dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge tag '8.0.0' into develop

Browse Source 
Release 8.0.0
This commit is contained in:
nbaars
2017-12-30 16:52:24 +01:00
parent a11e6911cd 114fbc5760
commit 05d8b590f3
114 changed files with 1744 additions and 1060 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java
View File

@ -32,6 +32,7 @@ package org.owasp.webgoat;
import com.google.common.collect.Maps;
import com.google.common.collect.Sets;
import lombok.extern.slf4j.Slf4j;
import org.asciidoctor.Asciidoctor;
import org.owasp.webgoat.i18n.Language;
import org.thymeleaf.TemplateProcessingParameters;
@ -41,6 +42,7 @@ import org.thymeleaf.templateresolver.TemplateResolver;
import java.io.*;
import java.util.Map;
import static org.apache.commons.lang3.CharEncoding.UTF_8;
import static org.asciidoctor.Asciidoctor.Factory.create;
/**
@ -50,6 +52,7 @@ import static org.asciidoctor.Asciidoctor.Factory.create;
* <div th:replace="doc:AccessControlMatrix_plan.adoc"></div>
* </code>
*/
@Slf4j
public class AsciiDoctorTemplateResolver extends TemplateResolver {
private static final Asciidoctor asciidoctor = create();
@ -73,11 +76,15 @@ public class AsciiDoctorTemplateResolver extends TemplateResolver {
@Override
public InputStream getResourceAsStream(TemplateProcessingParameters params, String resourceName) {
InputStream is = readInputStreamOrFallbackToEnglish(resourceName, language);
try {
StringWriter writer = new StringWriter();
asciidoctor.convert(new InputStreamReader(is), writer, createAttributes());
return new ByteArrayInputStream(writer.getBuffer().toString().getBytes());
try (InputStream is = readInputStreamOrFallbackToEnglish(resourceName, language)) {
if (is == null) {
log.warn("Resource name: {} not found, did you add the adoc file?", resourceName);
return new ByteArrayInputStream(new byte[0]);
} else {
StringWriter writer = new StringWriter();
asciidoctor.convert(new InputStreamReader(is), writer, createAttributes());
return new ByteArrayInputStream(writer.getBuffer().toString().getBytes(UTF_8));
}
} catch (IOException e) {
//no html yet
return new ByteArrayInputStream(new byte[0]);

6
webgoat-container/src/main/java/org/owasp/webgoat/CleanupLocalProgressFiles.java
View File

@ -23,11 +23,5 @@ public class CleanupLocalProgressFiles {
@PostConstruct
public void clean() {
File dir = new File(webgoatHome);
//do it safe, check whether the subdir mongodb is available as subdirectory
File[] mongoDir = dir.listFiles(f -> f.isDirectory() && f.getName().contains("mongodb"));
if (mongoDir != null && mongoDir.length == 1) {
FileSystemUtils.deleteRecursively(dir);
}
}
}

7
webgoat-container/src/main/java/org/owasp/webgoat/lessons/Assignment.java
View File

@ -2,6 +2,10 @@ package org.owasp.webgoat.lessons;
import lombok.*;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.OneToMany;
import javax.persistence.Transient;
import java.util.List;
/**
@ -38,11 +42,14 @@ import java.util.List;
@NoArgsConstructor
@Getter
@EqualsAndHashCode
@Entity
public class Assignment {
@NonNull
@Id
private String name;
@NonNull
private String path;
@Transient
private List<String> hints;
}

66
webgoat-container/src/main/java/org/owasp/webgoat/service/SolutionService.java
View File

@ -1,66 +0,0 @@
/**
* *************************************************************************************************
* <p>
* <p>
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
* <p>
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
* <p>
* Getting Source ==============
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
*/
package org.owasp.webgoat.service;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
/**
* <p>SolutionService class.</p>
*
* @author rlawson
* @version $Id: $Id
*/
@Controller
public class SolutionService {
/**
* Returns solution for current attack
*
* @return a {@link java.lang.String} object.
*/
@RequestMapping(path = "/service/solution.mvc", produces = "text/html")
public
@ResponseBody
String showSolution() {
//// TODO: 11/6/2016 to decide not sure about the role in WebGoat 8
String source = getSolution();
return source;
}
/**
* <p>getSolution.</p>
*
* @return a {@link java.lang.String} object.
*/
protected String getSolution() {
return "Solution is not available";
}
}

82
webgoat-container/src/main/java/org/owasp/webgoat/service/SourceService.java
View File

