Update and rename ComparingValueOfSensetiveHeader.java to Test.java

2026-04-30 03:05:15 +02:00 · 2022-02-25 15:39:50 +01:00
parent 091227982c
commit 35abc3f9a3
2 changed files with 20 additions and 17 deletions
--- a/java/ql/src/experimental/Security/CWE/CWE-208/ComparingValueOfSensetiveHeader.java
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/ComparingValueOfSensetiveHeader.java
@@ -1,17 +0,0 @@
-import javax.servlet.http.HttpServletRequest;
-import java.nio.charset.StandardCharsets;
-import java.security.MessageDigest;
-
-private boolean UnsafecsrfComparison(String csrfTokenInCookie) {
-         if(csrfTokenInCookie == null || !csrfTokenInCookie.equals(request.getHeader("X-CSRF-TOKEN"))) { // BAD
-                 return false;
-         }
-}
-private boolean safecsrfComparison(String csrfTokenInCookie) {
-	  String csrfTokenInRequest = request.getHeader("X-CSRF-TOKEN");
-          if (csrfTokenInRequest == null || !MessageDigest.isEqual(
-                csrfTokenInCookie.getBytes(StandardCharsets.UTF_8), 
-                csrfTokenInRequest.getBytes(StandardCharsets.UTF_8))) { // GOOD
-                     return false;
-         }
-}
--- a/java/ql/src/experimental/Security/CWE/CWE-208/Test.java
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/Test.java
@@ -0,0 +1,20 @@
+import javax.servlet.http.HttpServletRequest;
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.lang.String;
+
+
+public class Test {
+    private boolean UnsafeComparison(HttpServletRequest request) {
+        String Key = "secret";
+        return Key.equals(request.getHeader("X-Auth-Token"));        
+    }
+
+    private boolean safeComparison(HttpServletRequest request) {
+          String token = request.getHeader("X-Auth-Token");
+          String Key = "secret"; 
+          return MessageDigest.isEqual(Key.getBytes(StandardCharsets.UTF_8), token.getBytes(StandardCharsets.UTF_8));
+    }
+    
+}
+