Adjust lesson template (#704)

* Remove method `getId()` from all lessons as it defaults to the class name

* remove clean up endpoint

* remove unused class `RequestParameter`

* remove unused class `PluginLoadingFailure`

* Move `CourseConfiguration` to lesson package

* Add more content around the lesson template lesson and make it visible as a lesson in WebGoat

* Remove explicit invocation `trackProgress()` inside WebGoat framework so assignments only need to return an `AttackResult`

* Put original solution back as well for SQL string injection

* review comments

* Add

webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRF.java

@@ -41,10 +41,4 @@ public class CSRF extends Lesson {
 
     @Override
     public String getTitle() { return "csrf.title"; }
-
-    @Override
-    public String getId() {
-        return "CSRF";
-    }
-
 }

webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFConfirmFlag1.java

@@ -47,11 +47,12 @@ public class CSRFConfirmFlag1 extends AssignmentEndpoint {
     public AttackResult completed(String confirmFlagVal) {
         Object userSessionDataStr = userSessionData.getValue("csrf-get-success");
         if (userSessionDataStr != null && confirmFlagVal.equals(userSessionDataStr.toString())) {
-            return trackProgress(
-                    success().feedback("csrf-get-null-referer.success").output("Correct, the flag was " + userSessionData.getValue("csrf-get-success")).build()
-            );
+            return success(this)
+                    .feedback("csrf-get-null-referer.success")
+                    .output("Correct, the flag was " + userSessionData.getValue("csrf-get-success"))
+                    .build();
         }
 
-        return trackProgress(failed().build());
+        return failed(this).build();
     }
 }

webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFFeedback.java

@@ -24,11 +24,9 @@ package org.owasp.webgoat.csrf;
 
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.exception.ExceptionUtils;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
 import org.owasp.webgoat.assignments.AssignmentHints;
-import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.owasp.webgoat.session.UserSessionData;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -66,25 +64,25 @@ public class CSRFFeedback extends AssignmentEndpoint {
             objectMapper.enable(DeserializationFeature.FAIL_ON_TRAILING_TOKENS);
             objectMapper.readValue(feedback.getBytes(), Map.class);
         } catch (IOException e) {
-            return failed().feedback(ExceptionUtils.getStackTrace(e)).build();
+            return failed(this).feedback(ExceptionUtils.getStackTrace(e)).build();
         }
         boolean correctCSRF = requestContainsWebGoatCookie(request.getCookies()) && request.getContentType().contains(MediaType.TEXT_PLAIN_VALUE);
         correctCSRF &= hostOrRefererDifferentHost(request);
         if (correctCSRF) {
             String flag = UUID.randomUUID().toString();
             userSessionData.setValue("csrf-feedback", flag);
-            return success().feedback("csrf-feedback-success").feedbackArgs(flag).build();
+            return success(this).feedback("csrf-feedback-success").feedbackArgs(flag).build();
         }
-        return failed().build();
+        return failed(this).build();
     }
 
     @PostMapping(path = "/csrf/feedback", produces = "application/json")
     @ResponseBody
     public AttackResult flag(@RequestParam("confirmFlagVal") String flag) {
         if (flag.equals(userSessionData.getValue("csrf-feedback"))) {
-            return trackProgress(success().build());
+            return success(this).build();
         } else {
-            return trackProgress(failed().build());
+            return failed(this).build();
         }
     }
 

webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/CSRFLogin.java

@@ -51,9 +51,9 @@ public class CSRFLogin extends AssignmentEndpoint {
         String userName = request.getUserPrincipal().getName();
         if (userName.startsWith("csrf")) {
             markAssignmentSolvedWithRealUser(userName.substring("csrf-".length()));
-            return trackProgress(success().feedback("csrf-login-success").build());
+            return success(this).feedback("csrf-login-success").build();
         }
-        return trackProgress(failed().feedback("csrf-login-failed").feedbackArgs(userName).build());
+        return failed(this).feedback("csrf-login-failed").feedbackArgs(userName).build();
     }
 
     private void markAssignmentSolvedWithRealUser(String username) {

webgoat-lessons/csrf/src/main/java/org/owasp/webgoat/csrf/ForgedReviews.java

@@ -90,13 +90,13 @@ public class ForgedReviews extends AssignmentEndpoint {
         userReviews.put(webSession.getUserName(), reviews);
         //short-circuit
         if (validateReq == null || !validateReq.equals(weakAntiCSRF)) {
-            return trackProgress(failed().feedback("csrf-you-forgot-something").build());
+            return failed(this).feedback("csrf-you-forgot-something").build();
         }
         //we have the spoofed files
         if (referer != "NULL" && refererArr[2].equals(host)) {
-            return trackProgress(failed().feedback("csrf-same-host").build());
+            return failed(this).feedback("csrf-same-host").build();
         } else {
-            return trackProgress(success().feedback("csrf-review.success").build()); //feedback("xss-stored-comment-failure")
+            return success(this).feedback("csrf-review.success").build(); //feedback("xss-stored-comment-failure")
         }
     }
 }