dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Consistent environment values and url references (#1677)

Browse Source 
* organizing environment variables

* Update application-webgoat.properties

* Update pom.xml

* test without ssl

* fix docker base image and default env entries

* seperate server.address from webgoat.host and webwolf.host

* change base image and enable endpoint logging for docker as well

* change README

* change README

* make integration test able to verify against alternative host names

* use dynamic ports and remove system println
This commit is contained in:
René Zubcevic 2023-11-27 14:35:49 +01:00 committed by GitHub
parent 62db86246e
commit 826887cc83
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 90 additions and 85 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
Dockerfile
View File

@ -1,4 +1,4 @@
FROM docker.io/eclipse-temurin:19-jre-focal
FROM docker.io/eclipse-temurin:21-jdk-ubi9-minimal
LABEL NAME = "WebGoat: A deliberately insecure Web Application"
MAINTAINER "WebGoat team"
@ -14,6 +14,8 @@ COPY --chown=webgoat target/webgoat-*.jar /home/webgoat/webgoat.jar
EXPOSE 8080
EXPOSE 9090
ENV TZ=Europe/Amsterdam
WORKDIR /home/webgoat
ENTRYPOINT [ "java", \
"-Duser.home=/home/webgoat", \
@ -30,8 +32,4 @@ ENTRYPOINT [ "java", \
"--add-opens", "java.base/sun.nio.ch=ALL-UNNAMED", \
"--add-opens", "java.base/java.io=ALL-UNNAMED", \
"-Drunning.in.docker=true", \
"-Dwebgoat.host=0.0.0.0", \
"-Dwebwolf.host=0.0.0.0", \
"-Dwebgoat.port=8080", \
"-Dwebwolf.port=9090", \
"-jar", "webgoat.jar" ]
"-jar", "webgoat.jar", "--server.address", "0.0.0.0" ]

