/**
* OWASP Benchmark Project v1.2
*
* <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
* details, please see <a
* href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
*
* <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
* of the GNU General Public License as published by the Free Software Foundation, version 2.
*
* <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
* WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
* PURPOSE. See the GNU General Public License for more details.
*
* @author Dave Wichers
* @created 2015
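*/
package org.owasp.benchmark.testcode;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Benchmark test case {@code crypto-01/BenchmarkTest00943}.
 *
 * <p>GET sets the {@code BenchmarkTest00943} cookie; POST reads that cookie back, passes the value
 * through an inner class, encrypts it with the cipher supplied by {@code Utils.getCipher()} (the
 * sink this test case exercises) and appends the Base64-encoded result to a file. The cookie
 * value is client-controlled input.
 */
@WebServlet(value = "/crypto-01/BenchmarkTest00943")
public class BenchmarkTest00943 extends HttpServlet {

    private static final long serialVersionUID = 1L;

    /**
     * Sets the {@code BenchmarkTest00943} cookie (value {@code "someSecret"}, 3-minute lifetime,
     * path and domain taken from the current request) and includes the companion HTML page.
     *
     * @param request the incoming request; its URI and URL supply the cookie path and domain
     * @param response receives the cookie and the included page
     * @throws ServletException if the include fails
     * @throws IOException if the response cannot be written or the request URL does not parse
     */
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");

        javax.servlet.http.Cookie userCookie =
                new javax.servlet.http.Cookie("BenchmarkTest00943", "someSecret");
        userCookie.setMaxAge(60 * 3); // Store cookie for 3 minutes
        userCookie.setPath(request.getRequestURI());
        // The domain is whatever host the request URL names (containers typically build that
        // from the Host header), so it mirrors the client's view of the server.
        userCookie.setDomain(new java.net.URL(request.getRequestURL().toString()).getHost());
        response.addCookie(userCookie);

        javax.servlet.RequestDispatcher rd =
                request.getRequestDispatcher("/crypto-01/BenchmarkTest00943.html");
        rd.include(request, response);
    }

    /**
     * Reads the {@code BenchmarkTest00943} cookie (URL-decoded as UTF-8; {@code
     * "noCookieValueSupplied"} when absent), routes it through {@link Test#doSomething}, encrypts
     * it with {@code Utils.getCipher()} and appends {@code secret_value=<base64>} to {@code
     * passwordFile.txt} under {@code Utils.TESTFILES_DIR}. The plaintext is echoed back
     * HTML-encoded.
     *
     * @param request the incoming request; only its cookies are read
     * @param response receives the status messages
     * @throws ServletException wrapping an {@link javax.crypto.IllegalBlockSizeException} or
     *     {@link javax.crypto.BadPaddingException} raised by the cipher
     * @throws IOException if the response or the target file cannot be written
     */
    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");

        javax.servlet.http.Cookie[] theCookies = request.getCookies();

        String param = "noCookieValueSupplied";
        if (theCookies != null) {
            for (javax.servlet.http.Cookie theCookie : theCookies) {
                if (theCookie.getName().equals("BenchmarkTest00943")) {
                    param = java.net.URLDecoder.decode(theCookie.getValue(), "UTF-8");
                    break;
                }
            }
        }

        String bar = new Test().doSomething(request, param);

        // Code based on example from:
        // http://examples.javacodegeeks.com/core-java/crypto/encrypt-decrypt-file-stream-with-des/
        try {
            // The algorithm/mode is chosen inside the helper; that choice is what this test
            // case is scored on, so it is deliberately not altered here.
            javax.crypto.Cipher c = org.owasp.benchmark.helpers.Utils.getCipher();

            // encrypt and store the results
            byte[] input = {(byte) '?'};
            Object inputParam = bar;
            if (inputParam instanceof String) {
                // Explicit charset: the cookie value was decoded as UTF-8 above, so the bytes fed
                // to the cipher must not depend on the platform default encoding.
                input = ((String) inputParam).getBytes(java.nio.charset.StandardCharsets.UTF_8);
            }
            if (inputParam instanceof java.io.InputStream) {
                // Unreachable here: bar is always a String (see Test.doSomething); retained
                // unchanged.
                byte[] strInput = new byte[1000];
                int i = ((java.io.InputStream) inputParam).read(strInput);
                if (i == -1) {
                    response.getWriter()
                            .println(
                                    "This input source requires a POST, not a GET. Incompatible UI for the InputStream source.");
                    return;
                }
                input = java.util.Arrays.copyOf(strInput, i);
            }
            byte[] result = c.doFinal(input);

            java.io.File fileTarget =
                    new java.io.File(
                            new java.io.File(org.owasp.benchmark.helpers.Utils.TESTFILES_DIR),
                            "passwordFile.txt");
            // try-with-resources releases the handle even when write() throws; 'true' appends
            // the new data instead of truncating the file.
            try (java.io.FileWriter fw = new java.io.FileWriter(fileTarget, true)) {
                fw.write(
                        "secret_value="
                                + org.owasp.esapi.ESAPI.encoder().encodeForBase64(result, true)
                                + "\n");
            }
            response.getWriter()
                    .println(
                            "Sensitive value: '"
                                    + org.owasp.esapi.ESAPI.encoder()
                                            .encodeForHTML(
                                                    new String(
                                                            input,
                                                            java.nio.charset.StandardCharsets.UTF_8))
                                    + "' encrypted and stored<br/>");
        } catch (javax.crypto.IllegalBlockSizeException | javax.crypto.BadPaddingException e) {
            response.getWriter()
                    .println(
                            "Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case");
            // NOTE(review): this writes the full stack trace into the HTTP response, disclosing
            // internal class/line details to the client. Retained for the test case; a
            // production servlet would log server-side instead.
            e.printStackTrace(response.getWriter());
            throw new ServletException(e);
        }
        response.getWriter()
                .println(
                        "Crypto Test javax.crypto.Cipher.getInstance(java.lang.String,java.lang.String) executed");
    } // end doPost

    /** Inner class used to carry the tainted value through a collection. */
    private class Test {

        /**
         * Returns {@code param} after routing it through a list: it is wedged between two
         * constant entries, the leading constant is removed, and the element that is then first
         * — {@code param} itself — is returned.
         *
         * @param request unused; present to match the Benchmark call shape
         * @param param the value to pass through; {@code null} yields {@code ""}
         * @return {@code param}, or {@code ""} when {@code param} is {@code null}
         * @throws ServletException never thrown by this body; declared for the call site
         * @throws IOException never thrown by this body; declared for the call site
         */
        public String doSomething(HttpServletRequest request, String param)
                throws ServletException, IOException {

            String bar = "";
            if (param != null) {
                java.util.List<String> valuesList = new java.util.ArrayList<String>();
                valuesList.add("safe");
                valuesList.add(param);
                valuesList.add("moresafe");

                valuesList.remove(0); // remove the 1st safe value

                bar = valuesList.get(0); // get the param value
            }

            return bar;
        }
    } // end innerclass Test
} // end DataflowThruInnerClass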
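/**
 * Fragment appended after the test case.
 *
 * <p>NOTE(review): {@code request}, {@code response} and {@code userCookie} are not declared
 * anywhere in this class, so it does not compile on its own; the lines look lifted from a
 * servlet's {@code doGet} — confirm where they were meant to live before relying on this code.
 */
class NotCompliant {

    /**
     * Adds a cookie named {@code field} with value {@code value}, valid for 3 minutes, to the
     * (undeclared) {@code response}, then includes the weakrand-00 page.
     *
     * @param field the cookie name, used as given
     * @param value the cookie value, used as given (no encoding applied)
     */
    public void setCookie(String field, String value) {
        // Fully qualified so the type resolves without an import, matching the file's style.
        javax.servlet.http.Cookie cookie = new javax.servlet.http.Cookie(field, value);
        cookie.setMaxAge(60 * 3); // Store cookie for 3 minutes
        response.addCookie(cookie);
        response.addCookie(userCookie); // userCookie is not declared in this class
        javax.servlet.RequestDispatcher rd =
                request.getRequestDispatcher("/weakrand-00/BenchmarkTest00078.html");
        rd.include(request, response);
    }
}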