dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Lessons which load JavaScript etc now works

Browse Source
This commit is contained in:
Nanne Baars 2016-04-26 18:59:51 +02:00
parent 9066e45725
commit 79102c6ddd
17 changed files with 222 additions and 559 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

77
webgoat-container/pom.xml
View File

@ -1,5 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<name>webgoat-container</name>
<modelVersion>4.0.0</modelVersion>
@ -112,6 +113,41 @@
</resource>
</resources>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
<version>${maven-jar-plugin.version}</version>
<executions>
<execution>
<id>create-jar</id>
<phase>compile</phase>
<goals>
<goal>jar</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>build-helper-maven-plugin</artifactId>
<version>${build-helper-maven-plugin.version}</version>
<executions>
<execution>
<id>attach-artifacts</id>
<phase>package</phase>
<goals>
<goal>attach-artifact</goal>
</goals>
<configuration>
<artifacts>
<artifact>
<file>${project.build.directory}/webgoat-container-${project.version}.jar</file>
</artifact>
</artifacts>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-resources-plugin</artifactId>
@ -133,20 +169,6 @@
<encoding>ISO-8859-1</encoding>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
<version>${maven-jar-plugin.version}</version>
<executions>
<execution>
<id>create-jar</id>
<phase>compile</phase>
<goals>
<goal>jar</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
@ -160,6 +182,21 @@
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<executions>
<execution>
<goals>
<goal>repackage</goal>
</goals>
<configuration>
<requiresUnpack>
<dependency>
<groupId>org.thymeleaf.extra</groupId>
<artifactId>thymeleaf-extras-springsecurity4</artifactId>
</dependency>
</requiresUnpack>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</build>
@ -184,10 +221,14 @@
<optional>true</optional>
</dependency>
<!--<dependency>-->
<!--<groupId>org.springframework.boot</groupId>-->
<!--<artifactId>spring-boot-devtools</artifactId>-->
<!--<optional>true</optional>-->
<!--<groupId>org.springframework.boot</groupId>-->
<!--<artifactId>spring-boot-devtools</artifactId>-->
<!--<optional>true</optional>-->
<!--</dependency>-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-loader</artifactId>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>

69
webgoat-container/src/main/java/org/owasp/webgoat/HammerHead.java
View File

@ -8,10 +8,8 @@ import org.owasp.webgoat.session.ErrorScreen;
import org.owasp.webgoat.session.Screen;
import org.owasp.webgoat.session.UserTracker;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.session.WebgoatContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.io.ClassPathResource;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
@ -62,42 +60,18 @@ import java.util.TimeZone;
*/
public class HammerHead extends HttpServlet {
final Logger logger = LoggerFactory.getLogger(HammerHead.class);
/**
*
*/
private static final long serialVersionUID = 645640331343188020L;
private static SimpleDateFormat httpDateFormat;
private final Logger logger = LoggerFactory.getLogger(HammerHead.class);
private WebSession webSession;
/**
* Description of the Field
*/
protected static SimpleDateFormat httpDateFormat;
/**
* Set the session timeout to be 2 days
*/
private final static int sessionTimeoutSeconds = 60 * 60 * 24 * 2;
// private final static int sessionTimeoutSeconds = 1;
/**
* Properties file path
*/
public static String propertiesPath = null;
/**
* provides convenience methods for getting setup information from the
* ServletContext
*/
private WebgoatContext webgoatContext = null;
public HammerHead(WebgoatContext context) {
this.webgoatContext = context;
public HammerHead() {
//for catcher subclass
}
//TODO_NB
public HammerHead() {}
public HammerHead(WebSession webSession) {
this.webSession = webSession;
}
/**
* {@inheritDoc}
@ -250,7 +224,6 @@ public class HammerHead extends HttpServlet {
logger.info("Initializing main webgoat servlet");
httpDateFormat = new SimpleDateFormat("EEE, dd MMM yyyyy HH:mm:ss z", Locale.US);
httpDateFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
propertiesPath = new ClassPathResource("/WEB-INF/webgoat.properties").getPath();
}
/**
@ -348,25 +321,6 @@ public class HammerHead extends HttpServlet {
return (screen);
}
/**
* This method sets the required expiration headers in the response for a
* given RunData object. This method attempts to set all relevant headers,
* both for HTTP 1.0 and HTTP 1.1.
*
* @param response The new cacheHeaders value
* @param expiry The new cacheHeaders value
*/
protected static void setCacheHeaders(HttpServletResponse response, int expiry) {
if (expiry == 0) {
response.setHeader("Pragma", "no-cache");
response.setHeader("Cache-Control", "no-cache");
response.setHeader("Expires", formatHttpDate(new Date()));
} else {
Date expiryDate = new Date(System.currentTimeMillis() + expiry);
response.setHeader("Expires", formatHttpDate(expiryDate));
}
}
/**
* Description of the Method
*
@ -382,10 +336,11 @@ public class HammerHead extends HttpServlet {
// session should already be created by spring security
hs = request.getSession(false);
//TODO rewrite this logic
logger.debug("HH Entering Session_id: " + hs.getId());
// dumpSession( hs );
// Get our session object out of the HTTP session
WebSession session = null;
WebSession session = this.webSession;
Object o = hs.getAttribute(WebSession.SESSION);
if ((o != null) && o instanceof WebSession) {
@ -394,13 +349,11 @@ public class HammerHead extends HttpServlet {
} else {
// Create new custom session and save it in the HTTP session
logger.warn("HH Creating new WebSession");
session = new WebSession(webgoatContext, context);
// Ensure splash screen shows on any restart
// rlawson - removed this since we show splash screen at login now
//hs.removeAttribute(WELCOMED);
//@TODO NO NEED TO PUT IN THE HTTP SESSION, FOCUS WILL FIX LATER
hs.setAttribute(WebSession.SESSION, session);
// reset timeout
hs.setMaxInactiveInterval(sessionTimeoutSeconds);
}
session.update(request, response, this.getServletName());

