServiceProvider()) { byte[] buffer = Encoding.UTF8.GetBytes(string.Concat(salt, data)); byte[] hashedCredsAsBytes = sha512.ComputeHash(buffer); data = IO.ToHex(hashedCredsAsBytes); } } resp.AppendCookie(new HttpCookie("auth", data)); } }
public override void Bad(HttpRequest req, HttpResponse resp) { string data; switch (6) { case 6: data = ""; /* Initialize data */ /* Read data using a listening tcp connection */ { TcpListener listener = null; try { listener = new TcpListener(IPAddress.Parse("10.10.1.10"), 39543); listener.Start(); using (TcpClient tcpConn = listener.AcceptTcpClient()) { /* read input from socket */ using (StreamReader sr = new StreamReader(tcpConn.GetStream())) { /* POTENTIAL FLAW: Read data using a listening tcp connection */ data = sr.ReadLine(); } } } catch (IOException exceptIO) { IO.Logger.Log(NLog.LogLevel.Warn, exceptIO, "Error with stream reading"); } finally { if (listener != null) { try { listener.Stop(); } catch (SocketException se) { IO.Logger.Log(NLog.LogLevel.Warn, se, "Error closing TcpListener"); } } } } break; default: /* INCIDENTAL: CWE 561 Dead Code, the code below will never run * but ensure data is inititialized before the Sink to avoid compiler errors */ data = null; break; } switch (7) { case 7: if (data != null) { HttpCookie cookieSink = new HttpCookie("lang", data); /* POTENTIAL FLAW: Input not verified before inclusion in the cookie */ resp.AppendCookie(cookieSink); } break; default: /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ IO.WriteLine("Benign, fixed string"); break; } }
public override void AppendCookie(HttpCookie cookie) { _httpResponse.AppendCookie(cookie); }
public virtual void AppendCookie(HttpCookie cookie) { _response.AppendCookie(cookie); }
public void AppendCookie(HttpCookie cookie) { response.AppendCookie(cookie); }
/* goodB2G1() - use badsource and goodsink by changing second PRIVATE_CONST_TRUE to PRIVATE_CONST_FALSE */ private void GoodB2G1(HttpRequest req, HttpResponse resp) { string data; if (PRIVATE_CONST_TRUE) { data = ""; /* Initialize data */ /* Read data using a listening tcp connection */ { TcpListener listener = null; try { listener = new TcpListener(IPAddress.Parse("10.10.1.10"), 39543); listener.Start(); using (TcpClient tcpConn = listener.AcceptTcpClient()) { /* read input from socket */ using (StreamReader sr = new StreamReader(tcpConn.GetStream())) { /* POTENTIAL FLAW: Read data using a listening tcp connection */ data = sr.ReadLine(); } } } catch (IOException exceptIO) { IO.Logger.Log(NLog.LogLevel.Warn, exceptIO, "Error with stream reading"); } finally { if (listener != null) { try { listener.Stop(); } catch (SocketException se) { IO.Logger.Log(NLog.LogLevel.Warn, se, "Error closing TcpListener"); } } } } } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run * but ensure data is inititialized before the Sink to avoid compiler errors */ data = null; } if (PRIVATE_CONST_FALSE) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */ IO.WriteLine("Benign, fixed string"); } else { if (data != null) { HttpCookie cookieSink = new HttpCookie("lang", HttpUtility.UrlEncode(data, Encoding.UTF8)); /* FIX: use URLEncoder.encode to hex-encode non-alphanumerics */ resp.AppendCookie(cookieSink); } } }
public void ProcessRequest(HttpContext context) { context.Response.ContentType = "text/plain"; Request = context.Request; Response = context.Response; switch (Request["operType"]) { case "verifyvote": DateTime begin = DateTime.Parse(Discuz.Common.ConfigOperator.ConfigReadValue("startvotetime")); DateTime end = DateTime.Parse(Discuz.Common.ConfigOperator.ConfigReadValue("endvotetime")).AddDays(1); if (DateTime.Now < begin) { Response.Write("{\"result\":\"0\",\"msg\":\"投票太早了,投票时间为:" + begin.ToString("yyyy年MM月dd日") + "到" + end.AddDays(-1).ToString("yyyy年MM月dd日") + "\"}"); } else if (end < DateTime.Now) { Response.Write("{\"result\":\"0\",\"msg\":\"投票来晚了,投票时间为:" + begin.ToString("yyyy年MM月dd日") + "到" + end.AddDays(-1).ToString("yyyy年MM月dd日") + "\"}"); } else { //判断指定的IP是否已投过票了,如果已经投过了,则弹出提示对话框 string UserIP = Request.UserHostAddress.ToString(); HttpCookie oldCookie = Request.Cookies["userIP"]; if (oldCookie == null) { //定义新的Cookie对象 HttpCookie newCookie = new HttpCookie("IPaddress"); newCookie.Expires = DateTime.Now.AddMinutes(5); //添加新的Cookie变量IPaddress,值为UserIP newCookie.Value = UserIP; //将变量写入Cookie文件中 Response.AppendCookie(newCookie); Response.Write("{\"result\":\"1\"}"); } else { string userIP = oldCookie.Values["IPaddress"]; if (UserIP.Trim() == userIP.Trim()) { Response.Write("{\"result\":\"0\",\"msg\":\"一个IP地址只能投一次票,谢谢您的参与!\"}"); } else { //定义新的Cookie对象 HttpCookie newCookie = new HttpCookie("IPaddress"); newCookie.Expires = DateTime.Now.AddMinutes(5); //添加新的Cookie变量IPaddress,值为UserIP newCookie.Value = UserIP; //将变量写入Cookie文件中 Response.AppendCookie(newCookie); Response.Write("{\"result\":\"1\"}"); } } } break; case "vote": if (Attachments.UpdatePicVote(int.Parse(Request["Aid"]), string.Empty) > 0) { CookiesHelper.AddNoDomainCoolie("userIP", "IPaddress", CookiesHelper.GetCookieValue("IPaddress"), 60 * 24); Response.Write("{\"result\":\"1\",\"msg\":\"投票成功,谢谢您的参与!\"}"); } else { Response.Write("{\"result\":\"0\",\"msg\":\"投票失败,请稍后重试!\"}"); } break; } }