Merge remote-tracking branch 'upstream/master'

.gitignore

@@ -33,3 +33,5 @@ classes/*
 /*.iml
 .extract/*
 UserDatabase.mv.db
+webgoat-container/src/main/webapp/users/guest.org.owasp.webgoat.plugin.*.props
+webgoat-container/src/main/webapp/plugin_lessons/dist-*.pom

.travis.yml

@@ -4,11 +4,11 @@ jdk:
   - oraclejdk8
 install: "/bin/true"
 script:
-  - mvn clean compile install
+  - mvn clean install
   - git clone https://github.com/WebGoat/WebGoat-Lessons.git
   - mvn -file ./WebGoat-Lessons/pom.xml package
   - cp -fa ./WebGoat-Lessons/target/plugins/*.jar ./webgoat-container/src/main/webapp/plugin_lessons/
-  - mvn -Prun-integration-tests package verify install
+  - if [[ $TRAVIS_PULL_REQUEST == "false" ]]; then mvn -Prun-integration-tests clean install; else mvn clean install; fi
 before_deploy:
   - export WEBGOAT_ARTIFACT_VERSION=$(grep "<version>" $HOME/build/$TRAVIS_REPO_SLUG/pom.xml | cut -d ">" -f 2 | cut -d "<" -f 1)
   - export WEBGOAT_JAR_FILE=$HOME/build/$TRAVIS_REPO_SLUG/webgoat-container/target/webgoat-container-$WEBGOAT_ARTIFACT_VERSION.jar
@@ -36,7 +36,6 @@ deploy:
     jdk: oraclejdk8
 notifications:
   slack:
-    rooms:
+    secure: S9VFew5NSE8WDzYD1VDBUULKKT0fzgblQACznwQ85699b2yeX9TX58N3RZvRS1JVagVP1wu2xOrwN2g+AWx4Ro3UBZD5XG86uTJWpCLD4cRWHBoGMH2TfvI7/IzsWmgxH4MBxFRvZr/eEhlVAux+N9H4EoEdS4CKsJXEqV37PlA=
-      secure: "RS/QCVjDAt8y7c816d8UIJUl2OLaRRU6gjh//7Kb4f9TyKRACtP0Qa9NVNhSXuvb2kzUTOFb76Lz8utnt2a3iZ+elZMvnQu8+HioKr9wWJPKml8TLC+tCclQnSAz7orsQ0ubgUlsVycs7bsaQ79aKw1C9YdH+QNDgMKDxvfrEKk="
 addons:
   sauce_connect: true

README.MD

@@ -125,7 +125,7 @@ cd WebGoat
 mvn -pl webgoat-container tomcat7:run-war
 ```
 
-Browse to [http://localhost:8080](http://localhost:8080/WebGoat) and happy hacking !
+Browse to [http://localhost:8080/WebGoat](http://localhost:8080/WebGoat) and happy hacking !
 
 #### Option #2: Java executable JAR
 The __maven package__ goal generates an executable .jar file:
@@ -137,7 +137,7 @@ cd webgoat-container/target
 java -jar webgoat-container-7.0-SNAPSHOT-war-exec.jar http://localhost:8080/WebGoat
 ```
 
-Browse to [http://localhost:8080](http://localhost:8080/WebGoat) and happy hacking !
+Browse to [http://localhost:8080/WebGoat](http://localhost:8080/WebGoat) and happy hacking !
 
 #### Option #3: Deploy the WebGoat WAR file in yout local Tomcat or other Application Serve:
 The __maven package__ goal generates a .war file that can deployed into an Application Server, such as Tomcat
@@ -148,4 +148,4 @@ mvn package
 cp webgoat-container/target/webgoat-container-7.0-SNAPSHOT-war-exec.jar <your_tomcat_directory>/webapps/
 ```
 
-Browse to [http://localhost:8080](http://localhost:8080/WebGoat) and happy hacking !
+Browse to [http://localhost:8080/WebGoat](http://localhost:8080/WebGoat) and happy hacking !