26
webgoat-container/src/main/java/org/owasp/webgoat/MvcConfiguration.java
View File

@ -1,18 +1,17 @@
package org.owasp.webgoat;
import org.owasp.webgoat.session.LabelDebugger;
import org.owasp.webgoat.session.WebgoatContext;
import org.owasp.webgoat.session.WebSession;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.context.embedded.ServletRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.core.io.Resource;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
import java.io.File;
import java.io.IOException;
/**
*
@ -20,10 +19,15 @@ import java.io.IOException;
@Configuration
public class MvcConfiguration extends WebMvcConfigurerAdapter {
@Autowired
@Qualifier("pluginTargetDirectory")
private File pluginTargetDirectory;
@Override
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/login").setViewName("login");
registry.addViewController("/lesson_content").setViewName("lesson_content");
registry.addViewController("/start.mvc").setViewName("main_new");
}
@Bean
@ -33,23 +37,15 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter {
@Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
Resource resource = new ClassPathResource("/plugin_lessons/plugin_lessons_marker.txt");
try {
File pluginsDir = resource.getFile().getParentFile();
registry.addResourceHandler("/plugin_lessons/**").addResourceLocations("file:///" + pluginsDir.toString() + "/");
} catch (IOException e) {
e.printStackTrace();
}
registry.addResourceHandler("/plugin_lessons/**").addResourceLocations("file:///" + pluginTargetDirectory.toString() + "/");
}
@Bean
public HammerHead hammerHead(WebgoatContext context) {
return new HammerHead(context);
public HammerHead hammerHead(WebSession webSession) {
return new HammerHead(webSession);
}
@Bean
//@Scope(value= WebApplicationContext.SCOPE_SESSION)
public LabelDebugger labelDebugger() {
return new LabelDebugger();
}

61
webgoat-container/src/main/java/org/owasp/webgoat/WebGoat.java
View File

@ -1,11 +1,25 @@
package org.owasp.webgoat;
import org.owasp.webgoat.plugins.PluginsLoader;
import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.session.WebgoatContext;
import org.owasp.webgoat.session.WebgoatProperties;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.builder.SpringApplicationBuilder;
import org.springframework.boot.context.web.SpringBootServletInitializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.PropertySource;
import org.springframework.context.annotation.Scope;
import org.springframework.context.annotation.ScopedProxyMode;
import javax.servlet.ServletContext;
import java.io.File;
@SpringBootApplication
@PropertySource("classpath:/webgoat.properties")
public class WebGoat extends SpringBootServletInitializer {
@Override
@ -17,28 +31,31 @@ public class WebGoat extends SpringBootServletInitializer {
SpringApplication.run(WebGoat.class, args);
}
// @Bean
// @Autowired
// public TomcatEmbeddedServletContainerFactory servletContainer(final JarScanner jarScanner) {
// TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory();
// factory.setPort(80);
// factory.setSessionTimeout(10, TimeUnit.MINUTES);
// factory.addContextCustomizers(new TomcatContextCustomizer() {
// @Override
// public void customize(Context context) {
//
// context.setJarScanner(jarScanner);
// }
// });
// return factory;
// }
//
// @Bean
// public JarScanner getJarScanner() {
// StandardJarScanner jarScanner = new StandardJarScanner();
// jarScanner.setScanClassPath(true);
// return jarScanner;
// }
@Bean(name = "pluginTargetDirectory")
public File pluginTargetDirectory() {
File tempDir = com.google.common.io.Files.createTempDir();
tempDir.deleteOnExit();
return tempDir;
}
@Bean
public PluginsLoader pluginsLoader(@Qualifier("pluginTargetDirectory") File pluginTargetDirectory) {
System.out.println("Plugin target directory: " + pluginTargetDirectory.toString());
return new PluginsLoader(pluginTargetDirectory);
}
@Bean
@Scope(value = "session", proxyMode = ScopedProxyMode.TARGET_CLASS)
public WebSession webSession(Course course, WebgoatContext webgoatContext, ServletContext context) {
return new WebSession(course, webgoatContext, context);
}
@Bean
public Course course(PluginsLoader pluginsLoader, WebgoatContext webgoatContext, ServletContext context,
WebgoatProperties webgoatProperties) {
Course course = new Course(webgoatProperties);
course.loadCourses(webgoatContext, context, "/");
course.loadLessonFromPlugin(pluginsLoader.loadPlugins());
return course;
}
}

