From 1edf091c4e15635407fbd4d1ccb1882910a3a23a Mon Sep 17 00:00:00 2001
From: Nanne Baars
Date: Tue, 2 May 2017 14:26:50 +0200
Subject: [PATCH] Improvements for challenge 3
---
 .../plugin/challenge3/Assignment3.java | 38 ++++++++++++-------
 .../webgoat/plugin/challenge3/Comment.java | 5 ++-
 .../src/main/resources/html/Challenge3.html | 4 +-
 .../src/main/resources/js/challenge3.js | 6 +--
 4 files changed, 34 insertions(+), 19 deletions(-)
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Assignment3.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Assignment3.java
index 749db2fc1..ed32e2458 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Assignment3.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Assignment3.java
@@ -1,9 +1,12 @@
 package org.owasp.webgoat.plugin.challenge3;
+import com.beust.jcommander.internal.Lists;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.common.collect.EvictingQueue;
+import com.google.common.collect.Maps;
 import com.google.common.io.Files;
 import lombok.SneakyThrows;
+import org.apache.commons.lang3.StringUtils;
 import org.joda.time.DateTime;
 import org.joda.time.format.DateTimeFormat;
 import org.joda.time.format.DateTimeFormatter;
@@ -30,6 +33,7 @@ import java.io.IOException;
 import java.io.StringReader;
 import java.nio.charset.Charset;
 import java.util.Collection;
+import java.util.Map;
 import static org.springframework.http.MediaType.ALL_VALUE;
 import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
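Review bot: The added `import com.beust.jcommander.internal.Lists;` takes a list factory from JCommander's internal package, which is presumably on the classpath only as a transitive dependency and carries no API-stability guarantee. The file already imports Guava two lines below, so `import com.google.common.collect.Lists;` (or a plain `new java.util.ArrayList<>()`) gives the same `Lists.newArrayList()` without coupling the lesson to another library's internals. Depending on a transitive dependency's internal package is also a quiet supply-chain risk: a JCommander upgrade or exclusion would break compilation of this lesson for no functional reason.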
@@ -49,13 +53,14 @@ public class Assignment3 extends AssignmentEndpoint {
 private WebSession webSession;
 private static DateTimeFormatter fmt = DateTimeFormat.forPattern("yyyy-MM-dd, HH:mm:ss");
+ private static final Map> userComments = Maps.newHashMap();
 private static final EvictingQueue comments = EvictingQueue.create(100);
 private static final String secretContents = "Congratulations you may now collect your flag";
 static {
 comments.add(new Comment("webgoat", DateTime.now().toString(fmt), "Silly cat...."));
 comments.add(new Comment("guest", DateTime.now().toString(fmt), "I think I will use this picture in one of my projects."));
- comments.add(new Comment("guest", DateTime.now().toString(), "Lol!! :-)."));
+ comments.add(new Comment("guest", DateTime.now().toString(fmt), "Lol!! :-)."));
 }
 @PostConstruct
@@ -68,11 +73,16 @@ public class Assignment3 extends AssignmentEndpoint {
 Files.write(secretContents, new File(targetDirectory, "secret.txt"), Charset.defaultCharset());
 }
-
- @RequestMapping(method = GET, produces = APPLICATION_JSON_VALUE)
+ @RequestMapping(method = GET, produces = MediaType.APPLICATION_JSON_VALUE)
 @ResponseBody
 public Collection retrieveComments() {
- return comments;
+ Collection allComments = Lists.newArrayList();
+ Collection xmlComments = userComments.get(webSession.getUserName());
+ if (xmlComments != null) {
+ allComments.addAll(xmlComments);
+ }
+ allComments.addAll(comments);
+ return allComments;
 }
 @RequestMapping(method = POST, consumes = ALL_VALUE, produces = APPLICATION_JSON_VALUE)
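Review bot: `userComments` is a static, unsynchronised `HashMap` (its generic arguments are garbled in this rendering, presumably `Map<String, EvictingQueue<Comment>>`) that the POST handler in the next hunk writes and `retrieveComments` reads, so overlapping requests from different users race on the map and can corrupt it. Since the entries are already partitioned per user, `java.util.concurrent.ConcurrentHashMap` is a drop-in replacement: `private static final Map<String, EvictingQueue<Comment>> userComments = new ConcurrentHashMap<>();` plus the import. The map is also keyed by user name and never pruned, so it grows by one 100-entry queue for every user who ever posts XML; a field comment such as `// per-user comments from the XML path; grows with the number of users and is never evicted` would make that trade-off explicit.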
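Review bot: `allComments.addAll(xmlComments)` and `allComments.addAll(comments)` iterate Guava `EvictingQueue`s that the POST handler mutates from other request threads, and `EvictingQueue` is documented as not thread-safe, so a GET that overlaps a concurrent POST can throw `ConcurrentModificationException` or return a partial view. The smallest fix is to snapshot under a lock, `synchronized (comments) { allComments.addAll(comments); }`, and the same around the per-user queue, with the POST side adding under the same monitor. The method also deserves a Javadoc saying why XML-sourced comments are kept per user — they presumably hold the output of the user's payload against `parseXml`, and merging them into the shared list would show the secret to everyone — which is currently only hinted at by the one-line comment in the POST handler.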
@@ -82,27 +92,29 @@ public class Assignment3 extends AssignmentEndpoint {
 AttackResult attackResult = failed().build();
 if (APPLICATION_JSON_VALUE.equals(contentType)) {
 comment = parseJson(commentStr);
- comment.setDateTime(DateTime.now().toString());
+ comment.setDateTime(DateTime.now().toString(fmt));
 comment.setUser(webSession.getUserName());
+ comments.add(comment);
 }
 if (MediaType.APPLICATION_XML_VALUE.equals(contentType)) {
+ //Do not show these comments to all users
 comment = parseXml(commentStr);
 comment.setDateTime(DateTime.now().toString(fmt));
 comment.setUser(webSession.getUserName());
- }
- if (comment != null) {
+ EvictingQueue comments = userComments.getOrDefault(webSession.getUserName(), EvictingQueue.create(100));
 comments.add(comment);
- if (checkSolution(comment)) {
- attackResult = success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(2)).build();
- }
+ userComments.put(webSession.getUserName(), comments);
+ }
+ if (checkSolution(comment)) {
+ attackResult = success().feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(2)).build();
 }
-
 return attackResult;
 }
 private boolean checkSolution(Comment comment) {
- if (comment.getComment().contains(secretContents)) {
- comment.setComment("Congratulations to " + webSession.getUserName() + " for finding the flag!!");
+ if (StringUtils.equals(comment.getText(), secretContents)) {
+ comment.setText("Congratulations to " + webSession.getUserName() + " for finding the flag!!");
+ comments.add(comment);
 return true;
 }
 return false;
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Comment.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Comment.java
index 0effcab0b..0ea3e0d07 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Comment.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Comment.java
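Review bot: The removed `if (comment != null)` guard has no replacement, so `checkSolution(comment)` now runs for every request; when the content type is neither JSON nor XML — which `consumes = ALL_VALUE` on the mapping allows — `comment` keeps whatever it was initialised to above the hunk (null, judging by the old guard) and `comment.getText()` throws a `NullPointerException` instead of returning the failed result. `if (comment != null && checkSolution(comment)) {` restores the previous behaviour. Separately, the JSON branch already does `comments.add(comment)` before `checkSolution` adds the same object a second time, so a solve submitted as JSON shows up twice in the public list. The local `EvictingQueue comments` in the XML branch also shadows the static `comments` field that `checkSolution` writes to, which makes the two `comments.add(comment)` calls in this hunk easy to misread; naming it `userQueue` would help. The handler's signature and the declaration of `comment` are above the hunk.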
@@ -5,6 +5,8 @@ import lombok.Getter;
 import lombok.NoArgsConstructor;
 import lombok.Setter;
+import javax.xml.bind.annotation.XmlRootElement;
+
 /**
 * @author nbaars
 * @since 4/8/17.
@@ -13,9 +15,10 @@ import lombok.Setter;
 @Setter
 @AllArgsConstructor
 @NoArgsConstructor
+@XmlRootElement
 public class Comment {
 private String user;
 private String dateTime;
- private String comment;
+ private String text;
 }
diff --git a/webgoat-lessons/challenge/src/main/resources/html/Challenge3.html b/webgoat-lessons/challenge/src/main/resources/html/Challenge3.html
index c10d5f72f..62255ab95 100644
--- a/webgoat-lessons/challenge/src/main/resources/html/Challenge3.html
+++ b/webgoat-lessons/challenge/src/main/resources/html/Challenge3.html
@@ -10,7 +10,7 @@
-
+
@@ -48,7 +48,7 @@
-
+