Some updates and code improvements (#1288)

* try with resources

* StringBuilder

* removed ant and updated spring boot
René Zubcevic 2022-07-10 17:13:26 +02:00 committed by GitHub
parent 7dd0dd0923
commit e4eb5d783a
17 changed files with 46 additions and 62 deletions

21
pom.xml

@ -11,7 +11,7 @@
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.6.6</version>
<version>2.7.1</version>
</parent>
<name>WebGoat</name>
@ -119,7 +119,6 @@
<webwolf.port>9090</webwolf.port>
<!-- Shared properties with plugins and version numbers across submodules-->
<ant.version>1.6.5</ant.version>
<asciidoctorj.version>2.5.2</asciidoctorj.version>
<bootstrap.version>3.3.7</bootstrap.version>
<cglib.version>2.2</cglib.version> <!-- do not update necessary for lesson -->
@ -181,16 +180,6 @@
<artifactId>cglib-nodep</artifactId>
<version>${cglib.version}</version>
</dependency>
<dependency>
<groupId>ant</groupId>
<artifactId>ant-launcher</artifactId>
<version>${ant.version}</version>
</dependency>
<dependency>
<groupId>ant</groupId>
<artifactId>ant</artifactId>
<version>${ant.version}</version>
</dependency>
<dependency>
<groupId>xml-resolver</groupId>
<artifactId>xml-resolver</artifactId>
@ -452,14 +441,6 @@
<groupId>cglib</groupId>
<artifactId>cglib-nodep</artifactId>
</dependency>
<dependency>
<groupId>ant</groupId>
<artifactId>ant-launcher</artifactId>
</dependency>
<dependency>
<groupId>ant</groupId>
<artifactId>ant</artifactId>
</dependency>
<dependency>
<groupId>xml-resolver</groupId>
<artifactId>xml-resolver</artifactId>


@ -164,9 +164,10 @@ public class MD5 {
* @since ostermillerutils 1.00.00
*/
public static byte[] getHash(File f) throws IOException {
InputStream is = new FileInputStream(f);
byte[] hash = getHash(is);
is.close();
byte[] hash = null;
try (InputStream is = new FileInputStream(f)) {
hash = getHash(is);
}
return hash;
}
@ -179,9 +180,10 @@ public class MD5 {
* @since ostermillerutils 1.00.00
*/
public static String getHashString(File f) throws IOException {
InputStream is = new FileInputStream(f);
String hash = getHashString(is);
is.close();
String hash = null;
try (InputStream is = new FileInputStream(f)) {
hash = getHashString(is);
}
return hash;
}
@ -515,7 +517,7 @@ public class MD5 {
* @since ostermillerutils 1.00.00
*/
private static String toHex(byte hash[]) {
StringBuffer buf = new StringBuffer(hash.length * 2);
StringBuilder buf = new StringBuilder(hash.length * 2);
for (byte element : hash) {
int intVal = element & 0xff;
if (intVal < 0x10) {
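Review bot: The `byte[] hash = null;` holder introduced in `getHash(File)` in the first hunk is unnecessary; the try-with-resources block can return directly, `try (InputStream is = new FileInputStream(f)) { return getHash(is); }`, which also removes a null-initialised local that a reader must check is always assigned before `return hash;`. The same shape appears in `getHashString(File)` in the second hunk and can be simplified the same way. Since this class is named `MD5`, a class- or method-level Javadoc caveat would help callers pick the right tool: `* <p>MD5 is not collision-resistant; use these helpers only for non-security checksums.`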


@ -76,10 +76,14 @@ public class Salaries {
File d = new File(webGoatHomeDirectory, "ClientSideFiltering/employees.xml");
XPathFactory factory = XPathFactory.newInstance();
XPath path = factory.newXPath();
int columns = 5;
List<Map<String, Object>> json = new ArrayList<>();
java.util.Map<String, Object> employeeJson = new HashMap<>();
try (InputStream is = new FileInputStream(d)) {
InputSource inputSource = new InputSource(is);
StringBuffer sb = new StringBuffer();
StringBuilder sb = new StringBuilder();
sb.append("/Employees/Employee/UserID | ");
sb.append("/Employees/Employee/FirstName | ");
@ -89,22 +93,19 @@ public class Salaries {
String expression = sb.toString();
nodes = (NodeList) path.evaluate(expression, inputSource, XPathConstants.NODESET);
for (int i = 0; i < nodes.getLength(); i++) {
if (i % columns == 0) {
employeeJson = new HashMap<>();
json.add(employeeJson);
}
Node node = nodes.item(i);
employeeJson.put(node.getNodeName(), node.getTextContent());
}
} catch (XPathExpressionException e) {
log.error("Unable to parse xml", e);
} catch (IOException e) {
log.error("Unable to read employees.xml at location: '{}'", d);
}
int columns = 5;
List json = new ArrayList();
java.util.Map<String, Object> employeeJson = new HashMap<>();
for (int i = 0; i < nodes.getLength(); i++) {
if (i % columns == 0) {
employeeJson = new HashMap<>();
json.add(employeeJson);
}
Node node = nodes.item(i);
employeeJson.put(node.getNodeName(), node.getTextContent());
}
return json;
}
}
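Review bot: `java.util.Map<String, Object> employeeJson = new HashMap<>();` on the new side is written fully qualified while the line above already uses the imported `Map` in `List<Map<String, Object>>`; `Map<String, Object> employeeJson = null;` would match the surrounding style. The initial `HashMap` is also dead, because the loop assigns a fresh map when `i % columns == 0`, which is true on the first iteration before any `put`. In the `IOException` catch the exception is dropped from the log call; passing it as the last argument, `log.error("Unable to read employees.xml at location: '{}'", d, e);`, keeps the stack trace for diagnosis. The enclosing method's signature is outside the hunk.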


@ -42,7 +42,7 @@ public class SecurePasswordsAssignment extends AssignmentEndpoint {
@ResponseBody
public AttackResult completed(@RequestParam String password) {
Zxcvbn zxcvbn = new Zxcvbn();
StringBuffer output = new StringBuffer();
StringBuilder output = new StringBuilder();
DecimalFormat df = new DecimalFormat("0", DecimalFormatSymbols.getInstance(Locale.ENGLISH));
df.setMaximumFractionDigits(340);
Strength strength = zxcvbn.measure(password);


@ -68,7 +68,7 @@ public class SqlInjectionLesson6a extends AssignmentEndpoint {
if ((results != null) && (results.first())) {
ResultSetMetaData resultsMetaData = results.getMetaData();
StringBuffer output = new StringBuffer();
StringBuilder output = new StringBuilder();
output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));


@ -54,7 +54,7 @@ public class SqlInjectionLesson10 extends AssignmentEndpoint {
}
protected AttackResult injectableQueryAvailability(String action) {
StringBuffer output = new StringBuffer();
StringBuilder output = new StringBuilder();
String query = "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'";
try (Connection connection = dataSource.getConnection()) {


@ -60,7 +60,7 @@ public class SqlInjectionLesson2 extends AssignmentEndpoint {
try (var connection = dataSource.getConnection()) {
Statement statement = connection.createStatement(TYPE_SCROLL_INSENSITIVE, CONCUR_READ_ONLY);
ResultSet results = statement.executeQuery(query);
StringBuffer output = new StringBuffer();
StringBuilder output = new StringBuilder();
results.first();


@ -64,7 +64,7 @@ public class SqlInjectionLesson3 extends AssignmentEndpoint {
CONCUR_READ_ONLY);
statement.executeUpdate(query);
ResultSet results = checkStatement.executeQuery("SELECT * FROM employees WHERE last_name='Barnett';");
StringBuffer output = new StringBuffer();
StringBuilder output = new StringBuilder();
// user completes lesson if the department of Tobi Barnett now is 'Sales'
results.first();
if (results.getString("department").equals("Sales")) {


@ -63,7 +63,7 @@ public class SqlInjectionLesson4 extends AssignmentEndpoint {
statement.executeUpdate(query);
connection.commit();
ResultSet results = statement.executeQuery("SELECT phone from employees;");
StringBuffer output = new StringBuffer();
StringBuilder output = new StringBuilder();
// user completes lesson if column phone exists
if (results.first()) {
output.append("<span class='feedback-positive'>" + query + "</span>");


@ -72,7 +72,7 @@ public class SqlInjectionLesson5b extends AssignmentEndpoint {
if ((results != null) && (results.first() == true)) {
ResultSetMetaData resultsMetaData = results.getMetaData();
StringBuffer output = new StringBuffer();
StringBuilder output = new StringBuilder();
output.append(SqlInjectionLesson5a.writeTable(results, resultsMetaData));
results.last();


@ -56,7 +56,7 @@ public class SqlInjectionLesson8 extends AssignmentEndpoint {
}
protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) {
StringBuffer output = new StringBuffer();
StringBuilder output = new StringBuilder();
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
try (Connection connection = dataSource.getConnection()) {
@ -98,7 +98,7 @@ public class SqlInjectionLesson8 extends AssignmentEndpoint {
ResultSetMetaData resultsMetaData = results.getMetaData();
int numColumns = resultsMetaData.getColumnCount();
results.beforeFirst();
StringBuffer table = new StringBuffer();
StringBuilder table = new StringBuilder();
table.append("<table>");
if (results.next()) {


@ -57,7 +57,7 @@ public class SqlInjectionLesson9 extends AssignmentEndpoint {
}
protected AttackResult injectableQueryIntegrity(String name, String auth_tan) {
StringBuffer output = new StringBuffer();
StringBuilder output = new StringBuilder();
String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'";
try (Connection connection = dataSource.getConnection()) {
try {
@ -86,7 +86,7 @@ public class SqlInjectionLesson9 extends AssignmentEndpoint {
}
}
private AttackResult checkSalaryRanking(Connection connection, StringBuffer output) {
private AttackResult checkSalaryRanking(Connection connection, StringBuilder output) {
try {
String query = "SELECT * FROM employees ORDER BY salary DESC";
try (Statement statement = connection.createStatement(TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);


@ -43,7 +43,7 @@ public class SSRFTask1 extends AssignmentEndpoint {
protected AttackResult stealTheCheese(String url) {
try {
StringBuffer html = new StringBuffer();
StringBuilder html = new StringBuilder();
if (url.matches("images/tom.png")) {
html.append("<img class=\"image\" alt=\"Tom\" src=\"images/tom.png\" width=\"25%\" height=\"25%\">");


@ -61,7 +61,7 @@ public class CrossSiteScriptingLesson5a extends AssignmentEndpoint {
double totalSale = QTY1.intValue() * 69.99 + QTY2.intValue() * 27.99 + QTY3.intValue() * 1599.99 + QTY4.intValue() * 299.99;
userSessionData.setValue("xss-reflected1-complete", "false");
StringBuffer cart = new StringBuffer();
StringBuilder cart = new StringBuilder();
cart.append("Thank you for shopping at WebGoat. <br />Your support is appreciated<hr />");
cart.append("<p>We have charged credit card:" + field1 + "<br />");
cart.append(" ------------------- <br />");


@ -51,7 +51,7 @@ even if it is hidden it is easy to find the sensitive date. In this
stage you will add a filter to the XPath queries. In this file you will find
following construct:<br><br></p>
<code>
StringBuffer sb = new StringBuffer();<br>
StringBuilder sb = new StringBuilder();<br>
sb.append("/Employees/Employee/UserID | ");<br>
sb.append("/Employees/Employee/FirstName | ");<br>
@ -66,7 +66,7 @@ This string will be used for the XPath query. You have to guarantee that a mange
can see employees which are working for him. To archive this you can use
filters in XPath. Following code will exactly do this:</p>
<code>
StringBuffer sb = new StringBuffer();<br>
StringBuilder sb = new StringBuilder();<br>
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/UserID | ");<br>
sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/FirstName | ");<br>


@ -831,7 +831,7 @@ var JavaHighlightRules = function() {
"Readable|Runtime|StringBuilder|Math|IncompatibleClassChangeError|"+
"NoSuchMethodError|ThreadLocal|RuntimePermission|ArithmeticException|"+
"NullPointerException|Long|Integer|Short|Byte|Double|Number|Float|"+
"Character|Boolean|StackTraceElement|Appendable|StringBuffer|"+
"Character|Boolean|StackTraceElement|Appendable|StringBuilder|"+
"Iterable|ThreadGroup|Runnable|Thread|IllegalMonitorStateException|"+
"StackOverflowError|OutOfMemoryError|VirtualMachineError|"+
"ArrayStoreException|ClassCastException|LinkageError|"+
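Review bot: Replacing `StringBuffer` with `StringBuilder` in this keyword list makes `StringBuilder` appear twice (it is already listed on the first line of the hunk, `"Readable|Runtime|StringBuilder|Math|..."`) and removes `StringBuffer` from the set of highlighted Java types, so the editor will no longer highlight that class name even though it remains a valid JDK type. This looks like a project-wide search-and-replace that should not have touched a syntax-highlighting rule file; restoring `"Character|Boolean|StackTraceElement|Appendable|StringBuffer|"+` keeps the list complete. The `JavaHighlightRules` function begins and ends outside the hunk.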


@ -311,14 +311,14 @@ define(['module'], function (module) {
typeof Packages !== 'undefined' && typeof java !== 'undefined')) {
//Why Java, why is this so awkward?
text.get = function (url, callback) {
var stringBuffer, line,
var stringBuilder, line,
encoding = "utf-8",
file = new java.io.File(url),
lineSeparator = java.lang.System.getProperty("line.separator"),
input = new java.io.BufferedReader(new java.io.InputStreamReader(new java.io.FileInputStream(file), encoding)),
content = '';
try {
stringBuffer = new java.lang.StringBuffer();
stringBuilder = new java.lang.StringBuilder();
line = input.readLine();
// Byte Order Mark (BOM) - The Unicode Standard, version 3.0, page 324
@ -334,15 +334,15 @@ define(['module'], function (module) {
}
if (line !== null) {
stringBuffer.append(line);
stringBuilder.append(line);
}
while ((line = input.readLine()) !== null) {
stringBuffer.append(lineSeparator);
stringBuffer.append(line);
stringBuilder.append(lineSeparator);
stringBuilder.append(line);
}
//Make sure we return a JavaScript string and not a Java string.
content = String(stringBuffer.toString()); //String
content = String(stringBuilder.toString()); //String
} finally {
input.close();
}