Merge branch 'release/v8.2.0' into develop

.github/workflows/build.yml

@@ -11,6 +11,7 @@ on:
     branches:
       - master
       - develop
+      - release/*
     tags-ignore:
       - '*'
     paths-ignore:

.mvn/wrapper/maven-wrapper.properties

@@ -1,2 +1,2 @@
-distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.2.5/apache-maven-3.2.5-bin.zip
-wrapperUrl=https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.5/maven-wrapper-0.5.5.jar
+distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.8.1/apache-maven-3.8.1-bin.zip
+wrapperUrl=https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar

RELEASE_NOTES.md

@@ -1,5 +1,44 @@
 # WebGoat release notes 
 
+## Version 8.2.0
+
+### New functionality
+
+- Add new zip slip lesson (part of path traversal)
+- SQL lessons are now separate for each user, database are now per user and no longer shared across users
+- Moved to Java 15 & Spring Boot 2.4 & moved to JUnit 5
+
+### Bug fixes
+
+- [#974 SQL injection Intro 5 not solvable](https://github.com/WebGoat/WebGoat/issues/974)
+- [#962 SQL-Lesson 5 (Advanced) Solvable with wrong anwser](https://github.com/WebGoat/WebGoat/issues/962)
+- [#961 SQl-Injection lesson 4 not deleting created row](https://github.com/WebGoat/WebGoat/issues/961)
+- [#949 Challenge: Admin password reset always solvable](https://github.com/WebGoat/WebGoat/issues/949)
+- [#923 - Upgrade to Java 15](https://github.com/WebGoat/WebGoat/issues/923)
+- [#922 - Vulnerable components lesson](https://github.com/WebGoat/WebGoat/issues/922)
+- [#891 - Update the OWASP website with the new all-in-one Docker container](https://github.com/WebGoat/WebGoat/issues/891)
+- [#844 - Suggestion: Update navigation](https://github.com/WebGoat/WebGoat/issues/844)
+- [#843 - Bypass front-end restrictions: Field restrictions - confusing text in form](https://github.com/WebGoat/WebGoat/issues/843)
+- [#841 - XSS - Reflected XSS confusing instruction and success messages](https://github.com/WebGoat/WebGoat/issues/841)
+- [#839 - SQL Injection (mitigation) Order by clause confusing](https://github.com/WebGoat/WebGoat/issues/839)
+- [#838 - SQL mitigation (filtering) can only be passed by updating table](https://github.com/WebGoat/WebGoat/issues/838)
+
+## Contributors
+
+Special thanks to the following contributors providing us with a pull request:
+
+- nicholas-quirk
+- VijoPlays
+- aolle
+- trollingHeifer
+- maximmasiutin
+- toshihue
+- avivmu
+- KellyMarchewa 
+- NatasG
+- gabe-sky
+
+
 ## Version 8.1.0
 
 ### New functionality

docker/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat</groupId>
         <artifactId>webgoat-parent</artifactId>
-        <version>8.2.0-SNAPSHOT</version>
+        <version>8.2.0</version>
     </parent>
 
     <dependencies>

pom.xml

@@ -6,7 +6,7 @@
     <groupId>org.owasp.webgoat</groupId>
     <artifactId>webgoat-parent</artifactId>
     <packaging>pom</packaging>
-    <version>8.2.0-SNAPSHOT</version>
+    <version>8.2.0</version>
 
     <name>WebGoat Parent Pom</name>
     <description>Parent Pom for the WebGoat Project. A deliberately insecure Web Application</description>

webgoat-container/pom.xml

@@ -9,7 +9,7 @@
     <parent>
         <groupId>org.owasp.webgoat</groupId>
         <artifactId>webgoat-parent</artifactId>
-        <version>8.2.0-SNAPSHOT</version>
+        <version>8.2.0</version>
     </parent>
 
     <build>

webgoat-container/src/main/java/org/owasp/webgoat/AsciiDoctorTemplateResolver.java

