dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added some files required to build OWASP release.

Browse Source 
Modified License text and format to reflect GPL license.
Reformatted most of the code.

git-svn-id: http://webgoat.googlecode.com/svn/trunk@60 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
mayhew64
2007-01-16 14:56:40 +00:00
parent 036964495b
commit fd9b60f98e
110 changed files with 23099 additions and 17996 deletions
Download Patch File Download Diff File Expand all files Collapse all files

924
webgoat/main/project/JavaSource/org/owasp/webgoat/util/Exec.java
View File

@ -6,44 +6,67 @@ import java.io.InputStream;
import java.io.OutputStream;
import java.util.BitSet;
/**
* Copyright (c) 2002 Free Software Foundation developed under the custody of the Open Web
* Application Security Project (http://www.owasp.org) This software package org.owasp.webgoat.is published by OWASP
* under the GPL. You should read and accept the LICENSE before you use, modify and/or redistribute
* this software.
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @created October 28, 2003
*/
public class Exec
{
/**
* Description of the Method
*
* @param command Description of the Parameter
* @param input Description of the Parameter
* @return Description of the Return Value
*/
public static ExecResults execInput( String command, String input )
{
return ( execOptions( command, input, 0, 0, false ) );
}
/**
* Description of the Method
*
* @param command Description of the Parameter
* @param input Description of the Parameter
* @return Description of the Return Value
*/
public static ExecResults execInput(String command, String input)
{
return (execOptions(command, input, 0, 0, false));
}
/**
* Description of the Method
*
* @param command Description of the Parameter
* @return Description of the Return Value
*/
public static ExecResults execLazy( String command )
{
return ( execOptions( command, "", 0, 0, true ) );
}
/**
* Description of the Method
*
* @param command Description of the Parameter
* @return Description of the Return Value
*/
public static ExecResults execLazy(String command)
{
return (execOptions(command, "", 0, 0, true));
}
/*
/*
* Execute an OS command and capture the output in an ExecResults.
* All exceptions are caught and stored in the ExecResults.
* @param String command is the OS command to execute
@ -52,185 +75,187 @@ public class Exec
* @param int timeout is the number of milliseconds to wait before interrupting the command
* @param boolean quit tells the method to exit when there is no more output waiting
*/
/**
* Description of the Method
*
* @param command Description of the Parameter
* @param input Description of the Parameter
* @param successCode Description of the Parameter
* @param timeout Description of the Parameter
* @param lazy Description of the Parameter
* @return Description of the Return Value
*/
public static ExecResults execOptions( String[] command, String input, int successCode, int timeout, boolean lazy )
{
Process child = null;
ByteArrayOutputStream output = new ByteArrayOutputStream();
ByteArrayOutputStream errors = new ByteArrayOutputStream();
ExecResults results = new ExecResults( command[0], input, successCode, timeout );
BitSet interrupted = new BitSet( 1 );
boolean lazyQuit = false;
ThreadWatcher watcher;
/**
* Description of the Method
*
* @param command Description of the Parameter
* @param input Description of the Parameter
* @param successCode Description of the Parameter
* @param timeout Description of the Parameter
* @param lazy Description of the Parameter
* @return Description of the Return Value
*/
public static ExecResults execOptions(String[] command, String input,
int successCode, int timeout, boolean lazy)
{
Process child = null;
ByteArrayOutputStream output = new ByteArrayOutputStream();
ByteArrayOutputStream errors = new ByteArrayOutputStream();
ExecResults results = new ExecResults(command[0], input, successCode,
timeout);
BitSet interrupted = new BitSet(1);
boolean lazyQuit = false;
ThreadWatcher watcher;
try
{
// start the command
child = Runtime.getRuntime().exec(command);
// get the streams in and out of the command
InputStream processIn = child.getInputStream();
InputStream processError = child.getErrorStream();
OutputStream processOut = child.getOutputStream();
// start the clock running
if (timeout > 0)
{
watcher = new ThreadWatcher(child, interrupted, timeout);
new Thread(watcher).start();
}
// Write to the child process' input stream
if ((input != null) && !input.equals(""))
{
try
{
// start the command
child = Runtime.getRuntime().exec( command );
// get the streams in and out of the command
InputStream processIn = child.getInputStream();
InputStream processError = child.getErrorStream();
OutputStream processOut = child.getOutputStream();
// start the clock running
if ( timeout > 0 )
{
watcher = new ThreadWatcher( child, interrupted, timeout );
new Thread( watcher ).start();
}
// Write to the child process' input stream
if ( ( input != null ) && !input.equals( "" ) )
{
try
{
processOut.write( input.getBytes() );
processOut.flush();
processOut.close();
}
catch ( IOException e1 )
{
results.setThrowable( e1 );
}
}
// Read from the child process' output stream
// The process may get killed by the watcher at any time
int c = 0;
try
{
while ( true )
{
if ( interrupted.get( 0 ) || lazyQuit )
{
break;
}
// interrupted
c = processIn.read();
if ( c == -1 )
{
break;
}
// end of stream
output.write( c );
if ( lazy && ( processIn.available() < 1 ) )
{
lazyQuit = true;
}
// if lazy and nothing then quit (after at least one read)
}
processIn.close();
}
catch ( IOException e2 )
{
results.setThrowable( e2 );
}
finally
{
if ( interrupted.get( 0 ) )
{
results.setInterrupted();
}
results.setOutput( output.toString() );
}
// Read from the child process' error stream
// The process may get killed by the watcher at any time
try
{
while ( true )
{
if ( interrupted.get( 0 ) || lazyQuit )
{
break;
}
// interrupted
c = processError.read();
if ( c == -1 )
{
break;
}
// end of stream
output.write( c );
if ( lazy && ( processError.available() < 1 ) )
{
lazyQuit = true;
}
// if lazy and nothing then quit (after at least one read)
}
processError.close();
}
catch ( IOException e3 )
{
results.setThrowable( e3 );
}
finally
{
if ( interrupted.get( 0 ) )
{
results.setInterrupted();
}
results.setErrors( errors.toString() );
}
// wait for the return value of the child process.
