dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Thymeleaf works with AsciiDoc

Browse Source
This commit is contained in:
Nanne Baars 2016-05-15 10:38:22 +02:00
parent e8628599fe
commit 63398aaf6d
13 changed files with 375 additions and 125 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
webgoat-container/pom.xml
View File

@ -233,6 +233,11 @@
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-loader</artifactId>
</dependency>
<dependency>
<groupId>org.asciidoctor</groupId>
<artifactId>asciidoctorj</artifactId>
<version>1.5.4</version>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>

108
webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java Normal file
View File

@ -0,0 +1,108 @@
/**
*************************************************************************************************
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
* <p>
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
* <p>
* Getting Source ==============
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
* <p>
*
* @author WebGoat
* @since December 12, 2015
* @version $Id: $Id
*/
package org.owasp.webgoat;
import com.google.common.collect.Maps;
import com.google.common.collect.Sets;
import org.asciidoctor.Asciidoctor;
import org.thymeleaf.TemplateProcessingParameters;
import org.thymeleaf.resourceresolver.IResourceResolver;
import org.thymeleaf.templateresolver.TemplateResolver;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.StringWriter;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Optional;
import static org.asciidoctor.Asciidoctor.Factory.create;
/**
* Thymeleaf resolver for AsciiDoc used in the lesson, can be used as follows inside a lesson file:
*
* <code>
* <div th:replace="doc:AccessControlMatrix_plan.adoc"></div>
* </code>
*/
public class AsciiDoctorTemplateResolver extends TemplateResolver {
private static final Asciidoctor asciidoctor = create();
private static final String PREFIX = "doc:";
private final File pluginTargetDirectory;
public AsciiDoctorTemplateResolver(File pluginTargetDirectory) {
this.pluginTargetDirectory = pluginTargetDirectory;
setResourceResolver(new AdocResourceResolver());
setResolvablePatterns(Sets.newHashSet(PREFIX + "*"));
}
@Override
protected String computeResourceName(TemplateProcessingParameters params) {
String templateName = params.getTemplateName();
return templateName.substring(PREFIX.length());
}
private class AdocResourceResolver implements IResourceResolver {
@Override
public InputStream getResourceAsStream(TemplateProcessingParameters params, String resourceName) {
try {
Optional<Path> adocFile = find(pluginTargetDirectory.toPath(), resourceName);
if (adocFile.isPresent()) {
try (FileReader reader = new FileReader(adocFile.get().toFile())) {
StringWriter writer = new StringWriter();
asciidoctor.convert(reader, writer, Maps.newHashMap());
return new ByteArrayInputStream(writer.getBuffer().toString().getBytes());
}
}
return new ByteArrayInputStream(new byte[0]);
} catch (IOException e) {
//no html yet
return new ByteArrayInputStream(new byte[0]);
}
}
private Optional<Path> find(Path path, String resourceName) throws IOException {
return Files.walk(path)
.filter(Files::isRegularFile)
.filter(p -> p.toString().endsWith(resourceName)).findFirst();
}
@Override
public String getName() {
return "adocResourceResolver";
}
}
}

37
webgoat-container/src/main/java/org/owasp/webgoat/LessonTemplateResolver.java
View File

@ -1,3 +1,33 @@
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author WebGoat
* @since October 28, 2003
* @version $Id: $Id
*/
package org.owasp.webgoat;
import com.google.common.collect.Sets;
@ -12,11 +42,16 @@ import java.io.IOException;
import java.io.InputStream;
/**
* Dynamically resolve a lesson. In the html file this can be invoked as:
*
* <code>
* <div th:case="true" th:replace="lesson:__${lesson.class.simpleName}__"></div>
* </code>
*
* Thymeleaf will invoke this resolver based on the prefix and this implementqtion will resolve the html in the plugins directory
*/
public class LessonTemplateResolver extends TemplateResolver {
private final static String PREFIX = "lesson:";
private final File pluginTargetDirectory;

