suppressing some useless log messages and banners in unit tests (#752)

* suppressing some useless log messages and banners in unit tests

* some more log suppressed

webgoat-integration-tests/src/test/java/org/owasp/webgoat/PasswordResetLessonTest.java

@@ -46,7 +46,6 @@ public class PasswordResetLessonTest extends IntegrationTest {
                 .formParams("resetLink", link, "password", "123456")
                 .post(url("PasswordReset/reset/change-password"))
                 .then()
-                .log().all()
                 .statusCode(200);
     }
 
@@ -57,7 +56,6 @@ public class PasswordResetLessonTest extends IntegrationTest {
                 .cookie("WEBWOLFSESSION", getWebWolfCookie())
                 .get(webWolfUrl("WebWolf/requests"))
                 .then()
-                .log().all()
                 .extract().response().getBody().asString();
         int startIndex = responseBody.lastIndexOf("/PasswordReset/reset/reset-password/");
         var link = responseBody.substring(startIndex + "/PasswordReset/reset/reset-password/".length(), responseBody.indexOf(",", startIndex) - 1);

webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/xss/CrossSiteScriptingLesson3.java

@@ -67,7 +67,6 @@ public class CrossSiteScriptingLesson3 extends AssignmentEndpoint {
             }
 
             if (includeCorrect && firstNameCorrect && lastNameCorrect) {
-                System.out.println("true");
                 return success(this).feedback("xss-mitigation-3-success").build();
             } else {
                 return failed(this).feedback("xss-mitigation-3-failure").build();

webgoat-lessons/crypto/src/test/java/org/owasp/webgoat/crypto/CryptoUtilTest.java

@@ -11,6 +11,9 @@ import javax.xml.bind.DatatypeConverter;
 
 import org.junit.jupiter.api.Test;
 
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
 public class CryptoUtilTest {
 
 	@Test
@@ -21,10 +24,10 @@ public class CryptoUtilTest {
 			PrivateKey privateKey = CryptoUtil.getPrivateKeyFromPEM(CryptoUtil.getPrivateKeyInPEM(keyPair));
 			String modulus = DatatypeConverter.printHexBinary(rsaPubKey.getModulus().toByteArray());
 			String signature = CryptoUtil.signMessage(modulus, privateKey);
-			System.out.println(rsaPubKey.getPublicExponent());
+			log.debug("public exponent {}", rsaPubKey.getPublicExponent());
 			assertTrue(CryptoUtil.verifyAssignment(modulus, signature, keyPair.getPublic()));
 		} catch (Exception e) {
-			e.printStackTrace();
+			log.error("signing failed", e);;
 			fail();
 		}
 	}

webgoat-lessons/idor/src/main/java/org/owasp/webgoat/idor/IDORViewOwnProfile.java

@@ -27,10 +27,13 @@ import org.owasp.webgoat.session.UserSessionData;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.*;
 
+import lombok.extern.slf4j.Slf4j;
+
 import java.util.HashMap;
 import java.util.Map;
 
 @RestController
+@Slf4j
 public class IDORViewOwnProfile {
 
     @Autowired
@@ -54,7 +57,7 @@ public class IDORViewOwnProfile {
                 details.put("error","You do not have privileges to view the profile. Authenticate as tom first please.");
             }
         }catch (Exception ex) {
-            System.out.println(ex.getMessage());
+            log.error("something went wrong", ex.getMessage());
         }
         return details;
     }

webgoat-lessons/insecure-deserialization/src/main/java/org/dummy/insecure/framework/VulnerableTaskHolder.java

@@ -7,6 +7,9 @@ import java.io.ObjectInputStream;
 import java.io.Serializable;
 import java.time.LocalDateTime;
 
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
 public class VulnerableTaskHolder implements Serializable {
 
 	private static final long serialVersionUID = 2;
@@ -37,31 +40,31 @@ public class VulnerableTaskHolder implements Serializable {
 		stream.defaultReadObject();
 		
 		//do something with the data
-		System.out.println("restoring task: "+taskName);
+		log.info("restoring task: {}", taskName);
-		System.out.println("restoring time: "+requestedExecutionTime);
+		log.info("restoring time: {}", requestedExecutionTime);
 		
 		if (requestedExecutionTime!=null && 
 				(requestedExecutionTime.isBefore(LocalDateTime.now().minusMinutes(10))
 				|| requestedExecutionTime.isAfter(LocalDateTime.now()))) {
 			//do nothing is the time is not within 10 minutes after the object has been created
-			System.out.println(this.toString());
+			log.debug(this.toString());
 			throw new IllegalArgumentException("outdated");
 		}
 		