webgoat-container/src/main/java/org/owasp/webgoat/plugins/GlobalProperties.java

@@ -1,26 +0,0 @@
-package org.owasp.webgoat.plugins;
-
-import java.io.IOException;
-import java.nio.file.Path;
-import java.util.List;
-import java.util.Objects;
-
-public final class GlobalProperties {
-
-    private final Path pluginDirectory;
-
-    public GlobalProperties(Path pluginDirectory) {
-        this.pluginDirectory = Objects.requireNonNull(pluginDirectory, "pluginDirectory cannot be null");
-    }
-
-    public void loadProperties(Path globalPropertiesPath) {
-        try {
-            PluginFileUtils.createDirsIfNotExists(pluginDirectory);
-            List<Path> filesInDirectory = PluginFileUtils.getFilesInDirectory(globalPropertiesPath);
-            new Plugin(pluginDirectory).loadFiles(filesInDirectory, true);
-        } catch (IOException e) {
-            throw new IllegalStateException("Unable to load global properties, check your installation for the directory i18n: " + globalPropertiesPath.toString(), e);
-        }
-    }
-
-}

webgoat-container/src/main/java/org/owasp/webgoat/plugins/Plugin.java

@@ -5,8 +5,8 @@ import com.google.common.base.Preconditions;
 import com.google.common.collect.Lists;
 import org.owasp.webgoat.classloader.PluginClassLoader;
 import org.owasp.webgoat.lessons.AbstractLesson;
+import org.owasp.webgoat.util.LabelProvider;
 
-import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.IOException;
 import java.nio.file.Files;
@@ -90,16 +90,11 @@ public class Plugin {
 
     private void copyProperties(boolean reload, Path file) {
         try {
-            ByteArrayOutputStream bos = new ByteArrayOutputStream();
+            byte[] lines = Files.readAllBytes(file);
-            Files.copy(file, bos);
             Path propertiesPath = createPropertiesDirectory();
-            ResourceBundleClassLoader.setPropertiesPath(propertiesPath);
+            LabelProvider.updatePluginResources(propertiesPath);
             PluginFileUtils.createDirsIfNotExists(file.getParent());
-            if (reload) {
+            Files.write(propertiesPath.resolve(file.getFileName()), lines, CREATE, (reload ? APPEND : TRUNCATE_EXISTING));
-                Files.write(propertiesPath.resolve(file.getFileName()), bos.toByteArray(), CREATE, APPEND);
-            } else {
-                Files.write(propertiesPath.resolve(file.getFileName()), bos.toByteArray(), CREATE, TRUNCATE_EXISTING);
-            }
         } catch (IOException io) {
             throw new PluginLoadingFailure("Property file detected, but unable to copy the properties", io);
         }

webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginsLoader.java

@@ -3,11 +3,11 @@ package org.owasp.webgoat.plugins;
 import com.google.common.base.Preconditions;
 import com.google.common.collect.Lists;
 import org.owasp.webgoat.classloader.PluginClassLoader;
+import org.owasp.webgoat.util.LabelProvider;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import java.io.IOException;
-import java.net.URISyntaxException;
 import java.net.URL;
 import java.nio.file.FileVisitResult;
 import java.nio.file.Files;
@@ -16,6 +16,11 @@ import java.nio.file.Paths;
 import java.nio.file.SimpleFileVisitor;
 import java.nio.file.attribute.BasicFileAttributes;
 import java.util.List;
+import java.util.concurrent.Callable;
+import java.util.concurrent.CompletionService;
+import java.util.concurrent.ExecutorCompletionService;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
 
 public class PluginsLoader implements Runnable {
 
@@ -34,7 +39,7 @@ public class PluginsLoader implements Runnable {
     }
 
     public List<Plugin> loadPlugins(final boolean reload) {
-        final PluginClassLoader cl = (PluginClassLoader)Thread.currentThread().getContextClassLoader();
+        final PluginClassLoader cl = (PluginClassLoader) Thread.currentThread().getContextClassLoader();
         List<Plugin> plugins = Lists.newArrayList();
 
         try {
@@ -42,7 +47,7 @@ public class PluginsLoader implements Runnable {
             List<URL> jars = listJars();
             cl.addURL(jars);
             plugins = processPlugins(jars, reload);
-        } catch (IOException | URISyntaxException e) {
+        } catch (Exception e) {
             logger.error("Loading plugins failed", e);
         }
         return plugins;
@@ -63,13 +68,18 @@ public class PluginsLoader implements Runnable {
         return jars;
     }
 
-    private List<Plugin> processPlugins(List<URL> jars, boolean reload) throws URISyntaxException, IOException {
+    private List<Plugin> processPlugins(List<URL> jars, boolean reload) throws Exception {
         final List<Plugin> plugins = Lists.newArrayList();
-        for (URL jar : jars) {
