merge of upstream, conflict resolution

This commit is contained in:
Jason White
2017-06-27 08:30:58 -04:00
123 changed files with 5035 additions and 2080 deletions


@ -4,6 +4,7 @@ import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
import org.springframework.context.annotation.Configuration;
import org.springframework.util.FileSystemUtils;
import javax.annotation.PostConstruct;
import java.io.File;
@ -23,14 +24,10 @@ public class CleanupLocalProgressFiles {
@PostConstruct
public void clean() {
File dir = new File(webgoatHome);
if (dir.exists()) {
File[] progressFiles = dir.listFiles(f -> f.getName().endsWith(".progress"));
if (progressFiles != null) {
log.info("Removing stored user preferences...");
for (File f : progressFiles) {
f.delete();
}
}
//do it safe, check whether the subdir mongodb is available as subdirectory
File[] mongoDir = dir.listFiles(f -> f.isDirectory() && f.getName().contains("mongodb"));
if (mongoDir != null && mongoDir.length == 1) {
FileSystemUtils.deleteRecursively(dir);
}
}
}
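Review bot: The new `FileSystemUtils.deleteRecursively(dir)` call deletes the whole `webgoatHome` directory, not the `mongodb` subdirectory that the comment two lines above says it is checking for, so everything else a user keeps under that directory goes with it, and a misconfigured `webgoatHome` would wipe an arbitrary tree. The guard only establishes that some directory whose name contains `mongodb` exists; it does not narrow what is deleted. Change the target to `FileSystemUtils.deleteRecursively(mongoDir[0]);` and match the name exactly with `"mongodb".equals(f.getName())` rather than `contains`. If removing the entire home directory is the intent, say so in the comment, because as written the `mongodb` check reads as an accidental gate on a much larger deletion. The enclosing class header lies outside the hunk.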


@ -124,6 +124,7 @@ public class MvcConfiguration extends WebMvcConfigurerAdapter {
registry.addResourceHandler("/images/**").addResourceLocations("classpath:/images/");
registry.addResourceHandler("/lesson_js/**").addResourceLocations("classpath:/js/");
registry.addResourceHandler("/lesson_css/**").addResourceLocations("classpath:/css/");
registry.addResourceHandler("/video/**").addResourceLocations("classpath:/video/");
super.addResourceHandlers(registry);
}


@ -25,11 +25,10 @@
package org.owasp.webgoat.assignments;
import lombok.AllArgsConstructor;
import lombok.Getter;
import org.apache.commons.lang3.StringEscapeUtils;
import org.owasp.webgoat.i18n.PluginMessages;
@AllArgsConstructor
public class AttackResult {
public static class AttackResultBuilder {
@ -89,6 +88,11 @@ public class AttackResult {
@Getter
private String output;
public AttackResult(boolean lessonCompleted, String feedback, String output) {
this.lessonCompleted = lessonCompleted;
this.feedback = StringEscapeUtils.escapeJson(feedback);
this.output = StringEscapeUtils.escapeJson(output);
}
public static AttackResultBuilder builder(PluginMessages messages) {
return new AttackResultBuilder(messages);
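Review bot: Applying `StringEscapeUtils.escapeJson` to `feedback` and `output` in the constructor escapes at the wrong layer: if this object is serialized to JSON by the framework, quotes and backslashes are escaped a second time and the client receives literal `\"` sequences, and if the goal is to stop script injection in lesson feedback, `escapeJson` leaves `<`, `>` and `&` untouched, so it does not neutralize HTML at all. The class also carries `@AllArgsConstructor`, so another constructor over the same fields may exist and the builder may go through it, in which case instances built that way skip this escaping entirely; the builder body is not visible here, so please confirm. Pick one escaping point matched to the sink — let the JSON serializer handle JSON and HTML-escape where the feedback is rendered (or use `escapeHtml4` here if the client injects it as HTML) — and drop the `escapeJson` calls from this constructor. The builder and the rest of the class continue outside the hunk.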


@ -33,7 +33,6 @@ package org.owasp.webgoat.controller;
import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.session.Course;
import org.owasp.webgoat.session.WebSession;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
@ -77,8 +76,8 @@ public class StartLesson {
// I will set here the thymeleaf fragment location based on the resource requested.
ModelAndView model = new ModelAndView();
SecurityContext context = SecurityContextHolder.getContext(); //TODO this should work with the security roles of Spring
GrantedAuthority authority = context.getAuthentication().getAuthorities().iterator().next();
String path = request.getServletPath(); // we now got /a/b/c/AccessControlMatrix.lesson
//GrantedAuthority authority = context.getAuthentication().getAuthorities().iterator().next();
String path = request.getRequestURL().toString(); // we now got /a/b/c/AccessControlMatrix.lesson
String lessonName = path.substring(path.lastIndexOf('/') + 1, path.indexOf(".lesson"));
List<AbstractLesson> lessons = course.getLessons();
Optional<AbstractLesson> lesson = lessons.stream()
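Review bot: The new `request.getRequestURL()` includes scheme and host, and the host is taken from the client's `Host` header, so on the next line `path.indexOf(".lesson")` can match inside the host (a `Host: x.lesson` puts the match before `lastIndexOf('/') + 1`) and returns -1 when no `.lesson` is present; either case makes the `substring` throw `StringIndexOutOfBoundsException` instead of producing a not-found response. Use the server-side path instead, `String path = request.getRequestURI();`, and check the `indexOf` result before slicing. The commented-out `GrantedAuthority` line should be deleted rather than kept now that its import is gone, and the `context` variable it used is left unread. The method body starts and ends outside the hunk.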


@ -1,6 +1,6 @@
package org.owasp.webgoat.lessons;
import lombok.Getter;
import com.google.common.collect.Lists;
import lombok.Setter;
import org.owasp.webgoat.session.Screen;
@ -44,10 +44,16 @@ public abstract class AbstractLesson extends Screen implements Comparable<Object
private Integer ranking;
@Getter
@Setter
private List<Assignment> assignments;
public List<Assignment> getAssignments() {
if (assignments == null) {
return Lists.newArrayList();
}
return assignments;
}
/**
* Constructor for the Lesson object
*/
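Review bot: The hand-written `getAssignments()` returns a fresh `Lists.newArrayList()` on every call while the field is null, so a caller doing `lesson.getAssignments().add(a)` has its addition silently discarded; the `@Getter` left on the field is also redundant, since Lombok does not generate a getter when a method of that name already exists. Either make the contract explicit by returning an unmodifiable empty list, `return Collections.emptyList();` with the matching `java.util` import, or initialize the field once with `assignments = Lists.newArrayList();` and return it. Drop the `@Getter` on the field in either case. The class continues past the hunk.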


@ -52,7 +52,7 @@ public enum Category {
INSECURE_CONFIGURATION("Insecure Configuration", new Integer(1400)),
INSECURE_STORAGE("Insecure Storage", new Integer(1500)),
MALICIOUS_EXECUTION("Malicious Execution", new Integer(1600)),
PARAMETER_TAMPERING("Parameter Tampering", new Integer(1700)),
CLIENT_SIDE("Client side", new Integer(1700)),
SESSION_MANAGEMENT("Session Management Flaws", new Integer(1800)),
WEB_SERVICES("Web Services", new Integer(1900)),
VULNERABLE_COMPONENTS("Vulnerable Components - A9", new Integer(1950)),


@ -16,7 +16,7 @@ security.enable-csrf=false
spring.resources.cache-period=0
spring.thymeleaf.cache=false
webgoat.clean=true
webgoat.clean=false
webgoat.server.directory=${user.home}/.webgoat/
webgoat.user.directory=${user.home}/.webgoat/
webgoat.build.version=@project.version@
@ -29,6 +29,7 @@ webgoat.database.driver=org.hsqldb.jdbcDriver
webgoat.database.connection.string=jdbc:hsqldb:mem:{USER}
webgoat.default.language=en
spring.data.mongodb.database=webgoat
spring.mongodb.embedded.storage.databaseDir=${webgoat.user.directory}/mongodb/
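Review bot: The new `spring.mongodb.embedded.storage.databaseDir` value appends `/mongodb/` to `webgoat.user.directory`, which already ends in `/`, so the resolved path is `${user.home}/.webgoat//mongodb/`; write it as `${webgoat.user.directory}mongodb/` to keep the path clean. Flipping `webgoat.clean` to `false` also means stored progress and the embedded database now persist between runs by default, which is worth a one-line comment above the property stating what `clean=true` removes at startup, since whoever runs this on a shared machine needs to know that data is kept.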


@ -80,7 +80,9 @@ define(['jquery',
var self = this;
// TODO custom Data prep for submission
var prepareDataFunctionName = $(curForm).attr('prepareData');
var callbackFunctionName = $(curForm).attr('callback');
var submitData = (typeof webgoat.customjs[prepareDataFunctionName] === 'function') ? webgoat.customjs[prepareDataFunctionName]() : $(curForm).serialize();
var callbackFunction = (typeof webgoat.customjs[callbackFunctionName] === 'function') ? webgoat.customjs[callbackFunctionName] : function() {};
// var submitData = this.$form.serialize();
this.curForm = curForm;
this.$curFeedback = $(curForm).closest('.attack-container').find('.attack-feedback');
@ -93,14 +95,16 @@ define(['jquery',
url:formUrl,
method:formMethod,
contentType:contentType,
data: submitData
data: submitData,
complete: function (data) {
callbackFunction();
}
}).then(self.onSuccessResponse.bind(self), self.onErrorResponse.bind(self));
return false;
},
onSuccessResponse: function(data) {
this.renderFeedback(data.feedback);
this.renderOutput(data.output || "");
//TODO: refactor back assignmentCompleted in Java
if (data.lessonCompleted || data.assignmentCompleted) {