Fix database connection handling.

Oracle requires us to close our connections after each
request (or else implement a connection pool), otherwise
we will end up running out of available connections.

While the mechanism for doing this was added in a previous
change, actually using it correctly was omitted somehow.
Fix that now.


git-svn-id: http://webgoat.googlecode.com/svn/trunk@233 4033779f-a91e-0410-96ef-6bf7bf53c507
rogan.dawes 2008-01-10 10:11:12 +00:00
parent aab0125c50
commit c3cee22113
17 changed files with 21 additions and 260 deletions


@ -57,8 +57,6 @@ import org.owasp.webgoat.session.WebSession;
public class BackDoors extends SequentialLessonAdapter
{
private static Connection connection = null;
private final static Integer DEFAULT_RANKING = new Integer(80);
private final static String USERNAME = "username";
@ -96,7 +94,7 @@ public class BackDoors extends SequentialLessonAdapter
{
userInput = SELECT_ST + userInput;
String[] arrSQL = userInput.split(";");
Connection conn = getConnection(s);
Connection conn = DatabaseUtilities.getConnection(s);
Statement statement = conn.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
if (arrSQL.length == 2)
@ -239,17 +237,6 @@ public class BackDoors extends SequentialLessonAdapter
return ec;
}
public static synchronized Connection getConnection(WebSession s) throws SQLException,
ClassNotFoundException
{
if (connection == null)
{
connection = DatabaseUtilities.getConnection(s);
}
return connection;
}
public Element getCredits()
{
return super.getCustomCredits("Created by Sherif Koussa ", MAC_LOGO);
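Review bot: The connection taken at `Connection conn = DatabaseUtilities.getConnection(s);` and the `Statement` created from it two lines later are never visibly closed in this hunk, so the release-after-each-request behaviour the commit message promises rests entirely on `DatabaseUtilities.getConnection(s)` handing out a session-owned connection that something else closes, and nothing on this page shows that contract. If that helper instead opens a fresh connection on every call, the SqlNumericInjection section now asks for one in three separate methods per request (its hunks at -116, -182 and -282) with no close anywhere, which is exactly the exhaustion this change sets out to stop. I would pin the ownership at the call site so a later edit neither re-adds a static cache nor drops in a stray close(): `// connection is per-session and released by DatabaseUtilities at end of request; do not cache or close it here (TODO confirm against DatabaseUtilities)`. The same applies to every `Connection connection = DatabaseUtilities.getConnection(s);` line in the BlindSqlInjection, CSRF, Challenge2Screen, DOS_Login, SqlStringInjection, StoredXss, ThreadSafetyProblem, ProductsAdminScreen, RefreshDBScreen, UserAdminScreen and ViewDatabase sections. The enclosing method begins and ends outside the hunk.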


@ -57,8 +57,6 @@ public class BlindSqlInjection extends LessonAdapter
private final static int TARGET_ACCT_NUM = 15613;
private static Connection connection = null;
/**
* Description of the Method
*
@ -72,10 +70,7 @@ public class BlindSqlInjection extends LessonAdapter
try
{
if (connection == null)
{
connection = DatabaseUtilities.getConnection(s);
}
Connection connection = DatabaseUtilities.getConnection(s);
ec.addElement(new P().addElement("Enter your Account Number: "));
@ -312,11 +307,6 @@ public class BlindSqlInjection extends LessonAdapter
try
{
super.handleRequest(s);
if (connection == null)
{
connection = DatabaseUtilities.getConnection(s);
}
}
catch (Exception e)
{
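Review bot: With the connection pre-fetch gone from handleRequest, the remaining `try { super.handleRequest(s); } catch (Exception e)` wraps a single call whose catch body lies outside the hunk; if that catch existed only to report `getConnection` failures it is now dead weight, and a blanket `catch (Exception e)` around the superclass call will also swallow RuntimeExceptions that the lesson framework may rely on seeing. Consider removing the try/catch, or narrowing it to whatever checked exceptions `super.handleRequest` actually declares (not visible here). The same shape is left behind in the handleRequest hunks of the SqlNumericInjection, SqlStringInjection and ThreadSafetyProblem sections. handleRequest itself starts and ends outside the hunk.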


@ -65,7 +65,6 @@ public class CSRF extends LessonAdapter {
private final static String STANDARD_QUERY = "SELECT * FROM messages";
private final static String TITLE = "title";
private final static int TITLE_COL = 2;
private static Connection connection = null;
private static int count = 1;
private final static int USER_COL = 4; // Added by Chuck Willis - used to show user who posted message
private final static IMG MAC_LOGO = new IMG("images/logos/macadamian.gif").setAlt(
@ -83,10 +82,7 @@ public class CSRF extends LessonAdapter {
String title = HtmlEncoder.encode( s.getParser().getRawParameter( TITLE, "" ) );
String message = s.getParser().getRawParameter( MESSAGE, "" );
if ( connection == null )
{
connection = DatabaseUtilities.getConnection( s );
}
Connection connection = DatabaseUtilities.getConnection( s );
String query = "INSERT INTO messages VALUES (?, ?, ?, ? )";
@ -171,10 +167,7 @@ public class CSRF extends LessonAdapter {
try
{
if ( connection == null )
{
connection = DatabaseUtilities.getConnection( s );
}
Connection connection = DatabaseUtilities.getConnection( s );
Statement statement = connection.createStatement( ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
@ -226,11 +219,7 @@ public class CSRF extends LessonAdapter {
{
int messageNum = s.getParser().getIntParameter( NUMBER, 0 );
if ( connection == null )
{
connection = DatabaseUtilities.getConnection( s );
}
Connection connection = DatabaseUtilities.getConnection( s );
String query = "SELECT * FROM messages WHERE user_name LIKE ? and num = ?";
PreparedStatement statement = connection.prepareStatement( query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );


@ -118,8 +118,6 @@ public class Challenge2Screen extends SequentialLessonAdapter
*/
protected final static String USERNAME = "Username";
private static Connection connection = null;
private String pass = "goodbye";
private String user = "youaretheweakestlink";
@ -207,10 +205,7 @@ public class Challenge2Screen extends SequentialLessonAdapter
return doStage3(s);
}
if (connection == null)
{
connection = DatabaseUtilities.getConnection(s);
}
Connection connection = DatabaseUtilities.getConnection(s);
Statement statement3 = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);


@ -69,9 +69,6 @@ public class DOS_Login extends LessonAdapter
*/
protected final static String USERNAME = "Username";
private static Connection connection = null;
/**
* Description of the Method
*
@ -97,10 +94,7 @@ public class DOS_Login extends LessonAdapter
}
// Check if the login is valid
if (connection == null)
{
connection = DatabaseUtilities.getConnection(s);
}
Connection connection = DatabaseUtilities.getConnection(s);
String query = "SELECT * FROM user_system_data WHERE user_name = '"
+ username + "' and password = '" + password + "'";


@ -65,15 +65,6 @@ import org.owasp.webgoat.session.WebgoatContext;
public class SoapRequest extends SequentialLessonAdapter
{
/* TEST CODE
private final static String ACCT_NUM = "account_number";
private static Connection connection = null;
private String accountNumber;
*/
//static boolean completed;
public static Connection connection = null;
public final static String firstName = "getFirstName";
public final static String lastName = "getLastName";
@ -429,10 +420,6 @@ public class SoapRequest extends SequentialLessonAdapter
try
{
Connection connection = DatabaseUtilities.getConnection("guest", getWebgoatContext());
if (connection == null)
{
return null;
}
PreparedStatement ps = connection
.prepareStatement("SELECT * FROM user_data WHERE userid = ?");
ps.setInt(1, id);
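Review bot: Going by the hunk counts (10 old lines, 6 new, nothing added), the lines dropped here appear to be the `if (connection == null) { return null; }` guard that followed `DatabaseUtilities.getConnection("guest", getWebgoatContext())`, so `connection.prepareStatement(...)` will now raise a NullPointerException if that overload can ever return null instead of throwing SQLException. That is only safe if the helper's contract is "never null", which nothing on this page establishes. I would either keep the guard or record the contract at the call: `// getConnection(String, WebgoatContext) throws SQLException rather than returning null — TODO confirm`. The same guard looks to be removed in the second hunks of the WSDLScanning and WsSqlInjection sections. The enclosing method continues past the hunk.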


@ -59,8 +59,6 @@ public class SqlNumericInjection extends SequentialLessonAdapter
{
private final static String STATION_ID = "station";
private static Connection connection = null;
private String station;
@ -116,10 +114,7 @@ public class SqlNumericInjection extends SequentialLessonAdapter
if (station == null)
return ec;
if (connection == null)
{
connection = DatabaseUtilities.getConnection(s);
}
Connection connection = DatabaseUtilities.getConnection(s);
try
{
@ -182,10 +177,7 @@ public class SqlNumericInjection extends SequentialLessonAdapter
try
{
if (connection == null)
{
connection = DatabaseUtilities.getConnection(s);
}
Connection connection = DatabaseUtilities.getConnection(s);
ec.addElement(makeStationList(s));
@ -282,10 +274,7 @@ public class SqlNumericInjection extends SequentialLessonAdapter
ClassNotFoundException
{
if (connection == null)
{
connection = DatabaseUtilities.getConnection(s);
}
Connection connection = DatabaseUtilities.getConnection(s);
Map<String, String> stations = new TreeMap<String, String>();
String query = "SELECT DISTINCT station, name FROM WEATHER_DATA";
@ -388,11 +377,6 @@ public class SqlNumericInjection extends SequentialLessonAdapter
try
{
super.handleRequest(s);
if (connection == null)
{
connection = DatabaseUtilities.getConnection(s);
}
}
catch (Exception e)
{


@ -55,8 +55,6 @@ public class SqlStringInjection extends SequentialLessonAdapter
{
private final static String ACCT_NAME = "account_name";
private static Connection connection = null;
private static String STAGE = "stage";
private String accountName;
@ -92,10 +90,7 @@ public class SqlStringInjection extends SequentialLessonAdapter
try
{
if (connection == null)
{
connection = DatabaseUtilities.getConnection(s);
}
Connection connection = DatabaseUtilities.getConnection(s);
ec.addElement(makeAccountLine(s));
@ -143,6 +138,7 @@ public class SqlStringInjection extends SequentialLessonAdapter
catch (SQLException sqle)
{
ec.addElement(new P().addElement(sqle.getMessage()));
sqle.printStackTrace();
}
}
catch (Exception e)
@ -174,10 +170,7 @@ public class SqlStringInjection extends SequentialLessonAdapter
try
{
if (connection == null)
{
connection = DatabaseUtilities.getConnection(s);
}
Connection connection = DatabaseUtilities.getConnection(s);
ec.addElement(makeAccountLine(s));
@ -304,11 +297,6 @@ public class SqlStringInjection extends SequentialLessonAdapter
try
{
super.handleRequest(s);
if (connection == null)
{
connection = DatabaseUtilities.getConnection(s);
}
}
catch (Exception e)
{
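Review bot: The added `sqle.printStackTrace();` after `ec.addElement(new P().addElement(sqle.getMessage()));` dumps a full stack trace to stderr with no lesson or session context, and in this lesson a failing query is the expected outcome of a learner probing the input, so the server log will fill with traces that carry no signal and drown real faults. A single contextual line is more useful to whoever reads the log, e.g. `System.err.println("SqlStringInjection: query failed: " + sqle.getMessage());`, or dropping the trace entirely since the message is already rendered into the page. The echo of `getMessage()` into the page is pre-existing and presumably part of the exercise, so I am not raising it here. The enclosing method begins and ends outside the hunk.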


@ -73,8 +73,6 @@ public class StoredXss extends LessonAdapter
private final static int TITLE_COL = 2;
private static Connection connection = null;
private static int count = 1;
private final static int USER_COL = 4; // Added by Chuck Willis - used to show user who posted message
@ -93,10 +91,7 @@ public class StoredXss extends LessonAdapter
TITLE, ""));
String message = s.getParser().getRawParameter(MESSAGE, "");
if (connection == null)
{
connection = DatabaseUtilities.getConnection(s);
}
Connection connection = DatabaseUtilities.getConnection(s);
String query = "INSERT INTO messages VALUES (?, ?, ?, ? )";
@ -208,10 +203,7 @@ public class StoredXss extends LessonAdapter
{
int messageNum = s.getParser().getIntParameter(NUMBER, 0);
if (connection == null)
{
connection = DatabaseUtilities.getConnection(s);
}
Connection connection = DatabaseUtilities.getConnection(s);
// edit by Chuck Willis - Added logic to associate similar usernames
// The idea is that users chuck-1, chuck-2, etc will see each other's messages
@ -330,10 +322,7 @@ public class StoredXss extends LessonAdapter
try
{
if (connection == null)
{
connection = DatabaseUtilities.getConnection(s);
}
Connection connection = DatabaseUtilities.getConnection(s);
Statement statement = connection.createStatement(
ResultSet.TYPE_SCROLL_INSENSITIVE,


@ -54,8 +54,6 @@ public class ThreadSafetyProblem extends LessonAdapter
private final static String USER_NAME = "username";
private Connection connection = null;
private static String currentUser;
private String originalUser;
@ -73,10 +71,7 @@ public class ThreadSafetyProblem extends LessonAdapter
try
{
if (connection == null)
{
connection = DatabaseUtilities.getConnection(s);
}
Connection connection = DatabaseUtilities.getConnection(s);
ec.addElement(new StringElement("Enter user name: "));
ec.addElement(new Input(Input.TEXT, USER_NAME, ""));
@ -205,11 +200,6 @@ public class ThreadSafetyProblem extends LessonAdapter
try
{
super.handleRequest(s);
if (connection == null)
{
connection = DatabaseUtilities.getConnection(s);
}
}
catch (Exception e)
{


@ -80,8 +80,6 @@ public class WSDLScanning extends LessonAdapter
static boolean beenRestartedYet = false;
public static Connection connection = null;
public final static String firstName = "getFirstName";
public final static String lastName = "getLastName";
@ -219,10 +217,6 @@ public class WSDLScanning extends LessonAdapter
{
String[] fields = s.getParser().getParameterValues("field");
int id = s.getParser().getIntParameter("id");
if (connection == null)
{
connection = DatabaseUtilities.getConnection(s);
}
Table t = new Table().setCellSpacing(0).setCellPadding(2)
.setBorder(1);
@ -292,10 +286,6 @@ public class WSDLScanning extends LessonAdapter
try
{
Connection connection = DatabaseUtilities.getConnection("guest", getWebgoatContext());
if (connection == null)
{
return null;
}
PreparedStatement ps = connection
.prepareStatement("SELECT * FROM user_data WHERE userid = ?");
ps.setInt(1, id);


@ -74,8 +74,6 @@ public class WsSqlInjection extends LessonAdapter
final static IMG CREDITS_LOGO = new IMG("images/logos/parasoft.jpg")
.setAlt("Parasoft").setBorder(0).setHspace(0).setVspace(0);
private static Connection connection = null;
/* (non-Javadoc)
* @see lessons.AbstractLesson#getMenuItem()
*/
@ -184,10 +182,6 @@ public class WsSqlInjection extends LessonAdapter
ElementContainer ec = new ElementContainer();
try
{
if (connection == null)
{
connection = DatabaseUtilities.getConnection(s);
}
ec.addElement(makeAccountLine(s));
String query = "SELECT * FROM user_data WHERE userid = "
@ -247,10 +241,6 @@ public class WsSqlInjection extends LessonAdapter
try
{
Connection connection = DatabaseUtilities.getConnection("guest", getWebgoatContext());
if (connection == null)
{
return null;
}
String query = "SELECT * FROM user_data WHERE userid = " + id;
try
{


@ -49,9 +49,6 @@ public class ProductsAdminScreen extends LessonAdapter
private final static String QUERY = "SELECT * FROM product_system_data";
private static Connection connection = null;
/**
* Description of the Method
*
@ -64,10 +61,7 @@ public class ProductsAdminScreen extends LessonAdapter
try
{
if (connection == null)
{
connection = DatabaseUtilities.getConnection(s);
}
Connection connection = DatabaseUtilities.getConnection(s);
Statement statement = connection.createStatement(
ResultSet.TYPE_SCROLL_INSENSITIVE,


@ -49,9 +49,6 @@ public class RefreshDBScreen extends LessonAdapter
private final static String REFRESH = "Refresh";
private static Connection connection = null;
/**
* Description of the Method
*
@ -153,10 +150,7 @@ public class RefreshDBScreen extends LessonAdapter
{
try
{
if (connection == null)
{
connection = DatabaseUtilities.getConnection(s);
}
Connection connection = DatabaseUtilities.getConnection(s);
CreateDB db = new CreateDB();
db.makeDB(connection);


@ -49,9 +49,6 @@ public class UserAdminScreen extends LessonAdapter
private final static String QUERY = "SELECT * FROM user_system_data";
private static Connection connection = null;
/**
* Description of the Method
*
@ -64,10 +61,7 @@ public class UserAdminScreen extends LessonAdapter
try
{
if (connection == null)
{
connection = DatabaseUtilities.getConnection(s);
}
Connection connection = DatabaseUtilities.getConnection(s);
Statement statement = connection.createStatement(
ResultSet.TYPE_SCROLL_INSENSITIVE,


@ -50,9 +50,6 @@ public class ViewDatabase extends LessonAdapter
private final static String SQL = "sql";
private static Connection connection = null;
/**
* Description of the Method
*
@ -75,10 +72,7 @@ public class ViewDatabase extends LessonAdapter
Element b = ECSFactory.makeButton("Go!");
ec.addElement(b);
if (connection == null)
{
connection = DatabaseUtilities.getConnection(s);
}
Connection connection = DatabaseUtilities.getConnection(s);
if (sqlStatement.length() > 0)
{


@ -1,8 +1,6 @@
package org.owasp.webgoat.session;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
@ -42,92 +40,6 @@ import org.owasp.webgoat.lessons.AbstractLesson;
public class CreateDB
{
/**
* The main program for the AccessSqlInjection class
*
* @param args The command line arguments
*/
public static void main(String[] args)
{
CreateDB db = new CreateDB();
Connection connection = null;
try
{
Class.forName("sun.jdbc.odbc.JdbcOdbcDriver").newInstance();
}
catch (Exception e)
{
System.out.println("Failed to load DB driver");
e.printStackTrace();
}
try
{
connection = DriverManager
.getConnection(
"jdbc:odbc:;DRIVER=Microsoft Access Driver (*.mdb);DBQ=c:/webgoat.mdb;PWD=webgoat",
"webgoat", "webgoat");
db.makeDB(connection);
}
catch (Exception e)
{
System.out.println("Driver Manager failed!");
e.printStackTrace();
}
/**
* getAllEmployees
*/
String query = "SELECT userid,first_name,last_name FROM employee WHERE userid in (SELECT employee_id FROM ownership WHERE employer_id = 101)";
try
{
Statement answer_statement = connection.createStatement(
ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
ResultSet answer_results = answer_statement.executeQuery(query);
answer_results.first();
int employeeId = answer_results.getInt("userid");
String firstName = answer_results.getString("first_name");
String lastName = answer_results.getString("last_name");
System.out.println("Query 1 Results: " + firstName + " " + lastName
+ " " + employeeId);
}
catch (SQLException sqle)
{
sqle.printStackTrace();
}
/**
* isAllowed
*/
query = "SELECT * FROM auth WHERE role in (SELECT role FROM roles WHERE userid = 101) and functionid = 113";
try
{
Statement answer_statement = connection.createStatement(
ResultSet.TYPE_SCROLL_INSENSITIVE,
ResultSet.CONCUR_READ_ONLY);
ResultSet answer_results = answer_statement.executeQuery(query);
boolean allowed = answer_results.first();
//boolean allowed = answer_results.next();
if (allowed)
System.out.println("User is allowed");
else
System.out.println("User is NOT allowed");
}
catch (SQLException sqle)
{
sqle.printStackTrace();
}
}
/**
* Description of the Method
*