Fixed hard coded rewriting of html files was fixed on SqlStringInjection

Added test cases for this situation
nbaars 2015-02-08 14:12:01 +01:00
parent 861f3e9d37
commit bc21a86b68
6 changed files with 107 additions and 15 deletions


@ -11,11 +11,13 @@ import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import static java.nio.file.StandardOpenOption.APPEND;
import static java.nio.file.StandardOpenOption.CREATE;
import static java.nio.file.StandardOpenOption.TRUNCATE_EXISTING;
import static org.owasp.webgoat.plugins.PluginFileUtils.fileEndsWith;
import static org.owasp.webgoat.plugins.PluginFileUtils.hasParentDirectoryWithName;
@ -96,9 +98,9 @@ public class Plugin {
Path propertiesPath = createPropertiesDirectory();
ResourceBundleClassLoader.setPropertiesPath(propertiesPath);
if ( reload ) {
Files.write(propertiesPath.resolve(file.getFileName()), bos.toByteArray(), StandardOpenOption.CREATE, StandardOpenOption.APPEND);
Files.write(propertiesPath.resolve(file.getFileName()), bos.toByteArray(), CREATE, APPEND);
} else {
Files.write(propertiesPath.resolve(file.getFileName()), bos.toByteArray(), StandardOpenOption.CREATE, StandardOpenOption.TRUNCATE_EXISTING);
Files.write(propertiesPath.resolve(file.getFileName()), bos.toByteArray(), CREATE, TRUNCATE_EXISTING);
}
} catch (IOException io) {
throw new PluginLoadingFailure("Property file detected, but unable to copy the properties", io);
@ -118,9 +120,9 @@ public class Plugin {
for (Map.Entry<String, File> html : solutionLanguageFiles.entrySet()) {
byte[] htmlFileAsBytes = Files.readAllBytes(Paths.get(html.getValue().toURI()));
String htmlFile = new String(htmlFileAsBytes);
htmlFile = htmlFile.replaceAll(this.lesson.getSimpleName() + "_files", pluginTarget.getFileName().toString() + "/lessons/plugin/SqlStringInjection/lessonSolutions/en/" + this.lesson.getSimpleName() + "_files");
Files.write(Paths.get(html.getValue().toURI()), htmlFile.getBytes(), StandardOpenOption.CREATE,
StandardOpenOption.TRUNCATE_EXISTING);
htmlFile = htmlFile.replaceAll("lesson_solutions/" + this.lesson.getSimpleName() + "_files", pluginTarget.getFileName().toString() + "/lessons/plugin/" + this.lesson.getSimpleName() + "/lessonSolutions/en/" + this.lesson.getSimpleName() + "_files");
Files.write(Paths.get(html.getValue().toURI()), htmlFile.getBytes(), CREATE,
TRUNCATE_EXISTING);
}
} catch (IOException e) {
throw new PluginLoadingFailure("Unable to rewrite the paths in the solutions", e);
@ -143,4 +145,5 @@ public class Plugin {
public Map<String, File> getLessonPlans() {
return this.lessonPlansLanguageFiles;
}
}
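Review bot: In the solution-rewriting loop, `replaceAll` compiles its first argument as a regular expression and interprets `$` and `\` in the second, so a lesson class name or a `pluginTarget` directory name containing those characters is either mis-matched or makes the call throw; this is a literal substitution, so `htmlFile = htmlFile.replace("lesson_solutions/" + name + "_files", target)` is the safer call. The same loop decodes with `new String(htmlFileAsBytes)` and encodes with `htmlFile.getBytes()`, both of which use the platform default charset while the added test reads the file back as UTF-8; passing `StandardCharsets.UTF_8` to both keeps non-ASCII solution text intact. The `/lessonSolutions/en/` segment is still hard-coded, which looks like it would break solutions in other languages, given that the map name suggests it is keyed by language. The enclosing method starts and ends outside the hunk.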


@ -1,6 +1,5 @@
package org.owasp.webgoat.plugins;
import org.junit.Before;
import org.junit.Test;
import java.io.IOException;
@ -14,16 +13,9 @@ import static org.junit.Assert.assertNotNull;
public class GlobalPropertiesTest {
private Path tempDirectory;
@Before
public void createTmpDir() throws IOException {
tempDirectory = Files.createTempDirectory(GlobalPropertiesTest.class.getSimpleName());
tempDirectory.toFile().deleteOnExit();
}
@Test
public void propertyFilesShouldBeLoaded() throws IOException {
Path tempDirectory = PluginTestHelper.createTmpDir();
Path pluginDirectory = Files.createDirectory(Paths.get(tempDirectory.toString(), "plugins"));
Path directory = Files.createDirectory(Paths.get(tempDirectory.toString(), "i18n"));
Path globalProperties = Files.createFile(Paths.get(directory.toString(), "global.properties"));
@ -37,6 +29,7 @@ public class GlobalPropertiesTest {
@Test(expected = IllegalStateException.class)
public void propertyFilesDirectoryNotFoundShouldRaiseError() throws IOException {
Path tempDirectory = PluginTestHelper.createTmpDir();
Path pluginDirectory = Files.createDirectory(Paths.get(tempDirectory.toString(), "plugins"));
Path directory = Files.createDirectory(Paths.get(tempDirectory.toString(), "i18n"));
Files.delete(directory);


@ -0,0 +1,45 @@
package org.owasp.webgoat.plugins;
import org.junit.Test;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;
import static org.junit.Assert.assertThat;
import static org.junit.matchers.JUnitMatchers.containsString;
import static org.junit.matchers.JUnitMatchers.hasItem;
public class PluginTest {
@Test
public void pathShouldBeRewrittenInHtmlFile() throws Exception {
Path tmpDir = PluginTestHelper.createTmpDir();
Path pluginSourcePath = PluginTestHelper.pathForLoading();
Plugin plugin = PluginTestHelper.createPluginFor(TestPlugin.class);
Path htmlFile = Paths.get(pluginSourcePath.toString(), "lessonSolutions", "rewrite_test.html");
plugin.loadFiles(Arrays.asList(htmlFile), true);
plugin.rewritePaths(tmpDir);
List<String> allLines = Files.readAllLines(htmlFile, StandardCharsets.UTF_8);
assertThat(allLines,
hasItem(containsString("lessons/plugin/TestPlugin/lessonSolutions/en/TestPlugin_files/image001.png")));
}
@Test
public void shouldNotRewriteOtherLinksStartingWithLesson_solutions() throws Exception {
Path tmpDir = PluginTestHelper.createTmpDir();
Path pluginSourcePath = PluginTestHelper.pathForLoading();
Plugin plugin = PluginTestHelper.createPluginFor(TestPlugin.class);
Path htmlFile = Paths.get(pluginSourcePath.toString(), "lessonSolutions", "rewrite_test.html");
plugin.loadFiles(Arrays.asList(htmlFile), true);
plugin.rewritePaths(tmpDir);
List<String> allLines = Files.readAllLines(htmlFile, StandardCharsets.UTF_8);
assertThat(allLines,
hasItem(containsString("lesson_solutions/Unknown_files/image001.png")));
}
}
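Review bot: Both tests point `htmlFile` at the fixture under `pathForLoading()`, which resolves to the compiled test-classes location, and the assertions then read that same path back, so `rewritePaths` appears to modify the fixture in place. Once one run has rewritten it, the `lesson_solutions/TestPlugin_files` text is gone, and unless the build re-copies the resource, `pathShouldBeRewrittenInHtmlFile` keeps passing on the stale content even if the rewrite later regresses. Copying `rewrite_test.html` into a `lessonSolutions` directory under `tmpDir` and loading it from there would make each run start from a pristine file. The identical setup lines in the two tests could also move into a shared `@Before` method.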


@ -0,0 +1,34 @@
package org.owasp.webgoat.plugins;
import java.io.IOException;
import java.net.URISyntaxException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.HashMap;
import java.util.Map;
public class PluginTestHelper {
private static Path tempDirectory;
public static Path createTmpDir() throws IOException {
tempDirectory = Files.createTempDirectory(PluginTestHelper.class.getSimpleName());
tempDirectory.toFile().deleteOnExit();
return tempDirectory;
}
public static Path pathForLoading() throws IOException, URISyntaxException {
Path path = Paths.get(PluginTestHelper.class.getProtectionDomain().getCodeSource().getLocation().toURI());
return Paths.get(path.toString(), "org/owasp/webgoat/plugins");
}
public static Plugin createPluginFor(Class pluginClass) throws Exception {
Path pluginTargetPath = Files.createDirectory(Paths.get(tempDirectory.toString(), "pluginTargetPath"));
Plugin plugin = new Plugin(pluginTargetPath);
Map<String, byte[]> classes = new HashMap<>();
classes.put(pluginClass.getName(), Files.readAllBytes(Paths.get(pathForLoading().toString(), pluginClass.getSimpleName() + ".class")));
plugin.loadClasses(classes);
return plugin;
}
}
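Review bot: `createPluginFor` reads the static `tempDirectory` that only `createTmpDir()` assigns, so calling it first fails with a NullPointerException and calling it twice for one temp directory fails in `Files.createDirectory` because `pluginTargetPath` already exists; neither ordering requirement is documented. Taking the directory as a parameter, `createPluginFor(Path tmpDir, Class<?> pluginClass)`, removes the hidden shared state and the raw `Class` type. `tempDirectory.toFile().deleteOnExit()` only removes an empty directory, so every run that creates `pluginTargetPath`, `plugins` or `i18n` inside it leaves the tree behind in the system temp location. A short Javadoc on each helper stating what it creates and who cleans it up would help.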


@ -0,0 +1,6 @@
package org.owasp.webgoat.plugins;
import org.owasp.webgoat.lessons.SequentialLessonAdapter;
public class TestPlugin extends SequentialLessonAdapter {
}


@ -0,0 +1,11 @@
<!DOCTYPE html>
<html>
<head lang="en">
<meta charset="UTF-8">
<title></title>
</head>
<body>
<v:imagedata src="lesson_solutions/TestPlugin_files/image001.png" o:title=""/>
<v:imagedata src="lesson_solutions/Unknown_files/image001.png" o:title=""/>
</body>
</html>