Merge branch 'release/v8.0.0.M16'

README.MD

@@ -29,7 +29,18 @@ first thing that all hackers claim.*
 
 # Run Instructions:
 
-## 1. Run using Docker
+## 1. Standalone 
+
+Download the latest WebGoat release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
+
+```Shell
+java -jar webgoat-server-<<version>>.jar [--server.port=8080] [--server.address=localhost]
+```
+
+By default WebGoat starts on port 8080 with `--server.port` you can specify a different port. With `server.address` you
+can bind it to a different address (default localhost)
+
+## 2. Run using Docker
 
 From time to time we publish a new development preview of WebGoat 8 on Docker HUB, you can download this version
 [https://hub.docker.com/r/webgoat/webgoat-8.0/](https://hub.docker.com/r/webgoat/webgoat-8.0/).
@@ -65,27 +76,6 @@ Here you'll be able to register a new user and get started.
 
 _Please note: this version may not be completely in sync with the develop branch._
 
-## 2. Standalone 
-
-Download the latest WebGoat release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
-
-```Shell
-java -jar webgoat-server-<<version>>.jar
-```
-
-By default WebGoat starts at port 8080 in order to change this use the following property:
-
-```Shell
-java -jar webgoat-server-<<version>>.jar --server.port=9090
-```
-
-You can specify one of the following arguments when starting WebGoat:
-
-```Shell
-java -jar webgoat-server-<<version>>.jar --server.port=9090 --server.address=x.x.x.x
-```
-
-This will start WebGoat on a different port and/or different address.
 
 
 ## 3. Run from the sources

docker-compose-postgres.yml

@@ -6,6 +6,7 @@ services:
     user: webgoat
     environment:
       - WEBWOLF_HOST=webwolf
+      - WEBWOLF_PORT=9090
       - spring.datasource.url=jdbc:postgresql://webgoat_db:5432/webgoat
       - spring.datasource.username=webgoat
       - spring.datasource.password=webgoat
@@ -22,7 +23,7 @@ services:
       - spring.datasource.driver-class-name=org.postgresql.Driver
       - spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL94Dialect
     ports:
-      - "8081:8081"
+      - "9090:9090"
   db:
     container_name: webgoat_db
     image: postgres:latest

docker-compose.yml

@@ -5,6 +5,7 @@ services:
     image: webgoat/webgoat-8.0
     environment:
       - WEBWOLF_HOST=webwolf
+      - WEBWOLF_PORT=9090
       - spring.datasource.url=jdbc:hsqldb:hsql://webgoat_db:9001/webgoat
     ports:
       - "8080:8080"
@@ -15,7 +16,7 @@ services:
     environment:
           - spring.datasource.url=jdbc:hsqldb:hsql://webgoat_db:9001/webgoat
     ports:
-      - "8081:8081"
+      - "9090:9090"
     depends_on:
       - db
   db:

pom.xml

@@ -1,11 +1,12 @@
 <?xml version="1.0"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
 
     <modelVersion>4.0.0</modelVersion>
     <groupId>org.owasp.webgoat</groupId>
     <artifactId>webgoat-parent</artifactId>
     <packaging>pom</packaging>
-    <version>v8.0.0.M15</version>
+    <version>v8.0.0.M16</version>
 
     <name>WebGoat Parent Pom</name>
     <description>Parent Pom for the WebGoat Project. A deliberately insecure Web Application</description>
@@ -53,17 +54,17 @@
         <developer>
             <id>jwayman</id>
             <name>Jeff Wayman</name>
-            <email />
+            <email/>
         </developer>
         <developer>
             <id>dcowden</id>
             <name>Dave Cowden</name>
-            <email />
+            <email/>
         </developer>
         <developer>
             <id>lawson89</id>
             <name>Richard Lawson</name>
-            <email />
+            <email/>
         </developer>
         <developer>
             <id>dougmorato</id>
@@ -92,8 +93,8 @@
         <url>https://github.com/WebGoat/WebGoat</url>
         <connection>scm:git:[email protected]:WebGoat/WebGoat.git</connection>
         <developerConnection>scm:git:[email protected]:WebGoat/WebGoat.git</developerConnection>
-      <tag>HEAD</tag>
-  </scm>
+        <tag>HEAD</tag>
+    </scm>
 
