Merge branch 'release/v8.1.0'

hazanasec · May 22, 2020 · bd16fed · bd16fed
2 parents c8ac054 + 39740e0
commit bd16fed
Show file tree

Hide file tree

Showing 657 changed files with 10,935 additions and 76,117 deletions.
diff --git a/.gitignore b/.gitignore
@@ -15,6 +15,7 @@
 /.externalToolBuilders/
 .project
 */target/*
+*.pmd
 mongo-data/*
 .classpath
 .idea/

diff --git a/.travis.yml b/.travis.yml
@@ -2,16 +2,19 @@ services:
   - docker
 language: java
 jdk:
-- openjdk11
+  - openjdk11
+  - openjdk13
 install: "/bin/true"
 script:
-- export BRANCH=$(if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then echo $TRAVIS_BRANCH; else echo $TRAVIS_PULL_REQUEST_BRANCH; fi)
-- echo "TRAVIS_BRANCH=$TRAVIS_BRANCH, PR=$PR, BRANCH=$BRANCH"
-- if [ ! -z "${TRAVIS_TAG}" ]; then mvn versions:set -DnewVersion=${TRAVIS_TAG:1}; fi
-- mvn clean install -q
+  - export BRANCH=$(if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then echo $TRAVIS_BRANCH;
+    else echo $TRAVIS_PULL_REQUEST_BRANCH; fi)
+  - echo "TRAVIS_BRANCH=$TRAVIS_BRANCH, PR=$PR, BRANCH=$BRANCH"
+  - if [ ! -z "${TRAVIS_TAG}" ]; then mvn versions:set -DnewVersion=${TRAVIS_TAG:1};
+    fi
+  - mvn clean install -q
 cache:
   directories:
-  - "$HOME/.m2"
+    - "$HOME/.m2"
 before_deploy:
   - export WEBGOAT_SERVER_TARGET_DIR=$HOME/build/$TRAVIS_REPO_SLUG/webgoat-server/target
   - export WEBWOLF_TARGET_DIR=$HOME/build/$TRAVIS_REPO_SLUG/webwolf/target
@@ -21,27 +24,35 @@ before_deploy:
   - cp -fa $WEBWOLF_TARGET_DIR/*.jar $WEBGOAT_ARTIFACTS_FOLDER/
   - echo "Contents of artifacts folder:"
   - ls $WEBGOAT_ARTIFACTS_FOLDER
-deploy:
-  - provider: script
-    skip_cleanup: true
-    script: bash scripts/deploy-webgoat.sh
-    on:
-      repo: WebGoat/WebGoat
-      tags: true
-  - provider: releases
-    skip_cleanup: true
-    overwrite: true
-    api_key:
-      #api-key from webgoat-github user
-      secure: pJOLBnl6427PcVg/tVy/qB18JC7b8cKpffau+IP0pjdSt7KUfBdBY3QuJ7mrM65zRoVILzggLckaew2PlRmYQRdumyWlyRn44XiJ9KO4n6Bsufbz+ictB4ggtozpp9+I9IIUh1TmqypL9lhkX2ONM9dSHmyblYpAAgMuYSK8FYc=
-    file_glob: true
-    file: $WEBGOAT_ARTIFACTS_FOLDER/*
-    on:
-      repo: WebGoat/WebGoat
-      tags: true
+jobs:
+  include:
+    - stage: deploy
+      if: branch = master AND env(TRAVIS_TAG) IS present
+      jdk: openjdk11
+      skip_cleanup: true
