#1045: Run build with Java 16

2021-09-23 14:04:53 +02:00 · 2021-09-23 14:04:53 +02:00 · 04d1293a33
commit 04d1293a33
parent 9af514f3eb
15 changed files with 126 additions and 148 deletions
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@ -1,4 +1,4 @@
-FROM openjdk:15-slim
+FROM openjdk:16-slim
 ARG webgoat_version=8.2.1-SNAPSHOT
 ENV webgoat_version_env=${webgoat_version}
--- a/docker/start.sh
+++ b/docker/start.sh
@ -8,9 +8,11 @@ echo "Starting WebGoat..."
 java \
 -Duser.home=/home/webgoat \
 -Dfile.encoding=UTF-8 \
 --add-opens java.base/java.lang=ALL-UNNAMED \
 --add-opens java.base/java.util=ALL-UNNAMED \
 --add-opens java.base/java.lang.reflect=ALL-UNNAMED \
 --add-opens java.base/java.text=ALL-UNNAMED \
 --add-opens java.desktop/java.beans=ALL-UNNAMED \
 --add-opens java.desktop/java.awt.font=ALL-UNNAMED \
 --add-opens java.base/sun.nio.ch=ALL-UNNAMED \
 --add-opens java.base/java.io=ALL-UNNAMED \
--- a/pom.xml
+++ b/pom.xml
@ -8,6 +8,12 @@
    <packaging>pom</packaging>
    <version>8.2.1-SNAPSHOT</version>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.5.4</version>
    </parent>
    <name>WebGoat Parent Pom</name>
    <description>Parent Pom for the WebGoat Project. A deliberately insecure Web Application</description>
    <inceptionYear>2006</inceptionYear>
@ -22,12 +28,6 @@
        <url>https://github.com/WebGoat/WebGoat/</url>
    </organization>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.4.3</version>
    </parent>
    <licenses>
        <license>
            <name>GNU General Public License, version 2</name>
@ -122,22 +122,21 @@
        <maven.compiler.source>15</maven.compiler.source>
        <maven.compiler.target>15</maven.compiler.target>
        <!-- This build number will be ubdated by Travis-CI -->
        <build.number>build</build.number>
        <!-- Shared properties with plugins and version numbers across submodules-->
        <activation.version>1.1.1</activation.version>
        <asciidoctorj.version>2.5.2</asciidoctorj.version>
        <commons-collections.version>3.2.1</commons-collections.version>
-        <commons-lang3.version>3.4</commons-lang3.version>
+        <commons-lang3.version>3.12.0</commons-lang3.version>
        <commons-io.version>2.6</commons-io.version>
        <guava.version>30.1-jre</guava.version>
        <lombok.version>1.18.20</lombok.version>
        <wiremock.version>2.27.2</wiremock.version>
        <maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version>
        <maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version>
        <maven-jar-plugin.version>3.1.2</maven-jar-plugin.version>
        <maven-javadoc-plugin.version>3.1.1</maven-javadoc-plugin.version>
        <maven-source-plugin.version>3.1.0</maven-source-plugin.version>
-        <maven-surefire-plugin.version>3.0.0-M4</maven-surefire-plugin.version>
+        <maven-surefire-plugin.version>3.0.0-M5</maven-surefire-plugin.version>
        <java.version>15</java.version>
    </properties>
--- a/webgoat-container/pom.xml
+++ b/webgoat-container/pom.xml
@ -17,13 +17,7 @@
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-surefire-plugin</artifactId>
-                <configuration>
+                <version>${maven-surefire-plugin.version}</version>
                    <forkCount>0</forkCount>
                    <reuseForks>true</reuseForks>
                    <argLine>
                        --illegal-access=permit
                    </argLine>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
@ -70,7 +64,7 @@
        <dependency>
            <groupId>org.asciidoctor</groupId>
            <artifactId>asciidoctorj</artifactId>
-            <version>2.4.3</version>
+            <version>${asciidoctorj.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
--- a/webgoat-integration-tests/pom.xml
+++ b/webgoat-integration-tests/pom.xml
@ -62,14 +62,12 @@
                <artifactId>maven-surefire-plugin</artifactId>
                <version>${maven-surefire-plugin.version}</version>
                <configuration>
-                    <forkCount>0</forkCount>
+                    <!-- Otherwise test will fail with JDK16 -->
                    <reuseForks>true</reuseForks>
                    <argLine>
-                        --illegal-access=permit
