Miscellaneous bug fixes

divide by zero, inaccurate discount and totals, reflection of user input


git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@273 4033779f-a91e-0410-96ef-6bf7bf53c507

main/project/WebContent/lessons/RoleBasedAccessControl/EditProfile.jsp

@@ -0,0 +1,137 @@
+<%@ page contentType="text/html; charset=ISO-8859-1" language="java" 
+	import="java.util.*, org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl" 
+	errorPage="" %>
+<%
+	WebSession webSession = ((WebSession)session.getAttribute("websession"));
+	Employee employee = (Employee) session.getAttribute("RoleBasedAccessControl.Employee");
+%>
+		<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span> - Edit Profile Page</div>
+		<div class="lesson_text">
+			<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
+<Table border="0" cellpadding="0" cellspacing="0">
+				<TR><TD width="110">
+						First Name:
+					</TD>
+					<TD width="193">
+						<input class="lesson_text_db" name="<%=RoleBasedAccessControl.FIRST_NAME%>" type="text" value="<%=employee.getFirstName()%>"/>
+				  </TD>
+					<TD width="110">				
+						Last Name:					</TD>
+					<TD width="196">
+					 	<input class="lesson_text_db" name="<%=RoleBasedAccessControl.LAST_NAME%>" type="text" value="<%=employee.getLastName()%>"/>
+				  </TD>
+				</TR>
+				<TR><TD>				
+						Street: 
+					</TD>
+					<TD>
+						<input class="lesson_text_db" name="<%=RoleBasedAccessControl.ADDRESS1%>" type="text" value="<%=employee.getAddress1()%>"/>
+					</TD>
+					<TD>				
+						City/State: 
+					<TD>
+						<input class="lesson_text_db" name="<%=RoleBasedAccessControl.ADDRESS2%>" type="text" value="<%=employee.getAddress2()%>"/>
+					</TD>
+				</TR>
+				<TR><TD>
+						Phone: 
+					</TD>
+					<TD>
+						<input class="lesson_text_db" name="<%=RoleBasedAccessControl.PHONE_NUMBER%>" type="text" value="<%=employee.getPhoneNumber()%>"/>
+					</TD>
+					<TD>				
+						Start Date: 
+					</TD>
+					<TD>
+						<input class="lesson_text_db" name="<%=RoleBasedAccessControl.START_DATE%>" type="text" value="<%=employee.getStartDate()%>"/>
+					</TD>
+				</TR>
+				<TR><TD>
+			    		SSN: 
+			    	</TD>
+			    	<TD>
+			    		<input class="lesson_text_db" name="<%=RoleBasedAccessControl.SSN%>" type="text" value="<%=employee.getSsn()%>"/> 
+					</TD>
+					<TD>				
+						Salary: 
+					</TD>
+					<TD>
+						<input class="lesson_text_db" name="<%=RoleBasedAccessControl.SALARY%>" type="text" value="<%=employee.getSalary()%>"/>
+					</TD>
+				</TR>
+				<TR><TD>
+						Credit Card: 
+					</TD>
+					<TD>
+						<input class="lesson_text_db" name="<%=RoleBasedAccessControl.CCN%>" type="text" value="<%=employee.getCcn()%>"/>
+					</TD>
+					<TD>				
+						Credit Card Limit: 
+					</TD>
+					<TD>
+						<input class="lesson_text_db" name="<%=RoleBasedAccessControl.CCN_LIMIT%>" type="text" value="<%=employee.getCcnLimit()%>"/>
+					</TD>
+				</TR>
+				<TR><TD>
+						Comments: 
+					</TD>
+					<TD colspan="3">
+						<input name="<%=RoleBasedAccessControl.DESCRIPTION%>" type="text" class="lesson_text_db" value="<%=employee.getPersonalDescription()%>" size="58"/>
+					</TD>
+				<TR>
+					<TD colspan="2">				
+						Disciplinary Explanation:  
+					</TD>
+					<TD>			
+						Disc. Date:
+					</TD>
+					<TD>			
+						<input class="lesson_text_db" name="<%=RoleBasedAccessControl.DISCIPLINARY_DATE%>" type="text" value="<%=employee.getDisciplinaryActionDate()%>"/>
+					</TD>
+				</TR>
+				<TR>
+					<TD colspan="4">
+						<textarea name="<%=RoleBasedAccessControl.DISCIPLINARY_NOTES%>" cols="53" rows="2" wrap="off" class="lesson_text_db" ><%=employee.getDisciplinaryActionNotes()%></textarea>
+					</TD>
+				</TR>
+				<TR>	
+				<TD>				
+						Manager: 
+					</TD>
+					<TD>
+						<select class="lesson_text_db" name="<%=RoleBasedAccessControl.MANAGER%>">
+						<%
+				      	List employees = (List) session.getAttribute("RoleBasedAccessControl.Staff");
+				      	Iterator i = employees.iterator();
+						while (i.hasNext())
+						{
+							EmployeeStub stub = (EmployeeStub) i.next();
+								%>
+								<option value="<%=Integer.toString(stub.getId())%>"><%=stub.getFirstName() + " " + stub.getLastName()%></option>
+						<%}%>
+						</select>
+					</TD>	
+				</TR>
+				</Table>
+				<BR>
+				<div class="lesson_buttons_bottom">
+				<table width="460" height="20" border="0" cellpadding="0" cellspacing="0">
+               		<tr>
+                     		<td width="57">
+							<input type="submit" name="action" value="<%=RoleBasedAccessControl.VIEWPROFILE_ACTION%>"/>
+				  		</td>
+				  		
+                       	<td width="81">
+ 							<input name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>" type="hidden" value="<%=employee.getId()%>">
+							<input name="<%=RoleBasedAccessControl.TITLE%>" type="hidden" value="<%=employee.getTitle()%>">
+							<input type="submit" name="action" value="<%=RoleBasedAccessControl.UPDATEPROFILE_ACTION%>"/>
+						</td>
+                        	<td width="211"></td>
+                        	<td width="83">
+	 						<input type="submit" name="action" value="<%=RoleBasedAccessControl.LOGOUT_ACTION%>"/>
+						</td>
+                 	</tr>
+              	</table>			
+			</div></form>
+		</div>
+		

