Fix merge request

2019-10-19 17:17:54 +02:00
parent d73875e8e8
commit 25dae3a4a8
79 changed files with 900 additions and 2286 deletions
--- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/SqlLessonTest.java
+++ b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/SqlLessonTest.java
@ -24,7 +24,6 @@ package org.owasp.webgoat.sql_injection;

 import org.junit.Before;
 import org.owasp.webgoat.plugins.LessonTest;
-import org.owasp.webgoat.session.WebgoatContext;
 import org.owasp.webgoat.sql_injection.introduction.SqlInjection;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
--- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10Test.java
+++ b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10Test.java
@ -22,19 +22,13 @@

 package org.owasp.webgoat.sql_injection.introduction;

-import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
-import org.owasp.webgoat.plugins.LessonTest;
-import org.owasp.webgoat.session.WebgoatContext;
 import org.owasp.webgoat.sql_injection.SqlLessonTest;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-import org.springframework.test.web.servlet.setup.MockMvcBuilders;

 import static org.hamcrest.CoreMatchers.is;
-import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

--- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2Test.java
+++ b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2Test.java
@ -0,0 +1,45 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.sql_injection.introduction;
+
+import org.hamcrest.CoreMatchers;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.owasp.webgoat.sql_injection.SqlLessonTest;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+@RunWith(SpringJUnit4ClassRunner.class)
+public class SqlInjectionLesson2Test extends SqlLessonTest {
+
+    @Test
+    public void solution() throws Exception {
+        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack2")
+                .param("query", "SELECT department FROM employees WHERE userid=96134;"))
+                .andExpect(status().isOk())
+                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+    }
+}
--- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5Test.java
+++ b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5Test.java
@ -28,6 +28,8 @@ import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.mockito.junit.MockitoJUnitRunner;
 import org.owasp.webgoat.assignments.AssignmentEndpointTest;
+import org.owasp.webgoat.sql_injection.SqlLessonTest;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;

@ -36,33 +38,13 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;

-@RunWith(MockitoJUnitRunner.class)
-public class SqlInjectionLesson5Test extends AssignmentEndpointTest {
-
-    private MockMvc mockMvc;
-
-    @Before
-    public void setup() {
-        SqlInjectionLesson5 sql = new SqlInjectionLesson5();
-        init(sql);
-        this.mockMvc = standaloneSetup(sql).build();
-        when(webSession.getCurrentLesson()).thenReturn(new SqlInjection());
-
-    }
+@RunWith(SpringJUnit4ClassRunner.class)
+public class SqlInjectionLesson5Test extends SqlLessonTest {

    @Test
    public void grantSolution() throws Exception {
        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack5")
-                .param("_query","grant alter table to unauthorizedUser"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$.output", CoreMatchers.containsString("grant")))
-                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
-    }
-
-    @Test
-    public void grantSolutionWithQuotes() throws Exception {
-        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack5")
-                .param("_query","grant alter table to \"unauthorizedUser\""))
+                .param("query","grant alter table to unauthorizedUser"))
                .andExpect(status().isOk())
                .andExpect(jsonPath("$.output", CoreMatchers.containsString("grant")))
                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
@ -71,7 +53,7 @@ public class SqlInjectionLesson5Test extends AssignmentEndpointTest {
    @Test
    public void grantSolutionWithSingleQuotes() throws Exception {
        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack5")
-                .param("_query","grant alter table to 'unauthorizedUser';"))
+                .param("query","grant alter table to 'unauthorizedUser';"))
                .andExpect(status().isOk())
                .andExpect(jsonPath("$.output", CoreMatchers.containsString("grant")))
                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
@ -80,7 +62,7 @@ public class SqlInjectionLesson5Test extends AssignmentEndpointTest {
    @Test
    public void grantSolutionWrong() throws Exception {
        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack5")
-                .param("_query","grant alter table to me"))
+                .param("query","grant alter table to me"))
                .andExpect(status().isOk())
                .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
    }
--- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5aTest.java
+++ b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5aTest.java
@ -1,3 +1,25 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
 package org.owasp.webgoat.sql_injection.introduction;

 import org.junit.Ignore;
@ -6,27 +28,21 @@ import org.junit.runner.RunWith;
 import org.owasp.webgoat.sql_injection.SqlLessonTest;
 import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-import org.springframework.util.LinkedMultiValueMap;
-
-import java.util.Map;

 import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.CoreMatchers.is;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

