dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,102 Commits 11 Branches 78 Tags
Commit Graph

3102 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
dependabot[bot]
a95213757d
chore: bump org.springframework.boot:spring-boot-starter-parent from 3.3.5 to 3.4.0 (#1962) 2024-12-16 20:16:10 +01:00
dependabot[bot]
6d90852c1f
chore: bump org.apache.commons:commons-text from 1.12.0 to 1.13.0 (#1986) 2024-12-16 20:15:53 +01:00
Nanne Baars
4f8652758c
refactor: remove unused code (#1985) 2024-12-15 13:06:49 +01:00
Nanne Baars
5fc2e0602c
refactor: move plugin messages (#1968) 2024-12-03 22:13:44 +01:00
dependabot[bot]
f3c7f4588b
chore: bump docker/build-push-action from 6.9.0 to 6.10.0 (#1969) 2024-12-03 22:13:24 +01:00
dependabot[bot]
119b84d034
chore: bump org.wiremock:wiremock-standalone from 3.9.2 to 3.10.0 (#1970) 2024-12-03 22:13:11 +01:00
dependabot[bot]
afd951228d
chore: bump org.jsoup:jsoup from 1.18.1 to 1.18.3 (#1971) 2024-12-03 22:13:00 +01:00
Jeong Rok Suh
51e3f59054
fix: Hint labels showing default text regardless of localization (#1965) 2024-11-26 23:34:09 +01:00
dependabot[bot]
cc0efd8600
chore: bump commons-io:commons-io from 2.17.0 to 2.18.0 (#1961) 2024-11-26 23:21:10 +01:00
dependabot[bot]
e29dccf3c9
chore: bump org.testcontainers:junit-jupiter from 1.20.3 to 1.20.4 (#1963) 2024-11-26 23:20:25 +01:00
dependabot[bot]
0cf861fb3c
chore: bump org.testcontainers:testcontainers from 1.20.3 to 1.20.4 (#1964) 2024-11-26 23:20:11 +01:00
Nanne Baars
d8100385b6
fix: automatically solve XSS mitigation (#1957) 
This PR moves the mitigation Java class into the correct package.

The lesson was automatically solved because no assignments were found.

Closes: #1943
 2024-11-14 08:42:55 +01:00
Nanne Baars
4880afa0e3
fix: remove implicit context path guessing (#1956) 
Pass the context-path in the assignment overview so the frontend can easily match an assignment.
 2024-11-13 21:32:28 +01:00
dependabot[bot]
e60ca6ce72
chore: bump org.jruby:jruby from 9.4.8.0 to 9.4.9.0 (#1954) 2024-11-11 13:46:45 +01:00
dependabot[bot]
88a763f513
chore: bump org.testcontainers:junit-jupiter from 1.20.1 to 1.20.3 (#1946) 
Bumps [org.testcontainers:junit-jupiter](https://github.com/testcontainers/testcontainers-java) from 1.20.1 to 1.20.3.
- [Release notes](https://github.com/testcontainers/testcontainers-java/releases)
- [Changelog](https://github.com/testcontainers/testcontainers-java/blob/main/CHANGELOG.md)
- [Commits](https://github.com/testcontainers/testcontainers-java/compare/1.20.1...1.20.3)

---
updated-dependencies:
- dependency-name: org.testcontainers:junit-jupiter
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-11-07 16:13:27 +01:00
dependabot[bot]
7f33d3609f
chore: bump org.apache.maven.plugins:maven-surefire-plugin (#1948) 
Bumps [org.apache.maven.plugins:maven-surefire-plugin](https://github.com/apache/maven-surefire) from 3.5.1 to 3.5.2.
- [Release notes](https://github.com/apache/maven-surefire/releases)
- [Commits](https://github.com/apache/maven-surefire/compare/surefire-3.5.1...surefire-3.5.2)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-surefire-plugin
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-11-07 16:13:10 +01:00
dependabot[bot]
bf02077427
chore: bump org.wiremock:wiremock-standalone from 3.9.1 to 3.9.2 (#1947) 
Bumps [org.wiremock:wiremock-standalone](https://github.com/wiremock/wiremock) from 3.9.1 to 3.9.2.
- [Release notes](https://github.com/wiremock/wiremock/releases)
- [Commits](https://github.com/wiremock/wiremock/compare/3.9.1...3.9.2)