     <issueManagement>
         <system>Github Issues</system>
@@ -202,7 +203,7 @@
     <profiles>
         <profile>
             <id>release</id>
-			<dependencies>
+            <dependencies>
                 <dependency>
                     <groupId>org.owasp.webgoat.lesson</groupId>
                     <artifactId>dist</artifactId>
@@ -214,7 +215,7 @@
             </dependencies>
             <build>
                 <plugins>
-				    <plugin>
+                    <plugin>
                         <groupId>org.apache.maven.plugins</groupId>
                         <artifactId>maven-dependency-plugin</artifactId>
                         <executions>
@@ -225,7 +226,9 @@
                                 </goals>
                                 <phase>generate-resources</phase>
                                 <configuration>
-                                    <outputDirectory>${project.basedir}/webgoat-container/src/main/webapp/plugin_lessons</outputDirectory>
+                                    <outputDirectory>
+                                        ${project.basedir}/webgoat-container/src/main/webapp/plugin_lessons
+                                    </outputDirectory>
                                     <includeArtifactIds>dist</includeArtifactIds>
                                     <includes>*.jar</includes>
                                 </configuration>
@@ -324,15 +327,15 @@
                 <artifactId>coveralls-maven-plugin</artifactId>
                 <version>${coveralls-maven-plugin.version}</version>
                 <configuration>
-                    <repoToken />
+                    <repoToken/>
                 </configuration>
             </plugin>
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
                 <artifactId>cobertura-maven-plugin</artifactId>
                 <version>${cobertura-maven-plugin.version}</version>
                 <configuration>
-                    <check />
+                    <check/>
                     <format>xml</format>
                     <maxmem>256m</maxmem>
                     <!-- aggregated reports for multi-module projects -->

scripts/build-all.sh

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+
+cd ..
+
+nc -zv 127.0.0.1 8080 2>/dev/null
+SUCCESS=$?
+nc -zv 127.0.0.1 9090 2>/dev/null
+SUCCESS=${SUCCESS}$?
+
+if [[ "${SUCCESS}" -eq 00 ]] ; then
+  echo "WebGoat and or WebWolf are still running, please stop them first otherwise unit tests might fail!"
+  exit 127
+fi
+
+
+#mvn clean install
+#if [[ "$?" -ne 0 ]] ; then
+#  exit y$?
+#fi
+
+cd -
+sh build_docker.sh
+
+echo "Do you want to run docker-compose?"
+while true; do
+    read -p "Do you want to run docker-compose?" yn
+    case ${yn} in
+        [Yy]* ) sh clean-run-docker-compose.sh; break;;
+        [Nn]* ) exit;;
+        * ) echo "Please answer yes or no.";;
+    esac
+done

scripts/build_docker.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+WEBGOAT_HOME=$(pwd)/../
+
+cd ${WEBGOAT_HOME}/webgoat-server
+docker build -t webgoat/webgoat-8.0 .
+
+cd ${WEBGOAT_HOME}/webwolf
+docker build -t webgoat/webwolf .
+

scripts/clean-run-docker-compose.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+cd ..
+docker-compose rm -f
+docker-compose up