if ( !interrupted.get( 0 ) && !lazyQuit )
{
int returnCode = child.waitFor();
results.setReturnCode( returnCode );
if ( returnCode != successCode )
{
results.setError( ExecResults.BADRETURNCODE );
}
}
processOut.write(input.getBytes());
processOut.flush();
processOut.close();
}
catch ( InterruptedException i )
catch (IOException e1)
{
results.setInterrupted();
results.setThrowable(e1);
}
catch ( Throwable t )
}
// Read from the child process' output stream
// The process may get killed by the watcher at any time
int c = 0;
try
{
while (true)
{
results.setThrowable( t );
}
finally
{
if ( child != null )
{
child.destroy();
}
if (interrupted.get(0) || lazyQuit)
{
break;
}
// interrupted
c = processIn.read();
if (c == -1)
{
break;
}
// end of stream
output.write(c);
if (lazy && (processIn.available() < 1))
{
lazyQuit = true;
}
// if lazy and nothing then quit (after at least one read)
}
return ( results );
processIn.close();
}
catch (IOException e2)
{
results.setThrowable(e2);
}
finally
{
if (interrupted.get(0))
{
results.setInterrupted();
}
results.setOutput(output.toString());
}
// Read from the child process' error stream
// The process may get killed by the watcher at any time
try
{
while (true)
{
if (interrupted.get(0) || lazyQuit)
{
break;
}
// interrupted
c = processError.read();
if (c == -1)
{
break;
}
// end of stream
output.write(c);
if (lazy && (processError.available() < 1))
{
lazyQuit = true;
}
// if lazy and nothing then quit (after at least one read)
}
processError.close();
}
catch (IOException e3)
{
results.setThrowable(e3);
}
finally
{
if (interrupted.get(0))
{
results.setInterrupted();
}
results.setErrors(errors.toString());
}
// wait for the return value of the child process.
if (!interrupted.get(0) && !lazyQuit)
{
int returnCode = child.waitFor();
results.setReturnCode(returnCode);
if (returnCode != successCode)
{
results.setError(ExecResults.BADRETURNCODE);
}
}
}
catch (InterruptedException i)
{
results.setInterrupted();
}
catch (Throwable t)
{
results.setThrowable(t);
}
finally
{
if (child != null)
{
child.destroy();
}
}
return (results);
}
/*
/*
* Execute an OS command and capture the output in an ExecResults.
* All exceptions are caught and stored in the ExecResults.
* @param String command is the OS command to execute
@ -239,270 +264,279 @@ public class Exec
* @param int timeout is the number of milliseconds to wait before interrupting the command
* @param boolean quit tells the method to exit when there is no more output waiting
*/
/**
* Description of the Method
*
* @param command Description of the Parameter
* @param input Description of the Parameter
* @param successCode Description of the Parameter
* @param timeout Description of the Parameter
* @param lazy Description of the Parameter
* @return Description of the Return Value
*/
public static ExecResults execOptions( String command, String input, int successCode, int timeout, boolean lazy )
{
Process child = null;
ByteArrayOutputStream output = new ByteArrayOutputStream();
ByteArrayOutputStream errors = new ByteArrayOutputStream();
ExecResults results = new ExecResults( command, input, successCode, timeout );
BitSet interrupted = new BitSet( 1 );
boolean lazyQuit = false;
ThreadWatcher watcher;
/**
* Description of the Method
*
* @param command Description of the Parameter
* @param input Description of the Parameter
* @param successCode Description of the Parameter
* @param timeout Description of the Parameter
* @param lazy Description of the Parameter
* @return Description of the Return Value
*/
public static ExecResults execOptions(String command, String input,
int successCode, int timeout, boolean lazy)
{
Process child = null;
ByteArrayOutputStream output = new ByteArrayOutputStream();
ByteArrayOutputStream errors = new ByteArrayOutputStream();
ExecResults results = new ExecResults(command, input, successCode,
timeout);
BitSet interrupted = new BitSet(1);
boolean lazyQuit = false;
ThreadWatcher watcher;
try
{
// start the command
child = Runtime.getRuntime().exec(command);
// get the streams in and out of the command
InputStream processIn = child.getInputStream();
InputStream processError = child.getErrorStream();
OutputStream processOut = child.getOutputStream();
// start the clock running
if (timeout > 0)
{
watcher = new ThreadWatcher(child, interrupted, timeout);
new Thread(watcher).start();
}
// Write to the child process' input stream
if ((input != null) && !input.equals(""))
{
try
{
// start the command
child = Runtime.getRuntime().exec( command );
// get the streams in and out of the command
InputStream processIn = child.getInputStream();
InputStream processError = child.getErrorStream();
OutputStream processOut = child.getOutputStream();
// start the clock running
if ( timeout > 0 )
{
watcher = new ThreadWatcher( child, interrupted, timeout );
new Thread( watcher ).start();
}
// Write to the child process' input stream
if ( ( input != null ) && !input.equals( "" ) )
{
try
{
processOut.write( input.getBytes() );
processOut.flush();
processOut.close();
}
catch ( IOException e1 )
{
results.setThrowable( e1 );
}
}
// Read from the child process' output stream
// The process may get killed by the watcher at any time
int c = 0;
try
{
while ( true )
{
if ( interrupted.get( 0 ) || lazyQuit )
{
break;
}
// interrupted
c = processIn.read();
if ( c == -1 )
{
break;
}
// end of stream
output.write( c );
if ( lazy && ( processIn.available() < 1 ) )
{
lazyQuit = true;
}
// if lazy and nothing then quit (after at least one read)
}
processIn.close();
}
catch ( IOException e2 )
{
results.setThrowable( e2 );
}
finally
{
if ( interrupted.get( 0 ) )
{
results.setInterrupted();
}
results.setOutput( output.toString() );
}
// Read from the child process' error stream
// The process may get killed by the watcher at any time
try
{
while ( true )
{
if ( interrupted.get( 0 ) || lazyQuit )
{
break;
}
// interrupted
c = processError.read();
if ( c == -1 )
{
break;
}
// end of stream
output.write( c );
if ( lazy && ( processError.available() < 1 ) )
{
lazyQuit = true;
}
// if lazy and nothing then quit (after at least one read)
}
processError.close();
}
catch ( IOException e3 )
{
results.setThrowable( e3 );
}
finally
{
if ( interrupted.get( 0 ) )
{
results.setInterrupted();
}
results.setErrors( errors.toString() );
}
// wait for the return value of the child process.