main/project/WebContent/lessons/RoleBasedAccessControl/ListStaff.jsp

@@ -0,0 +1,55 @@
+<%@ page contentType="text/html; charset=ISO-8859-1" language="java" 
+	import="java.util.*, org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl" 
+	errorPage="" %>
+<%
+	WebSession webSession = ((WebSession)session.getAttribute("websession"));
+	int myUserId = webSession.getUserIdInLesson();
+%>
+	<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span> - Staff Listing Page</div>
+		<br>
+		<br>
+		<br>
+		<p>Select from the list below	</p>
+
+		<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
+  <table width="60%" border="0" cellpadding="3">
+    <tr>
+      <td>  <label>
+  <select name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>" size="11">
+			      	<%
+			      	List employees = (List) session.getAttribute("RoleBasedAccessControl." + RoleBasedAccessControl.STAFF_ATTRIBUTE_KEY);
+			      	Iterator i = employees.iterator();
+					while (i.hasNext())
+					{
+						EmployeeStub stub = (EmployeeStub) i.next();%>
+						<option value="<%=Integer.toString(stub.getId())%>"><%=stub.getFirstName() + " " + stub.getLastName()+ " (" + stub.getRole() + ")"%></option><%
+					}%>
+  </select>
+  </label></td>
+      <td>
+	        	<input type="submit" name="action" value="<%=RoleBasedAccessControl.SEARCHSTAFF_ACTION%>"/><br>
+	        	<input type="submit" name="action" value="<%=RoleBasedAccessControl.VIEWPROFILE_ACTION%>"/><br>
+            		<% 
+				if (webSession.isAuthorizedInLesson(myUserId, RoleBasedAccessControl.CREATEPROFILE_ACTION))
+				{
+				%>
+					<input type="submit" name="action" value="<%=RoleBasedAccessControl.CREATEPROFILE_ACTION%>"/><br>
+				<% 
+				}
+				%>
+            		<% 
+				if (webSession.isAuthorizedInLesson(myUserId, RoleBasedAccessControl.DELETEPROFILE_ACTION))
+				{
+				%>
+					<input type="submit" name="action" value="<%=RoleBasedAccessControl.DELETEPROFILE_ACTION%>"/><br>
+				<% 
+				}
+				%>
+			<br>
+					<input type="submit" name="action" value="<%=RoleBasedAccessControl.LOGOUT_ACTION%>"/>
+	  </td>
+    </tr>
+  </table>
+
+		</form>
+		

