Some updates and code improvements (#1288)

* try with resources * StringBuilder * removed ant and updated spring boot
2022-07-10 17:13:26 +02:00
parent 7dd0dd0923
commit e4eb5d783a
17 changed files with 46 additions and 62 deletions
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/MD5.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/MD5.java
@ -164,9 +164,10 @@ public class MD5 {
     * @since ostermillerutils 1.00.00
     */
    public static byte[] getHash(File f) throws IOException {
-        InputStream is = new FileInputStream(f);
-        byte[] hash = getHash(is);
-        is.close();
+        byte[] hash = null;
+        try (InputStream is = new FileInputStream(f)) {
+            hash = getHash(is);
+        }
        return hash;
    }

@ -179,9 +180,10 @@ public class MD5 {
     * @since ostermillerutils 1.00.00
     */
    public static String getHashString(File f) throws IOException {
-        InputStream is = new FileInputStream(f);
-        String hash = getHashString(is);
-        is.close();
+        String hash = null;
+        try (InputStream is = new FileInputStream(f)) {
+            hash = getHashString(is);
+        }
        return hash;
    }

@ -515,7 +517,7 @@ public class MD5 {
     * @since ostermillerutils 1.00.00
     */
    private static String toHex(byte hash[]) {
-        StringBuffer buf = new StringBuffer(hash.length * 2);
+        StringBuilder buf = new StringBuilder(hash.length * 2);
        for (byte element : hash) {
            int intVal = element & 0xff;
            if (intVal < 0x10) {
--- a/src/main/java/org/owasp/webgoat/lessons/client_side_filtering/Salaries.java
+++ b/src/main/java/org/owasp/webgoat/lessons/client_side_filtering/Salaries.java
@ -76,10 +76,14 @@ public class Salaries {
        File d = new File(webGoatHomeDirectory, "ClientSideFiltering/employees.xml");
        XPathFactory factory = XPathFactory.newInstance();
        XPath path = factory.newXPath();
+        int columns = 5;
+        List<Map<String, Object>> json = new ArrayList<>();
+        java.util.Map<String, Object> employeeJson = new HashMap<>();
+
        try (InputStream is = new FileInputStream(d)) {
            InputSource inputSource = new InputSource(is);

-            StringBuffer sb = new StringBuffer();
+            StringBuilder sb = new StringBuilder();

            sb.append("/Employees/Employee/UserID | ");
            sb.append("/Employees/Employee/FirstName | ");
@ -89,22 +93,19 @@ public class Salaries {

            String expression = sb.toString();
            nodes = (NodeList) path.evaluate(expression, inputSource, XPathConstants.NODESET);
+            for (int i = 0; i < nodes.getLength(); i++) {
+                if (i % columns == 0) {
+                    employeeJson = new HashMap<>();
+                    json.add(employeeJson);
+                }
+                Node node = nodes.item(i);
+                employeeJson.put(node.getNodeName(), node.getTextContent());
+            }
        } catch (XPathExpressionException e) {
            log.error("Unable to parse xml", e);
        } catch (IOException e) {
            log.error("Unable to read employees.xml at location: '{}'", d);
        }
-        int columns = 5;
-        List json = new ArrayList();
-        java.util.Map<String, Object> employeeJson = new HashMap<>();
-        for (int i = 0; i < nodes.getLength(); i++) {
-            if (i % columns == 0) {
-                employeeJson = new HashMap<>();
-                json.add(employeeJson);
-            }
-            Node node = nodes.item(i);
-            employeeJson.put(node.getNodeName(), node.getTextContent());
-        }
        return json;
    }
 }
--- a/src/main/java/org/owasp/webgoat/lessons/secure_passwords/SecurePasswordsAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/secure_passwords/SecurePasswordsAssignment.java
@ -42,7 +42,7 @@ public class SecurePasswordsAssignment extends AssignmentEndpoint {
    @ResponseBody
    public AttackResult completed(@RequestParam String password) {
        Zxcvbn zxcvbn = new Zxcvbn();
-        StringBuffer output = new StringBuffer();
+        StringBuilder output = new StringBuilder();
        DecimalFormat df = new DecimalFormat("0", DecimalFormatSymbols.getInstance(Locale.ENGLISH));
        df.setMaximumFractionDigits(340);
        Strength strength = zxcvbn.measure(password);
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionLesson6a.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionLesson6a.java
@ -68,7 +68,7 @@ public class SqlInjectionLesson6a extends AssignmentEndpoint {

                if ((results != null) && (results.first())) {
                    ResultSetMetaData resultsMetaData = results.getMetaData();
-                    StringBuffer output = new StringBuffer();
+                    StringBuilder output = new StringBuilder();

                    output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));