+        final ExecutorService executorService = Executors.newFixedThreadPool(20);
-
+        final CompletionService<PluginExtractor> completionService = new ExecutorCompletionService<>(executorService);
-            PluginExtractor extractor = new PluginExtractor(Paths.get(jar.toURI()));
+        final List<Callable<PluginExtractor>> callables = extractJars(jars);
-            extractor.extract(pluginTarget);
 
+        for (Callable<PluginExtractor> s : callables) {
+            completionService.submit(s);
+        }
+        int n = callables.size();
+        for (int i = 0; i < n; i++) {
+            PluginExtractor extractor = completionService.take().get();
             Plugin plugin = new Plugin(pluginTarget, extractor.getClasses());
             if (plugin.getLesson().isPresent()) {
                 PluginFileUtils.createDirsIfNotExists(pluginTarget);
@@ -78,9 +88,26 @@ public class PluginsLoader implements Runnable {
                 plugins.add(plugin);
             }
         }
+        LabelProvider.refresh();
         return plugins;
     }
 
+    private List<Callable<PluginExtractor>> extractJars(List<URL> jars) {
+        List<Callable<PluginExtractor>> extractorCallables = Lists.newArrayList();
+        for (final URL jar : jars) {
+            extractorCallables.add(new Callable<PluginExtractor>() {
+
+                @Override
+                public PluginExtractor call() throws Exception {
+                    PluginExtractor extractor = new PluginExtractor(Paths.get(jar.toURI()));
+                    extractor.extract(pluginTarget);
+                    return extractor;
+                }
+            });
+        }
+        return extractorCallables;
+    }
+
     @Override
     public void run() {
         loadPlugins(true);

webgoat-container/src/main/java/org/owasp/webgoat/plugins/ResourceBundleClassLoader.java

@@ -1,33 +0,0 @@
-package org.owasp.webgoat.plugins;
-
-import java.io.IOException;
-import java.net.URL;
-import java.net.URLClassLoader;
-import java.nio.file.Path;
-import java.util.ArrayList;
-import java.util.List;
-
-public class ResourceBundleClassLoader {
-
-    private final static ResourceBundleClassLoader classLoader = new ResourceBundleClassLoader();
-    private Path propertiesPath;
-
-    private ResourceBundleClassLoader() {
-    }
-
-    public static void setPropertiesPath(Path path) {
-        classLoader.propertiesPath = path;
-    }
-
-    public static ClassLoader createPropertyFilesClassLoader() {
-        final List<URL> urls = new ArrayList<>();
-
-        try {
-            urls.add(classLoader.propertiesPath.toUri().toURL());
-        } catch (IOException e) {
-            throw new PluginLoadingFailure("Unable to load the properties for the classloader", e);
-        }
-        return new URLClassLoader(urls.toArray(new URL[urls.size()]), Thread.currentThread().getContextClassLoader());
-    }
-
-}

webgoat-container/src/main/java/org/owasp/webgoat/session/Course.java

@@ -3,7 +3,6 @@ package org.owasp.webgoat.session;
 import org.owasp.webgoat.HammerHead;
 import org.owasp.webgoat.lessons.AbstractLesson;
 import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.plugins.GlobalProperties;
 import org.owasp.webgoat.plugins.Plugin;
 import org.owasp.webgoat.plugins.PluginsLoader;
 import org.slf4j.Logger;
@@ -24,7 +23,6 @@ import javax.servlet.ServletContext;
 import org.owasp.webgoat.HammerHead;
 import org.owasp.webgoat.lessons.AbstractLesson;
 import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.plugins.GlobalProperties;
 import org.owasp.webgoat.plugins.LegacyLoader;
 import org.owasp.webgoat.plugins.Plugin;
 import org.owasp.webgoat.plugins.PluginsLoader;
@@ -299,7 +297,6 @@ public class Course {
             logger.error("Plugins directory {} not found", pluginPath);
             return;
         }
-        new GlobalProperties(Paths.get(targetPath)).loadProperties(Paths.get(context.getRealPath("container//i18n")));
 
         List<Plugin> plugins = new PluginsLoader(Paths.get(pluginPath), Paths.get(targetPath)).loadPlugins(true);
         for (Plugin plugin : plugins) {

webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java

@@ -842,13 +842,17 @@ public class WebSession {
             } else if (al instanceof RandomLessonAdapter) {
                 try {
                     RandomLessonAdapter rla = (RandomLessonAdapter) al;
-                    int stage = myParser.getIntParameter(STAGE) - 1;
+                    if (!myParser.getRawParameter(STAGE).equals("null")) {
-                    String[] stages = rla.getStages();
+                        int stage = myParser.getIntParameter(STAGE) - 1;
-                    if (stages == null) {
+                        String[] stages = rla.getStages();