+      script: bash scripts/deploy-webgoat.sh
+      on:
+        repo: WebGoat/WebGoat
+        tags: true
+    - stage: releases
+      if: branch = master AND env(TRAVIS_TAG) IS present
+      jdk: openjdk11
+      skip_cleanup: true
+      overwrite: true
+      api_key:
+        secure: pJOLBnl6427PcVg/tVy/qB18JC7b8cKpffau+IP0pjdSt7KUfBdBY3QuJ7mrM65zRoVILzggLckaew2PlRmYQRdumyWlyRn44XiJ9KO4n6Bsufbz+ictB4ggtozpp9+I9IIUh1TmqypL9lhkX2ONM9dSHmyblYpAAgMuYSK8FYc=
+      file_glob: true
+      file: "$WEBGOAT_ARTIFACTS_FOLDER/*"
+      on:
+        repo: WebGoat/WebGoat
+        tags: true
 env:
   global:
-  #Docker login
-  - secure: XgPc0UKRTUI70I4YWNQpThPPWeQIxkmzh1GNoR/SSDC2GPIBq3EfkkbSQewqil8stTy+S1/xSzc0JXG8NTn7UOxHVHA/2nhI6jX9E+DKtXQ89YwmaDNQjkbMjziAtDCIex+5TRykxNfkxj6VPYbDssrzI7iJXOIZVj/HoyO3O5E=
-  #Docker password
-  - secure: aly5TKBUK9sIiqtMbytNNPZHQhC0a7Yond5tEtuJ8fO+j/KZB4Uro3I6BhzYjGWFb5Kndd0j2TXHPFvtOl402J1CmFsY3v0BhilQd0g6zOssp5T0A73m8Jgq4ItV8wQJJy2bQsXqL1B+uFYieYPiMchj7JxWW0vBn7TV5b68l6U=
+    #Docker login
+    - secure: XgPc0UKRTUI70I4YWNQpThPPWeQIxkmzh1GNoR/SSDC2GPIBq3EfkkbSQewqil8stTy+S1/xSzc0JXG8NTn7UOxHVHA/2nhI6jX9E+DKtXQ89YwmaDNQjkbMjziAtDCIex+5TRykxNfkxj6VPYbDssrzI7iJXOIZVj/HoyO3O5E=
+    #Docker password
+    - secure: aly5TKBUK9sIiqtMbytNNPZHQhC0a7Yond5tEtuJ8fO+j/KZB4Uro3I6BhzYjGWFb5Kndd0j2TXHPFvtOl402J1CmFsY3v0BhilQd0g6zOssp5T0A73m8Jgq4ItV8wQJJy2bQsXqL1B+uFYieYPiMchj7JxWW0vBn7TV5b68l6U=
+notifications:
+  slack:
+    rooms:
+      secure: cDG2URRy7SEipMLyhodwjRBtsPBmfngFB4FyNaIhhr+2/SGyKvGhfW75YA9V+eC7J40KllxQhiIvrxngKDRABb3L1O72Sdj8mZSi8TVsUNLOdamJXHKGUwNSPWXv/1s2m+uC20cgxl66o31vxdV33uvxLdvGOd5e5qOKTsKP7UE=
diff --git a/COPYRIGHT.txt b/COPYRIGHT.txt
@@ -0,0 +1,19 @@
+This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+
+Copyright (c) 2002 - $today.year Bruce Mayhew
+
+This program is free software; you can redistribute it and/or modify it under the terms of the
+GNU General Public License as published by the Free Software Foundation; either version 2 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with this program; if
+not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+02111-1307, USA.
+
+Getting Source ==============
+
+Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
diff --git a/CREATE_RELEASE.MD b/CREATE_RELEASE.MD
@@ -5,7 +5,11 @@
 
