UnsafeTaintedByAnnotationEndpoint.java example

Explorer
find-sec-bugs-master
package testcode.taint;

import org.hibernate.SessionFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
@RequestMapping("/testme")
public abstract class UnsafeTaintedByAnnotationEndpoint {


    @Autowired
    private SessionFactory sessionFactory;

    public abstract String getUnknownValue();

    //No tainted annotation therefore, the level of confidence should not be rise

    public void noTaintAnnotation(@RequestParam("input") String user) {
        sessionFactory.openSession().createQuery("FROM comment WHERE user='"+user+"'"); //High
    }

    public void safeAnnotation1(@ModelAttribute("comment") CommentDto comment,@RequestParam("input") String input) {
        sessionFactory.openSession().createQuery("FROM comment WHERE user='"+input+"'"); //High
    }

    //Some tainted annotation are present but they are not place to sink location

    public void safeAnnotation2(@RequestParam("comment") String comment, @RequestParam("input") String input) {
        sessionFactory.openSession().createQuery("FROM comment WHERE user='"+input+"'"); //High
    }

    public void safeAnnotation3(@RequestParam("input") String input, @RequestParam("unsafe") String unsafe) {
        sessionFactory.openSession().createQuery("FROM comment WHERE user='"+input+"'"); //High
    }

    public void safeAnnotation4(String unusedParameter, @RequestParam("input") String input, @RequestParam("unsafe") String unsafe) {
        sessionFactory.openSession().createQuery("FROM comment WHERE user='"+input+"'"); //High
    }

    public void safeAnnotation5(int unusedParameter1, String unusedParameter2, @RequestParam("input") String input, @RequestParam("unsafe") String unsafe) {
        sessionFactory.openSession().createQuery("FROM comment WHERE user='"+input+"'"); //High
    }

    //Makes sure that primitive types that takes two slots are properly consider

    public void safeAnnotation6(double unusedParameter1, @RequestParam("input") String input, @RequestParam("unsafe") String unsafe) {
        sessionFactory.openSession().createQuery("FROM comment WHERE user='"+input+"'"); //High
    }

    public void safeAnnotation7(@RequestParam("input") String input, @RequestParam("unsafe") String unsafe, double unusedParameter1) {
        sessionFactory.openSession().createQuery("FROM comment WHERE user='"+input+"'"); //High
    }

    public void safeAnnotation8(long unusedParameter1, @RequestParam("input") String input, @RequestParam("unsafe") String unsafe) {
        sessionFactory.openSession().createQuery("FROM comment WHERE user='"+input+"'"); //High
    }

    public void safeAnnotation9(@RequestParam("input") String input, @RequestParam("unsafe") String unsafe, long unusedParameter1) {
        sessionFactory.openSession().createQuery("FROM comment WHERE user='"+input+"'"); //High
    }

}