From 9a1ba6a4254d5b749a098018234936fe2a42a79c Mon Sep 17 00:00:00 2001 From: mayhew64 Date: Sat, 30 Sep 2006 12:57:26 +0000 Subject: [PATCH] git-svn-id: http://webgoat.googlecode.com/svn/trunk@2 4033779f-a91e-0410-96ef-6bf7bf53c507 --- webgoat/Exec.java | 508 +++++++++++++++++++++++++++++++ webgoat/ExecResults.java | 320 +++++++++++++++++++ webgoat/ExecutionException.java | 31 ++ webgoat/HtmlEncoder.java | 195 ++++++++++++ webgoat/ThreadWatcher.java | 90 ++++++ 5 files changed, 1144 insertions(+) create mode 100644 webgoat/Exec.java create mode 100644 webgoat/ExecResults.java create mode 100644 webgoat/ExecutionException.java create mode 100644 webgoat/HtmlEncoder.java create mode 100644 webgoat/ThreadWatcher.java diff --git a/ webgoat/Exec.java b/ webgoat/Exec.java new file mode 100644 index 000000000..abd43f3e7 --- /dev/null +++ b/ webgoat/Exec.java @@ -0,0 +1,508 @@ +package org.owasp.webgoat.util; + +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; +import java.util.BitSet; + + +/** + * Copyright (c) 2002 Free Software Foundation developed under the custody of the Open Web + * Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is published by OWASP + * under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute + * this software. + * + * @author Jeff Williams Aspect Security + * @created October 28, 2003 + */ +public class Exec +{ + /** + * Description of the Method + * + * @param command Description of the Parameter + * @param input Description of the Parameter + * @return Description of the Return Value + */ + public static ExecResults execInput( String command, String input ) + { + return ( execOptions( command, input, 0, 0, false ) ); + } + + + /** + * Description of the Method + * + * @param command Description of the Parameter + * @return Description of the Return Value + */ + public static ExecResults execLazy( String command ) + { + return ( execOptions( command, "", 0, 0, true ) ); + } + + + /* + * Execute an OS command and capture the output in an ExecResults. + * All exceptions are caught and stored in the ExecResults. + * @param String command is the OS command to execute + * @param String input is piped into the OS command + * @param int successCode is the expected return code if the command completes successfully + * @param int timeout is the number of milliseconds to wait before interrupting the command + * @param boolean quit tells the method to exit when there is no more output waiting + */ + /** + * Description of the Method + * + * @param command Description of the Parameter + * @param input Description of the Parameter + * @param successCode Description of the Parameter + * @param timeout Description of the Parameter + * @param lazy Description of the Parameter + * @return Description of the Return Value + */ + public static ExecResults execOptions( String[] command, String input, int successCode, int timeout, boolean lazy ) + { + Process child = null; + ByteArrayOutputStream output = new ByteArrayOutputStream(); + ByteArrayOutputStream errors = new ByteArrayOutputStream(); + ExecResults results = new ExecResults( command[0], input, successCode, timeout ); + BitSet interrupted = new BitSet( 1 ); + boolean lazyQuit = false; + ThreadWatcher watcher; + + try + { + // start the command + child = Runtime.getRuntime().exec( command ); + + // get the streams in and out of the command + InputStream processIn = child.getInputStream(); + InputStream processError = child.getErrorStream(); + OutputStream processOut = child.getOutputStream(); + + // start the clock running + if ( timeout > 0 ) + { + watcher = new ThreadWatcher( child, interrupted, timeout ); + new Thread( watcher ).start(); + } + + // Write to the child process' input stream + if ( ( input != null ) && !input.equals( "" ) ) + { + try + { + processOut.write( input.getBytes() ); + processOut.flush(); + processOut.close(); + } + catch ( IOException e1 ) + { + results.setThrowable( e1 ); + } + } + + // Read from the child process' output stream + // The process may get killed by the watcher at any time + int c = 0; + + try + { + while ( true ) + { + if ( interrupted.get( 0 ) || lazyQuit ) + { + break; + } + + // interrupted + c = processIn.read(); + + if ( c == -1 ) + { + break; + } + + // end of stream + output.write( c ); + + if ( lazy && ( processIn.available() < 1 ) ) + { + lazyQuit = true; + } + + // if lazy and nothing then quit (after at least one read) + } + + processIn.close(); + } + catch ( IOException e2 ) + { + results.setThrowable( e2 ); + } + finally + { + if ( interrupted.get( 0 ) ) + { + results.setInterrupted(); + } + + results.setOutput( output.toString() ); + } + + // Read from the child process' error stream + // The process may get killed by the watcher at any time + try + { + while ( true ) + { + if ( interrupted.get( 0 ) || lazyQuit ) + { + break; + } + + // interrupted + c = processError.read(); + + if ( c == -1 ) + { + break; + } + + // end of stream + output.write( c ); + + if ( lazy && ( processError.available() < 1 ) ) + { + lazyQuit = true; + } + + // if lazy and nothing then quit (after at least one read) + } + + processError.close(); + } + catch ( IOException e3 ) + { + results.setThrowable( e3 ); + } + finally + { + if ( interrupted.get( 0 ) ) + { + results.setInterrupted(); + } + + results.setErrors( errors.toString() ); + } + + // wait for the return value of the child process. + if ( !interrupted.get( 0 ) && !lazyQuit ) + { + int returnCode = child.waitFor(); + results.setReturnCode( returnCode ); + + if ( returnCode != successCode ) + { + results.setError( ExecResults.BADRETURNCODE ); + } + } + } + catch ( InterruptedException i ) + { + results.setInterrupted(); + } + catch ( Throwable t ) + { + results.setThrowable( t ); + } + finally + { + if ( child != null ) + { + child.destroy(); + } + } + + return ( results ); + } + + + /* + * Execute an OS command and capture the output in an ExecResults. + * All exceptions are caught and stored in the ExecResults. + * @param String command is the OS command to execute + * @param String input is piped into the OS command + * @param int successCode is the expected return code if the command completes successfully + * @param int timeout is the number of milliseconds to wait before interrupting the command + * @param boolean quit tells the method to exit when there is no more output waiting + */ + /** + * Description of the Method + * + * @param command Description of the Parameter + * @param input Description of the Parameter + * @param successCode Description of the Parameter + * @param timeout Description of the Parameter + * @param lazy Description of the Parameter + * @return Description of the Return Value + */ + public static ExecResults execOptions( String command, String input, int successCode, int timeout, boolean lazy ) + { + Process child = null; + ByteArrayOutputStream output = new ByteArrayOutputStream(); + ByteArrayOutputStream errors = new ByteArrayOutputStream(); + ExecResults results = new ExecResults( command, input, successCode, timeout ); + BitSet interrupted = new BitSet( 1 ); + boolean lazyQuit = false; + ThreadWatcher watcher; + + try + { + // start the command + child = Runtime.getRuntime().exec( command ); + + // get the streams in and out of the command + InputStream processIn = child.getInputStream(); + InputStream processError = child.getErrorStream(); + OutputStream processOut = child.getOutputStream(); + + // start the clock running + if ( timeout > 0 ) + { + watcher = new ThreadWatcher( child, interrupted, timeout ); + new Thread( watcher ).start(); + } + + // Write to the child process' input stream + if ( ( input != null ) && !input.equals( "" ) ) + { + try + { + processOut.write( input.getBytes() ); + processOut.flush(); + processOut.close(); + } + catch ( IOException e1 ) + { + results.setThrowable( e1 ); + } + } + + // Read from the child process' output stream + // The process may get killed by the watcher at any time + int c = 0; + + try + { + while ( true ) + { + if ( interrupted.get( 0 ) || lazyQuit ) + { + break; + } + + // interrupted + c = processIn.read(); + + if ( c == -1 ) + { + break; + } + + // end of stream + output.write( c ); + + if ( lazy && ( processIn.available() < 1 ) ) + { + lazyQuit = true; + } + + // if lazy and nothing then quit (after at least one read) + } + + processIn.close(); + } + catch ( IOException e2 ) + { + results.setThrowable( e2 ); + } + finally + { + if ( interrupted.get( 0 ) ) + { + results.setInterrupted(); + } + + results.setOutput( output.toString() ); + } + + // Read from the child process' error stream + // The process may get killed by the watcher at any time + try + { + while ( true ) + { + if ( interrupted.get( 0 ) || lazyQuit ) + { + break; + } + + // interrupted + c = processError.read(); + + if ( c == -1 ) + { + break; + } + + // end of stream + output.write( c ); + + if ( lazy && ( processError.available() < 1 ) ) + { + lazyQuit = true; + } + + // if lazy and nothing then quit (after at least one read) + } + + processError.close(); + } + catch ( IOException e3 ) + { + results.setThrowable( e3 ); + } + finally + { + if ( interrupted.get( 0 ) ) + { + results.setInterrupted(); + } + + results.setErrors( errors.toString() ); + } + + // wait for the return value of the child process. + if ( !interrupted.get( 0 ) && !lazyQuit ) + { + int returnCode = child.waitFor(); + results.setReturnCode( returnCode ); + + if ( returnCode != successCode ) + { + results.setError( ExecResults.BADRETURNCODE ); + } + } + } + catch ( InterruptedException i ) + { + results.setInterrupted(); + } + catch ( Throwable t ) + { + results.setThrowable( t ); + } + finally + { + if ( child != null ) + { + child.destroy(); + } + } + + return ( results ); + } + + + /** + * Description of the Method + * + * @param command Description of the Parameter + * @return Description of the Return Value + */ + public static ExecResults execSimple( String[] command ) + { + return ( execOptions( command, "", 0, 0, false ) ); + } + + + /** + * Description of the Method + * + * @param command Description of the Parameter + * @return Description of the Return Value + */ + public static ExecResults execSimple( String command ) + { + return ( execOptions( command, "", 0, 0, false ) ); + } + + + /** + * Description of the Method + * + * @param command Description of the Parameter + * @param args Description of the Parameter + * @return Description of the Return Value + */ + public static ExecResults execSimple( String command, String args ) + { + return ( execOptions( command, args, 0, 0, false ) ); + } + + + /** + * Description of the Method + * + * @param command Description of the Parameter + * @param timeout Description of the Parameter + * @return Description of the Return Value + */ + public static ExecResults execTimeout( String command, int timeout ) + { + return ( execOptions( command, "", 0, timeout, false ) ); + } + + + /** + * The main program for the Exec class + * + * @param args The command line arguments + */ + public static void main( String[] args ) + { + ExecResults results; + String sep = System.getProperty( "line.separator" ); + System.out.println( "-------------------------------------------" + sep + "TEST 1: execSimple" ); + results = Exec.execSimple( "c:/swarm-2.1.1/bin/whoami.exe" ); + System.out.println( results ); + System.out.println( "-------------------------------------------" + sep + "TEST 2: execSimple (with search)" ); + results = Exec.execSimple( "netstat -r" ); + System.out.println( results ); + + if ( results.outputContains( "localhost:1031" ) ) + { + System.out.println( "ERROR: listening on 1031" ); + } + + System.out.println( "-------------------------------------------" + sep + "TEST 3: execInput" ); + results = Exec.execInput( "find \"cde\"", "abcdefg1\nhijklmnop\nqrstuv\nabcdefg2" ); + System.out.println( results ); + System.out.println( "-------------------------------------------" + sep + "TEST 4:execTimeout" ); + results = Exec.execTimeout( "ping -t 127.0.0.1", 5 * 1000 ); + System.out.println( results ); + System.out.println( "-------------------------------------------" + sep + "TEST 5:execLazy" ); + results = Exec.execLazy( "ping -t 127.0.0.1" ); + System.out.println( results ); + System.out.println( "-------------------------------------------" + sep + "TEST 6:ExecTimeout process never outputs" ); + results = Exec.execTimeout( "c:/swarm-2.1.1/bin/sleep.exe 20", 5 * 1000 ); + System.out.println( results ); + System.out.println( "-------------------------------------------" + sep + "TEST 7:ExecTimeout process waits for input" ); + results = Exec.execTimeout( "c:/swarm-2.1.1/bin/cat", 