From f140875156d7984cb437b2099876d5722b4670c4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Zubcevic?=
Date: Thu, 10 Oct 2019 07:50:47 +0200
Subject: [PATCH] fixed views for password reset (#679)
---
 .../password_reset/ResetLinkAssignment.java | 33 ++++++++++++++-----
 .../templates/password_link_not_found.html | 2 +-
 .../src/main/resources/templates/success.html | 2 +-
 3 files changed, 26 insertions(+), 11 deletions(-)
diff --git a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java
index 77ca709b8..8dd2c2d1e 100644
--- a/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java
+++ b/webgoat-lessons/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java
@@ -31,6 +31,7 @@ import org.owasp.webgoat.password_reset.resetlink.PasswordChangeForm;
 import org.springframework.ui.Model;
 import org.springframework.validation.BindingResult;
 import org.springframework.web.bind.annotation.*;
+import org.springframework.web.servlet.ModelAndView;
 import java.util.Map;
@@ -46,7 +47,7 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
 static final String TOM_EMAIL = "tom@webgoat-cloud.org";
 static Map userToTomResetLink = Maps.newHashMap();
 static Map usersToTomPassword = Maps.newHashMap();
- static EvictingQueue resetLinks = EvictingQueue.create(1000);
+ static EvictingQueue resetLinks = EvictingQueue.create(1000);
 static final String TEMPLATE = "Hi, you requested a password reset link, please use this " +
 "link to reset your password." +
@@ -73,32 +74,46 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
 }
 @GetMapping("/PasswordReset/reset/reset-password/{link}")
- public String resetPassword(@PathVariable(value = "link") String link, Model model) {
- if (this.resetLinks.contains(link)) {
+ public ModelAndView resetPassword(@PathVariable(value = "link") String link, Model model) {
+ ModelAndView modelAndView = new ModelAndView();
+ if (ResetLinkAssignment.resetLinks.contains(link)) {
 PasswordChangeForm form = new PasswordChangeForm();
 form.setResetLink(link);
 model.addAttribute("form", form);
- return "password_reset"; //Display html page for changing password
+ modelAndView.addObject("form", form);
+ modelAndView.setViewName("password_reset"); //Display html page for changing password
 } else {
- return "password_link_not_found";
+ modelAndView.setViewName("password_link_not_found");
 }
+ return modelAndView;
 }
+ @GetMapping("/PasswordReset/reset/change-password")
+ public ModelAndView illegalCall() {
+ ModelAndView modelAndView = new ModelAndView();
+ modelAndView.setViewName("password_link_not_found");
+ return modelAndView;
+ }
+
 @PostMapping("/PasswordReset/reset/change-password")
- public String changePassword(@ModelAttribute("form") PasswordChangeForm form, BindingResult bindingResult) {
+ public ModelAndView changePassword(@ModelAttribute("form") PasswordChangeForm form, BindingResult bindingResult) {
+ ModelAndView modelAndView = new ModelAndView();
 if (!org.springframework.util.StringUtils.hasText(form.getPassword())) {
 bindingResult.rejectValue("password", "not.empty");
 }
 if (bindingResult.hasErrors()) {
- return "password_reset";
+ modelAndView.setViewName("password_reset");
+ return modelAndView;
 }
 if (!resetLinks.contains(form.getResetLink())) {
- return "password_link_not_found";
+ modelAndView.setViewName("password_link_not_found");
+ return modelAndView;
 }
 if (checkIfLinkIsFromTom(form.getResetLink())) {
 usersToTomPassword.put(getWebSession().getUserName(),
form.getPassword());
 }
- return "success";
+ modelAndView.setViewName("success");
+ return modelAndView;
 }
 private boolean checkIfLinkIsFromTom(String resetLinkFromForm) {
diff --git a/webgoat-lessons/password-reset/src/main/resources/templates/password_link_not_found.html b/webgoat-lessons/password-reset/src/main/resources/templates/password_link_not_found.html
index 6ffe93937..bb9d8cc2b 100644
--- a/webgoat-lessons/password-reset/src/main/resources/templates/password_link_not_found.html
+++ b/webgoat-lessons/password-reset/src/main/resources/templates/password_link_not_found.html
@@ -3,7 +3,7 @@ -
diff --git a/webgoat-lessons/password-reset/src/main/resources/templates/success.html b/webgoat-lessons/password-reset/src/main/resources/templates/success.html
index 9c20509bc..7f0c2d6a6 100644
--- a/webgoat-lessons/password-reset/src/main/resources/templates/success.html
+++ b/webgoat-lessons/password-reset/src/main/resources/templates/success.html
@@ -3,7 +3,7 @@ -
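Review bot: In resetPassword the form is now put into the model twice, by the retained `model.addAttribute("form", form);` and by the new `modelAndView.addObject("form", form);`; Spring merges the handler's Model into a returned ModelAndView, so keep only the ModelAndView call and drop the now-redundant `Model model` parameter. The new illegalCall() handler would read better with a comment stating why a GET is mapped on the POST-only change-password path, e.g. `// A GET on this path (no form posted) shows the generic not-found view instead of a 405 or error page` — that intent is inferred from the commit title, so confirm it. A point the commit leaves as it was: changePassword only checks `resetLinks.contains(form.getResetLink())` and never removes the link on the success path, so a link stays accepted until the queue evicts it; unless the lesson depends on that, add `resetLinks.remove(form.getResetLink());` before `modelAndView.setViewName("success");`. Both rewritten methods and illegalCall lie fully inside the hunk, but the class itself continues beyond it.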