Some updates and code improvements (#1288)

* try with resources * StringBuilder * removed ant and updated spring boot
2022-07-10 17:13:26 +02:00 · 2022-07-10 17:13:26 +02:00 · e4eb5d783a
commit e4eb5d783a
parent 7dd0dd0923
17 changed files with 46 additions and 62 deletions
--- a/pom.xml
+++ b/pom.xml
@ -11,7 +11,7 @@
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
-        <version>2.6.6</version>
+        <version>2.7.1</version>
    </parent>
    <name>WebGoat</name>
@ -119,7 +119,6 @@
        <webwolf.port>9090</webwolf.port>
        <!-- Shared properties with plugins and version numbers across submodules-->
        <ant.version>1.6.5</ant.version>
        <asciidoctorj.version>2.5.2</asciidoctorj.version>
        <bootstrap.version>3.3.7</bootstrap.version>
        <cglib.version>2.2</cglib.version> <!-- do not update necessary for lesson -->
@ -181,16 +180,6 @@
                <artifactId>cglib-nodep</artifactId>
                <version>${cglib.version}</version>
            </dependency>
            <dependency>
                <groupId>ant</groupId>
                <artifactId>ant-launcher</artifactId>
                <version>${ant.version}</version>
            </dependency>
            <dependency>
                <groupId>ant</groupId>
                <artifactId>ant</artifactId>
                <version>${ant.version}</version>
            </dependency>
            <dependency>
                <groupId>xml-resolver</groupId>
                <artifactId>xml-resolver</artifactId>
@ -452,14 +441,6 @@
            <groupId>cglib</groupId>
            <artifactId>cglib-nodep</artifactId>
        </dependency>
        <dependency>
            <groupId>ant</groupId>
            <artifactId>ant-launcher</artifactId>
        </dependency>
        <dependency>
            <groupId>ant</groupId>
            <artifactId>ant</artifactId>
        </dependency>
        <dependency>
            <groupId>xml-resolver</groupId>
            <artifactId>xml-resolver</artifactId>
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/MD5.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/MD5.java
@ -164,9 +164,10 @@ public class MD5 {
     * @since ostermillerutils 1.00.00
     */
    public static byte[] getHash(File f) throws IOException {
-        InputStream is = new FileInputStream(f);
+        byte[] hash = null;
-        byte[] hash = getHash(is);
+        try (InputStream is = new FileInputStream(f)) {
-        is.close();
+            hash = getHash(is);
        }
        return hash;
    }
@ -179,9 +180,10 @@ public class MD5 {
     * @since ostermillerutils 1.00.00
     */
    public static String getHashString(File f) throws IOException {
-        InputStream is = new FileInputStream(f);
+        String hash = null;
-        String hash = getHashString(is);
+        try (InputStream is = new FileInputStream(f)) {
-        is.close();
+            hash = getHashString(is);
        }
        return hash;
    }
@ -515,7 +517,7 @@ public class MD5 {
     * @since ostermillerutils 1.00.00
     */
    private static String toHex(byte hash[]) {
-        StringBuffer buf = new StringBuffer(hash.length * 2);
+        StringBuilder buf = new StringBuilder(hash.length * 2);
        for (byte element : hash) {
            int intVal = element & 0xff;
            if (intVal < 0x10) {
--- a/src/main/java/org/owasp/webgoat/lessons/client_side_filtering/Salaries.java
+++ b/src/main/java/org/owasp/webgoat/lessons/client_side_filtering/Salaries.java
@ -76,10 +76,14 @@ public class Salaries {
        File d = new File(webGoatHomeDirectory, "ClientSideFiltering/employees.xml");
        XPathFactory factory = XPathFactory.newInstance();
        XPath path = factory.newXPath();
        int columns = 5;
        List<Map<String, Object>> json = new ArrayList<>();
        java.util.Map<String, Object> employeeJson = new HashMap<>();
        try (InputStream is = new FileInputStream(d)) {
            InputSource inputSource = new InputSource(is);
-            StringBuffer sb = new StringBuffer();
+            StringBuilder sb = new StringBuilder();
            sb.append("/Employees/Employee/UserID | ");
            sb.append("/Employees/Employee/FirstName | ");
@ -89,22 +93,19 @@ public class Salaries {
            String expression = sb.toString();
            nodes = (NodeList) path.evaluate(expression, inputSource, XPathConstants.NODESET);
            for (int i = 0; i < nodes.getLength(); i++) {
                if (i % columns == 0) {
                    employeeJson = new HashMap<>();
                    json.add(employeeJson);
                }
                Node node = nodes.item(i);
                employeeJson.put(node.getNodeName(), node.getTextContent());
            }
        } catch (XPathExpressionException e) {
            log.error("Unable to parse xml", e);
        } catch (IOException e) {
            log.error("Unable to read employees.xml at location: '{}'", d);
        }
        int columns = 5;
        List json = new ArrayList();
        java.util.Map<String, Object> employeeJson = new HashMap<>();
        for (int i = 0; i < nodes.getLength(); i++) {
            if (i % columns == 0) {
                employeeJson = new HashMap<>();
                json.add(employeeJson);
            }
            Node node = nodes.item(i);
            employeeJson.put(node.getNodeName(), node.getTextContent());
        }
        return json;
    }
 }
--- a/src/main/java/org/owasp/webgoat/lessons/secure_passwords/SecurePasswordsAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/secure_passwords/SecurePasswordsAssignment.java