if ( !interrupted.get( 0 ) && !lazyQuit )
{
int returnCode = child.waitFor();
results.setReturnCode( returnCode );
if ( returnCode != successCode )
{
results.setError( ExecResults.BADRETURNCODE );
}
}
processOut.write(input.getBytes());
processOut.flush();
processOut.close();
}
catch ( InterruptedException i )
catch (IOException e1)
{
results.setInterrupted();
results.setThrowable(e1);
}
catch ( Throwable t )
}
// Read from the child process' output stream
// The process may get killed by the watcher at any time
int c = 0;
try
{
while (true)
{
results.setThrowable( t );
if (interrupted.get(0) || lazyQuit)
{
break;
}
// interrupted
c = processIn.read();
if (c == -1)
{
break;
}
// end of stream
output.write(c);
if (lazy && (processIn.available() < 1))
{
lazyQuit = true;
}
// if lazy and nothing then quit (after at least one read)
}
finally
processIn.close();
}
catch (IOException e2)
{
results.setThrowable(e2);
}
finally
{
if (interrupted.get(0))
{
if ( child != null )
{
child.destroy();
}
results.setInterrupted();
}
return ( results );
}
results.setOutput(output.toString());
}
/**
* Description of the Method
*
* @param command Description of the Parameter
* @return Description of the Return Value
*/
public static ExecResults execSimple( String[] command )
{
return ( execOptions( command, "", 0, 0, false ) );
}
/**
* Description of the Method
*
* @param command Description of the Parameter
* @return Description of the Return Value
*/
public static ExecResults execSimple( String command )
{
return ( execOptions( command, "", 0, 0, false ) );
}
/**
* Description of the Method
*
* @param command Description of the Parameter
* @param args Description of the Parameter
* @return Description of the Return Value
*/
public static ExecResults execSimple( String command, String args )
{
return ( execOptions( command, args, 0, 0, false ) );
}
/**
* Description of the Method
*
* @param command Description of the Parameter
* @param timeout Description of the Parameter
* @return Description of the Return Value
*/
public static ExecResults execTimeout( String command, int timeout )
{
return ( execOptions( command, "", 0, timeout, false ) );
}
/**
* The main program for the Exec class
*
* @param args The command line arguments
*/
public static void main( String[] args )
{
ExecResults results;
String sep = System.getProperty( "line.separator" );
System.out.println( "-------------------------------------------" + sep + "TEST 1: execSimple" );
results = Exec.execSimple( "c:/swarm-2.1.1/bin/whoami.exe" );
System.out.println( results );
System.out.println( "-------------------------------------------" + sep + "TEST 2: execSimple (with search)" );
results = Exec.execSimple( "netstat -r" );
System.out.println( results );
if ( results.outputContains( "localhost:1031" ) )
// Read from the child process' error stream
// The process may get killed by the watcher at any time
try
{
while (true)
{
System.out.println( "ERROR: listening on 1031" );
if (interrupted.get(0) || lazyQuit)
{
break;
}
// interrupted
c = processError.read();
if (c == -1)
{
break;
}
// end of stream
output.write(c);
if (lazy && (processError.available() < 1))
{
lazyQuit = true;
}
// if lazy and nothing then quit (after at least one read)
}
System.out.println( "-------------------------------------------" + sep + "TEST 3: execInput" );
results = Exec.execInput( "find \"cde\"", "abcdefg1\nhijklmnop\nqrstuv\nabcdefg2" );
System.out.println( results );
System.out.println( "-------------------------------------------" + sep + "TEST 4:execTimeout" );
results = Exec.execTimeout( "ping -t 127.0.0.1", 5 * 1000 );
System.out.println( results );
System.out.println( "-------------------------------------------" + sep + "TEST 5:execLazy" );
results = Exec.execLazy( "ping -t 127.0.0.1" );
System.out.println( results );
System.out.println( "-------------------------------------------" + sep + "TEST 6:ExecTimeout process never outputs" );
results = Exec.execTimeout( "c:/swarm-2.1.1/bin/sleep.exe 20", 5 * 1000 );
System.out.println( results );
System.out.println( "-------------------------------------------" + sep + "TEST 7:ExecTimeout process waits for input" );
results = Exec.execTimeout( "c:/swarm-2.1.1/bin/cat", 5 * 1000 );
System.out.println( results );
processError.close();
}
catch (IOException e3)
{
results.setThrowable(e3);
}
finally
{
if (interrupted.get(0))
{
results.setInterrupted();
}
results.setErrors(errors.toString());
}
// wait for the return value of the child process.
if (!interrupted.get(0) && !lazyQuit)
{
int returnCode = child.waitFor();
results.setReturnCode(returnCode);
if (returnCode != successCode)
{
results.setError(ExecResults.BADRETURNCODE);
}
}
}
catch (InterruptedException i)
{
results.setInterrupted();
}
catch (Throwable t)
{
results.setThrowable(t);
}
finally
{
if (child != null)
{
child.destroy();
}
}
return (results);
}
/**
* Description of the Method
*
* @param command Description of the Parameter
* @return Description of the Return Value
*/
public static ExecResults execSimple(String[] command)
{
return (execOptions(command, "", 0, 0, false));
}
/**
* Description of the Method
*
* @param command Description of the Parameter
* @return Description of the Return Value
*/
public static ExecResults execSimple(String command)
{
return (execOptions(command, "", 0, 0, false));
}
/**
* Description of the Method
*
* @param command Description of the Parameter
* @param args Description of the Parameter
* @return Description of the Return Value
*/
public static ExecResults execSimple(String command, String args)
{
return (execOptions(command, args, 0, 0, false));
}
/**
* Description of the Method
*
* @param command Description of the Parameter
* @param timeout Description of the Parameter
* @return Description of the Return Value
*/
public static ExecResults execTimeout(String command, int timeout)
{
return (execOptions(command, "", 0, timeout, false));
}
/**
* The main program for the Exec class
*
* @param args The command line arguments
*/
public static void main(String[] args)
{
ExecResults results;
String sep = System.getProperty("line.separator");
System.out.println("-------------------------------------------" + sep
+ "TEST 1: execSimple");
results = Exec.execSimple("c:/swarm-2.1.1/bin/whoami.exe");
System.out.println(results);
System.out.println("-------------------------------------------" + sep
+ "TEST 2: execSimple (with search)");
results = Exec.execSimple("netstat -r");
System.out.println(results);
if (results.outputContains("localhost:1031"))
{
System.out.println("ERROR: listening on 1031");
}
System.out.println("-------------------------------------------" + sep
+ "TEST 3: execInput");
results = Exec.execInput("find \"cde\"",
"abcdefg1\nhijklmnop\nqrstuv\nabcdefg2");
System.out.println(results);
System.out.println("-------------------------------------------" + sep
+ "TEST 4:execTimeout");
results = Exec.execTimeout("ping -t 127.0.0.1", 5 * 1000);
System.out.println(results);
System.out.println("-------------------------------------------" + sep
+ "TEST 5:execLazy");
results = Exec.execLazy("ping -t 127.0.0.1");
System.out.println(results);
System.out.println("-------------------------------------------" + sep
+ "TEST 6:ExecTimeout process never outputs");
results = Exec.execTimeout("c:/swarm-2.1.1/bin/sleep.exe 20", 5 * 1000);
System.out.println(results);
System.out.println("-------------------------------------------" + sep
+ "TEST 7:ExecTimeout process waits for input");
results = Exec.execTimeout("c:/swarm-2.1.1/bin/cat", 5 * 1000);
System.out.println(results);
}
}

170
webgoat/main/project/JavaSource/org/owasp/webgoat/util/ExecResults.java
View File

@ -1,15 +1,39 @@
package org.owasp.webgoat.util;
/**
* Copyright (c) 2002 Free Software Foundation developed under the custody of
* the Open Web Application Security Project (http://www.owasp.org) This
* software package org.owasp.webgoat.is published by OWASP under the GPL. You should read and
* accept the LICENSE before you use, modify and/or redistribute this software.
