mirror of
https://github.com/github/codeql.git
synced 2025-12-20 18:56:32 +01:00
e3cf5c235e
This is realised by somewhat generalising our interfaces for modelling RNGs. We also add tests for randomness-related queries that didn't have any, and addtest cases checking the Apache random-number generators are interchangeable with the stdlib ones.
124 lines
3.2 KiB
Java
124 lines
3.2 KiB
Java
// Test case for
|
|
// CWE-129: Improper Validation of Array Index
|
|
// http://cwe.mitre.org/data/definitions/129.html
|
|
|
|
package test.cwe129.cwe.examples;
|
|
|
|
import java.security.SecureRandom;
|
|
import org.apache.commons.lang3.RandomUtils;
|
|
|
|
class Test {
|
|
public static void basic() {
|
|
|
|
int array[] = { 0, 1, 2, 3, 4 };
|
|
String userProperty = System.getProperty("userProperty");
|
|
try {
|
|
int index = Integer.parseInt(userProperty.trim());
|
|
|
|
// BAD Accessing array without conditional check
|
|
System.out.println(array[index]);
|
|
|
|
if (index >= 0 && index < array.length) {
|
|
// GOOD Accessing array under conditions
|
|
System.out.println(array[index]);
|
|
}
|
|
|
|
try {
|
|
/*
|
|
* GOOD Accessing array, but catch ArrayIndexOutOfBounds, so someone has at least
|
|
* considered the consequences.
|
|
*/
|
|
System.out.println(array[index]);
|
|
} catch (ArrayIndexOutOfBoundsException ex) {
|
|
}
|
|
} catch(NumberFormatException exceptNumberFormat) {
|
|
}
|
|
}
|
|
|
|
public static void random() {
|
|
int array[] = { 0, 1, 2, 3, 4 };
|
|
|
|
int index = (new SecureRandom()).nextInt(10);
|
|
|
|
// BAD Accessing array without conditional check
|
|
System.out.println(array[index]);
|
|
|
|
if (index < array.length) {
|
|
// GOOD Accessing array under conditions
|
|
System.out.println(array[index]);
|
|
}
|
|
|
|
// GOOD, the array access is protected by short-circuiting
|
|
if (index < array.length && array[index] > 0) {
|
|
}
|
|
}
|
|
|
|
public static void apacheRandom() {
|
|
int array[] = { 0, 1, 2, 3, 4 };
|
|
|
|
int index = RandomUtils.nextInt(0, 10);
|
|
|
|
// BAD Accessing array without conditional check
|
|
System.out.println(array[index]);
|
|
|
|
if (index < array.length) {
|
|
// GOOD Accessing array under conditions
|
|
System.out.println(array[index]);
|
|
}
|
|
|
|
// GOOD, the array access is protected by short-circuiting
|
|
if (index < array.length && array[index] > 0) {
|
|
}
|
|
}
|
|
|
|
public static void construction() {
|
|
|
|
String userProperty = System.getProperty("userProperty");
|
|
try {
|
|
int size = Integer.parseInt(userProperty.trim());
|
|
|
|
int[] array = new int[size];
|
|
|
|
// BAD The array was created without checking the size, so this access may be dubious
|
|
System.out.println(array[0]);
|
|
|
|
if (size >= 0) {
|
|
int[] array2 = new int[size];
|
|
|
|
// BAD The array was created without checking that the size is greater than zero
|
|
System.out.println(array2[0]);
|
|
}
|
|
|
|
if (size > 0) {
|
|
int[] array3 = new int[size];
|
|
|
|
// GOOD We verified that this was greater than zero
|
|
System.out.println(array3[0]);
|
|
}
|
|
|
|
} catch(NumberFormatException exceptNumberFormat) {
|
|
}
|
|
}
|
|
|
|
public static void constructionBounded() {
|
|
|
|
int size = 0;
|
|
|
|
int[] array = new int[size];
|
|
|
|
// BAD Array may be empty.
|
|
System.out.println(array[0]);
|
|
|
|
int index = 0;
|
|
if (index < array.length) {
|
|
// GOOD protected by length check
|
|
System.out.println(array[index]);
|
|
}
|
|
|
|
size = 2;
|
|
array = new int[2];
|
|
// GOOD array size is guaranteed to be larger than zero
|
|
System.out.println(array[0]);
|
|
}
|
|
}
|