@ -42,7 +42,7 @@ public class SecurePasswordsAssignment extends AssignmentEndpoint {
    @ResponseBody
    public AttackResult completed(@RequestParam String password) {
        Zxcvbn zxcvbn = new Zxcvbn();
-        StringBuffer output = new StringBuffer();
+        StringBuilder output = new StringBuilder();
        DecimalFormat df = new DecimalFormat("0", DecimalFormatSymbols.getInstance(Locale.ENGLISH));
        df.setMaximumFractionDigits(340);
        Strength strength = zxcvbn.measure(password);
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionLesson6a.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/advanced/SqlInjectionLesson6a.java
@ -68,7 +68,7 @@ public class SqlInjectionLesson6a extends AssignmentEndpoint {
                if ((results != null) && (results.first())) {
                    ResultSetMetaData resultsMetaData = results.getMetaData();
-                    StringBuffer output = new StringBuffer();
+                    StringBuilder output = new StringBuilder();
                    output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson10.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson10.java
@ -54,7 +54,7 @@ public class SqlInjectionLesson10 extends AssignmentEndpoint {
    }
    protected AttackResult injectableQueryAvailability(String action) {
-        StringBuffer output = new StringBuffer();
+        StringBuilder output = new StringBuilder();
        String query = "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'";
        try (Connection connection = dataSource.getConnection()) {
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson2.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson2.java
@ -60,7 +60,7 @@ public class SqlInjectionLesson2 extends AssignmentEndpoint {
        try (var connection = dataSource.getConnection()) {
            Statement statement = connection.createStatement(TYPE_SCROLL_INSENSITIVE, CONCUR_READ_ONLY);
            ResultSet results = statement.executeQuery(query);
-            StringBuffer output = new StringBuffer();
+            StringBuilder output = new StringBuilder();
            results.first();
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson3.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson3.java
@ -64,7 +64,7 @@ public class SqlInjectionLesson3 extends AssignmentEndpoint {
                        CONCUR_READ_ONLY);
                statement.executeUpdate(query);
                ResultSet results = checkStatement.executeQuery("SELECT * FROM employees WHERE last_name='Barnett';");
-                StringBuffer output = new StringBuffer();
+                StringBuilder output = new StringBuilder();
                // user completes lesson if the department of Tobi Barnett now is 'Sales'
                results.first();
                if (results.getString("department").equals("Sales")) {
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson4.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson4.java
@ -63,7 +63,7 @@ public class SqlInjectionLesson4 extends AssignmentEndpoint {
                statement.executeUpdate(query);
                connection.commit();
                ResultSet results = statement.executeQuery("SELECT phone from employees;");
-                StringBuffer output = new StringBuffer();
+                StringBuilder output = new StringBuilder();
                // user completes lesson if column phone exists
                if (results.first()) {
                    output.append("<span class='feedback-positive'>" + query + "</span>");
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5b.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson5b.java
@ -72,7 +72,7 @@ public class SqlInjectionLesson5b extends AssignmentEndpoint {
                if ((results != null) && (results.first() == true)) {
                    ResultSetMetaData resultsMetaData = results.getMetaData();
-                    StringBuffer output = new StringBuffer();
+                    StringBuilder output = new StringBuilder();
                    output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
                    results.last();
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson8.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson8.java
@ -56,7 +56,7 @@ public class SqlInjectionLesson8 extends AssignmentEndpoint {
    }
    protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) {
-        StringBuffer output = new StringBuffer();
+        StringBuilder output = new StringBuilder();
        String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
        try (Connection connection = dataSource.getConnection()) {
@ -98,7 +98,7 @@ public class SqlInjectionLesson8 extends AssignmentEndpoint {
        ResultSetMetaData resultsMetaData = results.getMetaData();
        int numColumns = resultsMetaData.getColumnCount();
        results.beforeFirst();
-        StringBuffer table = new StringBuffer();
+        StringBuilder table = new StringBuilder();
        table.append("<table>");
        if (results.next()) {
--- a/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson9.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sql_injection/introduction/SqlInjectionLesson9.java
@ -57,7 +57,7 @@ public class SqlInjectionLesson9 extends AssignmentEndpoint {
    }
    protected AttackResult injectableQueryIntegrity(String name, String auth_tan) {
-        StringBuffer output = new StringBuffer();
+        StringBuilder output = new StringBuilder();
        String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
        try (Connection connection = dataSource.getConnection()) {