26
README.md
View File

@ -44,19 +44,27 @@ Every release is also published on [DockerHub](https://hub.docker.com/r/webgoat/
docker run -it -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 webgoat/webgoat
```
If you want to reuse the container, give it a name:
For some lessons you need the container run in the same timezone. For this you can set the TZ environment variable.
E.g.
```shell
docker run --name webgoat -it -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 webgoat/webgoat
docker run -it -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e TZ=America/Boise webgoat/webgoat
```
As long as you don't remove the container you can use:
If you want to use OWASP ZAP or another proxy, you can no longer use 127.0.0.1 or localhost. but
you can use custom host entries. For example:
```shell
docker start webgoat
127.0.0.1 www.webgoat.local www.webwolf.local
```
This way, you can start where you left off. If you remove the container, you need to use `docker run` again.
Then you can run the container with:
```shell
docker run -it -p 127.0.0.1:8080:8080 -p 127.0.0.1:9090:9090 -e WEBGOAT_HOST=www.webgoat.local -e WEBWOLF_HOST=www.webwolf.local -e TZ=America/Boise webgoat/webgoat
```
Then visit http://www.webgoat.local:8080/WebGoat/ and http://www.webwolf.local:9090/WebWolf/
## 2. Run using Docker with complete Linux Desktop
@ -71,7 +79,8 @@ docker run -p 127.0.0.1:3000:3000 webgoat/webgoat-desktop
Download the latest WebGoat release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
```shell
java -Dfile.encoding=UTF-8 -Dwebgoat.port=8080 -Dwebwolf.port=9090 -jar webgoat-2023.5.jar
export TZ=Europe/Amsterdam # or your timezone
java -Dfile.encoding=UTF-8 -jar webgoat-2023.5.jar
```
Click the link in the log to start WebGoat.
@ -80,7 +89,7 @@ Click the link in the log to start WebGoat.
### Prerequisites:
* Java 17
* Java 17 or 21
* Your favorite IDE
* Git, or Git support in your IDE
@ -132,9 +141,10 @@ For specialist only. There is a way to set up WebGoat with a personalized menu.
For instance running as a jar on a Linux/macOS it will look like this:
```Shell
export TZ=Europe/Amsterdam # or your timezone
export EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE"
export EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations"
java -jar target/webgoat-2023.4-SNAPSHOT.jar
java -jar target/webgoat-2023.6-SNAPSHOT.jar
```
Or in a docker run it would (once this version is pushed into docker hub) look like this:

38
pom.xml
View File

@ -141,10 +141,9 @@
<thymeleaf.version>3.1.1.RELEASE</thymeleaf.version>
<webdriver.version>5.3.3</webdriver.version>
<webgoat.context>/</webgoat.context>
<webgoat.port>8080</webgoat.port>
<webgoat.sslenabled>false</webgoat.sslenabled>
<webjars-locator-core.version>0.53</webjars-locator-core.version>
<webwolf.context>/</webwolf.context>
<webwolf.port>9090</webwolf.port>
<wiremock.version>2.27.2</wiremock.version>
<xml-resolver.version>1.2</xml-resolver.version>
<xstream.version>1.4.5</xstream.version>
@ -513,10 +512,19 @@
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-failsafe-plugin</artifactId>
<configuration>
<environmentVariables>
<WEBGOAT_SSLENABLED>${webgoat.sslenabled}</WEBGOAT_SSLENABLED>
<WEBGOAT_HOST>127.0.0.1</WEBGOAT_HOST>
<WEBGOAT_PORT>${webgoat.port}</WEBGOAT_PORT>
<WEBGOAT_CONTEXT>${webgoat.context}</WEBGOAT_CONTEXT>
<WEBWOLF_HOST>127.0.0.1</WEBWOLF_HOST>
<WEBWOLF_PORT>${webwolf.port}</WEBWOLF_PORT>
<WEBWOLF_CONTEXT>${webwolf.context}</WEBWOLF_CONTEXT>
</environmentVariables>
<systemPropertyVariables>
<logback.configurationFile>${basedir}/src/test/resources/logback-test.xml</logback.configurationFile>
</systemPropertyVariables>
<argLine>-Xmx512m -Dwebgoatport=${webgoat.port} -Dwebwolfport=${webwolf.port} -Dwebwolfcontext=${webwolf.context} -Dwebgoatcontext=${webgoat.context}</argLine>
<argLine>-Xmx512m</argLine>
<includes>org/owasp/webgoat/*Test</includes>
</configuration>
<executions>
@ -557,7 +565,6 @@
<artifactId>maven-checkstyle-plugin</artifactId>
<version>${checkstyle.version}</version>
<configuration>
<encoding>UTF-8</encoding>
<consoleOutput>true</consoleOutput>
<failsOnError>true</failsOnError>
<configLocation>config/checkstyle/checkstyle.xml</configLocation>
@ -686,16 +693,15 @@
<portNames>
<portName>webgoat.port</portName>
<portName>webwolf.port</portName>
<portName>jmxPort</portName>
</portNames>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>com.bazaarvoice.maven.plugins</groupId>
<groupId>org.honton.chas</groupId>
<artifactId>process-exec-maven-plugin</artifactId>
<version>0.9</version>
<version>0.9.2</version>
<executions>
<execution>
<id>start-jar</id>
@ -703,8 +709,18 @@
<goal>start</goal>
</goals>
<phase>pre-integration-test</phase>
<configuration>
<workingDir>${project.build.directory}</workingDir>
<environment>
<WEBGOAT_SSLENABLED>${webgoat.sslenabled}</WEBGOAT_SSLENABLED>
<WEBGOAT_HOST>127.0.0.1</WEBGOAT_HOST>
