From 04d1293a33c04fa0a9812879952bccd7305a0ca5 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Thu, 23 Sep 2021 14:04:53 +0200 Subject: [PATCH] #1045: Run build with Java 16 --- docker/Dockerfile | 2 +- docker/start.sh | 2 + pom.xml | 21 +++---- webgoat-container/pom.xml | 10 +-- webgoat-integration-tests/pom.xml | 46 +++++++------- ...rsalTest.java => PathTraversalITTest.java} | 24 ++++--- .../resources/application-inttest.properties | 6 +- webgoat-lessons/cross-site-scripting/pom.xml | 24 ------- .../deserialization/DeserializeTest.java | 62 +++++++++---------- .../path_traversal/ProfileZipSlip.java | 17 +++-- .../en/PathTraversal_zip_slip_solution.adoc | 2 +- webgoat-lessons/vulnerable-components/pom.xml | 16 +++++ webgoat-lessons/xxe/pom.xml | 11 ++-- .../webgoat/xxe/ContentTypeAssignment.java | 27 ++++---- .../java/org/owasp/webgoat/xxe/SimpleXXE.java | 4 +- 15 files changed, 126 insertions(+), 148 deletions(-) rename webgoat-integration-tests/src/test/java/org/owasp/webgoat/{PathTraversalTest.java => PathTraversalITTest.java} (87%) diff --git a/docker/Dockerfile b/docker/Dockerfile index 3047632a2..1437def53 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -1,4 +1,4 @@ -FROM openjdk:15-slim +FROM openjdk:16-slim ARG webgoat_version=8.2.1-SNAPSHOT ENV webgoat_version_env=${webgoat_version} diff --git a/docker/start.sh b/docker/start.sh index 6f6b27ee7..c167d419b 100644 --- a/docker/start.sh +++ b/docker/start.sh @@ -8,9 +8,11 @@ echo "Starting WebGoat..." java \ -Duser.home=/home/webgoat \ -Dfile.encoding=UTF-8 \ + --add-opens java.base/java.lang=ALL-UNNAMED \ --add-opens java.base/java.util=ALL-UNNAMED \ --add-opens java.base/java.lang.reflect=ALL-UNNAMED \ --add-opens java.base/java.text=ALL-UNNAMED \ + --add-opens java.desktop/java.beans=ALL-UNNAMED \ --add-opens java.desktop/java.awt.font=ALL-UNNAMED \ --add-opens java.base/sun.nio.ch=ALL-UNNAMED \ --add-opens java.base/java.io=ALL-UNNAMED \ 
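Review bot: The two added `--add-opens` lines (`java.base/java.lang` and `java.desktop/java.beans`) carry no comment naming the dependency that needs deep reflection into those packages, so nobody can later tell when an entry may be dropped; on Java 16 (JEP 396) each such open hands every classpath jar the JDK-internal access that strong encapsulation just removed, so the list should stay minimal and justified per line. A header like `# --add-opens: Java 16 (JEP 396) denies illegal reflective access by default; each package below is opened for one named dependency — remove the entry once that dependency no longer needs it`, with the dependency named on each line, would do. The same list is maintained by hand a second and third time in the surefire `argLine` of webgoat-integration-tests/pom.xml and webgoat-lessons/vulnerable-components/pom.xml, and the three copies already disagree (`java.base/java.io` only here, four packages in vulnerable-components); a single property in the parent pom (say `webgoat.add-opens`, name constructed here) referenced from both argLines would stop that drift, leaving only this script as a separate copy.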
diff --git a/pom.xml b/pom.xml index 893e45538..4a337bdda 100644 --- a/pom.xml +++ b/pom.xml @@ -8,6 +8,12 @@ pom 8.2.1-SNAPSHOT + + org.springframework.boot + spring-boot-starter-parent + 2.5.4 + + WebGoat Parent Pom Parent Pom for the WebGoat Project. A deliberately insecure Web Application 2006 @@ -22,12 +28,6 @@ https://github.com/WebGoat/WebGoat/ - - org.springframework.boot - spring-boot-starter-parent - 2.4.3 - - GNU General Public License, version 2 @@ -122,22 +122,21 @@ 15 15 - - build - 1.1.1 + 2.5.2 3.2.1 - 3.4 + 3.12.0 2.6 30.1-jre 1.18.20 + 2.27.2 3.8.0 2.22.0 3.1.2 3.1.1 3.1.0 - 3.0.0-M4 + 3.0.0-M5 15 diff --git a/webgoat-container/pom.xml b/webgoat-container/pom.xml index ea83551ce..25cd764a3 100644 --- a/webgoat-container/pom.xml +++ b/webgoat-container/pom.xml @@ -17,13 +17,7 @@ org.apache.maven.plugins maven-surefire-plugin - - 0 - true - - --illegal-access=permit - - + ${maven-surefire-plugin.version} org.apache.maven.plugins @@ -70,7 +64,7 @@ org.asciidoctor asciidoctorj - 2.4.3 + ${asciidoctorj.version} org.springframework.boot diff --git a/webgoat-integration-tests/pom.xml b/webgoat-integration-tests/pom.xml index abd0f8e10..ff665b923 100644 --- a/webgoat-integration-tests/pom.xml +++ b/webgoat-integration-tests/pom.xml @@ -10,17 +10,17 @@ - + org.seleniumhq.selenium - selenium-java - test - - - io.github.bonigarcia - webdrivermanager - 4.3.1 - test - + selenium-java + test + + + io.github.bonigarcia + webdrivermanager + 4.3.1 + test + org.owasp.webgoat webgoat-server @@ -43,16 +43,16 @@ webwolf ${project.version} - - org.springframework.boot - spring-boot-starter-test - test - - - io.rest-assured - rest-assured - test - + + org.springframework.boot + spring-boot-starter-test + test + + + io.rest-assured + rest-assured + test + 
@@ -62,14 +62,12 @@ maven-surefire-plugin ${maven-surefire-plugin.version} - 0 - true + - --illegal-access=permit + --add-opens java.base/java.lang=ALL-UNNAMED --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.beans=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED --add-opens java.base/sun.nio.ch=ALL-UNNAMED - diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalITTest.java similarity index 87% rename from webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalTest.java rename to webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalITTest.java index d32ce336e..753b193d3 100644 --- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalTest.java +++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalITTest.java @@ -24,9 +24,8 @@ import java.util.zip.ZipOutputStream; import static org.junit.jupiter.api.DynamicTest.dynamicTest; -public class PathTraversalTest extends IntegrationTest { +class PathTraversalITTest extends IntegrationTest { - //the JUnit5 way @TempDir Path tempDir; @@ -35,8 +34,7 @@ public class PathTraversalTest extends IntegrationTest { @BeforeEach @SneakyThrows public void init() { - fileToUpload = Files.createFile( - tempDir.resolve("test.jpg")).toFile(); + fileToUpload = Files.createFile(tempDir.resolve("test.jpg")).toFile(); Files.write(fileToUpload.toPath(), "This is a test".getBytes()); startLesson("PathTraversal"); } @@ -52,7 +50,7 @@ public class PathTraversalTest extends IntegrationTest { ); } - public void assignment1() throws IOException { + private void assignment1() throws IOException { MatcherAssert.assertThat( RestAssured.given() .when() 
@@ -66,7 +64,7 @@ public class PathTraversalTest extends IntegrationTest { .extract().path("lessonCompleted"), CoreMatchers.is(true)); } - public void assignment2() throws IOException { + private void assignment2() throws IOException { MatcherAssert.assertThat( RestAssured.given() .when() @@ -80,7 +78,7 @@ public class PathTraversalTest extends IntegrationTest { .extract().path("lessonCompleted"), CoreMatchers.is(true)); } - public void assignment3() throws IOException { + private void assignment3() throws IOException { MatcherAssert.assertThat( RestAssured.given() .when() @@ -93,7 +91,7 @@ public class PathTraversalTest extends IntegrationTest { .extract().path("lessonCompleted"), CoreMatchers.is(true)); } - public void assignment4() throws IOException { + private void assignment4() throws IOException { var uri = "/WebGoat/PathTraversal/random-picture?id=%2E%2E%2F%2E%2E%2Fpath-traversal-secret"; RestAssured.given().urlEncodingEnabled(false) .when() 
@@ -102,17 +100,17 @@ public class PathTraversalTest extends IntegrationTest { .get(uri) .then() .statusCode(200) - .content(CoreMatchers.is("You found it submit the SHA-512 hash of your username as answer")); + .body(CoreMatchers.is("You found it submit the SHA-512 hash of your username as answer")); checkAssignment("/WebGoat/PathTraversal/random", Map.of("secret", Sha512DigestUtils.shaHex(getWebgoatUser())), true); } - public void assignment5() throws IOException { - var webGoatHome = System.getProperty("user.dir") + "/target/.webgoat/PathTraversal/" + getWebgoatUser(); + private void assignment5() throws IOException { + var webGoatHome = System.getProperty("java.io.tmpdir") + "/webgoat/PathTraversal/" + getWebgoatUser(); webGoatHome = webGoatHome.replaceAll("^[a-zA-Z]:", ""); //Remove C: from the home directory on Windows var webGoatDirectory = new File(webGoatHome); - var zipFile = new File(webGoatDirectory, "upload.zip"); + var zipFile = new File(tempDir.toFile(), "upload.zip"); try (var zos = new ZipOutputStream(new FileOutputStream(zipFile))) { ZipEntry e = new ZipEntry("../../../../../../../../../../" + webGoatDirectory.toString() + "/image.jpg"); zos.putNextEntry(e); @@ -132,7 +130,7 @@ public class PathTraversalTest extends IntegrationTest { } @AfterEach - public void shutdown() { + void shutdown() { //this will run only once after the list of dynamic tests has run, this is to test if the lesson is marked complete checkResults("/PathTraversal"); } diff --git a/webgoat-integration-tests/src/test/resources/application-inttest.properties b/webgoat-integration-tests/src/test/resources/application-inttest.properties index 4286e914f..a694bd592 100644 --- a/webgoat-integration-tests/src/test/resources/application-inttest.properties +++ b/webgoat-integration-tests/src/test/resources/application-inttest.properties 
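Review bot: In `assignment5` the new `webGoatHome` is built by concatenation, `System.getProperty("java.io.tmpdir") + "/webgoat/PathTraversal/" + getWebgoatUser()`, before the drive letter is stripped; `java.io.tmpdir` may itself end in a separator (it usually does on Windows), which puts a doubled separator into the `../../…` entry name derived from `webGoatDirectory.toString()`. Building it as `var webGoatHome = Path.of(System.getProperty("java.io.tmpdir"), "webgoat", "PathTraversal", getWebgoatUser()).toString().replaceAll("^[a-zA-Z]:", ""); //Remove C: from the home directory on Windows` normalizes that (`Path` is already imported for `tempDir`). The prefix must also stay equal to `webgoat.user.directory=${java.io.tmpdir}/webgoat` in application-inttest.properties, which nothing checks; a comment on this line naming that property would at least tie the two together. The rest of `assignment5` runs past the hunk.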
@@ -1,9 +1,9 @@ #In order to run tests a known temp directory is preferred #that is why these values are used -webgoat.user.directory=${user.dir}/target/.webgoat -webgoat.server.directory=${user.dir}/target/.webgoat -webwolf.fileserver.location=${user.dir}/target/webwolf-fileserver +webgoat.user.directory=${java.io.tmpdir}/webgoat +webgoat.server.directory=${java.io.tmpdir}/webgoat +webwolf.fileserver.location=${java.io.tmpdir}/webwolf-fileserver #database will get deleted for every mvn clean install #as these extra properties are read by WebGoat and WebWolf the drop of the tables diff --git a/webgoat-lessons/cross-site-scripting/pom.xml b/webgoat-lessons/cross-site-scripting/pom.xml index bc82c23fa..5bb02a9f2 100644 --- a/webgoat-lessons/cross-site-scripting/pom.xml +++ b/webgoat-lessons/cross-site-scripting/pom.xml @@ -16,28 +16,4 @@ 1.14.2 - - - - org.asciidoctor - asciidoctor-maven-plugin - 1.5.3 - - - - output-html - generate-resources - - process-asciidoc - - - html - src/main/resources/lessonPlans/en/ - - - - - - - \ No newline at end of file diff --git a/webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java b/webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java index 9a2ecec94..35ba51976 100644 --- a/webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java +++ b/webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java 
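Review bot: The context comment `#database will get deleted for every mvn clean install` right below the changed lines is no longer true: `${java.io.tmpdir}/webgoat` and `${java.io.tmpdir}/webwolf-fileserver` live outside `target/`, so `mvn clean` does not touch them and whatever an earlier run left there is picked up by the next one; the system temp directory is also shared between users of a machine, so the header `#In order to run tests a known temp directory is preferred` now describes a fixed, predictable and shared location rather than a per-build one. Replace the stale line with something like `#these directories are outside target/ and are NOT removed by mvn clean; stale data from an earlier run may persist`. Whether the following line about the table drop still holds after the move I cannot tell from the visible text, so it should be re-checked at the same time.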
@@ -18,11 +18,11 @@ import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standal @ExtendWith(MockitoExtension.class) public class DeserializeTest extends AssignmentEndpointTest { - private MockMvc mockMvc; - - private static String OS = System.getProperty("os.name").toLowerCase(); - - @BeforeEach + private MockMvc mockMvc; + + private static String OS = System.getProperty("os.name").toLowerCase(); + + @BeforeEach public void setup() { InsecureDeserializationTask insecureTask = new InsecureDeserializationTask(); init(insecureTask); 
@@ -31,62 +31,60 @@ public class DeserializeTest extends AssignmentEndpointTest { @Test public void success() throws Exception { - if (OS.indexOf("win")>-1) { - mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task") + if (OS.indexOf("win") > -1) { + mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task") .header("x-request-intercepted", "true") .param("token", SerializationHelper.toString(new VulnerableTaskHolder("wait", "ping localhost -n 5")))) - .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true))); - } else { - mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task") - .header("x-request-intercepted", "true") - .param("token", SerializationHelper.toString(new VulnerableTaskHolder("wait", "sleep 5")))) - .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true))); - } + .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true))); + } else { + mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task") + .header("x-request-intercepted", "true") + .param("token", SerializationHelper.toString(new VulnerableTaskHolder("wait", "sleep 5")))) + .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true))); + } } - + @Test public void fail() throws Exception { mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task") .header("x-request-intercepted", "true") .param("token", SerializationHelper.toString(new VulnerableTaskHolder("delete", "rm *")))) - .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false))); + .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false))); } - + @Test public void wrongVersion() throws Exception { - String token = 
"rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAECAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfjCR4GIQgMLRSoeHQACmVjaG8gaGVsbG90AAhzYXlIZWxsbw"; + String token = "rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAECAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfjCR4GIQgMLRSoeHQACmVjaG8gaGVsbG90AAhzYXlIZWxsbw"; mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task") .header("x-request-intercepted", "true") .param("token", token)) - .andExpect(status().isOk()) + .andExpect(status().isOk()) .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("insecure-deserialization.invalidversion")))) - .andExpect(jsonPath("$.lessonCompleted", is(false))); + .andExpect(jsonPath("$.lessonCompleted", is(false))); } - + @Test public void expiredTask() throws Exception { - String token = "rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAICAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfjCR4IDC0YfvNIeHQACmVjaG8gaGVsbG90AAhzYXlIZWxsbw"; + String token = "rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAICAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfjCR4IDC0YfvNIeHQACmVjaG8gaGVsbG90AAhzYXlIZWxsbw"; mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task") .header("x-request-intercepted", "true") .param("token", token)) 
- .andExpect(status().isOk()) + .andExpect(status().isOk()) .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("insecure-deserialization.expired")))) - .andExpect(jsonPath("$.lessonCompleted", is(false))); + .andExpect(jsonPath("$.lessonCompleted", is(false))); } - - + @Test public void checkOtherObject() throws Exception { - String token = "rO0ABXQAVklmIHlvdSBkZXNlcmlhbGl6ZSBtZSBkb3duLCBJIHNoYWxsIGJlY29tZSBtb3JlIHBvd2VyZnVsIHRoYW4geW91IGNhbiBwb3NzaWJseSBpbWFnaW5l"; - mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task") + String token = "rO0ABXQAVklmIHlvdSBkZXNlcmlhbGl6ZSBtZSBkb3duLCBJIHNoYWxsIGJlY29tZSBtb3JlIHBvd2VyZnVsIHRoYW4geW91IGNhbiBwb3NzaWJseSBpbWFnaW5l"; + mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task") .header("x-request-intercepted", "true") .param("token", token)) - .andExpect(status().isOk()) + .andExpect(status().isOk()) .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("insecure-deserialization.stringobject")))) - .andExpect(jsonPath("$.lessonCompleted", is(false))); + .andExpect(jsonPath("$.lessonCompleted", is(false))); } - - + } \ No newline at end of file diff --git a/webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileZipSlip.java b/webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileZipSlip.java index 7bf9239bf..e119a1f4e 100644 --- a/webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileZipSlip.java +++ b/webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileZipSlip.java 
@@ -7,14 +7,12 @@ import org.owasp.webgoat.session.WebSession;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.ResponseEntity;
 import org.springframework.util.FileCopyUtils;
-import org.springframework.util.FileSystemUtils;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.multipart.MultipartFile;
 
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
-import java.nio.file.CopyOption;
 import java.nio.file.Files;
 import java.nio.file.StandardCopyOption;
 import java.util.Arrays;
@@ -45,22 +43,21 @@ public class ProfileZipSlip extends ProfileUploadBase { @SneakyThrows private AttackResult processZipUpload(MultipartFile file) { - var tmpZipDirectory = new File(getWebGoatHomeDirectory(), "/PathTraversal/zip-slip/" + getWebSession().getUserName()); + var tmpZipDirectory = Files.createTempDirectory(getWebSession().getUserName()); var uploadDirectory = new File(getWebGoatHomeDirectory(), "/PathTraversal/" + getWebSession().getUserName()); - FileSystemUtils.deleteRecursively(uploadDirectory); - Files.createDirectories(tmpZipDirectory.toPath()); + var currentImage = getProfilePictureAsBase64(); + Files.createDirectories(uploadDirectory.toPath()); - byte[] currentImage = getProfilePictureAsBase64(); try { - var uploadedZipFile = new File(tmpZipDirectory, file.getOriginalFilename()); - FileCopyUtils.copy(file.getBytes(), uploadedZipFile); + var uploadedZipFile = tmpZipDirectory.resolve(file.getOriginalFilename()); + FileCopyUtils.copy(file.getBytes(), uploadedZipFile.toFile()); - ZipFile zip = new ZipFile(uploadedZipFile); + ZipFile zip = new ZipFile(uploadedZipFile.toFile()); Enumeration entries = zip.entries(); while (entries.hasMoreElements()) { ZipEntry e = entries.nextElement(); - File f = new File(uploadDirectory, e.getName()); + File f = new File(tmpZipDirectory.toFile(), e.getName()); InputStream is = zip.getInputStream(e); Files.copy(is, f.toPath(), StandardCopyOption.REPLACE_EXISTING); } diff --git a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_zip_slip_solution.adoc b/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_zip_slip_solution.adoc index dc55affce..bb909b1d8 100644 --- a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_zip_slip_solution.adoc +++ b/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_zip_slip_solution.adoc 
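Review bot: The new `tmpZipDirectory` from `Files.createTempDirectory(getWebSession().getUserName())` is never deleted: the old `FileSystemUtils.deleteRecursively(uploadDirectory)` call was removed and nothing replaces it, so every upload leaves a fresh directory holding the copied zip and its extracted entries under `java.io.tmpdir`. Delete it in a `finally` on the enclosing `try` (its catch and the rest of the method are outside this hunk); that needs the `FileSystemUtils` import this commit drops, or an equivalent walk-and-delete. On the new `ZipFile zip = new ZipFile(uploadedZipFile.toFile());` line the `ZipFile` is never closed and neither is each `InputStream` from `zip.getInputStream(e)`, which leaks file handles and on Windows keeps the zip locked so the cleanup above would fail; both are `AutoCloseable`, as sketched below. Separately, Spring documents that `file.getOriginalFilename()` may carry client-supplied path segments, so `tmpZipDirectory.resolve(...)` can land outside the temp directory; since this lesson's intended weakness is the zip entry name, resolving only `Path.of(name).getFileName()` (import needed) would keep the copied zip where it belongs.
```java
            var uploadedZipFile = tmpZipDirectory.resolve(file.getOriginalFilename());
            FileCopyUtils.copy(file.getBytes(), uploadedZipFile.toFile());

            try (var zip = new ZipFile(uploadedZipFile.toFile())) {
                var entries = zip.entries();
                while (entries.hasMoreElements()) {
                    ZipEntry e = entries.nextElement();
                    File f = new File(tmpZipDirectory.toFile(), e.getName());
                    try (InputStream is = zip.getInputStream(e)) {
                        Files.copy(is, f.toPath(), StandardCopyOption.REPLACE_EXISTING);
                    }
                }
            }
            // … unchanged: remainder of the try block and its catch, outside this hunk …
```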
@@ -8,7 +8,7 @@ curl -o cat.jpg http://localhost:8080/WebGoat/images/cats/1.jpg zip profile.zip cat.jpg ---- -Now let's upload this as our profile image, we can see nothing happens as mentioned in the assignment there is a bug in the software and the result we see on the screen is: +Now let's upload this as our profile image, we can see nothing happens as mentioned in the assignment there is a bug in the software, and the result we see on the screen is: [source] ---- diff --git a/webgoat-lessons/vulnerable-components/pom.xml b/webgoat-lessons/vulnerable-components/pom.xml index f16525506..7bc052d21 100644 --- a/webgoat-lessons/vulnerable-components/pom.xml +++ b/webgoat-lessons/vulnerable-components/pom.xml @@ -35,4 +35,20 @@ 1.2 + + + + + org.apache.maven.plugins + maven-surefire-plugin + ${maven-surefire-plugin.version} + + + + --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED + + + + + diff --git a/webgoat-lessons/xxe/pom.xml b/webgoat-lessons/xxe/pom.xml index 758b560f1..856f225c4 100644 --- a/webgoat-lessons/xxe/pom.xml +++ b/webgoat-lessons/xxe/pom.xml @@ -11,21 +11,20 @@ - commons-lang - commons-lang - 2.6 + org.apache.commons + commons-lang3 + ${commons-lang3.version} org.glassfish.jaxb jaxb-runtime - 2.3.0 com.github.tomakehurst wiremock - 2.27.2 - test + test + ${wiremock.version} diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java index c627d727f..4283c2895 100644 --- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java +++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java 
@@ -23,6 +23,7 @@ package org.owasp.webgoat.xxe; import org.apache.commons.exec.OS; +import org.apache.commons.lang3.exception.ExceptionUtils; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentHints; import org.owasp.webgoat.assignments.AttackResult; @@ -67,17 +68,17 @@ public class ContentTypeAssignment extends AssignmentEndpoint { if (null != contentType && contentType.contains(MediaType.APPLICATION_XML_VALUE)) { String error = ""; try { - boolean secure = false; - if (null != request.getSession().getAttribute("applySecurity")) { - secure = true; - } + boolean secure = false; + if (null != request.getSession().getAttribute("applySecurity")) { + secure = true; + } Comment comment = comments.parseXml(commentStr, secure); comments.addComment(comment, false); if (checkSolution(comment)) { attackResult = success(this).build(); } } catch (Exception e) { - error = org.apache.commons.lang.exception.ExceptionUtils.getFullStackTrace(e); + error = ExceptionUtils.getStackTrace(e); attackResult = failed(this).feedback("xxe.content.type.feedback.xml").output(error).build(); } } @@ -85,13 +86,13 @@ public class ContentTypeAssignment extends AssignmentEndpoint { return attackResult; } - private boolean checkSolution(Comment comment) { - String[] directoriesToCheck = OS.isFamilyMac() || OS.isFamilyUnix() ? DEFAULT_LINUX_DIRECTORIES : DEFAULT_WINDOWS_DIRECTORIES; - boolean success = false; - for (String directory : directoriesToCheck) { - success |= org.apache.commons.lang3.StringUtils.contains(comment.getText(), directory); - } - return success; - } + private boolean checkSolution(Comment comment) { + String[] directoriesToCheck = OS.isFamilyMac() || OS.isFamilyUnix() ? DEFAULT_LINUX_DIRECTORIES : DEFAULT_WINDOWS_DIRECTORIES; + boolean success = false; + for (String directory : directoriesToCheck) { + success |= org.apache.commons.lang3.StringUtils.contains(comment.getText(), directory); + } + return success; + } } 
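Review bot: The reindented `secure` block in the second hunk, `boolean secure = false; if (null != request.getSession().getAttribute("applySecurity")) { secure = true; }`, is three statements for one boolean and is a point of style now that those lines are being touched anyway: `boolean secure = request.getSession().getAttribute("applySecurity") != null;`. In `checkSolution` the fully qualified `org.apache.commons.lang3.StringUtils.contains(...)` now sits next to the newly imported `org.apache.commons.lang3.exception.ExceptionUtils`; importing `StringUtils` the same way keeps the file consistent. The handler method around the `secure` block starts before the hunk; `checkSolution` is complete within it.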
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java index 30930c97d..888bb25d3 100644 --- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java +++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java @@ -23,7 +23,7 @@ package org.owasp.webgoat.xxe; import org.apache.commons.exec.OS; -import org.apache.commons.lang.exception.ExceptionUtils; +import org.apache.commons.lang3.exception.ExceptionUtils; import org.owasp.webgoat.assignments.AssignmentEndpoint; import org.owasp.webgoat.assignments.AssignmentHints; import org.owasp.webgoat.assignments.AttackResult; @@ -80,7 +80,7 @@ public class SimpleXXE extends AssignmentEndpoint { return success(this).build(); } } catch (Exception e) { - error = ExceptionUtils.getFullStackTrace(e); + error = ExceptionUtils.getStackTrace(e); } return failed(this).output(error).build(); }