Simplify regex (#927)
		| @ -30,11 +30,17 @@ import org.owasp.webgoat.session.UserSessionData; | |||||||
| import org.springframework.beans.factory.annotation.Autowired; | import org.springframework.beans.factory.annotation.Autowired; | ||||||
| import org.springframework.web.bind.annotation.*; | import org.springframework.web.bind.annotation.*; | ||||||
|  |  | ||||||
|  | import java.util.function.Predicate; | ||||||
|  | import java.util.regex.Pattern; | ||||||
|  |  | ||||||
|  |  | ||||||
| @RestController | @RestController | ||||||
| @AssignmentHints(value = {"xss-reflected-5a-hint-1", "xss-reflected-5a-hint-2", "xss-reflected-5a-hint-3", "xss-reflected-5a-hint-4"}) | @AssignmentHints(value = {"xss-reflected-5a-hint-1", "xss-reflected-5a-hint-2", "xss-reflected-5a-hint-3", "xss-reflected-5a-hint-4"}) | ||||||
| public class CrossSiteScriptingLesson5a extends AssignmentEndpoint { | public class CrossSiteScriptingLesson5a extends AssignmentEndpoint { | ||||||
|  |  | ||||||
|  |     public static final Predicate<String> XSS_PATTERN = Pattern.compile( | ||||||
|  |             ".*<script>(console\\.log|alert)\\(.*\\);?<\\/script>.*" | ||||||
|  |             , Pattern.CASE_INSENSITIVE).asMatchPredicate(); | ||||||
|     @Autowired |     @Autowired | ||||||
|     UserSessionData userSessionData; |     UserSessionData userSessionData; | ||||||
|  |  | ||||||
| @ -45,13 +51,13 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint { | |||||||
|                                   @RequestParam Integer QTY4, @RequestParam String field1, |                                   @RequestParam Integer QTY4, @RequestParam String field1, | ||||||
|                                   @RequestParam String field2) { |                                   @RequestParam String field2) { | ||||||
|  |  | ||||||
|         if (field2.toLowerCase().matches(".*<script>.*(console\\.log\\(.*\\)|alert\\(.*\\));?<\\/script>.*")) { |         if (XSS_PATTERN.test(field2)) { | ||||||
|             return failed(this).feedback("xss-reflected-5a-failed-wrong-field").build(); |             return failed(this).feedback("xss-reflected-5a-failed-wrong-field").build(); | ||||||
|         } |         } | ||||||
|  |  | ||||||
|         double totalSale = QTY1.intValue() * 69.99 + QTY2.intValue() * 27.99 + QTY3.intValue() * 1599.99 + QTY4.intValue() * 299.99; |         double totalSale = QTY1.intValue() * 69.99 + QTY2.intValue() * 27.99 + QTY3.intValue() * 1599.99 + QTY4.intValue() * 299.99; | ||||||
|  |  | ||||||
|         userSessionData.setValue("xss-reflected1-complete", (Object) "false"); |         userSessionData.setValue("xss-reflected1-complete", "false"); | ||||||
|         StringBuffer cart = new StringBuffer(); |         StringBuffer cart = new StringBuffer(); | ||||||
|         cart.append("Thank you for shopping at WebGoat. <br />You're support is appreciated<hr />"); |         cart.append("Thank you for shopping at WebGoat. <br />You're support is appreciated<hr />"); | ||||||
|         cart.append("<p>We have charged credit card:" + field1 + "<br />"); |         cart.append("<p>We have charged credit card:" + field1 + "<br />"); | ||||||
| @ -60,11 +66,10 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint { | |||||||
|  |  | ||||||
|         //init state |         //init state | ||||||
|         if (userSessionData.getValue("xss-reflected1-complete") == null) { |         if (userSessionData.getValue("xss-reflected1-complete") == null) { | ||||||
|             userSessionData.setValue("xss-reflected1-complete", (Object) "false"); |             userSessionData.setValue("xss-reflected1-complete", "false"); | ||||||
|         } |         } | ||||||
|  |  | ||||||
|         if (field1.toLowerCase().matches("<script>.*(console\\.log\\(.*\\);?|alert\\(.*\\));?<\\/script>")) { |         if (XSS_PATTERN.test(field1)) { | ||||||
|             //return ) |  | ||||||
|             userSessionData.setValue("xss-reflected-5a-complete", "true"); |             userSessionData.setValue("xss-reflected-5a-complete", "true"); | ||||||
|             if (field1.toLowerCase().contains("console.log")) { |             if (field1.toLowerCase().contains("console.log")) { | ||||||
|                 return success(this).feedback("xss-reflected-5a-success-console").output(cart.toString()).build(); |                 return success(this).feedback("xss-reflected-5a-success-console").output(cart.toString()).build(); | ||||||
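Review bot: The new `XSS_PATTERN` constant in the first hunk is `public static final` with no Javadoc, and in a lesson whose response deliberately reflects `field1` into the cart HTML a name like that invites reuse as an XSS filter; add a comment such as `/** Recognises the specific payload this lesson grades (a script tag calling alert or console.log); it is a grading check, not an XSS sanitizer or filter. */`. The consolidation also changes what each field accepts: the old `field1` regex in the third hunk had no leading or trailing `.*`, so the whole value had to be the script tag, whereas the shared pattern now accepts surrounding text, and both old regexes allowed arbitrary text between `<script>` and the call, which the shared pattern no longer does. If both shifts are intended, one sentence in that Javadoc or in the commit description would stop the next reader from treating them as regressions. Neither the old `matches` calls nor the new `Pattern.compile` use `Pattern.DOTALL`, so a payload split across lines is not matched by either version; probably acceptable for a graded input, but worth stating next to the constant. The enclosing request-handler method starts before the second hunk and ends after the third.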