hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix scope issues in the Java example

Browse Source
This commit is contained in:
Tony Torralba
2021-09-15 14:39:12 +02:00
parent 023264660b
commit c3c73377b8
1 changed files with 6 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
java/ql/src/Security/CWE/CWE-522/InsecureBasicAuth.java
View File

@@ -1,22 +1,19 @@
public class InsecureBasicAuth { public class InsecureBasicAuth {
/** /**
* Test basic authentication with Apache HTTP request. * Test basic authentication with Apache HTTP request.
*/ */
public void testApacheHttpRequest(String username, String password) { public void testApacheHttpRequest(String username, String password) {
{
// BAD: basic authentication over HTTP // BAD: basic authentication over HTTP
String url = "http://www.example.com/rest/getuser.do?uid=abcdx"; String url = "http://www.example.com/rest/getuser.do?uid=abcdx";
}
{
// GOOD: basic authentication over HTTPS // GOOD: basic authentication over HTTPS
String url = "https://www.example.com/rest/getuser.do?uid=abcdx"; url = "https://www.example.com/rest/getuser.do?uid=abcdx";
}
HttpPost post = new HttpPost(url); HttpPost post = new HttpPost(url);
post.setHeader("Accept", "application/json"); post.setHeader("Accept", "application/json");
post.setHeader("Content-type", "application/json"); post.setHeader("Content-type", "application/json");
String authString = username + ":" + password; String authString = username + ":" + password;
byte[] authEncBytes = Base64.getEncoder().encode(authString.getBytes()); byte[] authEncBytes = Base64.getEncoder().encode(authString.getBytes());
String authStringEnc = new String(authEncBytes); String authStringEnc = new String(authEncBytes);
@@ -28,15 +25,12 @@ public class InsecureBasicAuth {
* Test basic authentication with Java HTTP URL connection. * Test basic authentication with Java HTTP URL connection.
*/ */
public void testHttpUrlConnection(String username, String password) { public void testHttpUrlConnection(String username, String password) {
{
// BAD: basic authentication over HTTP // BAD: basic authentication over HTTP
String urlStr = "http://www.example.com/rest/getuser.do?uid=abcdx"; String urlStr = "http://www.example.com/rest/getuser.do?uid=abcdx";
}
{
// GOOD: basic authentication over HTTPS // GOOD: basic authentication over HTTPS
String urlStr = "https://www.example.com/rest/getuser.do?uid=abcdx"; urlStr = "https://www.example.com/rest/getuser.do?uid=abcdx";
}
String authString = username + ":" + password; String authString = username + ":" + password;
String encoding = Base64.getEncoder().encodeToString(authString.getBytes("UTF-8")); String encoding = Base64.getEncoder().encodeToString(authString.getBytes("UTF-8"));