Merge pull request diffblue#435 from diffblue/owen-jones-diffblue/webgoat-makefile

owen-jones-diffblue · web-flow · commit 9eea141d3327 · 2018-06-04T10:37:44.000+01:00
SEC-430: WebGoat makefile
diff --git a/benchmarks/GENUINE/Makefile b/benchmarks/GENUINE/Makefile
@@ -0,0 +1,17 @@
+lessons-which-work := webgoat-run-SqlInjectionLesson5a webgoat-run-SqlInjectionLesson5b webgoat-run-SqlInjectionLesson6a webgoat-run-SqlInjectionLesson12a webgoat-run-SqlInjectionChallenge webgoat-run-Assignment5 webgoat-run-Assignment6 webgoat-run-CrossSiteScriptingLesson5a webgoat-run-SimpleXXE webgoat-run-BlindSendFileAssignment
+lessons-which-do-not-work := webgoat-run-CrossSiteScriptingLesson5a webgoat-run-Assignment3 webgoat-run-ContentTypeAssignment webgoat-run-VulnerableComponentsLesson webgoat-run-MissingFunctionACUsers
+
+webgoat-run: $(lessons-which-work)
+
+webgoat-run-all: $(lessons-which-work) $(lessons-which-do-not-work)
+
+webgoat-run-%: WebGoat/__MAIN__/target/classes/Main.class
+	cd ../../dist && python3 ../driver/run.py -C ../benchmarks/GENUINE/WebGoatRules.json -I ../benchmarks/GENUINE/WebGoat -L ../benchmarks/GENUINE/WebGoat -R GENUINE/WebGoat/$*/RESULTS -T GENUINE/WebGoat/TEMP --name WebGoat --verbosity 9 --use-models-library --do-not-use-precise-access-paths --rebuild --timeout 10000000 --entry-point Main.$*
+
+WebGoat/__MAIN__/target/classes/Main.class:
+	git clone git@github.com:WebGoat/WebGoat.git
+	cd WebGoat && git checkout a922c00
+	cd WebGoat && mvn clean install -DskipTests
+	mkdir -p WebGoat/__MAIN__/src/main/java && cp WebGoat_files/Main.java WebGoat/__MAIN__/src/main/java/Main.java && cp WebGoat_files/pom.xml WebGoat/__MAIN__/pom.xml && cp -r ../LIBRARIES/models/model/src/main/java/org WebGoat/__MAIN__/src/main/java/
+	cd WebGoat/__MAIN__ && rm -rf target && mvn clean package && rm -rf ./target/classes/org && rm -f ./target/__MAIN__-8.0.0.M3.jar
+	rm -rf webgoat-container
diff --git a/benchmarks/GENUINE/WebGoat_files/Main.java b/benchmarks/GENUINE/WebGoat_files/Main.java
@@ -0,0 +1,234 @@
+/*
+Lessons considered in this file:
+    [Sql Injection] Assignment6, registerNewUser
+    [Sql Injection] Assignment5, login
+    [Sql Injection] SqlInjectionLesson12a, completed
+    [Sql Injection] SqlInjectionLesson5a, completed
+    [Sql Injection] SqlInjectionLesson5b, completed
+    [Sql Injection] SqlInjectionLesson6a, completed
+    [Sql Injection] SqlInjectionChallenge, registerNewUser
+
+    [XXE] Assignment3, createNewComment
+    [XXE] SimpleXXE, createNewComment
+    [XXE] ContentTypeAssignment, createNewUser
+    [XXE] BlindSendFileAssignment, addComment
+
+    [XSS] CrossSiteScriptingLesson5a, completed
+
+    [Insecure Deserialization] VulnerableComponentsLesson, completed
+
+    [Sensitive Data Exposure] MissingFunctionACUsers, usersService
+
+    [Email Redirection] Assignment7, sendPasswordResetLink
+    [Email Redirection] Assignment9, sendPasswordResetLink
+*/
+
+import javax.servlet.http.HttpServletRequest;
+import org.owasp.webgoat.plugin.introduction.SqlInjectionLesson5a;
+import org.owasp.webgoat.plugin.introduction.SqlInjectionLesson5b;
+import org.owasp.webgoat.plugin.introduction.SqlInjectionLesson6a;
+import org.owasp.webgoat.plugin.mitigation.SqlInjectionLesson12a;
+import org.owasp.webgoat.plugin.advanced.SqlInjectionChallenge;
+import org.owasp.webgoat.plugin.challenge5.challenge6.Assignment5;
+import org.owasp.webgoat.plugin.challenge6.Assignment6;
+import org.owasp.webgoat.plugin.CrossSiteScriptingLesson5a;