5 * 1000 ); + System.out.println( results ); + } +} + diff --git a/ webgoat/ExecResults.java b/ webgoat/ExecResults.java new file mode 100644 index 000000000..eb8fb2fa1 --- /dev/null +++ b/ webgoat/ExecResults.java @@ -0,0 +1,320 @@ +package org.owasp.webgoat.util; + +/** + * Copyright (c) 2002 Free Software Foundation developed under the custody of + * the Open Web Application Security Project (http://www.owasp.org) This + * software package org.owasp.webgoat.is published by OWASP under the GPL. You should read and + * accept the LICENSE before you use, modify and/or redistribute this software. + * + * @author Jeff Williams Aspect Security + */ +public class ExecResults +{ + /** + * Description of the Field + */ + public final static int BADRETURNCODE = 2; + + /** + * Description of the Field + */ + public final static int THROWABLE = 1; + private String myCommand; + private boolean myError = false; + private int myErrorType = 0; + private String myErrors = null; + private String myInput; + private boolean myInterrupted = false; + private String myOutput = null; + private int myReturnCode = 0; + private int mySuccessCode; + private Throwable myThrowable = null; + private int myTimeout; + + /** + * Constructor for the ExecResults object + * + *@param command Description of the Parameter + *@param input Description of the Parameter + *@param successCode Description of the Parameter + *@param timeout Description of the Parameter + */ + public ExecResults(String command, String input, int successCode, int timeout) + { + myCommand = command.trim(); + myInput = input.trim(); + mySuccessCode = successCode; + myTimeout = timeout; + } + + /** + * Description of the Method + * + *@param haystack Description of the Parameter + *@param needle Description of the Parameter + *@param fromIndex Description of the Parameter + *@return Description of the Return Value + */ + private boolean contains(String haystack, String needle, int fromIndex) + { + return (haystack.trim().toLowerCase().indexOf(needle.trim().toLowerCase(), fromIndex) != -1); + } + + + /** + * Description of the Method + * + *@param value Description of the Parameter + *@return Description of the Return Value + */ + public boolean errorsContains(String value) + { + return (errorsContains(value, 0)); + } + + + /** + * Description of the Method + * + *@param value Description of the Parameter + *@param fromIndex Description of the Parameter + *@return Description of the Return Value + */ + public boolean errorsContains(String value, int fromIndex) + { + return (contains(myErrors, value, fromIndex)); + } + + + /** + * Gets the error attribute of the ExecResults object + * + *@return The error value + */ + public boolean getError() + { + return (myError); + } + + + /** + * Gets the errorMessage attribute of the ExecResults object + * + *@return The errorMessage value + */ + public String getErrorMessage() + { + switch (getErrorType()) + { + case THROWABLE: + return ("Exception: " + myThrowable.getMessage()); + + case BADRETURNCODE: + return ("Bad return code (expected " + mySuccessCode + ")"); + + default: + return ("Unknown error"); + } + } + + + /** + * Gets the errorType attribute of the ExecResults object + * + *@return The errorType value + */ + public int getErrorType() + { + return (myErrorType); + } + + + /** + * Gets the errors attribute of the ExecResults object + * + *@return The errors value + */ + public String getErrors() + { + return (myErrors); + } + + + /** + * Gets the interrupted attribute of the ExecResults object + * + *@return The interrupted value + */ + public boolean getInterrupted() + { + return (myInterrupted); + } + + + /** + * Gets the output attribute of the ExecResults object + * + *@return The output value + */ + public String getOutput() + { + return (myOutput); + } + + + /** + * Gets the returnCode attribute of the ExecResults object + * + *@return The returnCode value + */ + public int getReturnCode() + { + return (myReturnCode); + } + + + /** + * Gets the throwable attribute of the ExecResults object + * + *@return The throwable value + */ + public Throwable getThrowable() + { + return (myThrowable); + } + + + /** + * Description of the