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
*/
public class ExecResults
{
/**
* Description of the Field
*/
@ -19,18 +43,30 @@ public class ExecResults
* Description of the Field
*/
public final static int THROWABLE = 1;
private String myCommand;
private boolean myError = false;
private int myErrorType = 0;
private String myErrors = null;
private String myInput;
private boolean myInterrupted = false;
private String myOutput = null;
private int myReturnCode = 0;
private int mySuccessCode;
private Throwable myThrowable = null;
private int myTimeout;
/**
* Constructor for the ExecResults object
*
@ -39,14 +75,16 @@ public class ExecResults
*@param successCode Description of the Parameter
*@param timeout Description of the Parameter
*/
public ExecResults(String command, String input, int successCode, int timeout)
public ExecResults(String command, String input, int successCode,
int timeout)
{
myCommand = command.trim();
myInput = input.trim();
mySuccessCode = successCode;
myTimeout = timeout;
myCommand = command.trim();
myInput = input.trim();
mySuccessCode = successCode;
myTimeout = timeout;
}
/**
* Description of the Method
*
@ -57,7 +95,8 @@ public class ExecResults
*/
private boolean contains(String haystack, String needle, int fromIndex)
{
return (haystack.trim().toLowerCase().indexOf(needle.trim().toLowerCase(), fromIndex) != -1);
return (haystack.trim().toLowerCase().indexOf(
needle.trim().toLowerCase(), fromIndex) != -1);
}
@ -69,7 +108,7 @@ public class ExecResults
*/
public boolean errorsContains(String value)
{
return (errorsContains(value, 0));
return (errorsContains(value, 0));
}
@ -82,7 +121,7 @@ public class ExecResults
*/
public boolean errorsContains(String value, int fromIndex)
{
return (contains(myErrors, value, fromIndex));
return (contains(myErrors, value, fromIndex));
}
@ -93,7 +132,7 @@ public class ExecResults
*/
public boolean getError()
{
return (myError);
return (myError);
}
@ -104,17 +143,17 @@ public class ExecResults
*/
public String getErrorMessage()
{
switch (getErrorType())
{
case THROWABLE:
return ("Exception: " + myThrowable.getMessage());
switch (getErrorType())
{
case THROWABLE:
return ("Exception: " + myThrowable.getMessage());
case BADRETURNCODE:
return ("Bad return code (expected " + mySuccessCode + ")");
case BADRETURNCODE:
return ("Bad return code (expected " + mySuccessCode + ")");
default:
return ("Unknown error");
}
default:
return ("Unknown error");
}
}
@ -125,7 +164,7 @@ public class ExecResults
*/
public int getErrorType()
{
return (myErrorType);
return (myErrorType);
}
@ -136,7 +175,7 @@ public class ExecResults
*/
public String getErrors()
{
return (myErrors);
return (myErrors);
}
@ -147,7 +186,7 @@ public class ExecResults
*/
public boolean getInterrupted()
{
return (myInterrupted);
return (myInterrupted);
}
@ -158,7 +197,7 @@ public class ExecResults
*/
public String getOutput()
{
return (myOutput);
return (myOutput);
}
@ -169,7 +208,7 @@ public class ExecResults
*/
public int getReturnCode()
{
return (myReturnCode);
return (myReturnCode);
}
@ -180,7 +219,7 @@ public class ExecResults
*/
public Throwable getThrowable()
{
return (myThrowable);
return (myThrowable);
}
@ -192,7 +231,7 @@ public class ExecResults
*/
public boolean outputContains(String value)
{
return (outputContains(value, 0));
return (outputContains(value, 0));
}
@ -205,7 +244,7 @@ public class ExecResults
*/
public boolean outputContains(String value, int fromIndex)
{
return (contains(myOutput, value, fromIndex));
return (contains(myOutput, value, fromIndex));
}
@ -216,8 +255,8 @@ public class ExecResults
*/
public void setError(int value)
{
myError = true;
myErrorType = value;
myError = true;
myErrorType = value;
}
@ -228,7 +267,7 @@ public class ExecResults
*/
public void setErrors(String errors)
{
myErrors = errors.trim();
myErrors = errors.trim();
}
@ -237,7 +276,7 @@ public class ExecResults
*/
public void setInterrupted()
{
myInterrupted = true;
myInterrupted = true;
}
@ -248,7 +287,7 @@ public class ExecResults
*/
public void setOutput(String value)
{
myOutput = value.trim();
myOutput = value.trim();
}
@ -259,7 +298,7 @@ public class ExecResults
*/
public void setReturnCode(int value)
{
myReturnCode = value;
myReturnCode = value;
}
@ -270,8 +309,8 @@ public class ExecResults
*/
public void setThrowable(Throwable value)
{
setError(THROWABLE);
myThrowable = value;
setError(THROWABLE);
myThrowable = value;
}
@ -282,39 +321,40 @@ public class ExecResults
*/
public String toString()
{
String sep = System.getProperty("line.separator");
StringBuffer value = new StringBuffer();
value.append("ExecResults for \'" + myCommand + "\'" + sep);
String sep = System.getProperty("line.separator");
StringBuffer value = new StringBuffer();
value.append("ExecResults for \'" + myCommand + "\'" + sep);
if ((myInput != null) && !myInput.equals(""))
{
value.append(sep + "Input..." + sep + myInput + sep);
}
if ((myInput != null) && !myInput.equals(""))
{
value.append(sep + "Input..." + sep + myInput + sep);
}
if ((myOutput != null) && !myOutput.equals(""))
{
value.append(sep + "Output..." + sep + myOutput + sep);
}
if ((myOutput != null) && !myOutput.equals(""))
{
value.append(sep + "Output..." + sep + myOutput + sep);
}
if ((myErrors != null) && !myErrors.equals(""))
{
value.append(sep + "Errors..." + sep + myErrors + sep);
}
if ((myErrors != null) && !myErrors.equals(""))
{
value.append(sep + "Errors..." + sep + myErrors + sep);
}
value.append(sep);
value.append(sep);
if (myInterrupted)
{
value.append("Command timed out after " + (myTimeout / 1000) + " seconds " + sep);
}
if (myInterrupted)
{
value.append("Command timed out after " + (myTimeout / 1000)
+ " seconds " + sep);
}
value.append("Returncode: " + myReturnCode + sep);
value.append("Returncode: " + myReturnCode + sep);
if (myError)
{
value.append(getErrorMessage() + sep);
}
if (myError)
{
value.append(getErrorMessage() + sep);
}
return (value.toString());
return (value.toString());
}
}

38
webgoat/main/project/JavaSource/org/owasp/webgoat/util/ExecutionException.java
View File

@ -1,21 +1,45 @@
package org.owasp.webgoat.util;
/**
* Copyright (c) 2002 Free Software Foundation developed under the custody of
* the Open Web Application Security Project (http://www.owasp.org) This
* software package org.owasp.webgoat.is published by OWASP under the GPL. You should read and
* accept the LICENSE before you use, modify and/or redistribute this software.
