Admin should also be able to see the solution, source and lesson plan.

This commit is contained in:
Nanne Baars 2016-03-29 01:24:07 +02:00
parent a52df28ec6
commit b06d9ffd81
4 changed files with 11 additions and 26 deletions


@ -29,17 +29,15 @@
*/ */
package org.owasp.webgoat.service; package org.owasp.webgoat.service;
import javax.servlet.http.HttpSession;
import static org.owasp.webgoat.LessonSource.END_SOURCE_SKIP;
import static org.owasp.webgoat.LessonSource.START_SOURCE_SKIP;
import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.model.SourceListing;
import org.owasp.webgoat.session.Course; import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
import org.springframework.stereotype.Controller; import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpSession;
/** /**
* <p>LessonPlanService class.</p> * <p>LessonPlanService class.</p>
* *
@ -61,9 +59,6 @@ public class LessonPlanService extends BaseService {
WebSession ws = getWebSession(session); WebSession ws = getWebSession(session);
String plan = getPlan(ws); String plan = getPlan(ws);
return plan; return plan;
//SourceListing sl = new SourceListing();
//sl.setSource(source);
//return sl;
} }
/** /**
@ -73,15 +68,12 @@ public class LessonPlanService extends BaseService {
* @return Description of the Return Value * @return Description of the Return Value
*/ */
protected String getPlan(WebSession s) { protected String getPlan(WebSession s) {
String plan = null; String plan = null;
int scr = s.getCurrentScreen(); int scr = s.getCurrentScreen();
Course course = s.getCourse(); Course course = s.getCourse();
if (s.isUser() || s.isChallenge()) { if (s.isUser() || s.isAdmin()) {
AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE); AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
if (lesson != null) { if (lesson != null) {
plan = lesson.getLessonPlan(s); plan = lesson.getLessonPlan(s);
} }
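Review bot: The new condition on the `if` line in getPlan replaces `s.isChallenge()` with `s.isAdmin()` instead of adding it, so a challenge-mode session that is neither user nor admin no longer reaches the lesson-plan lookup; if challenge mode is still supported, the guard should read `if (s.isUser() || s.isChallenge() || s.isAdmin()) {`. The same substitution appears in getSolution (SolutionService) and getSource (SourceService) in this commit. Separately, the lookup under the guard still passes `AbstractLesson.USER_ROLE`, so an admin whose current screen is a lesson outside the user role presumably gets a null lesson and the not-available fallback — worth confirming that is the intended scope of "admin can see". getPlan's body continues past the end of the hunk.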


@ -29,7 +29,6 @@
*/ */
package org.owasp.webgoat.service; package org.owasp.webgoat.service;
import javax.servlet.http.HttpSession;
import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.session.Course; import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.WebSession; import org.owasp.webgoat.session.WebSession;
@ -37,6 +36,8 @@ import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody; import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpSession;
/** /**
* <p>SolutionService class.</p> * <p>SolutionService class.</p>
* *
@ -67,23 +68,19 @@ public class SolutionService extends BaseService {
* @return a {@link java.lang.String} object. * @return a {@link java.lang.String} object.
*/ */
protected String getSolution(WebSession s) { protected String getSolution(WebSession s) {
String source = null; String source = null;
int scr = s.getCurrentScreen(); int scr = s.getCurrentScreen();
Course course = s.getCourse(); Course course = s.getCourse();
if (s.isUser() || s.isChallenge()) { if (s.isUser() || s.isAdmin()) {
AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE); AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
if (lesson != null) { if (lesson != null) {
source = lesson.getSolution(s); source = lesson.getSolution(s);
} }
} }
if (source == null) { if (source == null) {
return "Solution is not available. Contact " return "Solution is not available. Contact " + s.getWebgoatContext().getFeedbackAddressHTML();
+ s.getWebgoatContext().getFeedbackAddressHTML();
} }
return (source); return source;
} }
} }


@ -75,15 +75,12 @@ public class SourceService extends BaseService {
* @return Description of the Return Value * @return Description of the Return Value
*/ */
protected String getSource(WebSession s) { protected String getSource(WebSession s) {
String source = null; String source = null;
int scr = s.getCurrentScreen(); int scr = s.getCurrentScreen();
Course course = s.getCourse(); Course course = s.getCourse();
if (s.isUser() || s.isChallenge()) { if (s.isUser() || s.isAdmin()) {
AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE); AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
if (lesson != null) { if (lesson != null) {
source = lesson.getRawSource(s); source = lesson.getRawSource(s);
} }
@ -91,7 +88,7 @@ public class SourceService extends BaseService {
if (source == null) { if (source == null) {
return "Source code is not available for this lesson."; return "Source code is not available for this lesson.";
} }
return (source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP, return source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP,
"Code Section Deliberately Omitted")); "Code Section Deliberately Omitted");
} }
} }
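Review bot: The regex on the `return source.replaceAll(...)` line concatenates START_SOURCE_SKIP and END_SOURCE_SKIP directly into the pattern and uses a greedy `(?s).*`; if either marker contains a regex metacharacter the pattern silently fails to match and the deliberately-omitted section is returned verbatim, and with more than one skip region in a file the greedy match also removes the code between them. If the markers are fixed literal strings, quoting them and using a reluctant quantifier addresses both: `return source.replaceAll("(?s)" + Pattern.quote(START_SOURCE_SKIP) + ".*?" + Pattern.quote(END_SOURCE_SKIP), "Code Section Deliberately Omitted");` (this needs `java.util.regex.Pattern` imported). Compiling that pattern once as a `static final Pattern` would also avoid rebuilding it on every request. getSource starts before this hunk.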


@ -10,7 +10,6 @@ lesson.BasicAuthentication.hidden=true
lesson.BlindScript.hidden=true lesson.BlindScript.hidden=true
lesson.RemoteAdminFlaw.hidden=true lesson.RemoteAdminFlaw.hidden=true
lesson.HttpSplitting.hidden=true lesson.HttpSplitting.hidden=true
lesson.BasicAuthentication.hidden=true
lesson.SameOriginPolicyProtection.hidden=true lesson.SameOriginPolicyProtection.hidden=true
lesson.SilentTransactions.hidden=true lesson.SilentTransactions.hidden=true
lesson.TraceXSS.hidden=true lesson.TraceXSS.hidden=true