 For WebGoat we use milestone releases first before we release the official version, we use `v8.0.0.M3` while tagging
  and 8.0.0.M3 in the `pom.xml`. When we create the final release we remove the milestone release and use 
- `v8.0.0` and 8.0.0 in the `pom.xml`
+ `v8.0.0` in the `pom.xml`
+
+### Release notes:
+Update the release notes with the correct version. Use `git shortlog -s -n --since "SEP 31 2019"` for the list of 
+committers.
 
 At the moment we use Gitflow, for a release you create a new release branch and take the following steps:
 

diff --git a/README.MD b/README.MD
@@ -4,8 +4,8 @@
 [![Coverage Status](https://coveralls.io/repos/WebGoat/WebGoat/badge.svg?branch=develop&service=github)](https://coveralls.io/github/WebGoat/WebGoat?branch=master)
 [![Codacy Badge](https://api.codacy.com/project/badge/b69ee3a86e3b4afcaf993f210fccfb1d)](https://www.codacy.com/app/dm/WebGoat)
 [![Dependency Status](https://www.versioneye.com/user/projects/562da95ae346d7000e0369aa/badge.svg?style=flat)](https://www.versioneye.com/user/projects/562da95ae346d7000e0369aa)
-[![OWASP Labs](https://img.shields.io/badge/owasp-lab%20project-f7b73c.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Labs_Projects) 
-[![GitHub release](https://img.shields.io/github/release/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/releases/latest) 
+[![OWASP Labs](https://img.shields.io/badge/owasp-lab%20project-f7b73c.svg)](https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Labs_Projects)
+[![GitHub release](https://img.shields.io/github/release/WebGoat/WebGoat.svg)](https://github.com/WebGoat/WebGoat/releases/latest)
 
 # Introduction
 
@@ -29,35 +29,61 @@ first thing that all hackers claim.*
 
 # Installation Instructions:
 
-## 1. Standalone 
+## 1. Standalone
 
 Download the latest WebGoat release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)
 
 ```Shell
 java -jar webgoat-server-8.0.0.VERSION.jar [--server.port=8080] [--server.address=localhost]
 ```
 
-The latest version of WebGoat needs Java 11. By default WebGoat starts on port 8080 with `--server.port` you can specify a different port. With `server.address` you
+The latest version of WebGoat needs Java 11 or above. By default WebGoat starts on port 8080 with `--server.port` you can specify a different port. With `server.address` you
 can bind it to a different address (default localhost)
 
 
 ## 2. Run using Docker
 
 Every release is also published on [DockerHub]((https://hub.docker.com/r/webgoat/webgoat-8.0/)).
 
-### Using docker-compose
+### Using docker run
 
-The easiest way to start WebGoat as a Docker container is to use the `docker-compose.yml` [file](https://raw.githubusercontent.com/WebGoat/WebGoat/develop/docker-compose.yml) 
-from our Github repository. This will start both containers and it also takes care of setting up the
-connection between WebGoat and WebWolf.
+The easiest way to start WebGoat as a Docker container is to use the all-in-one docker container. This is a docker image that has WebGoat and WebWolf running inside.
 
 ```shell
-curl https://raw.githubusercontent.com/WebGoat/WebGoat/develop/docker-compose.yml | docker-compose -f - up
+docker run -d -p 8080:8080 -p 9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf
 ```
 
-**Important**: the current directory on your host will be mapped into the container for keeping state.
+WebGoat will be located at: http://127.0.0.1:8080/WebGoat
+WebWolf will be located at: http://127.0.0.1:9090/WebWolf
+
+**Important**: Choose the correct timezone, so that the docker container and your host are in the same timezone. As it important for the validity of JWT tokens used in certain exercises.
+
+### Using docker stack deploy
+
+Another way to deply WebGoat and WebWolf in a more advanced way is to use a compose-file in a docker stack deploy.
+You can define which containers should run in which combinations and define all of this in a yaml file.
+An example of such a file is: [goat-with-reverseproxy.yaml](goat-with-reverseproxy.yaml)
+
+This sets up an nginx webserver as reverse proxy to WebGoat and WebWolf. You can change the timezone by adjusting the value in the yaml file.
+
+```shell
+docker stack init
+docker stack deploy --compose-file goat-with-reverseproxy.yaml webgoatdemo
+```
 
-Using the `docker-compose` file will simplify getting WebGoat and WebWolf up and running.
+Add the following entries in your local hosts file:
+
+```shell
+127.0.0.1 www.webgoat.local www.webwolf.localhost
+```
+
+You can use the overall start page: http://www.webgoat.local or:
+
+WebGoat will be located at: http://www.webgoat.local/WebGoat
+
+WebWolf will be located at: http://www.webwolf.local/WebWolf
+
+**Important**: the current directory on your host will be mapped into the container for keeping state.
 
