fix cases

nahsra · nahsra · commit 97a2b0ceed42 · 2024-06-21T16:41:17.000-04:00
diff --git a/.dccache b/.dccache
@@ -0,0 +1 @@
+{"/Users/arshan/code/bad-java-code/pom.xml":[3000,1718917349969.081,"4ca0de2d17b12b52ecf638bd3529d914f1f750898f876269d182ab79cf74728a"],"/Users/arshan/code/bad-java-code/src/main/java/com/acme/XXEVuln.java":[2982,1719002214286.9138,"5e87995eedebe28ff93049eea7e7807851dcfeb40e05f74af61b5eae351b6de2"],"/Users/arshan/code/bad-java-code/src/main/java/com/acme/XXEVulnFixed.java":[3603,1719002288827.916,"c736fde04ea3864ea1a1d7dc680491b0005fc4e71921e4f78baf0929e9569ec9"],"/Users/arshan/code/bad-java-code/src/main/java/com/acme/reflection/TranslatorStrategy.java":[182,1718917349970.476,"aaebffa4316c4b698bb186d80bccd0b1344ddd1bd837f96cea34a08b5003ccf2"],"/Users/arshan/code/bad-java-code/src/main/java/com/acme/reflection/UnsafeReflection.java":[1755,1718917349970.8848,"bb2d13e795f710d48ba7232694f994257c4ed72b36329e0365ba430092efe784"],"/Users/arshan/code/bad-java-code/src/main/java/com/acme/reflection/UnsafeReflectionFixed.java":[1789,1718917349971.234,"fa8dc9b96ec62f8db22c208a9f2cd20fd219f0115bfd51aaae023c56c3028f00"]}
diff --git a/src/main/java/com/acme/XXEVuln.java b/src/main/java/com/acme/XXEVuln.java
@@ -31,7 +31,7 @@ public static void main(String[] args)
     saxTransformer(args[0]);
     withDom(args[1]);
     withDomButDisabled(args[2]);
-    withReaderFactory(null);
+    withReaderFactory(args[3]);
 
     String sql = "select * from users where name= '" + args[0] + "'";
     Connection conn = DriverManager.getConnection("jdbc:mysql://localhost/test");
@@ -78,8 +78,9 @@ public static Document withDomButDisabled(String xml)
     return db.parse(new InputSource(new StringReader(xml)));
   }
 
-  public static XMLReader withReaderFactory(XMLReaderFactory factory)
-      throws ParserConfigurationException, IOException, SAXException {
-    return factory.createXMLReader();
+  public static void withReaderFactory(String xml)
+      throws IOException, SAXException {
+    XMLReader reader = XMLReaderFactory.createXMLReader();
+    reader.parse(new InputSource(new StringReader(xml)));
   }
 }
diff --git a/src/main/java/com/acme/XXEVulnFixed.java b/src/main/java/com/acme/XXEVulnFixed.java
@@ -32,7 +32,7 @@ public static void main(String[] args)
     saxTransformer(args[0]);
     withDom(args[1]);
     withDomButDisabled(args[2]);
-    withReaderFactory(null);
+    withReaderFactory(args[3]);
 
     String sql = "select * from users where name= '" + args[0] + "'";
     Connection conn = DriverManager.getConnection("jdbc:mysql://localhost/test");
@@ -86,8 +86,9 @@ public static Document withDomButDisabled(String xml)
     return db.parse(new InputSource(new StringReader(xml)));
   }
 