+                        --add-opens java.base/java.lang=ALL-UNNAMED --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.beans=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED --add-opens java.base/sun.nio.ch=ALL-UNNAMED
                    </argLine>
                </configuration>
            </plugin>
        </plugins>
    </build>
 </project>
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalITTest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalITTest.java
@ -24,9 +24,8 @@ import java.util.zip.ZipOutputStream;
 import static org.junit.jupiter.api.DynamicTest.dynamicTest;
-public class PathTraversalTest extends IntegrationTest {
+class PathTraversalITTest extends IntegrationTest {
    //the JUnit5 way
    @TempDir
    Path tempDir;
@ -35,8 +34,7 @@ public class PathTraversalTest extends IntegrationTest {
    @BeforeEach
    @SneakyThrows
    public void init() {
-        fileToUpload = Files.createFile(
+        fileToUpload = Files.createFile(tempDir.resolve("test.jpg")).toFile();
                tempDir.resolve("test.jpg")).toFile();
        Files.write(fileToUpload.toPath(), "This is a test".getBytes());
        startLesson("PathTraversal");
    }
@ -52,7 +50,7 @@ public class PathTraversalTest extends IntegrationTest {
        );
    }
-    public void assignment1() throws IOException {
+    private void assignment1() throws IOException {
        MatcherAssert.assertThat(
                RestAssured.given()
                        .when()
@ -66,7 +64,7 @@ public class PathTraversalTest extends IntegrationTest {
                        .extract().path("lessonCompleted"), CoreMatchers.is(true));
    }
-    public void assignment2() throws IOException {
+    private void assignment2() throws IOException {
        MatcherAssert.assertThat(
                RestAssured.given()
                        .when()
@ -80,7 +78,7 @@ public class PathTraversalTest extends IntegrationTest {
                        .extract().path("lessonCompleted"), CoreMatchers.is(true));
    }
-    public void assignment3() throws IOException {
+    private void assignment3() throws IOException {
        MatcherAssert.assertThat(
                RestAssured.given()
                        .when()
@ -93,7 +91,7 @@ public class PathTraversalTest extends IntegrationTest {
                        .extract().path("lessonCompleted"), CoreMatchers.is(true));
    }
-    public void assignment4() throws IOException {
+    private void assignment4() throws IOException {
        var uri = "/WebGoat/PathTraversal/random-picture?id=%2E%2E%2F%2E%2E%2Fpath-traversal-secret";
        RestAssured.given().urlEncodingEnabled(false)
                .when()
@ -102,17 +100,17 @@ public class PathTraversalTest extends IntegrationTest {
                .get(uri)
                .then()
                .statusCode(200)
-                .content(CoreMatchers.is("You found it submit the SHA-512 hash of your username as answer"));
+                .body(CoreMatchers.is("You found it submit the SHA-512 hash of your username as answer"));
        checkAssignment("/WebGoat/PathTraversal/random", Map.of("secret", Sha512DigestUtils.shaHex(getWebgoatUser())), true);
    }
-    public void assignment5() throws IOException {
+    private void assignment5() throws IOException {
-        var webGoatHome = System.getProperty("user.dir") + "/target/.webgoat/PathTraversal/" + getWebgoatUser();
+        var webGoatHome = System.getProperty("java.io.tmpdir") + "/webgoat/PathTraversal/" + getWebgoatUser();
        webGoatHome = webGoatHome.replaceAll("^[a-zA-Z]:", ""); //Remove C: from the home directory on Windows
        var webGoatDirectory = new File(webGoatHome);
-        var zipFile = new File(webGoatDirectory, "upload.zip");
+        var zipFile = new File(tempDir.toFile(), "upload.zip");
        try (var zos = new ZipOutputStream(new FileOutputStream(zipFile))) {
            ZipEntry e = new ZipEntry("../../../../../../../../../../" + webGoatDirectory.toString() + "/image.jpg");
            zos.putNextEntry(e);
@ -132,7 +130,7 @@ public class PathTraversalTest extends IntegrationTest {
    }
    @AfterEach
-    public void shutdown() {
+    void shutdown() {
