From 2614044918522ad69b6818d349be1d7a1d62921c Mon Sep 17 00:00:00 2001
From: Nanne Baars
Date: Mon, 27 Apr 2020 12:51:07 +0200
Subject: [PATCH] Fix copying of pictures to WebGoat home directory
---
 .../webgoat/path_traversal/ProfileUploadRetrieval.java | 10 +++++-----
 .../path_traversal/ProfileUploadRetrievalTest.java | 6 +++---
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java b/webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
index 7e71be049..44f71073a 100644
--- a/webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
+++ b/webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
@@ -6,6 +6,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.core.io.ClassPathResource;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
@@ -17,15 +18,14 @@ import org.springframework.web.bind.annotation.*;
 import javax.annotation.PostConstruct;
 import javax.servlet.http.HttpServletRequest;
 import java.io.File;
+import java.io.FileOutputStream;
 import java.io.IOException;
+import java.io.InputStream;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.nio.file.Files;
 import java.util.Base64;
-import static org.springframework.util.FileCopyUtils.copy;
-import static org.springframework.util.ResourceUtils.getFile;
-
 @RestController
 @AssignmentHints({
 "path-traversal-profile-retrieve.hint1",
@@ -47,8 +47,8 @@ public class ProfileUploadRetrieval extends AssignmentEndpoint {
 @PostConstruct
 public void initAssignment() {
 for (int i = 1; i <= 10; i++) {
- try {
- copy(getFile(getClass().getResource("/images/cats/" + i + ".jpg")), new File(catPicturesDirectory, i + ".jpg"));
+ try (InputStream is = new ClassPathResource("images/cats/" + i + ".jpg").getInputStream()) {
+ FileCopyUtils.copy(is, new FileOutputStream(new File(catPicturesDirectory, i + ".jpg")));
 } catch (Exception e) {
 log.error("Unable to copy pictures" + e.getMessage());
 }
diff --git a/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrievalTest.java b/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrievalTest.java
index 821735fae..7ed5da2f2 100644
--- a/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrievalTest.java
+++ b/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrievalTest.java
@@ -9,7 +9,6 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
 import org.springframework.security.core.token.Sha512DigestUtils;
 import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
-import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import org.springframework.test.web.servlet.result.MockMvcResultHandlers;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
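Review bot: The `catch` branch in `initAssignment` still logs `"Unable to copy pictures" + e.getMessage()`, which runs the text and the exception message together, names no file, and drops the stack trace, so a failed startup copy (the case this commit repairs) is hard to diagnose and the lesson starts with pictures missing. Assuming `log` is an SLF4J logger, passing the exception as the last argument keeps the cause: `log.error("Unable to copy picture {}.jpg", i, e);`. The new line calls `FileCopyUtils.copy` by class name while the import hunks only drop the static import of `copy`; presumably a plain `import org.springframework.util.FileCopyUtils;` already sits in the import lines not shown, which is worth confirming. The closing braces of the loop and the method lie outside the hunk.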
@@ -19,7 +18,8 @@ import java.net.URI;
 import static org.hamcrest.CoreMatchers.equalTo;
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.Matchers.containsString;
-import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.*;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
 @RunWith(SpringJUnit4ClassRunner.class)
@@ -77,6 +77,6 @@ public class ProfileUploadRetrievalTest extends LessonTest {
 public void unknownFileShouldGiveDirectoryContents() throws Exception {
 mockMvc.perform(get("/PathTraversal/random-picture?id=test"))
 .andExpect(status().is(404))
- .andExpect(content().string(containsString("cats"+File.separator+"8.jpg")));
+ .andExpect(content().string(containsString("cats" + File.separator + "8.jpg")));
 }
 }
\ No newline at end of file