 
 ## 3. Run from the sources

diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
@@ -0,0 +1,50 @@
+# WebGoat release notes 
+
+## Version 8.1.0
+
+### New functionality
+
+- Added new lessons for cryptography and path-traversal
+- Extra content added to the XXE lesson
+- Explanation of the assignments will be part of WebGoat, in this release we added detailed descriptions on how to solve the XXE lesson. In the upcoming releases new explanations will be added. If you want to contribute please create a pull request on Github.
+- Docker improvements + docker stack for complete container with nginx 
+- Included JWT token decoding and generation, since jwt.io does not support None anymore 
+
+### Bug fixes
+
+- [#743 - Character encoding errors](https://github.com/WebGoat/WebGoat/issues/743)
+- [#811 -  Flag submission fails](https://github.com/WebGoat/WebGoat/issues/811)
+- [#810 - Scoreboard for challenges shows csrf users](https://github.com/WebGoat/WebGoat/issues/810)
+- [#788 - strange copy in constructor](https://github.com/WebGoat/WebGoat/issues/788) 
+- [#760 - Execution of standalone jar fails (Flyway migration step](https://github.com/WebGoat/WebGoat/issues/760)
+- [#766 - Unclear objective of vulnerable components practical assignment](https://github.com/WebGoat/WebGoat/issues/766)
+- [#708 - Seems like the home directory of WebGoat always use @project.version@](https://github.com/WebGoat/WebGoat/issues/708)
+- [#719 - WebGoat: 'Contact Us' email link in header is not correctly set](https://github.com/WebGoat/WebGoat/issues/719)
+ - [#715 - Reset lesson doesn't reset the "HTML lesson" => forms stay succesful](https://github.com/WebGoat/WebGoat/issues/715)
+ - [#725 - Vulnerable Components lesson 12 broken due to too new dependency](https://github.com/WebGoat/WebGoat/issues/725)
+ - [#716 -  On M26 @project.version@ is not "interpreted" #7](https://github.com/WebGoat/WebGoat/issues/716)
+ - [#721 couldn't be able to run CSRF lesson 3: Receive Whitelabel Error Page](https://github.com/WebGoat/WebGoat/issues/721)
+ - [#724 - Dead link in VulnerableComponents lesson 11](https://github.com/WebGoat/WebGoat/issues/724)
+
+ ## Contributors
+
+Special thanks to the following contributors providing us with a pull request:
+
+- Satoshi SAKAO
+- Philippe Lafoucrière
+- Cotonne
+- Tiago Mussi
+- thegoodcrumpets
+- Atharva Vaidya
+- torleif
+- August Detlefsen
+- Choe Hyeong Jin
+
+And everyone who provided feedback through Github.
+
+
+Team WebGoat
+
+
+
+
diff --git a/docker-compose-postgres.yml b/docker-compose-postgres.yml
@@ -11,7 +11,7 @@ services:
       - spring.datasource.username=webgoat
       - spring.datasource.password=webgoat
       - spring.datasource.driver-class-name=org.postgresql.Driver
-      - spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL94Dialect
+      - spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL10Dialect
       - webgoat.server.directory=/home/webgoat/.webgoat/
       - webgoat.user.directory=/home/webgoat/.webgoat/
     ports:
@@ -23,11 +23,11 @@ services:
       - spring.datasource.username=webgoat
       - spring.datasource.password=webgoat
       - spring.datasource.driver-class-name=org.postgresql.Driver
-      - spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL94Dialect
+      - spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL10Dialect
     ports:
       - "9090:9090"
   webgoat_db:
-    image: postgres:9.4
+    image: postgres:10.12
 # Uncomment to store the state of the database on the host.
 #    volumes:
 #      - ./database:/var/lib/postgresql