@@ -84,6 +84,7 @@ protected ITemplateResource computeTemplateResource(IEngineConfiguration configu
                 extensionRegistry.inlineMacro("webGoatVersion", WebGoatVersionMacro.class);
                 extensionRegistry.inlineMacro("webGoatTempDir", WebGoatTmpDirMacro.class);
                 extensionRegistry.inlineMacro("operatingSystem", OperatingSystemMacro.class);
+                extensionRegistry.inlineMacro("username", UsernameMacro.class);
 
                 StringWriter writer = new StringWriter();
                 asciidoctor.convert(new InputStreamReader(is), writer, createAttributes());

webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/OperatingSystemMacro.java

@@ -17,6 +17,9 @@ public OperatingSystemMacro(String macroName, Map<String, Object> config) {
 
     @Override
     public Object process(ContentNode contentNode, String target, Map<String, Object> attributes) {
-        return System.getProperty("os.name");
+        var osName = System.getProperty("os.name");
+
+        //see https://discuss.asciidoctor.org/How-to-create-inline-macro-producing-HTML-In-AsciidoctorJ-td8313.html for why quoted is used
+        return createPhraseNode(contentNode, "quoted", osName);
     }
 }

webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/UsernameMacro.java

@@ -0,0 +1,31 @@
+package org.owasp.webgoat.asciidoc;
+
+import org.asciidoctor.ast.ContentNode;
+import org.asciidoctor.extension.InlineMacroProcessor;
+import org.owasp.webgoat.users.WebGoatUser;
+import org.springframework.security.core.context.SecurityContextHolder;
+
+import java.util.Map;
+
+public class UsernameMacro extends InlineMacroProcessor {
+
+    public UsernameMacro(String macroName) {
+        super(macroName);
+    }
+
+    public UsernameMacro(String macroName, Map<String, Object> config) {
+        super(macroName, config);
+    }
+
+    @Override
+    public Object process(ContentNode contentNode, String target, Map<String, Object> attributes) {
+        var auth = SecurityContextHolder.getContext().getAuthentication();
+        var username = "unknown";
+        if (auth.getPrincipal() instanceof WebGoatUser) {
+            username = ((WebGoatUser) auth.getPrincipal()).getUsername();
+        }
+
+        //see https://discuss.asciidoctor.org/How-to-create-inline-macro-producing-HTML-In-AsciidoctorJ-td8313.html for why quoted is used
+        return createPhraseNode(contentNode, "quoted", username);
+    }
+}

webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebGoatTmpDirMacro.java

@@ -16,7 +16,11 @@ public WebGoatTmpDirMacro(String macroName, Map<String, Object> config) {
     }
 
     @Override
-	public String process(ContentNode contentNode, String target, Map<String, Object> attributes) {
-        return EnvironmentExposure.getEnv().getProperty("webgoat.server.directory");
+	public Object process(ContentNode contentNode, String target, Map<String, Object> attributes) {
+        var env = EnvironmentExposure.getEnv().getProperty("webgoat.server.directory");
+
+        //see https://discuss.asciidoctor.org/How-to-create-inline-macro-producing-HTML-In-AsciidoctorJ-td8313.html for why quoted is used
+        return createPhraseNode(contentNode, "quoted", env);
+
     }
 }

webgoat-container/src/main/java/org/owasp/webgoat/asciidoc/WebGoatVersionMacro.java

@@ -16,7 +16,10 @@ public WebGoatVersionMacro(String macroName, Map<String, Object> config) {
     }
 
     @Override
-	public String process(ContentNode contentNode, String target, Map<String, Object> attributes) {
-        return EnvironmentExposure.getEnv().getProperty("webgoat.build.version");
+	public Object process(ContentNode contentNode, String target, Map<String, Object> attributes) {
+        var webgoatVersion = EnvironmentExposure.getEnv().getProperty("webgoat.build.version");
+
+        //see https://discuss.asciidoctor.org/How-to-create-inline-macro-producing-HTML-In-AsciidoctorJ-td8313.html for why quoted is used
+        return createPhraseNode(contentNode, "quoted", webgoatVersion);
     }
 }

webgoat-integration-tests/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat</groupId>
         <artifactId>webgoat-parent</artifactId>
-        <version>8.2.0-SNAPSHOT</version>
+        <version>8.2.0</version>
     </parent>
 