<WEBGOAT_PORT>${webgoat.port}</WEBGOAT_PORT>
<WEBGOAT_CONTEXT>${webgoat.context}</WEBGOAT_CONTEXT>
<WEBWOLF_HOST>127.0.0.1</WEBWOLF_HOST>
<WEBWOLF_PORT>${webwolf.port}</WEBWOLF_PORT>
<WEBWOLF_CONTEXT>${webwolf.context}</WEBWOLF_CONTEXT>
</environment>
<arguments>
<argument>java</argument>
<argument>-jar</argument>
@ -712,10 +728,6 @@
<argument>-Dwebgoat.server.directory=${java.io.tmpdir}/webgoat_${webgoat.port}</argument>
<argument>-Dwebgoat.user.directory=${java.io.tmpdir}/webgoat_${webgoat.port}</argument>
<argument>-Dspring.main.banner-mode=off</argument>
<argument>-Dwebgoat.port=${webgoat.port}</argument>
<argument>-Dwebgoat.context=${webgoat.context}</argument>
<argument>-Dwebwolf.port=${webwolf.port}</argument>
<argument>-Dwebwolf.context=${webwolf.context}</argument>
<argument>--add-opens</argument>
<argument>java.base/java.lang=ALL-UNNAMED</argument>
<argument>--add-opens</argument>
@ -741,8 +753,6 @@
<argument>${project.build.directory}/webgoat-${project.version}.jar</argument>
</arguments>
<waitForInterrupt>false</waitForInterrupt>
<waitAfterLaunch>120</waitAfterLaunch>
<healthcheckUrl>http://localhost:${webgoat.port}/WebGoat/actuator/health</healthcheckUrl>
</configuration>
</execution>
<execution>
@ -767,7 +777,6 @@
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>8.4.3</version>
<configuration>
<failBuildOnCVSS>7</failBuildOnCVSS>
<skipProvidedScope>false</skipProvidedScope>
@ -816,7 +825,6 @@
<plugin>
<groupId>org.jacoco</groupId>
<artifactId>jacoco-maven-plugin</artifactId>
<version>${jacoco.version}</version>
<executions>
<execution>
<id>before-unit-test</id>

1
src/it/java/org/owasp/webgoat/CSRFIntegrationTest.java
View File

@ -253,6 +253,7 @@ public class CSRFIntegrationTest extends IntegrationTest {
Overview[] assignments =
RestAssured.given()
.cookie("JSESSIONID", getWebGoatCookie())
.relaxedHTTPSValidation()
.get(url("service/lessonoverview.mvc"))
.then()
.extract()

24
src/it/java/org/owasp/webgoat/IntegrationTest.java
View File

@ -5,7 +5,6 @@ import static io.restassured.RestAssured.given;
import io.restassured.RestAssured;
import io.restassured.http.ContentType;
import java.util.Map;
import java.util.Objects;
import lombok.Getter;
import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert;
@ -15,23 +14,26 @@ import org.springframework.http.HttpStatus;
public abstract class IntegrationTest {
private static String webGoatPort =
Objects.requireNonNull(System.getProperty("webgoatport", "8080"));
private static String webGoatPort = System.getenv().getOrDefault("WEBGOAT_PORT", "8080");
private static String webGoatContext =
Objects.requireNonNull(System.getProperty("webgoatcontext", "/WebGoat/"));
System.getenv().getOrDefault("WEBGOAT_CONTEXT", "/WebGoat/");
@Getter private static String webWolfPort = System.getenv().getOrDefault("WEBWOLF_PORT", "9090");
@Getter
private static String webWolfPort =
Objects.requireNonNull(System.getProperty("webwolfport", "9090"));
private static String webWolfHost = System.getenv().getOrDefault("WEBWOLF_HOST", "127.0.0.1");
@Getter
private static String webGoatHost = System.getenv().getOrDefault("WEBGOAT_HOST", "127.0.0.1");
private static String webWolfContext =
Objects.requireNonNull(System.getProperty("webwolfcontext", "/WebWolf/"));
System.getenv().getOrDefault("WEBWOLF_CONTEXT", "/WebWolf/");
private static boolean useSSL = false;
private static boolean useSSL =
Boolean.valueOf(System.getenv().getOrDefault("WEBGOAT_SSLENABLED", "false"));
private static String webgoatUrl =
(useSSL ? "https:" : "http:") + "//localhost:" + webGoatPort + webGoatContext;
private static String webWolfUrl =
(useSSL ? "https:" : "http:") + "//localhost:" + webWolfPort + webWolfContext;
(useSSL ? "https://" : "http://") + webGoatHost + ":" + webGoatPort + webGoatContext;
private static String webWolfUrl = "http://" + webWolfHost + ":" + webWolfPort + webWolfContext;
@Getter private String webGoatCookie;
@Getter private String webWolfCookie;
@Getter private final String user = "webgoat";

3
src/it/java/org/owasp/webgoat/PasswordResetLessonIntegrationTest.java
View File

@ -69,7 +69,6 @@ public class PasswordResetLessonIntegrationTest extends IntegrationTest {
// WebWolf
var link = getPasswordResetLinkFromLandingPage();
// WebGoat
changePassword(link);
checkAssignment(
@ -137,7 +136,7 @@ public class PasswordResetLessonIntegrationTest extends IntegrationTest {
private void clickForgotEmailLink(String user) {
RestAssured.given()
.when()
.header(HttpHeaders.HOST, String.format("%s:%s", "127.0.0.1", getWebWolfPort()))
.header(HttpHeaders.HOST, String.format("%s:%s", getWebWolfHost(), getWebWolfPort()))
.relaxedHTTPSValidation()
.cookie("JSESSIONID", getWebGoatCookie())
.formParams("email", user)

30
src/main/java/org/owasp/webgoat/container/asciidoc/WebWolfMacro.java
View File

@ -1,12 +1,9 @@
package org.owasp.webgoat.container.asciidoc;
import jakarta.servlet.http.HttpServletRequest;