        //this will run only once after the list of dynamic tests has run, this is to test if the lesson is marked complete
        checkResults("/PathTraversal");
    }
--- a/webgoat-integration-tests/src/test/resources/application-inttest.properties
+++ b/webgoat-integration-tests/src/test/resources/application-inttest.properties
@ -1,9 +1,9 @@
 #In order to run tests a known temp directory is preferred
 #that is why these values are used
-webgoat.user.directory=${user.dir}/target/.webgoat
+webgoat.user.directory=${java.io.tmpdir}/webgoat
-webgoat.server.directory=${user.dir}/target/.webgoat
+webgoat.server.directory=${java.io.tmpdir}/webgoat
-webwolf.fileserver.location=${user.dir}/target/webwolf-fileserver
+webwolf.fileserver.location=${java.io.tmpdir}/webwolf-fileserver
 #database will get deleted for every mvn clean install
 #as these extra properties are read by WebGoat and WebWolf the drop of the tables 
--- a/webgoat-lessons/cross-site-scripting/pom.xml
+++ b/webgoat-lessons/cross-site-scripting/pom.xml
@ -16,28 +16,4 @@
            <version>1.14.2</version>
        </dependency>
    </dependencies>
    <build>
       <plugins>
           <plugin>
               <groupId>org.asciidoctor</groupId>
               <artifactId>asciidoctor-maven-plugin</artifactId>
               <version>1.5.3</version>
               <executions>
                   <execution>
                       <id>output-html</id>
                       <phase>generate-resources</phase>
                       <goals>
                           <goal>process-asciidoc</goal>
                       </goals>
                       <configuration>
                           <backend>html</backend>
                           <sourceDirectory>src/main/resources/lessonPlans/en/</sourceDirectory>
                       </configuration>
                   </execution>
               </executions>
           </plugin>
       </plugins>
   </build>
 </project>
--- a/webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java
+++ b/webgoat-lessons/insecure-deserialization/src/test/java/org/owasp/webgoat/deserialization/DeserializeTest.java
@ -75,7 +75,6 @@ public class DeserializeTest extends AssignmentEndpointTest {
    }
    @Test
    public void checkOtherObject() throws Exception {
        String token = "rO0ABXQAVklmIHlvdSBkZXNlcmlhbGl6ZSBtZSBkb3duLCBJIHNoYWxsIGJlY29tZSBtb3JlIHBvd2VyZnVsIHRoYW4geW91IGNhbiBwb3NzaWJseSBpbWFnaW5l";
@ -88,5 +87,4 @@ public class DeserializeTest extends AssignmentEndpointTest {
    }
 }
--- a/webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileZipSlip.java
+++ b/webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileZipSlip.java
@ -7,14 +7,12 @@ import org.owasp.webgoat.session.WebSession;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.ResponseEntity;
 import org.springframework.util.FileCopyUtils;
 import org.springframework.util.FileSystemUtils;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.multipart.MultipartFile;
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.nio.file.CopyOption;
 import java.nio.file.Files;
 import java.nio.file.StandardCopyOption;
 import java.util.Arrays;
@ -45,22 +43,21 @@ public class ProfileZipSlip extends ProfileUploadBase {
    @SneakyThrows
    private AttackResult processZipUpload(MultipartFile file) {
-        var tmpZipDirectory = new File(getWebGoatHomeDirectory(), "/PathTraversal/zip-slip/" + getWebSession().getUserName());
+        var tmpZipDirectory = Files.createTempDirectory(getWebSession().getUserName());
        var uploadDirectory = new File(getWebGoatHomeDirectory(), "/PathTraversal/" + getWebSession().getUserName());
-        FileSystemUtils.deleteRecursively(uploadDirectory);
+        var currentImage = getProfilePictureAsBase64();
-        Files.createDirectories(tmpZipDirectory.toPath());
+
        Files.createDirectories(uploadDirectory.toPath());
        byte[] currentImage = getProfilePictureAsBase64();
        try {
-            var uploadedZipFile = new File(tmpZipDirectory, file.getOriginalFilename());
+            var uploadedZipFile = tmpZipDirectory.resolve(file.getOriginalFilename());
-            FileCopyUtils.copy(file.getBytes(), uploadedZipFile);
+            FileCopyUtils.copy(file.getBytes(), uploadedZipFile.toFile());