            try {
@ -86,7 +86,7 @@ public class SqlInjectionLesson9 extends AssignmentEndpoint {
        }
    }
-    private AttackResult checkSalaryRanking(Connection connection, StringBuffer output) {
+    private AttackResult checkSalaryRanking(Connection connection, StringBuilder output) {
        try {
            String query = "SELECT * FROM employees ORDER BY salary DESC";
            try (Statement statement = connection.createStatement(TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
--- a/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask1.java
+++ b/src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask1.java
@ -43,7 +43,7 @@ public class SSRFTask1 extends AssignmentEndpoint {
    protected AttackResult stealTheCheese(String url) {
        try {
-            StringBuffer html = new StringBuffer();
+            StringBuilder html = new StringBuilder();
            if (url.matches("images/tom.png")) {
                html.append("<img class=\"image\" alt=\"Tom\" src=\"images/tom.png\" width=\"25%\" height=\"25%\">");
--- a/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson5a.java
+++ b/src/main/java/org/owasp/webgoat/lessons/xss/CrossSiteScriptingLesson5a.java
@ -61,7 +61,7 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
        double totalSale = QTY1.intValue() * 69.99 + QTY2.intValue() * 27.99 + QTY3.intValue() * 1599.99 + QTY4.intValue() * 299.99;
        userSessionData.setValue("xss-reflected1-complete", "false");
-        StringBuffer cart = new StringBuffer();
+        StringBuilder cart = new StringBuilder();
        cart.append("Thank you for shopping at WebGoat. <br />Your support is appreciated<hr />");
        cart.append("<p>We have charged credit card:" + field1 + "<br />");
        cart.append("                             ------------------- <br />");
--- a/src/main/resources/lessons/client_side_filtering/lessonSolutions/en/ClientSideFiltering.html
+++ b/src/main/resources/lessons/client_side_filtering/lessonSolutions/en/ClientSideFiltering.html
@ -51,7 +51,7 @@ even if it is hidden it is easy to find the sensitive date. In this
 stage you will add a filter to the XPath queries. In this file you will find 
 following construct:<br><br></p>
 <code>
-	StringBuffer sb = new StringBuffer();<br>
+	StringBuilder sb = new StringBuilder();<br>
 	sb.append("/Employees/Employee/UserID | ");<br>
 	sb.append("/Employees/Employee/FirstName | ");<br>
@ -66,7 +66,7 @@ This string will be used for the XPath query. You have to guarantee that a mange
 can see employees which are working for him. To archive this you can use
 filters in XPath. Following code will exactly do this:</p>
 <code>
-	StringBuffer sb = new StringBuffer();<br>
+	StringBuilder sb = new StringBuilder();<br>
 	sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/UserID | ");<br>
 	sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/FirstName | ");<br>
@ -81,4 +81,4 @@ Now only information is sent to your client you are authorized for. You can clic
 </p>
 </body>
-</html>
+</html>
--- a/src/main/resources/webgoat/static/js/libs/mode-java.js
+++ b/src/main/resources/webgoat/static/js/libs/mode-java.js
@ -831,7 +831,7 @@ var JavaHighlightRules = function() {
        "Readable|Runtime|StringBuilder|Math|IncompatibleClassChangeError|"+
        "NoSuchMethodError|ThreadLocal|RuntimePermission|ArithmeticException|"+
        "NullPointerException|Long|Integer|Short|Byte|Double|Number|Float|"+
-        "Character|Boolean|StackTraceElement|Appendable|StringBuffer|"+
+        "Character|Boolean|StackTraceElement|Appendable|StringBuilder|"+
        "Iterable|ThreadGroup|Runnable|Thread|IllegalMonitorStateException|"+
        "StackOverflowError|OutOfMemoryError|VirtualMachineError|"+
        "ArrayStoreException|ClassCastException|LinkageError|"+
--- a/src/main/resources/webgoat/static/js/libs/text.js
+++ b/src/main/resources/webgoat/static/js/libs/text.js
@ -311,14 +311,14 @@ define(['module'], function (module) {
            typeof Packages !== 'undefined' && typeof java !== 'undefined')) {
        //Why Java, why is this so awkward?
        text.get = function (url, callback) {
-            var stringBuffer, line,
+            var stringBuilder, line,
                encoding = "utf-8",
                file = new java.io.File(url),
                lineSeparator = java.lang.System.getProperty("line.separator"),
                input = new java.io.BufferedReader(new java.io.InputStreamReader(new java.io.FileInputStream(file), encoding)),
                content = '';
            try {
-                stringBuffer = new java.lang.StringBuffer();
+                stringBuilder = new java.lang.StringBuilder();
                line = input.readLine();
                // Byte Order Mark (BOM) - The Unicode Standard, version 3.0, page 324
@ -334,15 +334,15 @@ define(['module'], function (module) {
                }
                if (line !== null) {
-                    stringBuffer.append(line);
+                    stringBuilder.append(line);
                }
                while ((line = input.readLine()) !== null) {
-                    stringBuffer.append(lineSeparator);
+                    stringBuilder.append(lineSeparator);
-                    stringBuffer.append(line);
+                    stringBuilder.append(line);
                }
                //Make sure we return a JavaScript string and not a Java string.
-                content = String(stringBuffer.toString()); //String
+                content = String(stringBuilder.toString()); //String
            } finally {
                input.close();
            }