Initial commit: test cases for dataflow analysis.
This commit is contained in:
parent
00ca96d41b
commit
5562e5b2e8
|
@ -0,0 +1,14 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
<parent>
|
||||
<groupId>eu.aniketos.dasca</groupId>
|
||||
<artifactId>eu.aniketos.dasca.parent</artifactId>
|
||||
<version>0.1</version>
|
||||
<relativePath>../eu.aniketos.dasca.parent/pom.xml</relativePath>
|
||||
</parent>
|
||||
<artifactId>eu.aniketos.dasca.dataflow.tests</artifactId>
|
||||
<version>0.1</version>
|
||||
<packaging>jar</packaging>
|
||||
<name>DASCA - Dataflow Test Cases</name>
|
||||
</project>
|
|
@ -0,0 +1,61 @@
|
|||
/*
|
||||
* (C) Copyright 2010-2015 SAP SE.
|
||||
*
|
||||
* All rights reserved. This program and the accompanying materials
|
||||
* are made available under the terms of the Eclipse Public License v1.0
|
||||
* which accompanies this distribution, and is available at
|
||||
* http://www.eclipse.org/legal/epl-v10.html
|
||||
*
|
||||
*/
|
||||
|
||||
package eu.aniketos.dasca.dataflow.tests;
|
||||
|
||||
import java.sql.Connection;
|
||||
import java.sql.SQLException;
|
||||
import java.sql.Statement;
|
||||
|
||||
import eu.aniketos.dasca.dataflow.tests.dummy.IO;
|
||||
|
||||
|
||||
// Test Case 01:
|
||||
// different types of (apparently) constant values
|
||||
public class Test01 {
|
||||
|
||||
public void bad() {
|
||||
String userName;
|
||||
if(true) {
|
||||
userName = IO.readLine();
|
||||
} else {
|
||||
userName = "fix";
|
||||
}
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
public void good01() {
|
||||
String userName;
|
||||
if(true) {
|
||||
userName = "fix";
|
||||
} else {
|
||||
userName = IO.readLine();
|
||||
}
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
public static void main(String[] args) {
|
||||
Test01 test = new Test01();
|
||||
test.good01();
|
||||
test.bad();
|
||||
}
|
||||
}
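Review bot: Both branch conditions in this file are the literal `if(true)`, which javac folds at compile time, so the `IO.readLine()` call in good01's else branch (and the `"fix"` branch of bad) never reaches the class file; if DASCA analyses bytecode rather than source, this case only checks that straight-line code is not reported, not that a dead branch is reasoned about. I cannot tell from this commit which representation the analyzer consumes, so please confirm and, if it is bytecode, either move the constant into a non-final local (as Test04 does) or record the trade-off in the header, e.g. `// NOTE: javac folds literal conditions; the unreachable branch is absent from bytecode`. Every sink here is intentionally an injectable string-built `Statement`, so a one-line comment naming `IO.readLine()` as the tainted source and `stmt.execute(...)` as the sink would make the expected verdicts explicit for a reader.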
|
|
@ -0,0 +1,78 @@
|
|||
/*
|
||||
* (C) Copyright 2010-2015 SAP SE.
|
||||
*
|
||||
* All rights reserved. This program and the accompanying materials
|
||||
* are made available under the terms of the Eclipse Public License v1.0
|
||||
* which accompanies this distribution, and is available at
|
||||
* http://www.eclipse.org/legal/epl-v10.html
|
||||
*
|
||||
*/
|
||||
|
||||
package eu.aniketos.dasca.dataflow.tests;
|
||||
|
||||
import java.sql.Connection;
|
||||
import java.sql.SQLException;
|
||||
import java.sql.Statement;
|
||||
|
||||
import eu.aniketos.dasca.dataflow.tests.dummy.IO;
|
||||
|
||||
|
||||
// Test Case 02:
|
||||
// reachability from bad sink to bad source via global boolean constant
|
||||
public class Test02 {
|
||||
|
||||
private final boolean final_false = false;
|
||||
|
||||
public void bad() {
|
||||
String userName;
|
||||
if(final_false) {
|
||||
userName = "fix";
|
||||
} else {
|
||||
userName = IO.readLine();
|
||||
}
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
public void good01() {
|
||||
String userName;
|
||||
if(final_false) {
|
||||
userName = IO.readLine();
|
||||
} else {
|
||||
userName = "fix";
|
||||
}
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
public void good02() {
|
||||
String userName = IO.readLine();
|
||||
|
||||
if(final_false) {
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public static void main(String[] args) {
|
||||
Test02 test = new Test02();
|
||||
test.good01();
|
||||
test.good02();
|
||||
test.bad();
|
||||
}
|
||||
}
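Review bot: `final_false` is a `final boolean` with a literal initializer, which makes it a compile-time constant (JLS 4.12.4), so javac inlines `if(final_false)` exactly like `if(false)` and drops the `"fix"` branch of bad() and the readLine branch of good01/good02 from the bytecode. If the analysis runs on bytecode, Test02 is then indistinguishable from Test01 rather than testing reasoning about a field; dropping `final` or initializing from a non-constant expression would keep the branch. I can't confirm the analyzer's input form from this commit, so treat this as something to verify. Either way the header should say which behaviour is intended, e.g. `// final primitive with literal initializer => compile-time constant, inlined by javac`.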
|
|
@ -0,0 +1,63 @@
|
|||
/*
|
||||
* (C) Copyright 2010-2015 SAP SE.
|
||||
*
|
||||
* All rights reserved. This program and the accompanying materials
|
||||
* are made available under the terms of the Eclipse Public License v1.0
|
||||
* which accompanies this distribution, and is available at
|
||||
* http://www.eclipse.org/legal/epl-v10.html
|
||||
*
|
||||
*/
|
||||
|
||||
package eu.aniketos.dasca.dataflow.tests;
|
||||
|
||||
import java.sql.Connection;
|
||||
import java.sql.SQLException;
|
||||
import java.sql.Statement;
|
||||
|
||||
import eu.aniketos.dasca.dataflow.tests.dummy.IO;
|
||||
|
||||
|
||||
// Test Case 03:
|
||||
//reachability from bad sink to bad source via global boolean variable
|
||||
public class Test03 {
|
||||
|
||||
private boolean public_true = true;
|
||||
|
||||
public void bad() {
|
||||
String userName;
|
||||
if(public_true) {
|
||||
userName = "fix";
|
||||
} else {
|
||||
userName = IO.readLine();
|
||||
}
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
public void good01() {
|
||||
String userName = IO.readLine();
|
||||
if(public_true) {
|
||||
userName = "fix";
|
||||
} else {
|
||||
userName = "fix";
|
||||
}
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
public static void main(String[] args) {
|
||||
Test03 test = new Test03();
|
||||
test.good01();
|
||||
test.bad();
|
||||
}
|
||||
}
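Review bot: The field driving the branches is named `public_true` but declared `private boolean`, which contradicts both the name and the header's "global boolean variable"; the bad() label only holds because the field is mutable and a sound analysis must not assume its value, so the visibility is what makes this case meaningful. Either rename it (`private boolean nonfinal_true = true;`) or actually make it `public` so another class can flip it, and state the reasoning in a comment such as `// non-final: its value may change, so the readLine() branch of bad() must be treated as reachable`. Since nothing in this class ever writes the field, a reader could otherwise assume it is effectively constant.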
|
|
@ -0,0 +1,64 @@
|
|||
/*
|
||||
* (C) Copyright 2010-2015 SAP SE.
|
||||
*
|
||||
* All rights reserved. This program and the accompanying materials
|
||||
* are made available under the terms of the Eclipse Public License v1.0
|
||||
* which accompanies this distribution, and is available at
|
||||
* http://www.eclipse.org/legal/epl-v10.html
|
||||
*
|
||||
*/
|
||||
|
||||
package eu.aniketos.dasca.dataflow.tests;
|
||||
|
||||
import java.sql.Connection;
|
||||
import java.sql.SQLException;
|
||||
import java.sql.Statement;
|
||||
|
||||
import eu.aniketos.dasca.dataflow.tests.dummy.IO;
|
||||
|
||||
|
||||
// Test Case 04:
|
||||
//reachability from bad sink to bad source via local boolean variable
|
||||
public class Test04 {
|
||||
|
||||
|
||||
public void bad() {
|
||||
String userName;
|
||||
boolean local_false = false;
|
||||
if(local_false) {
|
||||
userName = "fix";
|
||||
} else {
|
||||
userName = IO.readLine();
|
||||
}
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
public void good01() {
|
||||
String userName = IO.readLine();
|
||||
boolean local_true = true;
|
||||
if(local_true) {
|
||||
userName = "fix";
|
||||
} else {
|
||||
userName = "fix";
|
||||
}
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
public static void main(String[] args) {
|
||||
Test04 test = new Test04();
|
||||
test.good01();
|
||||
test.bad();
|
||||
}
|
||||
}
|
|
@ -0,0 +1,64 @@
|
|||
/*
|
||||
* (C) Copyright 2010-2015 SAP SE.
|
||||
*
|
||||
* All rights reserved. This program and the accompanying materials
|
||||
* are made available under the terms of the Eclipse Public License v1.0
|
||||
* which accompanies this distribution, and is available at
|
||||
* http://www.eclipse.org/legal/epl-v10.html
|
||||
*
|
||||
*/
|
||||
|
||||
package eu.aniketos.dasca.dataflow.tests;
|
||||
|
||||
import java.sql.Connection;
|
||||
import java.sql.SQLException;
|
||||
import java.sql.Statement;
|
||||
|
||||
import eu.aniketos.dasca.dataflow.tests.dummy.IO;
|
||||
|
||||
|
||||
// Test Case 05:
|
||||
//reachability from bad sink to bad source via arithmetic expressions
|
||||
public class Test05 {
|
||||
|
||||
|
||||
public void bad() {
|
||||
String userName;
|
||||
int i = 5;
|
||||
if(i > 10) {
|
||||
userName = "fix";
|
||||
} else {
|
||||
userName = IO.readLine();
|
||||
}
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
public void good01() {
|
||||
String userName = IO.readLine();
|
||||
int i = 5;
|
||||
if(i > 10) {
|
||||
userName = "fix";
|
||||
} else {
|
||||
userName = "fix";
|
||||
}
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
public static void main(String[] args) {
|
||||
Test05 test = new Test05();
|
||||
test.good01();
|
||||
test.bad();
|
||||
}
|
||||
}
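Review bot: `i` is a non-final local initialized to a literal, so unlike a `final` local or a literal `if(true)` it is not a compile-time constant and javac keeps both branches; that is what makes this case test the analyzer's constant propagation rather than the compiler's. It is worth stating, because a later cleanup that adds `final` would silently turn this into Test01: `// i deliberately non-final: a final local would be folded by javac and the branch would vanish`. The header says "arithmetic expressions" but only a comparison against a literal is used; either adjust the wording or add an arithmetic step as Test10 does.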
|
|
@ -0,0 +1,84 @@
|
|||
/*
|
||||
* (C) Copyright 2010-2015 SAP SE.
|
||||
*
|
||||
* All rights reserved. This program and the accompanying materials
|
||||
* are made available under the terms of the Eclipse Public License v1.0
|
||||
* which accompanies this distribution, and is available at
|
||||
* http://www.eclipse.org/legal/epl-v10.html
|
||||
*
|
||||
*/
|
||||
|
||||
package eu.aniketos.dasca.dataflow.tests;
|
||||
|
||||
import java.sql.Connection;
|
||||
import java.sql.SQLException;
|
||||
import java.sql.Statement;
|
||||
|
||||
import eu.aniketos.dasca.dataflow.tests.dummy.IO;
|
||||
|
||||
|
||||
// Test Case 06:
|
||||
//reachability from bad sink to bad source via indirect data flow
|
||||
public class Test06 {
|
||||
|
||||
|
||||
public void bad() {
|
||||
String userName;
|
||||
String fix = "fix";
|
||||
String input = IO.readLine();
|
||||
if(false) {
|
||||
userName = fix;
|
||||
} else {
|
||||
userName = input;
|
||||
}
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
public void good01() {
|
||||
String userName;
|
||||
String fix = "fix";
|
||||
String input = IO.readLine();
|
||||
if(true) {
|
||||
userName = fix;
|
||||
} else {
|
||||
userName = IO.readLine(); // TODO: = input;
|
||||
}
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
public void good02() {
|
||||
String userName;
|
||||
String fix = "fix";
|
||||
if(true) {
|
||||
userName = fix + "";
|
||||
} else {
|
||||
userName = fix + IO.readLine();
|
||||
}
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
public static void main(String[] args) {
|
||||
Test06 test = new Test06();
|
||||
test.good01();
|
||||
test.good02();
|
||||
test.bad();
|
||||
}
|
||||
}
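Review bot: good01's else branch reads `IO.readLine()` directly with a `// TODO: = input;` left behind, so the "indirect data flow" this case is meant to exercise never goes through the local `input` in good01, and `input` is an unused variable there. Either finish the TODO (`userName = input;`) or delete the dead `String input = IO.readLine();` in good01. Note also that `if(true)`/`if(false)` literals are folded by javac, so if the analyzer works on bytecode the else branches are absent anyway and the indirection is only observed in bad() through the reachable `userName = input` — please confirm which representation is analysed.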
|
|
@ -0,0 +1,68 @@
|
|||
/*
|
||||
* (C) Copyright 2010-2015 SAP SE.
|
||||
*
|
||||
* All rights reserved. This program and the accompanying materials
|
||||
* are made available under the terms of the Eclipse Public License v1.0
|
||||
* which accompanies this distribution, and is available at
|
||||
* http://www.eclipse.org/legal/epl-v10.html
|
||||
*
|
||||
*/
|
||||
|
||||
package eu.aniketos.dasca.dataflow.tests;
|
||||
|
||||
import java.sql.Connection;
|
||||
import java.sql.SQLException;
|
||||
import java.sql.Statement;
|
||||
|
||||
import eu.aniketos.dasca.dataflow.tests.dummy.IO;
|
||||
|
||||
|
||||
// Test Case 07:
|
||||
//reachability from bad sink to bad source via multiple if-statements
|
||||
public class Test07 {
|
||||
|
||||
|
||||
public void bad() {
|
||||
String userName = null;
|
||||
boolean local_true = true;
|
||||
if(local_true) {
|
||||
userName = IO.readLine();
|
||||
}
|
||||
|
||||
if(!local_true){
|
||||
userName = IO.readLineGood();
|
||||
}
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
public void good01() {
|
||||
String userName = null;
|
||||
boolean local_true = true;
|
||||
if(!local_true) {
|
||||
userName = IO.readLine();
|
||||
}
|
||||
|
||||
if(local_true){
|
||||
userName = IO.readLineGood();
|
||||
}
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
public static void main(String[] args) {
|
||||
Test07 test = new Test07();
|
||||
test.good01();
|
||||
test.bad();
|
||||
}
|
||||
}
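Review bot: This is the first case that relies on `IO.readLineGood()`, but nothing in the commit says what distinguishes it from `IO.readLine()` (the `dummy.IO` class is not part of this change), so the good/bad labels cannot be read without that convention. Add a comment at the first use, e.g. `// IO.readLine(): tainted source; IO.readLineGood(): untainted source; sink is the string-built Statement below`, or document it once for the package. I am inferring the meaning from the names, so please verify it against the IO implementation.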
|
|
@ -0,0 +1,114 @@
|
|||
/*
|
||||
* (C) Copyright 2010-2015 SAP SE.
|
||||
*
|
||||
* All rights reserved. This program and the accompanying materials
|
||||
* are made available under the terms of the Eclipse Public License v1.0
|
||||
* which accompanies this distribution, and is available at
|
||||
* http://www.eclipse.org/legal/epl-v10.html
|
||||
*
|
||||
*/
|
||||
|
||||
package eu.aniketos.dasca.dataflow.tests;
|
||||
|
||||
import java.sql.Connection;
|
||||
import java.sql.SQLException;
|
||||
import java.sql.Statement;
|
||||
|
||||
import eu.aniketos.dasca.dataflow.tests.dummy.IO;
|
||||
|
||||
|
||||
// Test Case 08:
|
||||
//reachability from bad sink to bad source via multiple if-statements (arithmetic)
|
||||
public class Test08 {
|
||||
|
||||
|
||||
/*
|
||||
* bad for i==5
|
||||
*/
|
||||
public void bad(int i) {
|
||||
String userName = null;
|
||||
if(i > 5) {
|
||||
userName = IO.readLineGood();
|
||||
} else{
|
||||
userName = IO.readLine();
|
||||
}
|
||||
|
||||
if(i < 5){
|
||||
userName = IO.readLineGood();
|
||||
}
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
public void good01(int i) {
|
||||
String userName = null;
|
||||
if(i >= 5) {
|
||||
userName = IO.readLineGood();
|
||||
} else{
|
||||
userName = IO.readLine();
|
||||
}
|
||||
|
||||
if(i < 5){
|
||||
userName = IO.readLineGood();
|
||||
}
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
public void good02(int i) {
|
||||
String userName = IO.readLine();
|
||||
if(i > 5) {
|
||||
userName = IO.readLineGood();
|
||||
}
|
||||
|
||||
if(i == 5){
|
||||
userName = IO.readLineGood();
|
||||
}
|
||||
|
||||
if(i < 5){
|
||||
userName = IO.readLineGood();
|
||||
}
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
public void good03(int i) {
|
||||
String userName = IO.readLine();
|
||||
if(i <= 5) {
|
||||
userName = IO.readLineGood();
|
||||
}
|
||||
|
||||
if(i == 3){
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public static void main(String[] args) {
|
||||
Test08 test = new Test08();
|
||||
test.good01(10);
|
||||
test.good02(10);
|
||||
test.good03(10);
|
||||
test.bad(10);
|
||||
}
|
||||
}
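Review bot: The header says `bad for i==5`, yet main calls `test.bad(10)`, which takes the safe `readLineGood` path; if the harness drives the cases from main, or a dynamic check ever executes them, the vulnerable input is never exercised. Suggest `test.bad(5);`, and likewise pass the documented failing inputs in the other parameterized cases, or state in a comment that main exists only to give the analyzer an entry point. In good03 the sink sits under `i == 3`, which is inside the `i <= 5` sanitizing window; a one-line note like `// i==3 implies i<=5, so userName was overwritten before the sink` would make the intended reasoning explicit.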
|
|
@ -0,0 +1,103 @@
|
|||
/*
|
||||
* (C) Copyright 2010-2015 SAP SE.
|
||||
*
|
||||
* All rights reserved. This program and the accompanying materials
|
||||
* are made available under the terms of the Eclipse Public License v1.0
|
||||
* which accompanies this distribution, and is available at
|
||||
* http://www.eclipse.org/legal/epl-v10.html
|
||||
*
|
||||
*/
|
||||
|
||||
package eu.aniketos.dasca.dataflow.tests;
|
||||
|
||||
import java.sql.Connection;
|
||||
import java.sql.SQLException;
|
||||
import java.sql.Statement;
|
||||
|
||||
import eu.aniketos.dasca.dataflow.tests.dummy.IO;
|
||||
|
||||
|
||||
// Test Case 09:
|
||||
//reachability from bad sink to bad source via mutually exclusive source and sink
|
||||
public class Test09 {
|
||||
|
||||
|
||||
public void bad() {
|
||||
String userName = null;
|
||||
boolean local_true = true;
|
||||
if(local_true) {
|
||||
userName = IO.readLine();
|
||||
}
|
||||
|
||||
if(local_true) {
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public void good01() {
|
||||
String userName = null;
|
||||
boolean local_true = true;
|
||||
if(local_true) {
|
||||
userName = IO.readLine();
|
||||
}
|
||||
|
||||
if(!local_true) {
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public void good02() {
|
||||
String userName = null;
|
||||
int i = 1;
|
||||
if(i > 5) {
|
||||
userName = IO.readLine();
|
||||
}
|
||||
|
||||
if(i < 3 ) {
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public void good03(int i) {
|
||||
String userName = null;
|
||||
if(i > 3) {
|
||||
userName = IO.readLine();
|
||||
}
|
||||
|
||||
if(i < 3 ) {
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public static void main(String[] args) {
|
||||
Test09 test = new Test09();
|
||||
test.good01();
|
||||
test.good02();
|
||||
test.good03(5);
|
||||
test.bad();
|
||||
}
|
||||
}
|
|
@ -0,0 +1,110 @@
|
|||
/*
|
||||
* (C) Copyright 2010-2015 SAP SE.
|
||||
*
|
||||
* All rights reserved. This program and the accompanying materials
|
||||
* are made available under the terms of the Eclipse Public License v1.0
|
||||
* which accompanies this distribution, and is available at
|
||||
* http://www.eclipse.org/legal/epl-v10.html
|
||||
*
|
||||
*/
|
||||
|
||||
package eu.aniketos.dasca.dataflow.tests;
|
||||
|
||||
import java.sql.Connection;
|
||||
import java.sql.SQLException;
|
||||
import java.sql.Statement;
|
||||
|
||||
import eu.aniketos.dasca.dataflow.tests.dummy.IO;
|
||||
|
||||
|
||||
// Test Case 10:
|
||||
//reachability from bad sink to bad source via mutually exclusive source and sink (changing variables)
|
||||
public class Test10 {
|
||||
|
||||
/*
|
||||
* bad for i==3
|
||||
*/
|
||||
public void bad(int i) {
|
||||
String userName = null;
|
||||
if(i > 2) {
|
||||
userName = IO.readLine();
|
||||
}
|
||||
|
||||
i = i - 2;
|
||||
|
||||
if(i < 2) {
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public void good01(int i) {
|
||||
String userName = null;
|
||||
if(i > 2) {
|
||||
userName = IO.readLine();
|
||||
}
|
||||
|
||||
i = i - 2;
|
||||
|
||||
if(i < 0) {
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public void good02(int i) {
|
||||
String userName = null;
|
||||
if(i > 2) {
|
||||
userName = IO.readLine();
|
||||
}
|
||||
|
||||
i = i * -1;
|
||||
|
||||
if(i > 2) {
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public void good03(boolean bool) {
|
||||
String userName = null;
|
||||
if(bool) {
|
||||
userName = IO.readLine();
|
||||
}
|
||||
|
||||
bool = !bool;
|
||||
|
||||
if(bool) {
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public static void main(String[] args) {
|
||||
Test10 test = new Test10();
|
||||
test.good01(10);
|
||||
test.good02(10);
|
||||
test.good03(true);
|
||||
test.bad(10);
|
||||
}
|
||||
}
|
|
@ -0,0 +1,162 @@
|
|||
/*
|
||||
* (C) Copyright 2010-2015 SAP SE.
|
||||
*
|
||||
* All rights reserved. This program and the accompanying materials
|
||||
* are made available under the terms of the Eclipse Public License v1.0
|
||||
* which accompanies this distribution, and is available at
|
||||
* http://www.eclipse.org/legal/epl-v10.html
|
||||
*
|
||||
*/
|
||||
|
||||
package eu.aniketos.dasca.dataflow.tests;
|
||||
|
||||
import java.sql.Connection;
|
||||
import java.sql.SQLException;
|
||||
import java.sql.Statement;
|
||||
|
||||
import eu.aniketos.dasca.dataflow.tests.dummy.IO;
|
||||
|
||||
|
||||
// Test Case 11:
|
||||
//reachability from bad sink to bad source via multiple if-statements and multiple variables
|
||||
public class Test11 {
|
||||
|
||||
/*
|
||||
* bad for !x and !y
|
||||
*/
|
||||
public void bad(boolean x, boolean y) {
|
||||
String userName = null;
|
||||
if(x | y) {
|
||||
userName = IO.readLineGood();
|
||||
}else{
|
||||
userName = IO.readLine();
|
||||
}
|
||||
|
||||
if(x){
|
||||
userName = IO.readLineGood();
|
||||
}
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
public void good01(boolean x, boolean y) {
|
||||
String userName = null;
|
||||
if(x | y) {
|
||||
userName = IO.readLineGood();
|
||||
}else{
|
||||
userName = IO.readLine();
|
||||
}
|
||||
|
||||
if(!(x | y)){
|
||||
userName = IO.readLineGood();
|
||||
}
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
public void good02(boolean x, boolean y) {
|
||||
String userName = null;
|
||||
if(x | y) {
|
||||
userName = IO.readLine();
|
||||
}else{
|
||||
userName = IO.readLineGood();
|
||||
}
|
||||
|
||||
if(x){
|
||||
userName = IO.readLineGood();
|
||||
}
|
||||
|
||||
if(y){
|
||||
userName = IO.readLineGood();
|
||||
}
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
public void good03(boolean x, boolean y) {
|
||||
String userName = null;
|
||||
if(x & y) {
|
||||
userName = IO.readLine();
|
||||
}else{
|
||||
userName = IO.readLineGood();
|
||||
}
|
||||
|
||||
if(x){
|
||||
userName = IO.readLineGood();
|
||||
}
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
public void good04(boolean x, boolean y) {
|
||||
String userName = null;
|
||||
if(x | y) {
|
||||
userName = IO.readLineGood();
|
||||
}else{
|
||||
userName = IO.readLine();
|
||||
}
|
||||
|
||||
if(!x & !y){
|
||||
userName = IO.readLineGood();
|
||||
}
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
public void good05(boolean x) {
|
||||
String userName = null;
|
||||
if(x) {
|
||||
userName = IO.readLineGood();
|
||||
}else{
|
||||
userName = IO.readLine();
|
||||
}
|
||||
|
||||
boolean y = !x;
|
||||
|
||||
if(y){
|
||||
userName = IO.readLineGood();
|
||||
}
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
public static void main(String[] args) {
|
||||
Test11 test = new Test11();
|
||||
test.good01(true, false);
|
||||
test.good02(true, false);
|
||||
test.good03(true, false);
|
||||
test.good04(true, false);
|
||||
test.good05(true);
|
||||
test.bad(true, false);
|
||||
}
|
||||
}
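Review bot: All conditions here use the non-short-circuit `|` and `&` on booleans (`if(x | y)`, `if(!x & !y)`), which javac compiles to `ior`/`iand` arithmetic followed by a single branch rather than the nested branches produced by `||`/`&&`. If that is deliberate — testing that the analyzer handles boolean-valued arithmetic — say so in the header, e.g. `// uses | and & (non-short-circuit) on purpose: compiled as bitwise ops, not control flow`; if not, the `||`/`&&` form that real code uses is not covered by any case in this commit. The `bad for !x and !y` note matches the code, but main only calls `bad(true, false)`, which takes the safe path.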
|
|
@ -0,0 +1,72 @@
|
|||
/*
|
||||
* (C) Copyright 2010-2015 SAP SE.
|
||||
*
|
||||
* All rights reserved. This program and the accompanying materials
|
||||
* are made available under the terms of the Eclipse Public License v1.0
|
||||
* which accompanies this distribution, and is available at
|
||||
* http://www.eclipse.org/legal/epl-v10.html
|
||||
*
|
||||
*/
|
||||
|
||||
package eu.aniketos.dasca.dataflow.tests;
|
||||
|
||||
import java.sql.Connection;
|
||||
import java.sql.SQLException;
|
||||
import java.sql.Statement;
|
||||
|
||||
import eu.aniketos.dasca.dataflow.tests.dummy.IO;
|
||||
|
||||
|
||||
// Test Case 12:
|
||||
//reachability from bad sink to bad source via multiple if-statements and boolean expressions combined with arithmetics
|
||||
public class Test12 {
|
||||
|
||||
/*
|
||||
* bad for i==3 and !x
|
||||
*/
|
||||
public void bad(boolean x, int i) {
|
||||
String userName = null;
|
||||
if(x | i > 3) {
|
||||
userName = IO.readLineGood();
|
||||
}else{
|
||||
userName = IO.readLine();
|
||||
}
|
||||
|
||||
if( i < 3 ){
|
||||
userName = IO.readLineGood();
|
||||
}
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
public void good01(boolean x, int i) {
|
||||
String userName = null;
|
||||
if(x | i > 3) {
|
||||
userName = IO.readLineGood();
|
||||
}else{
|
||||
userName = IO.readLine();
|
||||
}
|
||||
|
||||
if(!x & i <= 3 ){
|
||||
userName = IO.readLineGood();
|
||||
}
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
public static void main(String[] args) {
|
||||
Test12 test = new Test12();
|
||||
test.good01(true, 5);
|
||||
test.bad(true, 5);
|
||||
}
|
||||
}
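Review bot: `if(x | i > 3)` relies on `>` binding tighter than `|`, which is correct but easy to misread as `(x | i) > 3`; prefer `if(x | (i > 3))` and, in good01, `if(!x & (i <= 3))` so the intent is unambiguous. The `bad for i==3 and !x` note is right (readLine only when `!x & i<=3`, and `i < 3` does not overwrite for i==3), but main passes `(true, 5)`, which never reaches the tainted path.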
|
|
@ -0,0 +1,93 @@
|
|||
/*
|
||||
* (C) Copyright 2010-2015 SAP SE.
|
||||
*
|
||||
* All rights reserved. This program and the accompanying materials
|
||||
* are made available under the terms of the Eclipse Public License v1.0
|
||||
* which accompanies this distribution, and is available at
|
||||
* http://www.eclipse.org/legal/epl-v10.html
|
||||
*
|
||||
*/
|
||||
|
||||
package eu.aniketos.dasca.dataflow.tests;
|
||||
|
||||
import java.sql.Connection;
|
||||
import java.sql.SQLException;
|
||||
import java.sql.Statement;
|
||||
|
||||
import eu.aniketos.dasca.dataflow.tests.dummy.IO;
|
||||
|
||||
|
||||
// Test Case 13:
|
||||
//reachability from bad sink to bad source via multiple if-statements with multiple arithmetics
|
||||
public class Test13 {
|
||||
|
||||
/*
|
||||
* bad for i==3 and j>5
|
||||
*/
|
||||
public void bad(int i, int j) {
|
||||
String userName = null;
|
||||
if(j <= 5 | i > 3) {
|
||||
userName = IO.readLineGood();
|
||||
}else{
|
||||
userName = IO.readLine();
|
||||
}
|
||||
|
||||
if( i < 3 ){
|
||||
userName = IO.readLineGood();
|
||||
}
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
public void good01(int i, int j) {
|
||||
String userName = null;
|
||||
if(j <= 5 | i > 3) {
|
||||
userName = IO.readLineGood();
|
||||
}else{
|
||||
userName = IO.readLine();
|
||||
}
|
||||
|
||||
if( j > 5 & i <= 3 ){
|
||||
userName = IO.readLineGood();
|
||||
}
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
public void good02(int i, int j) {
|
||||
String userName = null;
|
||||
if(j > 0 & i > 0) {
|
||||
userName = IO.readLine();
|
||||
if(i + j > 0){
|
||||
userName = IO.readLineGood();
|
||||
}
|
||||
}else{
|
||||
userName = IO.readLineGood();
|
||||
}
|
||||
|
||||
Connection conn = IO.getDBConnection();
|
||||
try {
|
||||
Statement stmt = conn.createStatement();
|
||||
stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
|
||||
} catch(SQLException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
public static void main(String[] args) {
|
||||
Test13 test = new Test13();
|
||||
test.good01(5, 10);
|
||||
test.good02(5, 10);
|
||||
test.bad(5, 10);
|
||||
}
|
||||
}
|
|
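--- a/UNKNOWN_DIR/Test14.java
+++ b/UNKNOWN_DIR/Test14.java
@@ -0,0 +1,90 @@
+/*
+* (C) Copyright 2010-2015 SAP SE.
+*
+* All rights reserved. This program and the accompanying materials
+* are made available under the terms of the Eclipse Public License v1.0
+* which accompanies this distribution, and is available at
+* http://www.eclipse.org/legal/epl-v10.html
+*
+*/
+
+package eu.aniketos.dasca.dataflow.tests;
+
+import java.sql.Connection;
+import java.sql.SQLException;
+import java.sql.Statement;
+
+import eu.aniketos.dasca.dataflow.tests.dummy.IO;
+
+
+// Test Case 14:
+//reachability from bad sink to bad source via if-statement and loops
+public class Test14 {
+
+/*
+* bad for i==0
+*/
+public void bad(int i) {
+String userName = IO.readLine();
+if(i < 0) {
+userName = IO.readLineGood();
+}
+
+for (int j = 0; j < i; j++) {
+userName = IO.readLineGood();
+
+}
+
+Connection conn = IO.getDBConnection();
+try {
+Statement stmt = conn.createStatement();
+stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
+} catch(SQLException e) {
+e.printStackTrace();
+}
+}
+
+public void good01() {
+String userName = IO.readLineGood();
+
+for (int j = 0; j < 0; j++) {
+userName = IO.readLine();
+
+}
+
+Connection conn = IO.getDBConnection();
+try {
+Statement stmt = conn.createStatement();
+stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
+} catch(SQLException e) {
+e.printStackTrace();
+}
+}
+
+public void good02(int i) {
+String userName = IO.readLine();
+if(i <= 0) {
+userName = IO.readLineGood();
+}
+
+for (int j = 0; j < i; j++) {
+userName = IO.readLineGood();
+
+}
+
+Connection conn = IO.getDBConnection();
+try {
+Statement stmt = conn.createStatement();
+stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
+} catch(SQLException e) {
+e.printStackTrace();
+}
+}
+
+public static void main(String[] args) {
+Test14 test = new Test14();
+test.good01();
+test.good02(5);
+test.bad(5);
+}
+}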
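Review bot: Every `main` in this commit throws a NullPointerException at `conn.createStatement()` instead of reaching the sink, because `IO.getDBConnection()` (in the IO section of this commit) returns null and `catch(SQLException e)` does not cover it; this applies to `bad`, `good01` and `good02` here and equally to Test15–Test19. If these classes are analysis-only fixtures, a class comment should say so, e.g. `// Analysis-only fixture: the IO stubs return null, main() is not meant to be executed.` The `for (int j = 0; j < 0; j++)` loop in `good01` also deserves a comment stating that its body, and hence the `IO.readLine()` source inside it, is intentionally unreachable.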
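--- a/UNKNOWN_DIR/Test15.java
+++ b/UNKNOWN_DIR/Test15.java
@@ -0,0 +1,106 @@
+/*
+* (C) Copyright 2010-2015 SAP SE.
+*
+* All rights reserved. This program and the accompanying materials
+* are made available under the terms of the Eclipse Public License v1.0
+* which accompanies this distribution, and is available at
+* http://www.eclipse.org/legal/epl-v10.html
+*
+*/
+
+package eu.aniketos.dasca.dataflow.tests;
+
+import java.sql.Connection;
+import java.sql.SQLException;
+import java.sql.Statement;
+
+import eu.aniketos.dasca.dataflow.tests.dummy.IO;
+
+
+// Test Case 15:
+//reachability from bad sink to bad source with guaranteed sanitizing
+public class Test15 {
+
+public void bad(int i) {
+String userName = IO.readLine();
+
+if(i < 0) {
+userName = IO.sanitize(userName);
+}
+
+Connection conn = IO.getDBConnection();
+try {
+Statement stmt = conn.createStatement();
+stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
+} catch(SQLException e) {
+e.printStackTrace();
+}
+}
+
+public void good01(int i) {
+String userName = IO.readLine();
+if(i < 0) {
+userName = IO.sanitize(userName);
+}else{
+userName = IO.sanitize(userName);
+}
+
+Connection conn = IO.getDBConnection();
+try {
+Statement stmt = conn.createStatement();
+stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
+} catch(SQLException e) {
+e.printStackTrace();
+}
+}
+
+public void good02(int i) {
+String userName = IO.readLine();
+if(i < 0) {
+userName = IO.sanitize(userName);
+}
+
+if(i >= 0){
+userName = IO.sanitize(userName);
+}
+
+Connection conn = IO.getDBConnection();
+try {
+Statement stmt = conn.createStatement();
+stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
+} catch(SQLException e) {
+e.printStackTrace();
+}
+}
+
+public void good03(int i) {
+String userName = IO.readLine();
+if(i < 0) {
+userName = IO.sanitize(userName);
+}
+
+if(i == 0) {
+userName = IO.readLineGood();
+}
+
+if(i > 0){
+userName = IO.sanitize(userName);
+}
+
+Connection conn = IO.getDBConnection();
+try {
+Statement stmt = conn.createStatement();
+stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
+} catch(SQLException e) {
+e.printStackTrace();
+}
+}
+
+public static void main(String[] args) {
+Test15 test = new Test15();
+test.good01(5);
+test.good02(5);
+test.good03(5);
+test.bad(5);
+}
+}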
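Review bot: `bad(int i)` is missing the `/* bad for ... */` expectation comment that Test13 and Test14 carry; here the unsanitized value reaches the sink whenever `i >= 0`, so `/* bad for i>=0 */` above the method would keep the fixtures consistent. `good02` and `good03` are only safe because their guards (`i < 0` / `i >= 0`, and `i < 0` / `i == 0` / `i > 0`) are exhaustive, which is exactly the property under test and deserves a one-line comment such as `// guards are exhaustive: every path sanitizes or replaces userName`. Note that `IO.sanitize` as stubbed in this commit returns a constant and ignores its argument, so these good cases also pass for an analysis that does not model sanitizers at all.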
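--- a/UNKNOWN_DIR/Test16.java
+++ b/UNKNOWN_DIR/Test16.java
@@ -0,0 +1,51 @@
+/*
+* (C) Copyright 2010-2015 SAP SE.
+*
+* All rights reserved. This program and the accompanying materials
+* are made available under the terms of the Eclipse Public License v1.0
+* which accompanies this distribution, and is available at
+* http://www.eclipse.org/legal/epl-v10.html
+*
+*/
+
+package eu.aniketos.dasca.dataflow.tests;
+
+import java.sql.Connection;
+import java.sql.SQLException;
+import java.sql.Statement;
+
+import eu.aniketos.dasca.dataflow.tests.dummy.IO;
+
+
+// Test Case 16:
+//reachability from multiple identical bad sinks to one bad source with one vulnerability
+public class Test16 {
+
+/*
+* 1 findings
+*/
+public void bad(int i) {
+String userName = IO.readLine();
+
+if(i < 0) {
+userName = IO.readLine();
+}
+
+if(i < 0) {
+userName = IO.sanitize(userName);
+}
+
+Connection conn = IO.getDBConnection();
+try {
+Statement stmt = conn.createStatement();
+stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
+} catch(SQLException e) {
+e.printStackTrace();
+}
+}
+
+public static void main(String[] args) {
+Test16 test = new Test16();
+test.bad(5);
+}
+}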
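Review bot: The header comment `//reachability from multiple identical bad sinks to one bad source with one vulnerability` has source and sink swapped: `bad` contains two identical sources (`IO.readLine()` twice) and a single sink (`stmt.execute`); the same inversion is in the headers of Test17, Test18 and Test19. Suggested wording: `//reachability from one bad sink to multiple identical bad sources with one vulnerability`. The `1 findings` comment would also be clearer if it said why only one: for `i >= 0` the first `readLine()` value reaches the sink unsanitized, while the re-read under `i < 0` is sanitized under the very same condition, so a path-sensitive analysis is expected here.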
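--- a/UNKNOWN_DIR/Test17.java
+++ b/UNKNOWN_DIR/Test17.java
@@ -0,0 +1,49 @@
+/*
+* (C) Copyright 2010-2015 SAP SE.
+*
+* All rights reserved. This program and the accompanying materials
+* are made available under the terms of the Eclipse Public License v1.0
+* which accompanies this distribution, and is available at
+* http://www.eclipse.org/legal/epl-v10.html
+*
+*/
+
+package eu.aniketos.dasca.dataflow.tests;
+
+import java.sql.Connection;
+import java.sql.SQLException;
+import java.sql.Statement;
+
+import eu.aniketos.dasca.dataflow.tests.dummy.IO;
+
+
+// Test Case 17:
+//reachability from multiple identical bad sinks to one bad source with multiple vulnerabilities
+public class Test17 {
+
+/*
+* 2 findings
+*/
+public void bad(int i) {
+String userName = "";
+
+if(i < 0) {
+userName = IO.readLine();
+} else{
+userName = IO.readLine();
+}
+
+Connection conn = IO.getDBConnection();
+try {
+Statement stmt = conn.createStatement();
+stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
+} catch(SQLException e) {
+e.printStackTrace();
+}
+}
+
+public static void main(String[] args) {
+Test17 test = new Test17();
+test.bad(5);
+}
+}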
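--- a/UNKNOWN_DIR/Test18.java
+++ b/UNKNOWN_DIR/Test18.java
@@ -0,0 +1,49 @@
+/*
+* (C) Copyright 2010-2015 SAP SE.
+*
+* All rights reserved. This program and the accompanying materials
+* are made available under the terms of the Eclipse Public License v1.0
+* which accompanies this distribution, and is available at
+* http://www.eclipse.org/legal/epl-v10.html
+*
+*/
+
+package eu.aniketos.dasca.dataflow.tests;
+
+import java.sql.Connection;
+import java.sql.SQLException;
+import java.sql.Statement;
+
+import eu.aniketos.dasca.dataflow.tests.dummy.IO;
+
+
+// Test Case 18:
+//reachability from multiple differing bad sinks to one bad source with one vulnerability
+public class Test18 {
+
+/*
+* 1 findings
+*/
+public void bad() {
+String userName;
+
+if(true) {
+userName = IO.readLine();
+} else{
+userName = IO.readLine2();
+}
+
+Connection conn = IO.getDBConnection();
+try {
+Statement stmt = conn.createStatement();
+stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
+} catch(SQLException e) {
+e.printStackTrace();
+}
+}
+
+public static void main(String[] args) {
+Test18 test = new Test18();
+test.bad();
+}
+}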
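Review bot: The expected `1 findings` in `bad()` depends on the analysis folding the literal `if(true)`, since syntactically both `IO.readLine()` and `IO.readLine2()` flow into the sink; that assumption should be written down, e.g. `* 1 findings: the else-branch (readLine2) is dead because the condition is the literal true`. Without constant folding a tool reports two findings, so the fixture should state which answer it considers correct rather than leave it implicit.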
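--- a/UNKNOWN_DIR/Test19.java
+++ b/UNKNOWN_DIR/Test19.java
@@ -0,0 +1,47 @@
+/*
+* (C) Copyright 2010-2015 SAP SE.
+*
+* All rights reserved. This program and the accompanying materials
+* are made available under the terms of the Eclipse Public License v1.0
+* which accompanies this distribution, and is available at
+* http://www.eclipse.org/legal/epl-v10.html
+*
+*/
+
+package eu.aniketos.dasca.dataflow.tests;
+
+import java.sql.Connection;
+import java.sql.SQLException;
+import java.sql.Statement;
+
+import eu.aniketos.dasca.dataflow.tests.dummy.IO;
+
+
+// Test Case 19:
+//reachability from multiple differing bad sinks to one bad source with multiple vulnerabilities
+public class Test19 {
+
+/*
+* 2 findings
+*/
+public void bad(int i) {
+String userName = IO.readLine();
+
+if(i < 10) {
+userName = IO.readLine2();
+}
+
+Connection conn = IO.getDBConnection();
+try {
+Statement stmt = conn.createStatement();
+stmt.execute("SELECT * FROM user WHERE name='" + userName + "';");
+} catch(SQLException e) {
+e.printStackTrace();
+}
+}
+
+public static void main(String[] args) {
+Test19 test = new Test19();
+test.bad(5);
+}
+}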
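--- a/UNKNOWN_DIR/dummy/IO.java
+++ b/UNKNOWN_DIR/dummy/IO.java
@@ -0,0 +1,87 @@
+/*
+* (C) Copyright 2010-2015 SAP SE.
+*
+* All rights reserved. This program and the accompanying materials
+* are made available under the terms of the Eclipse Public License v1.0
+* which accompanies this distribution, and is available at
+* http://www.eclipse.org/legal/epl-v10.html
+*
+*/
+
+package eu.aniketos.dasca.dataflow.tests.dummy;
+
+import java.io.BufferedReader;
+import java.io.InputStreamReader;
+import java.sql.Connection;
+
+public class IO {
+
+public static Connection getDBConnection() {
+// TODO Auto-generated method stub
+return null;
+}
+
+public static void writeString(String string) {
+// TODO Auto-generated method stub
+
+}
+
+public static String readLine(){
+/*/ // add/remove '*' to switch
+String s = "";
+try {
+InputStreamReader converter = new InputStreamReader(System.in);
+BufferedReader in = new BufferedReader(converter);
+s = in.readLine();
+} catch (Exception e) {
+System.out.println("Error! Exception: "+e);
+}
+return s;
+/*/
+return "";
+/**/
+}
+
+public static String readLine2(){
+/*/ // add/remove '*' to switch
+String s = "";
+try {
+InputStreamReader converter = new InputStreamReader(System.in);
+BufferedReader in = new BufferedReader(converter);
+s = in.readLine();
+} catch (Exception e) {
+System.out.println("Error! Exception: "+e);
+}
+return s;
+/*/
+return "";
+/**/
+}
+
+public static String readLineGood(){
+return "";
+}
+
+public static String sanitize(String s){
+return "";
+}
+
+public static boolean testCondition(int i) throws IllegalArgumentException{
+if(i<0){
+throw new IllegalArgumentException("number must be positive");
+}
+return true;
+}
+
+public static void a() {
+}
+
+public static InputStreamReader getInputStreamReader(){
+return null;
+}
+
+public static BufferedReader getBufferedReader(){
+return null;
+}
+
+}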
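Review bot: `sanitize(String s)` discards its argument and returns `""`, so at the data-flow level it is a constant source rather than a sanitizer; a tool with no sanitizer model at all still sees the Test15 good cases as clean, which defeats the purpose of those fixtures. Returning a value derived from the input, e.g. `return s;` with a comment that the analysis must recognise `sanitize` as a sanitizer by signature, would make those cases discriminating. `getDBConnection()` returning null also means every test class's `main` throws a NullPointerException at `createStatement()`, which should either be documented as intentional or replaced by a non-null stub. In the comment-toggled branch of `readLine` and `readLine2`, `BufferedReader in` is never closed and `catch (Exception e)` is far broader than the `IOException` that `in.readLine()` throws, and `testCondition`'s `throws IllegalArgumentException` clause is redundant for an unchecked exception.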
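--- a/UNKNOWN_DIR/dummy/Logger.java
+++ b/UNKNOWN_DIR/dummy/Logger.java
@@ -0,0 +1,22 @@
+/*
+* (C) Copyright 2010-2015 SAP SE.
+*
+* All rights reserved. This program and the accompanying materials
+* are made available under the terms of the Eclipse Public License v1.0
+* which accompanies this distribution, and is available at
+* http://www.eclipse.org/legal/epl-v10.html
+*
+*/
+
+package eu.aniketos.dasca.dataflow.tests.dummy;
+
+public class Logger {
+
+public static Logger getLogger(String name){
+return null;
+}
+
+public void warning(String msg){
+
+}
+}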
@ -0,0 +1 @@
/classes/
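--- a/UNKNOWN_DIR/pom.xml
+++ b/UNKNOWN_DIR/pom.xml
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+<modelVersion>4.0.0</modelVersion>
+<groupId>eu.aniketos.dasca</groupId>
+<artifactId>eu.aniketos.dasca.parent</artifactId>
+<version>0.1</version>
+<packaging>pom</packaging>
+<name>DASCA - Parent project</name>
+<properties>
+<tycho-version>0.12.0</tycho-version>
+</properties>
+<modules>
+<module>../eu.aniketos.dasca.dataflow.tests</module>
+</modules>
+<build>
+<plugins>
+<plugin>
+<groupId>org.eclipse.tycho</groupId>
+<artifactId>tycho-maven-plugin</artifactId>
+<version>${tycho-version}</version>
+<extensions>true</extensions>
+</plugin>
+<plugin>
+<groupId>org.eclipse.tycho</groupId>
+<artifactId>target-platform-configuration</artifactId>
+<version>${tycho-version}</version>
+<configuration>
+<resolver>p2</resolver>
+</configuration>
+</plugin>
+</plugins>
+</build>
+<dependencies>
+<dependency>
+<groupId>junit</groupId>
+<artifactId>junit</artifactId>
+<version>[4.8,)</version>
+<scope>test</scope>
+</dependency>
+<dependency>
+<groupId>log4j</groupId>
+<artifactId>log4j</artifactId>
+<version>[1.2,)</version>
+</dependency>
+</dependencies>
+</project>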
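Review bot: The open-ended version ranges `[4.8,)` for junit and `[1.2,)` for log4j make every build resolve whatever newest artifact the repository offers at that moment, so builds are not reproducible and an unreviewed newer artifact can silently enter the build; pin both to explicit versions (e.g. `<version>4.8</version>` for junit) and prefer declaring them under `<dependencyManagement>` so modules opt in. The log4j 1.x line has been end-of-life for some time and no longer receives fixes, so choosing it should at least be a conscious, commented decision. The log4j dependency also has no `<scope>`, so unlike junit it lands on the compile classpath of every module that inherits this parent.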