diff --git a/java/org/owasp/webgoat/LessonSource.java b/java/org/owasp/webgoat/LessonSource.java
index 4d4468d6a..5db30e03a 100644
--- a/java/org/owasp/webgoat/LessonSource.java
+++ b/java/org/owasp/webgoat/LessonSource.java
@@ -1,4 +1,3 @@ - package org.owasp.webgoat; import java.io.IOException;
@@ -10,197 +9,177 @@ import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.session.Course; import org.owasp.webgoat.session.WebSession; - -/*************************************************************************************************** - * - * - * This file is part of WebGoat, an Open Web Application Security Project utility. For details, - * please see http://www.owasp.org/ - * +/** + * ************************************************************************************************* + * + * + * This file is part of WebGoat, an Open Web Application Security Project + * utility. For details, please see http://www.owasp.org/ + * * Copyright (c) 2002 - 2007 Bruce Mayhew - * - * This program is free software; you can redistribute it and/or modify it under the terms of the - * GNU General Public License as published by the Free Software Foundation; either version 2 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without - * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * General Public License for more details. - * - * You should have received a copy of the GNU General Public License along with this program; if - * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA - * 02111-1307, USA. - * + * + * This program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free Software + * Foundation; either version 2 of the License, or (at your option) any later + * version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more + * details. 
+ * + * You should have received a copy of the GNU General Public License along with + * this program; if not, write to the Free Software Foundation, Inc., 59 Temple + * Place - Suite 330, Boston, MA 02111-1307, USA. + * * Getting Source ============== - * - * Source for this application is maintained at code.google.com, a repository for free software - * projects. - * + * + * Source for this application is maintained at code.google.com, a repository + * for free software projects. + * * For details, please see http://code.google.com/p/webgoat/ - * + * * @author Bruce Mayhew WebGoat * @created October 28, 2003 */ -public class LessonSource extends HammerHead -{ +public class LessonSource extends HammerHead { - /** - * - */ - private static final long serialVersionUID = 2588430536196446145L; + /** + * + */ + private static final long serialVersionUID = 2588430536196446145L; - /** - * Description of the Field - */ - public final static String START_SOURCE_SKIP = "START_OMIT_SOURCE"; + /** + * Description of the Field + */ + public final static String START_SOURCE_SKIP = "START_OMIT_SOURCE"; - public final static String END_SOURCE_SKIP = "END_OMIT_SOURCE"; + public final static String END_SOURCE_SKIP = "END_OMIT_SOURCE"; - /** - * Description of the Method - * - * @param request - * Description of the Parameter - * @param response - * Description of the Parameter - * @exception IOException - * Description of the Exception - * @exception ServletException - * Description of the Exception - */ - public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException - { - String source = null; + /** + * Description of the Method + * + * @param request Description of the Parameter + * @param response Description of the Parameter + * @exception IOException Description of the Exception + * @exception ServletException Description of the Exception + */ + public void doPost(HttpServletRequest request, HttpServletResponse response) 
throws IOException, ServletException { + String source = null; - try - { + try { // System.out.println( "Entering doPost: " ); - // System.out.println( " - request " + request); - // System.out.println( " - principle: " + request.getUserPrincipal() - // ); - // setCacheHeaders(response, 0); - WebSession session = (WebSession) request.getSession(true).getAttribute(WebSession.SESSION); - // FIXME: Too much in this call. - session.update(request, response, this.getServletName()); + // System.out.println( " - request " + request); + // System.out.println( " - principle: " + request.getUserPrincipal() + // ); + // setCacheHeaders(response, 0); + WebSession session = (WebSession) request.getSession(true).getAttribute(WebSession.SESSION); + // FIXME: Too much in this call. + session.update(request, response, this.getServletName()); - boolean showSolution = session.getParser().getBooleanParameter("solution", false); - boolean showSource = session.getParser().getBooleanParameter("source", false); - if (showSolution) - { + boolean showSolution = session.getParser().getBooleanParameter("solution", false); + boolean showSource = session.getParser().getBooleanParameter("source", false); + if (showSolution) { - // Get the Java solution of the lesson. - source = getSolution(session); + // Get the Java solution of the lesson. + source = getSolution(session); - int scr = session.getCurrentScreen(); - Course course = session.getCourse(); - AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE); - lesson.getLessonTracker(session).setViewedSolution(true); + int scr = session.getCurrentScreen(); + Course course = session.getCourse(); + AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE); + lesson.getLessonTracker(session).setViewedSolution(true); - } - else if (showSource) - { + } else if (showSource) { - // Get the Java source of the lesson. FIXME: Not needed - source = getSource(session); + // Get the Java source of the lesson. 
FIXME: Not needed + source = getSource(session); - int scr = session.getCurrentScreen(); - Course course = session.getCourse(); - AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE); - lesson.getLessonTracker(session).setViewedSource(true); - } - } catch (Throwable t) - { - t.printStackTrace(); - log("ERROR: " + t); - } finally - { - try - { - this.writeSource(source, response); - } catch (Throwable thr) - { - thr.printStackTrace(); - log(request, "Could not write error screen: " + thr.getMessage()); - } - // System.out.println( "Leaving doPost: " ); + int scr = session.getCurrentScreen(); + Course course = session.getCourse(); + AbstractLesson lesson = course.getLesson(session, scr, AbstractLesson.USER_ROLE); + lesson.getLessonTracker(session).setViewedSource(true); + } + } catch (Throwable t) { + t.printStackTrace(); + log("ERROR: " + t); + } finally { + try { + this.writeSource(source, response); + } catch (Throwable thr) { + thr.printStackTrace(); + log(request, "Could not write error screen: " + thr.getMessage()); + } + // System.out.println( "Leaving doPost: " ); - } - } + } + } - /** - * Description of the Method - * - * @param s - * Description of the Parameter - * @return Description of the Return Value - */ - protected String getSource(WebSession s) - { + /** + * Description of the Method + * + * @param s Description of the Parameter + * @return Description of the Return Value + */ + protected String getSource(WebSession s) { - String source = null; - int scr = s.getCurrentScreen(); - Course course = s.getCourse(); + String source = null; + int scr = s.getCurrentScreen(); + Course course = s.getCourse(); - if (s.isUser() || s.isChallenge()) - { + if (s.isUser() || s.isChallenge()) { - AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE); + AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE); - if (lesson != null) - { - source = lesson.getSource(s); - } - } - if (source == null) { 
return "Source code is not available. Contact " - + s.getWebgoatContext().getFeedbackAddressHTML(); } - return (source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP, - "Code Section Deliberately Omitted")); - } + if (lesson != null) { + source = lesson.getSource(s); + } + } + if (source == null) { + return "Source code is not available. Contact " + + s.getWebgoatContext().getFeedbackAddressHTML(); + } + return (source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP, + "Code Section Deliberately Omitted")); + } - protected String getSolution(WebSession s) - { + protected String getSolution(WebSession s) { - String source = null; - int scr = s.getCurrentScreen(); - Course course = s.getCourse(); + String source = null; + int scr = s.getCurrentScreen(); + Course course = s.getCourse(); - if (s.isUser() || s.isChallenge()) - { + if (s.isUser() || s.isChallenge()) { - AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE); + AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE); - if (lesson != null) - { - source = lesson.getSolution(s); - } - } - if (source == null) { return "Solution is not available. Contact " - + s.getWebgoatContext().getFeedbackAddressHTML(); } - return (source); - } + if (lesson != null) { + source = lesson.getSolution(s); + } + } + if (source == null) { + return "Solution is not available. 
Contact " + + s.getWebgoatContext().getFeedbackAddressHTML(); + } + return (source); + } - /** - * Description of the Method - * - * @param s - * Description of the Parameter - * @param response - * Description of the Parameter - * @exception IOException - * Description of the Exception - */ - protected void writeSource(String s, HttpServletResponse response) throws IOException - { - response.setContentType("text/html"); + /** + * Description of the Method + * + * @param s Description of the Parameter + * @param response Description of the Parameter + * @exception IOException Description of the Exception + */ + protected void writeSource(String s, HttpServletResponse response) throws IOException { + response.setContentType("text/html"); - PrintWriter out = response.getWriter(); + PrintWriter out = response.getWriter(); - if (s == null) - { - s = new String(); - } + if (s == null) { + s = new String(); + } - out.print(s); - out.close(); - } + out.print(s); + out.close(); + } }
diff --git a/java/org/owasp/webgoat/lessons/AbstractLesson.java b/java/org/owasp/webgoat/lessons/AbstractLesson.java
index b6ae5d945..f1b64b33a 100644
--- a/java/org/owasp/webgoat/lessons/AbstractLesson.java
+++ b/java/org/owasp/webgoat/lessons/AbstractLesson.java
@@ -1,6 +1,7 @@ package org.owasp.webgoat.lessons; import java.io.BufferedReader; +import java.io.FileNotFoundException; import java.io.FileReader; import java.io.InputStreamReader; import java.io.StringReader;
@@ -313,10 +314,10 @@ public abstract class AbstractLesson extends Screen implements Comparable getHints(WebSession s); - + // @TODO we need to restrict access at the service layer // rather than passing session object around - public List getHintsPublic(WebSession s){ + public List getHintsPublic(WebSession s) { List hints = getHints(s); return hints; }
@@ -491,6 +492,25 @@ public abstract class AbstractLesson extends Screen implements Comparable" + + "Send this message to: " + s.getWebgoatContext().getFeedbackAddress() + ""); + } + + return src; + } + public String getSolution(WebSession s) { String src = null;
diff --git a/java/org/owasp/webgoat/service/CookieService.java b/java/org/owasp/webgoat/service/CookieService.java
index d7f29bdbf..d37632319 100644
--- a/java/org/owasp/webgoat/service/CookieService.java
+++ b/java/org/owasp/webgoat/service/CookieService.java
@@ -30,12 +30,9 @@ */ package org.owasp.webgoat.service; -import java.util.ArrayList; import java.util.List; import javax.servlet.http.Cookie; import javax.servlet.http.HttpSession; -import org.owasp.webgoat.lessons.AbstractLesson; -import org.owasp.webgoat.lessons.model.Hint; import org.owasp.webgoat.session.WebSession; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping;
diff --git a/java/org/owasp/webgoat/service/SourceService.java b/java/org/owasp/webgoat/service/SourceService.java
new file mode 100644
index 000000000..7a7f0a4d9
--- /dev/null
+++ b/java/org/owasp/webgoat/service/SourceService.java
@@ -0,0 +1,91 @@
+/**
+ * *************************************************************************************************
+ *
+ *
+ * This file is part of WebGoat, an Open Web Application Security Project
+ * utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2007 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License as published by the Free Software
+ * Foundation; either version 2 of the License, or (at your option) any later
+ * version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place - Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at code.google.com, a repository
+ * for free software projects.
+ *
+ * For details, please see http://code.google.com/p/webgoat/
+ */
+package org.owasp.webgoat.service;
+
+import javax.servlet.http.HttpSession;
+import static org.owasp.webgoat.LessonSource.END_SOURCE_SKIP;
+import static org.owasp.webgoat.LessonSource.START_SOURCE_SKIP;
+import org.owasp.webgoat.lessons.AbstractLesson;
+import org.owasp.webgoat.session.Course;
+import org.owasp.webgoat.session.WebSession;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+/**
+ *
+ * @author rlawson
+ */
+@Controller
+public class SourceService extends BaseService {
+
+ /**
+ * Returns source for current attack
+ *
+ * @param session
+ * @return
+ */
+ @RequestMapping(value = "/source.mvc", produces = "application/json")
+ public @ResponseBody
+ String showSource(HttpSession session) {
+ WebSession ws = getWebSesion(session);
+ String source = getSource(ws);
+ return source;
+ }
+
+ /**
+ * Description of the Method
+ *
+ * @param s Description of the Parameter
+ * @return Description of the Return Value
+ */
+ protected String getSource(WebSession s) {
+
+ String source = null;
+ int scr = s.getCurrentScreen();
+ Course course = s.getCourse();
+
+ if (s.isUser() || s.isChallenge()) {
+
+ AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
+
+ if (lesson != null) {
+ source = lesson.getRawSource(s);
+ }
+ }
+ if (source == null) {
+ return "Source code is not available. Contact "
+ + s.getWebgoatContext().getFeedbackAddressHTML();
+ }
+ return (source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP,
+ "Code Section Deliberately Omitted"));
+ }
+}
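Review bot: `showSource` declares `produces = "application/json"` but returns the raw lesson source as a bare `String` through `@ResponseBody`, so the body is not JSON and the advertised content type is wrong for whatever the client does with it; declare the real type, e.g. `@RequestMapping(value = "/source.mvc", produces = "text/plain;charset=UTF-8")`, or wrap the text in a JSON object. In `getSource`, the closing `replaceAll` only omits a section when both `START_SOURCE_SKIP` and `END_SOURCE_SKIP` are present, so a lesson source carrying an unmatched start marker is returned unredacted; a post-replacement guard such as `if (source.contains(START_SOURCE_SKIP)) { return "Source code is not available. Contact " + s.getWebgoatContext().getFeedbackAddressHTML(); }` would fail closed instead. Note also that the greedy `.*` collapses everything from the first start marker to the last end marker into a single omission when a file has several marked sections, which over-omits rather than leaks but is probably not what lesson authors expect (`.*?` omits per section). Apart from the `getRawSource` call, this `getSource` is a line-for-line copy of `LessonSource.getSource` in the same commit; a shared helper would keep the two redaction paths from drifting.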