#1045: Run build with Java 16

webgoat-lessons/cross-site-scripting/pom.xml

@@ -16,28 +16,4 @@
             <version>1.14.2</version>
         </dependency>
     </dependencies>
-    <build>
-       <plugins>
-           <plugin>
-               <groupId>org.asciidoctor</groupId>
-               <artifactId>asciidoctor-maven-plugin</artifactId>
-               <version>1.5.3</version>
-
-               <executions>
-                   <execution>
-                       <id>output-html</id>
-                       <phase>generate-resources</phase>
-                       <goals>
-                           <goal>process-asciidoc</goal>
-                       </goals>
-                       <configuration>
-                           <backend>html</backend>
-                           <sourceDirectory>src/main/resources/lessonPlans/en/</sourceDirectory>
-                       </configuration>
-                   </execution>
-
-               </executions>
-           </plugin>
-       </plugins>
-   </build>
 </project>

webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java

@@ -18,11 +18,11 @@ import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standal
 @ExtendWith(MockitoExtension.class)
 public class DeserializeTest extends AssignmentEndpointTest {
 
-	private MockMvc mockMvc;
-	
-	private static String OS = System.getProperty("os.name").toLowerCase();
-	
-	@BeforeEach
+    private MockMvc mockMvc;
+
+    private static String OS = System.getProperty("os.name").toLowerCase();
+
+    @BeforeEach
     public void setup() {
         InsecureDeserializationTask insecureTask = new InsecureDeserializationTask();
         init(insecureTask);
@@ -31,62 +31,60 @@ public class DeserializeTest extends AssignmentEndpointTest {
 
     @Test
     public void success() throws Exception {
-    	if (OS.indexOf("win")>-1) {
-    		mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
+        if (OS.indexOf("win") > -1) {
+            mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
                     .header("x-request-intercepted", "true")
                     .param("token", SerializationHelper.toString(new VulnerableTaskHolder("wait", "ping localhost -n 5"))))
-            		.andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)));
-    	} else {
-    		mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
-                .header("x-request-intercepted", "true")
-                .param("token", SerializationHelper.toString(new VulnerableTaskHolder("wait", "sleep 5"))))
-        		.andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)));
-    	}
+                    .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)));
+        } else {
+            mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
+                    .header("x-request-intercepted", "true")
+                    .param("token", SerializationHelper.toString(new VulnerableTaskHolder("wait", "sleep 5"))))
+                    .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)));
+        }
     }
-    
+
     @Test
     public void fail() throws Exception {
         mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
                 .header("x-request-intercepted", "true")
                 .param("token", SerializationHelper.toString(new VulnerableTaskHolder("delete", "rm *"))))
-        		.andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false)));
+                .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false)));
     }
-    
+
     @Test
     public void wrongVersion() throws Exception {
-    	String token = "rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAECAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfjCR4GIQgMLRSoeHQACmVjaG8gaGVsbG90AAhzYXlIZWxsbw";
+        String token = "rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAECAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfjCR4GIQgMLRSoeHQACmVjaG8gaGVsbG90AAhzYXlIZWxsbw";
         mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
                 .header("x-request-intercepted", "true")
                 .param("token", token))
-        		.andExpect(status().isOk())
+                .andExpect(status().isOk())
                 .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("insecure-deserialization.invalidversion"))))
-        		.andExpect(jsonPath("$.lessonCompleted", is(false)));
+                .andExpect(jsonPath("$.lessonCompleted", is(false)));
     }
-    
+
     @Test
     public void expiredTask() throws Exception {
-    	String token = "rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAICAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfjCR4IDC0YfvNIeHQACmVjaG8gaGVsbG90AAhzYXlIZWxsbw";
+        String token = "rO0ABXNyADFvcmcuZHVtbXkuaW5zZWN1cmUuZnJhbWV3b3JrLlZ1bG5lcmFibGVUYXNrSG9sZGVyAAAAAAAAAAICAANMABZyZXF1ZXN0ZWRFeGVjdXRpb25UaW1ldAAZTGphdmEvdGltZS9Mb2NhbERhdGVUaW1lO0wACnRhc2tBY3Rpb250ABJMamF2YS9sYW5nL1N0cmluZztMAAh0YXNrTmFtZXEAfgACeHBzcgANamF2YS50aW1lLlNlcpVdhLobIkiyDAAAeHB3DgUAAAfjCR4IDC0YfvNIeHQACmVjaG8gaGVsbG90AAhzYXlIZWxsbw";
         mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
                 .header("x-request-intercepted", "true")
                 .param("token", token))
-        		.andExpect(status().isOk())
+                .andExpect(status().isOk())
                 .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("insecure-deserialization.expired"))))
-        		.andExpect(jsonPath("$.lessonCompleted", is(false)));
+                .andExpect(jsonPath("$.lessonCompleted", is(false)));
     }
-    
 