-  public static XMLReader withReaderFactory(XMLReaderFactory factory)
-      throws ParserConfigurationException, IOException, SAXException {
-    return factory.createXMLReader();
+  public static void withReaderFactory(String xml)
+      throws IOException, SAXException {
+    XMLReader reader = XMLReaderFactory.createXMLReader();
+    reader.parse(new InputSource(new StringReader(xml)));
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+{"/Users/arshan/code/bad-java-code/pom.xml":[3000,1718917349969.081,"4ca0de2d17b12b52ecf638bd3529d914f1f750898f876269d182ab79cf74728a"],"/Users/arshan/code/bad-java-code/src/main/java/com/acme/XXEVuln.java":[2982,1719002214286.9138,"5e87995eedebe28ff93049eea7e7807851dcfeb40e05f74af61b5eae351b6de2"],"/Users/arshan/code/bad-java-code/src/main/java/com/acme/XXEVulnFixed.java":[3603,1719002288827.916,"c736fde04ea3864ea1a1d7dc680491b0005fc4e71921e4f78baf0929e9569ec9"],"/Users/arshan/code/bad-java-code/src/main/java/com/acme/reflection/TranslatorStrategy.java":[182,1718917349970.476,"aaebffa4316c4b698bb186d80bccd0b1344ddd1bd837f96cea34a08b5003ccf2"],"/Users/arshan/code/bad-java-code/src/main/java/com/acme/reflection/UnsafeReflection.java":[1755,1718917349970.8848,"bb2d13e795f710d48ba7232694f994257c4ed72b36329e0365ba430092efe784"],"/Users/arshan/code/bad-java-code/src/main/java/com/acme/reflection/UnsafeReflectionFixed.java":[1789,1718917349971.234,"fa8dc9b96ec62f8db22c208a9f2cd20fd219f0115bfd51aaae023c56c3028f00"]}
Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ public static void main(String[] args)`
`31`	`31`	`saxTransformer(args[0]);`
`32`	`32`	`withDom(args[1]);`
`33`	`33`	`withDomButDisabled(args[2]);`
`34`		`- withReaderFactory(null);`
	`34`	`+ withReaderFactory(args[3]);`
`35`	`35`
`36`	`36`	`String sql = "select * from users where name= '" + args[0] + "'";`
`37`	`37`	`Connection conn = DriverManager.getConnection("jdbc:mysql://localhost/test");`
`@@ -78,8 +78,9 @@ public static Document withDomButDisabled(String xml)`
`78`	`78`	`return db.parse(new InputSource(new StringReader(xml)));`
`79`	`79`	`}`
`80`	`80`
`81`		`- public static XMLReader withReaderFactory(XMLReaderFactory factory)`
`82`		`- throws ParserConfigurationException, IOException, SAXException {`
`83`		`- return factory.createXMLReader();`
	`81`	`+ public static void withReaderFactory(String xml)`
	`82`	`+ throws IOException, SAXException {`
	`83`	`+ XMLReader reader = XMLReaderFactory.createXMLReader();`
	`84`	`+ reader.parse(new InputSource(new StringReader(xml)));`
`84`	`85`	`}`
`85`	`86`	`}`
Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,7 @@ public static void main(String[] args)`
`32`	`32`	`saxTransformer(args[0]);`
`33`	`33`	`withDom(args[1]);`
`34`	`34`	`withDomButDisabled(args[2]);`
`35`		`- withReaderFactory(null);`
	`35`	`+ withReaderFactory(args[3]);`
`36`	`36`
`37`	`37`	`String sql = "select * from users where name= '" + args[0] + "'";`
`38`	`38`	`Connection conn = DriverManager.getConnection("jdbc:mysql://localhost/test");`
`@@ -86,8 +86,9 @@ public static Document withDomButDisabled(String xml)`
`86`	`86`	`return db.parse(new InputSource(new StringReader(xml)));`
`87`	`87`	`}`
`88`	`88`
`89`		`- public static XMLReader withReaderFactory(XMLReaderFactory factory)`
`90`		`- throws ParserConfigurationException, IOException, SAXException {`
`91`		`- return factory.createXMLReader();`
	`89`	`+ public static void withReaderFactory(String xml)`
	`90`	`+ throws IOException, SAXException {`
	`91`	`+ XMLReader reader = XMLReaderFactory.createXMLReader();`
	`92`	`+ reader.parse(new InputSource(new StringReader(xml)));`
`92`	`93`	`}`
`93`	`94`	`}`