108
webgoat-container/src/main/java/org/owasp/webgoat/application/Application.java
View File

@ -1,108 +0,0 @@
/*
* To change this license header, choose License Headers in Project Properties.
* To change this template file, choose Tools | Templates
* and open the template in the editor.
*/
package org.owasp.webgoat.application;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.builder.ToStringBuilder;
/**
* Singleton which is created on context startup
*
* @author rlawson
* @version $Id: $Id
*/
//TODO_NB still necessary?
public class Application {
private static final Application INSTANCE = new Application();
private Application() {
}
/**
* <p>getInstance.</p>
*
* @return a {@link org.owasp.webgoat.application.Application} object.
*/
public static final Application getInstance() {
return INSTANCE;
}
private String version = "SNAPSHOT";
private String build = "local";
private String name = "WebGoat";
/**
* <p>Getter for the field <code>version</code>.</p>
*
* @return the version
*/
public String getVersion() {
return version;
}
/**
* <p>Setter for the field <code>version</code>.</p>
*
* @param version the version to set
*/
public void setVersion(String version) {
if (StringUtils.isNotBlank(version)) {
this.version = version;
}
}
/**
* <p>Getter for the field <code>build</code>.</p>
*
* @return the build
*/
public String getBuild() {
return build;
}
/**
* <p>Setter for the field <code>build</code>.</p>
*
* @param build the build to set
*/
public void setBuild(String build) {
if (StringUtils.isNotBlank(build)) {
this.build = build;
}
}
/**
* <p>Getter for the field <code>name</code>.</p>
*
* @return the name
*/
public String getName() {
return name;
}
/**
* <p>Setter for the field <code>name</code>.</p>
*
* @param name the name to set
*/
public void setName(String name) {
if (StringUtils.isNotBlank(name)) {
this.name = name;
}
}
/** {@inheritDoc} */
@Override
public String toString() {
return new ToStringBuilder(this).
append("name", name).
append("version", version).
append("build", build).
toString();
}
}

32
webgoat-container/src/main/java/org/owasp/webgoat/application/WebGoatServletListener.java
View File

@ -6,7 +6,6 @@
package org.owasp.webgoat.application;
import org.owasp.webgoat.lessons.LessonServletMapping;
import org.owasp.webgoat.plugins.PluginsLoader;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.config.BeanDefinition;
@ -17,16 +16,11 @@ import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletRegistration;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Paths;
import java.sql.Driver;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Enumeration;
import java.util.Set;
import java.util.jar.Attributes;
import java.util.jar.Manifest;
/**
* Web application lifecycle listener.
@ -43,10 +37,7 @@ public class WebGoatServletListener implements ServletContextListener {
public void contextInitialized(ServletContextEvent sce) {
ServletContext context = sce.getServletContext();
context.log("WebGoat is starting");
setApplicationVariables(context);
context.log("Adding extra mappings for lessions");
loadPlugins(sce);
loadServlets(sce);
}
@ -68,12 +59,6 @@ public class WebGoatServletListener implements ServletContextListener {
}
}
private void loadPlugins(ServletContextEvent sce) {
String pluginPath = sce.getServletContext().getRealPath("plugin_lessons");
String targetPath = sce.getServletContext().getRealPath("plugin_extracted");
new PluginsLoader(Paths.get(pluginPath), Paths.get(targetPath)).loadPlugins();
}
/** {@inheritDoc} */
@Override
public void contextDestroyed(ServletContextEvent sce) {
@ -101,21 +86,4 @@ public class WebGoatServletListener implements ServletContextListener {
}
}
}
private void setApplicationVariables(ServletContext context) {
Application app = Application.getInstance();
try {
InputStream inputStream = context.getResourceAsStream("/META-INF/MANIFEST.MF");
Manifest manifest = new Manifest(inputStream);
Attributes attr = manifest.getMainAttributes();
String name = attr.getValue("Specification-Title");
String version = attr.getValue("Specification-Version");
String build = attr.getValue("Implementation-Version");
app.setName(name);
app.setVersion(version);
app.setBuild(build);
} catch (IOException ioe) {
context.log("Error setting application variables", ioe);
}
}
}

