Create Test.java

ahmed-farid-dev · smowton · commit 0d278f6d614b · 2022-02-25T17:33:08.000Z
diff --git a/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstHeader/Test.java b/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstHeader/Test.java
@@ -0,0 +1,19 @@
+import javax.servlet.http.HttpServletRequest;
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.lang.String;
+
+
+public class Test {
+    private boolean UnsafeComparison(HttpServletRequest request) {
+        String Key = "secret";
+        return Key.equals(request.getHeader("X-Auth-Token"));        
+    }
+
+    private boolean safeComparison(HttpServletRequest request) {
+          String token = request.getHeader("X-Auth-Token");
+          String Key = "secret"; 
+          return MessageDigest.isEqual(Key.getBytes(StandardCharsets.UTF_8), token.getBytes(StandardCharsets.UTF_8));
+    }
+
+}
