From 31f20e41f0e606ad2efc9a67f9f5ce1c6833ae75 Mon Sep 17 00:00:00 2001 
From: Kohei Tamura Date: Thu, 15 Jun 2017 17:37:09 +0900 Subject: [PATCH] Code refactoring --- .../t246osslab/easybuggy/core/model/User.java | 4 +- .../core/utils/ApplicationUtils.java | 101 +++++++----------- .../utils/DeleteClassWhileMavenBuild.java | 2 +- .../easybuggy/core/utils/EmailUtils.java | 14 +-- .../ExceptionInInitializerErrorServlet.java | 2 +- .../errors/OutOfMemoryErrorServlet2.java | 2 +- .../errors/OutOfMemoryErrorServlet6.java | 3 +- .../errors/UnsatisfiedLinkErrorServlet.java | 2 +- .../ArithmeticExceptionServlet.java | 2 +- ...ArrayIndexOutOfBoundsExceptionServlet.java | 2 +- .../ArrayStoreExceptionServlet.java | 2 +- .../BufferOverflowExceptionServlet.java | 6 +- .../exceptions/ClassCastExceptionServlet.java | 2 +- .../EmptyStackExceptionServlet.java | 4 +- .../IllegalArgumentExceptionServlet.java | 4 +- .../NegativeArraySizeExceptionServlet.java | 2 +- .../NullPointerExceptionServlet.java | 2 +- .../NumberFormatExceptionServlet.java | 2 +- .../UnsupportedCharsetExceptionServlet.java | 2 +- .../UnsupportedOperationExceptionServlet.java | 2 +- .../CreatingUnnecessaryObjectsServlet.java | 18 +--- .../StringPlusOperationServlet.java | 29 ++--- .../easybuggy/troubles/DeadlockServlet2.java | 10 +- .../troubles/EndlessWaitingServlet.java | 24 ++--- .../troubles/FileDescriptorLeakServlet.java | 4 +- .../troubles/IntegerOverflowServlet.java | 25 ++--- .../troubles/LossOfTrailingDigitsServlet.java | 26 ++--- .../troubles/RoundOffErrorServlet.java | 29 ++--- .../easybuggy/troubles/ThreadLeakServlet.java | 1 + .../troubles/TruncationErrorServlet.java | 35 ++---- .../vulnerabilities/ClickJackingServlet.java | 3 +- .../vulnerabilities/CodeInjectionServlet.java | 2 +- .../MailHeaderInjectionServlet.java | 50 +++++---- .../UnrestrictedExtensionUploadServlet.java | 58 +++++----- .../UnrestrictedSizeUploadServlet.java | 53 ++++----- .../vulnerabilities/XEEandXXEServlet.java | 61 ++++++----- src/main/resources/messages_en.properties | 2 +- 
src/main/resources/messages_ja.properties | 2 +- 38 files changed, 268 insertions(+), 326 deletions(-) diff --git a/src/main/java/org/t246osslab/easybuggy/core/model/User.java b/src/main/java/org/t246osslab/easybuggy/core/model/User.java index c8f4f9d6..c7141347 100644 --- a/src/main/java/org/t246osslab/easybuggy/core/model/User.java +++ b/src/main/java/org/t246osslab/easybuggy/core/model/User.java @@ -1,9 +1,11 @@ package org.t246osslab.easybuggy.core.model; +import java.io.Serializable; import java.util.Date; -public class User { +public class User implements Serializable{ + private static final long serialVersionUID = 1L; private String userId = null; private String name = null; private String password = null; diff --git a/src/main/java/org/t246osslab/easybuggy/core/utils/ApplicationUtils.java b/src/main/java/org/t246osslab/easybuggy/core/utils/ApplicationUtils.java index 5de68a17..b19624bd 100644 --- a/src/main/java/org/t246osslab/easybuggy/core/utils/ApplicationUtils.java +++ b/src/main/java/org/t246osslab/easybuggy/core/utils/ApplicationUtils.java 
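Review bot: `User` now implements `Serializable` while still carrying a `password` field, so container-side session passivation or any other Java serialization of a `User` writes that value out with the rest of the object. If the value is not needed after the object is restored, declare it `private transient String password = null;`; if it is needed, a short comment on the field saying so keeps the next reader from "fixing" it. Minor: `implements Serializable{` lacks the space before the brace that the rest of the class uses.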
@@ -47,69 +47,21 @@ public final class ApplicationUtils { private static String adminAddress = null; static { - ResourceBundle bundle = null; try { - bundle = ResourceBundle.getBundle("application"); + ResourceBundle bundle = ResourceBundle.getBundle("application"); + databaseURL = getProperty(bundle, "database.url", databaseURL); + databaseDriver = getProperty(bundle, "database.driver", databaseDriver); + accountLockTime = getProperty(bundle, "account.lock.time", accountLockTime); + accountLockCount = getProperty(bundle, "account.lock.count", accountLockCount); + smtpHost = getProperty(bundle, "mail.smtp.host", smtpHost); + smtpPort = getProperty(bundle, "mail.smtp.port", smtpPort); + smtpAuth = getProperty(bundle, "mail.smtp.auth", smtpAuth); + smtpStarttlsEnable = getProperty(bundle, "mail.smtp.starttls.enable", smtpStarttlsEnable); + smtpUser = getProperty(bundle, "mail.user", smtpUser); + smtpPass = getProperty(bundle, "mail.password", smtpPass); + adminAddress = getProperty(bundle, "mail.admin.address", adminAddress); } catch (MissingResourceException e) { - log.error("Exception occurs: ", e); - } - if (bundle != null) { - try { - databaseURL = bundle.getString("database.url"); - } catch (Exception e) { - log.error("Exception occurs: ", e); - } - try { - databaseDriver = bundle.getString("database.driver"); - } catch (Exception e) { - log.error("Exception occurs: ", e); - } - try { - accountLockTime = Long.parseLong(bundle.getString("account.lock.time")); - } catch (Exception e) { - log.error("Exception occurs: ", e); - } - try { - accountLockCount = Integer.parseInt(bundle.getString("account.lock.count")); - } catch (Exception e) { - log.error("Exception occurs: ", e); - } - try { - smtpHost = bundle.getString("mail.smtp.host"); - } catch (Exception e) { - log.error("Exception occurs: ", e); - } - try { - smtpPort = bundle.getString("mail.smtp.port"); - } catch (Exception e) { - log.error("Exception occurs: ", e); - } - try { - smtpAuth = 
bundle.getString("mail.smtp.auth"); - } catch (Exception e) { - log.error("Exception occurs: ", e); - } - try { - smtpStarttlsEnable = bundle.getString("mail.smtp.starttls.enable"); - } catch (Exception e) { - log.error("Exception occurs: ", e); - } - try { - smtpUser = bundle.getString("mail.user"); - } catch (Exception e) { - log.error("Exception occurs: ", e); - } - try { - smtpPass = bundle.getString("mail.password"); - } catch (Exception e) { - log.error("Exception occurs: ", e); - } - - try { - adminAddress = bundle.getString("mail.admin.address"); - } catch (Exception e) { - log.error("Exception occurs: ", e); - } + log.error("MissingResourceException occurs: ", e); } } @@ -216,4 +168,31 @@ public static String getSmtpPass() { public static String getAdminAddress() { return adminAddress; } + + private static String getProperty(ResourceBundle bundle, String key, String defaultValue) { + try { + return bundle.getString(key); + } catch (Exception e) { + log.error("Exception occurs: ", e); + } + return defaultValue; + } + + private static int getProperty(ResourceBundle bundle, String key, int defaultValue) { + try { + return Integer.parseInt(bundle.getString(key)); + } catch (Exception e) { + log.error("Exception occurs: ", e); + } + return defaultValue; + } + + private static long getProperty(ResourceBundle bundle, String key, long defaultValue) { + try { + return Long.parseLong(bundle.getString(key)); + } catch (Exception e) { + log.error("Exception occurs: ", e); + } + return defaultValue; + } } diff --git a/src/main/java/org/t246osslab/easybuggy/core/utils/DeleteClassWhileMavenBuild.java b/src/main/java/org/t246osslab/easybuggy/core/utils/DeleteClassWhileMavenBuild.java index 56101ce2..592fc7a1 100644 --- a/src/main/java/org/t246osslab/easybuggy/core/utils/DeleteClassWhileMavenBuild.java +++ b/src/main/java/org/t246osslab/easybuggy/core/utils/DeleteClassWhileMavenBuild.java 
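Review bot: The three new `getProperty` overloads catch `Exception` and log at error level for a condition the method itself tolerates — an absent or malformed key is replaced by the supplied default and startup continues — and the log line never says which key fell back. The failures these helpers are written for are `MissingResourceException` from `getString` and, in the numeric overloads, `NumberFormatException` from the parse; catching those (two clauses, or a multi-catch if the project compiles for Java 7 or later) and naming the key, e.g. `log.warn("Property {} missing or invalid, using default", key, e);`, makes the fallback visible without masking unrelated failures. The `MissingResourceException` handler in the first hunk of this file has the same keyless message pattern.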
@@ -1,5 +1,5 @@ package org.t246osslab.easybuggy.core.utils; public class DeleteClassWhileMavenBuild { - + // this class is removed during Maven build processing } diff --git a/src/main/java/org/t246osslab/easybuggy/core/utils/EmailUtils.java b/src/main/java/org/t246osslab/easybuggy/core/utils/EmailUtils.java index 3b06017e..0aec29dc 100644 --- a/src/main/java/org/t246osslab/easybuggy/core/utils/EmailUtils.java +++ b/src/main/java/org/t246osslab/easybuggy/core/utils/EmailUtils.java @@ -13,7 +13,6 @@ import javax.mail.PasswordAuthentication; import javax.mail.Session; import javax.mail.Transport; -import javax.mail.internet.AddressException; import javax.mail.internet.InternetAddress; import javax.mail.internet.MimeBodyPart; import javax.mail.internet.MimeMessage; @@ -48,9 +47,8 @@ public static boolean isReadyToSendEmail() { /** * Sends an e-mail message from a SMTP host with a list of attached files. */ - public static void sendEmailWithAttachment( - String subject, String message, List attachedFiles) - throws AddressException, MessagingException { + public static void sendEmailWithAttachment(String subject, String message, List attachedFiles) + throws MessagingException { // sets SMTP server properties Properties properties = new Properties(); properties.put("mail.smtp.host", ApplicationUtils.getSmtpHost()); @@ -87,17 +85,15 @@ public PasswordAuthentication getPasswordAuthentication() { multipart.addBodyPart(messageBodyPart); // adds attachments - if (attachedFiles != null && attachedFiles.size() > 0) { + if (attachedFiles != null && !attachedFiles.isEmpty()) { for (File aFile : attachedFiles) { MimeBodyPart attachPart = new MimeBodyPart(); - - try { + try { attachPart.attachFile(aFile); } catch (IOException e) { log.error("IOException occurs: ", e); } - - multipart.addBodyPart(attachPart); + multipart.addBodyPart(attachPart); } } 
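Review bot: In the attachments loop of `sendEmailWithAttachment`, `multipart.addBodyPart(attachPart);` still runs when `attachPart.attachFile(aFile)` threw `IOException`, so the message goes out with an empty body part where the file should be and only the log records why. Moving the add inside the `try`, or placing `continue;` after the `log.error` call, keeps a failed attachment from being silently sent as an empty one. This hunk ends inside `sendEmailWithAttachment`; the remainder of the method is outside the patch.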
diff --git a/src/main/java/org/t246osslab/easybuggy/errors/ExceptionInInitializerErrorServlet.java b/src/main/java/org/t246osslab/easybuggy/errors/ExceptionInInitializerErrorServlet.java index 0da38cf8..d4360cdd 100644 --- a/src/main/java/org/t246osslab/easybuggy/errors/ExceptionInInitializerErrorServlet.java +++ b/src/main/java/org/t246osslab/easybuggy/errors/ExceptionInInitializerErrorServlet.java @@ -31,6 +31,6 @@ protected void doGet(HttpServletRequest req, HttpServletResponse res) throws Ser class InitializerErrorThrower { static { - int i = 1 / 0; + LoggerFactory.getLogger(InitializerErrorThrower.class).debug("clinit" + 1 / 0); } } diff --git a/src/main/java/org/t246osslab/easybuggy/errors/OutOfMemoryErrorServlet2.java b/src/main/java/org/t246osslab/easybuggy/errors/OutOfMemoryErrorServlet2.java index d5584d4f..fd04487f 100644 --- a/src/main/java/org/t246osslab/easybuggy/errors/OutOfMemoryErrorServlet2.java +++ b/src/main/java/org/t246osslab/easybuggy/errors/OutOfMemoryErrorServlet2.java @@ -13,6 +13,6 @@ public class OutOfMemoryErrorServlet2 extends HttpServlet { protected void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { - byte[] buffer = new byte[Integer.MAX_VALUE]; + req.setAttribute("oome2", new byte[Integer.MAX_VALUE]); } } diff --git a/src/main/java/org/t246osslab/easybuggy/errors/OutOfMemoryErrorServlet6.java b/src/main/java/org/t246osslab/easybuggy/errors/OutOfMemoryErrorServlet6.java index dcc3a11c..cec67e9c 100644 --- a/src/main/java/org/t246osslab/easybuggy/errors/OutOfMemoryErrorServlet6.java +++ b/src/main/java/org/t246osslab/easybuggy/errors/OutOfMemoryErrorServlet6.java @@ -14,7 +14,6 @@ public class OutOfMemoryErrorServlet6 extends HttpServlet { protected void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { - - ByteBuffer buffer = ByteBuffer.allocateDirect(99999999); + req.setAttribute("oome2", ByteBuffer.allocateDirect(99999999)); } } 
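Review bot: The replacement line in `InitializerErrorThrower`'s static initializer hides the intent of the original `int i = 1 / 0;` behind a logger call: `1 / 0` is evaluated as an argument before `debug` runs, so the initializer still throws `ArithmeticException` regardless of log level, but a reader now has to work that out. A one-line comment preserves it: `// 1 / 0 is evaluated eagerly, so this always throws ArithmeticException -> ExceptionInInitializerError`.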
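Review bot: `OutOfMemoryErrorServlet6.doGet` stores its direct buffer under the attribute name `"oome2"`, which is the name `OutOfMemoryErrorServlet2` uses in the hunk above; it looks like a copy-paste leftover. `req.setAttribute("oome6", ByteBuffer.allocateDirect(99999999));` keeps the attribute name matched to the servlet, as the other servlets in this patch do (`"ae"`, `"aioobe"`, `"nase"`, …).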
diff --git a/src/main/java/org/t246osslab/easybuggy/errors/UnsatisfiedLinkErrorServlet.java b/src/main/java/org/t246osslab/easybuggy/errors/UnsatisfiedLinkErrorServlet.java index 1a3d0263..0496e4b3 100644 --- a/src/main/java/org/t246osslab/easybuggy/errors/UnsatisfiedLinkErrorServlet.java +++ b/src/main/java/org/t246osslab/easybuggy/errors/UnsatisfiedLinkErrorServlet.java @@ -17,7 +17,7 @@ @SuppressWarnings("serial") public class UnsatisfiedLinkErrorServlet extends HttpServlet { - private native static NetworkInterface getByName0(String name) throws SocketException; + private static native NetworkInterface getByName0(String name) throws SocketException; protected void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { getByName0(""); diff --git a/src/main/java/org/t246osslab/easybuggy/exceptions/ArithmeticExceptionServlet.java b/src/main/java/org/t246osslab/easybuggy/exceptions/ArithmeticExceptionServlet.java index 90983c27..5e7c6f3a 100644 --- a/src/main/java/org/t246osslab/easybuggy/exceptions/ArithmeticExceptionServlet.java +++ b/src/main/java/org/t246osslab/easybuggy/exceptions/ArithmeticExceptionServlet.java @@ -13,6 +13,6 @@ public class ArithmeticExceptionServlet extends HttpServlet { protected void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { - int i = 1 / 0; + res.addIntHeader("ae", 1 / 0); } } diff --git a/src/main/java/org/t246osslab/easybuggy/exceptions/ArrayIndexOutOfBoundsExceptionServlet.java b/src/main/java/org/t246osslab/easybuggy/exceptions/ArrayIndexOutOfBoundsExceptionServlet.java index 79f84bcd..0bdcce66 100644 --- a/src/main/java/org/t246osslab/easybuggy/exceptions/ArrayIndexOutOfBoundsExceptionServlet.java +++ b/src/main/java/org/t246osslab/easybuggy/exceptions/ArrayIndexOutOfBoundsExceptionServlet.java 
@@ -13,6 +13,6 @@ public class ArrayIndexOutOfBoundsExceptionServlet extends HttpServlet { protected void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { - int i = (new int[] { 1 })[1]; + req.setAttribute("aioobe", (new int[] { 1 })[1]); } } diff --git a/src/main/java/org/t246osslab/easybuggy/exceptions/ArrayStoreExceptionServlet.java b/src/main/java/org/t246osslab/easybuggy/exceptions/ArrayStoreExceptionServlet.java index d2fa4ae2..0da6ec8b 100644 --- a/src/main/java/org/t246osslab/easybuggy/exceptions/ArrayStoreExceptionServlet.java +++ b/src/main/java/org/t246osslab/easybuggy/exceptions/ArrayStoreExceptionServlet.java @@ -14,6 +14,6 @@ public class ArrayStoreExceptionServlet extends HttpServlet { protected void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { Object[] objects = new String[1]; - objects[0] = new Integer(0); + objects[0] = Integer.valueOf(1); } } diff --git a/src/main/java/org/t246osslab/easybuggy/exceptions/BufferOverflowExceptionServlet.java b/src/main/java/org/t246osslab/easybuggy/exceptions/BufferOverflowExceptionServlet.java index 82627402..933c8a2a 100644 --- a/src/main/java/org/t246osslab/easybuggy/exceptions/BufferOverflowExceptionServlet.java +++ b/src/main/java/org/t246osslab/easybuggy/exceptions/BufferOverflowExceptionServlet.java @@ -16,6 +16,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import org.t246osslab.easybuggy.core.utils.Closer; @SuppressWarnings("serial") @WebServlet(urlPatterns = { "/boe" }) 
@@ -24,9 +25,10 @@ public class BufferOverflowExceptionServlet extends HttpServlet { private static final Logger log = LoggerFactory.getLogger(BufferOverflowExceptionServlet.class); protected void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { + RandomAccessFile raf = null; try { File f = new File("test.txt"); - RandomAccessFile raf = new RandomAccessFile(f, "rw"); + raf = new RandomAccessFile(f, "rw"); FileChannel ch = raf.getChannel(); MappedByteBuffer buf = ch.map(MapMode.READ_WRITE, 0, f.length()); final byte[] src = new byte[10]; @@ -35,6 +37,8 @@ protected void doGet(HttpServletRequest req, HttpServletResponse res) throws Ser log.error("FileNotFoundException occurs: ", e); } catch (IOException e) { log.error("IOException occurs: ", e); + } finally { + Closer.close(raf); } } } diff --git a/src/main/java/org/t246osslab/easybuggy/exceptions/ClassCastExceptionServlet.java b/src/main/java/org/t246osslab/easybuggy/exceptions/ClassCastExceptionServlet.java index feedb638..4a2a7721 100644 --- a/src/main/java/org/t246osslab/easybuggy/exceptions/ClassCastExceptionServlet.java +++ b/src/main/java/org/t246osslab/easybuggy/exceptions/ClassCastExceptionServlet.java @@ -14,6 +14,6 @@ public class ClassCastExceptionServlet extends HttpServlet { protected void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { req.setAttribute("param1", "value1"); - String[] s = (String[]) req.getAttribute("param1"); + req.setAttribute("param2", (String[]) req.getAttribute("param1")); } } diff --git a/src/main/java/org/t246osslab/easybuggy/exceptions/EmptyStackExceptionServlet.java b/src/main/java/org/t246osslab/easybuggy/exceptions/EmptyStackExceptionServlet.java index 0e268298..9da47c27 100644 --- a/src/main/java/org/t246osslab/easybuggy/exceptions/EmptyStackExceptionServlet.java +++ b/src/main/java/org/t246osslab/easybuggy/exceptions/EmptyStackExceptionServlet.java 
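Review bot: `BufferOverflowExceptionServlet.doGet` still opens `new File("test.txt")` relative to the JVM working directory, so the file it creates and maps `READ_WRITE` lands wherever the container was started from, while `FileDescriptorLeakServlet` in this same patch resolves its `test.txt` under the servlet context's `javax.servlet.context.tempdir` attribute. Using the same location here, `new File(req.getServletContext().getAttribute("javax.servlet.context.tempdir").toString(), "test.txt")`, keeps the scratch file out of the working directory and consistent across the two servlets. The new `finally { Closer.close(raf); }` is the right place for the close; closing the `RandomAccessFile` also closes the channel obtained from it. `doGet` starts in the previous hunk's context and ends here.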
@@ -20,8 +20,8 @@ public class EmptyStackExceptionServlet extends HttpServlet { protected void service(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { Stack stack = new Stack(); - String tmp = null; - while (null != (tmp = (String) stack.pop())) { + String tmp; + while (null != (tmp = stack.pop())) { log.debug("Stack.pop(): " + tmp); } } diff --git a/src/main/java/org/t246osslab/easybuggy/exceptions/IllegalArgumentExceptionServlet.java b/src/main/java/org/t246osslab/easybuggy/exceptions/IllegalArgumentExceptionServlet.java index 26bb71a0..a99bc4ba 100644 --- a/src/main/java/org/t246osslab/easybuggy/exceptions/IllegalArgumentExceptionServlet.java +++ b/src/main/java/org/t246osslab/easybuggy/exceptions/IllegalArgumentExceptionServlet.java @@ -1,7 +1,7 @@ package org.t246osslab.easybuggy.exceptions; import java.io.IOException; -import java.util.Date; +import java.util.ArrayList; import javax.servlet.ServletException; import javax.servlet.annotation.WebServlet; @@ -14,6 +14,6 @@ public class IllegalArgumentExceptionServlet extends HttpServlet { protected void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { - new Date(null); + req.setAttribute("iae", new ArrayList(-1)); } } diff --git a/src/main/java/org/t246osslab/easybuggy/exceptions/NegativeArraySizeExceptionServlet.java b/src/main/java/org/t246osslab/easybuggy/exceptions/NegativeArraySizeExceptionServlet.java index ff1f9f55..5080f54e 100644 --- a/src/main/java/org/t246osslab/easybuggy/exceptions/NegativeArraySizeExceptionServlet.java +++ b/src/main/java/org/t246osslab/easybuggy/exceptions/NegativeArraySizeExceptionServlet.java @@ -13,6 +13,6 @@ public class NegativeArraySizeExceptionServlet extends HttpServlet { protected void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { - int[] intArray = new int[-1]; + req.setAttribute("nase", new int[-1]); } } 
diff --git a/src/main/java/org/t246osslab/easybuggy/exceptions/NullPointerExceptionServlet.java b/src/main/java/org/t246osslab/easybuggy/exceptions/NullPointerExceptionServlet.java index b2a79ea6..86488d89 100644 --- a/src/main/java/org/t246osslab/easybuggy/exceptions/NullPointerExceptionServlet.java +++ b/src/main/java/org/t246osslab/easybuggy/exceptions/NullPointerExceptionServlet.java @@ -13,6 +13,6 @@ public class NullPointerExceptionServlet extends HttpServlet { protected void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { - Integer.decode(null); + req.setAttribute("npe", Integer.decode(null)); } } diff --git a/src/main/java/org/t246osslab/easybuggy/exceptions/NumberFormatExceptionServlet.java b/src/main/java/org/t246osslab/easybuggy/exceptions/NumberFormatExceptionServlet.java index 3f76be22..d75472f8 100644 --- a/src/main/java/org/t246osslab/easybuggy/exceptions/NumberFormatExceptionServlet.java +++ b/src/main/java/org/t246osslab/easybuggy/exceptions/NumberFormatExceptionServlet.java @@ -13,6 +13,6 @@ public class NumberFormatExceptionServlet extends HttpServlet { protected void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { - Integer.valueOf(""); + req.setAttribute("nfe", Integer.valueOf("")); } } diff --git a/src/main/java/org/t246osslab/easybuggy/exceptions/UnsupportedCharsetExceptionServlet.java b/src/main/java/org/t246osslab/easybuggy/exceptions/UnsupportedCharsetExceptionServlet.java index d8fe420b..5b551289 100644 --- a/src/main/java/org/t246osslab/easybuggy/exceptions/UnsupportedCharsetExceptionServlet.java +++ b/src/main/java/org/t246osslab/easybuggy/exceptions/UnsupportedCharsetExceptionServlet.java 
@@ -14,6 +14,6 @@ public class UnsupportedCharsetExceptionServlet extends HttpServlet { protected void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { - new String("str".getBytes(Charset.defaultCharset()), Charset.forName("test")); + req.setAttribute("uce", new String("str".getBytes(Charset.defaultCharset()), Charset.forName("test"))); } } diff --git a/src/main/java/org/t246osslab/easybuggy/exceptions/UnsupportedOperationExceptionServlet.java b/src/main/java/org/t246osslab/easybuggy/exceptions/UnsupportedOperationExceptionServlet.java index ba6ddc4e..6dbd8bb5 100644 --- a/src/main/java/org/t246osslab/easybuggy/exceptions/UnsupportedOperationExceptionServlet.java +++ b/src/main/java/org/t246osslab/easybuggy/exceptions/UnsupportedOperationExceptionServlet.java @@ -20,7 +20,7 @@ protected void doGet(HttpServletRequest req, HttpServletResponse res) throws Ser Iterator i = alphabet.iterator(); while(i.hasNext()){ String name = i.next(); - if(!name.equals("a")){ + if(!"a".equals(name)){ i.remove(); } } diff --git a/src/main/java/org/t246osslab/easybuggy/performance/CreatingUnnecessaryObjectsServlet.java b/src/main/java/org/t246osslab/easybuggy/performance/CreatingUnnecessaryObjectsServlet.java index 6de62ecb..4a2b64c2 100644 --- a/src/main/java/org/t246osslab/easybuggy/performance/CreatingUnnecessaryObjectsServlet.java +++ b/src/main/java/org/t246osslab/easybuggy/performance/CreatingUnnecessaryObjectsServlet.java @@ -9,6 +9,7 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.apache.commons.lang.math.NumberUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.t246osslab.easybuggy.core.utils.HTTPResponseCreator; 
@@ -21,17 +22,10 @@ public class CreatingUnnecessaryObjectsServlet extends HttpServlet { private static final Logger log = LoggerFactory.getLogger(CreatingUnnecessaryObjectsServlet.class); protected void service(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { - int number = -1; try { Locale locale = req.getLocale(); String strNumber = req.getParameter("number"); - if (strNumber != null) { - try { - number = Integer.parseInt(strNumber); - } catch (NumberFormatException e) { - // ignore - } - } + int number = NumberUtils.toInt(strNumber, -1); StringBuilder bodyHtml = new StringBuilder(); bodyHtml.append("
"); bodyHtml.append(MessageUtils.getMsg("msg.calc.sym.natural.numbers", locale)); @@ -64,7 +58,7 @@ protected void service(HttpServletRequest req, HttpServletResponse res) throws S bodyHtml.append("\\(\\begin{eqnarray}\\sum_{ k = 1 }^{ " + number + " } k\\end{eqnarray}\\) = "); } } else { - bodyHtml.append("1 + 2 + 3 + … + n = "); + bodyHtml.append("1 + 2 + 3 + ... + n = "); bodyHtml.append("\\(\\begin{eqnarray}\\sum_{ k = 1 }^{ n } k\\end{eqnarray}\\) = "); } if (number >= 1) { @@ -72,11 +66,9 @@ protected void service(HttpServletRequest req, HttpServletResponse res) throws S bodyHtml.append(calcSum1(number)); log.info((System.nanoTime() - start) / 1000000f + " ms"); } - bodyHtml.append("
"); - bodyHtml.append("
"); + bodyHtml.append("

"); bodyHtml.append(""); - bodyHtml.append("
"); - bodyHtml.append("
"); + bodyHtml.append("

"); bodyHtml.append(MessageUtils.getInfoMsg("msg.note.enter.large.number", locale)); bodyHtml.append("
"); diff --git a/src/main/java/org/t246osslab/easybuggy/performance/StringPlusOperationServlet.java b/src/main/java/org/t246osslab/easybuggy/performance/StringPlusOperationServlet.java index 0336be2a..b2c37579 100644 --- a/src/main/java/org/t246osslab/easybuggy/performance/StringPlusOperationServlet.java +++ b/src/main/java/org/t246osslab/easybuggy/performance/StringPlusOperationServlet.java @@ -11,6 +11,7 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.apache.commons.lang.math.NumberUtils; import org.owasp.esapi.ESAPI; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -35,11 +36,8 @@ public class StringPlusOperationServlet extends HttpServlet { protected void service(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { try { - int length = 0; - try { - length = Integer.parseInt(req.getParameter("length")); - } catch (NumberFormatException e) { - } + String strLength = req.getParameter("length"); + int length = NumberUtils.toInt(strLength, 0); String[] characters = req.getParameterValues("characters"); Locale locale = req.getLocale(); 
@@ -69,16 +67,19 @@ protected void service(HttpServletRequest req, HttpServletResponse res) throws S if (length > 0) { // StringBuilder builder = new StringBuilder(); String s = ""; - java.util.Random rand = new java.util.Random(); - Date startDate = new Date(); - log.info("Start Date: {}", startDate.toString()); - for (int i = 0; i < length && i < MAX_LENGTH; i++) { - s = s + characters[rand.nextInt(characters.length)]; - // builder.append(characters[rand.nextInt(characters.length)]); + if (characters != null) { + java.util.Random rand = new java.util.Random(); + Date startDate = new Date(); + log.info("Start Date: {}", startDate.toString()); + for (int i = 0; i < length && i < MAX_LENGTH; i++) { + s = s + characters[rand.nextInt(characters.length)]; + // builder.append(characters[rand.nextInt(characters.length)]); + } + Date endDate = new Date(); + log.info("End Date: {}", endDate.toString()); } - Date endDate = new Date(); - log.info("End Date: {}", endDate.toString()); - bodyHtml.append(MessageUtils.getMsg("label.execution.result", locale) + "

"); + bodyHtml.append(MessageUtils.getMsg("label.execution.result", locale)); + bodyHtml.append("

"); // bodyHtml.append(ESAPI.encoder().encodeForHTML(builder.toString())); bodyHtml.append(ESAPI.encoder().encodeForHTML(s)); } else { diff --git a/src/main/java/org/t246osslab/easybuggy/troubles/DeadlockServlet2.java b/src/main/java/org/t246osslab/easybuggy/troubles/DeadlockServlet2.java index ab9ee8e3..7cdb6ea4 100644 --- a/src/main/java/org/t246osslab/easybuggy/troubles/DeadlockServlet2.java +++ b/src/main/java/org/t246osslab/easybuggy/troubles/DeadlockServlet2.java @@ -54,7 +54,7 @@ protected void service(HttpServletRequest req, HttpServletResponse res) throws S } updateResult = updateUsers(users, locale); } else { - users = selectUsers(order, locale); + users = selectUsers(order); } createHTMLUserTable(locale, bodyHtml, users, order, updateResult); @@ -112,23 +112,19 @@ private void createHTMLUserTable(Locale locale, StringBuilder bodyHtml, ArrayLis bodyHtml.append(""); } - private ArrayList selectUsers(String order, Locale locale) { + private ArrayList selectUsers(String order) { Statement stmt = null; Connection conn = null; ResultSet rs = null; ArrayList users = new ArrayList(); try { - if (!"asc".equals(order) && !"desc".equals(order)) { - order = "asc"; - } - conn = DBClient.getConnection(); conn.setAutoCommit(true); // conn.setTransactionIsolation(Connection.TRANSACTION_READ_COMMITTED); stmt = conn.createStatement(); - rs = stmt.executeQuery("select * from users where ispublic = 'true' order by id " + order); + rs = stmt.executeQuery("select * from users where ispublic = 'true' order by id " + ("desc".equals(order) ? "desc" : "asc")); while (rs.next()) { User user = new User(); user.setUserId(rs.getString("id")); diff --git a/src/main/java/org/t246osslab/easybuggy/troubles/EndlessWaitingServlet.java b/src/main/java/org/t246osslab/easybuggy/troubles/EndlessWaitingServlet.java index 6c511624..e43810d5 100644 --- a/src/main/java/org/t246osslab/easybuggy/troubles/EndlessWaitingServlet.java 
+++ b/src/main/java/org/t246osslab/easybuggy/troubles/EndlessWaitingServlet.java @@ -15,6 +15,7 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.apache.commons.lang.math.NumberUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.t246osslab.easybuggy.core.utils.Closer; @@ -32,11 +33,8 @@ public class EndlessWaitingServlet extends HttpServlet { protected void service(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { try { - int count = 0; - try { - count = Integer.parseInt(req.getParameter("count")); - } catch (NumberFormatException e) { - } + String strCount = req.getParameter("count"); + int count = NumberUtils.toInt(strCount, 0); Locale locale = req.getLocale(); StringBuilder bodyHtml = new StringBuilder(); @@ -60,9 +58,10 @@ protected void service(HttpServletRequest req, HttpServletResponse res) throws S ProcessBuilder pb = new ProcessBuilder(batFile.getAbsolutePath()); Process process = pb.start(); process.waitFor(); - bodyHtml.append( - MessageUtils.getMsg("msg.executed.batch", locale) + batFile.getAbsolutePath() + "

"); - bodyHtml.append(MessageUtils.getMsg("label.execution.result", locale) + "

"); + bodyHtml.append(MessageUtils.getMsg("msg.executed.batch", locale) + batFile.getAbsolutePath()); + bodyHtml.append("

"); + bodyHtml.append(MessageUtils.getMsg("label.execution.result", locale)); + bodyHtml.append("

"); bodyHtml.append(printInputStream(process.getInputStream())); bodyHtml.append(printInputStream(process.getErrorStream())); } @@ -116,11 +115,8 @@ private File createBatchFile(int count, String tmpdir) throws IOException { buffwriter.close(); fileWriter.close(); if (!osName.toLowerCase().startsWith("windows")) { - try { - Runtime runtime = Runtime.getRuntime(); - runtime.exec("chmod 777 " + batFile.getAbsolutePath()); - } catch (IOException ex) { - } + Runtime runtime = Runtime.getRuntime(); + runtime.exec("chmod 777 " + batFile.getAbsolutePath()); } } catch (Exception e) { log.error("Exception occurs: ", e); @@ -139,7 +135,7 @@ private String printInputStream(InputStream is) throws IOException { if (line == null) { break; } - sb.append(line + "
"); + sb.append(line + "
"); } } finally { Closer.close(br); diff --git a/src/main/java/org/t246osslab/easybuggy/troubles/FileDescriptorLeakServlet.java b/src/main/java/org/t246osslab/easybuggy/troubles/FileDescriptorLeakServlet.java index 64705bdf..24a9ad53 100644 --- a/src/main/java/org/t246osslab/easybuggy/troubles/FileDescriptorLeakServlet.java +++ b/src/main/java/org/t246osslab/easybuggy/troubles/FileDescriptorLeakServlet.java @@ -35,8 +35,8 @@ protected void doGet(HttpServletRequest req, HttpServletResponse res) throws Ser try { File file = new File(req.getServletContext().getAttribute("javax.servlet.context.tempdir").toString(), "test.txt"); - FileOutputStream fos1 = new FileOutputStream(file, true); - OutputStreamWriter osw = new OutputStreamWriter(fos1); + FileOutputStream fos = new FileOutputStream(file, true); + OutputStreamWriter osw = new OutputStreamWriter(fos); osw.write(""); osw.write("" + new Date().toString() + ""); osw.write("" + req.getRemoteAddr() + ""); diff --git a/src/main/java/org/t246osslab/easybuggy/troubles/IntegerOverflowServlet.java b/src/main/java/org/t246osslab/easybuggy/troubles/IntegerOverflowServlet.java index fd0f766a..ef2797e9 100644 --- a/src/main/java/org/t246osslab/easybuggy/troubles/IntegerOverflowServlet.java +++ b/src/main/java/org/t246osslab/easybuggy/troubles/IntegerOverflowServlet.java @@ -10,6 +10,7 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.apache.commons.lang.math.NumberUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.t246osslab.easybuggy.core.utils.HTTPResponseCreator; 
@@ -22,19 +23,14 @@ public class IntegerOverflowServlet extends HttpServlet { private static final Logger log = LoggerFactory.getLogger(IntegerOverflowServlet.class); protected void service(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { - int times = -1; BigDecimal thickness = null; BigDecimal thicknessM = null; BigDecimal thicknessKm = null; + String strTimes = req.getParameter("times"); + int times = NumberUtils.toInt(strTimes, -1); try { Locale locale = req.getLocale(); - String strTimes = req.getParameter("times"); if (strTimes != null) { - try { - times = Integer.parseInt(strTimes); - } catch (NumberFormatException e) { - // ignore - } long multipleNumber = 1; if (times >= 0) { for (int i = 0; i < times; i++) { @@ -49,8 +45,7 @@ protected void service(HttpServletRequest req, HttpServletResponse res) throws S StringBuilder bodyHtml = new StringBuilder(); bodyHtml.append("
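Review bot: `int times = NumberUtils.toInt(strTimes, -1)` already yields -1 for a null parameter, so the retained `if (strTimes != null)` guard inside the `try` is redundant with the `if (times >= 0)` that follows and can be dropped. `times` also has no upper bound, so `for (int i = 0; i < times; i++)` runs up to Integer.MAX_VALUE iterations per request with a client-chosen value; if the page only needs to show the long overflow, a cap such as `times = Math.min(times, MAX_TIMES);` (MAX_TIMES being a new constant) keeps one request from monopolising a worker thread. The loop body and the rest of service() are outside the hunk.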
"); bodyHtml.append(MessageUtils.getMsg("msg.question.reach.the.moon", locale)); - bodyHtml.append("
"); - bodyHtml.append("
"); + bodyHtml.append("

"); if (times >= 0) { bodyHtml.append( ""); @@ -61,17 +56,17 @@ protected void service(HttpServletRequest req, HttpServletResponse res) throws S bodyHtml.append(MessageUtils.getMsg("label.times", locale) + " : "); if (times >= 0) { bodyHtml.append(thickness + " mm"); - bodyHtml.append(thicknessM.intValue() >= 1 && thicknessKm.intValue() < 1 ? " = " + thicknessM + " m" : ""); - bodyHtml.append(thicknessKm.intValue() >= 1 ? " = " + thicknessKm + " km" : ""); + if (thicknessM != null && thicknessKm != null) { + bodyHtml.append(thicknessM.intValue() >= 1 && thicknessKm.intValue() < 1 ? " = " + thicknessM + " m" : ""); + bodyHtml.append(thicknessKm.intValue() >= 1 ? " = " + thicknessKm + " km" : ""); + } if (times == 42) { bodyHtml.append(" : " + MessageUtils.getMsg("msg.answer.is.correct", locale)); } } - bodyHtml.append("
"); - bodyHtml.append("
"); + bodyHtml.append("

"); bodyHtml.append(""); - bodyHtml.append("
"); - bodyHtml.append("
"); + bodyHtml.append("

"); bodyHtml.append(MessageUtils.getInfoMsg("msg.note.positive.number", locale)); bodyHtml.append("
"); diff --git a/src/main/java/org/t246osslab/easybuggy/troubles/LossOfTrailingDigitsServlet.java b/src/main/java/org/t246osslab/easybuggy/troubles/LossOfTrailingDigitsServlet.java index 1fa248e9..6967b5cb 100644 --- a/src/main/java/org/t246osslab/easybuggy/troubles/LossOfTrailingDigitsServlet.java +++ b/src/main/java/org/t246osslab/easybuggy/troubles/LossOfTrailingDigitsServlet.java @@ -9,6 +9,7 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.apache.commons.lang.math.NumberUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.t246osslab.easybuggy.core.utils.HTTPResponseCreator; @@ -21,28 +22,19 @@ public class LossOfTrailingDigitsServlet extends HttpServlet { private static final Logger log = LoggerFactory.getLogger(LossOfTrailingDigitsServlet.class); protected void service(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { - double number = Double.NaN; - String strNumber = null; boolean isValid = true; + Locale locale = req.getLocale(); + String strNumber = req.getParameter("number"); + double number = NumberUtils.toDouble(strNumber, Double.NaN); try { - Locale locale = req.getLocale(); - try { - strNumber = req.getParameter("number"); - if (strNumber != null) { - number = Double.parseDouble(strNumber); - } - } catch (NumberFormatException e) { - // ignore - } - if (Double.isNaN(number) || number <= -1 || number == 0 || 1 <= number) { + if (Double.isNaN(number) || number <= -1 || 1 <= number) { isValid = false; } StringBuilder bodyHtml = new StringBuilder(); bodyHtml.append("
"); bodyHtml.append(MessageUtils.getMsg("msg.enter.decimal.value", locale)); - bodyHtml.append("
"); - bodyHtml.append("
"); + bodyHtml.append("

"); if (!Double.isNaN(number) && isValid) { bodyHtml.append(""); @@ -53,11 +45,9 @@ protected void service(HttpServletRequest req, HttpServletResponse res) throws S if (!Double.isNaN(number) && isValid) { bodyHtml.append(String.valueOf(number + 1)); } - bodyHtml.append("
"); - bodyHtml.append("
"); + bodyHtml.append("

"); bodyHtml.append(""); - bodyHtml.append("
"); - bodyHtml.append("
"); + bodyHtml.append("

"); bodyHtml.append(MessageUtils.getInfoMsg("msg.note.enter.decimal.value", locale)); bodyHtml.append("
"); HTTPResponseCreator.createSimpleResponse(req, res, diff --git a/src/main/java/org/t246osslab/easybuggy/troubles/RoundOffErrorServlet.java b/src/main/java/org/t246osslab/easybuggy/troubles/RoundOffErrorServlet.java index 4429120b..9e68b7b8 100644 --- a/src/main/java/org/t246osslab/easybuggy/troubles/RoundOffErrorServlet.java +++ b/src/main/java/org/t246osslab/easybuggy/troubles/RoundOffErrorServlet.java @@ -9,6 +9,7 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.apache.commons.lang.math.NumberUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.t246osslab.easybuggy.core.utils.HTTPResponseCreator; @@ -21,42 +22,28 @@ public class RoundOffErrorServlet extends HttpServlet { private static final Logger log = LoggerFactory.getLogger(RoundOffErrorServlet.class); protected void service(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { - int number = -1; - double result = 0; try { Locale locale = req.getLocale(); String strNumber = req.getParameter("number"); - if (strNumber != null) { - try { - number = Integer.parseInt(strNumber); - } catch (NumberFormatException e) { - // ignore - } - if (1 <= number && number <= 9) { - result = number - 0.9; - } - } + int number = NumberUtils.toInt(strNumber, -1); StringBuilder bodyHtml = new StringBuilder(); bodyHtml.append("
"); bodyHtml.append(MessageUtils.getMsg("msg.enter.positive.number", locale)); - bodyHtml.append("
"); - bodyHtml.append("
"); - if (result != 0) { + bodyHtml.append("

"); + if (1 <= number && number <= 9) { bodyHtml.append(""); } else { bodyHtml.append(""); } bodyHtml.append(" - 0.9 = "); - if (result != 0) { - bodyHtml.append(String.valueOf(result)); + if (1 <= number && number <= 9) { + bodyHtml.append(String.valueOf(number - 0.9)); } - bodyHtml.append("
"); - bodyHtml.append("
"); + bodyHtml.append("

"); bodyHtml.append(""); - bodyHtml.append("
"); - bodyHtml.append("
"); + bodyHtml.append("

"); bodyHtml.append(MessageUtils.getInfoMsg("msg.note.enter.one", locale)); bodyHtml.append("
"); HTTPResponseCreator.createSimpleResponse(req, res, MessageUtils.getMsg("title.round.off.error.page", locale), diff --git a/src/main/java/org/t246osslab/easybuggy/troubles/ThreadLeakServlet.java b/src/main/java/org/t246osslab/easybuggy/troubles/ThreadLeakServlet.java index 9f9d5a79..719ef57a 100644 --- a/src/main/java/org/t246osslab/easybuggy/troubles/ThreadLeakServlet.java +++ b/src/main/java/org/t246osslab/easybuggy/troubles/ThreadLeakServlet.java @@ -58,6 +58,7 @@ public void run() { ThreadMXBean bean = ManagementFactory.getThreadMXBean(); log.info("Current thread count: " + bean.getAllThreadIds().length); } catch (InterruptedException e) { + // ignore } } } diff --git a/src/main/java/org/t246osslab/easybuggy/troubles/TruncationErrorServlet.java b/src/main/java/org/t246osslab/easybuggy/troubles/TruncationErrorServlet.java index c2f8a560..822cc90a 100644 --- a/src/main/java/org/t246osslab/easybuggy/troubles/TruncationErrorServlet.java +++ b/src/main/java/org/t246osslab/easybuggy/troubles/TruncationErrorServlet.java @@ -9,6 +9,7 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.apache.commons.lang.math.NumberUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.t246osslab.easybuggy.core.utils.HTTPResponseCreator; 
@@ -21,44 +22,28 @@ public class TruncationErrorServlet extends HttpServlet { private static final Logger log = LoggerFactory.getLogger(TruncationErrorServlet.class); protected void service(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { - double number = -1; - double result = 0; + Locale locale = req.getLocale(); + String strNumber = req.getParameter("number"); + double number = NumberUtils.toDouble(strNumber, -1); try { - Locale locale = req.getLocale(); - - String strNumber = req.getParameter("number"); - if (strNumber != null) { - try { - number = Double.parseDouble(strNumber); - } catch (NumberFormatException e) { - // ignore - } - if (0 < number && number < 10) { - result = 10.0 / number; - } - } - StringBuilder bodyHtml = new StringBuilder(); bodyHtml.append("
"); bodyHtml.append(MessageUtils.getMsg("msg.enter.positive.number", locale)); - bodyHtml.append("
"); - bodyHtml.append("
"); + bodyHtml.append("

"); bodyHtml.append("10.0 " + MessageUtils.getMsg("label.obelus", locale) + " "); - if (result != 0) { + if (0 < number && number < 10) { bodyHtml.append( ""); } else { bodyHtml.append(""); } bodyHtml.append(" = "); - if (result != 0) { - bodyHtml.append(String.valueOf(result)); + if (0 < number && number < 10) { + bodyHtml.append(String.valueOf(10.0 / number)); } - bodyHtml.append("
"); - bodyHtml.append("
"); + bodyHtml.append("

"); bodyHtml.append(""); - bodyHtml.append("
"); - bodyHtml.append("
"); + bodyHtml.append("

"); bodyHtml.append(MessageUtils.getInfoMsg("msg.note.enter.specific.nembers", locale)); bodyHtml.append("
"); HTTPResponseCreator.createSimpleResponse(req, res, diff --git a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/ClickJackingServlet.java b/src/main/java/org/t246osslab/easybuggy/vulnerabilities/ClickJackingServlet.java index f41f41e8..e73042ef 100644 --- a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/ClickJackingServlet.java +++ b/src/main/java/org/t246osslab/easybuggy/vulnerabilities/ClickJackingServlet.java @@ -99,7 +99,8 @@ public boolean isValidEmailAddress(String email) { try { InternetAddress emailAddr = new InternetAddress(email); emailAddr.validate(); - } catch (AddressException ex) { + } catch (AddressException e) { + log.debug("Mail address is invalid: " + email, e); result = false; } return result; diff --git a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/CodeInjectionServlet.java b/src/main/java/org/t246osslab/easybuggy/vulnerabilities/CodeInjectionServlet.java index c763310a..3502d0d2 100644 --- a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/CodeInjectionServlet.java +++ b/src/main/java/org/t246osslab/easybuggy/vulnerabilities/CodeInjectionServlet.java @@ -37,7 +37,7 @@ protected void service(HttpServletRequest req, HttpServletResponse res) throws S bodyHtml.append(MessageUtils.getMsg("description.parse.json", locale)); bodyHtml.append("

"); bodyHtml.append(MessageUtils.getMsg("label.json.string", locale) + ": "); - if (jsonString != null) { + if (!StringUtils.isBlank(jsonString)) { bodyHtml.append(""); } else { bodyHtml.append(""); diff --git a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/MailHeaderInjectionServlet.java b/src/main/java/org/t246osslab/easybuggy/vulnerabilities/MailHeaderInjectionServlet.java index 7fbda763..ad7345b4 100644 --- a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/MailHeaderInjectionServlet.java +++ b/src/main/java/org/t246osslab/easybuggy/vulnerabilities/MailHeaderInjectionServlet.java @@ -20,6 +20,7 @@ import org.apache.commons.lang.StringUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import org.t246osslab.easybuggy.core.utils.Closer; import org.t246osslab.easybuggy.core.utils.EmailUtils; import org.t246osslab.easybuggy.core.utils.HTTPResponseCreator; import org.t246osslab.easybuggy.core.utils.MessageUtils; @@ -86,9 +87,6 @@ protected void doGet(HttpServletRequest req, HttpServletResponse res) throws Ser bodyHtml.toString()); } - /** - * handles form submission - */ protected void doPost(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { String resultMessage = ""; @@ -101,13 +99,14 @@ protected void doPost(HttpServletRequest req, HttpServletResponse res) throws Se String content = req.getParameter("content"); if (StringUtils.isBlank(subject) || StringUtils.isBlank(content)) { resultMessage = MessageUtils.getMsg("msg.mail.is.empty", locale); + req.setAttribute("message", resultMessage); doGet(req, res); return; } StringBuilder sb = new StringBuilder(); - sb.append(MessageUtils.getMsg("label.name", locale)).append(": ").append(name).append("
"); - sb.append(MessageUtils.getMsg("label.mail", locale)).append(": ").append(mail).append("
").append("
"); - sb.append(MessageUtils.getMsg("label.content", locale)).append(": ").append(content).append("
"); + sb.append(MessageUtils.getMsg("label.name", locale)).append(": ").append(name).append("
"); + sb.append(MessageUtils.getMsg("label.mail", locale)).append(": ").append(mail).append("
").append("
"); + sb.append(MessageUtils.getMsg("label.content", locale)).append(": ").append(content).append("
"); try { EmailUtils.sendEmailWithAttachment(subject, sb.toString(), uploadedFiles); resultMessage = MessageUtils.getMsg("msg.sent.mail", locale); @@ -126,32 +125,37 @@ protected void doPost(HttpServletRequest req, HttpServletResponse res) throws Se * to the mail message. */ private List saveUploadedFiles(HttpServletRequest request) - throws IllegalStateException, IOException, ServletException { + throws IOException, ServletException { List listFiles = new ArrayList(); byte[] buffer = new byte[4096]; - int bytesRead = -1; + int bytesRead; Collection multiparts = request.getParts(); - if (multiparts.size() > 0) { + if (!multiparts.isEmpty()) { for (Part part : request.getParts()) { // creates a file to be saved String fileName = extractFileName(part); - if (fileName == null || fileName.equals("")) { + if (StringUtils.isBlank(fileName)) { // not attachment part, continue continue; } File saveFile = new File(fileName); log.debug("Uploaded file is saved on: " + saveFile.getAbsolutePath()); - FileOutputStream outputStream = new FileOutputStream(saveFile); - - // saves uploaded file - InputStream inputStream = part.getInputStream(); - while ((bytesRead = inputStream.read(buffer)) != -1) { - outputStream.write(buffer, 0, bytesRead); + FileOutputStream outputStream = null; + InputStream inputStream = null; + try { + outputStream = new FileOutputStream(saveFile); + // saves uploaded file + inputStream = part.getInputStream(); + while ((bytesRead = inputStream.read(buffer)) != -1) { + outputStream.write(buffer, 0, bytesRead); + } + } catch (Exception e) { + log.error("Exception occurs: ", e); + } finally { + Closer.close(outputStream); + Closer.close(inputStream); } - outputStream.close(); - inputStream.close(); - listFiles.add(saveFile); } } 
@@ -166,7 +170,7 @@ private String extractFileName(Part part) { String[] items = contentDisp.split(";"); for (String s : items) { if (s.trim().startsWith("filename")) { - return s.substring(s.indexOf("=") + 2, s.length() - 1); + return s.substring(s.indexOf('=') + 2, s.length() - 1); } } return null; @@ -176,9 +180,11 @@ private String extractFileName(Part part) { * Deletes all uploaded files, should be called after the e-mail was sent. */ private void deleteUploadFiles(List listFiles) { - if (listFiles != null && listFiles.size() > 0) { + if (listFiles != null && !listFiles.isEmpty()) { for (File aFile : listFiles) { - aFile.delete(); + if (!aFile.delete()) { + log.debug("Cannot remove file: " + aFile); + } } } } diff --git a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedExtensionUploadServlet.java b/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedExtensionUploadServlet.java index be6ac999..0f7e4bc4 100644 --- a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedExtensionUploadServlet.java +++ b/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedExtensionUploadServlet.java @@ -105,15 +105,8 @@ protected void doPost(HttpServletRequest req, HttpServletResponse res) throws Se isConverted = true; } - try { - // Convert the file into gray scale image. - if (!isConverted) { - convert2GrayScale(new File(savePath + File.separator + fileName).getAbsolutePath()); - isConverted = true; - } - } catch (Exception e) { - // Log and ignore the exception - log.warn("Exception occurs: ", e); + if (!isConverted) { + isConverted = convert2GrayScale(new File(savePath + File.separator + fileName).getAbsolutePath()); } StringBuilder bodyHtml = new StringBuilder(); 
@@ -150,28 +143,41 @@ private String getFileName(final Part part) { } // Convert color image into gray scale image. - private void convert2GrayScale(String fileName) throws IOException { - BufferedImage image = ImageIO.read(new File(fileName)); + private boolean convert2GrayScale(String fileName) throws IOException { + boolean isConverted = false; + try { + // Convert the file into gray scale image. + BufferedImage image = ImageIO.read(new File(fileName)); + if (image == null) { + log.warn("Cannot read upload file as image file, file name: " + fileName); + return false; + } - // convert to gray scale - for (int y = 0; y < image.getHeight(); y++) { - for (int x = 0; x < image.getWidth(); x++) { - int p = image.getRGB(x, y); - int a = (p >> 24) & 0xff; - int r = (p >> 16) & 0xff; - int g = (p >> 8) & 0xff; - int b = p & 0xff; + // convert to gray scale + for (int y = 0; y < image.getHeight(); y++) { + for (int x = 0; x < image.getWidth(); x++) { + int p = image.getRGB(x, y); + int a = (p >> 24) & 0xff; + int r = (p >> 16) & 0xff; + int g = (p >> 8) & 0xff; + int b = p & 0xff; - // calculate average - int avg = (r + g + b) / 3; + // calculate average + int avg = (r + g + b) / 3; - // replace RGB value with avg - p = (a << 24) | (avg << 16) | (avg << 8) | avg; + // replace RGB value with avg + p = (a << 24) | (avg << 16) | (avg << 8) | avg; - image.setRGB(x, y, p); + image.setRGB(x, y, p); + } } + // Output the image + ImageIO.write(image, "png", new File(fileName)); + isConverted = true; + } catch (Exception e) { + // Log and ignore the exception + log.warn("Exception occurs: ", e); } - // Output the image - ImageIO.write(image, "png", new File(fileName)); + return isConverted; } } diff --git a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedSizeUploadServlet.java b/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedSizeUploadServlet.java index dff02824..fc4d3737 100644 
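Review bot: convert2GrayScale now catches `Exception` and returns false, so the `throws IOException` in its new signature can no longer be thrown and should be removed; the broad catch also hides programming errors (an NPE, say) behind the same warn line as I/O failures. Narrowing to `catch (IOException e)` keeps the intended recovery, and the `image == null` branch, returning false after a warn, is the right treatment of a non-image upload. The caller in doPost (the previous hunk) no longer wraps the call in a try, which is consistent with the method never throwing. The pixel loop runs over whatever dimensions the uploaded file declares; if no size limit applies upstream (outside the hunk), an explicit bound on `image.getWidth() * image.getHeight()` before the loop would keep one upload from occupying a worker for long.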
--- a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedSizeUploadServlet.java +++ b/src/main/java/org/t246osslab/easybuggy/vulnerabilities/UnrestrictedSizeUploadServlet.java @@ -8,6 +8,7 @@ import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; +import java.util.Arrays; import java.util.Locale; import javax.imageio.ImageIO; @@ -19,6 +20,7 @@ import javax.servlet.http.HttpServletResponse; import javax.servlet.http.Part; +import org.apache.commons.io.FilenameUtils; import org.apache.commons.lang.StringUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -101,15 +103,9 @@ protected void doPost(HttpServletRequest req, HttpServletResponse res) throws Se isConverted = true; } - try { - // Reverse the color of the upload image - if (!isConverted) { - reverseColor(new File(savePath + File.separator + fileName).getAbsolutePath()); - isConverted = true; - } - } catch (Exception e) { - // Log and ignore the exception - log.warn("Exception occurs: ", e); + // Reverse the color of the upload image + if (!isConverted) { + isConverted = reverseColor(new File(savePath + File.separator + fileName).getAbsolutePath()); } StringBuilder bodyHtml = new StringBuilder(); @@ -136,9 +132,8 @@ protected void doPost(HttpServletRequest req, HttpServletResponse res) throws Se } private boolean isImageFile(String fileName) { - return fileName.endsWith(".png") || fileName.endsWith(".gif") || fileName.endsWith(".jpg") - || fileName.endsWith(".jpeg") || fileName.endsWith(".tif") || fileName.endsWith(".tiff") - || fileName.endsWith(".bmp"); + return Arrays.asList(new String[] { "png", "gif", "jpg", "jpeg", "tif", "tiff", "bmp" }).contains( + FilenameUtils.getExtension(fileName)); } // Get file name from content-disposition filename 
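Review bot: `Arrays.asList(new String[] { ... })` inside isImageFile builds the list on every call; hoist it to `private static final List<String> IMAGE_EXTENSIONS = Arrays.asList("png", "gif", "jpg", "jpeg", "tif", "tiff", "bmp");` (needs `java.util.List`) and return `IMAGE_EXTENSIONS.contains(FilenameUtils.getExtension(fileName));`. The comparison stays case-sensitive as before, so `photo.PNG` is still rejected; `FilenameUtils.getExtension(fileName).toLowerCase(Locale.ROOT)` would accept it if that is wanted. As in the original, only the name is inspected, not the content, which is worth a one-line comment on the method. isImageFile is complete within the hunk.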
@@ -152,20 +147,28 @@ private String getFileName(final Part part) { } // Reverse the color of the image file - private void reverseColor(String fileName) throws IOException { - BufferedImage image = ImageIO.read(new File(fileName)); - WritableRaster raster = image.getRaster(); - int[] pixelBuffer = new int[raster.getNumDataElements()]; - for (int y = 0; y < raster.getHeight(); y++) { - for (int x = 0; x < raster.getWidth(); x++) { - raster.getPixel(x, y, pixelBuffer); - pixelBuffer[0] = ~pixelBuffer[0]; - pixelBuffer[1] = ~pixelBuffer[1]; - pixelBuffer[2] = ~pixelBuffer[2]; - raster.setPixel(x, y, pixelBuffer); + private boolean reverseColor(String fileName) throws IOException { + boolean isConverted = false; + try { + BufferedImage image = ImageIO.read(new File(fileName)); + WritableRaster raster = image.getRaster(); + int[] pixelBuffer = new int[raster.getNumDataElements()]; + for (int y = 0; y < raster.getHeight(); y++) { + for (int x = 0; x < raster.getWidth(); x++) { + raster.getPixel(x, y, pixelBuffer); + pixelBuffer[0] = ~pixelBuffer[0]; + pixelBuffer[1] = ~pixelBuffer[1]; + pixelBuffer[2] = ~pixelBuffer[2]; + raster.setPixel(x, y, pixelBuffer); + } } + // Output the image + ImageIO.write(image, "png", new File(fileName)); + isConverted = true; + } catch (Exception e) { + // Log and ignore the exception + log.warn("Exception occurs: ", e); } - // Output the image - ImageIO.write(image, "png", new File(fileName)); + return isConverted; } } diff --git a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/XEEandXXEServlet.java b/src/main/java/org/t246osslab/easybuggy/vulnerabilities/XEEandXXEServlet.java index 2e418a41..ded23dc1 100644 --- a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/XEEandXXEServlet.java +++ b/src/main/java/org/t246osslab/easybuggy/vulnerabilities/XEEandXXEServlet.java 
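Review bot: reverseColor calls `image.getRaster()` without the `ImageIO.read` null check that convert2GrayScale in UnrestrictedExtensionUploadServlet gained in this same commit, so a non-image upload throws an NPE that the new `catch (Exception e)` then logs as a generic warning. Add the same guard after the read: `if (image == null) { log.warn("Cannot read upload file as image file, file name: " + fileName); return false; }`. As in the sibling method, `throws IOException` is unreachable behind the broad catch and can be dropped, or the catch narrowed to `IOException`. reverseColor is complete within the hunk.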
@@ -186,9 +186,9 @@ protected void doPost(HttpServletRequest req, HttpServletResponse res) throws Se isRegistered = true; } - SAXParser parser; CustomHandler customHandler = new CustomHandler(); customHandler.setLocale(locale); + SAXParser parser; try { File file = new File(savePath + File.separator + fileName); SAXParserFactory spf = SAXParserFactory.newInstance(); @@ -201,8 +201,6 @@ protected void doPost(HttpServletRequest req, HttpServletResponse res) throws Se } parser = spf.newSAXParser(); parser.parse(file, customHandler); - - // TODO Implement registration isRegistered = true; } catch (ParserConfigurationException e) { log.error("ParserConfigurationException occurs: ", e); 
@@ -317,58 +315,63 @@ boolean isRegistered() { public String upsertUser(Attributes attributes, Locale locale) { PreparedStatement stmt = null; + PreparedStatement stmt2 = null; ResultSet rs = null; Connection conn = null; String resultMessage = null; try { - + conn = DBClient.getConnection(); conn.setAutoCommit(true); - + stmt = conn.prepareStatement("select * from users where id = ?"); stmt.setString(1, attributes.getValue("uid")); rs = stmt.executeQuery(); if (rs.next()) { - if (isInsert){ + if (isInsert) { return MessageUtils.getMsg("msg.user.already.exist", locale); } - }else{ - if (!isInsert){ + } else { + if (!isInsert) { return MessageUtils.getMsg("msg.user.not.exist", locale); } - } - if (isInsert){ - stmt = conn.prepareStatement("insert into users values (?, ?, ?, ?, ?, ?, ?)"); - stmt.setString(1, attributes.getValue("uid")); - stmt.setString(2, attributes.getValue("name")); - stmt.setString(3, attributes.getValue("password")); - stmt.setString(4, RandomStringUtils.randomNumeric(10)); - stmt.setString(5, "true"); - stmt.setString(6, attributes.getValue("phone")); - stmt.setString(7, attributes.getValue("mail")); - if (stmt.executeUpdate() != 1){ + } + if (isInsert) { + stmt2 = conn.prepareStatement("insert into users values (?, ?, ?, ?, ?, ?, ?)"); + stmt2.setString(1, attributes.getValue("uid")); + stmt2.setString(2, attributes.getValue("name")); + stmt2.setString(3, attributes.getValue("password")); + stmt2.setString(4, RandomStringUtils.randomNumeric(10)); + stmt2.setString(5, "true"); + stmt2.setString(6, attributes.getValue("phone")); + stmt2.setString(7, attributes.getValue("mail")); + if (stmt2.executeUpdate() != 1) { resultMessage = MessageUtils.getMsg("msg.user.already.exist", locale); } - }else{ - stmt = conn.prepareStatement("update users set name = ?, password = ?, phone = ?, mail = ? 
where id = ?"); - stmt.setString(1, attributes.getValue("name")); - stmt.setString(2, attributes.getValue("password")); - stmt.setString(3, attributes.getValue("phone")); - stmt.setString(4, attributes.getValue("mail")); - stmt.setString(5, attributes.getValue("uid")); - if (stmt.executeUpdate() != 1){ + } else { + stmt2 = conn + .prepareStatement("update users set name = ?, password = ?, phone = ?, mail = ? where id = ?"); + stmt2.setString(1, attributes.getValue("name")); + stmt2.setString(2, attributes.getValue("password")); + stmt2.setString(3, attributes.getValue("phone")); + stmt2.setString(4, attributes.getValue("mail")); + stmt2.setString(5, attributes.getValue("uid")); + if (stmt2.executeUpdate() != 1) { resultMessage = MessageUtils.getMsg("msg.user.not.exist", locale); } } } catch (SQLException e) { - resultMessage = MessageUtils.getMsg("msg.unknown.exception.occur", new String[]{e.getMessage()}, locale); + resultMessage = MessageUtils.getMsg("msg.unknown.exception.occur", new String[] { e.getMessage() }, + locale); log.error("SQLException occurs: ", e); } catch (Exception e) { - resultMessage = MessageUtils.getMsg("msg.unknown.exception.occur", new String[]{e.getMessage()}, locale); + resultMessage = MessageUtils.getMsg("msg.unknown.exception.occur", new String[] { e.getMessage() }, + locale); log.error("Exception occurs: ", e); } finally { Closer.close(rs); Closer.close(stmt); + Closer.close(stmt2); Closer.close(conn); } return resultMessage; diff --git a/src/main/resources/messages_en.properties b/src/main/resources/messages_en.properties index b6c66550..8fd62221 100644 --- a/src/main/resources/messages_en.properties +++ b/src/main/resources/messages_en.properties 
@@ -99,7 +99,7 @@ msg.enter.name.and.passwd=If you enter your name and password, then your secret
 msg.enter.name=Please enter your name.
 msg.enter.passwd=If you enter a new password and click the submit button, then your password will be changed.
 msg.enter.positive.number=Please enter a positive number.
-msg.enter.decimal.value=Please enter a decimal number less than 1.
+msg.enter.decimal.value=Please enter the absolute value of a decimal number less than 1.
 msg.enter.id.and.password=Please enter your user ID and password.
 msg.enter.string=Please enter a string.
 msg.error.user.not.exist=User does not exist or password does not match.
diff --git a/src/main/resources/messages_ja.properties b/src/main/resources/messages_ja.properties
index fb0411e2..39a299d6 100644
--- a/src/main/resources/messages_ja.properties
+++ b/src/main/resources/messages_ja.properties
@@ -99,7 +99,7 @@ msg.enter.name.and.passwd=\u540d\u524d\u3068\u30d1\u30b9\u30ef\u30fc\u30c9\u3092
 msg.enter.name=\u540d\u524d\u3092\u5165\u529b\u3057\u3066\u4e0b\u3055\u3044\u3002
 msg.enter.passwd=\u65b0\u3057\u3044\u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u5165\u529b\u3059\u308b\u3068\u3001\u30d1\u30b9\u30ef\u30fc\u30c9\u304c\u5909\u66f4\u3055\u308c\u307e\u3059\u3002
 msg.enter.positive.number=\u6b63\u306e\u6574\u6570\u3092\u5165\u529b\u3057\u3066\u4e0b\u3055\u3044\u3002
-msg.enter.decimal.value=1\u672a\u6e80\u306e\u5c0f\u6570\u3092\u5165\u529b\u3057\u3066\u4e0b\u3055\u3044\u3002
+msg.enter.decimal.value=\u7d76\u5bfe\u5024\u304c1\u672a\u6e80\u306e\u5c0f\u6570\u3092\u5165\u529b\u3057\u3066\u4e0b\u3055\u3044\u3002
 msg.enter.id.and.password=\u30e6\u30fc\u30b6\u30fcID\u3068\u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u5165\u529b\u3057\u3066\u4e0b\u3055\u3044\u3002
 msg.enter.string=\u6587\u5b57\u5217\u3092\u5165\u529b\u3057\u3066\u4e0b\u3055\u3044\u3002
 msg.error.user.not.exist=\u30e6\u30fc\u30b6\u30fc\u304c\u5b58\u5728\u3057\u306a\u3044\u304b\u3001\u30d1\u30b9\u30ef\u30fc\u30c9\u304c\u4e00\u81f4\u3057\u307e\u305b\u3093\u3002