Create WebgoatContext in HammerHead, rather than WebSession

Now webgoatContext should effectively be a singleton, shared across
all WebSession instances. WebSession now initialises from WebgoatContext.

WebSession methods that refer to static "site wide" properties are deleted
and references to them updated to point to WebgoatContext


git-svn-id: http://webgoat.googlecode.com/svn/trunk@141 4033779f-a91e-0410-96ef-6bf7bf53c507
rogan.dawes 2007-07-10 11:51:26 +00:00
parent 53487970f6
commit eaf12c706c
7 changed files with 108 additions and 97 deletions


@ -24,6 +24,7 @@ import org.owasp.webgoat.session.ErrorScreen;
import org.owasp.webgoat.session.Screen;
import org.owasp.webgoat.session.UserTracker;
import org.owasp.webgoat.session.WebSession;
import org.owasp.webgoat.session.WebgoatContext;
/*******************************************************************************
*
@ -79,6 +80,12 @@ public class HammerHead extends HttpServlet
*/
public static String propertiesPath = null;
/**
* provides convenience methods for getting setup information
* from the ServletContext
*/
private WebgoatContext webgoatContext = null;
/**
* Description of the Method
@ -289,6 +296,7 @@ public class HammerHead extends HttpServlet
httpDateFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
propertiesPath = getServletContext().getRealPath(
"./WEB-INF/webgoat.properties");
webgoatContext = new WebgoatContext(this);
}
@ -481,7 +489,7 @@ public class HammerHead extends HttpServlet
{
// Create new custom session and save it in the HTTP session
// System.out.println( "HH Creating new WebSession: " );
session = new WebSession(this, context);
session = new WebSession(webgoatContext, context);
hs.setAttribute(WebSession.SESSION, session);
// reset timeout
hs.setMaxInactiveInterval(sessionTimeoutSeconds);
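Review bot: The new `webgoatContext` field is assigned once in init() (`webgoatContext = new WebgoatContext(this);`) and then handed to every WebSession, but its Javadoc only says it wraps ServletContext lookups; it should state that this is the single shared instance read concurrently by all request threads. Suggested replacement comment: `/** Site-wide configuration read once from web.xml in init(); the one instance is shared by every WebSession, so it must stay immutable after construction. */`. Both init() and the session-creating method begin and end outside the hunks shown.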


@ -68,13 +68,13 @@ public class CommandInjection extends LessonAdapter
protected Element createContent(WebSession s)
{
ElementContainer ec = new ElementContainer();
boolean illegalCommand = s.isDefuseOSCommands();
boolean illegalCommand = getWebgoatContext().isDefuseOSCommands();
try
{
String helpFile = s.getParser().getRawParameter(HELP_FILE,
"BasicAuthentication.help");
String safeDirName;
if (s.isDefuseOSCommands()
if (getWebgoatContext().isDefuseOSCommands()
&& (helpFile.indexOf('&') != -1 || helpFile.indexOf(';') != -1))
{
int index = helpFile.indexOf('&');
@ -123,7 +123,7 @@ public class CommandInjection extends LessonAdapter
}
}
if (s.isDefuseOSCommands() && helpFile.indexOf('&') == -1
if (getWebgoatContext().isDefuseOSCommands() && helpFile.indexOf('&') == -1
&& helpFile.indexOf(';') == -1)
{
if (helpFile.length() > 0)
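Review bot: `illegalCommand` already captures `getWebgoatContext().isDefuseOSCommands()` at the top of createContent, yet the same lookup is repeated in the two `if` conditions that follow; reading the local instead (`if (illegalCommand && (helpFile.indexOf('&') != -1 || helpFile.indexOf(';') != -1))` and `if (illegalCommand && helpFile.indexOf('&') == -1 && helpFile.indexOf(';') == -1)`) keeps the three checks trivially consistent and reads more clearly. The same pattern appears in the PathBasedAccessControl hunk, where `illegalCommand` is assigned on one line and the getter is re-queried on the next. createContent continues past both hunks, so the defusal logic that consumes these flags is not visible here.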


@ -81,7 +81,7 @@ public abstract class LessonAdapter extends AbstractLesson
+ "In fact, most lessons can be created by following the easy to use instructions in the "
+ "<A HREF=http://www.owasp.org/index.php/WebGoat_User_and_Install_Guide_Table_of_Contents>WebGoat User Guide.</A>&nbsp;&nbsp;"
+ "If you would prefer, send your lesson ideas to "
+ s.getFeedbackAddress()));
+ getWebgoatContext().getFeedbackAddress()));
String fileName = s.getContext().getRealPath(
"doc/New Lesson Instructions.txt");


@ -102,8 +102,8 @@ public class PathBasedAccessControl extends LessonAdapter
String file = s.getParser().getRawParameter(FILE, "");
// defuse file searching
boolean illegalCommand = s.isDefuseOSCommands();
if (s.isDefuseOSCommands())
boolean illegalCommand = getWebgoatContext().isDefuseOSCommands();
if (getWebgoatContext().isDefuseOSCommands())
{
// allow them to look at any file in the webgoat hierachy. Don't allow them
// to look about the webgoat root, except to see the LICENSE file


@ -104,7 +104,7 @@ public class ReportCardScreen extends LessonAdapter
ElementContainer ec = new ElementContainer();
ec.addElement(new Center(new StringElement(
"Comments and suggestions are welcome. "
+ s.getFeedbackAddress())));
+ getWebgoatContext().getFeedbackAddress())));
return ec;
}


@ -123,29 +123,6 @@ public class WebSession
*/
public final static String SESSION = "Session";
/**
* Description of the Field
*/
public final static String ENTERPRISE = "Enterprise";
/**
* Description of the Field
*/
public final static String SHOWCOOKIES = "ShowCookies";
/**
* Description of the Field
*/
public final static String SHOWPARAMS = "ShowParams";
/**
* Description of the Field
*/
public final static String SHOWREQUEST = "ShowRequest";
/**
* Description of the Field
*/
public final static String SHOWSOURCE = "ShowSource";
public final static String SHOWHINTS = "ShowHints";
@ -162,20 +139,7 @@ public class WebSession
public final static String SHOW_SOURCE = "Source";
/**
* Description of the Field
*/
public final static String DEFUSEOSCOMMANDS = "DefuseOSCommands";
/**
* Description of the Field
*/
public final static String FEEDBACK_ADDRESS = "FeedbackAddress";
/**
* Description of the Field
*/
public final String DEBUG = "debug";
public final static String DEBUG = "debug";
/**
* Description of the Field
@ -205,7 +169,6 @@ public class WebSession
private boolean isColor = false;
private boolean isDebug = false;
private boolean hasHackedHackableAdmin = false;
private StringBuffer message = new StringBuffer( "" );
@ -228,12 +191,6 @@ public class WebSession
private boolean showSource = false;
private boolean defuseOSCommands = false;
private boolean enterprise = false;
private String feedbackAddress = "<A HREF=mailto:webgoat@g2-inc.com>webgoat@g2-inc.com</A>";
private boolean completedHackableAdmin = false;
private int currentMenu;
@ -244,20 +201,14 @@ public class WebSession
* @param servlet Description of the Parameter
* @param context Description of the Parameter
*/
public WebSession( HttpServlet servlet, ServletContext context )
public WebSession(WebgoatContext webgoatContext, ServletContext context )
{
webgoatContext = new WebgoatContext(servlet);
this.webgoatContext = webgoatContext;
// initialize from web.xml
showParams = "true".equals( servlet.getInitParameter( SHOWPARAMS ) );
showCookies = "true".equals( servlet.getInitParameter( SHOWCOOKIES ) );
showSource = "true".equals( servlet.getInitParameter( SHOWSOURCE ) );
defuseOSCommands = "true".equals( servlet.getInitParameter( DEFUSEOSCOMMANDS ) );
enterprise = "true".equals( servlet.getInitParameter( ENTERPRISE ) );
feedbackAddress = servlet.getInitParameter( FEEDBACK_ADDRESS ) != null ? servlet
.getInitParameter( FEEDBACK_ADDRESS ) : feedbackAddress;
showRequest = "true".equals( servlet.getInitParameter( SHOWREQUEST ) );
isDebug = "true".equals( servlet.getInitParameter( DEBUG ) );
servletName = servlet.getServletName();
showParams = webgoatContext.isShowParams();
showCookies = webgoatContext.isShowCookies();
showSource = webgoatContext.isShowSource();
showRequest = webgoatContext.isShowRequest();
this.context = context;
course = new Course();
course.loadCourses( webgoatContext, context, "/" );
@ -854,36 +805,6 @@ public class WebSession
return ( showSource );
}
/**
* Description of the Method
*
* @return Description of the Return Value
*/
public boolean isDefuseOSCommands()
{
return ( defuseOSCommands );
}
/**
* Description of the Method
*
* @return Description of the Return Value
*/
public boolean isEnterprise()
{
return ( enterprise );
}
/**
* Description of the Method
*
* @return Description of the Return Value
*/
public String getFeedbackAddress()
{
return ( feedbackAddress );
}
/**
* Gets the userName attribute of the WebSession object
*
@ -976,7 +897,7 @@ public class WebSession
// clear variables when switching screens
if ( this.getCurrentScreen() != this.getPreviousScreen() )
{
if ( isDebug )
if ( webgoatContext.isDebug() )
{
setMessage( "Changed to a new screen, clearing cookies and hints" );
}
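Review bot: The constructor no longer assigns `servletName` — the old `servletName = servlet.getServletName();` line is dropped and nothing replaces it — so if WebSession still declares that field and its getter (both outside the hunks shown), they now yield null; either add `servletName = webgoatContext.getServletName();` next to the other copied flags or remove the field and route callers to WebgoatContext, which gains getServletName() in this commit. The constructor also stores the injected context without a guard; `if (webgoatContext == null) throw new IllegalArgumentException("webgoatContext");` would turn a later NullPointerException in `webgoatContext.isDebug()` into an immediate, located failure. The constructor body continues beyond the hunk.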


@ -4,8 +4,6 @@ import java.sql.Connection;
import javax.servlet.http.HttpServlet;
import org.owasp.webgoat.lessons.admin.RefreshDBScreen;
public class WebgoatContext {
public final static String DATABASE_CONNECTION_STRING = "DatabaseConnectionString";
@ -16,6 +14,24 @@ public class WebgoatContext {
public final static String DATABASE_PASSWORD = "DatabasePassword";
public final static String ENTERPRISE = "Enterprise";
public final static String SHOWCOOKIES = "ShowCookies";
public final static String SHOWPARAMS = "ShowParams";
public final static String SHOWREQUEST = "ShowRequest";
public final static String SHOWSOURCE = "ShowSource";
public final static String SHOWHINTS = "ShowHints";
public final static String DEFUSEOSCOMMANDS = "DefuseOSCommands";
public final static String FEEDBACK_ADDRESS = "FeedbackAddress";
public final static String DEBUG = "debug";
private static boolean databaseBuilt = false;
private String databaseConnectionString;
@ -28,6 +44,24 @@ public class WebgoatContext {
private String databasePassword;
private boolean showCookies = false;
private boolean showParams = false;
private boolean showRequest = false;
private boolean showSource = false;
private boolean defuseOSCommands = false;
private boolean enterprise = false;
private String feedbackAddress = "<A HREF=mailto:webgoat@g2-inc.com>webgoat@g2-inc.com</A>";
private boolean isDebug = false;
private String servletName;
private HttpServlet servlet;
public WebgoatContext(HttpServlet servlet) {
@ -38,6 +72,18 @@ public class WebgoatContext {
databaseUser = servlet.getInitParameter(DATABASE_USER);
databasePassword = servlet.getInitParameter(DATABASE_PASSWORD);
// initialize from web.xml
showParams = "true".equals( servlet.getInitParameter( SHOWPARAMS ) );
showCookies = "true".equals( servlet.getInitParameter( SHOWCOOKIES ) );
showSource = "true".equals( servlet.getInitParameter( SHOWSOURCE ) );
defuseOSCommands = "true".equals( servlet.getInitParameter( DEFUSEOSCOMMANDS ) );
enterprise = "true".equals( servlet.getInitParameter( ENTERPRISE ) );
feedbackAddress = servlet.getInitParameter( FEEDBACK_ADDRESS ) != null ? servlet
.getInitParameter( FEEDBACK_ADDRESS ) : feedbackAddress;
showRequest = "true".equals( servlet.getInitParameter( SHOWREQUEST ) );
isDebug = "true".equals( servlet.getInitParameter( DEBUG ) );
servletName = servlet.getServletName();
// FIXME: need to solve concurrency problem here -- make tables for this user
if ( !databaseBuilt ) {
try {
@ -103,4 +149,40 @@ public class WebgoatContext {
return (databasePassword);
}
public boolean isDefuseOSCommands() {
return defuseOSCommands;
}
public boolean isEnterprise() {
return enterprise;
}
public String getFeedbackAddress() {
return feedbackAddress;
}
public boolean isDebug() {
return isDebug;
}
public String getServletName() {
return servletName;
}
public boolean isShowCookies() {
return showCookies;
}
public boolean isShowParams() {
return showParams;
}
public boolean isShowRequest() {
return showRequest;
}
public boolean isShowSource() {
return showSource;
}
}
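Review bot: The nine new fields (`showCookies` through `servletName`) are each assigned exactly once in the constructor and are then read by every request thread through the instance HammerHead creates in init(), so they should be declared `final` and lose their `= false` initialisers; that makes the context immutable and gives safe publication of the values independent of whatever ordering the container provides between init() and service(). The `feedbackAddress` default would then move to a constant, because the current ternary uses the field's own initialiser as the fallback. `getFeedbackAddress()` also deserves a Javadoc stating that the value is written unescaped into lesson HTML (LessonAdapter and ReportCardScreen in this commit), e.g. `/** Feedback link from the FeedbackAddress init parameter; lessons emit it as raw HTML, so only deployment-controlled values belong here. */`. With the context now built once in HammerHead.init() rather than per WebSession, the `FIXME` about concurrent table building may no longer apply and could be re-examined; the constructor body continues outside the hunk.
```java
public class WebgoatContext {
    // … unchanged: init-parameter name constants …
    private static final String DEFAULT_FEEDBACK_ADDRESS =
        "<A HREF=mailto:webgoat@g2-inc.com>webgoat@g2-inc.com</A>";
    // … unchanged: database fields …
    private final boolean showCookies;
    private final boolean showParams;
    private final boolean showRequest;
    private final boolean showSource;
    private final boolean defuseOSCommands;
    private final boolean enterprise;
    private final String feedbackAddress;
    private final boolean isDebug;
    private final String servletName;
    // … unchanged: servlet field, constructor prologue reading database parameters …
        String configured = servlet.getInitParameter( FEEDBACK_ADDRESS );
        feedbackAddress = configured != null ? configured : DEFAULT_FEEDBACK_ADDRESS;
    // … unchanged: remaining constructor assignments and table creation …
```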