codeql/java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException.java


import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.ServletException;
/**
 * Test fixture for the CWE-600 (uncaught exception in servlet) query.
 *
 * <p>Each handler is labelled {@code BAD} or {@code GOOD} with the result the query is
 * expected to produce for it. The {@code BAD} handlers let an exception raised while
 * processing request-controlled input (the {@code srcIP} parameter, the remote user)
 * escape the method uncaught, so the servlet container's default error handling takes
 * over; the {@code GOOD} handlers either catch the exception, rethrow it without
 * printing a stack trace, or never derive the failing value from the request. The
 * handlers are deliberately written this way and are not meant to be "fixed".
 */
class UncaughtServletException extends HttpServlet {
    // BAD - `doGet` lets both the checked and the unchecked exception propagate out of the
    // handler uncaught; both are triggered by request-controlled values.
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
        String ip = request.getParameter("srcIP"); // request-controlled; may be null
        InetAddress addr = InetAddress.getByName(ip); // getByName(String) throws UnknownHostException
        String userId = request.getRemoteUser(); // request-controlled; may be null
        Integer.parseInt(userId); // Integer.parseInt(String) throws NumberFormatException (a RuntimeException), also for null
    }

    // GOOD - `doPost` catches both exception types inside the handler: the checked
    // UnknownHostException from getByName and the RuntimeException from parseInt.
    public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
        try {
            String ip = request.getParameter("srcIP");
            InetAddress addr = InetAddress.getByName(ip);
            String userId = request.getRemoteUser();
            Integer.parseInt(userId); // Integer.parseInt(String) throws NumberFormatException (a RuntimeException)
        } catch (UnknownHostException uhex) {
            uhex.printStackTrace(); // "handled" marker for the fixture; nothing escapes the handler
        } catch (RuntimeException re) {
            re.printStackTrace(); // covers NumberFormatException from parseInt
        }
    }

    // GOOD - `doPut` uses no request-provided data. The UnknownHostException can still
    // propagate, but it cannot be triggered by the requester.
    public void doPut(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
        String ip = "10.100.10.81";
        InetAddress addr = InetAddress.getByName(ip); // GOOD: hard-coded value or system property not controlled by the requester
    }

    // GOOD - `doDelete` rethrows the caught exception as a new IOException carrying only the
    // message and without printing a stack trace, which is the typical programming practice
    // the query accepts. Note that the original exception is not chained as the cause.
    public void doDelete(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
        try {
            String ip = request.getParameter("srcIP");
            InetAddress addr = InetAddress.getByName(ip);
        } catch (UnknownHostException uhex) {
            throw new IOException("Host not found "+uhex.getMessage());
        }
    }

    // BAD - `doOptions` prints the stack trace and then rethrows the same exception, so it
    // still escapes the handler (UnknownHostException is an IOException, matching `throws`).
    public void doOptions(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
        try {
            String ip = request.getParameter("srcIP");
            InetAddress addr = InetAddress.getByName(ip);
        } catch (UnknownHostException uhex) {
            uhex.printStackTrace();
            throw uhex; // rethrown unchanged: the exception still propagates
        }
    }

    // GOOD - `doHead` only delegates to another top-level handler. The uncaught exception is
    // expected to be reported at `doGet` itself rather than at this call site (inferred from
    // the label; the query's exact attribution is not visible here).
    public void doHead(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
        doGet(request, response);
    }

    // BAD - `service` has nested try-blocks but no catch for runtime exceptions. The inner
    // UnknownHostException is rethrown as a new one and absorbed by the outer IOException
    // catch, but the NumberFormatException from parseInt matches neither catch and escapes.
    public void service(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
        try {
            String ip = request.getParameter("srcIP");
            InetAddress addr = null;
            try {
                addr = InetAddress.getByName(ip);
                String userId = request.getRemoteUser();
                Integer.parseInt(userId); // Integer.parseInt(String) throws NumberFormatException (a RuntimeException) - uncaught here
            } catch (UnknownHostException uhex) {
                throw new UnknownHostException("Got exception "+uhex.getMessage()); // caught by the outer IOException catch
            }
        } catch (IOException ie) {
            ie.printStackTrace();
        }
    }

    // GOOD - `doTrace` has the same nested shape as `service`, plus an outermost catch for
    // RuntimeException, so neither the checked nor the unchecked exception escapes.
    public void doTrace(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
        try {
            try {
                String ip = request.getParameter("srcIP");
                InetAddress addr = null;
                try {
                    addr = InetAddress.getByName(ip);
                    String userId = request.getRemoteUser();
                    Integer.parseInt(userId); // Integer.parseInt(String) throws NumberFormatException (a RuntimeException)
                } catch (UnknownHostException uhex) {
                    throw new UnknownHostException("Got exception "+uhex.getMessage()); // caught by the IOException catch below
                }
            } catch (IOException ie) {
                ie.printStackTrace();
            }
        } catch (RuntimeException re) {
            re.printStackTrace(); // covers NumberFormatException from parseInt
        }
    }
}