From 41879c46037bb03f1c95944386608abd1b349577 Mon Sep 17 00:00:00 2001
From: Nanne Baars
Date: Tue, 20 Oct 2020 22:01:06 +0200
Subject: [PATCH] Blind XXE lesson blocks including the file in the comment directly
---
 .../org/owasp/webgoat/xxe/BlindSendFileAssignment.java | 3 +++
 .../owasp/webgoat/xxe/BlindSendFileAssignmentTest.java | 10 ++++++++++
 2 files changed, 13 insertions(+)
diff --git a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
index cea713bf5..ee5833961 100644
--- a/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
+++ b/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/xxe/BlindSendFileAssignment.java
@@ -83,6 +83,9 @@ public class BlindSendFileAssignment extends AssignmentEndpoint {
 try {
 Comment comment = comments.parseXml(commentStr);
+ if (CONTENTS.contains(comment.getText())) {
+ comment.setText("Nice try, you need to send the file to WebWolf");
+ }
 comments.addComment(comment, false);
 } catch (Exception e) {
 return failed(this).output(e.toString()).build();
diff --git a/webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/xxe/BlindSendFileAssignmentTest.java b/webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/xxe/BlindSendFileAssignmentTest.java
index 8effc48ce..04c3e4ea8 100644
--- a/webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/xxe/BlindSendFileAssignmentTest.java
+++ b/webgoat-lessons/xxe/src/test/java/org/owasp/webgoat/xxe/BlindSendFileAssignmentTest.java
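Review bot: The containment check on the added `if (CONTENTS.contains(comment.getText()))` line is the wrong way round for its purpose: it only fires when the comment text is a substring of CONTENTS (presumably the secret file's contents; its definition is not in the hunk), so a comment that wraps the file contents in any extra text is stored unchanged, while an empty comment is always rewritten because `String.contains("")` is true. A null text from parseXml would also throw here and fall into the existing `catch (Exception e)`, which returns `e.toString()` to the client. I would guard and reverse the test: `String text = comment.getText();` / `if (text != null && !text.isEmpty() && text.contains(CONTENTS)) {`. The enclosing method starts and ends outside the hunk.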
@@ -74,6 +74,16 @@ public class BlindSendFileAssignmentTest extends LessonTest {
 .andExpect(jsonPath("$.output", CoreMatchers.startsWith("javax.xml.bind.UnmarshalException\\n - with linked exception:\\n[javax.xml.stream.XMLStreamException: ParseError at [row,col]:[1,22]\\nMessage:")));
 }
+ @Test
+ public void simpleXXEShouldNotWork() throws Exception {
+ File targetFile = new File(webGoatHomeDirectory, "/XXE/secret.txt");
+ String content = " ]>&root;";
+ mockMvc.perform(MockMvcRequestBuilders.post("/xxe/blind")
+ .content(String.format(content, targetFile.toString())))
+ .andExpect(status().isOk());
+ assertThat(comments.getComments().iterator().next().getText()).isEqualTo("Nice try, you need to send the file to WebWolf");
+ }
+
 @Test
 public void solve() throws Exception {
 File targetFile = new File(webGoatHomeDirectory, "/XXE/secret.txt");
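Review bot: The `String content = " ]>&root;"` line in the new test looks truncated in this rendering: the `String.format(content, targetFile.toString())` call on the following line expects a `%s` placeholder and the literal as shown has none, so the committed source should be checked for the full template. The assertion `comments.getComments().iterator().next().getText()` also assumes the collection is non-empty and that the just-posted comment comes first; if the store's iteration order is not insertion order the test fails on the wrong comment, so asserting `hasSize(1)` first or selecting the comment explicitly would make a failure clearer. The expected message duplicates the literal in BlindSendFileAssignment, so a shared constant would keep the two from drifting.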