dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/feature/spring-boot' into feature/spring-boot

Browse Source
This commit is contained in:
Jason White 2016-06-28 17:04:12 +02:00
commit f203f38702
6 changed files with 129 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
README.MD
View File

@ -175,3 +175,23 @@ show an extra set of links below the cookie overview.
To be able to see which labels are loaded through a property file, open up the developer tools avalailable from the info menu To be able to see which labels are loaded through a property file, open up the developer tools avalailable from the info menu
After the reload is complete, all labels which are loaded from a property file will be __marked green__. After the reload is complete, all labels which are loaded from a property file will be __marked green__.
## Docker support
WebGoat now has Docker support you can build a container with the following commands:
```Shell
cd WebGoat
mvn -pl webgoat-container package docker:build
```
With the following command you are able to run the Docker container on your local machine:
```Shell
docker run -p 8080:8080 -t webgoat/webgoat-container
docker ps
```
With the last command you are able to determine ip address to connect to.
At the moment the Docker image is not distributed to a Docker registry.

58
webgoat-container/pom.xml
View File

@ -113,6 +113,22 @@
</resource> </resource>
</resources> </resources>
<plugins> <plugins>
<plugin>
<groupId>com.spotify</groupId>
<artifactId>docker-maven-plugin</artifactId>
<version>0.4.10</version>
<configuration>
<imageName>webgoat/${project.artifactId}</imageName>
<dockerDirectory>src/main/docker</dockerDirectory>
<resources>
<resource>
<targetPath>/</targetPath>
<directory>${project.build.directory}</directory>
<include>${project.build.finalName}.war</include>
</resource>
</resources>
</configuration>
</plugin>
<plugin> <plugin>
<groupId>org.apache.maven.plugins</groupId> <groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId> <artifactId>maven-jar-plugin</artifactId>
@ -182,21 +198,23 @@
<plugin> <plugin>
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId> <artifactId>spring-boot-maven-plugin</artifactId>
<executions> <configuration>
<execution> <!-- See http://docs.spring.io/spring-boot/docs/current/reference/html/howto-build.html#howto-extract-specific-libraries-when-an-executable-jar-runs -->
<goals> <requiresUnpack>
<goal>repackage</goal> <dependency>
</goals> <groupId>org.thymeleaf.extra</groupId>
<configuration> <artifactId>thymeleaf-extras-springsecurity4</artifactId>
<requiresUnpack> </dependency>
<dependency> <dependency>
<groupId>org.thymeleaf.extra</groupId> <groupId>org.asciidoctor</groupId>
<artifactId>thymeleaf-extras-springsecurity4</artifactId> <artifactId>asciidoctorj</artifactId>
</dependency> </dependency>
</requiresUnpack> <dependency>
</configuration> <groupId>org.jruby</groupId>
</execution> <artifactId>jruby-complete</artifactId>
</executions> </dependency>
</requiresUnpack>
</configuration>
</plugin> </plugin>
</plugins> </plugins>
</build> </build>
@ -233,6 +251,10 @@
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-loader</artifactId> <artifactId>spring-boot-loader</artifactId>
</dependency> </dependency>
<dependency>
<groupId>com.fasterxml.jackson.dataformat</groupId>
<artifactId>jackson-dataformat-yaml</artifactId>
</dependency>
<dependency> <dependency>
<groupId>org.asciidoctor</groupId> <groupId>org.asciidoctor</groupId>
<artifactId>asciidoctorj</artifactId> <artifactId>asciidoctorj</artifactId>
@ -318,7 +340,11 @@
<artifactId>guava</artifactId> <artifactId>guava</artifactId>
<version>${guava.version}</version> <version>${guava.version}</version>
</dependency> </dependency>
<dependency>
<groupId>com.spotify</groupId>
<artifactId>docker-maven-plugin</artifactId>
<version>0.4.10</version>
</dependency>
<!-- ************* END spring MVC and related dependencies ************** --> <!-- ************* END spring MVC and related dependencies ************** -->
<!-- ************* START: Dependencies for Unit and Integration Testing ************** --> <!-- ************* START: Dependencies for Unit and Integration Testing ************** -->

5
webgoat-container/src/main/docker/Dockerfile Normal file
View File

@ -0,0 +1,5 @@
FROM frolvlad/alpine-oraclejdk8:slim
VOLUME /tmp
ADD webgoat-container-7.1-SNAPSHOT.war webgoat.jar
RUN sh -c 'touch /webgoat.jar'
ENTRYPOINT ["java","-Djava.security.egd=file:/dev/./urandom","-jar","/webgoat.jar"]

55
webgoat-container/src/main/java/org/owasp/webgoat/plugins/LessonDescription.java Normal file
View File

@ -0,0 +1,55 @@
/**
* ************************************************************************************************
* This file is part of WebGoat, an Open Web Application Security Project utility. For details,
* please see http://www.owasp.org/
* <p>
* Copyright (c) 2002 - 20014 Bruce Mayhew
* <p>
* This program is free software; you can redistribute it and/or modify it under the terms of the
* GNU General Public License as published by the Free Software Foundation; either version 2 of the
* License, or (at your option) any later version.
* <p>
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
* even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
* <p>
* You should have received a copy of the GNU General Public License along with this program; if
* not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
* 02111-1307, USA.
* <p>
* Getting Source ==============
* <p>
* Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software
* projects.
* <p>
*
* @author WebGoat
* @version $Id: $Id
* @since May 15, 2016
*/
package org.owasp.webgoat.plugins;
import java.util.List;
public class LessonDescription {
private String name;
private String title;
private String category;
private int ranking;
private List<String> hints;
}
/**
lesson:
name: Access Control Matrix
title: Using an Access Control Matrix
category: ACCESS_CONTROL
ranking: 10
hints:
- Many sites attempt to restrict access to resources by role.
- Developers frequently make mistakes implementing this scheme.
- Attempt combinations of users, roles, and resources.
*/