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
*/
public class ExecutionException extends Exception
{
/**
* Constructor for the ExecutionException object
*/
public ExecutionException()
{
super();
super();
}
@ -26,6 +50,6 @@ public class ExecutionException extends Exception
*/
public ExecutionException(String msg)
{
super(msg);
super(msg);
}
}

390
webgoat/main/project/JavaSource/org/owasp/webgoat/util/HtmlEncoder.java
View File

@ -3,193 +3,223 @@ package org.owasp.webgoat.util;
import java.util.HashMap;
import java.util.Map;
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*/
public class HtmlEncoder
{
static Map e2i = new HashMap();
static Map i2e = new HashMap();
// html entity list
private static Object[][] entities =
static Map e2i = new HashMap();
static Map i2e = new HashMap();
// html entity list
private static Object[][] entities = { { "quot", new Integer(34) }, // " - double-quote
{ "amp", new Integer(38) }, // & - ampersand
{ "lt", new Integer(60) }, // < - less-than
{ "gt", new Integer(62) }, // > - greater-than
{ "nbsp", new Integer(160) }, // non-breaking space
{ "copy", new Integer(169) }, // <20> - copyright
{ "reg", new Integer(174) }, // <20> - registered trademark
{ "Agrave", new Integer(192) }, // <20> - uppercase A, grave accent
{ "Aacute", new Integer(193) }, // <20> - uppercase A, acute accent
{ "Acirc", new Integer(194) }, // <20> - uppercase A, circumflex accent
{ "Atilde", new Integer(195) }, // <20> - uppercase A, tilde
{ "Auml", new Integer(196) }, // <20> - uppercase A, umlaut
{ "Aring", new Integer(197) }, // <20> - uppercase A, ring
{ "AElig", new Integer(198) }, // <20> - uppercase AE
{ "Ccedil", new Integer(199) }, // <20> - uppercase C, cedilla
{ "Egrave", new Integer(200) }, // <20> - uppercase E, grave accent
{ "Eacute", new Integer(201) }, // <20> - uppercase E, acute accent
{ "Ecirc", new Integer(202) }, // <20> - uppercase E, circumflex accent
{ "Euml", new Integer(203) }, // <20> - uppercase E, umlaut
{ "Igrave", new Integer(204) }, // <20> - uppercase I, grave accent
{ "Iacute", new Integer(205) }, // <20> - uppercase I, acute accent
{ "Icirc", new Integer(206) }, // <20> - uppercase I, circumflex accent
{ "Iuml", new Integer(207) }, // <20> - uppercase I, umlaut
{ "ETH", new Integer(208) }, // <20> - uppercase Eth, Icelandic
{ "Ntilde", new Integer(209) }, // <20> - uppercase N, tilde
{ "Ograve", new Integer(210) }, // <20> - uppercase O, grave accent
{ "Oacute", new Integer(211) }, // <20> - uppercase O, acute accent
{ "Ocirc", new Integer(212) }, // <20> - uppercase O, circumflex accent
{ "Otilde", new Integer(213) }, // <20> - uppercase O, tilde
{ "Ouml", new Integer(214) }, // <20> - uppercase O, umlaut
{ "Oslash", new Integer(216) }, // <20> - uppercase O, slash
{ "Ugrave", new Integer(217) }, // <20> - uppercase U, grave accent
{ "Uacute", new Integer(218) }, // <20> - uppercase U, acute accent
{ "Ucirc", new Integer(219) }, // <20> - uppercase U, circumflex accent
{ "Uuml", new Integer(220) }, // <20> - uppercase U, umlaut
{ "Yacute", new Integer(221) }, // <20> - uppercase Y, acute accent
{ "THORN", new Integer(222) }, // <20> - uppercase THORN, Icelandic
{ "szlig", new Integer(223) }, // <20> - lowercase sharps, German
{ "agrave", new Integer(224) }, // <20> - lowercase a, grave accent
{ "aacute", new Integer(225) }, // <20> - lowercase a, acute accent
{ "acirc", new Integer(226) }, // <20> - lowercase a, circumflex accent
{ "atilde", new Integer(227) }, // <20> - lowercase a, tilde
{ "auml", new Integer(228) }, // <20> - lowercase a, umlaut
{ "aring", new Integer(229) }, // <20> - lowercase a, ring
{ "aelig", new Integer(230) }, // <20> - lowercase ae
{ "ccedil", new Integer(231) }, // <20> - lowercase c, cedilla
{ "egrave", new Integer(232) }, // <20> - lowercase e, grave accent
{ "eacute", new Integer(233) }, // <20> - lowercase e, acute accent
{ "ecirc", new Integer(234) }, // <20> - lowercase e, circumflex accent
{ "euml", new Integer(235) }, // <20> - lowercase e, umlaut
{ "igrave", new Integer(236) }, // <20> - lowercase i, grave accent
{ "iacute", new Integer(237) }, // <20> - lowercase i, acute accent
{ "icirc", new Integer(238) }, // <20> - lowercase i, circumflex accent
{ "iuml", new Integer(239) }, // <20> - lowercase i, umlaut
{ "igrave", new Integer(236) }, // <20> - lowercase i, grave accent
{ "iacute", new Integer(237) }, // <20> - lowercase i, acute accent
{ "icirc", new Integer(238) }, // <20> - lowercase i, circumflex accent
