dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Remove WebGoat session object (#1929)

Browse Source 
* refactor: modernize code

* refactor: move to Tomcat

* chore: bump to Spring Boot 3.3.3

* refactor: use Testcontainers to run integration tests

* refactor: lesson/assignment progress

* chore: format code

* refactor: first step into removing base class for assignment

Always been a bit of an ugly construction, as none of the dependencies are clear. The constructors are hidden due to autowiring the base class. This PR removes two of the fields.

As a bonus we now wire the authentication principal directly in the controllers.

* refactor: use authentication principal directly.

* refactor: pass lesson to the endpoints

No more need to get the current lesson set in a session. The lesson is now passed to the endpoints.

* fix: Testcontainers cannot run on Windows host in Github actions.

Since we have Windows specific paths let's run it standalone for now. We need to run these tests on Docker as well (for now disabled)
This commit is contained in:
Nanne Baars
2024-10-26 10:54:21 +02:00
committed by GitHub
parent cb7c508046
commit ab068901f1
156 changed files with 1076 additions and 1235 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
src/main/resources/application-webgoat.properties
View File

@ -45,13 +45,17 @@ webgoat.database.connection.string=jdbc:hsqldb:mem:{USER}
webgoat.default.language=en
webgoat.url=http://${server.address}:${server.port}${server.servlet.context-path}
webwolf.host=${WEBWOLF_HOST:127.0.0.1}
webwolf.port=${WEBWOLF_PORT:9090}
webwolf.context=${WEBWOLF_CONTEXT:/WebWolf}
webwolf.url=http://${WEBWOLF_HOST:127.0.0.1}:${WEBWOLF_PORT:9090}${WEBWOLF_CONTEXT:/WebWolf}
webwolf.host=127.0.0.1
webwolf.port=9090
webwolf.context=/WebWolf
webwolf.url=http://${webwolf.host}:${webwolf.port}${webwolf.context}
webwolf.landingpage.url=${webwolf.url}/landing
webwolf.mail.url=${webwolf.url}/mail
spring.jpa.properties.jakarta.persistence.schema-generation.scripts.action=create
spring.jpa.properties.jakarta.persistence.schema-generation.scripts.create-target=create.sql
spring.jpa.properties.jakarta.persistence.schema-generation.scripts.create-source=metadata
spring.jackson.serialization.indent_output=true
spring.jackson.serialization.write-dates-as-timestamps=false
@ -70,3 +74,5 @@ management.endpoints.web.exposure.include=env, health,configprops
spring.security.oauth2.client.registration.github.client-id=${WEBGOAT_OAUTH_CLIENTID:dummy}
spring.security.oauth2.client.registration.github.client-secret=${WEBGOAT_OAUTH_CLIENTSECRET:dummy}
spring.application.admin.jmx-name=org.springframework.boot:type=Admin,name=WebGoat

3
src/main/resources/application-webwolf.properties
View File

@ -13,7 +13,6 @@ management.server.port=-1
server.servlet.session.cookie.name=WEBWOLFSESSION
server.servlet.session.timeout=6000
spring.flyway.enabled=false
spring.thymeleaf.prefix=classpath:/webwolf/templates/
@ -53,3 +52,5 @@ spring.devtools.restart.additional-paths=webwolf/src/main/resources/static/
spring.security.oauth2.client.registration.github.client-id=${WEBWOLF_OAUTH_CLIENTID:dummy}
spring.security.oauth2.client.registration.github.client-secret=${WEBWOLF_OAUTH_CLIENTSECRET:dummy}
spring.application.admin.jmx-name=org.springframework.boot:type=Admin,name=WebWolf

