fixed views for password reset (#679)

René Zubcevic 2019-10-10 07:50:47 +02:00 committed by GitHub
parent 18d43f16d3
commit f140875156
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 26 additions and 11 deletions


@ -31,6 +31,7 @@ import org.owasp.webgoat.password_reset.resetlink.PasswordChangeForm;
import org.springframework.ui.Model; import org.springframework.ui.Model;
import org.springframework.validation.BindingResult; import org.springframework.validation.BindingResult;
import org.springframework.web.bind.annotation.*; import org.springframework.web.bind.annotation.*;
import org.springframework.web.servlet.ModelAndView;
import java.util.Map; import java.util.Map;
@ -46,7 +47,7 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
static final String TOM_EMAIL = "tom@webgoat-cloud.org"; static final String TOM_EMAIL = "tom@webgoat-cloud.org";
static Map<String, String> userToTomResetLink = Maps.newHashMap(); static Map<String, String> userToTomResetLink = Maps.newHashMap();
static Map<String, String> usersToTomPassword = Maps.newHashMap(); static Map<String, String> usersToTomPassword = Maps.newHashMap();
static EvictingQueue resetLinks = EvictingQueue.create(1000); static EvictingQueue<String> resetLinks = EvictingQueue.create(1000);
static final String TEMPLATE = "Hi, you requested a password reset link, please use this " + static final String TEMPLATE = "Hi, you requested a password reset link, please use this " +
"<a target='_blank' href='http://%s/WebGoat/PasswordReset/reset/reset-password/%s'>link</a> to reset your password." + "<a target='_blank' href='http://%s/WebGoat/PasswordReset/reset/reset-password/%s'>link</a> to reset your password." +
@ -73,32 +74,46 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
} }
@GetMapping("/PasswordReset/reset/reset-password/{link}") @GetMapping("/PasswordReset/reset/reset-password/{link}")
public String resetPassword(@PathVariable(value = "link") String link, Model model) { public ModelAndView resetPassword(@PathVariable(value = "link") String link, Model model) {
if (this.resetLinks.contains(link)) { ModelAndView modelAndView = new ModelAndView();
if (ResetLinkAssignment.resetLinks.contains(link)) {
PasswordChangeForm form = new PasswordChangeForm(); PasswordChangeForm form = new PasswordChangeForm();
form.setResetLink(link); form.setResetLink(link);
model.addAttribute("form", form); model.addAttribute("form", form);
return "password_reset"; //Display html page for changing password modelAndView.addObject("form", form);
modelAndView.setViewName("password_reset"); //Display html page for changing password
} else { } else {
return "password_link_not_found"; modelAndView.setViewName("password_link_not_found");
} }
return modelAndView;
} }
@GetMapping("/PasswordReset/reset/change-password")
public ModelAndView illegalCall() {
ModelAndView modelAndView = new ModelAndView();
modelAndView.setViewName("password_link_not_found");
return modelAndView;
}
@PostMapping("/PasswordReset/reset/change-password") @PostMapping("/PasswordReset/reset/change-password")
public String changePassword(@ModelAttribute("form") PasswordChangeForm form, BindingResult bindingResult) { public ModelAndView changePassword(@ModelAttribute("form") PasswordChangeForm form, BindingResult bindingResult) {
ModelAndView modelAndView = new ModelAndView();
if (!org.springframework.util.StringUtils.hasText(form.getPassword())) { if (!org.springframework.util.StringUtils.hasText(form.getPassword())) {
bindingResult.rejectValue("password", "not.empty"); bindingResult.rejectValue("password", "not.empty");
} }
if (bindingResult.hasErrors()) { if (bindingResult.hasErrors()) {
return "password_reset"; modelAndView.setViewName("password_reset");
return modelAndView;
} }
if (!resetLinks.contains(form.getResetLink())) { if (!resetLinks.contains(form.getResetLink())) {
return "password_link_not_found"; modelAndView.setViewName("password_link_not_found");
return modelAndView;
} }
if (checkIfLinkIsFromTom(form.getResetLink())) { if (checkIfLinkIsFromTom(form.getResetLink())) {
usersToTomPassword.put(getWebSession().getUserName(), form.getPassword()); usersToTomPassword.put(getWebSession().getUserName(), form.getPassword());
} }
return "success"; modelAndView.setViewName("success");
return modelAndView;
} }
private boolean checkIfLinkIsFromTom(String resetLinkFromForm) { private boolean checkIfLinkIsFromTom(String resetLinkFromForm) {
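Review bot: The new `resetPassword` adds the form to the model twice — `model.addAttribute("form", form)` is kept and `modelAndView.addObject("form", form)` is added — so one of them is dead and the `Model model` parameter no longer serves a purpose; dropping `model.addAttribute("form", form);` and the `Model` parameter keeps a single source of truth for the view model. The same method now reads the static queue as `ResetLinkAssignment.resetLinks.contains(link)` while `changePassword` still uses the bare `resetLinks.contains(form.getResetLink())`; pick one form for both. Separately, `changePassword` validates the link against `resetLinks` but never removes it after a successful change, so a used link stays valid until the EvictingQueue drops it; if link reuse is not deliberately part of this lesson, `resetLinks.remove(form.getResetLink());` after the `contains` check would close that. `checkIfLinkIsFromTom`'s body continues outside the hunk.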


@ -3,7 +3,7 @@
<head> <head>
<link rel="stylesheet" type="text/css" th:href="@{/plugins/bootstrap/css/bootstrap.min.css}"/> <link rel="stylesheet" type="text/css" th:href="@{/plugins/bootstrap/css/bootstrap.min.css}"/>
<link rel="stylesheet" type="text/css" th:href="@{/css/font-awesome.min.css}"/> <link rel="stylesheet" type="text/css" th:href="@{/css/font-awesome.min.css}"/>
<script th:src="@{/plugins/bootstrap/js/bootstrap.min.js}"/> <script th:src="@{/plugins/bootstrap/js/bootstrap.min.js}"></script>
</head> </head>
<body> <body>


@ -3,7 +3,7 @@
<head> <head>
<link rel="stylesheet" type="text/css" th:href="@{/plugins/bootstrap/css/bootstrap.min.css}"/> <link rel="stylesheet" type="text/css" th:href="@{/plugins/bootstrap/css/bootstrap.min.css}"/>
<link rel="stylesheet" type="text/css" th:href="@{/css/font-awesome.min.css}"/> <link rel="stylesheet" type="text/css" th:href="@{/css/font-awesome.min.css}"/>
<script th:src="@{/plugins/bootstrap/js/bootstrap.min.js}"/> <script th:src="@{/plugins/bootstrap/js/bootstrap.min.js}"></script>
</head> </head>
<body> <body>