fix: remove implicit context path guessing (#1956)

Pass the context-path in the assignment overview so the frontend can easily match an assignment.
2024-11-13 21:32:28 +01:00
parent e60ca6ce72
commit 4880afa0e3
5 changed files with 9 additions and 12 deletions
--- a/src/main/java/org/owasp/webgoat/container/lessons/CourseConfiguration.java
+++ b/src/main/java/org/owasp/webgoat/container/lessons/CourseConfiguration.java
@ -30,6 +30,7 @@ import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.container.assignments.AssignmentHints;
 import org.owasp.webgoat.container.assignments.AttackResult;
 import org.owasp.webgoat.container.session.Course;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.util.Assert;
@ -42,10 +43,15 @@ import org.springframework.web.bind.annotation.RequestMapping;
 public class CourseConfiguration {
  private final List<Lesson> lessons;
  private final List<AssignmentEndpoint> assignments;
+  private final String contextPath;

-  public CourseConfiguration(List<Lesson> lessons, List<AssignmentEndpoint> assignments) {
+  public CourseConfiguration(
+      List<Lesson> lessons,
+      List<AssignmentEndpoint> assignments,
+      @Value("${server.servlet.context-path}") String contextPath) {
    this.lessons = lessons;
    this.assignments = assignments;
+    this.contextPath = contextPath.equals("/") ? "" : contextPath;
  }

  private void attachToLessonInParentPackage(
@ -124,7 +130,7 @@ public class CourseConfiguration {
      if (methodReturnTypeIsOfTypeAttackResult(m)) {
        var mapping = getMapping(m);
        if (mapping != null) {
-          return mapping;
+          return contextPath + mapping;
        }
      }
    }
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5b.java
@ -22,7 +22,6 @@

 package org.owasp.webgoat.lessons.sqlinjection.introduction;

-import jakarta.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.sql.*;
 import org.owasp.webgoat.container.LessonDataSource;
@ -52,8 +51,7 @@ public class SqlInjectionLesson5b extends AssignmentEndpoint {

  @PostMapping("/SqlInjection/assignment5b")
  @ResponseBody
-  public AttackResult completed(
-      @RequestParam String userid, @RequestParam String login_count, HttpServletRequest request)
+  public AttackResult completed(@RequestParam String userid, @RequestParam String login_count)
      throws IOException {
    return injectableQuery(login_count, userid);
  }