---
updated-dependencies:
- dependency-name: org.wiremock:wiremock-standalone
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-11-07 15:46:43 +01:00
Nanne Baars
e1e00bca73
fix: JWT kid/jku lessons (#1949) 
* refactor: rewrite hints

Use active voice and fix grammar issues.

* fix: use Thymeleaf `th:action`

* fix: JWT kid/jku lessons

Split the JavaScript into two files they pointed to the same URL

The JWTs are now valid, they parse successfully.

The paths now include `/kid` and `/jku` to make sure the hints match accordingly in the UI. Otherwise `/delete` would pick up both hints from both assignments as the paths overlap.

Closes: #1715

* fix: update to latest pre-commit version

* fix: increase timeouts for server to start during integration tests
 2024-11-07 15:45:33 +01:00
Nanne Baars
d59153d6d7
Fix password reset lesson (#1941) 
* docs: improve text

* fix: use correct POST url
 2024-10-29 17:32:51 +01:00
dependabot[bot]
87fae00f03
chore: bump commons-io:commons-io from 2.16.1 to 2.17.0 (#1937) 
Bumps commons-io:commons-io from 2.16.1 to 2.17.0.

---
updated-dependencies:
- dependency-name: commons-io:commons-io
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-10-29 16:30:32 +01:00
Nanne Baars
3f6a74ad86
chore(gh-actions): update dependency 2024-10-28 22:02:02 +01:00
Nanne Baars
1d37ee0877
ci: run pre-commit checks first 
Create a dependency between the jobs.
 2024-10-28 21:59:10 +01:00
Nanne Baars
4f6ab25ebd
ci: run pre-commit checks first 2024-10-28 21:57:43 +01:00
dependabot[bot]
af687e71fe
chore: bump com.google.guava:guava from 33.3.0-jre to 33.3.1-jre (#1939) 2024-10-28 20:02:09 +01:00
dependabot[bot]
83ed4c3d5c
chore: bump org.testcontainers:testcontainers from 1.20.1 to 1.20.3 (#1935) 2024-10-28 15:05:33 +01:00
dependabot[bot]
62cdfd0824
chore: bump com.github.terma:javaniotcpproxy from 1.5 to 1.6 (#1936) 2024-10-28 15:04:15 +01:00
dependabot[bot]
e7457f4821
chore: bump org.apache.maven.plugins:maven-checkstyle-plugin (#1938) 2024-10-28 15:04:01 +01:00
Nanne Baars
4efaf87c7e
Fix passing command line arguments (#1933) 
* fix: use banners correctly

* fix: passing command line arguments

Since we already have `webwolf.port` it makes sense to also define `webwolf.port` explicitly and not rely on `server.port`

Closes: #1910
 2024-10-27 08:39:02 +01:00
dependabot[bot]
cf5101a633
chore: bump org.asciidoctor:asciidoctorj from 2.5.13 to 3.0.0 (#1897) 2024-10-26 22:53:43 +02:00
Nanne Baars
3f049ba53a
Nbaars/1886 (#1932) 
* improved code readbility

* chore: format code

---------

Co-authored-by: guilherme peixoto <peixoto-guilherme7@hotmail.com>
 2024-10-26 22:18:28 +02:00
dependabot[bot]
7e294fbdb5
chore: bump org.apache.commons:commons-compress from 1.26.2 to 1.27.1 (#1884) 2024-10-26 19:27:07 +02:00
dependabot[bot]
2177eb663a
chore: bump docker/build-push-action from 6.7.0 to 6.9.0 (#1920) 2024-10-26 16:59:13 +02:00
François Capon
50692300eb
docs: Show boolean operators priority on where (#1902) 2024-10-26 14:48:50 +02:00
dependabot[bot]
e2c2d425cb
chore: bump actions/cache from 4.0.2 to 4.1.1 (#1925) 2024-10-26 14:25:04 +02:00
dependabot[bot]
6bbd3cb66b
chore: bump org.springframework.boot:spring-boot-starter-parent (#1931) 2024-10-26 14:20:14 +02:00
Nanne Baars
d08a56d351
chore: add test for solving same lesson as different user. (#1930) 
We removed the constraint but did not add an extra testcase to cover this bug.

