From e4eb5d783ac5f3877edb97698b1fda6d7c67f369 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ren=C3=A9=20Zubcevic?= Date: Sun, 10 Jul 2022 17:13:26 +0200 Subject: [PATCH] Some updates and code improvements (#1288) * try with resources * StringBuilder * removed ant and updated spring boot --- pom.xml | 21 +--------------- .../lessons/challenges/challenge7/MD5.java | 16 ++++++------ .../client_side_filtering/Salaries.java | 25 ++++++++++--------- .../SecurePasswordsAssignment.java | 2 +- .../advanced/SqlInjectionLesson6a.java | 2 +- .../introduction/SqlInjectionLesson10.java | 2 +- .../introduction/SqlInjectionLesson2.java | 2 +- .../introduction/SqlInjectionLesson3.java | 2 +- .../introduction/SqlInjectionLesson4.java | 2 +- .../introduction/SqlInjectionLesson5b.java | 2 +- .../introduction/SqlInjectionLesson8.java | 4 +-- .../introduction/SqlInjectionLesson9.java | 4 +-- .../owasp/webgoat/lessons/ssrf/SSRFTask1.java | 2 +- .../xss/CrossSiteScriptingLesson5a.java | 2 +- .../en/ClientSideFiltering.html | 6 ++--- .../webgoat/static/js/libs/mode-java.js | 2 +- .../resources/webgoat/static/js/libs/text.js | 12 ++++----- 17 files changed, 46 insertions(+), 62 deletions(-) diff --git a/pom.xml b/pom.xml index d9554ac96..a56818b80 100644 --- a/pom.xml +++ b/pom.xml @@ -11,7 +11,7 @@ org.springframework.boot spring-boot-starter-parent - 2.6.6 + 2.7.1 WebGoat @@ -119,7 +119,6 @@ 9090 - 1.6.5 2.5.2 3.3.7 2.2 @@ -181,16 +180,6 @@ cglib-nodep ${cglib.version} - - ant - ant-launcher - ${ant.version} - - - ant - ant - ${ant.version} - xml-resolver xml-resolver @@ -452,14 +441,6 @@ cglib cglib-nodep - - ant - ant-launcher - - - ant - ant - xml-resolver xml-resolver diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/MD5.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/MD5.java index 9bc444627..7b502c887 100644 --- a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/MD5.java 
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/MD5.java
@@ -164,9 +164,10 @@ public class MD5 {
 * @since ostermillerutils 1.00.00
 */
 public static byte[] getHash(File f) throws IOException {
- InputStream is = new FileInputStream(f);
- byte[] hash = getHash(is);
- is.close();
+ byte[] hash = null;
+ try (InputStream is = new FileInputStream(f)) {
+ hash = getHash(is);
+ }
 return hash;
 }
@@ -179,9 +180,10 @@ public class MD5 {
 * @since ostermillerutils 1.00.00
 */
 public static String getHashString(File f) throws IOException {
- InputStream is = new FileInputStream(f);
- String hash = getHashString(is);
- is.close();
+ String hash = null;
+ try (InputStream is = new FileInputStream(f)) {
+ hash = getHashString(is);
+ }
 return hash;
 }
@@ -515,7 +517,7 @@ public class MD5 {
 * @since ostermillerutils 1.00.00
 */
 private static String toHex(byte hash[]) {
- StringBuffer buf = new StringBuffer(hash.length * 2);
+ StringBuilder buf = new StringBuilder(hash.length * 2);
 for (byte element : hash) {
 int intVal = element & 0xff;
 if (intVal < 0x10) {
diff --git a/src/main/java/org/owasp/webgoat/lessons/client_side_filtering/Salaries.java b/src/main/java/org/owasp/webgoat/lessons/client_side_filtering/Salaries.java
index 55843baff..8ad86e647 100644
--- a/src/main/java/org/owasp/webgoat/lessons/client_side_filtering/Salaries.java
+++ b/src/main/java/org/owasp/webgoat/lessons/client_side_filtering/Salaries.java
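Review bot: In the new body of getHash(File) the `byte[] hash = null;` declaration exists only to carry the result out of the try-with-resources block; returning from inside the block removes the nullable local and the extra assignment: `try (InputStream is = new FileInputStream(f)) { return getHash(is); }`. The getHashString(File) hunk below has exactly the same shape and the same simplification applies with `return getHashString(is);`. Try-with-resources still closes the stream on the return path, so behaviour is unchanged and the leak-on-exception that the commit fixes stays fixed.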
@@ -76,10 +76,14 @@ public class Salaries {
 File d = new File(webGoatHomeDirectory, "ClientSideFiltering/employees.xml");
 XPathFactory factory = XPathFactory.newInstance();
 XPath path = factory.newXPath();
+ int columns = 5;
+ List> json = new ArrayList<>();
+ java.util.Map employeeJson = new HashMap<>();
+
 try (InputStream is = new FileInputStream(d)) {
 InputSource inputSource = new InputSource(is);
- StringBuffer sb = new StringBuffer();
+ StringBuilder sb = new StringBuilder();
 sb.append("/Employees/Employee/UserID | ");
 sb.append("/Employees/Employee/FirstName | ");
@@ -89,22 +93,19 @@ public class Salaries {
 String expression = sb.toString();
 nodes = (NodeList) path.evaluate(expression, inputSource, XPathConstants.NODESET);
+ for (int i = 0; i < nodes.getLength(); i++) {
+ if (i % columns == 0) {
+ employeeJson = new HashMap<>();
+ json.add(employeeJson);
+ }
+ Node node = nodes.item(i);
+ employeeJson.put(node.getNodeName(), node.getTextContent());
+ }
 } catch (XPathExpressionException e) {
 log.error("Unable to parse xml", e);
 } catch (IOException e) {
 log.error("Unable to read employees.xml at location: '{}'", d);
 }
- int columns = 5;
- List json = new ArrayList();
- java.util.Map employeeJson = new HashMap<>();
- for (int i = 0; i < nodes.getLength(); i++) {
- if (i % columns == 0) {
- employeeJson = new HashMap<>();
- json.add(employeeJson);
- }
- Node node = nodes.item(i);
- employeeJson.put(node.getNodeName(), node.getTextContent());
- }
 return json;
 }
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/secure_passwords/SecurePasswordsAssignment.java b/src/main/java/org/owasp/webgoat/lessons/secure_passwords/SecurePasswordsAssignment.java
index ac8ba7f1f..c8108237f 100644
--- a/src/main/java/org/owasp/webgoat/lessons/secure_passwords/SecurePasswordsAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/secure_passwords/SecurePasswordsAssignment.java
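Review bot: The `java.util.Map employeeJson = new HashMap<>();` added before the try block allocates a map that is never written: the loop's `i % columns == 0` branch replaces it on the first iteration before any `put`, so the initializer only serves definite assignment. Declaring it `Map<String, String> employeeJson = null;` next to the imported `HashMap`/`List` (the generic arguments look stripped in this rendering of `List> json`, presumably present in the file) or moving the declaration into the loop makes that explicit and drops the fully-qualified name. Moving the loop inside the try also changes the failure path: when evaluate() or the file read fails the method now returns an empty list instead of dereferencing `nodes`, which is the better outcome but deserves a comment at `return json;` such as `// empty when employees.xml could not be read or parsed; the cause is logged above`. The enclosing method begins outside the hunk.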
@@ -42,7 +42,7 @@ public class SecurePasswordsAssignment extends AssignmentEndpoint {
 @ResponseBody
 public AttackResult completed(@RequestParam String password) {
 Zxcvbn zxcvbn = new Zxcvbn();
- StringBuffer output = new StringBuffer();
+ StringBuilder output = new StringBuilder();
 DecimalFormat df = new DecimalFormat("0", DecimalFormatSymbols.getInstance(Locale.ENGLISH));
 df.setMaximumFractionDigits(340);
 Strength strength = zxcvbn.measure(password);
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionLesson6a.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionLesson6a.java
index 819b460fe..943d44570 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionLesson6a.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionLesson6a.java
@@ -68,7 +68,7 @@ public class SqlInjectionLesson6a extends AssignmentEndpoint {
 if ((results != null) && (results.first())) {
 ResultSetMetaData resultsMetaData = results.getMetaData();
- StringBuffer output = new StringBuffer();
+ StringBuilder output = new StringBuilder();
 output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson10.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson10.java
index a4b5e94ab..bc5141068 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson10.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson10.java
@@ -54,7 +54,7 @@ public class SqlInjectionLesson10 extends AssignmentEndpoint {
 }
 protected AttackResult injectableQueryAvailability(String action) {
- StringBuffer output = new StringBuffer();
+ StringBuilder output = new StringBuilder();
 String query = "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'";
 try (Connection connection = dataSource.getConnection()) {
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson2.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson2.java
index 9bc3a335d..4a8d5f250 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson2.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson2.java
@@ -60,7 +60,7 @@ public class SqlInjectionLesson2 extends AssignmentEndpoint {
 try (var connection = dataSource.getConnection()) {
 Statement statement = connection.createStatement(TYPE_SCROLL_INSENSITIVE, CONCUR_READ_ONLY);
 ResultSet results = statement.executeQuery(query);
- StringBuffer output = new StringBuffer();
+ StringBuilder output = new StringBuilder();
 results.first();
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson3.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson3.java
index eba5c2f98..e67275535 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson3.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson3.java
@@ -64,7 +64,7 @@ public class SqlInjectionLesson3 extends AssignmentEndpoint {
 CONCUR_READ_ONLY);
 statement.executeUpdate(query);
 ResultSet results = checkStatement.executeQuery("SELECT * FROM employees WHERE last_name='Barnett';");
- StringBuffer output = new StringBuffer();
+ StringBuilder output = new StringBuilder();
 // user completes lesson if the department of Tobi Barnett now is 'Sales'
 results.first();
 if (results.getString("department").equals("Sales")) {
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson4.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson4.java
index 42ef23b84..101725c92 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson4.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson4.java
@@ -63,7 +63,7 @@ public class SqlInjectionLesson4 extends AssignmentEndpoint {
 statement.executeUpdate(query);
 connection.commit();
 ResultSet results = statement.executeQuery("SELECT phone from employees;");
- StringBuffer output = new StringBuffer();
+ StringBuilder output = new StringBuilder();
 // user completes lesson if column phone exists
 if (results.first()) {
 output.append("");
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5b.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5b.java
index fc1b37a72..c7514ff10 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5b.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5b.java
@@ -72,7 +72,7 @@ public class SqlInjectionLesson5b extends AssignmentEndpoint {
 if ((results != null) && (results.first() == true)) {
 ResultSetMetaData resultsMetaData = results.getMetaData();
- StringBuffer output = new StringBuffer();
+ StringBuilder output = new StringBuilder();
 output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
 results.last();
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson8.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson8.java
index 949ba155e..90c1c911d 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson8.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson8.java
@@ -56,7 +56,7 @@ public class SqlInjectionLesson8 extends AssignmentEndpoint {
 }
 protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) {
- StringBuffer output = new StringBuffer();
+ StringBuilder output = new StringBuilder();
 String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
 try (Connection connection = dataSource.getConnection()) {
@@ -98,7 +98,7 @@ public class SqlInjectionLesson8 extends AssignmentEndpoint {
 ResultSetMetaData resultsMetaData = results.getMetaData();
 int numColumns = resultsMetaData.getColumnCount();
 results.beforeFirst();
- StringBuffer table = new StringBuffer();
+ StringBuilder table = new StringBuilder();
 table.append("");
 if (results.next()) {
diff --git a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson9.java b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson9.java
index 77dab2cea..16b60b19d 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson9.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson9.java
@@ -57,7 +57,7 @@ public class SqlInjectionLesson9 extends AssignmentEndpoint {
 }
 protected AttackResult injectableQueryIntegrity(String name, String auth_tan) {
- StringBuffer output = new StringBuffer();
+ StringBuilder output = new StringBuilder();
 String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
 try (Connection connection = dataSource.getConnection()) {
 try {
@@ -86,7 +86,7 @@ public class SqlInjectionLesson9 extends AssignmentEndpoint {
 }
 }
- private AttackResult checkSalaryRanking(Connection connection, StringBuffer output) {
+ private AttackResult checkSalaryRanking(Connection connection, StringBuilder output) {
 try {
 String query = "SELECT * FROM employees ORDER BY salary DESC";
 try (Statement statement = connection.createStatement(TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
diff --git a/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask1.java b/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask1.java
index 5b797db24..6f12b3d9d 100644
--- a/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask1.java
+++ b/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask1.java
@@ -43,7 +43,7 @@ public class SSRFTask1 extends AssignmentEndpoint {
 protected AttackResult stealTheCheese(String url) {
 try {
- StringBuffer html = new StringBuffer();
+ StringBuilder html = new StringBuilder();
 if (url.matches("images/tom.png")) {
 html.append("\"Tom\"");
diff --git a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson5a.java b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson5a.java
index 6c679c819..9a7c1135a 100644
--- a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson5a.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson5a.java
@@ -61,7 +61,7 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint { double totalSale = QTY1.intValue() * 69.99 + QTY2.intValue() * 27.99 + QTY3.intValue() * 1599.99 + QTY4.intValue() * 299.99; userSessionData.setValue("xss-reflected1-complete", "false"); - StringBuffer cart = new StringBuffer(); + StringBuilder cart = new StringBuilder(); cart.append("Thank you for shopping at WebGoat.
Your support is appreciated
"); cart.append("

We have charged credit card:" + field1 + "
"); cart.append(" -------------------
"); diff --git a/src/main/resources/lessons/client_side_filtering/lessonSolutions/en/ClientSideFiltering.html b/src/main/resources/lessons/client_side_filtering/lessonSolutions/en/ClientSideFiltering.html index 3a67cfb18..3dc36ab2d 100644 --- a/src/main/resources/lessons/client_side_filtering/lessonSolutions/en/ClientSideFiltering.html +++ b/src/main/resources/lessons/client_side_filtering/lessonSolutions/en/ClientSideFiltering.html @@ -51,7 +51,7 @@ even if it is hidden it is easy to find the sensitive date. In this stage you will add a filter to the XPath queries. In this file you will find following construct:

- StringBuffer sb = new StringBuffer();
+ StringBuilder sb = new StringBuilder();
sb.append("/Employees/Employee/UserID | ");
sb.append("/Employees/Employee/FirstName | ");
@@ -66,7 +66,7 @@ This string will be used for the XPath query. You have to guarantee that a mange can see employees which are working for him. To archive this you can use filters in XPath. Following code will exactly do this:

- StringBuffer sb = new StringBuffer();
+ StringBuilder sb = new StringBuilder();
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/UserID | ");
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/FirstName | ");
@@ -81,4 +81,4 @@ Now only information is sent to your client you are authorized for. You can clic

- \ No newline at end of file + diff --git a/src/main/resources/webgoat/static/js/libs/mode-java.js b/src/main/resources/webgoat/static/js/libs/mode-java.js index 779ede26c..3374fdcf0 100644 --- a/src/main/resources/webgoat/static/js/libs/mode-java.js +++ b/src/main/resources/webgoat/static/js/libs/mode-java.js @@ -831,7 +831,7 @@ var JavaHighlightRules = function() { "Readable|Runtime|StringBuilder|Math|IncompatibleClassChangeError|"+ "NoSuchMethodError|ThreadLocal|RuntimePermission|ArithmeticException|"+ "NullPointerException|Long|Integer|Short|Byte|Double|Number|Float|"+ - "Character|Boolean|StackTraceElement|Appendable|StringBuffer|"+ + "Character|Boolean|StackTraceElement|Appendable|StringBuilder|"+ "Iterable|ThreadGroup|Runnable|Thread|IllegalMonitorStateException|"+ "StackOverflowError|OutOfMemoryError|VirtualMachineError|"+ "ArrayStoreException|ClassCastException|LinkageError|"+ diff --git a/src/main/resources/webgoat/static/js/libs/text.js b/src/main/resources/webgoat/static/js/libs/text.js index 4c311edce..2743b46c7 100644 --- a/src/main/resources/webgoat/static/js/libs/text.js +++ b/src/main/resources/webgoat/static/js/libs/text.js @@ -311,14 +311,14 @@ define(['module'], function (module) { typeof Packages !== 'undefined' && typeof java !== 'undefined')) { //Why Java, why is this so awkward? text.get = function (url, callback) { - var stringBuffer, line, + var stringBuilder, line, encoding = "utf-8", file = new java.io.File(url), lineSeparator = java.lang.System.getProperty("line.separator"), input = new java.io.BufferedReader(new java.io.InputStreamReader(new java.io.FileInputStream(file), encoding)), content = ''; try { - stringBuffer = new java.lang.StringBuffer(); + stringBuilder = new java.lang.StringBuilder(); line = input.readLine(); // Byte Order Mark (BOM) - The Unicode Standard, version 3.0, page 324 
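Review bot: The replacement on the `"Character|Boolean|StackTraceElement|Appendable|…"` line of the Java highlighter's builtin-type list looks like an unintended hit of the global StringBuffer-to-StringBuilder rename: `StringBuilder` is already present two context lines earlier (`"Readable|Runtime|StringBuilder|Math|…"`), so the list now carries it twice while `java.lang.StringBuffer`, which is still a JDK class that lesson code may display, is no longer highlighted. The old line should be restored: `"Character|Boolean|StackTraceElement|Appendable|StringBuffer|"+`. Both mode-java.js and the text.js hunk on this line appear to be vendored library code (an Ace editor mode and what looks like the requirejs text plugin), so local edits will silently disappear on the next library update; keeping vendored files untouched and pinning their version is the safer practice.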
@@ -334,15 +334,15 @@ define(['module'], function (module) {
 }
 if (line !== null) {
- stringBuffer.append(line);
+ stringBuilder.append(line);
 }
 while ((line = input.readLine()) !== null) {
- stringBuffer.append(lineSeparator);
- stringBuffer.append(line);
+ stringBuilder.append(lineSeparator);
+ stringBuilder.append(line);
 }
 //Make sure we return a JavaScript string and not a Java string.
- content = String(stringBuffer.toString()); //String
+ content = String(stringBuilder.toString()); //String
 } finally {
 input.close();
 }