/src/main/java/org/owasp/benchmark/testcode/BenchmarkTest01030.java
/**
 * OWASP Benchmark Project v1.2
 *
 * <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
 * details, please see <a
 * href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
 *
 * <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
 * of the GNU General Public License as published by the Free Software Foundation, version 2.
 *
 * <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
 * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
 * PURPOSE. See the GNU General Public License for more details.
 *
 * @author Dave Wichers
 * @created 2015
 */
- package org.owasp.benchmark.testcode;
- import java.io.IOException;
- import javax.servlet.ServletException;
- import javax.servlet.annotation.WebServlet;
- import javax.servlet.http.HttpServlet;
- import javax.servlet.http.HttpServletRequest;
- import javax.servlet.http.HttpServletResponse;
@WebServlet(value = "/pathtraver-01/BenchmarkTest01030")
public class BenchmarkTest01030 extends HttpServlet {

    private static final long serialVersionUID = 1L;

    /** Request header this test case reads its (attacker-controlled) input from. */
    private static final String INPUT_HEADER = "BenchmarkTest01030";

    /** GET is treated exactly like POST. */
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doPost(request, response);
    }

    /**
     * Path-traversal test case, "dataflow through inner class" variant.
     *
     * <p>Source: the {@code BenchmarkTest01030} request header, URL-decoded. Sink: a {@code file:}
     * URI built from {@code Utils.TESTFILES_DIR} plus a name, turned into a {@link java.io.File}.
     * The header value is routed through {@link Test#doSomething}, whose switch selector is the
     * literal character {@code 'B'}, so it always yields the constant {@code "bob"} and the
     * untrusted value never reaches the path. As written this variant is therefore not
     * exploitable; it exists to exercise analysers' handling of this dataflow shape. The resolved
     * path is echoed HTML-encoded and only its existence is checked; the file is never opened,
     * read or written here.
     *
     * @param request the request whose {@code BenchmarkTest01030} header is read (absent → "")
     * @param response receives an HTML-encoded echo of the path and an existence note
     * @throws ServletException if the constructed {@code file:} URI is syntactically invalid
     * @throws IOException if writing the response fails or the UTF-8 decoder is unavailable
     */
    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");

        String headerValue = request.getHeader(INPUT_HEADER);
        String param = headerValue == null ? "" : headerValue;
        // getHeader() does not URL-decode its value (getParameter() does), so decode it here.
        param = java.net.URLDecoder.decode(param, "UTF-8");

        String bar = new Test().doSomething(request, param);

        // file: URIs are not standardised across platforms. On Windows a leading '/' is
        // prepended; on every other OS nothing is prepended. (The original nested, duplicated
        // "Windows" check made its "//" else-branch unreachable, so "//" was never used; the
        // effective behaviour is preserved here.)
        boolean onWindows = System.getProperty("os.name").indexOf("Windows") != -1;
        String startURIslashes = onWindows ? "/" : "";

        // Normalise the base directory the same way the benchmark does everywhere: backslashes
        // to the platform separator, spaces to underscores.
        String basePath =
                org.owasp.benchmark.helpers.Utils.TESTFILES_DIR
                        .replace('\\', java.io.File.separatorChar)
                        .replace(' ', '_');

        java.io.File fileTarget;
        try {
            java.net.URI fileURI =
                    new java.net.URI("file", null, startURIslashes + basePath + bar, null, null);
            fileTarget = new java.io.File(fileURI);
        } catch (java.net.URISyntaxException e) {
            // Only the URI constructor can throw this; wrap it with its cause preserved.
            throw new ServletException(e);
        }

        java.io.PrintWriter out = response.getWriter();
        // The path is reflected into an HTML body, so it is HTML-encoded before being written.
        String encodedPath = org.owasp.esapi.ESAPI.encoder().encodeForHTML(fileTarget.toString());
        out.println("Access to file: '" + encodedPath + "' created.");
        if (fileTarget.exists()) {
            out.println(" And file already exists.");
        } else {
            out.println(" But file doesn't exist yet.");
        }
    } // end doPost

    /** Inner class the tainted value is passed through; the dataflow under test. */
    private class Test {

        /**
         * Selects a value by a constant switch. The selector is {@code "ABC".charAt(1)}, i.e.
         * always {@code 'B'}, so only the {@code "bob"} arm is ever taken and {@code param} is
         * never returned; the other arms exist only to present a plausible taint path.
         *
         * @param request unused
         * @param param the URL-decoded header value (never reaches the return value)
         * @return always {@code "bob"} given the constant selector
         */
        public String doSomething(HttpServletRequest request, String param)
                throws ServletException, IOException {
            char switchTarget = "ABC".charAt(1); // 'B' — the safe arm
            switch (switchTarget) {
                case 'A':
                    return param;
                case 'B':
                    return "bob";
                case 'C':
                case 'D':
                    return param;
                default:
                    return "bob's your uncle";
            }
        }
    } // end innerclass Test
} // end BenchmarkTest01030