Closes: #1890
 2024-10-26 12:06:30 +02:00
dependabot[bot]
ec97568ec2
chore: bump org.apache.maven.plugins:maven-surefire-plugin (#1922) 
Bumps [org.apache.maven.plugins:maven-surefire-plugin](https://github.com/apache/maven-surefire) from 3.3.1 to 3.5.1.
- [Release notes](https://github.com/apache/maven-surefire/releases)
- [Commits](https://github.com/apache/maven-surefire/compare/surefire-3.3.1...surefire-3.5.1)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-surefire-plugin
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-10-26 10:55:02 +02:00
dependabot[bot]
9b68368b23
chore: bump pre-commit-ci/lite-action from 1.0.1 to 1.1.0 (#1926) 
Bumps [pre-commit-ci/lite-action](https://github.com/pre-commit-ci/lite-action) from 1.0.1 to 1.1.0.
- [Release notes](https://github.com/pre-commit-ci/lite-action/releases)
- [Commits](https://github.com/pre-commit-ci/lite-action/compare/v1.0.1...v1.1.0)

---
updated-dependencies:
- dependency-name: pre-commit-ci/lite-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-10-26 10:54:46 +02:00
Nanne Baars
ab068901f1
Remove WebGoat session object (#1929) 
* refactor: modernize code

* refactor: move to Tomcat

* chore: bump to Spring Boot 3.3.3

* refactor: use Testcontainers to run integration tests

* refactor: lesson/assignment progress

* chore: format code

* refactor: first step into removing base class for assignment

Always been a bit of an ugly construction, as none of the dependencies are clear. The constructors are hidden due to autowiring the base class. This PR removes two of the fields.

As a bonus we now wire the authentication principal directly in the controllers.

* refactor: use authentication principal directly.

* refactor: pass lesson to the endpoints

No more need to get the current lesson set in a session. The lesson is now passed to the endpoints.

* fix: Testcontainers cannot run on Windows host in Github actions.

Since we have Windows specific paths let's run it standalone for now. We need to run these tests on Docker as well (for now disabled)
 2024-10-26 10:54:21 +02:00
François Capon
cb7c508046
fix: reset form and quiz color on reset lesson (#1903) 
* ./mvnw spotless:apply

```
[INFO] --- spotless-maven-plugin:2.41.1:apply (default-cli) @ webgoat ---
[INFO] Writing clean file: /home/ulyssa/labs/WebGoat/WebGoat-bb6e84d/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson5a.java
```

* On reset lesson: reset form and quizzes colors
 2024-10-26 09:22:18 +02:00
Rui Melo
f4c86be6c7 Update fix version 2024-10-18 22:50:19 +02:00
Benjamin Mouncer
cf2c115093 fix: xss lesson typo 2024-10-18 22:38:32 +02:00
dependabot[bot]
bb6e84ddcf
chore: bump com.google.guava:guava from 33.2.1-jre to 33.3.0-jre (#1879) 
Bumps [com.google.guava:guava](https://github.com/google/guava) from 33.2.1-jre to 33.3.0-jre.
- [Release notes](https://github.com/google/guava/releases)
- [Commits](https://github.com/google/guava/commits)