115
src/main/resources/db/container/V1__init.sql
View File

@ -2,65 +2,64 @@
-- For the normal WebGoat server there is a bean which already provided the schema (and creates it see DatabaseInitialization)
CREATE SCHEMA IF NOT EXISTS CONTAINER;
CREATE SEQUENCE CONTAINER.HIBERNATE_SEQUENCE;
CREATE TABLE CONTAINER.ASSIGNMENT (
ID BIGINT NOT NULL PRIMARY KEY,
NAME VARCHAR(255),
PATH VARCHAR(255)
create
table CONTAINER.assignment
(
solved boolean not null,
id bigint generated by default as identity (start with 1),
name varchar(255),
path varchar(255),
primary key (id)
);
create table CONTAINER.lesson_progress
(
number_of_attempts integer not null,
version integer,
id bigint generated by default as identity (start with 1),
lesson_name varchar(255),
primary key (id)
);
create table CONTAINER.lesson_progress_assignments
(
assignments_id bigint not null unique,
lesson_progress_id bigint not null,
primary key (assignments_id, lesson_progress_id)
);
create table CONTAINER.user_progress
(
id bigint generated by default as identity (start with 1),
username varchar(255),
primary key (id)
);
create table CONTAINER.user_progress_lesson_progress
(
lesson_progress_id bigint not null unique,
user_progress_id bigint not null,
primary key (lesson_progress_id, user_progress_id)
);
create table CONTAINER.web_goat_user
(
password varchar(255),
role varchar(255),
username varchar(255) not null,
primary key (username)
);
CREATE TABLE CONTAINER.LESSON_TRACKER(
ID BIGINT NOT NULL PRIMARY KEY,
LESSON_NAME VARCHAR(255),
NUMBER_OF_ATTEMPTS INTEGER NOT NULL
create table CONTAINER.email
(
id BIGINT GENERATED BY DEFAULT AS IDENTITY (START WITH 1) NOT NULL PRIMARY KEY,
contents VARCHAR(1024),
recipient VARCHAR(255),
sender VARCHAR(255),
time TIMESTAMP,
title VARCHAR(255)
);
CREATE TABLE CONTAINER.LESSON_TRACKER_ALL_ASSIGNMENTS(
LESSON_TRACKER_ID BIGINT NOT NULL,
ALL_ASSIGNMENTS_ID BIGINT NOT NULL,
PRIMARY KEY(LESSON_TRACKER_ID,ALL_ASSIGNMENTS_ID),
CONSTRAINT FKNHIDKE27BCJHI8C7WJ9QW6Y3Q FOREIGN KEY(ALL_ASSIGNMENTS_ID) REFERENCES CONTAINER.ASSIGNMENT(ID),
CONSTRAINT FKBM51QSDJ7N17O2DNATGAMW7D FOREIGN KEY(LESSON_TRACKER_ID) REFERENCES CONTAINER.LESSON_TRACKER(ID),
CONSTRAINT UK_SYGJY2S8O8DDGA2K5YHBMUVEA UNIQUE(ALL_ASSIGNMENTS_ID)
);
CREATE TABLE CONTAINER.LESSON_TRACKER_SOLVED_ASSIGNMENTS(
LESSON_TRACKER_ID BIGINT NOT NULL,
SOLVED_ASSIGNMENTS_ID BIGINT NOT NULL,
PRIMARY KEY(LESSON_TRACKER_ID,SOLVED_ASSIGNMENTS_ID),
CONSTRAINT FKPP850U1MG09YKKL2EQGM0TRJK FOREIGN KEY(SOLVED_ASSIGNMENTS_ID) REFERENCES CONTAINER.ASSIGNMENT(ID),
CONSTRAINT FKNKRWGA1UHLOQ6732SQXHXXSCR FOREIGN KEY(LESSON_TRACKER_ID) REFERENCES CONTAINER.LESSON_TRACKER(ID),
CONSTRAINT UK_9WFYDUY3TVE1XD05LWOUEG0C1 UNIQUE(SOLVED_ASSIGNMENTS_ID)
);
CREATE TABLE CONTAINER.USER_TRACKER(
ID BIGINT NOT NULL PRIMARY KEY,
USERNAME VARCHAR(255)
);
CREATE TABLE CONTAINER.USER_TRACKER_LESSON_TRACKERS(
USER_TRACKER_ID BIGINT NOT NULL,
LESSON_TRACKERS_ID BIGINT NOT NULL,
PRIMARY KEY(USER_TRACKER_ID,LESSON_TRACKERS_ID),
CONSTRAINT FKQJSTCA3YND3OHP35D50PNUH3H FOREIGN KEY(LESSON_TRACKERS_ID) REFERENCES CONTAINER.LESSON_TRACKER(ID),
CONSTRAINT FKC9GX8INK7LRC79XC77O2MN9KE FOREIGN KEY(USER_TRACKER_ID) REFERENCES CONTAINER.USER_TRACKER(ID),
CONSTRAINT UK_5D8N5I3IC26CVF7DF7N95DOJB UNIQUE(LESSON_TRACKERS_ID)
);
CREATE TABLE CONTAINER.WEB_GOAT_USER(
USERNAME VARCHAR(255) NOT NULL PRIMARY KEY,
PASSWORD VARCHAR(255),
ROLE VARCHAR(255)
);
CREATE TABLE CONTAINER.EMAIL(
ID BIGINT GENERATED BY DEFAULT AS IDENTITY(START WITH 1) NOT NULL PRIMARY KEY,
CONTENTS VARCHAR(1024),
RECIPIENT VARCHAR(255),
SENDER VARCHAR(255),
TIME TIMESTAMP,
TITLE VARCHAR(255)
);
ALTER TABLE CONTAINER.EMAIL ALTER COLUMN ID RESTART WITH 2;
alter table CONTAINER.lesson_progress_assignments
add constraint FKbd9xavuwr1rxbcqhcu3jckyro foreign key (assignments_id) references CONTAINER.assignment;
alter table CONTAINER.lesson_progress_assignments
add constraint FKl8vg2qfqhmsnt18qqcyydq7iu foreign key (lesson_progress_id) references CONTAINER.lesson_progress;
alter table CONTAINER.user_progress_lesson_progress
add constraint FKkk5vk79v4q48xb5apeq0g5t2q foreign key (lesson_progress_id) references CONTAINER.lesson_progress;
alter table CONTAINER.user_progress_lesson_progress
add constraint FKkw1rtg14shtginbfflbglbf4m foreign key (user_progress_id) references CONTAINER.user_progress;

