From 6c91e7dc8ab4d873cda8550a04b6179db048568b Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Wed, 15 Nov 2017 11:58:31 +0100 Subject: [PATCH] Fixed WebWolf issues with sending e-mails --- .travis.yml | 2 +- CREATE_RELEASE.MD | 29 +++++++ docker-compose.yml | 6 -- .../src/main/resources/application.properties | 2 +- .../plugin/challenge7/Assignment7.java | 2 +- .../owasp/webgoat/plugin/MailAssignment.java | 6 +- .../resources/html/WebWolfIntroduction.html | 5 +- .../main/java/org/owasp/webwolf/WebWolf.java | 6 +- .../org/owasp/webwolf/requests/Requests.java | 5 +- .../requests/WebWolfTraceRepository.java | 80 ++----------------- .../user/WebGoatUserToCookieRepository.java | 14 ---- 11 files changed, 48 insertions(+), 109 deletions(-) create mode 100644 CREATE_RELEASE.MD delete mode 100644 webwolf/src/main/java/org/owasp/webwolf/user/WebGoatUserToCookieRepository.java diff --git a/.travis.yml b/.travis.yml index f63a2211e8..3667101a9c 100644 --- a/.travis.yml +++ b/.travis.yml @@ -7,7 +7,7 @@ install: "/bin/true" script: - export BRANCH=$(if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then echo $TRAVIS_BRANCH; else echo $TRAVIS_PULL_REQUEST_BRANCH; fi) - echo "TRAVIS_BRANCH=$TRAVIS_BRANCH, PR=$PR, BRANCH=$BRANCH" -- mvn clean install +- mvn clean install -q cache: directories: - "$HOME/.m2" diff --git a/CREATE_RELEASE.MD b/CREATE_RELEASE.MD new file mode 100644 index 0000000000..885c7a2fcf --- /dev/null +++ b/CREATE_RELEASE.MD 
@@ -0,0 +1,29 @@ +## Release WebGoat + + +### Version numbers + +For WebGoat we use milestone releases first before we release the official version, we use `v8.0.0.M3` while tagging + and 8.0.0.M3 in the `pom.xml`. When we create the final release we remove the milestone release and use + `v8.0.0` and 8.0.0 in the `pom.xml` + +At the moment we use Gitflow, for a release you create a new release branch and take the following steps: + +``` +git checkout develop +git flow release start +mvn versions:set < +git commit -am "New release, updaing pom.xml" +git flow release publish +``` + +Now we can make a new release, be sure you committed all your changes. + +``` +git tag v8.0.0.M3 +git push origin v8.0.0.M3 +``` + +Now Travis takes over and will create the release in Github and on Docker Hub. + + diff --git a/docker-compose.yml b/docker-compose.yml index 3212cae13b..6062d33796 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,12 +1,6 @@ version: '2.0' services: - activemq: - image: webcenter/activemq:latest - ports: - - 8161:8161 - - 61616:61616 - - 61613:61613 mongo: image: mongo:latest expose: diff --git a/webgoat-container/src/main/resources/application.properties b/webgoat-container/src/main/resources/application.properties index f2173effdd..a92f16480f 100644 --- a/webgoat-container/src/main/resources/application.properties +++ b/webgoat-container/src/main/resources/application.properties @@ -34,7 +34,7 @@ webwolf.host=${WEBWOLF_HOST:localhost} webwolf.port=${WEBWOLF_PORT:8081} webwolf.url=http://${webwolf.host}:${webwolf.port}/WebWolf webworf.url.landingpage=http://${webwolf.host}:${webwolf.port}/landing -webworf.url.mail=http://${webwolf.host}:${webwolf.port}/mail +webwolf.url.mail=http://${webwolf.host}:${webwolf.port}/mail spring.jackson.serialization.indent_output=true spring.jackson.serialization.write-dates-as-timestamps=false 
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge7/Assignment7.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge7/Assignment7.java index d7d5e20cff..2e12e14cc3 100644 --- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge7/Assignment7.java +++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge7/Assignment7.java @@ -45,7 +45,7 @@ public class Assignment7 extends AssignmentEndpoint { @Autowired private RestTemplate restTemplate; - @Value("${webworf.url.mail}") + @Value("${webwolf.url.mail}") private String webWolfMailURL; @GetMapping("/reset-password/{link}") diff --git a/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/plugin/MailAssignment.java b/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/plugin/MailAssignment.java index fa41cb2c4f..54e17a9c2a 100644 --- a/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/plugin/MailAssignment.java +++ b/webgoat-lessons/webwolf-introduction/src/main/java/org/owasp/webgoat/plugin/MailAssignment.java @@ -22,7 +22,7 @@ public class MailAssignment extends AssignmentEndpoint { private final String webWolfURL; private RestTemplate restTemplate; - public MailAssignment(RestTemplate restTemplate, @Value("${webwolf.url}") String webWolfURL) { + public MailAssignment(RestTemplate restTemplate, @Value("${webwolf.url.mail}") String webWolfURL) { this.restTemplate = restTemplate; this.webWolfURL = webWolfURL; } 
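Review bot: The constructor now injects `${webwolf.url.mail}` into a field still called `webWolfURL`, so the name no longer describes the value; `Assignment7` in the same commit calls the equivalent field `webWolfMailURL`, and using that name here (field, constructor parameter, and the `postForEntity(webWolfURL, ...)` call in the second hunk) would keep the two lessons consistent. The second hunk also discards the `ResponseEntity` from `postForEntity`; with RestTemplate's default error handler a non-2xx reply or an unreachable WebWolf presumably surfaces as an exception out of `sendEmail` rather than as lesson feedback, which may be intended but deserves a comment on the call such as `// a failed POST propagates as an exception; WebWolf must be reachable for this lesson`. `sendEmail` begins and ends outside the second hunk.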
@@ -36,10 +36,10 @@ public AttackResult sendEmail(@RequestParam String email) { .recipient(username) .title("Test messages from WebWolf") .time(LocalDateTime.now()) - .contents("This is a test message from WebWolf, your unique code is" + StringUtils.reverse(username)) + .contents("This is a test message from WebWolf, your unique code is: " + StringUtils.reverse(username)) .sender("webgoat@owasp.org") .build(); - restTemplate.postForEntity(webWolfURL + "/WebWolf/mail", mailEvent, Object.class); + restTemplate.postForEntity(webWolfURL, mailEvent, Object.class); return informationMessage().feedback("webwolf.email_send").feedbackArgs(email).build(); } else { return informationMessage().feedback("webwolf.email_mismatch").feedbackArgs(username).build(); diff --git a/webgoat-lessons/webwolf-introduction/src/main/resources/html/WebWolfIntroduction.html b/webgoat-lessons/webwolf-introduction/src/main/resources/html/WebWolfIntroduction.html index 3e95b703f6..fc443b7c70 100644 --- a/webgoat-lessons/webwolf-introduction/src/main/resources/html/WebWolfIntroduction.html +++ b/webgoat-lessons/webwolf-introduction/src/main/resources/html/WebWolfIntroduction.html @@ -12,9 +12,10 @@
-
+
diff --git a/webwolf/src/main/java/org/owasp/webwolf/WebWolf.java b/webwolf/src/main/java/org/owasp/webwolf/WebWolf.java index 1482d93164..768b78347c 100644 --- a/webwolf/src/main/java/org/owasp/webwolf/WebWolf.java +++ b/webwolf/src/main/java/org/owasp/webwolf/WebWolf.java @@ -2,8 +2,6 @@ import lombok.extern.slf4j.Slf4j; import org.owasp.webwolf.requests.WebWolfTraceRepository; -import org.owasp.webwolf.user.UserRepository; -import org.owasp.webwolf.user.WebGoatUserToCookieRepository; import org.springframework.boot.SpringApplication; import org.springframework.boot.actuate.trace.TraceRepository; import org.springframework.boot.autoconfigure.SpringBootApplication; @@ -16,8 +14,8 @@ public class WebWolf extends SpringBootServletInitializer { @Bean - public TraceRepository traceRepository(WebGoatUserToCookieRepository repository, UserRepository userRepository) { - return new WebWolfTraceRepository(repository, userRepository); + public TraceRepository traceRepository() { + return new WebWolfTraceRepository(); } @Override diff --git a/webwolf/src/main/java/org/owasp/webwolf/requests/Requests.java b/webwolf/src/main/java/org/owasp/webwolf/requests/Requests.java index 8b4acd4a9d..d92bb4bf1f 100644 --- a/webwolf/src/main/java/org/owasp/webwolf/requests/Requests.java +++ b/webwolf/src/main/java/org/owasp/webwolf/requests/Requests.java @@ -5,9 +5,7 @@ import lombok.AllArgsConstructor; import lombok.Getter; import lombok.extern.slf4j.Slf4j; -import org.owasp.webwolf.user.WebGoatUser; import org.springframework.boot.actuate.trace.Trace; -import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RequestMapping; 
@@ -46,8 +44,7 @@ private class Tracert { @GetMapping public ModelAndView get(HttpServletRequest request) { ModelAndView m = new ModelAndView("requests"); - WebGoatUser user = (WebGoatUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal(); - List traces = traceRepository.findTraceForUser(user.getUsername()).stream() + List traces = traceRepository.findAllTraces().stream() .map(t -> new Tracert(t.getTimestamp(), path(t), toJsonString(t))).collect(toList()); m.addObject("traces", traces); diff --git a/webwolf/src/main/java/org/owasp/webwolf/requests/WebWolfTraceRepository.java b/webwolf/src/main/java/org/owasp/webwolf/requests/WebWolfTraceRepository.java index e63bbd9f52..43a04b1afe 100644 --- a/webwolf/src/main/java/org/owasp/webwolf/requests/WebWolfTraceRepository.java +++ b/webwolf/src/main/java/org/owasp/webwolf/requests/WebWolfTraceRepository.java 
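Review bot: `get` now renders `traceRepository.findAllTraces()` for whoever is logged in, so every WebWolf user sees the landing requests recorded for all users, whereas the removed lines filtered by the authenticated principal via `findTraceForUser(user.getUsername())`. The comment removed from `WebWolfTraceRepository.add` noted that secrets fetched through the landing page must then be unique per user; with the per-user filter gone that caveat applies to every lesson using `/landing`, and nothing in this commit documents it. If a shared view is the intended trade-off for a single-user WebWolf, say so on the handler, e.g. `// Traces are not scoped to the current user: WebWolf is assumed to run single-user`; otherwise the list should still be filtered by principal before `m.addObject("traces", traces)`. `get` returns outside the hunk.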
@@ -1,30 +1,17 @@ package org.owasp.webwolf.requests; -import com.google.common.cache.CacheBuilder; -import com.google.common.cache.CacheLoader; -import com.google.common.cache.LoadingCache; +import com.google.common.collect.EvictingQueue; import com.google.common.collect.Lists; import com.google.common.collect.Maps; import lombok.extern.slf4j.Slf4j; -import org.owasp.webwolf.user.UserRepository; -import org.owasp.webwolf.user.WebGoatUser; -import org.owasp.webwolf.user.WebGoatUserCookie; -import org.owasp.webwolf.user.WebGoatUserToCookieRepository; import org.springframework.boot.actuate.trace.Trace; import org.springframework.boot.actuate.trace.TraceRepository; -import org.springframework.security.core.Authentication; -import org.springframework.security.core.context.SecurityContextHolder; -import java.net.HttpCookie; import java.util.*; -import java.util.concurrent.ConcurrentLinkedDeque; - -import static java.util.Optional.empty; -import static java.util.Optional.of; /** * Keep track of all the incoming requests, we are only keeping track of request originating from - * WebGoat and only if there is a cookie (otherwise we can never relate it back to a user). + * WebGoat. * * @author nbaars * @since 8/13/17. @@ -32,20 +19,7 @@ @Slf4j public class WebWolfTraceRepository implements TraceRepository { - private final LoadingCache> cookieTraces = CacheBuilder.newBuilder() - .maximumSize(4000).build(new CacheLoader>() { - @Override - public ConcurrentLinkedDeque load(String s) throws Exception { - return new ConcurrentLinkedDeque<>(); - } - }); - private final WebGoatUserToCookieRepository repository; - private final UserRepository userRepository; - - public WebWolfTraceRepository(WebGoatUserToCookieRepository repository, UserRepository userRepository) { - this.repository = repository; - this.userRepository = userRepository; - } + private final EvictingQueue traces = EvictingQueue.create(10000); @Override public List findAll() { 
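Review bot: The new `traces` field is a Guava `EvictingQueue`, which is documented as not thread-safe, yet `add(Map)` is presumably called by the actuator trace filter on request threads while `findAllTraces()` iterates the same queue from the `Requests` controller (both in the next hunk); the removed implementation used `ConcurrentLinkedDeque` for exactly this reason. Wrapping the queue and copying it under its monitor closes the gap: `private final Queue<Trace> traces = Queues.synchronizedQueue(EvictingQueue.create(10000));` in this hunk, and `synchronized (traces) { return Lists.newArrayList(traces); }` in `findAllTraces`. A short comment on the field stating that the queue is shared between request threads and the controller would also help, since the 10000 bound is the only thing the declaration currently explains.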
@@ -55,59 +29,19 @@ public List findAll() { return Lists.newArrayList(trace); } - public List findTraceForUser(String username) { - return Lists.newArrayList(cookieTraces.getUnchecked(username)); + public List findAllTraces() { + return Lists.newArrayList(traces); } @Override public void add(Map map) { Optional host = getFromHeaders("host", map); String path = (String) map.getOrDefault("path", ""); - if (host.isPresent() && path.contains("/landing/")) { - Optional cookie = getFromHeaders("cookie", map); - Optional user = cookie.isPresent() ? findUserBasedOnCookie(cookie.get()) : getLoggedInUser(); - user.ifPresent(u -> { - ConcurrentLinkedDeque traces = this.cookieTraces.getUnchecked(u); - traces.addFirst(new Trace(new Date(), map)); - cookieTraces.put(u, traces); - }); - //No user found based on cookie and logged in user, so add the trace to all users - //In case of XXE no cookie will be send we cannot retrieve who is logged in. - //Standalone this is ok, in a challenge you need to make sure the solution or secret the users need to - //fetch is unique - if (!user.isPresent()) { - List users = this.userRepository.findAll(); - users.forEach(u -> { - ConcurrentLinkedDeque traces = this.cookieTraces.getUnchecked(u.getUsername()); - traces.addFirst(new Trace(new Date(), map)); - cookieTraces.put(u.getUsername(), traces); - }); - } + if (host.isPresent() && path.contains("/landing")) { + traces.add(new Trace(new Date(), map)); } } - private Optional findUserBasedOnCookie(String cookiesIncomingRequest) { - //Request from WebGoat to WebWolf will contain the session cookie of WebGoat try to map it to a user - //this mapping is added to userSession by the CookieFilter in WebGoat code - HttpCookie cookie = HttpCookie.parse(cookiesIncomingRequest).get(0); - Optional userToCookie = repository.findByCookie(cookie.getValue()); - Optional user = userToCookie.map(u -> u.getUsername()); - - return user; - } - - private Optional getLoggedInUser() { - Optional user = empty(); - 
//User is maybe logged in to WebWolf use this user - Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); - if (authentication != null && authentication.getPrincipal() instanceof WebGoatUser) { - WebGoatUser wg = (WebGoatUser) authentication.getPrincipal(); - user = of(wg.getUsername()); - } - return user; - } - - private Optional getFromHeaders(String header, Map map) { Map headers = (Map) map.get("headers"); if (headers != null) { diff --git a/webwolf/src/main/java/org/owasp/webwolf/user/WebGoatUserToCookieRepository.java b/webwolf/src/main/java/org/owasp/webwolf/user/WebGoatUserToCookieRepository.java deleted file mode 100644 index 8445a1c3d2..0000000000 --- a/webwolf/src/main/java/org/owasp/webwolf/user/WebGoatUserToCookieRepository.java +++ /dev/null @@ -1,14 +0,0 @@ -package org.owasp.webwolf.user; - -import org.springframework.data.mongodb.repository.MongoRepository; - -import java.util.Optional; - -/** - * @author nbaars - * @since 8/20/17. - */ -public interface WebGoatUserToCookieRepository extends MongoRepository { - - Optional findByCookie(String cookie); -}
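Review bot: The widened condition `if (host.isPresent() && path.contains("/landing"))` records any trace whose path merely contains that substring, and a present Host header is the only other check, so the class Javadoc's claim that only requests originating from WebGoat are kept is no longer something `add` enforces; the removed cookie lookup was the part that related a trace to a WebGoat user. If the substring match is deliberate (for instance to accept `/landing` with and without a trailing path), a comment on the condition would stop the next reader from tightening it back, e.g. `// match "/landing" with or without a trailing segment; the request origin is not verified`. The Javadoc in the previous hunk should likewise say "every request to a /landing path" rather than "requests originating from WebGoat". `getFromHeaders` continues past the end of the hunk.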