-    
+
     @Test
     public void checkOtherObject() throws Exception {
-    	String token = "rO0ABXQAVklmIHlvdSBkZXNlcmlhbGl6ZSBtZSBkb3duLCBJIHNoYWxsIGJlY29tZSBtb3JlIHBvd2VyZnVsIHRoYW4geW91IGNhbiBwb3NzaWJseSBpbWFnaW5l";
-    	mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
+        String token = "rO0ABXQAVklmIHlvdSBkZXNlcmlhbGl6ZSBtZSBkb3duLCBJIHNoYWxsIGJlY29tZSBtb3JlIHBvd2VyZnVsIHRoYW4geW91IGNhbiBwb3NzaWJseSBpbWFnaW5l";
+        mockMvc.perform(MockMvcRequestBuilders.post("/InsecureDeserialization/task")
                 .header("x-request-intercepted", "true")
                 .param("token", token))
-        		.andExpect(status().isOk())
+                .andExpect(status().isOk())
                 .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("insecure-deserialization.stringobject"))))
-        		.andExpect(jsonPath("$.lessonCompleted", is(false)));
+                .andExpect(jsonPath("$.lessonCompleted", is(false)));
     }
-    
-    
+
 
 }

webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileZipSlip.java

@@ -7,14 +7,12 @@ import org.owasp.webgoat.session.WebSession;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.ResponseEntity;
 import org.springframework.util.FileCopyUtils;
-import org.springframework.util.FileSystemUtils;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.multipart.MultipartFile;
 
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
-import java.nio.file.CopyOption;
 import java.nio.file.Files;
 import java.nio.file.StandardCopyOption;
 import java.util.Arrays;
@@ -45,22 +43,21 @@ public class ProfileZipSlip extends ProfileUploadBase {
 
     @SneakyThrows
     private AttackResult processZipUpload(MultipartFile file) {
-        var tmpZipDirectory = new File(getWebGoatHomeDirectory(), "/PathTraversal/zip-slip/" + getWebSession().getUserName());
+        var tmpZipDirectory = Files.createTempDirectory(getWebSession().getUserName());
         var uploadDirectory = new File(getWebGoatHomeDirectory(), "/PathTraversal/" + getWebSession().getUserName());
-        FileSystemUtils.deleteRecursively(uploadDirectory);
-        Files.createDirectories(tmpZipDirectory.toPath());
+        var currentImage = getProfilePictureAsBase64();
+
         Files.createDirectories(uploadDirectory.toPath());
-        byte[] currentImage = getProfilePictureAsBase64();
 
         try {
-            var uploadedZipFile = new File(tmpZipDirectory, file.getOriginalFilename());
-            FileCopyUtils.copy(file.getBytes(), uploadedZipFile);
+            var uploadedZipFile = tmpZipDirectory.resolve(file.getOriginalFilename());
+            FileCopyUtils.copy(file.getBytes(), uploadedZipFile.toFile());
 
-            ZipFile zip = new ZipFile(uploadedZipFile);
+            ZipFile zip = new ZipFile(uploadedZipFile.toFile());
             Enumeration<? extends ZipEntry> entries = zip.entries();
             while (entries.hasMoreElements()) {
                 ZipEntry e = entries.nextElement();
-                File f = new File(uploadDirectory, e.getName());
+                File f = new File(tmpZipDirectory.toFile(), e.getName());
                 InputStream is = zip.getInputStream(e);
                 Files.copy(is, f.toPath(), StandardCopyOption.REPLACE_EXISTING);
             }

webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_zip_slip_solution.adoc

@@ -8,7 +8,7 @@ curl -o cat.jpg http://localhost:8080/WebGoat/images/cats/1.jpg
 zip profile.zip cat.jpg
 ----
 
