Merge pull request diffblue#423 from diffblue/webgoat_install_refined

SEC-405: Extended rules file WebGoat and updated of WebGoat's install guide.

Author: marek-trtik

benchmarks/GENUINE/README.txt

@@ -35,38 +35,104 @@ Install guide for Ubuntu:
   1. git clone [email protected]:WebGoat/WebGoat.git
   2. cd WebGoat
   3. git checkout develop
-  4. (optional) Open the file:
-        ./WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5a.java
-     and insert into the line 59 the following code:
-            static String makeTainted(String accountName) {
-                return accountName;
-            }
-
-            public void main() {
-                String test = makeTainted("dave");
-                completed(test);
-            }
-            
-     The code adds an artificial entry point (the function "main") and also
-     an artificial function "makeTainted" for making input to the function
-     "completed" tainted. The reason for "makeTainted" function is that the
-     WebGoat uses the Spring servlet framework which delivers the already 
-     potentially tainted data to the method "completed". But we do not have
-     any feature in our rules specification which would capture that.
-     
-     NOTE: the entry-point for the Python driver script should thus then be:
-         --entry-point org.owasp.webgoat.plugin.introduction.SqlInjectionLesson5a.main
-
   4. mvn clean install -DskipTests
-  5. cd ..
-  6. rm -rf ./webgoat-container
+  5. Create the following two files representing the entry point to WebGoat:
+        ./WebGoat/__MAIN__/src/main/java/Main.java:
+            import org.owasp.webgoat.plugin.introduction.SqlInjectionLesson5a;
+            import org.owasp.webgoat.plugin.introduction.SqlInjectionLesson5b;
+            import org.owasp.webgoat.plugin.introduction.SqlInjectionLesson6a;
+
+            public class Main {
+
+                static String makeTainted(String accountName) {
+                    return accountName;
+                }
+
+                public static void main(String[] args) {
+                    // SqlInjectionLesson5a
+                    /*
+                    {
+                        String test = makeTainted("dave");
+                        SqlInjectionLesson5a obj = new SqlInjectionLesson5a();
+                        obj.completed(test);
+                    }
+                    */
+
+                    // SqlInjectionLesson5b
+                    /*
+                    {
+                        String test = makeTainted("dave");
+                        SqlInjectionLesson5b obj = new SqlInjectionLesson5b();
+                        try {
+                            obj.completed(test, null);
+                        }
+                        catch(java.io.IOException e) {
+                        }
+                    }
+                    */
+
+                    // SqlInjectionLesson6a
+                    /*
+                    {
+                        String test = makeTainted(args[0]);
+                        SqlInjectionLesson6a obj = new SqlInjectionLesson6a();
+                        try {
+                            obj.completed(test);
+                        }
+                        catch(java.io.IOException e) {
+                        }
+                    }
+                    */
+                }
+            }
+        Uncomment one of the blocks (depending on what lesson you want to analyse).
+
+        ./WebGoat/__MAIN__/pom.xml:
+            <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                     xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+                <modelVersion>4.0.0</modelVersion>
+                <groupId>__MAIN__</groupId>
+                <artifactId>__MAIN__</artifactId>
+                <packaging>jar</packaging>
+
+                <parent>
+                    <groupId>org.owasp.webgoat</groupId>
+                    <artifactId>webgoat-parent</artifactId>
+                    <version>8.0.0.M3</version>
+                </parent>
+
+                <dependencies>
+                    <dependency>
+                        <groupId>org.owasp.webgoat.lesson</groupId>
+                        <artifactId>sql-injection</artifactId>
+                        <version>${project.version}</version>
+                        <scope>provided</scope>
+                        <type>jar</type>
+                    </dependency>
+                    <dependency>
+                        <groupId>org.owasp.webgoat</groupId>
+                        <artifactId>webgoat-container</artifactId>
+                        <version>${project.version}</version>
+                        <scope>provided</scope>
+                        <type>jar</type>
+                    </dependency>
+                </dependencies>
+            </project>
+  6. cd __MAIN__
+  7. mvn package
+  8. cd ..
+  9. cd ..
+ 10. rm -rf ./webgoat-container
 
 The WebGoat does not seem to have a deployment step. Fortunately, the whole
 app is relatively small, so we can load everything for each lesson. It means
 that we can pass to the Python driver script these options:
     -I <security-scanner-root-dir>/benchmarks/GENUINE/WebGoat
     -L <security-scanner-root-dir>/benchmarks/GENUINE/WebGoat
-  
+
+From the step 5 above it should be clear that the entry point is specified as:
+    --entry-point Main.main
+
 General notes: The project is set up in a relatively standard way, likely to allow people to
 understand easily what's going on if they look at the code. The main vulnerabilities are
 in the webgoat-lessons folder, which holds server web service endpoints that then test if

benchmarks/GENUINE/WebGoatRules.json

@@ -4,7 +4,7 @@
     [
       {
         "comment": "Incoming accountName is potentially dangerous.",
-        "class": "org.owasp.webgoat.plugin.introduction.SqlInjectionLesson5a",
+        "class": "Main",
         "method": "makeTainted:(Ljava/lang/String;)Ljava/lang/String;",
         "result": {
           "location": "returns",