From dad9c75ee0fca0883d88f30db70e88dde1583ff7 Mon Sep 17 00:00:00 2001
From: Nanne Baars
Date: Mon, 23 Sep 2019 17:35:04 +0200
Subject: [PATCH] Fix tests after updating from develop, changes applied for migrating to Spring Boot 2
---
 .../src/test/java/org/owasp/webgoat/JWTLessonTest.java | 2 +-
 .../src/test/java/org/owasp/webgoat/XXETest.java | 1 +
 .../java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java | 2 +-
 .../main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java | 2 +-
 .../java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java | 6 +++---
 .../sql_injection/mitigation/SqlInjectionLesson10a.java | 2 +-
 .../sql_injection/mitigation/SqlInjectionLesson10b.java | 2 +-
 .../sql_injection/mitigation/SqlInjectionLesson12a.java | 2 +-
 8 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/JWTLessonTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/JWTLessonTest.java
index 07bc5b7b6..dc63bb45a 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/JWTLessonTest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/JWTLessonTest.java
@@ -13,7 +13,7 @@ import org.hamcrest.CoreMatchers;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
-import org.owasp.webgoat.plugin.JWTSecretKeyEndpoint;
+import org.owasp.webgoat.jwt.JWTSecretKeyEndpoint;
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java
index 86f2eb56c..cb2ecb248 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/XXETest.java
@@ -74,6 +74,7 @@ public class XXETest extends IntegrationTest {
 .get(webWolfUrl("/WebWolf/requests"))
 .then()
 .extract().response().getBody().asString();
+ result = result.replace("%20", " ");
 result = result.substring(result.lastIndexOf("WebGoat 8.0 rocks... ("),result.lastIndexOf("WebGoat 8.0 rocks... (")+33);
 return result;
 }
diff --git a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java b/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
index f50fd4a6b..62cd55d77 100644
--- a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
+++ b/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTSecretKeyEndpoint.java
@@ -60,7 +60,7 @@ public class JWTSecretKeyEndpoint extends AssignmentEndpoint {
 private static final String WEBGOAT_USER = "WebGoat";
 private static final List expectedClaims = Lists.newArrayList("iss", "iat", "exp", "aud", "sub", "username", "Email", "Role");
- @RequestMapping(path="/gettoken",produces=MediaType.TEXT_HTML_VALUE)
+ @RequestMapping(path="/JWT/secret/gettoken",produces=MediaType.TEXT_HTML_VALUE)
 @ResponseBody
 public String getSecretToken() {
 return Jwts.builder()
diff --git a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java b/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
index e204debae..656cb492f 100644
--- a/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
+++ b/webgoat-lessons/jwt/src/main/java/org/owasp/webgoat/jwt/JWTVotesEndpoint.java
@@ -153,7 +153,7 @@ public class JWTVotesEndpoint extends AssignmentEndpoint {
 }
 }
- @PostMapping("/JWT/votings/reset")
+ @PostMapping("/JWT/votings")
 @ResponseBody
 public AttackResult resetVotes(@CookieValue(value = "access_token", required = false) String accessToken) {
 if (StringUtils.isEmpty(accessToken)) {
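Review bot: The added `result.replace("%20", " ")` in the XXETest helper undoes percent-encoding for spaces only, so the `lastIndexOf("WebGoat 8.0 rocks... (")` marker on the following line still misses if any other character of the recorded request arrives encoded, and `substring` then fails with a `StringIndexOutOfBoundsException` instead of a readable test failure. Presumably WebWolf began reporting the landing URL encoded after the Spring Boot 2 migration; a comment such as `// WebWolf reports the landing URL percent-encoded; restore spaces so the marker matches` would record why the line is there. It would also help to take `int start = result.lastIndexOf("WebGoat 8.0 rocks... (");` once and assert `start >= 0` before slicing. The helper method begins outside the hunk.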
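Review bot: `@RequestMapping(path="/JWT/secret/gettoken",produces=MediaType.TEXT_HTML_VALUE)` in JWTSecretKeyEndpoint still declares no HTTP method, so `getSecretToken()` answers every verb on the new path, unlike the `@PostMapping` handlers touched elsewhere in this patch. Unless the lesson relies on that, `@GetMapping(path = "/JWT/secret/gettoken", produces = MediaType.TEXT_HTML_VALUE)` states the intent and stops the token being issued on unexpected methods. The method body continues past the hunk, so how the token is built is not covered by this note.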
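Review bot: Moving `resetVotes` in JWTVotesEndpoint from `/JWT/votings/reset` to a bare `@PostMapping("/JWT/votings")` makes a state-clearing action look like a create on the collection. Judging by the updated tests, voting is now `POST /JWT/votings/{title}`, so a stale client that still posts to `/JWT/votings/reset` would probably be routed to the vote handler with the title `reset` rather than receive a 404. A comment above the mapping, e.g. `// POST on the collection resets the votes; voting is POST /JWT/votings/{title}`, would make the split explicit, or `@DeleteMapping("/JWT/votings")` if the lesson front end can send it. Only the empty-token check at the top of `resetVotes` is visible here; the rest of the method lies outside the hunk.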
diff --git a/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java b/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
index deb435413..5b2475473 100644
--- a/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
+++ b/webgoat-lessons/jwt/src/test/java/org/owasp/webgoat/jwt/JWTVotesEndpointTest.java
@@ -153,7 +153,7 @@ public class JWTVotesEndpointTest extends LessonTest {
 Object[] nodes = new ObjectMapper().readValue(result.getResponse().getContentAsString(), Object[].class);
 int currentNumberOfVotes = (int) findNodeByTitle(nodes, "Admin lost password").get("numberOfVotes");
- mockMvc.perform(MockMvcRequestBuilders.post("/JWT/votings/vote/Admin lost password")
+ mockMvc.perform(MockMvcRequestBuilders.post("/JWT/votings/Admin lost password")
 .cookie(cookie))
 .andExpect(status().isAccepted());
 result = mockMvc.perform(MockMvcRequestBuilders.get("/JWT/votings")
@@ -176,7 +176,7 @@ public class JWTVotesEndpointTest extends LessonTest {
 @Test
 public void guestShouldNotBeAbleToVote() throws Exception {
- mockMvc.perform(MockMvcRequestBuilders.post("/JWT/votings/vote/Admin lost password")
+ mockMvc.perform(MockMvcRequestBuilders.post("/JWT/votings/Admin lost password")
 .cookie(new Cookie("access_token", "")))
 .andExpect(status().isUnauthorized());
 }
@@ -188,7 +188,7 @@ public class JWTVotesEndpointTest extends LessonTest {
 claims.put("user", "Intruder");
 String token = Jwts.builder().signWith(io.jsonwebtoken.SignatureAlgorithm.HS512, JWT_PASSWORD).setClaims(claims).compact();
- mockMvc.perform(MockMvcRequestBuilders.post("/JWT/votings/vote/Admin lost password")
+ mockMvc.perform(MockMvcRequestBuilders.post("/JWT/votings/Admin lost password")
 .cookie(new Cookie("access_token", token)))
 .andExpect(status().isUnauthorized());
 }
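Review bot: The literal `"/JWT/votings/Admin lost password"` is repeated in all three hunks of JWTVotesEndpointTest, which is why this route change had to touch three call sites in lockstep; a constant such as `private static final String VOTE_URL = "/JWT/votings/Admin lost password";` would keep the next change to one line. None of the hunks shown exercises the relocated reset route `POST /JWT/votings`, so if the file has no such test elsewhere, one asserting that an empty `access_token` is rejected there would cover the mapping change in `JWTVotesEndpoint`. The three test methods start or end outside their hunks.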
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10a.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10a.java
index 58d3aa3fa..3d885a002 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10a.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10a.java
@@ -41,7 +41,7 @@ public class SqlInjectionLesson10a extends AssignmentEndpoint {
 private WebSession webSession;
 private String[] results = {"getConnection", "PreparedStatement", "prepareStatement", "?", "?", "setString", "setString"};
- @PostMapping("SqlInjectionMitigations/attack10a")
+ @PostMapping("/SqlInjectionMitigations/attack10a")
 @ResponseBody
 public AttackResult completed(@RequestParam String field1, @RequestParam String field2, @RequestParam String field3, @RequestParam String field4, @RequestParam String field5, @RequestParam String field6, @RequestParam String field7) {
 String[] userInput = {field1, field2, field3, field4, field5, field6, field7};
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10b.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10b.java
index cd983c402..7b2e1b496 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10b.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson10b.java
@@ -41,7 +41,7 @@ import java.util.regex.Pattern;
 @AssignmentHints(value = {"SqlStringInjectionHint-mitigation-10b-1", "SqlStringInjectionHint-mitigation-10b-2", "SqlStringInjectionHint-mitigation-10b-3", "SqlStringInjectionHint-mitigation-10b-4", "SqlStringInjectionHint-mitigation-10b-5"})
 public class SqlInjectionLesson10b extends AssignmentEndpoint {
- @PostMapping("SqlInjectionMitigations/attack10b")
+ @PostMapping("/SqlInjectionMitigations/attack10b")
 @ResponseBody
 public AttackResult completed(@RequestParam String editor) {
 try {
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson12a.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson12a.java
index 2c462202f..84d09a919 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson12a.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/SqlInjectionLesson12a.java
@@ -51,7 +51,7 @@ public class SqlInjectionLesson12a extends AssignmentEndpoint {
 @Autowired
 private WebSession webSession;
- @PostMapping("SqlInjectionMitigations/attack12a")
+ @PostMapping("/SqlInjectionMitigations/attack12a")
 @ResponseBody
 @SneakyThrows
 public AttackResult completed(@RequestParam String ip) {