main/project/WebContent/lessons/RoleBasedAccessControl/Login.jsp

@@ -0,0 +1,32 @@
+<%@ page contentType="text/html; charset=ISO-8859-1" language="java" 
+	import="java.util.*, org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl" 
+	errorPage="" %>
+	<div id="lesson_login">
+		<div id="lesson_login_txt">
+			<% 
+			WebSession webSession = ((WebSession)session.getAttribute("websession"));
+			%>
+			<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
+			    	<label>
+			      	<select name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>">
+			      	<%
+			      	//System.out.println("Retrieving employees list");
+			      	List employees = (List) session.getAttribute("RoleBasedAccessControl." + RoleBasedAccessControl.STAFF_ATTRIBUTE_KEY);
+			      	Iterator i = employees.iterator();
+					while (i.hasNext())
+					{
+						EmployeeStub stub = (EmployeeStub) i.next();
+					%>
+			      	<option value="<%=Integer.toString(stub.getId())%>"><%=stub.getFirstName() + " " + stub.getLastName() + " (" + stub.getRole() + ")"%></option>
+					<%}%>
+	                </select>
+		        </label>
+				<br>
+			    	<label>Password
+			    		<input name="password" type="password" size="10" maxlength="8" />
+			    </label>
+				<br>
+				<input type="submit" name="action" value="<%=RoleBasedAccessControl.LOGIN_ACTION%>"/>
+			</form>
+		</div>
+	</div>

main/project/WebContent/lessons/RoleBasedAccessControl/RoleBasedAccessControl.css

@@ -0,0 +1,14 @@
+#lesson_wrapper {height: 435px;width: 500px;}
+#lesson_header {background-image: url(lessons/RoleBasedAccessControl/images/lesson1_header.jpg);width: 490px;padding-right: 10px;padding-top: 60px;background-repeat: no-repeat;}
+.lesson_workspace {background-image: url(lessons/RoleBasedAccessControl/images/lesson1_workspace.jpg);width: 489px;height: 325px;padding-left: 10px;padding-top: 10px;background-repeat: no-repeat;}
+.lesson_text {height: 240px;width: 460px;padding-top: 5px;}
+#lesson_buttons_bottom {height: 20px;width: 460px;}
+#lesson_b_b_left {width: 300px;float: left;}
+#lesson_b_b_right input {width: 100px;float: right;}
+.lesson_title_box {height: 20px;width: 420px;padding-left: 30px;}
+.lesson_workspace { }
+.lesson_txt_10 {font-family: Arial, Helvetica, sans-serif;font-size: 10px;}
+.lesson_text_db {color: #0066FF}
+#lesson_login {background-image: url(lessons/RoleBasedAccessControl/images/lesson1_loginWindow.jpg);height: 124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left: 80px;margin-top: 50px;text-align: center;}
+#lesson_login_txt {font-family: Arial, Helvetica, sans-serif;font-size: 12px;text-align: center;}
+#lesson_search {background-image: url(lessons/RoleBasedAccessControl/images/lesson1_SearchWindow.jpg);height: 124px;width: 311px;background-repeat: no-repeat;padding-top: 30px;margin-left: 80px;margin-top: 50px;text-align: center;}

main/project/WebContent/lessons/RoleBasedAccessControl/RoleBasedAccessControl.jsp