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,18 +1,22 @@
-version: '2.1'
+version: '3'
 
 services:
   webgoat:
     image: webgoat/webgoat-8.0
     environment:
       - WEBWOLF_HOST=webwolf
       - WEBWOLF_PORT=9090
+      - TZ=Europe/Amsterdam
     ports:
       - "8080:8080"
       - "9001:9001"
     volumes:
       - .:/home/webgoat/.webgoat
+    working_dir: /home/webgoat
   webwolf:
     image: webgoat/webwolf
     ports:
       - "9090:9090"
-    command: --spring.datasource.url=jdbc:hsqldb:hsql://webgoat:9001/webgoat --server.address=0.0.0.0
+    command: --spring.datasource.url=jdbc:hsqldb:hsql://webgoat:9001/webgoat --server.address=0.0.0.0
+    depends_on:
+            - webgoat
diff --git a/docker/.gitignore b/docker/.gitignore
@@ -0,0 +1 @@
+*.jar
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -0,0 +1,30 @@
+FROM openjdk:11.0.1-jre-slim-stretch
+
+ARG webgoat_version=v8.0.0-SNAPSHOT
+ENV webgoat_version_env=${webgoat_version}
+
+RUN apt-get update && apt-get install 
+RUN useradd --home-dir /home/webgoat --create-home -U webgoat
+RUN apt-get -y install apt-utils nginx
+
+USER webgoat
+RUN cd /home/webgoat/; mkdir -p .webgoat-${webgoat_version}
+
+COPY nginx.conf /etc/nginx/nginx.conf
+COPY index.html /usr/share/nginx/html/
+COPY webgoat-server-${webgoat_version}.jar /home/webgoat/webgoat.jar
+COPY webwolf-${webgoat_version}.jar /home/webgoat/webwolf.jar
+COPY start.sh /home/webgoat
+
+EXPOSE 8080
+EXPOSE 9090
+
+ENV WEBGOAT_PORT 8080
+ENV WEBGOAT_SSLENABLED false
+
+ENV GOATURL https://127.0.0.1:$WEBGOAT_PORT
+ENV WOLFURL http://127.0.0.1:9090
+
+
+WORKDIR /home/webgoat
+ENTRYPOINT /bin/bash /home/webgoat/start.sh $webgoat_version_env
diff --git a/docker/Readme.md b/docker/Readme.md
@@ -0,0 +1,9 @@
+# Docker all-in-one image
+
+## Docker build
+
+	docker build --no-cache --build-arg webgoat_version=v8.0.0-SNAPSHOT -t webgoat/goatandwolf:latest .
+
+## Docker run
+
+	docker run -d -p 80:8888 -p 8080:8080 -p 9090:9090 -e TZ=Europe/Amsterdam webgoat/goatandwolf:latest
diff --git a/docker/index.html b/docker/index.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<html>
+  <body>
+    <h1>OWASP WebGoat Training tools</h1>
+    <p>
+      Use the following links to access the WebGoat and WebWolf applications.
+      Register a user using WebGoat. The same user can access WebWolf.
+    </p>
+
+	<h2>Use without special host name entries</h2>
+
+	<table>
+	<tr>
+		<td>WebGoat URL</td>
+		<td><a href="http://127.0.0.1:8080/WebGoat" target="_blank">http://127.0.0.1:8080/WebGoat</a></td>
+	</tr>
+	<tr>
+		<td>WebWolf URL</td>
+		<td><a href="http://127.0.0.1:9090/WebWolf" target="_blank">http://127.0.0.1:9090/WebWolf</a></td>
+	</tr>
+	<table>
+
+	<h2>Use with www.webgoat.local and www.webwolf.local</h2>
+	<p>
+      Add the following entries to your local <b><i>hosts</i></b> file on Windows (c:\Windows\System32\drivers\etc\hosts) or Linux (/etc/hosts)
+
+<pre>
+127.0.0.1 www.webgoat.local www.webwolf.local
+</pre>
+	Then use the following URL's:
+    </p>
+	<table>
+	<tr>
+		<td>WebGoat URL</td>
+		<td><a href="http://www.webgoat.local/WebGoat" target="_blank">http://www.webgoat.local/WebGoat</a></td>
+	</tr>
+	<tr>
+		<td>WebWolf URL</td>
+		<td><a href="http://www.webwolf.local/WebWolf" target="_blank">http://www.webwolf.local/WebWolf</a></td>
+	</tr>
+	<table>
+  </body>
+</html>