 		//condition is here to prevent you from destroying the goat altogether
 		if ((taskAction.startsWith("sleep")||taskAction.startsWith("ping"))
 				&& taskAction.length() < 22) {
-		System.out.println("about to execute: "+taskAction);
+		log.info("about to execute: {}", taskAction);
 		try {
             Process p = Runtime.getRuntime().exec(taskAction);
             BufferedReader in = new BufferedReader(
                                 new InputStreamReader(p.getInputStream()));
             String line = null;
             while ((line = in.readLine()) != null) {
-                System.out.println(line);
+                log.info(line);
             }
         } catch (IOException e) {
-            e.printStackTrace();
+            log.error("IO Exception", e);
         }
 		}
        

webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java

@@ -85,7 +85,6 @@ public class JWTSecretKeyEndpoint extends AssignmentEndpoint {
                 }
             }
         } catch (Exception e) {
-            e.printStackTrace();
             return failed(this).feedback("jwt-invalid-token").output(e.getMessage()).build();
         }
     }

webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java

@@ -149,7 +149,7 @@ public class JWTVotesEndpointTest extends LessonTest {
 
         result = mockMvc.perform(MockMvcRequestBuilders.get("/JWT/votings")
                 .cookie(cookie))
-                .andExpect(status().isOk()).andDo(print()).andReturn();
+                .andExpect(status().isOk())./*andDo(print()).*/andReturn();
         Object[] nodes = new ObjectMapper().readValue(result.getResponse().getContentAsString(), Object[].class);
         int currentNumberOfVotes = (int) findNodeByTitle(nodes, "Admin lost password").get("numberOfVotes");
 

webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/TokenTest.java

@@ -24,6 +24,8 @@ package org.owasp.webgoat.jwt;
 
 import io.jsonwebtoken.*;
 import io.jsonwebtoken.impl.TextCodec;
+import lombok.extern.slf4j.Slf4j;
+
 import org.junit.Test;
 
 import java.time.Duration;
@@ -32,6 +34,7 @@ import java.util.Date;
 import java.util.Map;
 import java.util.concurrent.TimeUnit;
 
+@Slf4j
 public class TokenTest {
 
     @Test
@@ -43,7 +46,7 @@ public class TokenTest {
                 .setIssuedAt(new Date(System.currentTimeMillis() + TimeUnit.DAYS.toDays(10)))
                 .setClaims(claims)
                 .signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, key).compact();
-        System.out.println(token);
+        log.debug(token);
         Jwt jwt = Jwts.parser().setSigningKey("qwertyqwerty1234").parse(token);
         jwt = Jwts.parser().setSigningKeyResolver(new SigningKeyResolverAdapter() {
             @Override
@@ -64,8 +67,6 @@ public class TokenTest {
         String token = Jwts.builder().setClaims(claims)
                 .signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, "bm5n3SkxCX4kKRy4")
                 .compact();
-        //Jws<Claims> jws = Jwts.parser().setSigningKey("bm5n3SkxCX4kKRy4").parseClaimsJws(token);
+        log.debug(token);
-        //Jwts.parser().setSigningKey().parsePlaintextJws(token);
-        System.out.println(token);
     }
 }

webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/missing_ac/MissingFunctionACUsers.java

@@ -32,6 +32,8 @@ import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.servlet.ModelAndView;
 
+import lombok.extern.slf4j.Slf4j;
+
 import javax.servlet.http.HttpServletRequest;
 import java.util.ArrayList;
 import java.util.List;
@@ -41,6 +43,7 @@ import java.util.List;
  */
 
 @Controller
+@Slf4j
 public class MissingFunctionACUsers {
 
     // this will actually put controllers on the /WebGoat/* path ... the jsp for list_users restricts what can be seen, but the add_user is not controlled carefully
@@ -84,8 +87,7 @@ public class MissingFunctionACUsers {
             userService.addUser(newUser.getUsername(),newUser.getPassword(),newUser.getRole());
             return userService.loadUserByUsername(newUser.getUsername());
         } catch (Exception ex) {
-            System.out.println("Error creating new User" + ex.getMessage());
+            log.error("Error creating new User", ex);
-            ex.printStackTrace();
             //TODO: implement error handling ...
         } finally {
             // no streams or other resources opened ... nothing to do, right?

webwolf/pom.xml

@@ -31,7 +31,6 @@
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-lang3</artifactId>
-            <version>${commons-lang3.version}</version>
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
@@ -96,51 +95,4 @@
         </dependency>
     </dependencies>
 
-    <build>
-        <plugins>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-compiler-plugin</artifactId>
-                <version>${maven-compiler-plugin.version}</version>
-                <configuration>
-                    <source>11</source>
-                    <target>11</target>
-                    <encoding>UTF-8</encoding>
-                </configuration>
-            </plugin>
-            <plugin>
-                <groupId>org.springframework.boot</groupId>
-                <artifactId>spring-boot-maven-plugin</artifactId>
-            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-jar-plugin</artifactId>
-                <version>3.1.2</version>
-                <executions>
-                    <execution>
-                        <phase>test-compile</phase>
-                        <goals>
-                            <goal>jar</goal>
-                        </goals>
-                        <configuration>
-                            <classifier>internal</classifier>
-                        </configuration>
-                    </execution>
-                </executions>
-            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-surefire-plugin</artifactId>
-                <version>${maven-surefire-plugin.version}</version>
-                <configuration>
-                    <forkMode>never</forkMode>
-                    <argLine>
-                        --illegal-access=permit
-                    </argLine>
-                </configuration>
-            </plugin>
-        </plugins>
-    </build>
-
-
 </project>

webwolf/src/test/resources/logback-test.xml

@@ -0,0 +1,16 @@
+<configuration>
+
+  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
+    <!-- encoders are assigned the type
+         ch.qos.logback.classic.encoder.PatternLayoutEncoder by default -->
+    <encoder>
+      <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
+    </encoder>
+  </appender>
+  
+  <logger name="org.owasp.webgoat.plugin" level="INFO"/>
+
+  <root level="ERROR">
+    <appender-ref ref="STDOUT" />
+  </root>
+</configuration>