@@ -0,0 +1,26 @@
+<%@ page contentType="text/html; charset=ISO-8859-1" language="java" 
+	import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl" 
+	errorPage="" %>
+<style>
+<jsp:include page="RoleBasedAccessControl.css" />
+</style>
+<%
+WebSession webSession = ((WebSession)session.getAttribute("websession"));
+RoleBasedAccessControl currentLesson = (RoleBasedAccessControl) webSession.getCurrentLesson();
+%>
+<div id="lesson_wrapper">
+	<div id="lesson_header"></div>
+	<div class="lesson_workspace">
+	<%
+	String subViewPage = currentLesson.getPage(webSession);
+	if (subViewPage != null)
+	{
+		//System.out.println("Including sub view page: " + subViewPage);
+	%>
+	<jsp:include page="<%=subViewPage%>" />
+	<%
+	}
+	%>
+
+	</div>
+</div>

main/project/WebContent/lessons/RoleBasedAccessControl/SearchStaff.jsp

@@ -0,0 +1,22 @@
+<%@ page contentType="text/html; charset=ISO-8859-1" language="java" 
+	import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl" 
+	errorPage="" %>
+	<div id="lesson_search">
+			<% 
+			WebSession webSession = ((WebSession)session.getAttribute("websession"));
+			String searchedName = request.getParameter(RoleBasedAccessControl.SEARCHNAME);
+			if (searchedName != null)
+			{
+			%>
+				Employee <%=searchedName%> not found.
+			<%
+			}
+			%>
+				<form id="form1" name="form1" method="post" action="<%=webSession.getCurrentLesson().getFormAction()%>">
+			    	<label>Name
+					<input class="lesson_text_db" type="text" name="<%=RoleBasedAccessControl.SEARCHNAME%>"/>
+		        </label>
+				<br>
+				<input type="submit" name="action" value="<%=RoleBasedAccessControl.FINDPROFILE_ACTION%>"/>
+			</form>
+	</div>