{ "iuml", new Integer(239) }, // <20> - lowercase i, umlaut
{ "eth", new Integer(240) }, // <20> - lowercase eth, Icelandic
{ "ntilde", new Integer(241) }, // <20> - lowercase n, tilde
{ "ograve", new Integer(242) }, // <20> - lowercase o, grave accent
{ "oacute", new Integer(243) }, // <20> - lowercase o, acute accent
{ "ocirc", new Integer(244) }, // <20> - lowercase o, circumflex accent
{ "otilde", new Integer(245) }, // <20> - lowercase o, tilde
{ "ouml", new Integer(246) }, // <20> - lowercase o, umlaut
{ "oslash", new Integer(248) }, // <20> - lowercase o, slash
{ "ugrave", new Integer(249) }, // <20> - lowercase u, grave accent
{ "uacute", new Integer(250) }, // <20> - lowercase u, acute accent
{ "ucirc", new Integer(251) }, // <20> - lowercase u, circumflex accent
{ "uuml", new Integer(252) }, // <20> - lowercase u, umlaut
{ "yacute", new Integer(253) }, // <20> - lowercase y, acute accent
{ "thorn", new Integer(254) }, // <20> - lowercase thorn, Icelandic
{ "yuml", new Integer(255) }, // <20> - lowercase y, umlaut
{ "euro", new Integer(8364) },// Euro symbol
};
public HtmlEncoder()
{
for (int i = 0; i < entities.length; i++)
e2i.put(entities[i][0], entities[i][1]);
for (int i = 0; i < entities.length; i++)
i2e.put(entities[i][1], entities[i][0]);
}
/**
* Turns funky characters into HTML entity equivalents<p>
*
* e.g. <tt>"bread" & "butter"</tt> => <tt>&amp;quot;bread&amp;quot; &amp;amp;
* &amp;quot;butter&amp;quot;</tt> . Update: supports nearly all HTML entities, including funky
* accents. See the source code for more detail. Adapted from
* http://www.purpletech.com/code/src/com/purpletech/util/Utils.java.
*
* @param s1 Description of the Parameter
* @return Description of the Return Value
*/
public static String encode(String s1)
{
StringBuffer buf = new StringBuffer();
int i;
for (i = 0; i < s1.length(); ++i)
{
{"quot", new Integer( 34 )}, // " - double-quote
{"amp", new Integer( 38 )}, // & - ampersand
{"lt", new Integer( 60 )}, // < - less-than
{"gt", new Integer( 62 )}, // > - greater-than
{"nbsp", new Integer( 160 )}, // non-breaking space
{"copy", new Integer( 169 )}, // <20> - copyright
{"reg", new Integer( 174 )}, // <20> - registered trademark
{"Agrave", new Integer( 192 )}, // <20> - uppercase A, grave accent
{"Aacute", new Integer( 193 )}, // <20> - uppercase A, acute accent
{"Acirc", new Integer( 194 )}, // <20> - uppercase A, circumflex accent
{"Atilde", new Integer( 195 )}, // <20> - uppercase A, tilde
{"Auml", new Integer( 196 )}, // <20> - uppercase A, umlaut
{"Aring", new Integer( 197 )}, // <20> - uppercase A, ring
{"AElig", new Integer( 198 )}, // <20> - uppercase AE
{"Ccedil", new Integer( 199 )}, // <20> - uppercase C, cedilla
{"Egrave", new Integer( 200 )}, // <20> - uppercase E, grave accent
{"Eacute", new Integer( 201 )}, // <20> - uppercase E, acute accent
{"Ecirc", new Integer( 202 )}, // <20> - uppercase E, circumflex accent
{"Euml", new Integer( 203 )}, // <20> - uppercase E, umlaut
{"Igrave", new Integer( 204 )}, // <20> - uppercase I, grave accent
{"Iacute", new Integer( 205 )}, // <20> - uppercase I, acute accent
{"Icirc", new Integer( 206 )}, // <20> - uppercase I, circumflex accent
{"Iuml", new Integer( 207 )}, // <20> - uppercase I, umlaut
{"ETH", new Integer( 208 )}, // <20> - uppercase Eth, Icelandic
{"Ntilde", new Integer( 209 )}, // <20> - uppercase N, tilde
{"Ograve", new Integer( 210 )}, // <20> - uppercase O, grave accent
{"Oacute", new Integer( 211 )}, // <20> - uppercase O, acute accent
{"Ocirc", new Integer( 212 )}, // <20> - uppercase O, circumflex accent
{"Otilde", new Integer( 213 )}, // <20> - uppercase O, tilde
{"Ouml", new Integer( 214 )}, // <20> - uppercase O, umlaut
{"Oslash", new Integer( 216 )}, // <20> - uppercase O, slash
{"Ugrave", new Integer( 217 )}, // <20> - uppercase U, grave accent
{"Uacute", new Integer( 218 )}, // <20> - uppercase U, acute accent
{"Ucirc", new Integer( 219 )}, // <20> - uppercase U, circumflex accent
{"Uuml", new Integer( 220 )}, // <20> - uppercase U, umlaut
{"Yacute", new Integer( 221 )}, // <20> - uppercase Y, acute accent
{"THORN", new Integer( 222 )}, // <20> - uppercase THORN, Icelandic
{"szlig", new Integer( 223 )}, // <20> - lowercase sharps, German
{"agrave", new Integer( 224 )}, // <20> - lowercase a, grave accent
{"aacute", new Integer( 225 )}, // <20> - lowercase a, acute accent
{"acirc", new Integer( 226 )}, // <20> - lowercase a, circumflex accent
{"atilde", new Integer( 227 )}, // <20> - lowercase a, tilde
