dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix copying of pictures to WebGoat home directory

Browse Source
This commit is contained in:
Nanne Baars 2020-04-27 12:51:07 +02:00 committed by Nanne Baars
parent 1aad57ba55
commit 2614044918
2 changed files with 8 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
webgoat-lessons/path-traversal/src/main/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrieval.java
View File

@ -6,6 +6,7 @@ import org.owasp.webgoat.assignments.AssignmentEndpoint;
import org.owasp.webgoat.assignments.AssignmentHints; import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AttackResult; import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.beans.factory.annotation.Value; import org.springframework.beans.factory.annotation.Value;
import org.springframework.core.io.ClassPathResource;
import org.springframework.http.HttpStatus; import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType; import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity; import org.springframework.http.ResponseEntity;
@ -17,15 +18,14 @@ import org.springframework.web.bind.annotation.*;
import javax.annotation.PostConstruct; import javax.annotation.PostConstruct;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import java.io.File; import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException; import java.io.IOException;
import java.io.InputStream;
import java.net.URI; import java.net.URI;
import java.net.URISyntaxException; import java.net.URISyntaxException;
import java.nio.file.Files; import java.nio.file.Files;
import java.util.Base64; import java.util.Base64;
import static org.springframework.util.FileCopyUtils.copy;
import static org.springframework.util.ResourceUtils.getFile;
@RestController @RestController
@AssignmentHints({ @AssignmentHints({
"path-traversal-profile-retrieve.hint1", "path-traversal-profile-retrieve.hint1",
@ -47,8 +47,8 @@ public class ProfileUploadRetrieval extends AssignmentEndpoint {
@PostConstruct @PostConstruct
public void initAssignment() { public void initAssignment() {
for (int i = 1; i <= 10; i++) { for (int i = 1; i <= 10; i++) {
try { try (InputStream is = new ClassPathResource("images/cats/" + i + ".jpg").getInputStream()) {
copy(getFile(getClass().getResource("/images/cats/" + i + ".jpg")), new File(catPicturesDirectory, i + ".jpg")); FileCopyUtils.copy(is, new FileOutputStream(new File(catPicturesDirectory, i + ".jpg")));
} catch (Exception e) { } catch (Exception e) {
log.error("Unable to copy pictures" + e.getMessage()); log.error("Unable to copy pictures" + e.getMessage());
} }

6
webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrievalTest.java
View File

@ -9,7 +9,6 @@ import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.MediaType; import org.springframework.http.MediaType;
import org.springframework.security.core.token.Sha512DigestUtils; import org.springframework.security.core.token.Sha512DigestUtils;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.result.MockMvcResultHandlers; import org.springframework.test.web.servlet.result.MockMvcResultHandlers;
import org.springframework.test.web.servlet.setup.MockMvcBuilders; import org.springframework.test.web.servlet.setup.MockMvcBuilders;
@ -19,7 +18,8 @@ import java.net.URI;
import static org.hamcrest.CoreMatchers.equalTo; import static org.hamcrest.CoreMatchers.equalTo;
import static org.hamcrest.CoreMatchers.is; import static org.hamcrest.CoreMatchers.is;
import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.containsString;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.*; import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
@RunWith(SpringJUnit4ClassRunner.class) @RunWith(SpringJUnit4ClassRunner.class)
@ -77,6 +77,6 @@ public class ProfileUploadRetrievalTest extends LessonTest {
public void unknownFileShouldGiveDirectoryContents() throws Exception { public void unknownFileShouldGiveDirectoryContents() throws Exception {
mockMvc.perform(get("/PathTraversal/random-picture?id=test")) mockMvc.perform(get("/PathTraversal/random-picture?id=test"))
.andExpect(status().is(404)) .andExpect(status().is(404))
.andExpect(content().string(containsString("cats"+File.separator+"8.jpg"))); .andExpect(content().string(containsString("cats" + File.separator + "8.jpg")));
} }
} }