/* goodB2G() - use badsource and goodsink */
// Test-case sink: the password is taken from the "bad" source (GoodB2BSource is
// not used here; see GoodB2GSource below), AES-decrypted with a key literal held
// in this method, and then spliced into a SqlConnection connection string.
// The only failure handled is SqlException, which is logged at Warn and swallowed.
private static void GoodB2G()
{
    string password = CWE319_Cleartext_Tx_Sensitive_Info__listen_tcp_SqlConnection_61b.GoodB2GSource();
    if (password != null)
    {
        /* FIX: Decrypt password before using in getConnection() */
        {
            using (AesCryptoServiceProvider aesAlg = new AesCryptoServiceProvider())
            {
                // NOTE(review): with PaddingMode.None the decryptor expects block-aligned
                // input; a received value of any other length will fail inside the
                // CryptoStream read below rather than here — confirm what the source sends.
                aesAlg.Padding = PaddingMode.None;
                // NOTE(review): the AES key is a fixed 16-byte literal compiled into this
                // method (test-harness data, not a key-management scheme); anyone with the
                // binary can decrypt every value protected with it.
                aesAlg.Key = Encoding.UTF8.GetBytes("ABCDEFGHABCDEFGH");
                // Create a decryptor to perform the stream transform.
                // NOTE(review): aesAlg.IV is never assigned in this method, so the decryptor
                // is given the provider's own IV rather than one agreed with the sender;
                // verify the encrypting side's IV handling, otherwise the first block will
                // not decrypt to the intended plaintext.
                ICryptoTransform decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV);
                // Create the streams used for decryption.
                // NOTE(review): the ciphertext bytes are recovered by UTF-8-encoding the
                // received string; this only round-trips if the source transmitted the raw
                // cipher bytes as UTF-8 text — confirm against the listen/tcp source.
                using (MemoryStream msDecrypt = new MemoryStream(Encoding.UTF8.GetBytes(password)))
                {
                    using (CryptoStream csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
                    {
                        using (StreamReader srDecrypt = new StreamReader(csDecrypt))
                        {
                            // Read the decrypted bytes from the decrypting stream
                            // and place them in a string.
                            password = srDecrypt.ReadToEnd();
                        }
                    }
                }
            }
        }
        try
        {
            /* POTENTIAL FLAW: use password directly in SqlConnection() */
            // The connection is made as the SQL Server "sa" login with the decrypted
            // password placed in the connection string in cleartext.
            // NOTE(review): the middle of this statement is redacted in this copy of the
            // file ("******"), so the exact password concatenation and the SqlCommand
            // using-block cannot be reviewed here — check the unredacted source.
            using (SqlConnection connection = new SqlConnection(@"Data Source=(local);Initial Catalog=CWE256;User ID=" + "sa" + ";Password="******"select * from test_table", connection)) { command.ExecuteNonQuery(); } } }
        catch (SqlException exceptSql)
        {
            // Connection/command failures are logged and swallowed; the method returns normally.
            IO.Logger.Log(NLog.LogLevel.Warn, "Error with database connection", exceptSql);
        }
    }
}
/* goodG2B() - use goodsource and badsink */
// Test-case sink: the password comes from the "good" source (GoodG2BSource) and
// is used as-is in a SqlConnection connection string. Unlike GoodB2G above, there
// is no null check on the source value before it is concatenated.
// The only failure handled is SqlException, which is logged at Warn and swallowed.
private static void GoodG2B()
{
    string password = CWE319_Cleartext_Tx_Sensitive_Info__listen_tcp_SqlConnection_61b.GoodG2BSource();
    try
    {
        /* POTENTIAL FLAW: use password directly in SqlConnection() */
        // The connection is made as the SQL Server "sa" login with the password placed
        // in the connection string in cleartext.
        // NOTE(review): the middle of this statement is redacted in this copy of the
        // file ("******"), so the exact password concatenation and the SqlCommand
        // using-block cannot be reviewed here — check the unredacted source.
        using (SqlConnection connection = new SqlConnection(@"Data Source=(local);Initial Catalog=CWE256;User ID=" + "sa" + ";Password="******"select * from test_table", connection)) { command.ExecuteNonQuery(); } } }
    catch (SqlException exceptSql)
    {
        // Connection/command failures are logged and swallowed; the method returns normally.
        IO.Logger.Log(NLog.LogLevel.Warn, "Error with database connection", exceptSql);
    }
}