1
src/main/resources/db/container/V2__version.sql
View File

@ -1 +0,0 @@
ALTER TABLE CONTAINER.LESSON_TRACKER ADD VERSION INTEGER;

3
src/main/resources/db/container/V3__id.sql
View File

@ -1,3 +0,0 @@
ALTER TABLE CONTAINER.ASSIGNMENT ALTER COLUMN ID SET GENERATED BY DEFAULT AS IDENTITY(START WITH 1);
ALTER TABLE CONTAINER.LESSON_TRACKER ALTER COLUMN ID SET GENERATED BY DEFAULT AS IDENTITY(START WITH 1);
ALTER TABLE CONTAINER.USER_TRACKER ALTER COLUMN ID SET GENERATED BY DEFAULT AS IDENTITY(START WITH 1);

22
src/main/resources/db/container/V4__rename_to_progress.sql
View File

@ -1,22 +0,0 @@
ALTER TABLE container.lesson_tracker
RENAME TO container.lesson_progress;
ALTER TABLE container.lesson_tracker_all_assignments
ALTER COLUMN lesson_tracker_id RENAME TO lesson_progress_id;
ALTER TABLE container.lesson_tracker_all_assignments
RENAME TO container.lesson_progress_all_assignments;
ALTER TABLE container.lesson_tracker_solved_assignments
ALTER COLUMN lesson_tracker_id RENAME TO lesson_progress_id;
ALTER TABLE container.lesson_tracker_solved_assignments
RENAME TO container.lesson_progress_solved_assignments;
ALTER TABLE container.user_tracker
RENAME TO container.user_progress;
ALTER TABLE container.user_tracker_lesson_trackers
ALTER COLUMN user_tracker_id RENAME TO user_progress_id;
ALTER TABLE container.user_tracker_lesson_trackers
ALTER COLUMN lesson_trackers_id RENAME TO lesson_progress_id;
ALTER TABLE container.user_tracker_lesson_trackers
RENAME TO container.user_progress_lesson_progress;