109
webgoat-container/src/main/java/org/owasp/webgoat/controller/Start.java
View File

@ -1,109 +0,0 @@
/*
* To change this license header, choose License Headers in Project Properties.
* To change this template file, choose Tools | Templates
* and open the template in the editor.
*/
package org.owasp.webgoat.controller;
import org.apache.commons.lang3.StringUtils;
import org.owasp.webgoat.application.Application;
import org.owasp.webgoat.session.WebSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import java.util.Collection;
/**
* <p>Start class.</p>
*
* @author rlawson
* @version $Id: $Id
*/
@Controller
public class Start {
final Logger logger = LoggerFactory.getLogger(Start.class);
private static final String WELCOMED = "welcomed";
@Autowired
private ServletContext servletContext;
/**
* <p>start.</p>
*
* @param request a {@link javax.servlet.http.HttpServletRequest} object.
* @return a {@link org.springframework.web.servlet.ModelAndView} object.
*/
@RequestMapping(path = "start.mvc", method = {RequestMethod.GET, RequestMethod.POST})
public ModelAndView start(HttpServletRequest request) {
ModelAndView model = new ModelAndView();
// make sure session is set up correctly
// if not redirect user to login
if (checkWebSession(request.getSession()) == false) {
model.setViewName("redirect:/login.mvc");
return model;
}
String role = getRole();
String user = request.getUserPrincipal().getName();
model.addObject("role", role);
model.addObject("user", user);
String contactEmail = servletContext.getInitParameter("email");
model.addObject("contactEmail", contactEmail);
String emailList = servletContext.getInitParameter("emaillist");
model.addObject("emailList", emailList);
Application app = Application.getInstance();
logger.info("Setting application properties: " + app);
model.addObject("version", app.getVersion());
model.addObject("build", app.getBuild());
// if everything ok then go to webgoat UI
model.setViewName("main_new");
return model;
}
private String getRole() {
Collection<GrantedAuthority> authorities = (Collection<GrantedAuthority>) SecurityContextHolder.getContext().getAuthentication().getAuthorities();
String role = "N/A";
for (GrantedAuthority authority : authorities) {
authority.getAuthority();
role = authority.getAuthority();
role = StringUtils.lowerCase(role);
role = StringUtils.remove(role, "role_");
break;
}
return role;
}
/**
* <p>checkWebSession.</p>
*
* @param session a {@link javax.servlet.http.HttpSession} object.
* @return a boolean.
*/
public boolean checkWebSession(HttpSession session) {
Object o = session.getAttribute(WebSession.SESSION);
if (o == null) {
logger.error("No valid WebSession object found, has session timed out? [" + session.getId() + "]");
return false;
}
if (!(o instanceof WebSession)) {
logger.error("Invalid WebSession object found, this is probably a bug! [" + o.getClass() + " | " + session.getId() + "]");
return false;
}
return true;
}
}

4
webgoat-container/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java
View File

@ -164,15 +164,11 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
setRanking(new Integer(properties.getIntProperty("lesson." + className + ".ranking", getDefaultRanking()
.intValue())));
String categoryRankingKey = "category." + getDefaultCategory().getName() + ".ranking";
// System.out.println("Category ranking key: " + categoryRankingKey);
Category tempCategory = Category.getCategory(getDefaultCategory().getName());
tempCategory.setRanking(new Integer(properties.getIntProperty(categoryRankingKey, getDefaultCategory()
.getRanking().intValue())));
category = tempCategory;
setHidden(properties.getBooleanProperty("lesson." + className + ".hidden", getDefaultHidden()));
// System.out.println(className + " in " + tempCategory.getName() + "
// (Category Ranking: " + tempCategory.getRanking() + " Lesson ranking:
// " + getRanking() + ", hidden:" + hidden +")");
}
/**

4
webgoat-container/src/main/java/org/owasp/webgoat/plugins/LegacyLoader.java
View File

@ -150,7 +150,7 @@ public class LegacyLoader {
public void loadFiles(ServletContext context, String path) {
logger.debug("Loading files into cache, path: " + path);
Resource resource = new ClassPathResource("/");
//resource.get
Set resourcePaths = null;
if (resourcePaths == null) {
logger.error("Unable to load file cache for courses, this is probably a bug or configuration issue");
@ -216,7 +216,7 @@ public class LegacyLoader {
// logger.error("Error in loadLessons: ", e);
}
}
// loadResources(lessons);
loadResources(lessons);
return lessons;
}

11
webgoat-container/src/main/java/org/owasp/webgoat/plugins/Plugin.java
View File