{"auml", new Integer( 228 )}, // <20> - lowercase a, umlaut
{"aring", new Integer( 229 )}, // <20> - lowercase a, ring
{"aelig", new Integer( 230 )}, // <20> - lowercase ae
{"ccedil", new Integer( 231 )}, // <20> - lowercase c, cedilla
{"egrave", new Integer( 232 )}, // <20> - lowercase e, grave accent
{"eacute", new Integer( 233 )}, // <20> - lowercase e, acute accent
{"ecirc", new Integer( 234 )}, // <20> - lowercase e, circumflex accent
{"euml", new Integer( 235 )}, // <20> - lowercase e, umlaut
{"igrave", new Integer( 236 )}, // <20> - lowercase i, grave accent
{"iacute", new Integer( 237 )}, // <20> - lowercase i, acute accent
{"icirc", new Integer( 238 )}, // <20> - lowercase i, circumflex accent
{"iuml", new Integer( 239 )}, // <20> - lowercase i, umlaut
{"igrave", new Integer( 236 )}, // <20> - lowercase i, grave accent
{"iacute", new Integer( 237 )}, // <20> - lowercase i, acute accent
{"icirc", new Integer( 238 )}, // <20> - lowercase i, circumflex accent
{"iuml", new Integer( 239 )}, // <20> - lowercase i, umlaut
{"eth", new Integer( 240 )}, // <20> - lowercase eth, Icelandic
{"ntilde", new Integer( 241 )}, // <20> - lowercase n, tilde
{"ograve", new Integer( 242 )}, // <20> - lowercase o, grave accent
{"oacute", new Integer( 243 )}, // <20> - lowercase o, acute accent
{"ocirc", new Integer( 244 )}, // <20> - lowercase o, circumflex accent
{"otilde", new Integer( 245 )}, // <20> - lowercase o, tilde
{"ouml", new Integer( 246 )}, // <20> - lowercase o, umlaut
{"oslash", new Integer( 248 )}, // <20> - lowercase o, slash
{"ugrave", new Integer( 249 )}, // <20> - lowercase u, grave accent
{"uacute", new Integer( 250 )}, // <20> - lowercase u, acute accent
{"ucirc", new Integer( 251 )}, // <20> - lowercase u, circumflex accent
{"uuml", new Integer( 252 )}, // <20> - lowercase u, umlaut
{"yacute", new Integer( 253 )}, // <20> - lowercase y, acute accent
{"thorn", new Integer( 254 )}, // <20> - lowercase thorn, Icelandic
{"yuml", new Integer( 255 )}, // <20> - lowercase y, umlaut
{"euro", new Integer( 8364 )},// Euro symbol
};
public HtmlEncoder()
{
for(int i=0; i<entities.length; i++)
e2i.put(entities[i][0], entities[i][1]);
for(int i=0; i<entities.length; i++)
i2e.put(entities[i][1], entities[i][0]);
}
/**
* Turns funky characters into HTML entity equivalents<p>
*
* e.g. <tt>"bread" & "butter"</tt> => <tt>&amp;quot;bread&amp;quot; &amp;amp;
* &amp;quot;butter&amp;quot;</tt> . Update: supports nearly all HTML entities, including funky
* accents. See the source code for more detail. Adapted from
* http://www.purpletech.com/code/src/com/purpletech/util/Utils.java.
*
* @param s1 Description of the Parameter
* @return Description of the Return Value
*/
public static String encode( String s1 )
{
StringBuffer buf = new StringBuffer();
int i;
for ( i = 0; i < s1.length(); ++i )
char ch = s1.charAt(i);
String entity = (String) i2e.get(new Integer((int) ch));
if (entity == null)
{
if (((int) ch) > 128)
{
char ch = s1.charAt( i );
String entity = (String) i2e.get( new Integer( (int) ch ) );
if ( entity == null )
{
if ( ( (int) ch ) > 128 )
{
buf.append( "&#" + ( (int) ch ) + ";" );
}
else
{
buf.append( ch );
}
}
else
{
buf.append( "&" + entity + ";" );
}
buf.append("&#" + ((int) ch) + ";");
}
return buf.toString();
}
/**
* Given a string containing entity escapes, returns a string containing the actual Unicode
* characters corresponding to the escapes. Adapted from
* http://www.purpletech.com/code/src/com/purpletech/util/Utils.java.
*
* @param s1 Description of the Parameter
* @return Description of the Return Value
*/
public static String decode( String s1 )
{
StringBuffer buf = new StringBuffer();
int i;
for ( i = 0; i < s1.length(); ++i )
else
{
char ch = s1.charAt( i );
if ( ch == '&' )
{
int semi = s1.indexOf( ';', i + 1 );
if ( semi == -1 )
{
buf.append( ch );
continue;
}
String entity = s1.substring( i + 1, semi );
Integer iso;
if ( entity.charAt( 0 ) == '#' )
{
iso = new Integer( entity.substring( 1 ) );
}
else
{
iso = (Integer) e2i.get( entity );
}
if ( iso == null )
{
buf.append( "&" + entity + ";" );
}
else
{
buf.append( (char) ( iso.intValue() ) );
}
i = semi;
}
else
{
buf.append( ch );
}
buf.append(ch);
}
return buf.toString();
}
else
{
buf.append("&" + entity + ";");
}
}
return buf.toString();
}
/**
* Given a string containing entity escapes, returns a string containing the actual Unicode
* characters corresponding to the escapes. Adapted from
* http://www.purpletech.com/code/src/com/purpletech/util/Utils.java.