-                        stages = new String[0];
+                        if (stages == null) {
-                    }
+                            stages = new String[0];
-                    if (stage >= 0 && stage < stages.length) {
+                        }
-                        rla.setStage(this, stages[stage]);
+                        if (stage >= 0 && stage < stages.length) {
+                            rla.setStage(this, stages[stage]);
+                        }
+                    } else {
+                        rla.setStage(this, null);
                     }
                 } catch (ParameterNotFoundException pnfe) {
                 }

webgoat-container/src/main/java/org/owasp/webgoat/util/LabelManagerImpl.java

@@ -1,11 +1,9 @@
 
 package org.owasp.webgoat.util;
 
-import org.springframework.context.annotation.Scope;
+import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.context.annotation.ScopedProxyMode;
 import org.springframework.stereotype.Component;
 
-import javax.annotation.Resource;
 import java.io.Serializable;
 import java.util.Locale;
 
@@ -38,10 +36,11 @@ import java.util.Locale;
  * For details, please see http://webgoat.github.io
  */
 @Component("labelManager")
-@Scope(value="session", proxyMode=ScopedProxyMode.INTERFACES)
 public class LabelManagerImpl implements LabelManager, Serializable
 {
-	@Resource
+	private static final long serialVersionUID = 1L;
+
+	@Autowired
 	private transient LabelProvider labelProvider;
 
 	/** Locale mapped with current session. */

webgoat-container/src/main/java/org/owasp/webgoat/util/LabelProvider.java

@@ -1,70 +1,96 @@
 
 package org.owasp.webgoat.util;
 
-import org.owasp.webgoat.plugins.ResourceBundleClassLoader;
+import org.springframework.context.support.ReloadableResourceBundleMessageSource;
+import org.springframework.core.io.Resource;
+import org.springframework.core.io.ResourceLoader;
+import org.springframework.core.io.UrlResource;
 import org.springframework.stereotype.Component;
 
-import java.util.HashMap;
+import javax.inject.Singleton;
+import java.net.MalformedURLException;
+import java.nio.file.Path;
+import java.util.Arrays;
+import java.util.List;
 import java.util.Locale;
-import java.util.ResourceBundle;
 
 
-/***************************************************************************************************
+/**
- * 
+ * ************************************************************************************************
- * 
+ * <p>
+ * <p>
  * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
  * please see http://www.owasp.org/
- * 
+ * <p>
  * Copyright (c) 2002 - 20014 Bruce Mayhew
- * 
+ * <p>
  * This program is free software; you can redistribute it and/or modify it under the terms of the
  * GNU General Public License as published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- * 
+ * <p>
  * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
  * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  * General Public License for more details.
- * 
+ * <p>
  * You should have received a copy of the GNU General Public License along with this program; if
  * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
  * 02111-1307, USA.
- * 
+ * <p>
  * Getting Source ==============
- * 
+ * <p>
  * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for
  * free software projects.
- * 
+ * <p>
  * For details, please see http://webgoat.github.io
  */
 @Component
-public class LabelProvider
+@Singleton
-{
+public class LabelProvider {
-	public final static String DEFAULT_LANGUAGE = Locale.ENGLISH.getLanguage();
+    public final static String DEFAULT_LANGUAGE = Locale.ENGLISH.getLanguage();
 
-	private final HashMap<Locale, ResourceBundle> labels = new HashMap<Locale, ResourceBundle>();
+    private static final List<Locale> SUPPORTED = Arrays.asList(Locale.GERMAN, Locale.FRENCH, Locale.ENGLISH,
-	private final WebGoatResourceBundleController localeController = new WebGoatResourceBundleController();
+            Locale.forLanguageTag("ru"));
+    private final ReloadableResourceBundleMessageSource labels = new ReloadableResourceBundleMessageSource();
+    private static final ReloadableResourceBundleMessageSource pluginLabels = new ReloadableResourceBundleMessageSource();
 
-	public String get(Locale locale, String strName)
+    public LabelProvider() {
-	{
+        labels.setBasename("classpath:/i18n/WebGoatLabels");
-		if (!labels.containsKey(locale))
+        labels.setFallbackToSystemLocale(false);
-		{
+        labels.setUseCodeAsDefaultMessage(true);
-			ClassLoader classLoader = ResourceBundleClassLoader.createPropertyFilesClassLoader();
+        pluginLabels.setParentMessageSource(labels);
-			ResourceBundle resBundle = ResourceBundle.getBundle("WebGoatLabels", locale, classLoader, localeController);
