From 57c008a697d672fcfc451c85ec45429b8afee69d Mon Sep 17 00:00:00 2001
From: Nanne Baars
Date: Tue, 28 Apr 2020 08:49:51 +0200
Subject: [PATCH] Fix reading file, added try/catch and added tests

---
 .../client_side_filtering/Salaries.java | 35 +++++++-------
 .../ClientSideFilteringAssignmentTest.java | 47 +++++++++++++++++++
 ...ClientSideFilteringFreeAssignmentTest.java | 26 +++++-----
 3 files changed, 78 insertions(+), 30 deletions(-)
 create mode 100644 webgoat-lessons/client-side-filtering/src/test/java/org/owasp/webgoat/client_side_filtering/ClientSideFilteringAssignmentTest.java

diff --git a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/Salaries.java b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/Salaries.java
index bd2221caa..c09ea6e2b 100644
--- a/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/Salaries.java
+++ b/webgoat-lessons/client-side-filtering/src/main/java/org/owasp/webgoat/client_side_filtering/Salaries.java
@@ -22,6 +22,7 @@ package org.owasp.webgoat.client_side_filtering;
+import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.util.FileCopyUtils;
@@ -33,22 +34,19 @@ import org.w3c.dom.NodeList;
 import org.xml.sax.InputSource;
 
 import javax.annotation.PostConstruct;
-import javax.servlet.ServletException;
 import javax.xml.xpath.XPath;
 import javax.xml.xpath.XPathConstants;
 import javax.xml.xpath.XPathExpressionException;
 import javax.xml.xpath.XPathFactory;
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileOutputStream;
-import java.io.IOException;
+import java.io.*;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
 @RestController
-public class Salaries { // {extends Endpoint {
+@Slf4j
+public class Salaries {
 
 @Value("${webgoat.user.directory}")
 private String webGoatHomeDirectory;
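Review bot: `+import java.io.*;` replaces four explicit imports with a wildcard, which hides which `java.io` types the class actually uses and can shadow same-named types from other packages; the code in this commit needs only `File`, `FileInputStream`, `InputStream` and `IOException`, so `import java.io.File; import java.io.FileInputStream; import java.io.IOException; import java.io.InputStream;` would match the explicit style of the rest of the import block. The removed `FileOutputStream` import suggests it was already unused, which explicit imports keep visible at a glance. The body of `Salaries` continues past the hunk.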
@@ -69,27 +67,28 @@ public class Salaries { // {extends Endpoint {
 @GetMapping("clientSideFiltering/salaries")
 @ResponseBody
-public List> invoke() throws ServletException, IOException {
+public List> invoke() {
 NodeList nodes = null;
 File d = new File(webGoatHomeDirectory, "ClientSideFiltering/employees.xml");
 XPathFactory factory = XPathFactory.newInstance();
 XPath path = factory.newXPath();
-InputSource inputSource = new InputSource(new FileInputStream(d));
+try (InputStream is = new FileInputStream(d)) {
+InputSource inputSource = new InputSource(is);
 
-StringBuffer sb = new StringBuffer();
+StringBuffer sb = new StringBuffer();
 
-sb.append("/Employees/Employee/UserID | ");
-sb.append("/Employees/Employee/FirstName | ");
-sb.append("/Employees/Employee/LastName | ");
-sb.append("/Employees/Employee/SSN | ");
-sb.append("/Employees/Employee/Salary ");
+sb.append("/Employees/Employee/UserID | ");
+sb.append("/Employees/Employee/FirstName | ");
+sb.append("/Employees/Employee/LastName | ");
+sb.append("/Employees/Employee/SSN | ");
+sb.append("/Employees/Employee/Salary ");
 
-String expression = sb.toString();
-
-try {
+String expression = sb.toString();
 nodes = (NodeList) path.evaluate(expression, inputSource, XPathConstants.NODESET);
 } catch (XPathExpressionException e) {
-e.printStackTrace();
+log.error("Unable to parse xml", e);
+} catch (IOException e) {
+log.error("Unable to read employees.xml at location: '{}'", d);
 }
 int columns = 5;
 List json = new ArrayList();
diff --git a/webgoat-lessons/client-side-filtering/src/test/java/org/owasp/webgoat/client_side_filtering/ClientSideFilteringAssignmentTest.java b/webgoat-lessons/client-side-filtering/src/test/java/org/owasp/webgoat/client_side_filtering/ClientSideFilteringAssignmentTest.java
new file mode 100644
index 000000000..04104c87c
--- /dev/null
+++ b/webgoat-lessons/client-side-filtering/src/test/java/org/owasp/webgoat/client_side_filtering/ClientSideFilteringAssignmentTest.java
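Review bot: The new `catch (IOException e)` logs the path but not the exception, so the reason the read failed (missing file, permissions, short read) never reaches the log; pass it as the trailing argument, `log.error("Unable to read employees.xml at location: '{}'", d, e);`, which SLF4J treats as the throwable. Both catch blocks then fall through with `nodes` still `null`; `invoke()` continues past the hunk, and if the code that follows iterates `nodes.getLength()` the swallowed exception resurfaces as a NullPointerException from the controller instead of a handled failure, so returning an empty list from each catch (`return new ArrayList<>();`) or rethrowing as a runtime exception would keep the error explicit and the response well-formed. `StringBuffer sb` is carried into the new block unchanged; `StringBuilder` is the unsynchronized equivalent for a method-local builder.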
@@ -0,0 +1,47 @@
+package org.owasp.webgoat.client_side_filtering;
+
+import org.hamcrest.CoreMatchers;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.owasp.webgoat.plugins.LessonTest;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+
+import static org.mockito.Mockito.when;
+import static org.owasp.webgoat.client_side_filtering.ClientSideFilteringFreeAssignment.SUPER_COUPON_CODE;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+
+/**
+ * @author nbaars
+ * @since 5/2/17.
+ */
+@RunWith(SpringJUnit4ClassRunner.class)
+public class ClientSideFilteringAssignmentTest extends LessonTest {
+
+@Autowired
+private ClientSideFiltering clientSideFiltering;
+
+@Before
+public void setup() {
+when(webSession.getCurrentLesson()).thenReturn(clientSideFiltering);
+this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
+}
+
+@Test
+public void success() throws Exception {
+mockMvc.perform(MockMvcRequestBuilders.post("/clientSideFiltering/getItForFree")
+.param("checkoutCode", SUPER_COUPON_CODE))
+.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
+}
+
+@Test
+public void wrongCouponCode() throws Exception {
+mockMvc.perform(MockMvcRequestBuilders.post("/clientSideFiltering/getItForFree")
+.param("checkoutCode", "test"))
+.andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))))
+.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
+}
+}
\ No newline at end of file
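Review bot: The class name and the endpoint it exercises look swapped: this new `ClientSideFilteringAssignmentTest` posts to `/clientSideFiltering/getItForFree` with `SUPER_COUPON_CODE` imported from `ClientSideFilteringFreeAssignment`, while the existing `ClientSideFilteringFreeAssignmentTest` is changed in this same commit to test `/clientSideFiltering/attack1`; if the assignment classes follow the same naming, the two test classes should trade names so each sits next to the assignment it covers. The copied Javadoc header `@since 5/2/17.` predates a file created in this 2020 commit and should be dropped or updated. The file also ends without a trailing newline.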
diff --git a/webgoat-lessons/client-side-filtering/src/test/java/org/owasp/webgoat/client_side_filtering/ClientSideFilteringFreeAssignmentTest.java b/webgoat-lessons/client-side-filtering/src/test/java/org/owasp/webgoat/client_side_filtering/ClientSideFilteringFreeAssignmentTest.java
index c003166b9..61bfc6c17 100644
--- a/webgoat-lessons/client-side-filtering/src/test/java/org/owasp/webgoat/client_side_filtering/ClientSideFilteringFreeAssignmentTest.java
+++ b/webgoat-lessons/client-side-filtering/src/test/java/org/owasp/webgoat/client_side_filtering/ClientSideFilteringFreeAssignmentTest.java
@@ -1,24 +1,19 @@
 package org.owasp.webgoat.client_side_filtering;
 
 import org.hamcrest.CoreMatchers;
+import org.hamcrest.Matchers;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.owasp.webgoat.plugins.LessonTest;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
-import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 
 import static org.mockito.Mockito.when;
-import static org.owasp.webgoat.client_side_filtering.ClientSideFilteringFreeAssignment.SUPER_COUPON_CODE;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 
-/**
- * @author nbaars
- * @since 5/2/17.
- */
 @RunWith(SpringJUnit4ClassRunner.class)
 public class ClientSideFilteringFreeAssignmentTest extends LessonTest {
 
@@ -33,16 +28,23 @@ public class ClientSideFilteringFreeAssignmentTest extends LessonTest {
 
 @Test
 public void success() throws Exception {
-mockMvc.perform(MockMvcRequestBuilders.post("/clientSideFiltering/getItForFree")
-.param("checkoutCode", SUPER_COUPON_CODE))
+mockMvc.perform(MockMvcRequestBuilders.post("/clientSideFiltering/attack1")
+.param("answer", "450000"))
 .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
 }
 
 @Test
-public void wrongCouponCode() throws Exception {
-mockMvc.perform(MockMvcRequestBuilders.post("/clientSideFiltering/getItForFree")
-.param("checkoutCode", "test"))
-.andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("assignment.not.solved"))))
+public void wrongSalary() throws Exception {
+mockMvc.perform(MockMvcRequestBuilders.post("/clientSideFiltering/attack1")
+.param("answer", "10000"))
+.andExpect(jsonPath("$.feedback", CoreMatchers.is("This is not the salary from Neville Bartholomew...")))
 .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
 }
+
+@Test
+public void getSalaries() throws Exception {
+mockMvc.perform(MockMvcRequestBuilders.get("/clientSideFiltering/salaries"))
+.andExpect(jsonPath("$[0]", Matchers.hasKey("UserID")))
+.andExpect(jsonPath("$.length()", CoreMatchers.is(12)));
+}
 }
\ No newline at end of file
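Review bot: `wrongSalary` pins the feedback to the literal `"This is not the salary from Neville Bartholomew..."`, whereas the assertion it replaces (and the sibling test added in this commit) resolved the text through `messages.getMessage(...)`; if that sentence lives in the lesson's message bundle, the test breaks on any wording or locale change, so resolving it via `messages.getMessage` with the lesson's key would keep the two test classes consistent. `getSalaries` checks only that `$[0]` has `UserID` and that `$.length()` is 12; since the lesson exists to show that this endpoint returns the full record to every client, also asserting `Matchers.hasKey("SSN")` and `Matchers.hasKey("Salary")` would document that behavior in the test, and the hard-coded 12 ties the test to the bundled employees.xml fixture, which deserves a one-line comment such as `// 12 employees in the bundled ClientSideFiltering/employees.xml`. The enclosing class starts outside the hunk.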