Method + * + *@param value Description of the Parameter + *@return Description of the Return Value + */ + public boolean outputContains(String value) + { + return (outputContains(value, 0)); + } + + + /** + * Description of the Method + * + *@param value Description of the Parameter + *@param fromIndex Description of the Parameter + *@return Description of the Return Value + */ + public boolean outputContains(String value, int fromIndex) + { + return (contains(myOutput, value, fromIndex)); + } + + + /** + * Sets the error attribute of the ExecResults object + * + *@param value The new error value + */ + public void setError(int value) + { + myError = true; + myErrorType = value; + } + + + /** + * Sets the errors attribute of the ExecResults object + * + *@param errors The new errors value + */ + public void setErrors(String errors) + { + myErrors = errors.trim(); + } + + + /** + * Sets the interrupted attribute of the ExecResults object + */ + public void setInterrupted() + { + myInterrupted = true; + } + + + /** + * Sets the output attribute of the ExecResults object + * + *@param value The new output value + */ + public void setOutput(String value) + { + myOutput = value.trim(); + } + + + /** + * Sets the returnCode attribute of the ExecResults object + * + *@param value The new returnCode value + */ + public void setReturnCode(int value) + { + myReturnCode = value; + } + + + /** + * Sets the throwable attribute of the ExecResults object + * + *@param value The new throwable value + */ + public void setThrowable(Throwable value) + { + setError(THROWABLE); + myThrowable = value; + } + + + /** + * Description of the Method + * + *@return Description of the Return Value + */ + public String toString() + { + String sep = System.getProperty("line.separator"); + StringBuffer value = new StringBuffer(); + value.append("ExecResults for \'" + myCommand + "\'" + sep); + + if ((myInput != null) && !myInput.equals("")) + { + value.append(sep + "Input..." + sep + myInput + sep); + } + + if ((myOutput != null) && !myOutput.equals("")) + { + value.append(sep + "Output..." + sep + myOutput + sep); + } + + if ((myErrors != null) && !myErrors.equals("")) + { + value.append(sep + "Errors..." + sep + myErrors + sep); + } + + value.append(sep); + + if (myInterrupted) + { + value.append("Command timed out after " + (myTimeout / 1000) + " seconds " + sep); + } + + value.append("Returncode: " + myReturnCode + sep); + + if (myError) + { + value.append(getErrorMessage() + sep); + } + + return (value.toString()); + } +} diff --git a/ webgoat/ExecutionException.java b/ webgoat/ExecutionException.java new file mode 100644 index 000000000..e01c00f31 --- /dev/null +++ b/ webgoat/ExecutionException.java @@ -0,0 +1,31 @@ +package org.owasp.webgoat.util; + +/** + * Copyright (c) 2002 Free Software Foundation developed under the custody of + * the Open Web Application Security Project (http://www.owasp.org) This + * software package org.owasp.webgoat.is published by OWASP under the GPL. You should read and + * accept the LICENSE before you use, modify and/or redistribute this software. + * + * @author Jeff Williams Aspect Security + */ +public class ExecutionException extends Exception +{ + /** + * Constructor for the ExecutionException object + */ + public ExecutionException() + { + super(); + } + + + /** + * Constructor for the ExecutionException object + * + *@param msg Description of the Parameter + */ + public ExecutionException(String msg) + { + super(msg); + } +} diff --git a/ webgoat/HtmlEncoder.java b/ webgoat/HtmlEncoder.java new file mode 100644 index 000000000..09401378a --- /dev/null +++ b/ webgoat/HtmlEncoder.java @@ -0,0 +1,195 @@ +package org.owasp.webgoat.util; + +import java.util.HashMap; +import java.util.Map; + +public class HtmlEncoder +{ + static Map e2i = new HashMap(); + static Map i2e = new HashMap(); + + // html entity list + private static Object[][] entities = + { + {"quot", new Integer( 34 )}, // " - double-quote + {"amp", new Integer( 38 )}, // & - ampersand + {"lt", new Integer( 60 )}, // < - less-than + {"gt", new Integer( 62 )}, // > - greater-than + {"nbsp", new Integer( 160 )}, // non-breaking space + {"copy", new Integer( 169 )}, // © - copyright + {"reg", new Integer( 174 )}, // ® - registered trademark + {"Agrave", new Integer( 192 )}, // À - uppercase A, grave accent + {"Aacute", new Integer( 193 )}, // Á - uppercase A, acute accent + {"Acirc", new Integer( 194 )}, // Â - uppercase A, circumflex accent + {"Atilde", new Integer( 195 )}, // Ã - uppercase A, tilde + {"Auml", new Integer( 196 )}, // Ä - uppercase A, umlaut + {"Aring", new Integer( 197 )}, // Å - uppercase A, ring + {"AElig", new Integer( 198 )}, // Æ - uppercase AE + {"Ccedil", new Integer( 199 )}, // Ç - uppercase C, cedilla + {"Egrave", new Integer( 200 )}, // È - uppercase E, grave accent + {"Eacute", new Integer( 201 )}, // É - uppercase E, acute accent + {"Ecirc", new Integer( 202 )}, // Ê - uppercase E, circumflex accent + {"Euml", new Integer( 203 )}, // Ë - uppercase E, umlaut + {"Igrave", new Integer( 204 )}, // Ì - uppercase I, grave accent + {"Iacute", new Integer( 205 )}, // Í - uppercase I, acute accent + {"Icirc", new Integer( 206 )}, // Î - uppercase I, circumflex accent + {"Iuml", new Integer( 207 )}, // Ï - uppercase I, umlaut + {"ETH", new Integer( 208 )}, // Ð - uppercase Eth, Icelandic + {"Ntilde", new Integer( 209 )}, // Ñ - uppercase N, tilde + {"Ograve", new Integer( 210 )}, // Ò - uppercase O, grave accent + {"Oacute", new Integer( 211 )}, // Ó - uppercase O, acute accent + {"Ocirc", new Integer( 212 )}, // Ô - uppercase O, circumflex accent + {"Otilde", new Integer( 213 )}, // Õ - uppercase O, tilde + {"Ouml", new Integer( 214 )}, // Ö - uppercase O, umlaut + {"Oslash", new Integer( 216 )}, // Ø - uppercase O, slash + {"Ugrave", new Integer( 217 )}, // Ù - uppercase U, grave accent + {"Uacute", new Integer( 218 )}, // Ú - uppercase U, acute accent + {"Ucirc", new Integer( 219 )}, // Û - uppercase U, circumflex accent + {"Uuml", new Integer( 220 )}, // Ü - uppercase U, umlaut + {"Yacute", new Integer( 221 )}, // Ý - uppercase Y, acute accent + {"THORN", new Integer( 222 )}, // Þ - uppercase THORN, Icelandic + {"szlig", new Integer( 223 )}, // ß - lowercase sharps, German + {"agrave", new Integer( 224 )}, // à - lowercase a, grave accent + {"aacute", new Integer( 225 )}, // á - lowercase a, acute accent + {"acirc", new Integer( 226 )}, // â - lowercase a, circumflex accent + {"atilde", new Integer( 227 )}, // ã - lowercase a, tilde + {"auml", new Integer( 228 )}, // ä - lowercase a, umlaut + {"aring", new Integer( 229 )}, // å - lowercase a, ring + {"aelig", new Integer( 230 )}, // æ - lowercase ae + {"ccedil", new Integer( 231 )}, // ç - lowercase c, cedilla + {"egrave", new Integer( 232 )}, // è - lowercase e, grave accent + {"eacute", new Integer( 233 )}, // é - lowercase e, acute accent + {"ecirc", new Integer( 234 )}, // ê - lowercase e, circumflex accent + {"euml", new Integer( 235 )}, // ë - lowercase e, umlaut + {"igrave", new Integer( 236 )}, // ì - lowercase i, grave accent + {"iacute", new Integer( 237 )}, // í - lowercase i, acute accent + {"icirc", new Integer( 238 )}, // î - lowercase i, circumflex accent + {"iuml", new Integer( 239 )}, // ï - lowercase i, umlaut + {"igrave", new Integer( 236 )}, // ì - lowercase i, grave accent + {"iacute", new Integer( 237 )}, // í - lowercase i, acute accent + {"icirc", new Integer( 238 )}, // î - lowercase i, circumflex accent + {"iuml", new Integer( 239 )}, // ï - lowercase i, umlaut + {"eth", new Integer( 240 )}, // ð - lowercase eth, Icelandic + {"ntilde", new Integer( 241 )}, // ñ - lowercase n, tilde + {"ograve", new Integer( 242 )}, // ò - lowercase o, grave accent + {"oacute", new Integer( 243 )}, // ó - lowercase o, acute accent + {"ocirc", new Integer( 244 )}, // ô - lowercase o, circumflex accent + {"otilde", new Integer( 245 )}, // õ - lowercase o, tilde + {"ouml", new Integer( 246 )}, // ö - lowercase o, umlaut + {"oslash", new Integer( 248 )}, // ø - lowercase o, slash + {"ugrave", new Integer( 249 )}, // ù - lowercase u, grave accent + {"uacute", new Integer( 250 )}, // ú - lowercase u, acute accent + {"ucirc", new Integer( 251 )}, // û - lowercase u, circumflex accent + {"uuml", new Integer( 252 )}, // ü - lowercase u, umlaut + {"yacute", new Integer( 253 )}, // ý - lowercase y, acute accent + {"thorn", new