@ -52,8 +52,6 @@ public class Plugin {
private void findLesson(String name) {
String realClassName = StringUtils.trimLeadingCharacter(name, '/').replaceAll("/", ".").replaceAll(".class", "");
//TODO should be passed in (refactor)
//TomcatEmbeddedWebappClassLoader cl = (TomcatEmbeddedWebappClassLoader) Thread.currentThread().getContextClassLoader();
try {
Class clazz = classLoader.loadClass(realClassName);
@ -95,19 +93,18 @@ public class Plugin {
public void rewritePaths(Path pluginTarget) {
try {
replaceInFiles(this.lesson.getSimpleName() + "_files",
pluginTarget.getFileName().toString() + "/plugin/" + this.lesson
"plugin_lessons/plugin/" + this.lesson
.getSimpleName() + "/lessonSolutions/en/" + this.lesson.getSimpleName() + "_files",
solutionLanguageFiles.values());
replaceInFiles(this.lesson.getSimpleName() + "_files",
pluginTarget.getFileName().toString() + "/plugin/" + this.lesson
"plugin_lessons/plugin/" + this.lesson
.getSimpleName() + "/lessonPlans/en/" + this.lesson.getSimpleName() + "_files",
lessonPlansLanguageFiles.values());
String[] replacements = {"jsp", "js"};
for (String replacement : replacements) {
String s = String.format("plugin/%s/%s/", this.lesson.getSimpleName(), replacement);
String r = String.format("%s/plugin/%s/%s/", pluginTarget.getFileName().toString(),
this.lesson.getSimpleName(), replacement);
String r = String.format("plugin_lessons/plugin/s/%s/", this.lesson.getSimpleName(), replacement);
replaceInFiles(s, r, pluginFiles);
replaceInFiles(s, r, Arrays.asList(lessonSourceFile));
}
@ -115,7 +112,7 @@ public class Plugin {
//CSS with url('/plugin/images') should not begin with / otherwise image cannot be found
String s = String.format("/plugin/%s/images/", this.lesson.getSimpleName());
String r = String
.format("%s/plugin/%s/images/", pluginTarget.getFileName().toString(), this.lesson.getSimpleName());
.format("plugin_lessons/plugin/%s/images/", this.lesson.getSimpleName());
replaceInFiles(s, r, pluginFiles);
replaceInFiles(s, r, Arrays.asList(lessonSourceFile));
} catch (IOException e) {

117
webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginsLoader.java
View File

