Remove WebGoat session object (#1929)

* refactor: modernize code

* refactor: move to Tomcat

* chore: bump to Spring Boot 3.3.3

* refactor: use Testcontainers to run integration tests

* refactor: lesson/assignment progress

* chore: format code

* refactor: first step into removing base class for assignment

Always been a bit of an ugly construction, as none of the dependencies are clear. The constructors are hidden due to autowiring the base class. This PR removes two of the fields.

As a bonus we now wire the authentication principal directly in the controllers.

* refactor: use authentication principal directly.

* refactor: pass lesson to the endpoints

No more need to get the current lesson set in a session. The lesson is now passed to the endpoints.

* fix: Testcontainers cannot run on Windows host in Github actions.

Since we have Windows-specific paths, let's run it standalone for now. We still need to run these tests on Docker as well (disabled for now).
Nanne Baars
2024-10-26 10:54:21 +02:00
committed by GitHub
parent cb7c508046
commit ab068901f1
156 changed files with 1076 additions and 1235 deletions


@ -0,0 +1,35 @@
package org.owasp.webgoat;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import org.owasp.webgoat.container.users.WebGoatUser;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.test.context.support.WithSecurityContext;
import org.springframework.security.test.context.support.WithSecurityContextFactory;
@WithSecurityContext(factory = WithMockWebGoatUserSecurityContextFactory.class)
@Retention(RetentionPolicy.RUNTIME)
public @interface WithWebGoatUser {
String username() default "test";
String password() default "password";
}
class WithMockWebGoatUserSecurityContextFactory
implements WithSecurityContextFactory<WithWebGoatUser> {
@Override
public SecurityContext createSecurityContext(WithWebGoatUser customUser) {
SecurityContext context = SecurityContextHolder.createEmptyContext();
WebGoatUser principal = new WebGoatUser(customUser.username(), customUser.password());
Authentication auth =
UsernamePasswordAuthenticationToken.authenticated(
principal, "password", principal.getAuthorities());
context.setAuthentication(auth);
return context;
}
}
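Review bot: The credentials passed to `UsernamePasswordAuthenticationToken.authenticated(...)` are the literal `"password"`, so the annotation's `password()` attribute only reaches the `WebGoatUser` constructor; a test declaring `@WithWebGoatUser(password = "x")` would get a principal and token credentials that disagree. Use the attribute in both places: `principal, customUser.password(), principal.getAuthorities()`. The annotation has no Javadoc either; a one-liner such as `/** Runs the annotated test with a WebGoatUser principal (defaults "test"/"password") in the SecurityContext, built by WithMockWebGoatUserSecurityContextFactory. */` would tell lesson-test authors what it provides. Adding `@Target({ElementType.TYPE, ElementType.METHOD})` would also stop the annotation from being placed on a field by accident, where it can never take effect.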


@ -27,11 +27,10 @@ package org.owasp.webgoat.container.assignments;
import java.util.Locale;
import org.mockito.Mock;
import org.owasp.webgoat.WithWebGoatUser;
import org.owasp.webgoat.container.i18n.Language;
import org.owasp.webgoat.container.i18n.Messages;
import org.owasp.webgoat.container.i18n.PluginMessages;
import org.owasp.webgoat.container.session.UserSessionData;
import org.owasp.webgoat.container.session.WebSession;
import org.owasp.webgoat.container.users.UserProgress;
import org.owasp.webgoat.container.users.UserProgressRepository;
import org.springframework.context.support.ClassPathXmlApplicationContext;
@ -39,12 +38,12 @@ import org.springframework.test.util.ReflectionTestUtils;
import org.springframework.web.servlet.i18n.FixedLocaleResolver;
// Do not remove is the base class for all assignments tests
@WithWebGoatUser
public class AssignmentEndpointTest {
@Mock protected UserProgress userTracker;
@Mock protected UserProgressRepository userTrackerRepository;
@Mock protected WebSession webSession;
@Mock protected UserSessionData userSessionData;
private Language language =
new Language(new FixedLocaleResolver()) {
@ -59,8 +58,6 @@ public class AssignmentEndpointTest {
public void init(AssignmentEndpoint a) {
messages.setBasenames("classpath:/i18n/messages", "classpath:/i18n/WebGoatLabels");
ReflectionTestUtils.setField(a, "userSessionData", userSessionData);
ReflectionTestUtils.setField(a, "webSession", webSession);
ReflectionTestUtils.setField(a, "messages", pluginMessages);
}
}
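Review bot: `@WithWebGoatUser` on this base class is only honoured by Spring Security's `WithSecurityContextTestExecutionListener`, which runs under Spring's TestContext framework; subclasses such as BypassVerificationTest elsewhere in this commit run with `MockitoExtension` and `standaloneSetup`, where nothing populates the SecurityContext and no `@AuthenticationPrincipal` argument resolver is registered, so the annotation appears to be a no-op for them. If the endpoints under test now take an `@AuthenticationPrincipal WebGoatUser` parameter, as the commit description says, that parameter will be null in those tests; either set the context explicitly in `init(...)` or register `AuthenticationPrincipalArgumentResolver` via `standaloneSetup(a).setCustomArgumentResolvers(...)` in the subclasses. Failing that, a comment such as `// @WithWebGoatUser only takes effect for subclasses that run under SpringExtension` next to the annotation would stop readers relying on it. The class body continues outside the hunk.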


@ -2,23 +2,23 @@ package org.owasp.webgoat.container.plugins;
import static org.mockito.Mockito.when;
import jakarta.annotation.PostConstruct;
import java.util.List;
import java.util.Locale;
import java.util.function.Function;
import org.flywaydb.core.Flyway;
import org.junit.jupiter.api.BeforeEach;
import org.owasp.webgoat.WithWebGoatUser;
import org.owasp.webgoat.container.WebGoat;
import org.owasp.webgoat.container.i18n.Language;
import org.owasp.webgoat.container.i18n.PluginMessages;
import org.owasp.webgoat.container.lessons.Initializeable;
import org.owasp.webgoat.container.session.WebSession;
import org.owasp.webgoat.container.lessons.Initializable;
import org.owasp.webgoat.container.users.WebGoatUser;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.mock.mockito.MockBean;
import org.springframework.boot.test.web.server.LocalServerPort;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.test.context.TestPropertySource;
import org.springframework.test.web.servlet.MockMvc;
@ -34,6 +34,7 @@ import org.springframework.web.context.WebApplicationContext;
"classpath:/application-webgoat.properties",
"classpath:/application-webgoat-test.properties"
})
@WithWebGoatUser
public abstract class LessonTest {
@LocalServerPort protected int localPort;
@ -41,8 +42,7 @@ public abstract class LessonTest {
@Autowired protected WebApplicationContext wac;
@Autowired protected PluginMessages messages;
@Autowired private Function<String, Flyway> flywayLessons;
@Autowired private List<Initializeable> lessonInitializers;
@MockBean protected WebSession webSession;
@Autowired private List<Initializable> lessonInitializers;
@MockBean private Language language;
@MockBean private ClientRegistrationRepository clientRegistrationRepository;
@ -52,15 +52,10 @@ public abstract class LessonTest {
@BeforeEach
void init() {
var user = new WebGoatUser("unit-test", "test");
when(webSession.getUserName()).thenReturn(user.getUsername());
when(webSession.getUser()).thenReturn(user);
when(language.getLocale()).thenReturn(Locale.getDefault());
lessonInitializers.forEach(init -> init.initialize(webSession.getUser()));
}
@PostConstruct
public void createFlywayLessonTables() {
flywayLessons.apply("PUBLIC").migrate();
WebGoatUser user =
(WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
flywayLessons.apply(user.getUsername()).migrate();
lessonInitializers.forEach(init -> init.initialize(user));
}
}
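Review bot: `createFlywayLessonTables` now dereferences `SecurityContextHolder.getContext().getAuthentication()` from a `@PostConstruct` method, but `@PostConstruct` on a test instance runs during test-instance preparation, whereas `WithSecurityContextTestExecutionListener` populates the holder per test method (by default in its before-test-method step) and clears it afterwards; if I read that ordering correctly, the authentication can be null here and the call chain throws NullPointerException before any test runs. Resolving the principal in the existing `@BeforeEach init()` (which JUnit runs after Spring's before-method listeners) and leaving only the PUBLIC migration in `@PostConstruct` removes the ordering dependency, and the cast should fail with a clear message rather than a ClassCastException if a different principal type is ever in the context. The `@Autowired`/`@MockBean` fields used here are declared above the hunk.
```java
@BeforeEach
void init() {
  when(language.getLocale()).thenReturn(Locale.getDefault());
  // The SecurityContext is populated by @WithWebGoatUser before each test method,
  // so the principal must be read here rather than in @PostConstruct.
  var auth = SecurityContextHolder.getContext().getAuthentication();
  if (auth == null || !(auth.getPrincipal() instanceof WebGoatUser user)) {
    throw new IllegalStateException("LessonTest requires a WebGoatUser principal, got: " + auth);
  }
  flywayLessons.apply(user.getUsername()).migrate();
  lessonInitializers.forEach(init -> init.initialize(user));
}

@PostConstruct
public void createFlywayLessonTables() {
  flywayLessons.apply("PUBLIC").migrate();
}
```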


@ -17,7 +17,6 @@ import org.mockito.junit.jupiter.MockitoExtension;
import org.owasp.webgoat.container.i18n.PluginMessages;
import org.owasp.webgoat.container.lessons.Lesson;
import org.owasp.webgoat.container.session.Course;
import org.owasp.webgoat.container.session.WebSession;
import org.owasp.webgoat.container.users.LessonProgress;
import org.owasp.webgoat.container.users.UserProgress;
import org.owasp.webgoat.container.users.UserProgressRepository;
@ -35,14 +34,12 @@ public class ReportCardControllerTest {
@Mock private Lesson lesson;
@Mock private LessonProgress lessonTracker;
@Mock private UserProgressRepository userTrackerRepository;
@Mock private WebSession websession;
@Mock private PluginMessages pluginMessages;
@BeforeEach
void setup() {
this.mockMvc =
standaloneSetup(
new ReportCardController(websession, userTrackerRepository, course, pluginMessages))
standaloneSetup(new ReportCardController(userTrackerRepository, course, pluginMessages))
.build();
when(pluginMessages.getMessage(anyString())).thenReturn("Test");
}


@ -1,22 +1,21 @@
package org.owasp.webgoat.container.service;
import static org.mockito.Mockito.when;
import static org.owasp.webgoat.container.service.HintService.URL_HINTS_MVC;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
import com.beust.jcommander.internal.Lists;
import java.util.List;
import org.hamcrest.CoreMatchers;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.Mock;
import org.mockito.Mockito;
import org.mockito.junit.jupiter.MockitoExtension;
import org.owasp.webgoat.container.lessons.Assignment;
import org.owasp.webgoat.container.lessons.Lesson;
import org.owasp.webgoat.container.session.WebSession;
import org.owasp.webgoat.container.session.Course;
import org.owasp.webgoat.lessons.httpbasics.HttpBasics;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
@ -24,22 +23,18 @@ import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
public class HintServiceTest {
private MockMvc mockMvc;
@Mock private WebSession websession;
@Mock private Lesson lesson;
@Mock private Assignment assignment;
@BeforeEach
void setup() {
this.mockMvc = standaloneSetup(new HintService(websession)).build();
Lesson lesson = new HttpBasics();
lesson.addAssignment(
new Assignment("test", "/HttpBasics/attack1", Lists.newArrayList("hint 1", "hint 2")));
Course course = new Course(List.of(lesson));
this.mockMvc = standaloneSetup(new HintService(course)).build();
}
@Test
void hintsPerAssignment() throws Exception {
Assignment assignment = Mockito.mock(Assignment.class);
when(assignment.getPath()).thenReturn("/HttpBasics/attack1");
when(assignment.getHints()).thenReturn(Lists.newArrayList("hint 1", "hint 2"));
when(lesson.getAssignments()).thenReturn(Lists.newArrayList(assignment));
when(websession.getCurrentLesson()).thenReturn(lesson);
mockMvc
.perform(MockMvcRequestBuilders.get(URL_HINTS_MVC))
.andExpect(status().isOk())


@ -22,6 +22,7 @@
package org.owasp.webgoat.container.service;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mock.Strictness.LENIENT;
import static org.mockito.Mockito.when;
import static org.owasp.webgoat.container.service.LessonMenuService.URL_LESSONMENU_MVC;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
@ -40,7 +41,6 @@ import org.mockito.junit.jupiter.MockitoExtension;
import org.owasp.webgoat.container.lessons.Category;
import org.owasp.webgoat.container.lessons.Lesson;
import org.owasp.webgoat.container.session.Course;
import org.owasp.webgoat.container.session.WebSession;
import org.owasp.webgoat.container.users.LessonProgress;
import org.owasp.webgoat.container.users.UserProgress;
import org.owasp.webgoat.container.users.UserProgressRepository;
@ -50,13 +50,12 @@ import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
@ExtendWith(MockitoExtension.class)
public class LessonMenuServiceTest {
@Mock(lenient = true)
@Mock(strictness = LENIENT)
private LessonProgress lessonTracker;
@Mock private Course course;
@Mock private UserProgress userTracker;
@Mock private UserProgressRepository userTrackerRepository;
@Mock private WebSession webSession;
private MockMvc mockMvc;
@BeforeEach
@ -64,11 +63,7 @@ public class LessonMenuServiceTest {
this.mockMvc =
standaloneSetup(
new LessonMenuService(
course,
webSession,
userTrackerRepository,
Arrays.asList("none"),
Arrays.asList("none")))
course, userTrackerRepository, Arrays.asList("none"), Arrays.asList("none")))
.build();
}


@ -15,7 +15,7 @@ import org.mockito.Mock;
import org.mockito.junit.jupiter.MockitoExtension;
import org.owasp.webgoat.container.lessons.Assignment;
import org.owasp.webgoat.container.lessons.Lesson;
import org.owasp.webgoat.container.session.WebSession;
import org.owasp.webgoat.container.session.Course;
import org.owasp.webgoat.container.users.LessonProgress;
import org.owasp.webgoat.container.users.UserProgress;
import org.owasp.webgoat.container.users.UserProgressRepository;
@ -60,21 +60,20 @@ class LessonProgressServiceTest {
private MockMvc mockMvc;
@Mock private Lesson lesson;
@Mock private UserProgress userTracker;
@Mock private UserProgress userProgress;
@Mock private LessonProgress lessonTracker;
@Mock private UserProgressRepository userTrackerRepository;
@Mock private WebSession websession;
@Mock private UserProgressRepository userProgressRepository;
@Mock private Course course;
@BeforeEach
void setup() {
Assignment assignment = new Assignment("test", "test", List.of());
when(userTrackerRepository.findByUser(any())).thenReturn(userTracker);
when(userTracker.getLessonProgress(any(Lesson.class))).thenReturn(lessonTracker);
when(websession.getCurrentLesson()).thenReturn(lesson);
when(userProgressRepository.findByUser(any())).thenReturn(userProgress);
when(userProgress.getLessonProgress(any(Lesson.class))).thenReturn(lessonTracker);
when(course.getLessonByName(any())).thenReturn(lesson);
when(lessonTracker.getLessonOverview()).thenReturn(Maps.newHashMap(assignment, true));
this.mockMvc =
MockMvcBuilders.standaloneSetup(
new LessonProgressService(userTrackerRepository, websession))
MockMvcBuilders.standaloneSetup(new LessonProgressService(userProgressRepository, course))
.build();
}
@ -82,7 +81,7 @@ class LessonProgressServiceTest {
void jsonLessonOverview() throws Exception {
this.mockMvc
.perform(
MockMvcRequestBuilders.get("/service/lessonoverview.mvc")
MockMvcRequestBuilders.get("/service/lessonoverview.mvc/test.lesson")
.accept(MediaType.APPLICATION_JSON_VALUE))
.andExpect(status().isOk())
.andExpect(jsonPath("$[0].assignment.name", is("test")))
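Review bot: `when(course.getLessonByName(any())).thenReturn(lesson)` in `setup()` accepts any argument, so the new `/service/lessonoverview.mvc/test.lesson` path in `jsonLessonOverview` never checks that the lesson name from the URL actually reaches the course lookup; a controller passing the wrong path variable, or `null`, would still pass. Stub the exact name the service is expected to derive from `test.lesson`, e.g. `when(course.getLessonByName("test")).thenReturn(lesson);` (the exact form the service uses is not visible in this hunk), and Mockito's strict stubs will then report a mismatched argument. `jsonLessonOverview` continues outside the hunk.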


@ -7,6 +7,7 @@ import static org.mockito.Mockito.when;
import java.util.List;
import java.util.Map;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.DisplayName;
import org.junit.jupiter.api.Test;
import org.owasp.webgoat.container.lessons.Assignment;
import org.owasp.webgoat.container.lessons.Lesson;
@ -56,6 +57,7 @@ class LessonTrackerTest {
}
@Test
@DisplayName("Given two assignments when only one is solved then lesson is not solved")
void noAssignmentsSolvedShouldMarkLessonAsInComplete() {
Lesson lesson = mock(Lesson.class);
Assignment a1 = new Assignment("a1");
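Review bot: The new `@DisplayName` describes two assignments with one solved, while the method underneath is still named `noAssignmentsSolvedShouldMarkLessonAsInComplete`; the two names describe different scenarios, and the body that would settle it lies outside the hunk. If the display name is the accurate one, rename the method to match, e.g. `oneOfTwoAssignmentsSolvedShouldMarkLessonAsIncomplete`, so the test report and the source agree; otherwise correct the display name.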


@ -32,6 +32,7 @@ import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.junit.jupiter.MockitoExtension;
import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
import org.owasp.webgoat.container.session.LessonSession;
import org.springframework.test.web.servlet.MockMvc;
@ExtendWith(MockitoExtension.class)
@ -41,7 +42,7 @@ public class BypassVerificationTest extends AssignmentEndpointTest {
@BeforeEach
public void setup() {
VerifyAccount verifyAccount = new VerifyAccount();
VerifyAccount verifyAccount = new VerifyAccount(new LessonSession());
init(verifyAccount);
this.mockMvc = standaloneSetup(verifyAccount).build();
}


@ -1,7 +1,6 @@
package org.owasp.webgoat.lessons.bypassrestrictions;
import static org.hamcrest.Matchers.is;
import static org.mockito.Mockito.when;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@ -19,7 +18,6 @@ public class BypassRestrictionsFrontendValidationTest extends LessonTest {
@BeforeEach
public void setup() {
when(webSession.getCurrentLesson()).thenReturn(new BypassRestrictions());
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
}


@ -1,6 +1,5 @@
package org.owasp.webgoat.lessons.chromedevtools;
import static org.mockito.Mockito.when;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@ -22,7 +21,6 @@ public class ChromeDevToolsTest extends LessonTest {
@BeforeEach
public void setup() {
when(webSession.getCurrentLesson()).thenReturn(new ChromeDevTools());
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
}


@ -2,7 +2,6 @@ package org.owasp.webgoat.lessons.cia;
import static org.assertj.core.api.Assertions.assertThat;
import static org.hamcrest.CoreMatchers.is;
import static org.mockito.Mockito.when;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@ -21,7 +20,6 @@ public class CIAQuizTest extends LessonTest {
@BeforeEach
public void setup() {
when(webSession.getCurrentLesson()).thenReturn(new CIA());
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
}


@ -1,6 +1,5 @@
package org.owasp.webgoat.lessons.clientsidefiltering;
import static org.mockito.Mockito.when;
import static org.owasp.webgoat.lessons.clientsidefiltering.ClientSideFilteringFreeAssignment.SUPER_COUPON_CODE;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
@ -19,7 +18,6 @@ public class ClientSideFilteringAssignmentTest extends LessonTest {
@BeforeEach
public void setup() {
when(webSession.getCurrentLesson()).thenReturn(new ClientSideFiltering());
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
}


@ -1,6 +1,5 @@
package org.owasp.webgoat.lessons.clientsidefiltering;
import static org.mockito.Mockito.when;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import org.hamcrest.CoreMatchers;
@ -15,7 +14,6 @@ public class ClientSideFilteringFreeAssignmentTest extends LessonTest {
@BeforeEach
public void setup() {
when(webSession.getCurrentLesson()).thenReturn(new ClientSideFiltering());
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
}


@ -23,7 +23,6 @@
package org.owasp.webgoat.lessons.csrf;
import static org.hamcrest.core.Is.is;
import static org.mockito.Mockito.when;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@ -44,7 +43,6 @@ public class CSRFFeedbackTest extends LessonTest {
@BeforeEach
public void setup() {
when(webSession.getCurrentLesson()).thenReturn(new CSRF());
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
}


@ -1,7 +1,6 @@
package org.owasp.webgoat.lessons.jwt;
import static org.hamcrest.Matchers.is;
import static org.mockito.Mockito.when;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@ -15,7 +14,6 @@ public class JWTDecodeEndpointTest extends LessonTest {
@BeforeEach
public void setup() {
when(webSession.getCurrentLesson()).thenReturn(new JWT());
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
}


@ -23,7 +23,6 @@
package org.owasp.webgoat.lessons.jwt;
import static org.hamcrest.Matchers.is;
import static org.mockito.Mockito.when;
import static org.owasp.webgoat.lessons.jwt.JWTRefreshEndpoint.PASSWORD;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@ -35,19 +34,19 @@ import java.util.Map;
import org.hamcrest.CoreMatchers;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.owasp.webgoat.WithWebGoatUser;
import org.owasp.webgoat.container.plugins.LessonTest;
import org.springframework.http.MediaType;
import org.springframework.test.web.servlet.MvcResult;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
@WithWebGoatUser
public class JWTRefreshEndpointTest extends LessonTest {
@BeforeEach
void setup() {
when(webSession.getCurrentLesson()).thenReturn(new JWT());
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
when(webSession.getUserName()).thenReturn("unit-test");
}
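Review bot: `@WithWebGoatUser` on `JWTRefreshEndpointTest` repeats the annotation that `LessonTest` already carries at class level in this same commit, with the same default user; Spring Security resolves `@WithSecurityContext` meta-annotations through the superclass hierarchy, so if that lookup behaves here as it does for `@WithMockUser` the repeat is redundant. The same duplicate appears on JWTSecretKeyEndpointTest, JWTVotesEndpointTest, ProfileUploadFixTest, ProfileUploadRemoveUserInputTest and ProfileUploadRetrievalTest. Either drop the repeats or, if they are meant to pin a specific user for these lessons, give them explicit attributes such as `@WithWebGoatUser(username = "test")` so the intent is visible; the ProfileUpload tests additionally hard-code the same `"test"` username in their expectations, which couples them silently to the annotation's default.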
@Test


@ -24,7 +24,6 @@ package org.owasp.webgoat.lessons.jwt;
import static io.jsonwebtoken.SignatureAlgorithm.HS512;
import static org.hamcrest.Matchers.is;
import static org.mockito.Mockito.when;
import static org.owasp.webgoat.lessons.jwt.JWTSecretKeyEndpoint.JWT_SECRET;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@ -37,17 +36,17 @@ import java.util.Date;
import org.hamcrest.CoreMatchers;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.owasp.webgoat.WithWebGoatUser;
import org.owasp.webgoat.container.plugins.LessonTest;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
@WithWebGoatUser
public class JWTSecretKeyEndpointTest extends LessonTest {
@BeforeEach
public void setup() {
when(webSession.getCurrentLesson()).thenReturn(new JWT());
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
when(webSession.getUserName()).thenReturn("unit-test");
}
private Claims createClaims(String username) {


@ -25,7 +25,6 @@ package org.owasp.webgoat.lessons.jwt;
import static org.assertj.core.api.Assertions.assertThat;
import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.is;
import static org.mockito.Mockito.when;
import static org.owasp.webgoat.lessons.jwt.JWTVotesEndpoint.JWT_PASSWORD;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.cookie;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
@ -39,19 +38,19 @@ import java.util.Map;
import org.hamcrest.CoreMatchers;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.owasp.webgoat.WithWebGoatUser;
import org.owasp.webgoat.container.plugins.LessonTest;
import org.springframework.http.MediaType;
import org.springframework.test.web.servlet.MvcResult;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
@WithWebGoatUser
public class JWTVotesEndpointTest extends LessonTest {
@BeforeEach
public void setup() {
when(webSession.getCurrentLesson()).thenReturn(new JWT());
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
when(webSession.getUserName()).thenReturn("unit-test");
}
@Test


@ -4,7 +4,6 @@ import static com.github.tomakehurst.wiremock.client.WireMock.aResponse;
import static com.github.tomakehurst.wiremock.core.WireMockConfiguration.options;
import static io.jsonwebtoken.SignatureAlgorithm.RS256;
import static org.hamcrest.Matchers.is;
import static org.mockito.Mockito.when;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@ -22,7 +21,6 @@ import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.DisplayName;
import org.junit.jupiter.api.Test;
import org.owasp.webgoat.container.plugins.LessonTest;
import org.owasp.webgoat.lessons.jwt.JWT;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
@ -33,7 +31,6 @@ class JWTHeaderJKUEndpointTest extends LessonTest {
@BeforeEach
public void setup() throws Exception {
when(webSession.getCurrentLesson()).thenReturn(new JWT());
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
setupWebWolf();


@ -1,7 +1,6 @@
package org.owasp.webgoat.lessons.jwt.claimmisuse;
import static org.hamcrest.Matchers.is;
import static org.mockito.Mockito.when;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@ -14,7 +13,6 @@ import org.hamcrest.CoreMatchers;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.owasp.webgoat.container.plugins.LessonTest;
import org.owasp.webgoat.lessons.jwt.JWT;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
@ -25,7 +23,6 @@ public class JWTHeaderKIDEndpointTest extends LessonTest {
@BeforeEach
public void setup() {
when(webSession.getCurrentLesson()).thenReturn(new JWT());
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
}


@ -23,7 +23,6 @@
package org.owasp.webgoat.lessons.missingac;
import static org.hamcrest.Matchers.is;
import static org.mockito.Mockito.when;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@ -38,7 +37,6 @@ class MissingFunctionACUsersTest extends LessonTest {
@BeforeEach
void setup() {
when(webSession.getCurrentLesson()).thenReturn(new MissingFunctionAC());
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
}


@ -1,6 +1,5 @@
package org.owasp.webgoat.lessons.missingac;
import static org.mockito.Mockito.when;
import static org.owasp.webgoat.lessons.missingac.MissingFunctionAC.PASSWORD_SALT_ADMIN;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@ -16,7 +15,6 @@ class MissingFunctionACYourHashAdminTest extends LessonTest {
@BeforeEach
public void setup() {
when(webSession.getCurrentLesson()).thenReturn(new MissingFunctionAC());
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
}


@ -22,7 +22,6 @@
package org.owasp.webgoat.lessons.missingac;
import static org.mockito.Mockito.when;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@ -37,7 +36,6 @@ class MissingFunctionYourHashTest extends LessonTest {
@BeforeEach
public void setup() {
when(webSession.getCurrentLesson()).thenReturn(new MissingFunctionAC());
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
}


@ -1,6 +1,5 @@
package org.owasp.webgoat.lessons.passwordreset;
import static org.mockito.Mockito.when;
import static org.owasp.webgoat.lessons.passwordreset.ResetLinkAssignment.TOM_EMAIL;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.view;
@ -32,7 +31,6 @@ class ResetLinkAssignmentTest extends LessonTest {
@BeforeEach
public void setup() {
when(webSession.getCurrentLesson()).thenReturn(new PasswordReset());
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
}


@ -1,6 +1,5 @@
package org.owasp.webgoat.lessons.passwordreset;
import static org.mockito.Mockito.when;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@ -22,7 +21,6 @@ public class SecurityQuestionAssignmentTest extends LessonTest {
@BeforeEach
public void setup() {
when(webSession.getCurrentLesson()).thenReturn(new PasswordReset());
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
}


@ -7,23 +7,22 @@ import java.io.File;
import org.hamcrest.CoreMatchers;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.mockito.Mockito;
import org.owasp.webgoat.WithWebGoatUser;
import org.owasp.webgoat.container.plugins.LessonTest;
import org.springframework.mock.web.MockMultipartFile;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
public class ProfileUploadFixTest extends LessonTest {
@WithWebGoatUser
class ProfileUploadFixTest extends LessonTest {
@BeforeEach
public void setup() {
Mockito.when(webSession.getCurrentLesson()).thenReturn(new PathTraversal());
void setup() {
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
Mockito.when(webSession.getUserName()).thenReturn("unit-test");
}
@Test
public void solve() throws Exception {
void solve() throws Exception {
var profilePicture =
new MockMultipartFile(
"uploadedFileFix", "../picture.jpg", "text/plain", "an image".getBytes());
@ -39,7 +38,7 @@ public class ProfileUploadFixTest extends LessonTest {
}
@Test
public void normalUpdate() throws Exception {
void normalUpdate() throws Exception {
var profilePicture =
new MockMultipartFile(
"uploadedFileFix", "picture.jpg", "text/plain", "an image".getBytes());
@ -52,8 +51,7 @@ public class ProfileUploadFixTest extends LessonTest {
.andExpect(status().is(200))
.andExpect(
jsonPath(
"$.feedback",
CoreMatchers.containsString("unit-test\\" + File.separator + "John Doe")))
"$.feedback", CoreMatchers.containsString("test\\" + File.separator + "John Doe")))
.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
}
}


@ -7,23 +7,22 @@ import java.io.File;
import org.hamcrest.CoreMatchers;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.mockito.Mockito;
import org.owasp.webgoat.WithWebGoatUser;
import org.owasp.webgoat.container.plugins.LessonTest;
import org.springframework.mock.web.MockMultipartFile;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
public class ProfileUploadRemoveUserInputTest extends LessonTest {
@WithWebGoatUser
class ProfileUploadRemoveUserInputTest extends LessonTest {
@BeforeEach
public void setup() {
Mockito.when(webSession.getCurrentLesson()).thenReturn(new PathTraversal());
void setup() {
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
Mockito.when(webSession.getUserName()).thenReturn("unit-test");
}
@Test
public void solve() throws Exception {
void solve() throws Exception {
var profilePicture =
new MockMultipartFile(
"uploadedFileRemoveUserInput", "../picture.jpg", "text/plain", "an image".getBytes());
@ -39,7 +38,7 @@ public class ProfileUploadRemoveUserInputTest extends LessonTest {
}
@Test
public void normalUpdate() throws Exception {
void normalUpdate() throws Exception {
var profilePicture =
new MockMultipartFile(
"uploadedFileRemoveUserInput", "picture.jpg", "text/plain", "an image".getBytes());
@ -53,7 +52,7 @@ public class ProfileUploadRemoveUserInputTest extends LessonTest {
.andExpect(
jsonPath(
"$.feedback",
CoreMatchers.containsString("unit-test\\" + File.separator + "picture.jpg")))
CoreMatchers.containsString("test\\" + File.separator + "picture.jpg")))
.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
}
}


@ -14,23 +14,22 @@ import java.io.File;
import java.net.URI;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.mockito.Mockito;
import org.owasp.webgoat.WithWebGoatUser;
import org.owasp.webgoat.container.plugins.LessonTest;
import org.springframework.http.MediaType;
import org.springframework.security.core.token.Sha512DigestUtils;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
public class ProfileUploadRetrievalTest extends LessonTest {
@WithWebGoatUser
class ProfileUploadRetrievalTest extends LessonTest {
@BeforeEach
public void setup() {
Mockito.when(webSession.getCurrentLesson()).thenReturn(new PathTraversal());
void setup() {
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
Mockito.when(webSession.getUserName()).thenReturn("unit-test");
}
@Test
public void solve() throws Exception {
void solve() throws Exception {
// Look at the response
mockMvc
.perform(get("/PathTraversal/random-picture"))
@ -58,15 +57,14 @@ public class ProfileUploadRetrievalTest extends LessonTest {
// Post flag
mockMvc
.perform(
post("/PathTraversal/random").param("secret", Sha512DigestUtils.shaHex("unit-test")))
.perform(post("/PathTraversal/random").param("secret", Sha512DigestUtils.shaHex("test")))
.andExpect(status().is(200))
.andExpect(jsonPath("$.assignment", equalTo("ProfileUploadRetrieval")))
.andExpect(jsonPath("$.lessonCompleted", is(true)));
}
@Test
public void shouldReceiveRandomPicture() throws Exception {
void shouldReceiveRandomPicture() throws Exception {
mockMvc
.perform(get("/PathTraversal/random-picture"))
.andExpect(status().is(200))
@ -75,7 +73,7 @@ public class ProfileUploadRetrievalTest extends LessonTest {
}
@Test
public void unknownFileShouldGiveDirectoryContents() throws Exception {
void unknownFileShouldGiveDirectoryContents() throws Exception {
mockMvc
.perform(get("/PathTraversal/random-picture?id=test"))
.andExpect(status().is(404))
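Review bot: The literal `"test"` handed to `Sha512DigestUtils.shaHex` in the flag post of `solve()` silently couples this test to the default `username()` of `@WithWebGoatUser`; if that default ever changes, the test fails only with "lessonCompleted is false" and nothing points at the cause. Make the dependency explicit by declaring `private static final String USER = "test";`, annotating the class with `@WithWebGoatUser(username = USER)` and posting `Sha512DigestUtils.shaHex(USER)`, so the secret and the principal are derived from one place. The same bare literal is repeated in the sibling PathTraversal tests (`"test\\" + File.separator + ...`), so a shared constant on `LessonTest` would be the better home if that base class is open to it.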


@ -7,23 +7,22 @@ import java.io.File;
import org.hamcrest.CoreMatchers;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.mockito.Mockito;
import org.owasp.webgoat.WithWebGoatUser;
import org.owasp.webgoat.container.plugins.LessonTest;
import org.springframework.mock.web.MockMultipartFile;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
public class ProfileUploadTest extends LessonTest {
@WithWebGoatUser
class ProfileUploadTest extends LessonTest {
@BeforeEach
public void setup() {
Mockito.when(webSession.getCurrentLesson()).thenReturn(new PathTraversal());
void setup() {
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
Mockito.when(webSession.getUserName()).thenReturn("unit-test");
}
@Test
public void solve() throws Exception {
void solve() throws Exception {
var profilePicture =
new MockMultipartFile(
"uploadedFile", "../picture.jpg", "text/plain", "an image".getBytes());
@ -39,7 +38,8 @@ public class ProfileUploadTest extends LessonTest {
}
@Test
public void attemptWithWrongDirectory() throws Exception {
@WithWebGoatUser
void attemptWithWrongDirectory() throws Exception {
var profilePicture =
new MockMultipartFile(
"uploadedFile", "../picture.jpg", "text/plain", "an image".getBytes());
@ -48,7 +48,7 @@ public class ProfileUploadTest extends LessonTest {
.perform(
MockMvcRequestBuilders.multipart("/PathTraversal/profile-upload")
.file(profilePicture)
.param("fullName", "../../" + webSession.getUserName()))
.param("fullName", "../../" + "test"))
.andExpect(status().is(200))
.andExpect(jsonPath("$.assignment", CoreMatchers.equalTo("ProfileUpload")))
.andExpect(jsonPath("$.feedback", CoreMatchers.containsString("Nice try")))
@ -56,25 +56,26 @@ public class ProfileUploadTest extends LessonTest {
}
@Test
public void shouldNotOverrideExistingFile() throws Exception {
@WithWebGoatUser
void shouldNotOverrideExistingFile() throws Exception {
var profilePicture =
new MockMultipartFile("uploadedFile", "picture.jpg", "text/plain", "an image".getBytes());
mockMvc
.perform(
MockMvcRequestBuilders.multipart("/PathTraversal/profile-upload")
.file(profilePicture)
.param("fullName", ".." + File.separator + webSession.getUserName()))
.param("fullName", ".." + File.separator + "test"))
.andExpect(
jsonPath(
"$.output",
CoreMatchers.anyOf(
CoreMatchers.containsString("Is a directory"),
CoreMatchers.containsString("..\\\\" + webSession.getUserName()))))
CoreMatchers.containsString("..\\\\" + "test"))))
.andExpect(status().is(200));
}
@Test
public void normalUpdate() throws Exception {
void normalUpdate() throws Exception {
var profilePicture =
new MockMultipartFile("uploadedFile", "picture.jpg", "text/plain", "an image".getBytes());
@ -88,11 +89,7 @@ public class ProfileUploadTest extends LessonTest {
jsonPath(
"$.feedback",
CoreMatchers.containsStringIgnoringCase(
"PathTraversal\\"
+ File.separator
+ "unit-test\\"
+ File.separator
+ "John Doe")))
"PathTraversal\\" + File.separator + "test\\" + File.separator + "John Doe")))
.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
}
}
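Review bot: The method-level `@WithWebGoatUser` on `attemptWithWrongDirectory` and `shouldNotOverrideExistingFile` is redundant: the class is already annotated identically, and repeating it on two of the four tests suggests they run as a different principal when they do not. Drop both method-level annotations, and fold the literal concatenations left over from replacing `webSession.getUserName()` into single literals: `.param("fullName", "../../test")` and `CoreMatchers.containsString("..\\\\test")`. If the user name is meant to stay a variable, hoist it into `private static final String USER = "test"; // must match @WithWebGoatUser default` and reference it from the annotation and from the three path expressions, so the coupling to the annotation default is visible in one place.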


@ -22,18 +22,14 @@
package org.owasp.webgoat.lessons.sqlinjection;
import static org.mockito.Mockito.when;
import org.junit.jupiter.api.BeforeEach;
import org.owasp.webgoat.container.plugins.LessonTest;
import org.owasp.webgoat.lessons.sqlinjection.introduction.SqlInjection;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
public class SqlLessonTest extends LessonTest {
@BeforeEach
public void setup() {
when(webSession.getCurrentLesson()).thenReturn(new SqlInjection());
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
}
}


@ -1,7 +1,6 @@
package org.owasp.webgoat.lessons.ssrf;
import static org.hamcrest.Matchers.is;
import static org.mockito.Mockito.when;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@ -22,7 +21,6 @@ public class SSRFTest1 extends LessonTest {
@BeforeEach
public void setup() {
when(webSession.getCurrentLesson()).thenReturn(new SSRF());
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
}


@ -23,7 +23,6 @@
package org.owasp.webgoat.lessons.ssrf;
import static org.hamcrest.Matchers.is;
import static org.mockito.Mockito.when;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@ -44,7 +43,6 @@ public class SSRFTest2 extends LessonTest {
@BeforeEach
public void setup() {
when(webSession.getCurrentLesson()).thenReturn(new SSRF());
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
}


@ -22,7 +22,6 @@
package org.owasp.webgoat.lessons.xss;
import static org.mockito.Mockito.lenient;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;
@ -33,21 +32,21 @@ import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.junit.jupiter.MockitoExtension;
import org.owasp.webgoat.container.assignments.AssignmentEndpointTest;
import org.owasp.webgoat.container.session.LessonSession;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
@ExtendWith(MockitoExtension.class)
public class DOMCrossSiteScriptingTest extends AssignmentEndpointTest {
private MockMvc mockMvc;
private String randVal = "12034837";
@BeforeEach
public void setup() {
DOMCrossSiteScripting domXss = new DOMCrossSiteScripting();
LessonSession lessonSession = new LessonSession();
DOMCrossSiteScripting domXss = new DOMCrossSiteScripting(lessonSession);
init(domXss);
this.mockMvc = standaloneSetup(domXss).build();
CrossSiteScripting xss = new CrossSiteScripting();
lenient().when(userSessionData.getValue("randValue")).thenReturn(randVal);
}
@Test
@ -59,8 +58,6 @@ public class DOMCrossSiteScriptingTest extends AssignmentEndpointTest {
.param("param1", "42")
.param("param2", "24"))
.andExpect(status().isOk())
.andExpect(
jsonPath("$.output", CoreMatchers.containsString("phoneHome Response is " + randVal)))
.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(true)));
}
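Review bot: The `solve` test now appears to prove only `lessonCompleted == true`; the assertion that `$.output` contains `"phoneHome Response is " + randVal` looks to be on the removed side, and the `LessonSession` built with `new LessonSession()` in `setup()` is passed to the assignment without anything visible seeding the `randValue` it is meant to compare against. If dropping that check is intentional, the `randVal` field and the `lenient().when(userSessionData.getValue("randValue"))` stub are dead weight and should go with it; if not, seed the value on the session instance you pass to the constructor and keep the output assertion, otherwise a regression that marks the lesson solved for any `param1`/`param2` would still pass. The body of the test method that ends at this hunk starts outside it.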


@ -40,19 +40,19 @@ import org.springframework.test.web.servlet.ResultActions;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
@ExtendWith(MockitoExtension.class)
public class StoredXssCommentsTest extends AssignmentEndpointTest {
class StoredXssCommentsTest extends AssignmentEndpointTest {
private MockMvc mockMvc;
@BeforeEach
public void setup() {
void setup() {
StoredXssComments storedXssComments = new StoredXssComments();
init(storedXssComments);
this.mockMvc = standaloneSetup(storedXssComments).build();
}
@Test
public void success() throws Exception {
void success() throws Exception {
ResultActions results =
mockMvc.perform(
MockMvcRequestBuilders.post("/CrossSiteScriptingStored/stored-xss")
@ -65,7 +65,7 @@ public class StoredXssCommentsTest extends AssignmentEndpointTest {
}
@Test
public void failure() throws Exception {
void failure() throws Exception {
ResultActions results =
mockMvc.perform(
MockMvcRequestBuilders.post("/CrossSiteScriptingStored/stored-xss")


@ -5,7 +5,6 @@ import static com.github.tomakehurst.wiremock.client.WireMock.getRequestedFor;
import static com.github.tomakehurst.wiremock.client.WireMock.urlMatching;
import static com.github.tomakehurst.wiremock.core.WireMockConfiguration.options;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.Mockito.when;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@ -20,22 +19,23 @@ import org.hamcrest.CoreMatchers;
import org.hamcrest.Matchers;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.owasp.webgoat.WithWebGoatUser;
import org.owasp.webgoat.container.plugins.LessonTest;
import org.springframework.http.MediaType;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
@WithWebGoatUser
class BlindSendFileAssignmentTest extends LessonTest {
private int port;
private WireMockServer webwolfServer;
@BeforeEach
public void setup() {
void setup() {
this.webwolfServer = new WireMockServer(options().dynamicPort());
webwolfServer.start();
this.port = webwolfServer.port();
when(webSession.getCurrentLesson()).thenReturn(new XXE());
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
}
@ -56,7 +56,7 @@ class BlindSendFileAssignmentTest extends LessonTest {
}
@Test
public void validCommentMustBeAdded() throws Exception {
void validCommentMustBeAdded() throws Exception {
int nrOfComments = countComments();
mockMvc
.perform(
@ -69,7 +69,7 @@ class BlindSendFileAssignmentTest extends LessonTest {
}
@Test
public void wrongXmlShouldGiveErrorBack() throws Exception {
void wrongXmlShouldGiveErrorBack() throws Exception {
mockMvc
.perform(
MockMvcRequestBuilders.post("/xxe/blind")
@ -82,9 +82,9 @@ class BlindSendFileAssignmentTest extends LessonTest {
}
@Test
public void simpleXXEShouldNotWork() throws Exception {
File targetFile =
new File(webGoatHomeDirectory, "/XXE/" + webSession.getUserName() + "/secret.txt");
@WithWebGoatUser
void simpleXXEShouldNotWork() throws Exception {
File targetFile = new File(webGoatHomeDirectory, "/XXE/" + "test" + "/secret.txt");
String content =
"<?xml version=\"1.0\" standalone=\"yes\" ?><!DOCTYPE user [<!ENTITY root SYSTEM"
+ " \"file:///%s\"> ]><comment><text>&root;</text></comment>";
@ -97,9 +97,8 @@ class BlindSendFileAssignmentTest extends LessonTest {
}
@Test
public void solve() throws Exception {
File targetFile =
new File(webGoatHomeDirectory, "/XXE/" + webSession.getUserName() + "/secret.txt");
void solve() throws Exception {
File targetFile = new File(webGoatHomeDirectory, "/XXE/test/secret.txt");
// Host DTD on WebWolf site
String dtd =
"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
@ -130,9 +129,8 @@ class BlindSendFileAssignmentTest extends LessonTest {
}
@Test
public void solveOnlyParamReferenceEntityInExternalDTD() throws Exception {
File targetFile =
new File(webGoatHomeDirectory, "/XXE/" + webSession.getUserName() + "/secret.txt");
void solveOnlyParamReferenceEntityInExternalDTD() throws Exception {
File targetFile = new File(webGoatHomeDirectory, "/XXE/test/secret.txt");
// Host DTD on WebWolf site
String dtd =
"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"


@ -22,7 +22,6 @@
package org.owasp.webgoat.lessons.xxe;
import static org.mockito.Mockito.when;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
@ -32,25 +31,22 @@ import org.hamcrest.CoreMatchers;
import org.hamcrest.Matchers;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.owasp.webgoat.WithWebGoatUser;
import org.owasp.webgoat.container.plugins.LessonTest;
import org.springframework.http.MediaType;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
/**
* @author nbaars
* @since 11/2/17.
*/
public class ContentTypeAssignmentTest extends LessonTest {
@WithWebGoatUser
class ContentTypeAssignmentTest extends LessonTest {
@BeforeEach
public void setup() {
when(webSession.getCurrentLesson()).thenReturn(new XXE());
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
}
@Test
public void sendingXmlButContentTypeIsJson() throws Exception {
void sendingXmlButContentTypeIsJson() throws Exception {
mockMvc
.perform(
MockMvcRequestBuilders.post("/xxe/content-type")
@ -66,7 +62,7 @@ public class ContentTypeAssignmentTest extends LessonTest {
}
@Test
public void workingAttack() throws Exception {
void workingAttack() throws Exception {
mockMvc
.perform(
MockMvcRequestBuilders.post("/xxe/content-type")
@ -80,7 +76,7 @@ public class ContentTypeAssignmentTest extends LessonTest {
}
@Test
public void postingJsonShouldAddComment() throws Exception {
void postingJsonShouldAddComment() throws Exception {
mockMvc
.perform(
MockMvcRequestBuilders.post("/xxe/content-type")
@ -108,7 +104,7 @@ public class ContentTypeAssignmentTest extends LessonTest {
}
@Test
public void postingInvalidJsonShouldNotAddComment() throws Exception {
void postingInvalidJsonShouldNotAddComment() throws Exception {
var numberOfComments = countComments();
mockMvc
.perform(


@ -22,34 +22,27 @@
package org.owasp.webgoat.lessons.xxe;
import static org.mockito.Mockito.when;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import org.hamcrest.CoreMatchers;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.owasp.webgoat.WithWebGoatUser;
import org.owasp.webgoat.container.plugins.LessonTest;
import org.springframework.test.context.junit.jupiter.SpringExtension;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
/**
* @author nbaars
* @since 11/2/17.
*/
@ExtendWith(SpringExtension.class)
public class SimpleXXETest extends LessonTest {
@WithWebGoatUser
class SimpleXXETest extends LessonTest {
@BeforeEach
public void setup() {
when(webSession.getCurrentLesson()).thenReturn(new XXE());
void setup() {
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
}
@Test
public void workingAttack() throws Exception {
void workingAttack() throws Exception {
// Call with XXE injection
mockMvc
.perform(
@ -63,7 +56,7 @@ public class SimpleXXETest extends LessonTest {
}
@Test
public void postingJsonCommentShouldNotSolveAssignment() throws Exception {
void postingJsonCommentShouldNotSolveAssignment() throws Exception {
mockMvc
.perform(
MockMvcRequestBuilders.post("/xxe/simple")
@ -74,7 +67,7 @@ public class SimpleXXETest extends LessonTest {
}
@Test
public void postingXmlCommentWithoutXXEShouldNotSolveAssignment() throws Exception {
void postingXmlCommentWithoutXXEShouldNotSolveAssignment() throws Exception {
mockMvc
.perform(
MockMvcRequestBuilders.post("/xxe/simple")
@ -87,7 +80,7 @@ public class SimpleXXETest extends LessonTest {
}
@Test
public void postingPlainTextShouldThrowException() throws Exception {
void postingPlainTextShouldThrowException() throws Exception {
mockMvc
.perform(MockMvcRequestBuilders.post("/xxe/simple").content("test"))
.andExpect(status().isOk())


@ -47,7 +47,7 @@ public class UserServiceTest {
public void testLoadUserByUsername() {
var username = "guest";
var password = "123";
WebGoatUser user = new WebGoatUser(username, password);
WebWolfUser user = new WebWolfUser(username, password);
when(mockUserRepository.findByUsername(username)).thenReturn(user);
var webGoatUser = sut.loadUserByUsername(username);
@ -73,6 +73,6 @@ public class UserServiceTest {
sut.addUser(username, password);
verify(mockUserRepository, times(1)).save(any(WebGoatUser.class));
verify(mockUserRepository, times(1)).save(any(WebWolfUser.class));
}
}


@ -1,15 +1,21 @@
<configuration />
<!--
Enable below if you want to debug a unit test and see why the controller fails the configuration above is there
to keep the Travis build going otherwise it fails with too much logging.
//TODO we should use a different Spring profile for Travis
-->
<!--
<configuration>
<include resource="org/springframework/boot/logging/logback/base.xml"/>
<logger name="org.springframework.web" level="DEBUG"/>
</configuration>
<appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
<encoder>
<pattern>[%thread] %highlight(%-5level) %cyan(%logger{15}) - %msg %n</pattern>
</encoder>
</appender>
-->
<include resource="org/springframework/boot/logging/logback/base.xml"/>
<root level="INFO">
<appender-ref ref="STDOUT"/>
</root>
<logger name="org.owasp.webgoat" level="INFO" additivity="false">
<appender-ref ref="STDOUT"/>
</logger>
<logger name="org.springframework" level="INFO" additivity="false">
<appender-ref ref="STDOUT"/>
</logger>
</configuration>
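Review bot: The new configuration both includes Spring Boot's `base.xml` and declares its own `STDOUT` appender plus `<root>`: if that include is the one shipped with Spring Boot it already attaches `CONSOLE` and `FILE` appenders to the root logger, and logback merges a second `<root>` element onto the same logger, so every category not covered by the two `additivity="false"` loggers would be printed twice on the console and additionally written to the default `spring.log` under the temp directory — the opposite of the old file's stated reason for keeping test output quiet. Either remove `<include resource="org/springframework/boot/logging/logback/base.xml"/>` and keep the explicit appender, or remove the `STDOUT` appender and point the two loggers at `CONSOLE`. A one-line comment replacing the dropped Travis note, such as `<!-- test logging: webgoat and spring at INFO to the console only; no file appender -->`, would record the intent so the next person does not re-add the include.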