scripts/deploy-webgoat.sh

@@ -10,10 +10,10 @@ if [ "${BRANCH}" == "master" ] && [ ! -z "${TRAVIS_TAG}" ]; then
   # If we push a tag to master this will update the LATEST Docker image and tag with the version number
   docker build --build-arg webgoat_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:latest -t $REPO:${TRAVIS_TAG} .
   docker push $REPO
-elif [ ! -z "${TRAVIS_TAG}" ]; then
-  # Creating a tag build we push it to Docker with that tag
-  docker build --build-arg webgoat_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:${TRAVIS_TAG} -t $REPO:latest .
-  docker push $REPO
+#elif [ ! -z "${TRAVIS_TAG}" ]; then
+#  # Creating a tag build we push it to Docker with that tag
+#  docker build --build-arg webgoat_version=${TRAVIS_TAG:1} -f Dockerfile -t $REPO:${TRAVIS_TAG} -t $REPO:latest .
+#  docker push $REPO
 #elif [ "${BRANCH}" == "develop" ]; then
 #  docker build -f Dockerfile -t $REPO:snapshot .
 #  docker push $REPO

scripts/run-docker-compose.sh

@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+
+cd ..
+docker-compose up

webgoat-container/pom.xml

@@ -10,7 +10,7 @@
     <parent>
         <groupId>org.owasp.webgoat</groupId>
         <artifactId>webgoat-parent</artifactId>
-        <version>v8.0.0.M15</version>
+        <version>v8.0.0.M16</version>
     </parent>
 
     <profiles>

webgoat-container/src/main/java/org/owasp/webgoat/users/UserForm.java

@@ -4,6 +4,7 @@
 import lombok.Setter;
 
 import javax.validation.constraints.NotNull;
+import javax.validation.constraints.Pattern;
 import javax.validation.constraints.Size;
 
 /**
@@ -16,6 +17,7 @@ public class UserForm {
 
     @NotNull
     @Size(min=6, max=20)
+    @Pattern(regexp = "[a-zA-Z0-9]*", message = "can only contain letters and digits")
     private String username;
     @NotNull
     @Size(min=6, max=10)

webgoat-container/src/main/resources/application.properties

@@ -37,7 +37,7 @@ webgoat.database.connection.string=jdbc:hsqldb:mem:{USER}
 webgoat.default.language=en
 
 webwolf.host=${WEBWOLF_HOST:localhost}
-webwolf.port=${WEBWOLF_PORT:8081}
+webwolf.port=${WEBWOLF_PORT:9090}
 webwolf.url=http://${webwolf.host}:${webwolf.port}/WebWolf
 webwolf.url.landingpage=http://${webwolf.host}:${webwolf.port}/landing
 webwolf.url.mail=http://${webwolf.host}:${webwolf.port}/mail

webgoat-images/vagrant-training/Vagrantfile

@@ -3,7 +3,7 @@
 Vagrant.configure(2) do |config|
   config.vm.box = "ubuntu/trusty64"
   config.vm.network :forwarded_port, guest: 8080, host: 8080
-  config.vm.network :forwarded_port, guest: 8081, host: 8081
+  config.vm.network :forwarded_port, guest: 9090, host: 9090
   config.vm.provider "virtualbox" do |vb|
   	vb.gui = false
   	vb.memory = "4096"

webgoat-lessons/auth-bypass/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M15</version>
+        <version>v8.0.0.M16</version>
     </parent>
 
 </project>

webgoat-lessons/bypass-restrictions/pom.xml

@@ -6,6 +6,6 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M15</version>
+        <version>v8.0.0.M16</version>
     </parent>
 </project>

webgoat-lessons/challenge/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>v8.0.0.M15</version>
+        <version>v8.0.0.M16</version>
     </parent>
 
 

webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/SolutionConstants.java

@@ -11,7 +11,5 @@ public interface SolutionConstants {
     //TODO should be random generated when starting the server
     String PASSWORD = "!!webgoat_admin_1234!!";
     String PASSWORD_TOM = "thisisasecretfortomonly";
-    String PASSWORD_LARRY = "larryknows";
-    String JWT_PASSWORD = "victory";
     String ADMIN_PASSWORD_LINK = "375afe1104f4a487a73823c50a9292a2";
 }