---
updated-dependencies:
- dependency-name: com.google.guava:guava
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-09-04 21:44:38 +02:00
dependabot[bot]
5fc2666b43
chore: bump docker/build-push-action from 6.5.0 to 6.7.0 (#1877) 
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.5.0 to 6.7.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v6.5.0...v6.7.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-09-04 21:43:46 +02:00
dependabot[bot]
6e946f21a2
chore: bump io.github.bonigarcia:webdrivermanager from 5.9.1 to 5.9.2 (#1866) 
Bumps [io.github.bonigarcia:webdrivermanager](https://github.com/bonigarcia/webdrivermanager) from 5.9.1 to 5.9.2.
- [Release notes](https://github.com/bonigarcia/webdrivermanager/releases)
- [Changelog](https://github.com/bonigarcia/webdrivermanager/blob/master/CHANGELOG.md)
- [Commits](https://github.com/bonigarcia/webdrivermanager/compare/webdrivermanager-5.9.1...webdrivermanager-5.9.2)

---
updated-dependencies:
- dependency-name: io.github.bonigarcia:webdrivermanager
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-08-04 15:57:57 +02:00
dependabot[bot]
d38ba2a626
chore: bump docker/build-push-action from 6.4.1 to 6.5.0 (#1867) 
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.4.1 to 6.5.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/v6.4.1...v6.5.0)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-08-04 15:56:33 +02:00
dependabot[bot]
4c7e6ae4f4
chore: bump org.wiremock:wiremock from 3.9.0 to 3.9.1 (#1865) 
Bumps [org.wiremock:wiremock](https://github.com/wiremock/wiremock) from 3.9.0 to 3.9.1.
- [Release notes](https://github.com/wiremock/wiremock/releases)
- [Commits](https://github.com/wiremock/wiremock/compare/3.9.0...3.9.1)

---
updated-dependencies:
- dependency-name: org.wiremock:wiremock
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-08-04 15:56:12 +02:00
Nanne Baars
58b762eade
fix: copying file using transferTo sometimes fails. (#1862) 
Turns out that using this method sometimes fails with an exception about unable to delete a directory.
The stacktrace points to:

```
java.nio.file.FileSystemException: /tmp/webwolf-fileserver/dumbanddummer/xxe_a11.dtd: Not a directory
        at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:100) ~[na:na]
        at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106) ~[na:na]
        at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111) ~[na:na]
        at java.base/sun.nio.fs.UnixFileSystemProvider.implDelete(UnixFileSystemProvider.java:248) ~[na:na]
        at java.base/sun.nio.fs.AbstractFileSystemProvider.deleteIfExists(AbstractFileSystemProvider.java:110) ~[na:na]
        at java.base/java.nio.file.Files.deleteIfExists(Files.java:1191) ~[na:na]
        at java.base/java.nio.file.Files.copy(Files.java:3147) ~[na:na]
        at io.undertow.server.handlers.form.FormData$FileItem.write(FormData.java:274) ~[undertow-core-2.3.10.Final.jar!/:2.3.10.Final]
        at io.undertow.servlet.spec.PartImpl.write(PartImpl.java:119) ~[undertow-servlet-2.3.10.Final.jar!/:2.3.10.Final]
        at org.springframework.web.multipart.support.StandardMultipartHttpServletRequest$StandardMultipartFile.transferTo(StandardMultipartHttpServletRequest.java:254) ~[spring-web-6.0.13.jar!/:6.0.13]
        at org.owasp.webgoat.webwolf.FileServer.importFile(FileServer.java:89)
```

It has to do with the underlying implmentation in Undertow. An explaination can be found here: https://stackoverflow.com/questions/60336929/java-nio-file-nosuchfileexception-when-file-transferto-is-called

The solution is to take the input stream and use a simple `Files.copy()` to copy the file.

Closes: #1737
 2024-07-28 17:47:30 +02:00
Nanne Baars
2b0c22ac68
Small improvements (#1848) 
* refactor: remove CORS

* improvement: add healthcheck to Docker file
 2024-07-23 17:42:56 +02:00
dependabot[bot]
85103bbcad
chore: bump docker/login-action from 3.2.0 to 3.3.0 (#1855) 
Bumps [docker/login-action](https://github.com/docker/login-action) from 3.2.0 to 3.3.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/v3.2.0...v3.3.0)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-07-23 17:36:27 +02:00