From f66ad517210db611cead62792b22363e13cfd424 Mon Sep 17 00:00:00 2001
From: Max Geldner <max.sgeldner@t-online.de>
Date: Mon, 19 Nov 2018 17:48:49 +0100
Subject: [PATCH] Added comment parsing and feedback to text editor lessons

---
 .../mitigation/SqlInjectionLesson10b.java     | 34 ++++++++++++-------
 .../html/SqlInjectionMitigations.html         |  6 ++--
 .../resources/i18n/WebGoatLabels.properties   |  4 +++
 .../src/main/resources/js/assignment10b.js    | 15 ++++++--
 4 files changed, 42 insertions(+), 17 deletions(-)

diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10b.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10b.java
index 1ff872a10..8731fd565 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10b.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10b.java
@@ -9,6 +9,7 @@ import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
+import javax.servlet.http.HttpServletRequest;
 import javax.tools.*;
 import java.io.IOException;
 import java.net.URI;
@@ -21,22 +22,31 @@ import java.util.regex.Pattern;
 @AssignmentHints(value = {"SqlStringInjectionHint-mitigation-10b-1", "SqlStringInjectionHint-mitigation-10b-2", "SqlStringInjectionHint-mitigation-10b-3"})
 public class SqlInjectionLesson10b extends AssignmentEndpoint {
 
+    // Problem: Form has two submits, first submit is null and already wants to throw an attack result. Seconds attack result cant be thrown
     @RequestMapping(method = RequestMethod.POST)
     @ResponseBody
-    public AttackResult completed(@RequestParam String editor) {
-        String regex1 = "(?=.*PreparedStatement.*)(?=.*setString.*)(?=.*\\=\\?.*|.*\\=\\s\\?.*)";
-        editor = editor.replaceAll("\\<.*?>","");
-        boolean hasImportant = this.check_text(regex1, editor.replace("\n", "").replace("\r", ""));
-        List<Diagnostic> hasCompiled = this.compileFromString(editor);
-        String errors = "";
-        if(hasImportant && hasCompiled.size() < 1) {
-            return trackProgress(success().build());
-        } else if(hasCompiled.size() > 1) {
-            for(Diagnostic d : hasCompiled) {
-                errors += d.getMessage(null) + "\n";
+    public AttackResult completed(HttpServletRequest req) {
+        String editor = req.getParameter("editor");
+        try {
+            if (editor == null) {
+                throw new Exception();
             }
+            String regex1 = "(?=.*PreparedStatement.*)(?=.*setString.*)(?=.*\\=\\?.*|.*\\=\\s\\?.*)";
+            editor = editor.replaceAll("\\<.*?>", "");
+            boolean hasImportant = this.check_text(regex1, editor.replace("\n", "").replace("\r", ""));
+            List<Diagnostic> hasCompiled = this.compileFromString(editor);
+            String errors = "";
+            if (hasImportant && hasCompiled.size() < 1) {
+                return trackProgress(success().feedback("sql-injection.10b.success").build());
+            } else if (hasCompiled.size() > 1) {
+                for (Diagnostic d : hasCompiled) {
+                    errors += d.getMessage(null) + "\n";
+                }
+            }
+            return trackProgress(failed().feedback("sql-injection.10b.failed").output(errors).build());
+        } catch(Exception e) {
+            return trackProgress(success().build());
         }
-        return trackProgress(failed().output(errors).build());
     }
 
     private List<Diagnostic> compileFromString(String s) {
diff --git a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html
index 500e88116..c00ffd5ca 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html
+++ b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html
@@ -41,9 +41,9 @@
 
 <div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:SqlInjection_jdbc_newcode.adoc"></div>
-    <div class="attack-container" style="height: 300px; border: none !important">
+    <div id="insertcode" class="attack-container" style="height: 300px; border: none !important">
         <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-        <form class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/SqlInjection/attack10b" enctype="application/json;charset=UTF-8">
+        <form id="codesubmit" class="attack-form" accept-charset="UNKNOWN" method="POST" name="form" action="/WebGoat/SqlInjection/attack10b" enctype="application/json;charset=UTF-8">
             <div>
                 <div id="editor" style="position: absolute; top: 0; right: 0; bottom: 0; left: 0;" name="editor"></div>
                 <script th:src="@{/js/libs/ace/src-noconflict/ace.js}" type="text/javascript" charset="utf-8"></script>
@@ -55,9 +55,11 @@
                 </script>
             </div>
             <div class="input-group" style="margin-top: 10px">
+                <!--<input name="solution" value="Submit code" style="margin-top: 350%; margin-left: 60%;" type="SUBMIT" onclick="ace_collect()"/>-->
                 <button type="button" class="btn btn-primary" style="margin-top: 350%; margin-left: 60%;" onclick="ace_collect()">Submit</button>
             </div>
         </form>
+        <br />
         <div class="attack-feedback"></div>
         <div class="attack-output"></div>
     </div>
diff --git a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
index f2f9b70dc..a6183f6e4 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
+++ b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
@@ -66,6 +66,10 @@ SqlStringInjectionHint.9.5=How about something like '; UPDATE employees....
 
 sql-injection.10.success=<span class='feedback-positive'>Success! You successfully deleted the access_log table and that way compromised the availability of the data.</span>
 sql-injection.10.entries=<span class='feedback-negative'>There's still evidence of what you did. Better remove the whole table.</span>
+
+sql-injection.10b.success=Your code can prevent an SQL Injection! Success!
+sql-injection.10b.failed=Something doesn't seem right with that code. Maybe you should look at an example how to prevent SQL Injections with JDBC?
+        
 SqlStringInjectionHint.10.1=Use the techniques that you have learned before.
 SqlStringInjectionHint.10.2=The application takes your input and filters for entries that are LIKE it.
 SqlStringInjectionHint.10.3=Try query chaining to reach the goal.
diff --git a/webgoat-lessons/sql-injection/src/main/resources/js/assignment10b.js b/webgoat-lessons/sql-injection/src/main/resources/js/assignment10b.js
index 42be3af63..907832cf4 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/js/assignment10b.js
+++ b/webgoat-lessons/sql-injection/src/main/resources/js/assignment10b.js
@@ -1,16 +1,25 @@
 function ace_collect() {
     let code = "";
+    console.log("Test");
     $(".ace_line").each(function(i, el) {
-        code += el.innerHTML;
+        var to_add = el.innerHTML;
+        if(/\/\/.*/.test(to_add)) {
+            to_add = to_add.replace(/\/\/.*/i, '');
+        }
+        code += to_add;
     });
-    console.log(code);
-    code = $(".ace_content")[0].innerHTML;
     $.ajax({
         type: "POST",
         url: "/WebGoat/SqlInjection/attack10b",
         dataType: "text",
         data: {
             editor: code
+        },
+        success: function(data) {
+            console.log("entry");
+            let lesson_feedback = JSON.parse(data);
+            $("#insertcode .attack-feedback").css("display", "block");
+            $("#insertcode .attack-feedback").html(lesson_feedback.feedback);
         }
     });
 }
\ No newline at end of file