32
src/main/resources/i18n/messages_ru.properties
View File

@ -1,32 +0,0 @@
#
# This file is part of WebGoat, an Open Web Application Security Project utility. For details,
# please see http://www.owasp.org/
# <p>
# Copyright (c) 2002 - 2017 Bruce Mayhew
# <p>
# This program is free software; you can redistribute it and/or modify it under the terms of the
# GNU General Public License as published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
# <p>
# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
# <p>
# You should have received a copy of the GNU General Public License along with this program; if
# not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
# 02111-1307, USA.
# <p>
# Getting Source ==============
# <p>
# Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
# projects.
# <p>
#
#General
lesson.completed=\u041f\u043e\u0437\u0434\u0440\u0430\u0432\u043b\u044f\u044e. \u0412\u044b \u043f\u043e\u043b\u043d\u043e\u0441\u0442\u044c\u044e \u043f\u0440\u043e\u0448\u043b\u0438 \u0434\u0430\u043d\u043d\u044b\u0439 \u0443\u0440\u043e\u043a.
RestartLesson=\u041d\u0430\u0447\u0430\u043b\u044c \u0441\u043d\u0430\u0447\u0430\u043b\u0430
SolutionVideos=\u0412\u0438\u0434\u0435\u043e \u0441 \u0440\u0435\u0448\u0435\u043d\u0438\u0435\u043c
ErrorGenerating=\u041f\u0440\u043e\u0438\u0437\u043e\u0448\u043b\u0430 \u043e\u0448\u0438\u0431\u043a\u0430
InvalidData=\u041d\u0435\u0432\u0435\u0440\u043d\u044b\u0435 \u0434\u0430\u043d\u043d\u044b\u0435
Go!=\u0412\u043f\u0435\u0440\u0451\u0434!

2
src/main/resources/lessons/challenges/html/Challenge1.html
View File

@ -37,7 +37,7 @@
</div>
</div>
<form class="attack-form" method="POST" name="form" action="challenge/flag">
<form class="attack-form" method="POST" name="form" action="challenge/flag/1">
<div class="form-group">
<div class="input-group">
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"

2
src/main/resources/lessons/challenges/html/Challenge5.html
View File

@ -66,7 +66,7 @@
</div>
</div>
<br/>
<form class="attack-form" method="POST" name="form" action="challenge/flag">
<form class="attack-form" method="POST" name="form" action="challenge/flag/5">
<div class="form-group">
<div class="input-group">
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"

2
src/main/resources/lessons/challenges/html/Challenge6.html
View File

@ -99,7 +99,7 @@
</div>
</div>
<br/>
<form class="attack-form" method="POST" name="form" action="challenge/flag">
<form class="attack-form" method="POST" name="form" action="challenge/flag/6">
<div class="form-group">
<div class="input-group">
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"

2
src/main/resources/lessons/challenges/html/Challenge7.html
View File

@ -57,7 +57,7 @@ f94008f801fceb8833a30fe56a8b26976347edcf First version of WebGoat Cloud website
</div>
</div>
<br/>
<form class="attack-form" method="POST" name="form" action="challenge/flag">
<form class="attack-form" method="POST" name="form" action="challenge/flag/7">
<div class="form-group">
<div class="input-group">
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"

2
src/main/resources/lessons/challenges/html/Challenge8.html
View File

@ -231,7 +231,7 @@
</div>
<br/>
<form class="attack-form" method="POST" name="form" action="challenge/flag">
<form class="attack-form" method="POST" name="form" action="challenge/flag/8">
<div class="form-group">
<div class="input-group">
<div class="input-group-addon"><i class="fa fa-flag-checkered" aria-hidden="true"

18
src/main/resources/webgoat/static/js/goatApp/controller/LessonController.js
View File