@ -1,82 +0,0 @@
/**
* *************************************************************************************************
* <p>
* <p>
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
* <p>
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
* <p>
* Getting Source ==============
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
* for free software projects.
*/
package org.owasp.webgoat.service;
import org.apache.commons.lang3.StringEscapeUtils;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpSession;
/**
* <p>SourceService class.</p>
*
* @author rlawson
* @version $Id: $Id
*/
@Controller
//TODO REMOVE!
public class SourceService {
/**
* Description of the Field
*/
public final static String START_SOURCE_SKIP = "START_OMIT_SOURCE";
/** Constant <code>END_SOURCE_SKIP="END_OMIT_SOURCE"</code> */
public final static String END_SOURCE_SKIP = "END_OMIT_SOURCE";
/**
* Returns source for current attack
*
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a {@link java.lang.String} object.
*/
@RequestMapping(path = "/service/source.mvc", produces = "application/text")
public
@ResponseBody
String showSource(HttpSession session) {
//// TODO: 11/6/2016 to decide not sure about the role in WebGoat 8
String source = getSource();
if (source == null) {
source = "No source listing found";
}
return StringEscapeUtils.escapeHtml4(source);
}
/**
* Description of the Method
*
* @return Description of the Return Value
*/
protected String getSource() {
return "Source code is not available for this lesson.";
}
}

9
webgoat-container/src/main/java/org/owasp/webgoat/users/LessonTracker.java
View File

@ -7,6 +7,7 @@ import lombok.Getter;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Assignment;
import javax.persistence.*;
import java.util.List;
import java.util.Map;
import java.util.Optional;
@ -44,16 +45,20 @@ import java.util.stream.Collectors;
* @version $Id: $Id
* @since October 29, 2003
*/
@Entity
public class LessonTracker {
@Getter
@Id
private String lessonName;
@OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER)
private final Set<Assignment> solvedAssignments = Sets.newHashSet();
@OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER)
private final List<Assignment> allAssignments = Lists.newArrayList();
@Getter
private int numberOfAttempts = 0;
protected LessonTracker() {
//Mongo
private LessonTracker() {
//JPA
}
public LessonTracker(AbstractLesson lesson) {

2
webgoat-container/src/main/java/org/owasp/webgoat/users/UserForm.java
View File

@ -15,7 +15,7 @@ import javax.validation.constraints.Size;
public class UserForm {
@NotNull
@Size(min=6, max=10)
@Size(min=6, max=20)
private String username;
@NotNull
@Size(min=6, max=10)

4
webgoat-container/src/main/java/org/owasp/webgoat/users/UserRepository.java
View File

@ -1,6 +1,6 @@
package org.owasp.webgoat.users;
import org.springframework.data.mongodb.repository.MongoRepository;
import org.springframework.data.jpa.repository.JpaRepository;
import java.util.List;
@ -8,7 +8,7 @@ import java.util.List;
* @author nbaars
* @since 3/19/17.
*/
public interface UserRepository extends MongoRepository<WebGoatUser, String> {
public interface UserRepository extends JpaRepository<WebGoatUser, String> {
WebGoatUser findByUsername(String username);

8
webgoat-container/src/main/java/org/owasp/webgoat/users/UserTracker.java
View File

@ -5,8 +5,8 @@ import com.google.common.collect.Lists;
import lombok.extern.slf4j.Slf4j;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Assignment;
import org.springframework.data.annotation.Id;
import javax.persistence.*;
import java.util.List;
import java.util.Map;
import java.util.Optional;
@ -44,12 +44,16 @@ import java.util.stream.Collectors;
* @since October 29, 2003
*/
@Slf4j
@Entity
public class UserTracker {
@Id
private final String user;
private String user;
@OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER)
private List<LessonTracker> lessonTrackers = Lists.newArrayList();
private UserTracker() {}
public UserTracker(final String user) {
this.user = user;
}

4
webgoat-container/src/main/java/org/owasp/webgoat/users/UserTrackerRepository.java
View File

@ -1,12 +1,12 @@
package org.owasp.webgoat.users;
import org.springframework.data.mongodb.repository.MongoRepository;
import org.springframework.data.jpa.repository.JpaRepository;
/**
* @author nbaars
* @since 4/30/17.
*/
public interface UserTrackerRepository extends MongoRepository<UserTracker, String> {
public interface UserTrackerRepository extends JpaRepository<UserTracker, String> {
}

6
webgoat-container/src/main/java/org/owasp/webgoat/users/WebGoatUser.java
View File

@ -1,13 +1,14 @@
package org.owasp.webgoat.users;
import lombok.Getter;
import org.springframework.data.annotation.Id;
import org.springframework.data.annotation.Transient;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.Transient;
import java.util.Collection;
import java.util.Collections;
@ -16,6 +17,7 @@ import java.util.Collections;
* @since 3/19/17.
*/
@Getter
@Entity
public class WebGoatUser implements UserDetails {
public static final String ROLE_USER = "WEBGOAT_USER";