Integer( 254 )}, // þ - lowercase thorn, Icelandic + {"yuml", new Integer( 255 )}, // ÿ - lowercase y, umlaut + {"euro", new Integer( 8364 )},// Euro symbol + }; + + + public HtmlEncoder() + { + for(int i=0; i + * + * e.g. "bread" & "butter" => &quot;bread&quot; &amp; + * &quot;butter&quot; . Update: supports nearly all HTML entities, including funky + * accents. See the source code for more detail. Adapted from + * http://www.purpletech.com/code/src/com/purpletech/util/Utils.java. + * + * @param s1 Description of the Parameter + * @return Description of the Return Value + */ + public static String encode( String s1 ) + { + StringBuffer buf = new StringBuffer(); + + int i; + for ( i = 0; i < s1.length(); ++i ) + { + char ch = s1.charAt( i ); + + String entity = (String) i2e.get( new Integer( (int) ch ) ); + + if ( entity == null ) + { + if ( ( (int) ch ) > 128 ) + { + buf.append( "&#" + ( (int) ch ) + ";" ); + } + else + { + buf.append( ch ); + } + } + else + { + buf.append( "&" + entity + ";" ); + } + } + + return buf.toString(); + } + + + /** + * Given a string containing entity escapes, returns a string containing the actual Unicode + * characters corresponding to the escapes. Adapted from + * http://www.purpletech.com/code/src/com/purpletech/util/Utils.java. + * + * @param s1 Description of the Parameter + * @return Description of the Return Value + */ + public static String decode( String s1 ) + { + StringBuffer buf = new StringBuffer(); + + int i; + for ( i = 0; i < s1.length(); ++i ) + { + char ch = s1.charAt( i ); + + if ( ch == '&' ) + { + int semi = s1.indexOf( ';', i + 1 ); + if ( semi == -1 ) + { + buf.append( ch ); + continue; + } + String entity = s1.substring( i + 1, semi ); + Integer iso; + if ( entity.charAt( 0 ) == '#' ) + { + iso = new Integer( entity.substring( 1 ) ); + } + else + { + iso = (Integer) e2i.get( entity ); + } + if ( iso == null ) + { + buf.append( "&" + entity + ";" ); + } + else + { + buf.append( (char) ( iso.intValue() ) ); + } + i = semi; + } + else + { + buf.append( ch ); + } + } + + return buf.toString(); + } +} diff --git a/ webgoat/ThreadWatcher.java b/ webgoat/ThreadWatcher.java new file mode 100644 index 000000000..3a5b46b64 --- /dev/null +++ b/ webgoat/ThreadWatcher.java @@ -0,0 +1,90 @@ +package org.owasp.webgoat.util; + +import java.util.BitSet; + + +/** + * Copyright (c) 2002 Free Software Foundation developed under the custody of + * the Open Web Application Security Project (http://www.owasp.org) This + * software package org.owasp.webgoat.is published by OWASP under the GPL. You should read and + * accept the LICENSE before you use, modify and/or redistribute this software. + * + *@author jwilliams@aspectsecurity.com + *@created November 6, 2002 + */ +public class ThreadWatcher implements Runnable +{ + // time to live in milliseconds + private BitSet myInterrupted; + private Process myProcess; + private int myTimeout; + + /** + * Constructor for the ThreadWatcher object + * + *@param p Description of the Parameter + *@param interrupted Description of the Parameter + *@param timeout Description of the Parameter + */ + public ThreadWatcher(Process p, BitSet interrupted, int timeout) + { + myProcess = p; + + // thread used by whoever constructed this watcher + myTimeout = timeout; + myInterrupted = interrupted; + } + + /* + * Interrupt the thread by marking the interrupted bit and killing the process + */ + + /** + * Description of the Method + */ + public void interrupt() + { + myInterrupted.set(0); + + // set interrupted bit (bit 0 of the bitset) to 1 + myProcess.destroy(); + + /* + * try + * { + * myProcess.getInputStream().close(); + * } + * catch( IOException e1 ) + * { + * / do nothing -- input streams are probably already closed + * } + * try + * { + * myProcess.getErrorStream().close(); + * } + * catch( IOException e2 ) + * { + * / do nothing -- input streams are probably already closed + * } + * myThread.interrupt(); + */ + } + + + /** + * Main processing method for the ThreadWatcher object + */ + public void run() + { + try + { + Thread.sleep(myTimeout); + } + catch (InterruptedException e) + { + // do nothing -- if watcher is interrupted, so is thread + } + + interrupt(); + } +}