fix: JWT kid/jku lessons (#1949)

* refactor: rewrite hints

Use active voice and fix grammar issues.

* fix: use Thymeleaf `th:action`

* fix: JWT kid/jku lessons

Split the JavaScript into two files, as both pointed to the same URL.

The JWTs are now valid; they parse successfully.

The paths now include `/kid` and `/jku` to make sure the hints match accordingly in the UI. Otherwise `/delete` would pick up both hints from both assignments as the paths overlap.

Closes: #1715

* fix: update to latest pre-commit version

* fix: increase timeouts for server to start during integration tests
Nanne Baars
2024-11-07 15:45:33 +01:00
committed by GitHub
parent d59153d6d7
commit e1e00bca73
46 changed files with 133 additions and 122 deletions


@ -19,7 +19,7 @@ import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
@RequestMapping("/JWT/jku")
@RequestMapping("/JWT/")
@RestController
@AssignmentHints({
"jwt-jku-hint1",
@ -30,7 +30,7 @@ import org.springframework.web.bind.annotation.RestController;
})
public class JWTHeaderJKUEndpoint extends AssignmentEndpoint {
@PostMapping("/follow/{user}")
@PostMapping("jku/follow/{user}")
public @ResponseBody String follow(@PathVariable("user") String user) {
if ("Jerry".equals(user)) {
return "Following yourself seems redundant";
@ -39,7 +39,7 @@ public class JWTHeaderJKUEndpoint extends AssignmentEndpoint {
}
}
@PostMapping("/delete")
@PostMapping("jku/delete")
public @ResponseBody AttackResult resetVotes(@RequestParam("token") String token) {
if (StringUtils.isEmpty(token)) {
return failed(this).feedback("jwt-invalid-token").build();
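Review bot: The rewritten mappings resolve to the same routes as before (`/JWT/jku` + `/delete` and `/JWT/` + `jku/delete` both combine to `/JWT/jku/delete`), so the reason for moving the `jku` segment from the class-level `@RequestMapping` onto the `@PostMapping`s is not visible in the code; the commit message says the UI's hint lookup depends on the path, which suggests something reads the class-level mapping value separately from the method mappings. A short comment on the class annotation, such as `// keep the lesson segment on the method mappings so hint matching distinguishes /jku from /kid; see #1715`, would stop a later cleanup from folding it back into the class-level path. The trailing slash in `"/JWT/"` paired with no leading slash on the method paths is unusual Spring style and presumably deliberate for the same reason, so it should be confirmed rather than normalised. JWTHeaderKIDEndpoint in the next file section carries the identical change and needs the same comment. Both `follow` and `resetVotes` continue past the hunks shown here.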


@ -52,7 +52,7 @@ import org.springframework.web.bind.annotation.RestController;
"jwt-kid-hint5",
"jwt-kid-hint6"
})
@RequestMapping("/JWT/kid")
@RequestMapping("/JWT/")
public class JWTHeaderKIDEndpoint extends AssignmentEndpoint {
private final LessonDataSource dataSource;
@ -61,7 +61,7 @@ public class JWTHeaderKIDEndpoint extends AssignmentEndpoint {
this.dataSource = dataSource;
}
@PostMapping("/follow/{user}")
@PostMapping("kid/follow/{user}")
public @ResponseBody String follow(@PathVariable("user") String user) {
if ("Jerry".equals(user)) {
return "Following yourself seems redundant";
@ -70,7 +70,7 @@ public class JWTHeaderKIDEndpoint extends AssignmentEndpoint {
}
}
@PostMapping("/delete")
@PostMapping("kid/delete")
public @ResponseBody AttackResult resetVotes(@RequestParam("token") String token) {
if (StringUtils.isEmpty(token)) {
return failed(this).feedback("jwt-invalid-token").build();


@ -22,6 +22,8 @@
package org.owasp.webgoat.lessons.passwordreset;
import static org.springframework.util.StringUtils.hasText;
import com.google.common.collect.Maps;
import java.util.ArrayList;
import java.util.HashMap;
@ -117,7 +119,7 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
BindingResult bindingResult,
@CurrentUsername String username) {
ModelAndView modelAndView = new ModelAndView();
if (!org.springframework.util.StringUtils.hasText(form.getPassword())) {
if (!hasText(form.getPassword())) {
bindingResult.rejectValue("password", "not.empty");
}
if (bindingResult.hasErrors()) {