--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson10.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson10.java
@ -54,7 +54,7 @@ public class SqlInjectionLesson10 extends AssignmentEndpoint {
    }

    protected AttackResult injectableQueryAvailability(String action) {
-        StringBuffer output = new StringBuffer();
+        StringBuilder output = new StringBuilder();
        String query = "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'";

        try (Connection connection = dataSource.getConnection()) {
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson2.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson2.java
@ -60,7 +60,7 @@ public class SqlInjectionLesson2 extends AssignmentEndpoint {
        try (var connection = dataSource.getConnection()) {
            Statement statement = connection.createStatement(TYPE_SCROLL_INSENSITIVE, CONCUR_READ_ONLY);
            ResultSet results = statement.executeQuery(query);
-            StringBuffer output = new StringBuffer();
+            StringBuilder output = new StringBuilder();

            results.first();

--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson3.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson3.java
@ -64,7 +64,7 @@ public class SqlInjectionLesson3 extends AssignmentEndpoint {
                        CONCUR_READ_ONLY);
                statement.executeUpdate(query);
                ResultSet results = checkStatement.executeQuery("SELECT * FROM employees WHERE last_name='Barnett';");
-                StringBuffer output = new StringBuffer();
+                StringBuilder output = new StringBuilder();
                // user completes lesson if the department of Tobi Barnett now is 'Sales'
                results.first();
                if (results.getString("department").equals("Sales")) {
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson4.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson4.java
@ -63,7 +63,7 @@ public class SqlInjectionLesson4 extends AssignmentEndpoint {
                statement.executeUpdate(query);
                connection.commit();
                ResultSet results = statement.executeQuery("SELECT phone from employees;");
-                StringBuffer output = new StringBuffer();
+                StringBuilder output = new StringBuilder();
                // user completes lesson if column phone exists
                if (results.first()) {
                    output.append("<span class='feedback-positive'>" + query + "</span>");
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5b.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5b.java
@ -72,7 +72,7 @@ public class SqlInjectionLesson5b extends AssignmentEndpoint {

                if ((results != null) && (results.first() == true)) {
                    ResultSetMetaData resultsMetaData = results.getMetaData();
-                    StringBuffer output = new StringBuffer();
+                    StringBuilder output = new StringBuilder();

                    output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
                    results.last();
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson8.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson8.java
@ -56,7 +56,7 @@ public class SqlInjectionLesson8 extends AssignmentEndpoint {
    }

    protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) {
-        StringBuffer output = new StringBuffer();
+        StringBuilder output = new StringBuilder();
        String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";

        try (Connection connection = dataSource.getConnection()) {
@ -98,7 +98,7 @@ public class SqlInjectionLesson8 extends AssignmentEndpoint {
        ResultSetMetaData resultsMetaData = results.getMetaData();
        int numColumns = resultsMetaData.getColumnCount();
        results.beforeFirst();
-        StringBuffer table = new StringBuffer();
+        StringBuilder table = new StringBuilder();
        table.append("<table>");

        if (results.next()) {
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson9.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson9.java
@ -57,7 +57,7 @@ public class SqlInjectionLesson9 extends AssignmentEndpoint {
    }

    protected AttackResult injectableQueryIntegrity(String name, String auth_tan) {
-        StringBuffer output = new StringBuffer();
+        StringBuilder output = new StringBuilder();
        String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
        try (Connection connection = dataSource.getConnection()) {
            try {
@ -86,7 +86,7 @@ public class SqlInjectionLesson9 extends AssignmentEndpoint {
        }
    }

-    private AttackResult checkSalaryRanking(Connection connection, StringBuffer output) {
+    private AttackResult checkSalaryRanking(Connection connection, StringBuilder output) {
        try {
            String query = "SELECT * FROM employees ORDER BY salary DESC";
            try (Statement statement = connection.createStatement(TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
--- a/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask1.java
+++ b/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask1.java
@ -43,7 +43,7 @@ public class SSRFTask1 extends AssignmentEndpoint {

    protected AttackResult stealTheCheese(String url) {
        try {
-            StringBuffer html = new StringBuffer();
+            StringBuilder html = new StringBuilder();

            if (url.matches("images/tom.png")) {
                html.append("<img class=\"image\" alt=\"Tom\" src=\"images/tom.png\" width=\"25%\" height=\"25%\">");
--- a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson5a.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson5a.java
@ -61,7 +61,7 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
        double totalSale = QTY1.intValue() * 69.99 + QTY2.intValue() * 27.99 + QTY3.intValue() * 1599.99 + QTY4.intValue() * 299.99;

        userSessionData.setValue("xss-reflected1-complete", "false");
-        StringBuffer cart = new StringBuffer();
+        StringBuilder cart = new StringBuilder();
        cart.append("Thank you for shopping at WebGoat. <br />Your support is appreciated<hr />");
        cart.append("<p>We have charged credit card:" + field1 + "<br />");
        cart.append("                             ------------------- <br />");