+    }
-			labels.put(locale, resBundle);
-		}
-		return labels.get(locale).getString(strName);
-	}
 
-	private class WebGoatResourceBundleController extends ResourceBundle.Control
+    public static void updatePluginResources(final Path propertyFile) {
-	{
+        pluginLabels.setBasename("WebGoatLabels");
-		private final Locale fallbackLocale = new Locale(DEFAULT_LANGUAGE);
+        pluginLabels.setFallbackToSystemLocale(false);
+        pluginLabels.setUseCodeAsDefaultMessage(true);
+        pluginLabels.setResourceLoader(new ResourceLoader() {
+            @Override
+            public Resource getResource(String location) {
+                try {
+                    return new UrlResource(propertyFile.toUri());
+                } catch (MalformedURLException e) {
+                    throw new RuntimeException(e);
+                }
+            }
 
-		@Override
+            @Override
-		public Locale getFallbackLocale(String baseName, Locale locale)
+            public ClassLoader getClassLoader() {
-		{
+                return Thread.currentThread().getContextClassLoader();
-			if (!fallbackLocale.equals(locale)) { return fallbackLocale; }
+            }
-			return Locale.ROOT;
+        });
-		}
+    }
-	}
+
+    public static void refresh() {
+        pluginLabels.clearCache();
+    }
+
+    public String get(Locale locale, String strName) {
+        return pluginLabels.getMessage(strName, null, useLocaleOrFallbackToEnglish(locale));
+    }
+
+    private Locale useLocaleOrFallbackToEnglish(Locale locale) {
+        return SUPPORTED.contains(locale) ? Locale.ENGLISH : locale;
+    }
 
 }

webgoat-container/src/test/java/org/owasp/webgoat/plugins/GlobalPropertiesTest.java

@@ -1,40 +0,0 @@
-package org.owasp.webgoat.plugins;
-
-import org.junit.Test;
-
-import java.io.IOException;
-import java.nio.charset.StandardCharsets;
-import java.nio.file.Files;
-import java.nio.file.Path;
-import java.nio.file.Paths;
-import java.util.Arrays;
-
-import static org.junit.Assert.assertNotNull;
-
-public class GlobalPropertiesTest {
-
-    @Test
-    public void propertyFilesShouldBeLoaded() throws IOException {
-        Path tempDirectory = PluginTestHelper.createTmpDir();
-        Path pluginDirectory = Files.createDirectory(Paths.get(tempDirectory.toString(), "plugins"));
-        Path directory = Files.createDirectory(Paths.get(tempDirectory.toString(), "i18n"));
-        Path globalProperties = Files.createFile(Paths.get(directory.toString(), "global.properties"));
-        Files.write(globalProperties, Arrays.asList("test=label for test"), StandardCharsets.UTF_8);
-        new GlobalProperties(pluginDirectory).loadProperties(directory);
-
-        ClassLoader propertyFilesClassLoader =
-            ResourceBundleClassLoader.createPropertyFilesClassLoader();
-        assertNotNull(propertyFilesClassLoader.getResourceAsStream("global.properties"));
-    }
-
-    @Test(expected = IllegalStateException.class)
-    public void propertyFilesDirectoryNotFoundShouldRaiseError() throws IOException {
-        Path tempDirectory = PluginTestHelper.createTmpDir();
-        Path pluginDirectory = Files.createDirectory(Paths.get(tempDirectory.toString(), "plugins"));
-        Path directory = Files.createDirectory(Paths.get(tempDirectory.toString(), "i18n"));
-        Files.delete(directory);
-
-        new GlobalProperties(pluginDirectory).loadProperties(directory);
-    }
-
-}

webgoat-container/src/test/java/org/owasp/webgoat/util/LabelProviderTest.java

@@ -0,0 +1,33 @@
+package org.owasp.webgoat.util;
+
+import org.hamcrest.CoreMatchers;
+import org.junit.Test;
+import org.springframework.core.io.ClassPathResource;
+
+import java.io.IOException;
+import java.util.Locale;
+
+import static org.junit.Assert.assertThat;
+
+public class LabelProviderTest  {
+
+    @Test
+    public void defaultLabelsShouldBePresent() {
+        LabelProvider labelProvider = new LabelProvider();
+        assertThat(labelProvider.get(Locale.ENGLISH, "LessonCompleted"), CoreMatchers.equalTo(
+                "Congratulations. You have successfully completed this lesson."));
+    }
+
+    @Test
+    public void loadingPluginLabels() throws IOException {
+        LabelProvider labelProvider = new LabelProvider();
+        labelProvider.updatePluginResources(new ClassPathResource("log4j.properties").getFile().toPath());
+        LabelProvider.refresh();
+        assertThat(labelProvider.get(Locale.ENGLISH, "LessonCompleted"), CoreMatchers.equalTo(
+                "Congratulations. You have successfully completed this lesson."));
+        assertThat(labelProvider.get(Locale.ENGLISH, "log4j.appender.CONSOLE.Target"), CoreMatchers.equalTo(
+                "System.out"));
+    }
+
+
+}