20
webgoat-container/src/main/resources/application.properties
View File

@ -4,6 +4,9 @@ server.session.timeout=600
server.contextPath=/WebGoat
server.port=8080
spring.datasource.url=jdbc:hsqldb:file:${webgoat.server.directory}/data/webgoat
spring.jpa.hibernate.ddl-auto=update
logging.level.org.springframework=WARN
logging.level.org.springframework.boot.devtools=WARN
@ -28,22 +31,15 @@ webgoat.feedback.address.html=<A HREF=mailto:webgoat@owasp.org>webgoat@owasp.org
webgoat.database.driver=org.hsqldb.jdbcDriver
webgoat.database.connection.string=jdbc:hsqldb:mem:{USER}
webgoat.default.language=en
webgoat.embedded.mongo=${WG_INTERNAL_MONGO:true}
webwolf.port=8081
webwolf.url=http://localhost:${webwolf.port}/WebWolf
webworf.url.landingpage=http://localhost:${webwolf.port}/landing
webworf.url.mail=http://localhost:${webwolf.port}/mail
webwolf.host=${WEBWOLF_HOST:localhost}
webwolf.port=${WEBWOLF_PORT:8081}
webwolf.url=http://${webwolf.host}:${webwolf.port}/WebWolf
webworf.url.landingpage=http://${webwolf.host}:${webwolf.port}/landing
webwolf.url.mail=http://${webwolf.host}:${webwolf.port}/mail
spring.jackson.serialization.indent_output=true
spring.jackson.serialization.write-dates-as-timestamps=false
spring.activemq.brokerUrl=tcp://${WG_MQ_HOST:localhost}:${WG_MQ_PORT:61616}
spring.data.mongodb.host=${WG_MONGO_HOST:localhost}
spring.data.mongodb.port=${WG_MONGO_PORT:27017}
spring.data.mongodb.database=webgoat
spring.mongodb.embedded.storage.databaseDir=${webgoat.user.directory}/mongodb/
#For static file refresh ... and faster dev :D
spring.devtools.restart.additional-paths=webgoat-container/src/main/resources/static/js,webgoat-container/src/main/resources/static/css

22
webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js
View File

@ -45,7 +45,6 @@ define(['jquery',
this.$el.find('.attack-feedback').hide();
this.$el.find('.attack-output').hide();
this.makeFormsAjax();
//this.ajaxifyAttackHref();
$(window).scrollTop(0); //work-around til we get the scroll down sorted out
var startPageNum = this.model.get('pageNum');
this.initPagination(startPageNum);
@ -86,6 +85,8 @@ define(['jquery',
var prepareDataFunctionName = $(curForm).attr('prepareData');
var callbackFunctionName = $(curForm).attr('callback');
var submitData = (typeof webgoat.customjs[prepareDataFunctionName] === 'function') ? webgoat.customjs[prepareDataFunctionName]() : $(curForm).serialize();
var successCallBackFunctionName = $(curForm).attr('successCallback');
var failureCallbackFunctionName = $(curForm).attr('failureCallback');
var callbackFunction = (typeof webgoat.customjs[callbackFunctionName] === 'function') ? webgoat.customjs[callbackFunctionName] : function() {};
// var submitData = this.$form.serialize();
this.curForm = curForm;
@ -104,19 +105,18 @@ define(['jquery',
//complete: function (data) {
//callbackFunction(data);
//}
}).then(self.onSuccessResponse.bind(self), self.onErrorResponse.bind(self));
}).then(function(data){
self.onSuccessResponse(data, failureCallbackFunctionName, successCallBackFunctionName)}, self.onErrorResponse.bind(self));
return false;
},
onSuccessResponse: function(data) {
onSuccessResponse: function(data, failureCallbackFunctionName, successCallBackFunctionName) {
this.renderFeedback(data.feedback);
this.renderOutput(data.output || "");
var successCallBackFunctionName = this.$form.attr('successCallback');
var failureCallbackFunctionName = this.$form.attr('failureCallback');
//var submitData = (typeof webgoat.customjs[prepareDataFunctionName] === 'function') ? webgoat.customjs[prepareDataFunctionName]() : $(curForm).serialize();
successCallbackFunction = (typeof webgoat.customjs[successCallBackFunctionName] === 'function') ? webgoat.customjs[successCallBackFunctionName] : function() {};
failureCallbackFunction = (typeof webgoat.customjs[failureCallbackFunctionName] === 'function') ? webgoat.customjs[failureCallbackFunctionName] : function() {};
var successCallbackFunction = (typeof webgoat.customjs[successCallBackFunctionName] === 'function') ? webgoat.customjs[successCallBackFunctionName] : function() {};
var failureCallbackFunction = (typeof webgoat.customjs[failureCallbackFunctionName] === 'function') ? webgoat.customjs[failureCallbackFunctionName] : function() {};
//TODO: refactor back assignmentCompleted in Java
if (data.lessonCompleted || data.assignmentCompleted) {
this.markAssignmentComplete();
@ -146,14 +146,6 @@ define(['jquery',
return false;
},
ajaxifyAttackHref: function() { // rewrite any links with hrefs point to relative attack URLs
var self = this;
// instruct in template to have links returned with the attack-link class
$('a.attack-link').submit(function(event){
$.get(this.action, "json").then(self.onSuccessResponse, self.onErrorResponse);
});
},
renderFeedback: function(feedback) {
this.$curFeedback.html(polyglot.t(feedback) || "");
this.$curFeedback.show(400)