*
* @param s1 Description of the Parameter
* @return Description of the Return Value
*/
public static String decode(String s1)
{
StringBuffer buf = new StringBuffer();
int i;
for (i = 0; i < s1.length(); ++i)
{
char ch = s1.charAt(i);
if (ch == '&')
{
int semi = s1.indexOf(';', i + 1);
if (semi == -1)
{
buf.append(ch);
continue;
}
String entity = s1.substring(i + 1, semi);
Integer iso;
if (entity.charAt(0) == '#')
{
iso = new Integer(entity.substring(1));
}
else
{
iso = (Integer) e2i.get(entity);
}
if (iso == null)
{
buf.append("&" + entity + ";");
}
else
{
buf.append((char) (iso.intValue()));
}
i = semi;
}
else
{
buf.append(ch);
}
}
return buf.toString();
}
}

199
webgoat/main/project/JavaSource/org/owasp/webgoat/util/Interceptor.java
View File

@ -20,93 +20,134 @@ import javax.servlet.ServletResponse;
import javax.servlet.RequestDispatcher;
import javax.servlet.http.HttpServletRequest;
/**
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
* @author sherif koussa - Macadamian Technologies
*
*/
public class Interceptor implements Filter {
public class Interceptor implements Filter
{
private static final String OSG_SERVER_NAME = "OSGServerName";
private static final String OSG_SERVER_PORT = "OSGServerPort";
private static final String OSG_SERVER_NAME = "OSGServerName";
/* (non-Javadoc)
* @see javax.servlet.Filter#destroy()
*/
public void destroy() {
// TODO Auto-generated method stub
private static final String OSG_SERVER_PORT = "OSGServerPort";
/* (non-Javadoc)
* @see javax.servlet.Filter#destroy()
*/
public void destroy()
{
// TODO Auto-generated method stub
}
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException
{
HttpServletRequest req = (HttpServletRequest) request;
Socket osgSocket = null;
PrintWriter out = null;
BufferedReader in = null;
String osgServerName = req.getSession().getServletContext()
.getInitParameter(OSG_SERVER_NAME);
String osgServerPort = req.getSession().getServletContext()
.getInitParameter(OSG_SERVER_PORT);
try
{
//If these parameters are not defined then no communication will happen with OSG
if (osgServerName != null && osgServerName.length() != 0
&& osgServerPort != null && osgServerPort.length() != 0)
{
osgSocket = new Socket(osgServerName, Integer
.parseInt(osgServerPort));
if (osgSocket != null)
{
out = new PrintWriter(osgSocket.getOutputStream(), true);
in = new BufferedReader(new InputStreamReader(osgSocket
.getInputStream()));
//String message = "HTTPRECEIVEHTTPREQUEST,-,DataValidation_SqlInjection_Basic.aspx";
//out.println(message);
//System.out.println(in.readLine());
}
}
}
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest)request;
Socket osgSocket = null;
PrintWriter out = null;
BufferedReader in = null;
String osgServerName = req.getSession().getServletContext().getInitParameter(OSG_SERVER_NAME);
String osgServerPort = req.getSession().getServletContext().getInitParameter(OSG_SERVER_PORT);
try {
//If these parameters are not defined then no communication will happen with OSG
if (osgServerName != null && osgServerName.length() != 0 &&
osgServerPort != null && osgServerPort.length() != 0 )
{
osgSocket = new Socket(osgServerName, Integer.parseInt(osgServerPort));
if ( osgSocket != null )
{
out = new PrintWriter(osgSocket.getOutputStream(), true);
in = new BufferedReader(new InputStreamReader(
osgSocket.getInputStream()));
//String message = "HTTPRECEIVEHTTPREQUEST,-,DataValidation_SqlInjection_Basic.aspx";
//out.println(message);
//System.out.println(in.readLine());
}
}
}
catch (UnknownHostException e)
{
e.printStackTrace();
}
catch (IOException e)
{
e.printStackTrace();
}
finally
{
if (out != null)
{
out.close();
}
if (in != null)
{
in.close();
}
if (osgSocket != null)
{
osgSocket.close();
}
}
String url = req.getRequestURL().toString();
RequestDispatcher disp = req.getRequestDispatcher(url.substring(url.lastIndexOf("WebGoat/") + "WebGoat".length()));
disp.forward(request, response);
}
/* (non-Javadoc)
* @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
*/
public void init(FilterConfig arg0) throws ServletException {
// TODO Auto-generated method stub
catch (UnknownHostException e)
{
e.printStackTrace();
}
catch (IOException e)
{
e.printStackTrace();
}
finally
{
if (out != null)
{
out.close();
}
if (in != null)
{
in.close();
}
if (osgSocket != null)
{
osgSocket.close();
}
}
String url = req.getRequestURL().toString();
RequestDispatcher disp = req.getRequestDispatcher(url.substring(url
.lastIndexOf("WebGoat/")
+ "WebGoat".length()));
disp.forward(request, response);
}
/* (non-Javadoc)
* @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
*/
public void init(FilterConfig arg0) throws ServletException
{
// TODO Auto-generated method stub
}
}

109
webgoat/main/project/JavaSource/org/owasp/webgoat/util/ThreadWatcher.java
View File

@ -2,23 +2,49 @@ package org.owasp.webgoat.util;
import java.util.BitSet;
/**
* Copyright (c) 2002 Free Software Foundation developed under the custody of
* the Open Web Application Security Project (http://www.owasp.org) This
* software package org.owasp.webgoat.is published by OWASP under the GPL. You should read and
* accept the LICENSE before you use, modify and/or redistribute this software.
/*******************************************************************************
*
*
* This file is part of WebGoat, an Open Web Application Security Project
* utility. For details, please see http://www.owasp.org/
*
* Copyright (c) 2002 - 2007 Bruce Mayhew
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software
* Foundation; either version 2 of the License, or (at your option) any later
* version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 59 Temple
* Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Getting Source ==============
*
* Source for this application is maintained at code.google.com, a repository
* for free software projects.
*
* For details, please see http://code.google.com/p/webgoat/
*
*@author jwilliams@aspectsecurity.com
*@created November 6, 2002
*/
public class ThreadWatcher implements Runnable
{
// time to live in milliseconds
private BitSet myInterrupted;
private Process myProcess;
private int myTimeout;
/**
* Constructor for the ThreadWatcher object
*
@ -28,13 +54,14 @@ public class ThreadWatcher implements Runnable
*/
public ThreadWatcher(Process p, BitSet interrupted, int timeout)
{
myProcess = p;
myProcess = p;
// thread used by whoever constructed this watcher
myTimeout = timeout;
myInterrupted = interrupted;
// thread used by whoever constructed this watcher
myTimeout = timeout;
myInterrupted = interrupted;
}
/*
* Interrupt the thread by marking the interrupted bit and killing the process
*/
@ -44,30 +71,30 @@ public class ThreadWatcher implements Runnable
*/
public void interrupt()
{
myInterrupted.set(0);
myInterrupted.set(0);
// set interrupted bit (bit 0 of the bitset) to 1
myProcess.destroy();
// set interrupted bit (bit 0 of the bitset) to 1
myProcess.destroy();
/*
* try
* {
* myProcess.getInputStream().close();
* }
* catch( IOException e1 )
* {
* / do nothing -- input streams are probably already closed
* }
* try
* {
* myProcess.getErrorStream().close();
* }
* catch( IOException e2 )
* {
* / do nothing -- input streams are probably already closed
* }
* myThread.interrupt();
*/
/*
* try
* {
* myProcess.getInputStream().close();
* }
* catch( IOException e1 )
* {
* / do nothing -- input streams are probably already closed
* }
* try
* {
* myProcess.getErrorStream().close();
* }
* catch( IOException e2 )
* {
* / do nothing -- input streams are probably already closed
* }
* myThread.interrupt();
*/
}
@ -76,15 +103,15 @@ public class ThreadWatcher implements Runnable
*/
public void run()
{
try
{
Thread.sleep(myTimeout);
}
catch (InterruptedException e)
{
// do nothing -- if watcher is interrupted, so is thread
}
try
{
Thread.sleep(myTimeout);
}
catch (InterruptedException e)
{
// do nothing -- if watcher is interrupted, so is thread
}
interrupt();
interrupt();
}
}