     <dependencies>

webgoat-integration-tests/src/test/java/org/owasp/webgoat/DeserializationTest.java

@@ -10,25 +10,25 @@
 
 public class DeserializationTest extends IntegrationTest {
 
-	private static String OS = System.getProperty("os.name").toLowerCase();
-    
+    private static String OS = System.getProperty("os.name").toLowerCase();
+
     @Test
     public void runTests() throws IOException {
         startLesson("InsecureDeserialization");
-        
+
         Map<String, Object> params = new HashMap<>();
         params.clear();
-                
-        if (OS.indexOf("win")>-1) {
-        	params.put("token", SerializationHelper.toString(new VulnerableTaskHolder("wait", "ping localhost -n 5")));
+
+        if (OS.indexOf("win") > -1) {
+            params.put("token", SerializationHelper.toString(new VulnerableTaskHolder("wait", "ping localhost -n 5")));
         } else {
             params.put("token", SerializationHelper.toString(new VulnerableTaskHolder("wait", "sleep 5")));
         }
-        checkAssignment(url("/WebGoat/InsecureDeserialization/task"),params,true);
-        
+        checkAssignment(url("/WebGoat/InsecureDeserialization/task"), params, true);
+
         checkResults("/InsecureDeserialization/");
-    
+
     }
-    
-    
+
+
 }

webgoat-integration-tests/src/test/java/org/owasp/webgoat/PathTraversalTest.java

@@ -1,14 +1,7 @@
 package org.owasp.webgoat;
 
-import static org.junit.jupiter.api.DynamicTest.dynamicTest;
-
-import java.io.File;
-import java.io.IOException;
-import java.nio.file.Files;
-import java.nio.file.Path;
-import java.util.Arrays;
-import java.util.Map;
-
+import io.restassured.RestAssured;
+import lombok.SneakyThrows;
 import org.hamcrest.CoreMatchers;
 import org.hamcrest.MatcherAssert;
 import org.junit.jupiter.api.AfterEach;
@@ -18,38 +11,49 @@
 import org.junit.jupiter.api.io.TempDir;
 import org.springframework.security.core.token.Sha512DigestUtils;
 
-import io.restassured.RestAssured;
-import lombok.SneakyThrows;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.util.Arrays;
+import java.util.Map;
+import java.util.zip.ZipEntry;
+import java.util.zip.ZipOutputStream;
+
+import static org.junit.jupiter.api.DynamicTest.dynamicTest;
 
 public class PathTraversalTest extends IntegrationTest {
-        
-	//the JUnit5 way
+
+    //the JUnit5 way
     @TempDir
     Path tempDir;
-    
+
     private File fileToUpload = null;
-    
+
     @BeforeEach
     @SneakyThrows
     public void init() {
-    	fileToUpload = Files.createFile(
+        fileToUpload = Files.createFile(
                 tempDir.resolve("test.jpg")).toFile();
-    	Files.write(fileToUpload.toPath(), "This is a test" .getBytes());
-    	startLesson("PathTraversal");
+        Files.write(fileToUpload.toPath(), "This is a test".getBytes());
+        startLesson("PathTraversal");
     }
 
     @TestFactory
     Iterable<DynamicTest> testPathTraversal() {
-    	return Arrays.asList(
-    			dynamicTest("assignment 1 - profile upload",()-> assignment1()),
-    			dynamicTest("assignment 2 - profile upload fix",()-> assignment2()),
-    			dynamicTest("assignment 3 - profile upload remove user input",()-> assignment3()),
-    			dynamicTest("assignment 4 - profile upload random pic",()-> assignment4())
-    			);
+        return Arrays.asList(
+                dynamicTest("assignment 1 - profile upload", () -> assignment1()),
+                dynamicTest("assignment 2 - profile upload fix", () -> assignment2()),
+                dynamicTest("assignment 3 - profile upload remove user input", () -> assignment3()),
+                dynamicTest("assignment 4 - profile upload random pic", () -> assignment4()),
+                dynamicTest("assignment 5 - zip slip", () -> assignment5())
+        );
     }
-    
+
     public void assignment1() throws IOException {
-    	MatcherAssert.assertThat(
+        MatcherAssert.assertThat(
                 RestAssured.given()
                         .when()
                         .relaxedHTTPSValidation()
@@ -63,7 +67,7 @@ public void assignment1() throws IOException {
     }
 
