dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

#1045: Run build with Java 16

Browse Source
This commit is contained in:
Nanne Baars
2021-09-23 14:04:53 +02:00
parent 9af514f3eb
commit 04d1293a33
15 changed files with 126 additions and 148 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileZipSlip.java
View File

@ -7,14 +7,12 @@ import org.owasp.webgoat.session.WebSession;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.ResponseEntity;
import org.springframework.util.FileCopyUtils;
import org.springframework.util.FileSystemUtils;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.multipart.MultipartFile;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.CopyOption;
import java.nio.file.Files;
import java.nio.file.StandardCopyOption;
import java.util.Arrays;
@ -45,22 +43,21 @@ public class ProfileZipSlip extends ProfileUploadBase {
@SneakyThrows
private AttackResult processZipUpload(MultipartFile file) {
var tmpZipDirectory = new File(getWebGoatHomeDirectory(), "/PathTraversal/zip-slip/" + getWebSession().getUserName());
var tmpZipDirectory = Files.createTempDirectory(getWebSession().getUserName());
var uploadDirectory = new File(getWebGoatHomeDirectory(), "/PathTraversal/" + getWebSession().getUserName());
FileSystemUtils.deleteRecursively(uploadDirectory);
Files.createDirectories(tmpZipDirectory.toPath());
var currentImage = getProfilePictureAsBase64();
Files.createDirectories(uploadDirectory.toPath());
byte[] currentImage = getProfilePictureAsBase64();
try {
var uploadedZipFile = new File(tmpZipDirectory, file.getOriginalFilename());
FileCopyUtils.copy(file.getBytes(), uploadedZipFile);
var uploadedZipFile = tmpZipDirectory.resolve(file.getOriginalFilename());
FileCopyUtils.copy(file.getBytes(), uploadedZipFile.toFile());
ZipFile zip = new ZipFile(uploadedZipFile);
ZipFile zip = new ZipFile(uploadedZipFile.toFile());
Enumeration<? extends ZipEntry> entries = zip.entries();
while (entries.hasMoreElements()) {
ZipEntry e = entries.nextElement();
File f = new File(uploadDirectory, e.getName());
File f = new File(tmpZipDirectory.toFile(), e.getName());
InputStream is = zip.getInputStream(e);
Files.copy(is, f.toPath(), StandardCopyOption.REPLACE_EXISTING);
}

2
webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_zip_slip_solution.adoc
View File

@ -8,7 +8,7 @@ curl -o cat.jpg http://localhost:8080/WebGoat/images/cats/1.jpg
zip profile.zip cat.jpg
----
Now let's upload this as our profile image, we can see nothing happens as mentioned in the assignment there is a bug in the software and the result we see on the screen is:
Now let's upload this as our profile image, we can see nothing happens as mentioned in the assignment there is a bug in the software, and the result we see on the screen is:
[source]
----