-Now let's upload this as our profile image, we can see nothing happens as mentioned in the assignment there is a bug in the software and the result we see on the screen is:
+Now let's upload this as our profile image, we can see nothing happens as mentioned in the assignment there is a bug in the software, and the result we see on the screen is:
 
 [source]
 ----

webgoat-lessons/vulnerable-components/pom.xml

@@ -35,4 +35,20 @@
             <version>1.2</version>
         </dependency>
     </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <version>${maven-surefire-plugin.version}</version>
+                <configuration>
+                    <!-- Otherwise test will fail with JDK16 -->
+                    <argLine>
+                        --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED
+                    </argLine>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
 </project>

webgoat-lessons/xxe/pom.xml

@@ -11,21 +11,20 @@
 
     <dependencies>
         <dependency>
-            <groupId>commons-lang</groupId>
-            <artifactId>commons-lang</artifactId>
-            <version>2.6</version>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>${commons-lang3.version}</version>
         </dependency>
         <dependency>
             <groupId>org.glassfish.jaxb</groupId>
             <artifactId>jaxb-runtime</artifactId>
-            <version>2.3.0</version>
         </dependency>
 
         <dependency>
             <groupId>com.github.tomakehurst</groupId>
             <artifactId>wiremock</artifactId>
-            <version>2.27.2</version>
-        <scope>test</scope>
+            <scope>test</scope>
+            <version>${wiremock.version}</version>
         </dependency>
 
     </dependencies>

webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java

@@ -23,6 +23,7 @@
 package org.owasp.webgoat.xxe;
 
 import org.apache.commons.exec.OS;
+import org.apache.commons.lang3.exception.ExceptionUtils;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AttackResult;
@@ -67,17 +68,17 @@ public class ContentTypeAssignment extends AssignmentEndpoint {
         if (null != contentType && contentType.contains(MediaType.APPLICATION_XML_VALUE)) {
             String error = "";
             try {
-            	boolean secure = false;
-            	if (null != request.getSession().getAttribute("applySecurity")) {
-            		secure = true;
-            	}
+                boolean secure = false;
+                if (null != request.getSession().getAttribute("applySecurity")) {
+                    secure = true;
+                }
                 Comment comment = comments.parseXml(commentStr, secure);
                 comments.addComment(comment, false);
                 if (checkSolution(comment)) {
                     attackResult = success(this).build();
                 }
             } catch (Exception e) {
-                error = org.apache.commons.lang.exception.ExceptionUtils.getFullStackTrace(e);
+                error = ExceptionUtils.getStackTrace(e);
                 attackResult = failed(this).feedback("xxe.content.type.feedback.xml").output(error).build();
             }
         }
@@ -85,13 +86,13 @@ public class ContentTypeAssignment extends AssignmentEndpoint {
         return attackResult;
     }
 
-   private boolean checkSolution(Comment comment) {
-       String[] directoriesToCheck = OS.isFamilyMac() || OS.isFamilyUnix() ? DEFAULT_LINUX_DIRECTORIES : DEFAULT_WINDOWS_DIRECTORIES;
-       boolean success = false;
-       for (String directory : directoriesToCheck) {
-           success |= org.apache.commons.lang3.StringUtils.contains(comment.getText(), directory);
-       }
-       return success;
-   } 
+    private boolean checkSolution(Comment comment) {
+        String[] directoriesToCheck = OS.isFamilyMac() || OS.isFamilyUnix() ? DEFAULT_LINUX_DIRECTORIES : DEFAULT_WINDOWS_DIRECTORIES;
+        boolean success = false;
+        for (String directory : directoriesToCheck) {
+            success |= org.apache.commons.lang3.StringUtils.contains(comment.getText(), directory);
+        }
+        return success;
+    }
 
 }

webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java

@@ -23,7 +23,7 @@
 package org.owasp.webgoat.xxe;
 
 import org.apache.commons.exec.OS;
-import org.apache.commons.lang.exception.ExceptionUtils;
+import org.apache.commons.lang3.exception.ExceptionUtils;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AttackResult;
@@ -80,7 +80,7 @@ public class SimpleXXE extends AssignmentEndpoint {
                 return success(this).build();
             }
         } catch (Exception e) {
-            error = ExceptionUtils.getFullStackTrace(e);
+            error = ExceptionUtils.getStackTrace(e);
         }
         return failed(this).output(error).build();
     }