@ -5,82 +5,66 @@ import org.apache.commons.io.FileUtils;
import org.owasp.webgoat.util.LabelProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import org.springframework.util.ResourceUtils;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.nio.file.FileVisitResult;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.SimpleFileVisitor;
import java.nio.file.attribute.BasicFileAttributes;
import java.util.Enumeration;
import java.util.List;
import java.util.Objects;
import java.util.concurrent.Callable;
import java.util.concurrent.CompletionService;
import java.util.concurrent.ExecutorCompletionService;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.jar.JarFile;
import java.util.zip.ZipEntry;
/**
* <p>PluginsLoader class.</p>
*
* @version $Id: $Id
* @author dm
* @version $Id: $Id
*/
@Component
public class PluginsLoader {
private static final String WEBGOAT_PLUGIN_EXTENSION = "jar";
private static boolean alreadyLoaded = false;
private static final int BUFFER_SIZE = 32 * 1024;
private final Logger logger = LoggerFactory.getLogger(this.getClass());
private final Path pluginSource;
private Path pluginTarget;
private final File pluginTargetDirectory;
/**
* <p>Constructor for PluginsLoader.</p>
*
* @param pluginSource a {@link java.nio.file.Path} object.
* @param pluginTarget a {@link java.nio.file.Path} object.
*/
public PluginsLoader(Path pluginSource, Path pluginTarget) {
this.pluginSource = Objects.requireNonNull(pluginSource, "plugin source cannot be null");
this.pluginTarget = Objects.requireNonNull(pluginTarget, "plugin target cannot be null");
@Autowired
public PluginsLoader(File pluginTargetDirectory) {
this.pluginTargetDirectory = pluginTargetDirectory;
}
// /**
// * Copy jars to the lib directory
// */
// public void copyJars() {
// try {
// if (!alreadyLoaded) {
// WebappClassLoader cl = (WebappClassLoader) Thread.currentThread().getContextClassLoader();
// // cl.setAntiJARLocking(true);
// List<URL> jars = listJars();
// for (URL jar : jars) {
// // cl.setResources();
// // cl.addRepository(jar.toString());
// }
// alreadyLoaded = true;
// }
// } catch (Exception e) {
// logger.error("Copying plugins failed", e);
// }
// }
/**
* <p>loadPlugins.</p>
*
* @return a {@link java.util.List} object.
*/
public List<Plugin> loadPlugins() {
// copyJars();
List<Plugin> plugins = Lists.newArrayList();
try {
PluginFileUtils.createDirsIfNotExists(pluginTarget);
cleanupExtractedPluginsDirectory();
File jarFile = new File(this.getClass().getProtectionDomain().getCodeSource().getLocation().getFile());
if (jarFile.isDirectory()) {
extractToTempDirectoryFromExplodedDirectory(jarFile);
} else {
extractToTempDirectoryFromJarFile(jarFile);
}
List<URL> jars = listJars();
plugins = processPlugins(jars);
} catch (Exception e) {
logger.error("Loading plugins failed", e);
@ -88,14 +72,49 @@ public class PluginsLoader {
return plugins;
}
private void cleanupExtractedPluginsDirectory() {
Path i18nDirectory = pluginTarget.resolve("plugin/i18n/");
FileUtils.deleteQuietly(i18nDirectory.toFile());
private void extractToTempDirectoryFromJarFile(File jarFile) throws IOException {
JarFile jar = new JarFile(jarFile);
Enumeration<? extends ZipEntry> entries = jar.entries();
while (entries.hasMoreElements()) {
ZipEntry zipEntry = entries.nextElement();
if (zipEntry.getName().contains("plugin_lessons") && zipEntry.getName().endsWith(".jar")) {
unpack(jar, zipEntry);
}
}
}
private List<URL> listJars() throws IOException {
private void unpack(JarFile jar, ZipEntry zipEntry) throws IOException {
try (InputStream inputStream = jar.getInputStream(zipEntry)) {
String name = zipEntry.getName();
if (name.lastIndexOf("/") != -1) {
name = name.substring(name.lastIndexOf("/") + 1);
}
try (OutputStream outputStream = new FileOutputStream(new File(pluginTargetDirectory, name))) {
byte[] buffer = new byte[BUFFER_SIZE];
int bytesRead = -1;
while ((bytesRead = inputStream.read(buffer)) != -1) {
outputStream.write(buffer, 0, bytesRead);
}
outputStream.flush();
}
}
}
private void extractToTempDirectoryFromExplodedDirectory(File directory) throws IOException {
Files.walkFileTree(directory.toPath(), new SimpleFileVisitor<Path>() {
@Override
public FileVisitResult preVisitDirectory(Path dir, BasicFileAttributes attrs) throws IOException {
if (dir.endsWith("plugin_lessons")) {
FileUtils.copyDirectory(dir.toFile(), pluginTargetDirectory);
}
return FileVisitResult.CONTINUE;
}
});
}
private List<URL> listJars() throws Exception {
final List<URL> jars = Lists.newArrayList();
Files.walkFileTree(pluginSource, new SimpleFileVisitor<Path>() {
Files.walkFileTree(Paths.get(pluginTargetDirectory.toURI()), new SimpleFileVisitor<Path>() {
@Override
public FileVisitResult visitFile(Path file, BasicFileAttributes attrs) throws IOException {
@ -115,17 +134,17 @@ public class PluginsLoader {
final CompletionService<Plugin> completionService = new ExecutorCompletionService<>(executorService);
final List<Callable<Plugin>> callables = extractJars(jars);
for (Callable<Plugin> s : callables) {
completionService.submit(s);
}
callables.forEach(s -> completionService.submit(s));
int n = callables.size();
for (int i = 0; i < n; i++) {
Plugin plugin = completionService.take().get();
if (plugin.getLesson().isPresent()) {
plugins.add(plugin);
}
}
LabelProvider.updatePluginResources(pluginTarget.resolve("plugin/i18n/WebGoatLabels.properties"));
LabelProvider.updatePluginResources(
pluginTargetDirectory.toPath().resolve("plugin/i18n/WebGoatLabels.properties"));
return plugins;
} finally {
executorService.shutdown();
@ -141,7 +160,7 @@ public class PluginsLoader {
classLoader.addURL(jar);
extractorCallables.add(() -> {
PluginExtractor extractor = new PluginExtractor();
return extractor.extractJarFile(ResourceUtils.getFile(jar), pluginTarget.toFile(), classLoader);
return extractor.extractJarFile(ResourceUtils.getFile(jar), pluginTargetDirectory, classLoader);
});
}
return extractorCallables;

3
webgoat-container/src/main/java/org/owasp/webgoat/service/PluginReloadService.java
View File

@ -68,8 +68,9 @@ public class PluginReloadService extends BaseService {
logger.debug("Loading plugins into cache");
String pluginPath = session.getServletContext().getRealPath("plugin_lessons");
String targetPath = session.getServletContext().getRealPath("plugin_extracted");
//TODO fix me
//new PluginsLoader(Paths.get(pluginPath), Paths.get(targetPath)).copyJars();
webSession.getCourse().loadLessonFromPlugin();
//webSession.getCourse().loadLessonFromPlugin();
Map<String, Object> result = new HashMap<String, Object>();
result.put("success", true);

42
webgoat-container/src/main/java/org/owasp/webgoat/session/Course.java
View File