import java.util.HashMap;
import java.util.Map;
import org.asciidoctor.ast.ContentNode;
import org.asciidoctor.extension.InlineMacroProcessor;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
/**
* Usage in asciidoc:
@ -26,7 +23,7 @@ public class WebWolfMacro extends InlineMacroProcessor {
@Override
public Object process(ContentNode contentNode, String linkText, Map<String, Object> attributes) {
var env = EnvironmentExposure.getEnv();
var hostname = determineHost(env.getProperty("webwolf.port"));
var hostname = env.getProperty("webwolf.url");
var target = (String) attributes.getOrDefault("target", "home");
var href = hostname + "/" + target;
@ -45,29 +42,4 @@ public class WebWolfMacro extends InlineMacroProcessor {
private boolean displayCompleteLinkNoFormatting(Map<String, Object> attributes) {
return attributes.values().stream().anyMatch(a -> a.equals("noLink"));
}
/**
* Determine the host from the hostname and ports that were used. The purpose is to make it
* possible to use the application behind a reverse proxy. For instance in the docker
* compose/stack version with webgoat webwolf and nginx proxy. You do not have to use the
* indicated hostname, but if you do, you should define two hosts aliases 127.0.0.1
* www.webgoat.local www.webwolf.local
*/
private String determineHost(String port) {
HttpServletRequest request =
((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
String host = request.getHeader("Host");
int semicolonIndex = host.indexOf(":");
if (semicolonIndex == -1 || host.endsWith(":80")) {
host = host.replace(":80", "").replace("www.webgoat.local", "www.webwolf.local");
} else {
host = host.substring(0, semicolonIndex);
host = host.concat(":").concat(port);
}
return "http://" + host + (includeWebWolfContext() ? "/WebWolf" : "");
}
protected boolean includeWebWolfContext() {
return true;
}
}

5
src/main/java/org/owasp/webgoat/container/asciidoc/WebWolfRootMacro.java
View File

@ -17,9 +17,4 @@ public class WebWolfRootMacro extends WebWolfMacro {
public WebWolfRootMacro(String macroName, Map<String, Object> config) {
super(macroName, config);
}
@Override
protected boolean includeWebWolfContext() {
return false;
}
}

26
src/main/java/org/owasp/webgoat/server/StartupMessage.java
View File

@ -17,6 +17,11 @@ public class StartupMessage {
private String address;
private String contextPath;
private String applicationName;
private static boolean useSSL =
Boolean.valueOf(System.getenv().getOrDefault("WEBGOAT_SSLENABLED", "true"));
@EventListener
void onStartup(ApplicationReadyEvent event) {
@ -24,9 +29,24 @@ public class StartupMessage {
address = event.getApplicationContext().getEnvironment().getProperty("server.address");
contextPath =
event.getApplicationContext().getEnvironment().getProperty("server.servlet.context-path");
if (StringUtils.hasText(port)
&& !StringUtils.hasText(System.getProperty("running.in.docker"))) {
log.warn("Please browse to http://{}:{}{} to get started...", address, port, contextPath);
applicationName =
event.getApplicationContext().getEnvironment().getProperty("spring.application.name");
if (StringUtils.hasText(applicationName)) {
if (applicationName.equals("WebGoat")) {
log.warn(
"Please browse to "
+ (useSSL ? "https://" : "http://")
+ "{}:{}{} to start using WebGoat...",
event.getApplicationContext().getEnvironment().getProperty("webgoat.host"),
port,
contextPath);
} else {
log.warn(
"Please browse to http://{}:{}{} to start using WebWolf...",
event.getApplicationContext().getEnvironment().getProperty("webwolf.host"),
port,
contextPath);
}
}
}

8
src/main/resources/application-webgoat.properties
View File

@ -1,9 +1,9 @@
server.error.include-stacktrace=always
server.error.path=/error.html
server.servlet.context-path=${webgoat.context}
server.servlet.context-path=${WEBGOAT_CONTEXT:/WebGoat}
server.servlet.session.persistent=false
server.port=${webgoat.port}
server.address=${webgoat.host}
server.port=${WEBGOAT_PORT:8080}
server.address=0.0.0.0
webgoat.host=${WEBGOAT_HOST:127.0.0.1}
webgoat.port=${WEBGOAT_PORT:8080}
webgoat.context=${WEBGOAT_CONTEXT:/WebGoat}
@ -47,7 +47,7 @@ webgoat.default.language=en
webwolf.host=${WEBWOLF_HOST:127.0.0.1}
webwolf.port=${WEBWOLF_PORT:9090}
webwolf.context=${WEBWOLF_CONTEXT:/WebWolf}
webwolf.url=http://${webwolf.host}:${webwolf.port}${webwolf.context}
webwolf.url=http://${WEBWOLF_HOST:127.0.0.1}:${WEBWOLF_PORT:9090}${WEBWOLF_CONTEXT:/WebWolf}
webwolf.landingpage.url=${webwolf.url}/landing
webwolf.mail.url=${webwolf.url}/mail

4
src/main/resources/application-webwolf.properties
View File

@ -1,8 +1,8 @@
server.error.include-stacktrace=always
server.error.path=/error.html
server.servlet.context-path=${webwolf.context}
server.port=${webwolf.port}
server.address=${webwolf.host}
server.port=${WEBWOLF_PORT:9090}
server.address=0.0.0.0
spring.application.name=WebWolf
webwolf.host=${WEBWOLF_HOST:127.0.0.1}