Fix mistake the SQL exception should be throws otherwise users cannot see the table name (servers) makes it impossible to

solve the assignment. Add explicit test for this to guard against future mistakes
2019-11-11 17:24:46 +01:00 · 2019-11-11 17:24:46 +01:00 · e07a2aff48
commit e07a2aff48
parent 7d48427d4f
3 changed files with 51 additions and 42 deletions
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/ProgressRaceConditionTest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/ProgressRaceConditionTest.java
@ -38,6 +38,6 @@ public class ProgressRaceConditionTest extends IntegrationTest {
            } catch (InterruptedException | ExecutionException e) {
                throw new IllegalStateException(e);
            }
-        }).count()).isGreaterThan(10);
+        }).count()).isGreaterThan(8);
    }
 }
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionMitigationTest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/SqlInjectionMitigationTest.java
@ -1,5 +1,6 @@
 package org.owasp.webgoat;

+import org.hamcrest.CoreMatchers;
 import org.junit.Test;

 import io.restassured.RestAssured;
@ -8,6 +9,8 @@ import io.restassured.http.ContentType;
 import java.util.HashMap;
 import java.util.Map;

+import static org.hamcrest.CoreMatchers.containsString;
+
 public class SqlInjectionMitigationTest extends IntegrationTest {

    @Test
@ -43,6 +46,14 @@ public class SqlInjectionMitigationTest extends IntegrationTest {
                .then()
                .statusCode(200);

+        RestAssured.given()
+                .when().relaxedHTTPSValidation().cookie("JSESSIONID", getWebGoatCookie())
+                .contentType(ContentType.JSON)
+                .get(url("/WebGoat/SqlInjectionMitigations/servers?column=unknown"))
+                .then()
+                .statusCode(500)
+                .body("message", containsString("select id, hostname, ip, mac, status, description from servers  where status <> 'out of order' order by"));
+
        params.clear();
        params.put("ip", "104.130.219.202");
        checkAssignment(url("/WebGoat/SqlInjectionMitigations/attack12a"), params, true);
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java
@ -66,7 +66,7 @@ public class Servers {

    @GetMapping(produces = MediaType.APPLICATION_JSON_VALUE)
    @ResponseBody
-    public List<Server> sort(@RequestParam String column) {
+    public List<Server> sort(@RequestParam String column) throws Exception {
        List<Server> servers = new ArrayList<>();

        try (Connection connection = dataSource.getConnection();
@ -76,8 +76,6 @@ public class Servers {
                Server server = new Server(rs.getString(1), rs.getString(2), rs.getString(3), rs.getString(4), rs.getString(5), rs.getString(6));
                servers.add(server);
            }
-        } catch (SQLException e) {
-            log.error("Unable to get servers", e);
        }
        return servers;
    }