Path traversal windows unittest fix (#780)

* fixes to support windows and linux/unix/mac

* fix in matcher

webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadFixTest.java

@@ -55,7 +55,7 @@ public class ProfileUploadFixTest extends LessonTest {
                 .file(profilePicture)
                 .param("fullNameFix", "John Doe"))
                 .andExpect(status().is(200))
-                .andExpect(jsonPath("$.feedback", CoreMatchers.containsString("/unit-test\\/John Doe\\\"")))
+                .andExpect(jsonPath("$.feedback", CoreMatchers.containsString("unit-test\\"+File.separator+"John Doe")))
                 .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
     }
 

webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRemoveUserInputTest.java

@@ -15,6 +15,8 @@ import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+import java.io.File;
+
 @RunWith(SpringJUnit4ClassRunner.class)
 public class ProfileUploadRemoveUserInputTest extends LessonTest {
 	
@@ -48,7 +50,7 @@ public class ProfileUploadRemoveUserInputTest extends LessonTest {
                 .file(profilePicture)
                 .param("fullNameFix", "John Doe"))
                 .andExpect(status().is(200))
-                .andExpect(jsonPath("$.feedback", CoreMatchers.containsString("/unit-test\\/picture.jpg\\\"")))
+                .andExpect(jsonPath("$.feedback", CoreMatchers.containsString("unit-test\\"+File.separator+"picture.jpg")))
                 .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
     }
 

webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrievalTest.java

@@ -13,6 +13,7 @@ import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import org.springframework.test.web.servlet.result.MockMvcResultHandlers;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 
+import java.io.File;
 import java.net.URI;
 
 import static org.hamcrest.CoreMatchers.equalTo;
@@ -48,7 +49,7 @@ public class ProfileUploadRetrievalTest extends LessonTest {
         mockMvc.perform(get(uri))
                 .andExpect(status().is(404))
                 .andDo(MockMvcResultHandlers.print())
-                .andExpect(content().string(containsString("/path-traversal-secret.jpg")));
+                .andExpect(content().string(containsString("path-traversal-secret.jpg")));
 
         //Retrieve the secret file (note: .jpg is added by the server)
         uri = new URI("/PathTraversal/random-picture?id=%2E%2E%2F%2E%2E%2Fpath-traversal-secret");
@@ -76,6 +77,6 @@ public class ProfileUploadRetrievalTest extends LessonTest {
     public void unknownFileShouldGiveDirectoryContents() throws Exception {
         mockMvc.perform(get("/PathTraversal/random-picture?id=test"))
                 .andExpect(status().is(404))
-                .andExpect(content().string(containsString("cats/8.jpg")));
+                .andExpect(content().string(containsString("cats"+File.separator+"8.jpg")));
     }
 }

webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadTest.java

@@ -17,6 +17,8 @@ import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+import java.io.File;
+
 @RunWith(SpringJUnit4ClassRunner.class)
 public class ProfileUploadTest extends LessonTest {
 
@@ -60,8 +62,10 @@ public class ProfileUploadTest extends LessonTest {
         var profilePicture = new MockMultipartFile("uploadedFile", "picture.jpg", "text/plain", "an image".getBytes());
         mockMvc.perform(MockMvcRequestBuilders.multipart("/PathTraversal/profile-upload")
                 .file(profilePicture)
-                .param("fullName", "../" + webSession.getUserName()))
-                .andExpect(jsonPath("$.output", CoreMatchers.containsString("Is a directory")))
+                .param("fullName", ".."+File.separator + webSession.getUserName()))
+                .andExpect(jsonPath("$.output", CoreMatchers.anyOf(
+                		CoreMatchers.containsString("Is a directory"),
+                		CoreMatchers.containsString("..\\\\"+ webSession.getUserName()))))
                 .andExpect(status().is(200));
     }
 
@@ -73,7 +77,7 @@ public class ProfileUploadTest extends LessonTest {
                 .file(profilePicture)
                 .param("fullName", "John Doe"))
                 .andExpect(status().is(200))
-                .andExpect(jsonPath("$.feedback", CoreMatchers.containsString("/PathTraversal\\/unit-test\\/John Doe\\\"")))
+                .andExpect(jsonPath("$.feedback", CoreMatchers.containsStringIgnoringCase("PathTraversal\\"+File.separator+"unit-test\\"+File.separator+"John Doe")))
                 .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
     }