-            ZipFile zip = new ZipFile(uploadedZipFile);
+            ZipFile zip = new ZipFile(uploadedZipFile.toFile());
            Enumeration<? extends ZipEntry> entries = zip.entries();
            while (entries.hasMoreElements()) {
                ZipEntry e = entries.nextElement();
-                File f = new File(uploadDirectory, e.getName());
+                File f = new File(tmpZipDirectory.toFile(), e.getName());
                InputStream is = zip.getInputStream(e);
                Files.copy(is, f.toPath(), StandardCopyOption.REPLACE_EXISTING);
            }
--- a/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_zip_slip_solution.adoc
+++ b/webgoat-lessons/path-traversal/src/main/resources/lessonPlans/en/PathTraversal_zip_slip_solution.adoc
@ -8,7 +8,7 @@ curl -o cat.jpg http://localhost:8080/WebGoat/images/cats/1.jpg
 zip profile.zip cat.jpg
 ----
-Now let's upload this as our profile image, we can see nothing happens as mentioned in the assignment there is a bug in the software and the result we see on the screen is:
+Now let's upload this as our profile image, we can see nothing happens as mentioned in the assignment there is a bug in the software, and the result we see on the screen is:
 [source]
 ----
--- a/webgoat-lessons/vulnerable-components/pom.xml
+++ b/webgoat-lessons/vulnerable-components/pom.xml
@ -35,4 +35,20 @@
            <version>1.2</version>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-surefire-plugin</artifactId>
                <version>${maven-surefire-plugin.version}</version>
                <configuration>
                    <!-- Otherwise test will fail with JDK16 -->
                    <argLine>
                        --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED --add-opens java.base/java.text=ALL-UNNAMED --add-opens java.desktop/java.awt.font=ALL-UNNAMED
                    </argLine>
                </configuration>
            </plugin>
        </plugins>
    </build>
 </project>
--- a/webgoat-lessons/xxe/pom.xml
+++ b/webgoat-lessons/xxe/pom.xml
@ -11,21 +11,20 @@
    <dependencies>
        <dependency>
-            <groupId>commons-lang</groupId>
+            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-lang</artifactId>
+            <artifactId>commons-lang3</artifactId>
-            <version>2.6</version>
+            <version>${commons-lang3.version}</version>
        </dependency>
        <dependency>
            <groupId>org.glassfish.jaxb</groupId>
            <artifactId>jaxb-runtime</artifactId>
            <version>2.3.0</version>
        </dependency>
        <dependency>
            <groupId>com.github.tomakehurst</groupId>
            <artifactId>wiremock</artifactId>
            <version>2.27.2</version>
            <scope>test</scope>
            <version>${wiremock.version}</version>
        </dependency>
    </dependencies>
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java
@ -23,6 +23,7 @@
 package org.owasp.webgoat.xxe;
 import org.apache.commons.exec.OS;
 import org.apache.commons.lang3.exception.ExceptionUtils;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AttackResult;
@ -77,7 +78,7 @@ public class ContentTypeAssignment extends AssignmentEndpoint {
                    attackResult = success(this).build();
                }
            } catch (Exception e) {
-                error = org.apache.commons.lang.exception.ExceptionUtils.getFullStackTrace(e);
+                error = ExceptionUtils.getStackTrace(e);
                attackResult = failed(this).feedback("xxe.content.type.feedback.xml").output(error).build();
            }
        }
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java
@ -23,7 +23,7 @@
 package org.owasp.webgoat.xxe;
 import org.apache.commons.exec.OS;
-import org.apache.commons.lang.exception.ExceptionUtils;
+import org.apache.commons.lang3.exception.ExceptionUtils;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AttackResult;
@ -80,7 +80,7 @@ public class SimpleXXE extends AssignmentEndpoint {
                return success(this).build();
            }
        } catch (Exception e) {
-            error = ExceptionUtils.getFullStackTrace(e);
+            error = ExceptionUtils.getStackTrace(e);
        }
        return failed(this).output(error).build();
    }