fixed views for password reset (WebGoat#679)

qpioneer · Oct 10, 2019 · f140875 · f140875
1 parent 18d43f1
commit f140875
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 11 deletions.
diff --git a/...ns/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java b/...ns/password-reset/src/main/java/org/owasp/webgoat/password_reset/ResetLinkAssignment.java
@@ -31,6 +31,7 @@
 import org.springframework.ui.Model;
 import org.springframework.validation.BindingResult;
 import org.springframework.web.bind.annotation.*;
+import org.springframework.web.servlet.ModelAndView;
 
 import java.util.Map;
 
@@ -46,7 +47,7 @@ public class ResetLinkAssignment extends AssignmentEndpoint {
     static final String TOM_EMAIL = "[email protected]";
     static Map<String, String> userToTomResetLink = Maps.newHashMap();
     static Map<String, String> usersToTomPassword = Maps.newHashMap();
-    static EvictingQueue resetLinks = EvictingQueue.create(1000);
+    static EvictingQueue<String> resetLinks = EvictingQueue.create(1000);
 
     static final String TEMPLATE = "Hi, you requested a password reset link, please use this " +
             "<a target='_blank' href='http://%s/WebGoat/PasswordReset/reset/reset-password/%s'>link</a> to reset your password." +
@@ -73,32 +74,46 @@ public AttackResult login(@RequestParam String password, @RequestParam String em
     }
 
     @GetMapping("/PasswordReset/reset/reset-password/{link}")
-    public String resetPassword(@PathVariable(value = "link") String link, Model model) {
-        if (this.resetLinks.contains(link)) {
+    public ModelAndView resetPassword(@PathVariable(value = "link") String link, Model model) {
+    	ModelAndView modelAndView = new ModelAndView();
+        if (ResetLinkAssignment.resetLinks.contains(link)) {
             PasswordChangeForm form = new PasswordChangeForm();
             form.setResetLink(link);
             model.addAttribute("form", form);
-            return "password_reset"; //Display html page for changing password
+            modelAndView.addObject("form", form);
+            modelAndView.setViewName("password_reset"); //Display html page for changing password
         } else {
-            return "password_link_not_found";
+        	modelAndView.setViewName("password_link_not_found");
         }
+        return modelAndView;
     }
 
+    @GetMapping("/PasswordReset/reset/change-password")
+    public ModelAndView illegalCall() {
+    	ModelAndView modelAndView = new ModelAndView();
+    	modelAndView.setViewName("password_link_not_found");
+    	return modelAndView;
+    }
+
     @PostMapping("/PasswordReset/reset/change-password")
-    public String changePassword(@ModelAttribute("form") PasswordChangeForm form, BindingResult bindingResult) {
+    public ModelAndView changePassword(@ModelAttribute("form") PasswordChangeForm form, BindingResult bindingResult) {
+    	ModelAndView modelAndView = new ModelAndView();
         if (!org.springframework.util.StringUtils.hasText(form.getPassword())) {
             bindingResult.rejectValue("password", "not.empty");
         }
         if (bindingResult.hasErrors()) {
-            return "password_reset";
+        	modelAndView.setViewName("password_reset");
+        	return modelAndView;
         }
         if (!resetLinks.contains(form.getResetLink())) {
-            return "password_link_not_found";
+        	modelAndView.setViewName("password_link_not_found");
+        	return modelAndView;
         }
         if (checkIfLinkIsFromTom(form.getResetLink())) {
             usersToTomPassword.put(getWebSession().getUserName(), form.getPassword());
         }
-        return "success";
+        modelAndView.setViewName("success");
+        return modelAndView;
     }
 
     private boolean checkIfLinkIsFromTom(String resetLinkFromForm) {

diff --git a/webgoat-lessons/password-reset/src/main/resources/templates/password_link_not_found.html b/webgoat-lessons/password-reset/src/main/resources/templates/password_link_not_found.html
@@ -3,7 +3,7 @@
 <head>
     <link rel="stylesheet" type="text/css" th:href="@{/plugins/bootstrap/css/bootstrap.min.css}"/>
     <link rel="stylesheet" type="text/css" th:href="@{/css/font-awesome.min.css}"/>
-    <script th:src="@{/plugins/bootstrap/js/bootstrap.min.js}"/>
+    <script th:src="@{/plugins/bootstrap/js/bootstrap.min.js}"></script>
 </head>
 
 <body>

diff --git a/webgoat-lessons/password-reset/src/main/resources/templates/success.html b/webgoat-lessons/password-reset/src/main/resources/templates/success.html
@@ -3,7 +3,7 @@
 <head>
     <link rel="stylesheet" type="text/css" th:href="@{/plugins/bootstrap/css/bootstrap.min.css}"/>
     <link rel="stylesheet" type="text/css" th:href="@{/css/font-awesome.min.css}"/>
-    <script th:src="@{/plugins/bootstrap/js/bootstrap.min.js}"/>
+    <script th:src="@{/plugins/bootstrap/js/bootstrap.min.js}"></script>
 </head>
 
 <body>