/* goodB2G() - use badsource and goodsink */
private void GoodB2G()
{
    /* Bad source: the credential is loaded verbatim from a plaintext file.
       If the read fails with an I/O error, the failure is only logged and
       the password stays empty. */
    string password = "";
    try
    {
        byte[] rawBytes = File.ReadAllBytes("../../../common/strong_password_file.txt");
        password = Encoding.UTF8.GetString(rawBytes);
    }
    catch (IOException exceptIO)
    {
        IO.Logger.Log(NLog.LogLevel.Warn, "Error with file reading", exceptIO);
    }

    /* POTENTIAL FLAW: The raw password read from the .txt file is passed on (without being decrypted) */
    CWE256_Unprotected_Storage_of_Credentials__basic_54b.GoodB2GSink(password);
}
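/* goodG2B() - use goodsource and badsink */
private void GoodG2B()
{
    string password = ""; /* init password */

    /* retrieve the password: the raw file contents are read first; this value is
       replaced below by the decrypted text, but the read and its logging are kept
       because an I/O error on this path is only logged, not propagated. */
    try
    {
        password = Encoding.UTF8.GetString(File.ReadAllBytes("../../../common/strong_password_file.txt"));
    }
    catch (IOException exceptIO)
    {
        IO.Logger.Log(NLog.LogLevel.Warn, "Error with file reading", exceptIO);
    }

    /* FIX: password is decrypted before being passed on */
    using (AesCryptoServiceProvider aesAlg = new AesCryptoServiceProvider())
    {
        /* NOTE(review): the key is a source literal and the IV is all zeros; this is
           the test case's fixture, not a key-management pattern to reuse. */
        aesAlg.Key = Encoding.UTF8.GetBytes("ABCDEFGHABCDEFGH");
        aesAlg.IV = new byte[16];

        // ICryptoTransform is IDisposable; the original never disposed it.
        // Stacked usings release the transform and all streams in reverse order.
        // The second File.ReadAllBytes is outside the try above, so an I/O or
        // CryptographicException from this block propagates to the caller unchanged.
        using (ICryptoTransform decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV))
        using (MemoryStream msDecrypt = new MemoryStream(File.ReadAllBytes("../../../common/strong_password_file.txt")))
        using (CryptoStream csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
        using (StreamReader srDecrypt = new StreamReader(csDecrypt))
        {
            // Read the decrypted bytes from the decrypting stream and place them in a string.
            password = srDecrypt.ReadToEnd();
        }
    }

    CWE256_Unprotected_Storage_of_Credentials__basic_54b.GoodG2BSink(password);
}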