23
webgoat-container/src/main/java/org/owasp/webgoat/plugins/Plugin.java
View File

@ -3,12 +3,10 @@ package org.owasp.webgoat.plugins;
import com.google.common.base.Optional; import com.google.common.base.Optional;
import com.google.common.collect.Lists; import com.google.common.collect.Lists;
import org.owasp.webgoat.lessons.AbstractLesson; import org.owasp.webgoat.lessons.AbstractLesson;
import org.owasp.webgoat.lessons.LessonEndpointMapping;
import org.springframework.util.StringUtils; import org.springframework.util.StringUtils;
import java.io.File; import java.io.File;
import java.io.IOException; import java.io.IOException;
import java.lang.annotation.Annotation;
import java.nio.file.Path; import java.nio.file.Path;
import java.util.Arrays; import java.util.Arrays;
import java.util.HashMap; import java.util.HashMap;
@ -36,7 +34,6 @@ public class Plugin {
private Map<String, File> lessonPlansLanguageFiles = new HashMap<>(); private Map<String, File> lessonPlansLanguageFiles = new HashMap<>();
private List<File> pluginFiles = Lists.newArrayList(); private List<File> pluginFiles = Lists.newArrayList();
private File lessonSourceFile; private File lessonSourceFile;
private List<Class> lessonEndpoints = Lists.newArrayList();
public Plugin(PluginClassLoader classLoader) { public Plugin(PluginClassLoader classLoader) {
this.classLoader = classLoader; this.classLoader = classLoader;
@ -50,22 +47,6 @@ public class Plugin {
public void findLesson(List<String> classes) { public void findLesson(List<String> classes) {
for (String clazzName : classes) { for (String clazzName : classes) {
findLesson(clazzName); findLesson(clazzName);
findLessonEndpoints(clazzName);
}
}
private void findLessonEndpoints(String name) {
String realClassName = StringUtils.trimLeadingCharacter(name, '/').replaceAll("/", ".").replaceAll(".class", "");
try {
Class endpointClass = classLoader.loadClass(realClassName);
Annotation annotation = endpointClass.getAnnotation(LessonEndpointMapping.class);
if (annotation != null ) {
this.lessonEndpoints.add(endpointClass);
}
} catch (ClassNotFoundException e) {
e.printStackTrace();
//ignore
} }
} }
@ -104,10 +85,6 @@ public class Plugin {
} }
} }
public List<Class> getLessonEndpoints() {
return lessonEndpoints;
}
/** /**
* <p>rewritePaths.</p> * <p>rewritePaths.</p>
* *

14
webgoat-container/src/main/java/org/owasp/webgoat/plugins/PluginsLoader.java
View File

@ -27,8 +27,8 @@ import java.util.concurrent.CompletionService;
import java.util.concurrent.ExecutorCompletionService; import java.util.concurrent.ExecutorCompletionService;
import java.util.concurrent.ExecutorService; import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors; import java.util.concurrent.Executors;
import java.util.jar.JarFile;
import java.util.zip.ZipEntry; import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;
/** /**
* <p>PluginsLoader class.</p> * <p>PluginsLoader class.</p>
@ -58,11 +58,11 @@ public class PluginsLoader {
public List<Plugin> loadPlugins() { public List<Plugin> loadPlugins() {
List<Plugin> plugins = Lists.newArrayList(); List<Plugin> plugins = Lists.newArrayList();
try { try {
File jarFile = new File(this.getClass().getProtectionDomain().getCodeSource().getLocation().getFile()); URL location = this.getClass().getProtectionDomain().getCodeSource().getLocation();
if (jarFile.isDirectory()) { if (ResourceUtils.isFileURL(location)) {
extractToTempDirectoryFromExplodedDirectory(jarFile); extractToTempDirectoryFromExplodedDirectory(ResourceUtils.getFile(location));
} else { } else {
extractToTempDirectoryFromJarFile(jarFile); extractToTempDirectoryFromJarFile(ResourceUtils.getFile(ResourceUtils.extractJarFileURL(location)));
} }
List<URL> jars = listJars(); List<URL> jars = listJars();
plugins = processPlugins(jars); plugins = processPlugins(jars);
@ -73,7 +73,7 @@ public class PluginsLoader {
} }
private void extractToTempDirectoryFromJarFile(File jarFile) throws IOException { private void extractToTempDirectoryFromJarFile(File jarFile) throws IOException {
JarFile jar = new JarFile(jarFile); ZipFile jar = new ZipFile(jarFile);
Enumeration<? extends ZipEntry> entries = jar.entries(); Enumeration<? extends ZipEntry> entries = jar.entries();
while (entries.hasMoreElements()) { while (entries.hasMoreElements()) {
ZipEntry zipEntry = entries.nextElement(); ZipEntry zipEntry = entries.nextElement();
@ -83,7 +83,7 @@ public class PluginsLoader {
} }
} }
private void unpack(JarFile jar, ZipEntry zipEntry) throws IOException { private void unpack(ZipFile jar, ZipEntry zipEntry) throws IOException {
try (InputStream inputStream = jar.getInputStream(zipEntry)) { try (InputStream inputStream = jar.getInputStream(zipEntry)) {
String name = zipEntry.getName(); String name = zipEntry.getName();
if (name.lastIndexOf("/") != -1) { if (name.lastIndexOf("/") != -1) {