Review

Detector:

Tikanga

Target:

project '

chensun

' version

cf23b99

Tags:

Potential Misuse

Anomaly identified by the detector. Please review whether this anomaly corresponds to a misuse.

Finding:	finding-0
In File:	database/SocialNetworkDatabasePosts.java
In Method:	authorizedFFAPost(Connection, String, int, String)
Code with Finding:	class SocialNetworkDatabasePosts { /** * AUTHORIZATION FUNCTION * Returns whether this user can go to/reply under the specified post # in the FFA board. * The user must be the post's author or have a privilege in the post. * Assumes post already exists. * AuthType = "view" or "reply". For view, merely checks that a priv exists. * For reply, checks that the priv is "viewpost" / public static Boolean authorizedFFAPost(Connection conn, String username, int postNum, String authType) { Boolean isPostCreator = isFFAPostCreator(conn, username, postNum); if (isPostCreator == null) { return null; } else if (isPostCreator.booleanValue()) { return new Boolean(true); } else { /Retrieve the privilege for a given post and user*/ PreparedStatement getPriv = null; String getPrivString = "SELECT privilege " + "FROM freeforall.postprivileges " + "WHERE pid = ? AND username = ?"; ResultSet privResult = null; Boolean authorized = null; try { getPriv = conn.prepareStatement(getPrivString); getPriv.setInt(1, postNum); getPriv.setString(2, username); privResult = getPriv.executeQuery(); //the privilege is at least View if (authType.equals("view")) { authorized = new Boolean(privResult.next()); } else if (authType.equals("reply")) { if (privResult.next()) { authorized = new Boolean(privResult.getString("privilege").equals("viewpost")); } else { authorized = new Boolean(false); } } } catch (SQLException e) { e.printStackTrace(); } finally { DBManager.closeResultSet(privResult); DBManager.closePreparedStatement(getPriv); } return authorized; } } }

Metadata

Hit	Rank	Confidence	Defect Indicator	Missing Properties	Present Properties	Supporting Objects	Violation Types
?	0	0.97	8.5	AG (ResultSet.next () : boolean @ (0) => EX EF EXC(SQLException): ResultSet.getString (String) : String @ (0)) AG (ResultSet.next () : boolean @ (0) => EX EF ResultSet.getString (String) : String @ (0))	AG (EXC(SQLException): ResultSet.next () : boolean @ (0) => AX AF DBManager.closeResultSet (ResultSet) : void @ (1)) AG (ResultSet.next () : boolean @ (0) => EX EF DBManager.closeResultSet (ResultSet) : void @ (1)) EF DBManager.closeResultSet (ResultSet) : void @ (1) EF ResultSet.next () : boolean @ (0) AG (EXC(SQLException): ResultSet.getString (String) : String @ (0) => EX EF DBManager.closeResultSet (ResultSet) : void @ (1)) EF EXC(SQLException): ResultSet.next () : boolean @ (0) AG (ResultSet.getString (String) : String @ (0) => EX EF DBManager.closeResultSet (ResultSet) : void @ (1)) EF EXC(SQLException): ResultSet.getString (String) : String @ (0) AG (ResultSet.getString (String) : String @ (0) => AX AF DBManager.closeResultSet (ResultSet) : void @ (1)) AG (EXC(SQLException): ResultSet.next () : boolean @ (0) => EX EF DBManager.closeResultSet (ResultSet) : void @ (1)) AG (ResultSet.next () : boolean @ (0) => AX AF DBManager.closeResultSet (ResultSet) : void @ (1)) EF ResultSet.getString (String) : String @ (0) AG (EXC(SQLException): ResultSet.getString (String) : String @ (0) => AX AF DBManager.closeResultSet (ResultSet) : void @ (1)) AF DBManager.closeResultSet (ResultSet) : void @ (1)	DatabaseAdmin.getAdmins (Connection) : List : var #4@ResultSet (line 950) DatabaseAdmin.changePassword (Connection, String, String) : int : var #4@ResultSet (line 196) DatabaseAdmin.getAdminsOfBoard (Connection, String) : List : var #5@ResultSet (line 861)