From 74b218b2a764423b420624840d8c544cb8dfc76d Mon Sep 17 00:00:00 2001
From: avivmu <aviv.mu@gmail.com>
Date: Wed, 13 Jan 2021 19:21:04 +0200
Subject: [PATCH] Use try with resources instead of try (#921)

* Use try with resources instead of try

* Remove unused lesson

* Remove unused fields
---
 .../assignments/AssignmentEndpoint.java       |  2 -
 .../webgoat/service/LabelServiceTest.java     |  6 --
 webgoat-lessons/command-injection/pom.xml     | 34 -----------
 .../plugin/HttpBasicsInterceptRequest.java    | 58 ------------------
 .../org/owasp/webgoat/plugin/HttpProxies.java | 53 ----------------
 .../main/resources/html/CommandInjection.html | 50 ----------------
 .../resources/i18n/WebGoatLabels.properties   |  4 --
 .../lessonPlans/en/CommandInjection1.adoc     | 20 -------
 .../org/owasp/webgoat/ssrf/SSRFTask2.java     | 60 +++++++++----------
 .../ssrf/src/main/resources/html/SSRF.html    |  4 +-
 .../resources/lessonPlans/en/SSRF_Task1.adoc  |  2 +-
 .../org/owasp/webgoat/ssrf/SSRFTest1.java     |  2 +-
 .../org/owasp/webgoat/ssrf/SSRFTest2.java     |  2 +-
 13 files changed, 32 insertions(+), 265 deletions(-)
 delete mode 100644 webgoat-lessons/command-injection/pom.xml
 delete mode 100644 webgoat-lessons/command-injection/src/main/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java
 delete mode 100644 webgoat-lessons/command-injection/src/main/java/org/owasp/webgoat/plugin/HttpProxies.java
 delete mode 100644 webgoat-lessons/command-injection/src/main/resources/html/CommandInjection.html
 delete mode 100644 webgoat-lessons/command-injection/src/main/resources/i18n/WebGoatLabels.properties
 delete mode 100644 webgoat-lessons/command-injection/src/main/resources/lessonPlans/en/CommandInjection1.adoc

diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java
index 32b905952..9ff9a5cde 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/assignments/AssignmentEndpoint.java
@@ -34,8 +34,6 @@ import org.springframework.beans.factory.annotation.Autowired;
 
 public abstract class AssignmentEndpoint {
 
-    @Autowired
-    private UserTrackerRepository userTrackerRepository;
     @Autowired
     private WebSession webSession;
     @Autowired
diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/service/LabelServiceTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/service/LabelServiceTest.java
index 75e8e188b..17415a720 100644
--- a/webgoat-container/src/test/java/org/owasp/webgoat/service/LabelServiceTest.java
+++ b/webgoat-container/src/test/java/org/owasp/webgoat/service/LabelServiceTest.java
@@ -53,12 +53,6 @@ public class LabelServiceTest {
 
     @Autowired
     public MockMvc mockMvc;
-    @MockBean
-    private Course course;
-    @MockBean
-    private UserService userService;
-    @MockBean
-    private LessonTrackerInterceptor interceptor;
 
     @Test
     @WithMockUser(username = "guest", password = "guest")
diff --git a/webgoat-lessons/command-injection/pom.xml b/webgoat-lessons/command-injection/pom.xml
deleted file mode 100644
index 23c24a5dd..000000000
--- a/webgoat-lessons/command-injection/pom.xml
+++ /dev/null
@@ -1,34 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <artifactId>http-proxies</artifactId>
-    <packaging>jar</packaging>
-    <parent>
-        <groupId>org.owasp.webgoat.lesson</groupId>
-        <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0-SNAPSHOT</version>
-    </parent>
-
-    <dependencies>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-test</artifactId>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.security</groupId>
-            <artifactId>spring-security-test</artifactId>
-            <version>4.1.3.RELEASE</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>junit</groupId>
-            <artifactId>junit</artifactId>
-            <version>${junit.version}</version>
-            <type>jar</type>
-            <scope>test</scope>
-        </dependency>
-
-    </dependencies>
-
-</project>
diff --git a/webgoat-lessons/command-injection/src/main/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java b/webgoat-lessons/command-injection/src/main/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java
deleted file mode 100644
index ee8f9ef64..000000000
--- a/webgoat-lessons/command-injection/src/main/java/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java
+++ /dev/null
@@ -1,58 +0,0 @@
-package org.owasp.webgoat.plugin;
-
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentPath;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.ResponseBody;
-
-import javax.servlet.http.HttpServletRequest;
-import java.io.IOException;
-
-/**
- * *************************************************************************************************
- *
- *
- * This file is part of WebGoat, an Open Web Application Security Project
- * utility. For details, please see http://www.owasp.org/
- *
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- *
- * This program is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option) any later
- * version.
- *
- * This program is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
- * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- *
- * You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
- * Place - Suite 330, Boston, MA 02111-1307, USA.
- *
- * Getting Source ==============
- *
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
- * for free software projects.
- *
- * For details, please see http://webgoat.github.io
- *
- * @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
- * @created October 28, 2003
- */
-@AssignmentPath("/HttpProxies/intercept-request")
-public class HttpBasicsInterceptRequest extends AssignmentEndpoint {
-
-	@RequestMapping(method = RequestMethod.GET)
-	public @ResponseBody
-	AttackResult completed(HttpServletRequest request) throws IOException {
-		if (request.getHeader("x-request-intercepted").toLowerCase().equals("true") && request.getParameter("changeMe").equals("Requests are tampered easily")) {
-            return trackProgress(success().feedback("http-proxies.intercept.success").build());
-		} else {
-            return trackProgress(failed().feedback("http-proxies.intercept.failure").build());
-        }
-	}
-}
\ No newline at end of file
diff --git a/webgoat-lessons/command-injection/src/main/java/org/owasp/webgoat/plugin/HttpProxies.java b/webgoat-lessons/command-injection/src/main/java/org/owasp/webgoat/plugin/HttpProxies.java
deleted file mode 100644
index 16c6c3812..000000000
--- a/webgoat-lessons/command-injection/src/main/java/org/owasp/webgoat/plugin/HttpProxies.java
+++ /dev/null
@@ -1,53 +0,0 @@
-package org.owasp.webgoat.plugin;
-
-import com.beust.jcommander.internal.Lists;
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
-
-import java.util.List;
-
-/**
- * ************************************************************************************************
- * This file is part of WebGoat, an Open Web Application Security Project utility. For details,
- * please see http://www.owasp.org/
- * <p>
- * Copyright (c) 2002 - 20014 Bruce Mayhew
- * <p>
- * This program is free software; you can redistribute it and/or modify it under the terms of the
- * GNU General Public License as published by the Free Software Foundation; either version 2 of the
- * License, or (at your option) any later version.
- * <p>
- * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
- * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- * <p>
- * You should have received a copy of the GNU General Public License along with this program; if
- * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
- * 02111-1307, USA.
- * <p>
- * Getting Source ==============
- * <p>
- * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
- * projects.
- * <p>
- *
- * @author WebGoat
- * @version $Id: $Id
- * @since October 12, 2016
- */
-public class HttpProxies extends Lesson {
-    @Override
-    public Category getDefaultCategory() {
-        return Category.GENERAL;
-    }
-
-    @Override
-    public String getTitle() {
-        return "http-proxies.title";
-    }
-
-    @Override
-    public String getId() {
-        return "HttpProxies";
-    }
-}
diff --git a/webgoat-lessons/command-injection/src/main/resources/html/CommandInjection.html b/webgoat-lessons/command-injection/src/main/resources/html/CommandInjection.html
deleted file mode 100644
index da04726db..000000000
--- a/webgoat-lessons/command-injection/src/main/resources/html/CommandInjection.html
+++ /dev/null
@@ -1,50 +0,0 @@
-<!DOCTYPE html>
-
-<html xmlns:th="http://www.thymeleaf.org">
-
-    <div class="lesson-page-wrapper">
-        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-        <!-- include content here. Content will be presented via asciidocs files,
-        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro0.adoc"></div>
-    </div>
-
-    <div class="lesson-page-wrapper">
-		<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-		<!-- include content here. Content will be presented via asciidocs files,
-        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro1.adoc"></div>
-	</div>
-
-    <div class="lesson-page-wrapper">
-        <!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-        <!-- include content here. Content will be presented via asciidocs files,
-        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-        <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro2.adoc"></div>
-    </div>
-
-	<div class="lesson-page-wrapper">
-		<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
-		<!-- include content here. Content will be presented via asciidocs files,
-        which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
-		<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro3.adoc"></div>
-	</div>
-
-    <div class="lesson-page-wrapper">
-        <!-- stripped down without extra comments -->
-        <div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntercept.adoc"></div>
-        <div class="attack-container">
-            <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-            <form class="attack-form" accept-charset="UNKNOWN" name="intercept-request"
-                  method="POST"
-                  action="/WebGoat/HttpBasics/intercept-request">
-
-                <input type="text" value="doesn't matter really" name="changeMe" />
-                <input type="submit" value="Submit" />
-
-            </form>
-            <div class="attack-feedback"></div>
-            <div class="attack-output"></div>
-        </div>
-    </div>
-</html>
\ No newline at end of file
diff --git a/webgoat-lessons/command-injection/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/command-injection/src/main/resources/i18n/WebGoatLabels.properties
deleted file mode 100644
index 2140e3ed4..000000000
--- a/webgoat-lessons/command-injection/src/main/resources/i18n/WebGoatLabels.properties
+++ /dev/null
@@ -1,4 +0,0 @@
-http-proxies.title=HTTP Proxies
-
-http-proxies.intercept.success=Well done, you tampered the request as expected
-http-proxies.intercept.failure=Please try again. Make sure to make all the changes. And case sensitivity may matter ... or not, you never know!
\ No newline at end of file
diff --git a/webgoat-lessons/command-injection/src/main/resources/lessonPlans/en/CommandInjection1.adoc b/webgoat-lessons/command-injection/src/main/resources/lessonPlans/en/CommandInjection1.adoc
deleted file mode 100644
index ce6d3f4b2..000000000
--- a/webgoat-lessons/command-injection/src/main/resources/lessonPlans/en/CommandInjection1.adoc
+++ /dev/null
@@ -1,20 +0,0 @@
-
-== HTTP Proxy Overview
-
-Many times proxies are used as a way of accessing otherwise blocked content.  A user might connect to server A, which relays content from server B
- ... Because Server B is blocked within the user's network. That's not the use case we will be dealing with here, but the concept is the same.
-HTTP Proxies receive requests from a client and relay them. They also typically record them. They act as a man-in-the-middle (keep that in mind if you decide to
-use a proxy server to connect to some other system that is otherwise blocked). We won't get into HTTP vs HTTPS just yet, but that's an important topic in
-relationship to proxies.
-
-=== Proxy Capabilities
-
-Proxies sit between your client and the server the client is talking to. You can record and analyze the requests & responses.  You can also use the proxy to
-modify (tamper) the requests and responses.  Proxies also have automated or semi-automated functions that allow  you to gain efficiency in testing and
-analyzing the security of a website.
-
-=== Other Uses for Proxies
-
-ZAP specifically can also be used in the development process in a CI/CD, DevOps or otherwise automated build/test environment.  This lesson does
-not currently have any details on that, but it is worth mentioning. There are a number of examples on the internet of it being integrated into a
-CI/CD with Jenkins, Maven or other build processes.
\ No newline at end of file
diff --git a/webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java b/webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
index 389d6df81..3d435e994 100644
--- a/webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
+++ b/webgoat-lessons/ssrf/src/main/java/org/owasp/webgoat/ssrf/SSRFTask2.java
@@ -31,9 +31,13 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RestController;
 
 import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStream;
 import java.io.InputStreamReader;
+import java.net.MalformedURLException;
 import java.net.URL;
 import java.net.URLConnection;
+import java.nio.charset.StandardCharsets;
 
 
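Review bot: The context imports `java.io.BufferedReader`, `java.io.InputStreamReader` and `java.net.URLConnection` just above the added lines appear to be left unused once furBall reads through `new URL(url).openStream()` and `readAllBytes()` in the second hunk of this file. Unless another method outside the visible hunks still uses them, those three imports should be dropped in the same commit that adds `InputStream`, `IOException`, `MalformedURLException` and `StandardCharsets`; the rest of the file is not visible here, so this is inferred.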
 @RestController
@@ -47,41 +51,31 @@ public class SSRFTask2 extends AssignmentEndpoint {
     }
 
     protected AttackResult furBall(String url) {
-        try {
-            StringBuffer html = new StringBuffer();
-
-            if (url.matches("http://ifconfig.pro")) {
-                try {
-                URL u = new URL(url);
-                URLConnection urlConnection = u.openConnection();
-                BufferedReader in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream()));
-                String inputLine;
-
-                while ((inputLine = in.readLine()) != null) {
-                    html.append(inputLine);
-                }
-                in.close();
-                } catch (Exception e) {
-                    //in case the external site is down, the test and lesson should still be ok
-                    html.append("<html><body>Altough the http://ifconfig.pro site is down, you still managed to solve this exercise the right way!</body></html>");
-                }
-
-                return success(this)
-                        .feedback("ssrf.success")
-                        .output(html.toString())
-                        .build();
-            } else {
-                html.append("<img class=\"image\" alt=\"image post\" src=\"images/cat.jpg\">");
-                return failed(this)
-                        .feedback("ssrf.failure")
-                        .output(html.toString())
-                        .build();
+        if (url.matches("http://ifconfig.pro")) {
+            String html;
+            try (InputStream in = new URL(url).openStream()) {
+                html = new String(in.readAllBytes(), StandardCharsets.UTF_8)
+                        .replaceAll("\n","<br>"); // Otherwise the \n gets escaped in the response
+            } catch (MalformedURLException e) {
+                return getFailedResult(e.getMessage());
+            } catch (IOException e) {
+                //in case the external site is down, the test and lesson should still be ok
+                html = "<html><body>Although the http://ifconfig.pro site is down, you still managed to solve" +
+                        " this exercise the right way!</body></html>";
             }
-        } catch (Exception e) {
-            e.printStackTrace();
-            return failed(this)
-                    .output(e.getMessage())
+            return success(this)
+                    .feedback("ssrf.success")
+                    .output(html)
                     .build();
         }
+        var html = "<img class=\"image\" alt=\"image post\" src=\"images/cat.jpg\">";
+        return getFailedResult(html);
+    }
+
+    private AttackResult getFailedResult(String errorMsg) {
+        return failed(this)
+                .feedback("ssrf.failure")
+                .output(errorMsg)
+                .build();
     }
 }
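Review bot: The guard `url.matches("http://ifconfig.pro")` at the top of the rewritten furBall treats the string as a regular expression, so the unescaped `.` accepts any single character in that position, and the new branch then opens the submitted value itself via `new URL(url).openStream()` rather than a fixed address; `if ("http://ifconfig.pro".equals(url))`, or a constant `new URL("http://ifconfig.pro")` inside the branch, pins the outbound fetch to the one host the lesson intends. The fetch also sets no timeouts and `readAllBytes()` has no size cap, so a slow or oversized upstream response holds the request thread indefinitely; an explicit `openConnection()` with `setConnectTimeout`/`setReadTimeout` would bound it. With the comparison made exact, the `MalformedURLException` branch can no longer be reached for the accepted value and only the `IOException` fallback remains meaningful.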
diff --git a/webgoat-lessons/ssrf/src/main/resources/html/SSRF.html b/webgoat-lessons/ssrf/src/main/resources/html/SSRF.html
index fe2cba273..c04edf620 100755
--- a/webgoat-lessons/ssrf/src/main/resources/html/SSRF.html
+++ b/webgoat-lessons/ssrf/src/main/resources/html/SSRF.html
@@ -15,7 +15,7 @@
                   action="/WebGoat/SSRF/task1">
                 <table>
                     <tr>
-                        <td><input type="hidden" id="url" name="url" value="images/tom.png"/></td>
+                        <td><input type="hidden" id="url1" name="url" value="images/tom.png"/></td>
 
                         <td><input
                                 name="Steal the Cheese" value="Steal the Cheese" type="SUBMIT"/></td>
@@ -37,7 +37,7 @@
                   action="/WebGoat/SSRF/task2">
                 <table>
                     <tr>
-                        <td><input type="hidden" id="url" name="url" value="images/cat.png"/></td>
+                        <td><input type="hidden" id="url2" name="url" value="images/cat.png"/></td>
 
                         <td><input
                                 name="try this" value="try this" type="SUBMIT"/></td>
diff --git a/webgoat-lessons/ssrf/src/main/resources/lessonPlans/en/SSRF_Task1.adoc b/webgoat-lessons/ssrf/src/main/resources/lessonPlans/en/SSRF_Task1.adoc
index 444f6baf0..fae8fc34b 100755
--- a/webgoat-lessons/ssrf/src/main/resources/lessonPlans/en/SSRF_Task1.adoc
+++ b/webgoat-lessons/ssrf/src/main/resources/lessonPlans/en/SSRF_Task1.adoc
@@ -1,2 +1,2 @@
 === Find and modify the request to display Jerry 
-lick the button and figure out what happened.
+Click the button and figure out what happened.
diff --git a/webgoat-lessons/ssrf/src/test/java/org/owasp/webgoat/ssrf/SSRFTest1.java b/webgoat-lessons/ssrf/src/test/java/org/owasp/webgoat/ssrf/SSRFTest1.java
index 99a14aa1c..7123aff68 100644
--- a/webgoat-lessons/ssrf/src/test/java/org/owasp/webgoat/ssrf/SSRFTest1.java
+++ b/webgoat-lessons/ssrf/src/test/java/org/owasp/webgoat/ssrf/SSRFTest1.java
@@ -26,7 +26,7 @@ public class SSRFTest1 extends LessonTest {
     private SSRF ssrf;
 
     @Before
-    public void setup() throws Exception {
+    public void setup() {
         when(webSession.getCurrentLesson()).thenReturn(ssrf);
         this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
     }
diff --git a/webgoat-lessons/ssrf/src/test/java/org/owasp/webgoat/ssrf/SSRFTest2.java b/webgoat-lessons/ssrf/src/test/java/org/owasp/webgoat/ssrf/SSRFTest2.java
index 2625212b7..f1556605d 100644
--- a/webgoat-lessons/ssrf/src/test/java/org/owasp/webgoat/ssrf/SSRFTest2.java
+++ b/webgoat-lessons/ssrf/src/test/java/org/owasp/webgoat/ssrf/SSRFTest2.java
@@ -48,7 +48,7 @@ public class SSRFTest2 extends LessonTest {
     private SSRF ssrf;
 
     @Before
-    public void setup() throws Exception {
+    public void setup() {
         when(webSession.getCurrentLesson()).thenReturn(ssrf);
         this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
     }