-/**
- * @author nbaars
- * @since 5/21/17.
- */
@RunWith(SpringJUnit4ClassRunner.class)
 public class SqlInjectionLesson5aTest extends SqlLessonTest {

    @Test
    public void knownAccountShouldDisplayData() throws Exception {
-        var params = Map.of("account", "Smith", "operator", "", "injection", "");
        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/assignment5a")
-                .params(new LinkedMultiValueMap(params)))
+                .param("account", "Smith")
+                .param("operator", "")
+                .param("injection", ""))
                .andExpect(status().isOk())
                .andExpect(jsonPath("lessonCompleted", is(false)))
                .andExpect(jsonPath("$.feedback", is(messages.getMessage("assignment.not.solved"))))
@ -36,10 +52,9 @@ public class SqlInjectionLesson5aTest extends SqlLessonTest {
    @Ignore
    @Test
    public void unknownAccount() throws Exception {
-        var params = Map.of("account", "Smith", "operator", "", "injection", "");
        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/assignment5a")
-                .params(new LinkedMultiValueMap(params)))
-
+                .param("account", "Smith")
+                .param("operator", "").param("injection", ""))
                .andExpect(status().isOk())
                .andExpect(jsonPath("lessonCompleted", is(false)))
                .andExpect(jsonPath("$.feedback", is(SqlInjectionLesson8Test.modifySpan(messages.getMessage("NoResultsMatched")))))
@ -48,9 +63,10 @@ public class SqlInjectionLesson5aTest extends SqlLessonTest {

    @Test
    public void sqlInjection() throws Exception {
-        var params = Map.of("account", "'", "operator", "OR", "injection", "'1' = '1");
        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/assignment5a")
-                .params(new LinkedMultiValueMap(params)))
+                .param("account", "'")
+                .param("operator", "OR")
+                .param("injection", "'1' = '1"))
                .andExpect(status().isOk())
                .andExpect(jsonPath("lessonCompleted", is(true)))
                .andExpect(jsonPath("$.feedback", containsString("You have succeed")))
@ -59,9 +75,10 @@ public class SqlInjectionLesson5aTest extends SqlLessonTest {

    @Test
    public void sqlInjectionWrongShouldDisplayError() throws Exception {
-        var params = Map.of("account", "Smith'", "operator", "OR", "injection", "'1' = '1'");
        mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/assignment5a")
-                .params(new LinkedMultiValueMap(params)))
+                .param("account", "Smith'")
+                .param("operator", "OR")
+                .param("injection", "'1' = '1'"))
                .andExpect(status().isOk())
                .andExpect(jsonPath("lessonCompleted", is(false)))
                .andExpect(jsonPath("$.feedback", containsString(messages.getMessage("assignment.not.solved"))))
--- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8Test.java
+++ b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8Test.java
@ -22,21 +22,14 @@

 package org.owasp.webgoat.sql_injection.introduction;

-import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
-import org.owasp.webgoat.plugins.LessonTest;
-import org.owasp.webgoat.session.WebgoatContext;
 import org.owasp.webgoat.sql_injection.SqlLessonTest;
-import org.owasp.webgoat.sql_injection.introduction.SqlInjection;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-import org.springframework.test.web.servlet.setup.MockMvcBuilders;

 import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.CoreMatchers.is;
-import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

--- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9Test.java
+++ b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9Test.java
@ -22,20 +22,14 @@

 package org.owasp.webgoat.sql_injection.introduction;

-import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
-import org.owasp.webgoat.plugins.LessonTest;
-import org.owasp.webgoat.session.WebgoatContext;
 import org.owasp.webgoat.sql_injection.SqlLessonTest;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-import org.springframework.test.web.servlet.setup.MockMvcBuilders;

 import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.CoreMatchers.is;
-import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

--- a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson12aTest.java
+++ b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson12aTest.java
@ -1,19 +1,12 @@
 package org.owasp.webgoat.sql_injection.mitigation;

-import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.owasp.webgoat.sql_injection.SqlLessonTest;
-import org.owasp.webgoat.sql_injection.introduction.SqlInjection;
-import org.owasp.webgoat.plugins.LessonTest;
-import org.owasp.webgoat.session.WebgoatContext;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
-import org.springframework.test.web.servlet.setup.MockMvcBuilders;

 import static org.hamcrest.Matchers.is;
-import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;