@ -60,7 +60,6 @@ define(['jquery',
this.lessonContentView.navToPage(pageNum);
this.lessonHintView.hideHints();
this.lessonHintView.showFirstHint();
//this.lessonHintView.selectHints();
this.titleView.render(this.lessonInfoModel.get('lessonTitle'));
return;
}
@ -78,17 +77,11 @@ define(['jquery',
};
this.onInfoLoaded = function() {
this.helpControlsView = new HelpControlsView({
hasPlan:this.lessonInfoModel.get('hasPlan'),
hasSolution:this.lessonInfoModel.get('hasSolution'),
hasSource:this.lessonInfoModel.get('hasSource')
});
this.helpControlsView = new HelpControlsView();
this.listenTo(this.helpControlsView,'hints:show',this.showHintsView);
this.listenTo(this.helpControlsView,'lesson:restart',this.restartLesson);
this.helpControlsView.render();
this.showHintsView();
this.titleView.render(this.lessonInfoModel.get('lessonTitle'));
};
@ -98,7 +91,8 @@ define(['jquery',
};
this.onContentLoaded = function(loadHelps) {
this.lessonInfoModel = new LessonInfoModel();
this.lessonInfoModel = new LessonInfoModel({'lesson':loadHelps['urlRoot']});
this.listenTo(this.lessonInfoModel,'info:loaded',this.onInfoLoaded);
if (loadHelps) {
@ -126,6 +120,8 @@ define(['jquery',
};
this.showHintsView = function() {
var self=this;
console.log(self.name);
if (!this.lessonHintView) {
this.createLessonHintView();
}
@ -141,7 +137,7 @@ define(['jquery',
this.restartLesson = function() {
var self=this;
$.ajax({
url:'service/restartlesson.mvc',
url: 'service/restartlesson.mvc/' + encodeURIComponent(self.name),
method:'GET'
}).done(function(lessonLink) {
self.loadLesson(self.name);

2
src/main/resources/webgoat/static/js/goatApp/model/HintCollection.js
View File

@ -10,7 +10,7 @@ define(['jquery',
return Backbone.Collection.extend({
model: HintModel,
url:'service/hint.mvc',
initialize: function () {
initialize: function (options) {
var self = this;
this.fetch().then(function (data) {
this.models = data;

4
src/main/resources/webgoat/static/js/goatApp/model/LessonInfoModel.js
View File

@ -6,15 +6,15 @@ define(['jquery',
Backbone){
return Backbone.Model.extend({
url:'service/lessoninfo.mvc',
url: function() { return 'service/lessoninfo.mvc/' + this.lesson; },
initialize: function (options) {
this.lesson = options.lesson;
this.fetch().then(this.infoLoaded.bind(this));
},
infoLoaded: function(data) {
this.trigger('info:loaded',this,data);
}
});
});

31
src/main/resources/webgoat/static/js/goatApp/model/LessonOverviewCollection.js
View File

@ -1,13 +1,20 @@
define([
'backbone',
'goatApp/model/AssignmentStatusModel'
],
function(
Backbone,
AssignmentStatusModel) {
return Backbone.Collection.extend({
//tagName: 'ul',
url: 'service/lessonoverview.mvc',
model: AssignmentStatusModel
});
});
'backbone',
'goatApp/model/AssignmentStatusModel'
],
function (
Backbone,
AssignmentStatusModel) {
return Backbone.Collection.extend({
url: function () {
return 'service/lessonoverview.mvc/' + this.lesson;
},
model: AssignmentStatusModel,
initialize: function (options) {
//TODO: Not the best way to do this, but it works for now.
this.lesson = options.baseLessonUrl.substring(options.baseLessonUrl.lastIndexOf('/') + 1);
},
});
});

1
src/main/resources/webgoat/static/js/goatApp/support/goatConstants.js
View File

@ -18,7 +18,6 @@ var goatConstants = {
solutionService: 'service/solution.mvc',
lessonPlanService: 'service/lessonplan.mvc',
menuService: 'service/lessonmenu.mvc',
lessonTitleService: 'service/lessontitle.mvc',
restartLessonService: 'service/restartlesson.mvc'
}
},

4
src/main/resources/webgoat/static/js/goatApp/view/PaginationControlView.js
View File

@ -14,7 +14,7 @@ define(['jquery',
initialize: function ($contentPages,baseLessonUrl,initPageNum) {
this.$contentPages = $contentPages;
this.collection = new LessonOverviewCollection();
this.collection = new LessonOverviewCollection({baseLessonUrl: baseLessonUrl});
this.listenTo(this.collection, 'reset', this.render);
this.numPages = this.$contentPages.length;
this.baseUrl = baseLessonUrl;
@ -144,7 +144,7 @@ define(['jquery',
if (this.currentPage >= this.numPages -1) {
this.hideNextPageButton();
this.showPrevPageButton;
this.showPrevPageButton();
}
this.collection.fetch({reset:true});
},