@ -1,20 +1,14 @@
package org.owasp.webgoat.session;
import org.owasp.webgoat.HammerHead;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.plugins.LegacyLoader;
import org.owasp.webgoat.plugins.Plugin;
import org.owasp.webgoat.plugins.PluginsLoader;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.io.ClassPathResource;
import org.springframework.core.io.Resource;
import javax.servlet.ServletContext;
import java.io.File;
import java.io.IOException;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
@ -56,9 +50,7 @@ public class Course {
final Logger logger = LoggerFactory.getLogger(Course.class);
private List<AbstractLesson> lessons = new LinkedList<AbstractLesson>();
private final static String PROPERTIES_FILENAME = HammerHead.propertiesPath;
private List<AbstractLesson> lessons = new LinkedList<>();
private WebgoatProperties properties = null;
@ -67,12 +59,8 @@ public class Course {
/**
* <p>Constructor for Course.</p>
*/
public Course() {
try {
properties = new WebgoatProperties(PROPERTIES_FILENAME);
} catch (IOException e) {
logger.error("Error loading webgoat properties", e);
}
public Course(WebgoatProperties properties) {
this.properties = properties;
}
/**
@ -322,28 +310,7 @@ public class Course {
/**
* <p>loadLessonFromPlugin.</p>
*/
public void loadLessonFromPlugin() {
Resource resource = new ClassPathResource("/plugin_lessons/plugin_lessons_marker.txt");
String pluginPath = null;
String targetPath = null;
try {
pluginPath = resource.getFile().getParent();
targetPath = pluginPath;
} catch (IOException e) {
e.printStackTrace();
}
logger.debug("Loading plugins into cache");
//String pluginPath = context.getRealPath("plugin_lessons");
//String targetPath = context.getRealPath("plugin_extracted");
if (pluginPath == null) {
logger.error("Plugins directory {} not found", pluginPath);
return;
}
lessons.clear();
List<Plugin> plugins = new PluginsLoader(Paths.get(pluginPath), Paths.get(targetPath)).loadPlugins();
public void loadLessonFromPlugin(List<Plugin> plugins) {
for (Plugin plugin : plugins) {
try {
AbstractLesson lesson = plugin.getLesson().get();
@ -378,7 +345,6 @@ public class Course {
public void loadCourses(WebgoatContext webgoatContext, ServletContext context, String path) {
logger.info("Loading courses: " + path);
this.webgoatContext = webgoatContext;
loadLessonFromPlugin();
LegacyLoader loader = new LegacyLoader();
lessons.addAll(loader.loadLessons(webgoatContext, context, path, properties));
}

20
webgoat-container/src/main/java/org/owasp/webgoat/session/WebSession.java
View File

@ -9,6 +9,7 @@ import org.owasp.webgoat.util.BeanProvider;
import org.owasp.webgoat.util.LabelManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import javax.servlet.ServletContext;
import javax.servlet.http.Cookie;
@ -238,7 +239,8 @@ public class WebSession {
* @param webgoatContext a {@link org.owasp.webgoat.session.WebgoatContext} object.
* @param context Description of the Parameter
*/
public WebSession(WebgoatContext webgoatContext, ServletContext context) {
@Autowired
public WebSession(Course course, WebgoatContext webgoatContext, ServletContext context) {
this.webgoatContext = webgoatContext;
// initialize from web.xml
showParams = webgoatContext.isShowParams();
@ -248,9 +250,8 @@ public class WebSession {
showRequest = webgoatContext.isShowRequest();
currentLanguage = webgoatContext.getDefaultLanguage();
this.context = context;
this.course = course;
course = new Course();
course.loadCourses(webgoatContext, context, "/");
}
/**
@ -408,15 +409,6 @@ public class WebSession {
currentScreen = screen;
}
/**
* <p> getRestartLink. </p>
*
* @return a {@link java.lang.String} object.
*/
public String getRestartLink() {
return getCurrentLesson().getLink() + "&" + RESTART + "=" + getCurrentScreen();
}
/**
* <p> getCurrentLink. </p>
*
@ -1035,7 +1027,7 @@ public class WebSession {
/**
* Updates the stage for a RandomLessonAdapter
*
* @param al
* @param rla
*/
private void updateRlaStage(RandomLessonAdapter rla) {
try {
@ -1062,7 +1054,7 @@ public class WebSession {
/**
* Updates the stage for a SequentialLessonAdapter
*
* @param al
* @param sla
*/
private void updateSlaStage(SequentialLessonAdapter sla) {
int stage = myParser.getIntParameter(STAGE, sla.getStage(this));

37
webgoat-container/src/main/java/org/owasp/webgoat/session/WebgoatContext.java
View File