main/project/WebContent/lessons/RoleBasedAccessControl/ViewProfile.jsp

@@ -0,0 +1,157 @@
+<%@ page contentType="text/html; charset=ISO-8859-1" language="java" 
+	import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl" 
+	errorPage="" %>
+<%
+	Employee employee = (Employee) session.getAttribute("RoleBasedAccessControl." + RoleBasedAccessControl.EMPLOYEE_ATTRIBUTE_KEY);
+	WebSession webSession = ((WebSession)session.getAttribute("websession"));
+//	int myUserId = getIntSessionAttribute(webSession, "RoleBasedAccessControl." + RoleBasedAccessControl.USER_ID);
+%>
+		<div class="lesson_title_box"><strong>Welcome Back </strong><span class="lesson_text_db"><%=webSession.getUserNameInLesson()%></span> - View Profile Page</div>
+		<div class="lesson_text">
+				<Table>
+				<TR><TD>
+						First Name:
+					</TD>
+					<TD>
+						<span class="lesson_text_db"><%=employee.getFirstName()%></span>
+					</TD>
+					<TD>				
+						Last Name:
+					</TD>
+					<TD>
+					 	<span class="lesson_text_db"><%=employee.getLastName()%></span>
+					</TD>
+				</TR>
+				<TR><TD>				
+						Street: 
+					</TD>
+					<TD>
+						<span class="lesson_text_db"><%=employee.getAddress1()%></span>
+					</TD>
+					<TD>				
+						City/State: 
+					<TD>
+						<span class="lesson_text_db"><%=employee.getAddress2()%></span>
+					</TD>
+				</TR>
+				<TR><TD>
+						Phone: 
+					</TD>
+					<TD>
+						<span class="lesson_text_db"><%=employee.getPhoneNumber()%></span>
+					</TD>
+					<TD>				
+						Start Date: 
+					</TD>
+					<TD>
+						<span class="lesson_text_db"><%=employee.getStartDate()%></span>
+					</TD>
+				</TR>
+				<TR><TD>
+			    		SSN: 
+			    	</TD>
+			    	<TD>
+			    		<span class="lesson_text_db"><%=employee.getSsn()%></span>
+					</TD>
+					<TD>				
+						Salary: 
+					</TD>
+					<TD>
+						<span class="lesson_text_db"><%=employee.getSalary()%></span>
+					</TD>
+				</TR>
+				<TR><TD>
+						Credit Card: 
+					</TD>
+					<TD>
+						<span class="lesson_text_db"><%=employee.getCcn()%></span>
+					</TD>
+					<TD>				
+						Credit Card Limit: 
+					</TD>
+					<TD>
+						<span class="lesson_text_db"><%=employee.getCcnLimit()%></span>
+					</TD>
+				</TR>
+				<TR><TD>
+						Comments: 
+					</TD>
+					<TD colspan="3">
+						<span class="lesson_text_db"><%=employee.getPersonalDescription()%></span>
+					</TD>
+				</TR>				
+				<TR>
+					<TD colspan="2">	
+						Disciplinary Explanation: 
+					</TD>
+					<TD>				
+						Disc. Dates: 
+					</TD>
+					<TD>
+						<span class="lesson_text_db"><%=employee.getDisciplinaryActionDate()%></span>
+					</TD>
+				<TR>
+					<TD colspan="4">
+						<span class="lesson_text_db"><%=employee.getDisciplinaryActionNotes()%></span>
+					</TD>
+				</TR>
+				<TR>
+				<TD>				
+						Manager: 
+					</TD>
+					<TD>
+						<span class="lesson_text_db"><%=employee.getManager()%></span>
+					</TD>	
+				</TR>
+				</Table>
+		</div>
+		<div class="lesson_buttons_bottom">
+		    <table width="460" height="20" border="0" cellpadding="0" cellspacing="0">
+                 <tr>
+                 	<td width="50">
+					 <%					
+					 if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), RoleBasedAccessControl.LISTSTAFF_ACTION))
+					 {
+					 %>
+						<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
+							<input type="hidden" name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
+							<input type="submit" name="action" value="<%=RoleBasedAccessControl.LISTSTAFF_ACTION%>"/>
+						</form>
+					 <%
+					 }%>
+					 </td>
+		             <td width="50">
+					 <%					
+					 if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), RoleBasedAccessControl.EDITPROFILE_ACTION))
+					 {
+					 %>
+						<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
+							<input type="hidden" name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
+							<input type="submit" name="action" value="<%=RoleBasedAccessControl.EDITPROFILE_ACTION%>"/>
+						</form>
+					<%
+					}
+					%>
+					</td>					
+                    <td width="60">
+					<%					
+					if (webSession.isAuthorizedInLesson(webSession.getUserIdInLesson(), RoleBasedAccessControl.DELETEPROFILE_ACTION))
+					{
+					%>
+						<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
+							<input type="hidden" name="<%=RoleBasedAccessControl.EMPLOYEE_ID%>" value="<%=employee.getId()%>">
+							<input type="submit" name="action" value="<%=RoleBasedAccessControl.DELETEPROFILE_ACTION%>"/>
+						</form>
+					<%
+					}
+					%>
+					</td>
+                      <td width="190">&nbsp;</td>
+                      <td width="76">
+						<form method="POST">
+							<input type="submit" name="action" value="<%=RoleBasedAccessControl.LOGOUT_ACTION%>"/>
+						</form>
+					</td>
+				</tr>
+         	</table>
+		</div>

main/project/WebContent/lessons/RoleBasedAccessControl/error.jsp

@@ -0,0 +1,13 @@
+<%@ page contentType="text/html; charset=ISO-8859-1" language="java" 
+	import="org.owasp.webgoat.session.*, org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl"
+	errorPage="" %>
+<%
+	WebSession webSession = ((WebSession)session.getAttribute("websession"));
+//	int myUserId = getIntSessionAttribute(webSession, "RoleBasedAccessControl." + RoleBasedAccessControl.USER_ID);
+%>
+<br><br><br>An error has occurred.
+<br><br><br>
+<form method="POST" action="<%=webSession.getCurrentLesson().getFormAction()%>">
+
+ <input type="submit" name="action" value="<%=RoleBasedAccessControl.LOGIN_ACTION%>"/>
+</form>