     public void assignment2() throws IOException {
-    	MatcherAssert.assertThat(
+        MatcherAssert.assertThat(
                 RestAssured.given()
                         .when()
                         .relaxedHTTPSValidation()
@@ -77,7 +81,7 @@ public void assignment2() throws IOException {
     }
 
     public void assignment3() throws IOException {
-    	MatcherAssert.assertThat(
+        MatcherAssert.assertThat(
                 RestAssured.given()
                         .when()
                         .relaxedHTTPSValidation()
@@ -88,6 +92,7 @@ public void assignment3() throws IOException {
                         .statusCode(200)
                         .extract().path("lessonCompleted"), CoreMatchers.is(true));
     }
+
     public void assignment4() throws IOException {
         var uri = "/WebGoat/PathTraversal/random-picture?id=%2E%2E%2F%2E%2E%2Fpath-traversal-secret";
         RestAssured.given().urlEncodingEnabled(false)
@@ -101,10 +106,34 @@ public void assignment4() throws IOException {
 
         checkAssignment("/WebGoat/PathTraversal/random", Map.of("secret", Sha512DigestUtils.shaHex(getWebgoatUser())), true);
     }
-
+
+    public void assignment5() throws IOException {
+        var webGoatHome = System.getProperty("user.dir") + "/target/.webgoat/PathTraversal/" + getWebgoatUser();
+        webGoatHome = webGoatHome.replaceAll("^[a-zA-Z]:", ""); //Remove C: from the home directory on Windows
+
+        var webGoatDirectory = new File(webGoatHome);
+        var zipFile = new File(webGoatDirectory, "upload.zip");
+        try (var zos = new ZipOutputStream(new FileOutputStream(zipFile))) {
+            ZipEntry e = new ZipEntry("../../../../../../../../../../" + webGoatDirectory.toString() + "/image.jpg");
+            zos.putNextEntry(e);
+            zos.write("test".getBytes(StandardCharsets.UTF_8));
+        }
+        MatcherAssert.assertThat(
+                RestAssured.given()
+                        .when()
+                        .relaxedHTTPSValidation()
+                        .cookie("JSESSIONID", getWebGoatCookie())
+                        .multiPart("uploadedFileZipSlip", "upload.zip", Files.readAllBytes(zipFile.toPath()))
+                        .post("/WebGoat/PathTraversal/zip-slip")
+                        .then()
+                        .statusCode(200)
+                        .extract().path("lessonCompleted"), CoreMatchers.is(true));
+
+    }
+
     @AfterEach
     public void shutdown() {
-    	//this will run only once after the list of dynamic tests has run, this is to test if the lesson is marked complete
-    	checkResults("/PathTraversal");
+        //this will run only once after the list of dynamic tests has run, this is to test if the lesson is marked complete
+        checkResults("/PathTraversal");
     }
 }

webgoat-lessons/auth-bypass/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.0-SNAPSHOT</version>
+        <version>8.2.0</version>
     </parent>
 
 </project>

webgoat-lessons/bypass-restrictions/pom.xml

@@ -6,6 +6,6 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.0-SNAPSHOT</version>
+        <version>8.2.0</version>
     </parent>
 </project>

webgoat-lessons/challenge/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.0-SNAPSHOT</version>
+        <version>8.2.0</version>
     </parent>
 
 

webgoat-lessons/chrome-dev-tools/pom.xml

@@ -6,6 +6,6 @@
     <parent>
         <groupId>org.owasp.webgoat.lesson</groupId>
         <artifactId>webgoat-lessons-parent</artifactId>
-        <version>8.2.0-SNAPSHOT</version>
+        <version>8.2.0</version>
     </parent>
 </project>