It is now done afterward through an interceptor. No more need to burden assignments with plugin messages etc. Only return the key and the optional args.
* refactor: rewrite hints
Use active voice and fix grammar issues.
* fix: use Thymeleaf `th:action`
* fix: JWT kid/jku lessons
Split the JavaScript into two files they pointed to the same URL
The JWTs are now valid, they parse successfully.
The paths now include `/kid` and `/jku` to make sure the hints match accordingly in the UI. Otherwise `/delete` would pick up both hints from both assignments as the paths overlap.
Closes: #1715
* fix: update to latest pre-commit version
* fix: increase timeouts for server to start during integration tests
* fix: use banners correctly
* fix: passing command line arguments
Since we already have `webwolf.port` it makes sense to also define `webwolf.port` explicitly and not rely on `server.port`
Closes: #1910
* refactor: modernize code
* refactor: move to Tomcat
* chore: bump to Spring Boot 3.3.3
* refactor: use Testcontainers to run integration tests
* refactor: lesson/assignment progress
* chore: format code
* refactor: first step into removing base class for assignment
Always been a bit of an ugly construction, as none of the dependencies are clear. The constructors are hidden due to autowiring the base class. This PR removes two of the fields.
As a bonus we now wire the authentication principal directly in the controllers.
* refactor: use authentication principal directly.
* refactor: pass lesson to the endpoints
No more need to get the current lesson set in a session. The lesson is now passed to the endpoints.
* fix: Testcontainers cannot run on Windows host in Github actions.
Since we have Windows specific paths let's run it standalone for now. We need to run these tests on Docker as well (for now disabled)
Turns out that using this method sometimes fails with an exception about unable to delete a directory.
The stacktrace points to:
```
java.nio.file.FileSystemException: /tmp/webwolf-fileserver/dumbanddummer/xxe_a11.dtd: Not a directory
at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:100) ~[na:na]
at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106) ~[na:na]
at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111) ~[na:na]
at java.base/sun.nio.fs.UnixFileSystemProvider.implDelete(UnixFileSystemProvider.java:248) ~[na:na]
at java.base/sun.nio.fs.AbstractFileSystemProvider.deleteIfExists(AbstractFileSystemProvider.java:110) ~[na:na]
at java.base/java.nio.file.Files.deleteIfExists(Files.java:1191) ~[na:na]
at java.base/java.nio.file.Files.copy(Files.java:3147) ~[na:na]
at io.undertow.server.handlers.form.FormData$FileItem.write(FormData.java:274) ~[undertow-core-2.3.10.Final.jar!/:2.3.10.Final]
at io.undertow.servlet.spec.PartImpl.write(PartImpl.java:119) ~[undertow-servlet-2.3.10.Final.jar!/:2.3.10.Final]
at org.springframework.web.multipart.support.StandardMultipartHttpServletRequest$StandardMultipartFile.transferTo(StandardMultipartHttpServletRequest.java:254) ~[spring-web-6.0.13.jar!/:6.0.13]
at org.owasp.webgoat.webwolf.FileServer.importFile(FileServer.java:89)
```
It has to do with the underlying implmentation in Undertow. An explaination can be found here: https://stackoverflow.com/questions/60336929/java-nio-file-nosuchfileexception-when-file-transferto-is-called
The solution is to take the input stream and use a simple `Files.copy()` to copy the file.
Closes: #1737
* fix: report card
Fix and simplify calculation of the number of assignments a user solved.
Rename `UserTracker` to `UserProgress`
Rename `LessonTracker` to `LessonProgress`
Rename tables in database
When a call directly hits a file it is now show up in the requests overview. This helps the user whether an attack from WebGoat actually requested the uploaded file.
Closes: gh-1551
Since we use two application context, the event listener would print out the last one with the WebWolf context. As WebWolf is part of WebGoat we should not refer to it anymore during startup as users should always go to WebGoat first.
* organizing environment variables
* Update application-webgoat.properties
* Update pom.xml
* test without ssl
* fix docker base image and default env entries
* seperate server.address from webgoat.host and webwolf.host
* change base image and enable endpoint logging for docker as well
* change README
* change README
* make integration test able to verify against alternative host names
* use dynamic ports and remove system println
* better check on host and port for password reset and make context roots more flexible
* spotless applied
* removed hardcoded /WebGoat from js
* removed hardcoded /WebGoat from js
* fix spotless
* fix scoreboard
* upgrade WebWolf bootstrap version and icons and templates - part 1
* fixed more bootstrap 5 style issues and context path issues
* organized WebSecurityConfig based on latest conventions and added basic support for oauth (more work needed)
* spotless applied
* added mock bean
* requires updates to properties - commented for now
* requires updates to properties - commented for now
* oauth secrets through env values
* user creation after oauth login
* integration test against non default context paths
* adjusted StartupMessage
* add global model element username
* conditionally show login oauth links
* fixed WebWolf login
---------
Co-authored-by: René Zubcevic <rene@Mac-mini-van-Rene.local>
One can solve this lesson by using `alg:none` instead of using the refresh token flow. Instead of adding a check to force using the refresh token we opt for giving the user extra feedback.
The lesson did not work properly as the directory is reused across several path traversal lessons. First thing before uploading the zip file we now clean the directory.
The html had a reference to a location of the profile picture, this was part of a hint but this only causes confusion as this is not indicating to where you need to upload the picture with the Zip Slip vulnerability.
The assignment now contains a direct hint as where the image needs to be saved. The assignment is about creating a vulnerable zip file and NOT about guessing where the image should be saved inside WebGoat.