52
webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java
View File

@ -1,3 +1,33 @@
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author WebGoat
* @since October 28, 2003
* @version $Id: $Id
*/
package org.owasp.webgoat;
import com.google.common.collect.Sets;
@ -20,7 +50,7 @@ import org.thymeleaf.templateresolver.TemplateResolver;
import java.io.File;
/**
*
* Configuration for Spring MVC
*/
@Configuration
public class MvcConfiguration extends WebMvcConfigurerAdapter {
@ -50,15 +80,26 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter {
public LessonTemplateResolver lessonTemplateResolver() {
LessonTemplateResolver resolver = new LessonTemplateResolver(pluginTargetDirectory);
resolver.setOrder(2);
resolver.setCacheable(false);
return resolver;
}
@Bean
public SpringTemplateEngine thymeleafTemplateEngine(TemplateResolver springThymeleafTemplateResolver, LessonTemplateResolver lessonTemplateResolver) {
public AsciiDoctorTemplateResolver asciiDoctorTemplateResolver() {
AsciiDoctorTemplateResolver resolver = new AsciiDoctorTemplateResolver(pluginTargetDirectory);
resolver.setCacheable(true);
resolver.setOrder(3);
return resolver;
}
@Bean
public SpringTemplateEngine thymeleafTemplateEngine(TemplateResolver springThymeleafTemplateResolver,
LessonTemplateResolver lessonTemplateResolver,
AsciiDoctorTemplateResolver asciiDoctorTemplateResolver) {
SpringTemplateEngine engine = new SpringTemplateEngine();
engine.addDialect(new SpringSecurityDialect());
engine.setTemplateResolvers(
Sets.newHashSet(springThymeleafTemplateResolver, lessonTemplateResolver));
Sets.newHashSet(springThymeleafTemplateResolver, lessonTemplateResolver, asciiDoctorTemplateResolver));
return engine;
}
@ -68,6 +109,11 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter {
return new ServletRegistrationBean(hammerHead, "/attack/*");
}
/**
* This way we expose the plugins target directory as a resource within the web application.
*
* @param registry
*/
@Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
registry.addResourceHandler("/plugin_lessons/**").addResourceLocations("file:///" + pluginTargetDirectory.toString() + "/");

32
webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java
View File

@ -1,3 +1,33 @@
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author WebGoat
* @since October 28, 2003
* @version $Id: $Id
*/
package org.owasp.webgoat;
import org.owasp.webgoat.plugins.PluginClassLoader;
@ -53,7 +83,7 @@ public class WebGoat extends SpringBootServletInitializer {
@Bean
@Scope(value = "session", proxyMode = ScopedProxyMode.TARGET_CLASS)
public WebSession webSession(Course course, WebgoatContext webgoatContext, ServletContext context, ApplicationContext applicationContext ) {
public WebSession webSession(Course course, WebgoatContext webgoatContext, ServletContext context) {
return new WebSession(course, webgoatContext, context);
}

33
webgoat-container/src/main/java/org/owasp/webgoat/WebSecurityConfig.java
View File

@ -1,3 +1,33 @@
/**
*************************************************************************************************
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
* <p>
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
* <p>
* Getting Source ==============
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
* <p>
*
* @author WebGoat
* @since December 12, 2015
* @version $Id: $Id
*/
package org.owasp.webgoat;
import org.springframework.beans.factory.annotation.Autowired;
@ -10,6 +40,9 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
import org.springframework.security.core.userdetails.UserDetailsService;
/**
* Security configuration for WebGoat.
*/
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

63
webgoat-container/src/main/java/org/owasp/webgoat/application/WebGoatServletListener.java
View File

@ -1,63 +0,0 @@
/*
* To change this license header, choose License Headers in Project Properties.
* To change this template file, choose Tools | Templates
* and open the template in the editor.
*/
package org.owasp.webgoat.application;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import java.sql.Driver;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Enumeration;
/**
* Web application lifecycle listener.
*
* @author rlawson
* @version $Id: $Id
*/
public class WebGoatServletListener implements ServletContextListener {
private static final Logger logger = LoggerFactory.getLogger(WebGoatServletListener.class);
/** {@inheritDoc} */
@Override
public void contextInitialized(ServletContextEvent sce) {
ServletContext context = sce.getServletContext();
context.log("WebGoat is starting");
}
/** {@inheritDoc} */
@Override
public void contextDestroyed(ServletContextEvent sce) {
ServletContext context = sce.getServletContext();
context.log("WebGoat is stopping");
// Unregister JDBC drivers in this context's ClassLoader:
// Get the webapp's ClassLoader
ClassLoader cl = Thread.currentThread().getContextClassLoader();
// Loop through all drivers
Enumeration<Driver> drivers = DriverManager.getDrivers();
while (drivers.hasMoreElements()) {
java.sql.Driver driver = drivers.nextElement();
if (driver.getClass().getClassLoader() == cl) {
// This driver was registered by the webapp's ClassLoader, so deregister it:
try {
context.log("Unregister JDBC driver {}");
DriverManager.deregisterDriver(driver);
} catch (SQLException ex) {
context.log("Error unregistering JDBC driver {}");
}
} else {
// driver was not registered by the webapp's ClassLoader and may be in use elsewhere
context.log("Not unregistering JDBC driver {} as it does not belong to this webapp's ClassLoader");
}
}
}
}

