/* goodB2G() - use badsource and goodsink */
private static void GoodB2G()
{
string password = CWE319_Cleartext_Tx_Sensitive_Info__listen_tcp_SqlConnection_61b.GoodB2GSource();
if (password != null)
{
/* FIX: Decrypt password before using in getConnection() */
{
using (AesCryptoServiceProvider aesAlg = new AesCryptoServiceProvider())
{
aesAlg.Padding = PaddingMode.None;
aesAlg.Key = Encoding.UTF8.GetBytes("ABCDEFGHABCDEFGH");
// Create a decryptor to perform the stream transform.
ICryptoTransform decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV);
// Create the streams used for decryption.
using (MemoryStream msDecrypt = new MemoryStream(Encoding.UTF8.GetBytes(password)))
{
using (CryptoStream csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
{
using (StreamReader srDecrypt = new StreamReader(csDecrypt))
{
// Read the decrypted bytes from the decrypting stream
// and place them in a string.
password = srDecrypt.ReadToEnd();
}
}
}
}
}
try
{
/* POTENTIAL FLAW: use password directly in SqlConnection() */
using (SqlConnection connection = new SqlConnection(@"Data Source=(local);Initial Catalog=CWE256;User ID=" + "sa" + ";Password="******"select * from test_table", connection))
{
command.ExecuteNonQuery();
}
}
}
catch (SqlException exceptSql)
{
IO.Logger.Log(NLog.LogLevel.Warn, "Error with database connection", exceptSql);
}
}
}
/* goodG2B() - use goodsource and badsink */
private static void GoodG2B()
{
string password = CWE319_Cleartext_Tx_Sensitive_Info__listen_tcp_SqlConnection_61b.GoodG2BSource();
try
{
/* POTENTIAL FLAW: use password directly in SqlConnection() */
using (SqlConnection connection = new SqlConnection(@"Data Source=(local);Initial Catalog=CWE256;User ID=" + "sa" + ";Password="******"select * from test_table", connection))
{
command.ExecuteNonQuery();
}
}
}
catch (SqlException exceptSql)
{
IO.Logger.Log(NLog.LogLevel.Warn, "Error with database connection", exceptSql);
}
}
