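/* goodB2G() - use badsource and goodsink */
/// <summary>
/// Sink for the bad-source / good-sink variant: takes the password that arrived in
/// <paramref name="passwordContainer"/>, AES-decrypts it, and uses the result to open a
/// <see cref="SqlConnection"/> and run a fixed SELECT against <c>test_table</c>.
/// </summary>
/// <param name="passwordContainer">Container whose <c>containerOne</c> field holds the
/// received password. It is assumed to be AES ciphertext carried as text (the decrypt step
/// feeds its UTF-8 bytes to the cipher); a null value skips decryption and connects with an
/// empty password, as the original did.</param>
/// <remarks>
/// A <see cref="SqlException"/> raised while connecting or querying is logged and swallowed.
/// A <see cref="CryptographicException"/> from the decrypt step (e.g. a ciphertext whose
/// length is not a multiple of the block size) is NOT caught and propagates to the caller.
/// The connection-string portion of this method was redacted in the reviewed listing
/// ("******"); it is restored here from the surviving tokens and brace structure, and the
/// string concatenation is replaced by <see cref="SqlConnectionStringBuilder"/> so that a
/// password containing ';' or '"' cannot inject additional connection-string keywords.
/// </remarks>
public static void GoodB2GSink(CWE319_Cleartext_Tx_Sensitive_Info__NetClient_SqlConnection_67a.Container passwordContainer)
{
    string password = passwordContainer.containerOne;
    if (password != null)
    {
        /* FIX: Decrypt password before using in getConnection() */
        using (AesCryptoServiceProvider aesAlg = new AesCryptoServiceProvider())
        {
            // NOTE(review): PaddingMode.None means a ciphertext whose length is not a
            // multiple of the 16-byte block size throws CryptographicException below.
            aesAlg.Padding = PaddingMode.None;
            // NOTE(review): hard-coded 128-bit key. Tolerable only in a test case; a real
            // deployment must load the key from a key store, never from source.
            aesAlg.Key = Encoding.UTF8.GetBytes("ABCDEFGHABCDEFGH");
            // NOTE(review): aesAlg.IV is never assigned, so the provider hands back a freshly
            // generated random IV on first access and the first plaintext block will be
            // garbage. The IV has to travel with the ciphertext (e.g. prepended) and be set
            // here; that wire format is not visible from this file, so the call is left as-is.
            ICryptoTransform decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV);

            // The received string's UTF-8 bytes are treated as the ciphertext; the decrypted
            // bytes are read back as text and replace the ciphertext in `password`.
            using (MemoryStream msDecrypt = new MemoryStream(Encoding.UTF8.GetBytes(password)))
            using (CryptoStream csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
            using (StreamReader srDecrypt = new StreamReader(csDecrypt))
            {
                password = srDecrypt.ReadToEnd();
            }
        }
    }

    try
    {
        /* POTENTIAL FLAW: use password directly in SqlConnection() */
        // The password originates from an untrusted source, so it is placed into the
        // connection string through the builder (which quotes it) rather than by
        // concatenation, where ';' or '"' in the value would terminate the Password
        // keyword and inject further keywords. A null password maps to an empty one,
        // matching the original "Password=;" behaviour.
        SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder
        {
            DataSource = "(local)",
            InitialCatalog = "CWE256",
            // NOTE(review): connecting as "sa" violates least privilege; kept because the
            // test fixture depends on it.
            UserID = "sa",
            Password = password ?? string.Empty,
        };
        // NOTE(review): no Encrypt/TrustServerCertificate keywords are set, so whether the
        // credential is protected on the wire depends on the client/server defaults —
        // confirm against the deployment's TLS policy.
        using (SqlConnection connection = new SqlConnection(builder.ConnectionString))
        {
            // ExecuteNonQuery requires an open connection; otherwise it throws
            // InvalidOperationException, which the catch below would not handle.
            connection.Open();
            using (SqlCommand command = new SqlCommand("select * from test_table", connection))
            {
                // The SELECT's result set is discarded; only the round-trip matters here.
                command.ExecuteNonQuery();
            }
        }
    }
    catch (SqlException exceptSql)
    {
        IO.Logger.Log(NLog.LogLevel.Warn, "Error with database connection", exceptSql);
    }
}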
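/* goodG2B() - use goodsource and badsink */
/// <summary>
/// Sink for the good-source / bad-sink variant: takes the password from
/// <paramref name="passwordContainer"/> as-is (no decryption) and uses it to open a
/// <see cref="SqlConnection"/> and run a fixed SELECT against <c>test_table</c>.
/// </summary>
/// <param name="passwordContainer">Container whose <c>containerOne</c> field holds the
/// password produced by the good source. A null value connects with an empty password,
/// as the original concatenation did.</param>
/// <remarks>
/// A <see cref="SqlException"/> raised while connecting or querying is logged and swallowed;
/// nothing else is caught. The connection-string portion of this method was redacted in the
/// reviewed listing ("******"); it is restored here from the surviving tokens and brace
/// structure, and the string concatenation is replaced by
/// <see cref="SqlConnectionStringBuilder"/> so that a password containing ';' or '"' cannot
/// inject additional connection-string keywords.
/// </remarks>
public static void GoodG2BSink(CWE319_Cleartext_Tx_Sensitive_Info__NetClient_SqlConnection_67a.Container passwordContainer)
{
    string password = passwordContainer.containerOne;
    try
    {
        /* POTENTIAL FLAW: use password directly in SqlConnection() */
        // Build the connection string through the builder (which quotes the value) instead
        // of concatenation, so a password containing ';' or '"' cannot terminate the
        // Password keyword and inject further keywords. A null password maps to an empty
        // one, matching the original "Password=;" behaviour.
        SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder
        {
            DataSource = "(local)",
            InitialCatalog = "CWE256",
            // NOTE(review): connecting as "sa" violates least privilege; kept because the
            // test fixture depends on it.
            UserID = "sa",
            Password = password ?? string.Empty,
        };
        // NOTE(review): no Encrypt/TrustServerCertificate keywords are set, so whether the
        // credential is protected on the wire depends on the client/server defaults —
        // confirm against the deployment's TLS policy.
        using (SqlConnection connection = new SqlConnection(builder.ConnectionString))
        {
            // ExecuteNonQuery requires an open connection; otherwise it throws
            // InvalidOperationException, which the catch below would not handle.
            connection.Open();
            using (SqlCommand command = new SqlCommand("select * from test_table", connection))
            {
                // The SELECT's result set is discarded; only the round-trip matters here.
                command.ExecuteNonQuery();
            }
        }
    }
    catch (SqlException exceptSql)
    {
        IO.Logger.Log(NLog.LogLevel.Warn, "Error with database connection", exceptSql);
    }
}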