Use try with resources instead of try (#921)

* Use try with resources instead of try

* Remove unused lesson

* Remove unused fields
This commit is contained in:
avivmu 2021-01-13 19:21:04 +02:00 committed by GitHub
parent b219854f81
commit 74b218b2a7
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 32 additions and 265 deletions


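--- a/org/owasp/webgoat/assignments/AssignmentEndpoint.java
+++ b/org/owasp/webgoat/assignments/AssignmentEndpoint.java
@@ -34,8 +34,6 @@ import org.springframework.beans.factory.annotation.Autowired;
 public abstract class AssignmentEndpoint {
-@Autowired
-private UserTrackerRepository userTrackerRepository;
 @Autowired
 private WebSession webSession;
 @Autowired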


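--- a/LabelServiceTest.java
+++ b/LabelServiceTest.java
@@ -53,12 +53,6 @@ public class LabelServiceTest {
 @Autowired
 public MockMvc mockMvc;
-@MockBean
-private Course course;
-@MockBean
-private UserService userService;
-@MockBean
-private LessonTrackerInterceptor interceptor;
 @Test
 @WithMockUser(username = "guest", password = "guest")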


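--- a/http-proxies/pom.xml
+++ /dev/null
@@ -1,34 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-<modelVersion>4.0.0</modelVersion>
-<artifactId>http-proxies</artifactId>
-<packaging>jar</packaging>
-<parent>
-<groupId>org.owasp.webgoat.lesson</groupId>
-<artifactId>webgoat-lessons-parent</artifactId>
-<version>v8.0.0-SNAPSHOT</version>
-</parent>
-<dependencies>
-<dependency>
-<groupId>org.springframework.boot</groupId>
-<artifactId>spring-boot-starter-test</artifactId>
-<scope>test</scope>
-</dependency>
-<dependency>
-<groupId>org.springframework.security</groupId>
-<artifactId>spring-security-test</artifactId>
-<version>4.1.3.RELEASE</version>
-<scope>test</scope>
-</dependency>
-<dependency>
-<groupId>junit</groupId>
-<artifactId>junit</artifactId>
-<version>${junit.version}</version>
-<type>jar</type>
-<scope>test</scope>
-</dependency>
-</dependencies>
-</project>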


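--- a/org/owasp/webgoat/plugin/HttpBasicsInterceptRequest.java
+++ /dev/null
@@ -1,58 +0,0 @@
-package org.owasp.webgoat.plugin;
-import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentPath;
-import org.owasp.webgoat.assignments.AttackResult;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.ResponseBody;
-import javax.servlet.http.HttpServletRequest;
-import java.io.IOException;
-/**
-* *************************************************************************************************
-*
-*
-* This file is part of WebGoat, an Open Web Application Security Project
-* utility. For details, please see http://www.owasp.org/
-*
-* Copyright (c) 2002 - 20014 Bruce Mayhew
-*
-* This program is free software; you can redistribute it and/or modify it under
-* the terms of the GNU General Public License as published by the Free Software
-* Foundation; either version 2 of the License, or (at your option) any later
-* version.
-*
-* This program is distributed in the hope that it will be useful, but WITHOUT
-* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
-* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
-* details.
-*
-* You should have received a copy of the GNU General Public License along with
-* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
-* Place - Suite 330, Boston, MA 02111-1307, USA.
-*
-* Getting Source ==============
-*
-* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository
-* for free software projects.
-*
-* For details, please see http://webgoat.github.io
-*
-* @author Bruce Mayhew <a href="http://code.google.com/p/webgoat">WebGoat</a>
-* @created October 28, 2003
-*/
-@AssignmentPath("/HttpProxies/intercept-request")
-public class HttpBasicsInterceptRequest extends AssignmentEndpoint {
-@RequestMapping(method = RequestMethod.GET)
-public @ResponseBody
-AttackResult completed(HttpServletRequest request) throws IOException {
-if (request.getHeader("x-request-intercepted").toLowerCase().equals("true") && request.getParameter("changeMe").equals("Requests are tampered easily")) {
-return trackProgress(success().feedback("http-proxies.intercept.success").build());
-} else {
-return trackProgress(failed().feedback("http-proxies.intercept.failure").build());
-}
-}
-}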


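--- a/org/owasp/webgoat/plugin/HttpProxies.java
+++ /dev/null
@@ -1,53 +0,0 @@
-package org.owasp.webgoat.plugin;
-import com.beust.jcommander.internal.Lists;
-import org.owasp.webgoat.lessons.Category;
-import org.owasp.webgoat.lessons.Lesson;
-import java.util.List;
-/**
-* ************************************************************************************************
-* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
-* please see http://www.owasp.org/
-* <p>
-* Copyright (c) 2002 - 20014 Bruce Mayhew
-* <p>
-* This program is free software; you can redistribute it and/or modify it under the terms of the
-* GNU General Public License as published by the Free Software Foundation; either version 2 of the
-* License, or (at your option) any later version.
-* <p>
-* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
-* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-* General Public License for more details.
-* <p>
-* You should have received a copy of the GNU General Public License along with this program; if
-* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
-* 02111-1307, USA.
-* <p>
-* Getting Source ==============
-* <p>
-* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
-* projects.
-* <p>
-*
-* @author WebGoat
-* @version $Id: $Id
-* @since October 12, 2016
-*/
-public class HttpProxies extends Lesson {
-@Override
-public Category getDefaultCategory() {
-return Category.GENERAL;
-}
-@Override
-public String getTitle() {
-return "http-proxies.title";
-}
-@Override
-public String getId() {
-return "HttpProxies";
-}
-}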


@ -1,50 +0,0 @@
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro0.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro1.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro2.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- reuse this lesson-page-wrapper block for each 'page' of content in your lesson -->
<!-- include content here. Content will be presented via asciidocs files,
which you put in src/main/resources/plugin/lessonplans/{lang}/{fileName}.adoc -->
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntro3.adoc"></div>
</div>
<div class="lesson-page-wrapper">
<!-- stripped down without extra comments -->
<div class="adoc-content" th:replace="doc:HttpBasics_ProxyIntercept.adoc"></div>
<div class="attack-container">
<div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
<form class="attack-form" accept-charset="UNKNOWN" name="intercept-request"
method="POST"
action="/WebGoat/HttpBasics/intercept-request">
<input type="text" value="doesn't matter really" name="changeMe" />
<input type="submit" value="Submit" />
</form>
<div class="attack-feedback"></div>
<div class="attack-output"></div>
</div>
</div>
</html>


@ -1,4 +0,0 @@
http-proxies.title=HTTP Proxies
http-proxies.intercept.success=Well done, you tampered the request as expected
http-proxies.intercept.failure=Please try again. Make sure to make all the changes. And case sensitivity may matter ... or not, you never know!


@ -1,20 +0,0 @@
== HTTP Proxy Overview
Many times proxies are used as a way of accessing otherwise blocked content. A user might connect to server A, which relays content from server B
... Because Server B is blocked within the user's network. That's not the use case we will be dealing with here, but the concept is the same.
HTTP Proxies receive requests from a client and relay them. They also typically record them. They act as a man-in-the-middle (keep that in mind if you decide to
use a proxy server to connect to some other system that is otherwise blocked). We won't get into HTTP vs HTTPS just yet, but that's an important topic in
relationship to proxies.
=== Proxy Capabilities
Proxies sit between your client and the server the client is talking to. You can record and analyze the requests & responses. You can also use the proxy to
modify (tamper) the requests and responses. Proxies also have automated or semi-automated functions that allow you to gain efficiency in testing and
analyzing the security of a website.
=== Other Uses for Proxies
ZAP specifically can also be used in the development process in a CI/CD, DevOps or otherwise automated build/test environment. This lesson does
not currently have any details on that, but it is worth mentioning. There are a number of examples on the internet of it being integrated into a
CI/CD with Jenkins, Maven or other build processes.


@ -31,9 +31,13 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController; import org.springframework.web.bind.annotation.RestController;
import java.io.BufferedReader; import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader; import java.io.InputStreamReader;
import java.net.MalformedURLException;
import java.net.URL; import java.net.URL;
import java.net.URLConnection; import java.net.URLConnection;
import java.nio.charset.StandardCharsets;
@RestController @RestController
@ -47,41 +51,31 @@ public class SSRFTask2 extends AssignmentEndpoint {
} }
protected AttackResult furBall(String url) { protected AttackResult furBall(String url) {
try {
StringBuffer html = new StringBuffer();
if (url.matches("http://ifconfig.pro")) { if (url.matches("http://ifconfig.pro")) {
try { String html;
URL u = new URL(url); try (InputStream in = new URL(url).openStream()) {
URLConnection urlConnection = u.openConnection(); html = new String(in.readAllBytes(), StandardCharsets.UTF_8)
BufferedReader in = new BufferedReader(new InputStreamReader(urlConnection.getInputStream())); .replaceAll("\n","<br>"); // Otherwise the \n gets escaped in the response
String inputLine; } catch (MalformedURLException e) {
return getFailedResult(e.getMessage());
while ((inputLine = in.readLine()) != null) { } catch (IOException e) {
html.append(inputLine);
}
in.close();
} catch (Exception e) {
//in case the external site is down, the test and lesson should still be ok //in case the external site is down, the test and lesson should still be ok
html.append("<html><body>Altough the http://ifconfig.pro site is down, you still managed to solve this exercise the right way!</body></html>"); html = "<html><body>Although the http://ifconfig.pro site is down, you still managed to solve" +
" this exercise the right way!</body></html>";
} }
return success(this) return success(this)
.feedback("ssrf.success") .feedback("ssrf.success")
.output(html.toString()) .output(html)
.build(); .build();
} else { }
html.append("<img class=\"image\" alt=\"image post\" src=\"images/cat.jpg\">"); var html = "<img class=\"image\" alt=\"image post\" src=\"images/cat.jpg\">";
return getFailedResult(html);
}
private AttackResult getFailedResult(String errorMsg) {
return failed(this) return failed(this)
.feedback("ssrf.failure") .feedback("ssrf.failure")
.output(html.toString()) .output(errorMsg)
.build();
}
} catch (Exception e) {
e.printStackTrace();
return failed(this)
.output(e.getMessage())
.build(); .build();
} }
} }
}
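Review bot: The new resource initializer `new URL(url).openStream()` in furBall runs with the JDK's default, unbounded connect and read timeouts, so a remote host that accepts the connection and then stalls will block the request thread indefinitely, even though the `catch (IOException e)` branch is clearly meant to keep the lesson solvable when the site is unreachable. Opening the connection explicitly lets you bound it: `URLConnection conn = new URL(url).openConnection(); conn.setConnectTimeout(5_000); conn.setReadTimeout(5_000);` followed by `try (InputStream in = conn.getInputStream())`, and the resulting `SocketTimeoutException` lands in the existing IOException handler with no other change. `in.readAllBytes()` also buffers the whole response body with no size cap; for this fixed endpoint that is probably acceptable, but a comment such as `// response from ifconfig.pro is small; no size limit applied` would record that it is deliberate rather than an oversight. Separately, the guard on the context line, `url.matches("http://ifconfig.pro")`, is a regex match with an unescaped dot, so it also accepts inputs like `http://ifconfigXpro`; given this is an SSRF lesson the loose check may be intended, but `"http://ifconfig.pro".equals(url)` would make the allow-list exact.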


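--- a/SSRF.html
+++ b/SSRF.html
@@ -15,7 +15,7 @@
 action="/WebGoat/SSRF/task1">
 <table>
 <tr>
-<td><input type="hidden" id="url" name="url" value="images/tom.png"/></td>
+<td><input type="hidden" id="url1" name="url" value="images/tom.png"/></td>
 <td><input
 name="Steal the Cheese" value="Steal the Cheese" type="SUBMIT"/></td>
@@ -37,7 +37,7 @@
 action="/WebGoat/SSRF/task2">
 <table>
 <tr>
-<td><input type="hidden" id="url" name="url" value="images/cat.png"/></td>
+<td><input type="hidden" id="url2" name="url" value="images/cat.png"/></td>
 <td><input
 name="try this" value="try this" type="SUBMIT"/></td>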


@ -1,2 +1,2 @@
=== Find and modify the request to display Jerry === Find and modify the request to display Jerry
lick the button and figure out what happened. Click the button and figure out what happened.


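--- a/SSRFTest1.java
+++ b/SSRFTest1.java
@@ -26,7 +26,7 @@ public class SSRFTest1 extends LessonTest {
 private SSRF ssrf;
 @Before
-public void setup() throws Exception {
+public void setup() {
 when(webSession.getCurrentLesson()).thenReturn(ssrf);
 this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
 }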


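--- a/SSRFTest2.java
+++ b/SSRFTest2.java
@@ -48,7 +48,7 @@ public class SSRFTest2 extends LessonTest {
 private SSRF ssrf;
 @Before
-public void setup() throws Exception {
+public void setup() {
 when(webSession.getCurrentLesson()).thenReturn(ssrf);
 this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
 }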