50
webgoat-container/src/main/java/org/owasp/webgoat/controller/StartLesson.java
View File

@ -1,36 +1,51 @@
/*
* To change this license header, choose License Headers in Project Properties.
* To change this template file, choose Tools | Templates
* and open the template in the editor.
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author WebGoat
* @since October 28, 2003
* @version $Id: $Id
*/
package org.owasp.webgoat.controller;
import org.owasp.webgoat.lessons.RandomLessonAdapter;
import org.owasp.webgoat.session.WebSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
/**
* <p>Start class.</p>
*
* @author rlawson
* @version $Id: $Id
*/
@Controller
public class StartLesson {
final Logger logger = LoggerFactory.getLogger(StartLesson.class);
//simple filter can be removed after ECS removal
private static final String refactored = "ClientSideFiltering AccessControlMatrix";
@Autowired
private ServletContext servletContext;
/**
* <p>start.</p>
@ -48,6 +63,7 @@ public class StartLesson {
model.addObject("lesson", ws.getCurrentLesson());
model.addObject("message", ws.getMessage());
model.addObject("instructions", ws.getInstructions());
model.addObject("migrated", refactored.contains(ws.getCurrentLesson().getClass().getSimpleName())); //remove after ECS removal otherwise you will see the lesson twice
model.setViewName("lesson_content");
return model;
}

33
webgoat-container/src/main/java/org/owasp/webgoat/controller/Welcome.java
View File

@ -1,7 +1,32 @@
/*
* To change this license header, choose License Headers in Project Properties.
* To change this template file, choose Tools | Templates
* and open the template in the editor.
/**
*************************************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
*
* Copyright (c) 2002 - 20014 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
*
* @author WebGoat
* @since October 28, 2003
* @version $Id: $Id
*/
package org.owasp.webgoat.controller;

47
webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonAdapter.java
View File

@ -1,26 +1,3 @@
package org.owasp.webgoat.lessons;
import com.google.common.base.Joiner;
import org.apache.commons.io.IOUtils;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.Center;
import org.apache.ecs.html.H3;
import org.apache.ecs.html.P;
import org.apache.ecs.html.PRE;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.WebSession;
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;
/**
*************************************************************************************************
*
@ -51,6 +28,30 @@ import java.util.List;
* @since October 28, 2003
* @version $Id: $Id
*/
package org.owasp.webgoat.lessons;
import com.google.common.base.Joiner;
import org.apache.commons.io.IOUtils;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.Center;
import org.apache.ecs.html.H3;
import org.apache.ecs.html.P;
import org.apache.ecs.html.PRE;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.session.WebSession;
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;
public abstract class LessonAdapter extends AbstractLesson {
/**

21
webgoat-container/src/main/java/org/owasp/webgoat/lessons/LessonEndpointMapping.java
View File

@ -1,11 +1,3 @@
package org.owasp.webgoat.lessons;
import org.springframework.stereotype.Component;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
/**
*************************************************************************************************
@ -36,6 +28,19 @@ import java.lang.annotation.Target;
* @since December 12, 2015
* @version $Id: $Id
*/
package org.owasp.webgoat.lessons;
import org.springframework.stereotype.Component;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
/**
* Annotation as a marker annotation. During the startup we scan the plugins for classes which use this annotation.
* @see LessonEndpoint for more information.
*/
@Component
@Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME)

3
webgoat-container/src/main/resources/application.properties
View File

@ -4,8 +4,7 @@ server.contextPath=/WebGoat
server.port=8080
logging.level.org.springframework=DEBUG
logging.level.org.hibernate=ERROR
logging.level.org.springframework=WARN
spring.thymeleaf.cache=false
security.enable-csrf=false

16
webgoat-container/src/main/resources/templates/lesson_content.html
View File

@ -3,10 +3,20 @@
<!-- Model is setup in the class StartLesson -->
<div id="lessonInstructions" th:utext="${instructions}"></div>
<div th:switch="${migrated}">
<div th:case="false" id="lessonInstructions" th:utext="${instructions}"></div>
<div th:case="true" id="lessonInstructions"></div>
</div>
<div id="message" class="info" th:utext="${message}"></div>
<br/>
<div th:utext="${lesson.content}"></div>
<div th:replace="lesson:__${lesson.class.simpleName}__"></div> <!-- __lesson__ makes Thymeleaf dynamic and calling the Thymeleaf resolver -->
<div th:switch="${migrated}">
<div th:case="false" th:utext="${lesson.content}"></div>
<div th:case="true" th:replace="lesson:__${lesson.class.simpleName}__"></div>
</div>
</html>