@ -1,12 +1,8 @@
package org.owasp.webgoat.session;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import javax.servlet.http.HttpServlet;
/**
* <p>WebgoatContext class.</p>
*
@ -16,11 +12,6 @@ import javax.servlet.http.HttpServlet;
@Configuration
public class WebgoatContext {
final Logger logger = LoggerFactory.getLogger(WebgoatContext.class);
/** Constant <code>DEFAULTLANGUAGE="DefaultLanguage"</code> */
public final static String DEFAULTLANGUAGE = "DefaultLanguage";
@Value("${webgoat.database.connection.string}")
private String databaseConnectionString;
@ -55,14 +46,9 @@ public class WebgoatContext {
private boolean isDebug = false;
private String servletName;
private HttpServlet servlet;
@Value("${webgoat.default.language}")
private String defaultLanguage;
private java.nio.file.Path pluginDirectory;
/**
* returns the connection string with the real path to the database
* directory inserted at the word PATH
@ -71,18 +57,6 @@ public class WebgoatContext {
*/
public String getDatabaseConnectionString() {
return this.databaseConnectionString;
//
// if (realConnectionString == null) {
// try {
// String path = servlet.getServletContext().getRealPath("/database").replace('\\', '/');
// System.out.println("PATH: " + path);
// realConnectionString = databaseConnectionString.replaceAll("PATH", path);
// System.out.println("Database Connection String: " + realConnectionString);
// } catch (Exception e) {
// logger.error("Couldn't open database: check web.xml database parameters", e);
// }
// }
// return realConnectionString;
}
/**
@ -157,15 +131,6 @@ public class WebgoatContext {
return isDebug;
}
/**
* <p>Getter for the field <code>servletName</code>.</p>
*
* @return a {@link java.lang.String} object.
*/
public String getServletName() {
return servletName;
}
/**
* <p>isShowCookies.</p>
*

54
webgoat-container/src/main/java/org/owasp/webgoat/session/WebgoatProperties.java
View File

@ -2,11 +2,9 @@ package org.owasp.webgoat.session;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.io.ClassPathResource;
import org.springframework.core.io.Resource;
import java.io.IOException;
import java.util.Properties;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.core.env.Environment;
import org.springframework.stereotype.Component;
/**
* *************************************************************************************************
@ -39,7 +37,11 @@ import java.util.Properties;
* @version $Id: $Id
* @author dm
*/
public class WebgoatProperties extends Properties {
@Component
public class WebgoatProperties {
@Autowired
private Environment env;
/**
*
@ -47,25 +49,6 @@ public class WebgoatProperties extends Properties {
private static final long serialVersionUID = 4351681705558227918L;
final Logger logger = LoggerFactory.getLogger(WebgoatProperties.class);
/**
* <p>Constructor for WebgoatProperties.</p>
*
* @param propertiesFileName a {@link java.lang.String} object.
* @throws java.io.IOException if any.
*/
public WebgoatProperties(String propertiesFileName) throws IOException {
if (propertiesFileName == null) {
throw new IOException("Path to webgoat.properties is null, initialization must have failed");
}
// File propertiesFile = new File(propertiesFileName);
// if (propertiesFile.exists() == false) {
// throw new IOException("Unable to locate webgoat.properties at: " + propertiesFileName);
// }
Resource resource = new ClassPathResource("/webgoat.properties");
//FileInputStream in = new FileInputStream(propertiesFile);
load(resource.getInputStream());
}
/**
* <p>getIntProperty.</p>
@ -77,7 +60,7 @@ public class WebgoatProperties extends Properties {
public int getIntProperty(String key, int defaultValue) {
int value = defaultValue;
String s = getProperty(key);
String s = env.getProperty(key);
if (s != null) {
value = Integer.parseInt(s);
}
@ -96,7 +79,7 @@ public class WebgoatProperties extends Properties {
boolean value = defaultValue;
key = this.trimLesson(key);
String s = getProperty(key);
String s = env.getProperty(key);
if (s != null) {
if (s.equalsIgnoreCase("true")) {
value = true;
@ -127,21 +110,4 @@ public class WebgoatProperties extends Properties {
return result;
}
/**
* <p>main.</p>
*
* @param args an array of {@link java.lang.String} objects.
*/
public static void main(String[] args) {
WebgoatProperties properties = null;
try {
properties = new WebgoatProperties("C:\\webgoat.properties");
} catch (IOException e) {
System.out.println("Error loading properties");
e.printStackTrace();
}
System.out.println(properties.getProperty("CommandInjection.category"));
}
}

7
webgoat-container/src/main/resources/application.properties
View File

@ -5,13 +5,16 @@
#server.jsp-servlet.registered=true
server.error.include-stacktrace=always
server.session.timeout=600
server.contextPath=/WebGoat
server.port=8080
logging.level.org.springframework=INFO
logging.level.org.hibernate=ERROR
spring.thymeleaf.cache=false
security.enable-csrf=false
server.contextPath=/WebGoat
server.port=8080
webgoat.build.version=@project.version@
webgoat.build.number=@build.number@