+import org.owasp.webgoat.plugin.challenge3.Assignment3;
+import org.owasp.webgoat.plugin.SimpleXXE;
+import org.owasp.webgoat.plugin.ContentTypeAssignment;
+import org.owasp.webgoat.plugin.BlindSendFileAssignment;
+import org.owasp.webgoat.plugin.VulnerableComponentsLesson;
+import org.owasp.webgoat.plugin.MissingFunctionACUsers;
+import org.cprover.CProver;
+
+public class Main {
+
+    static String makeTainted(String accountName) {
+        return accountName;
+    }
+
+    public static void main(String[] args) {
+        // [Sql Injection]
+
+        SqlInjectionLesson5a(args);
+        SqlInjectionLesson5b(args);
+        SqlInjectionLesson6a(args);
+        SqlInjectionLesson12a(args);
+        SqlInjectionChallenge(args);
+        Assignment5(args);
+        Assignment6(args);
+
+        // [XSS]
+
+        // CrossSiteScriptingLesson5a(args);
+
+        // [XXE]
+
+        // Assignment3(args);
+        SimpleXXE(args);
+        // ContentTypeAssignment(args);
+        BlindSendFileAssignment(args);
+
+        // [Remaining]
+
+        // VulnerableComponentsLesson(args);
+        // MissingFunctionACUsers(args);
+    }
+
+    public static void SqlInjectionLesson5a(String[] args) {
+        // WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5a.java
+        String test = makeTainted("dave");
+        SqlInjectionLesson5a obj = CProver.nondetWithNull();
+        obj.completed(test);
+    }
+
+    public static void SqlInjectionLesson5b(String[] args) {
+        // WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5b.java
+        String test = makeTainted("dave");
+        SqlInjectionLesson5b obj = CProver.nondetWithNull();
+        try {
+            obj.completed(test, null);
+        }
+        catch(java.io.IOException e) {
+        }
+    }
+
+    public static void SqlInjectionLesson6a(String[] args) {
+        // WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6a.java
+        String test = makeTainted(args[0]);
+        SqlInjectionLesson6a obj = CProver.nondetWithNull();
+        try {
+            obj.completed(test);
+        }
+        catch(java.io.IOException e) {
+        }
+    }
+
+    public static void SqlInjectionLesson12a(String[] args) {
+        // WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12a.java
+        String arg0 = makeTainted(args[0]);
+        SqlInjectionLesson12a obj = CProver.nondetWithNull();
+        try {
+            obj.completed(arg0);
+        }
+        catch(Exception e) {
+        }
+    }
+
+    public static void SqlInjectionChallenge(String[] args) {
+        // WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallenge.java
+        String arg0 = makeTainted(args[0]);
+        String arg1 = makeTainted(args[1]);
+        String arg2 = makeTainted(args[2]);
+        SqlInjectionChallenge obj = CProver.nondetWithNull();
+        try {
+            obj.registerNewUser(arg0, arg1, arg2);
+        }
+        catch(Exception e) {
+        }
+    }
+
+    public static void Assignment5(String[] args) {
+        // WebGoat/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge5/challenge6/Assignment5.java
+        String arg0 = makeTainted(args[0]);
+        String arg1 = makeTainted(args[1]);
+        Assignment5 obj = CProver.nondetWithNull();
+        try {
+            obj.login(arg0, arg1);
+        }
+        catch(Exception e) {
+        }
+    }
+
+    public static void Assignment6(String[] args) {
+        // WebGoat/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge6/Assignment6.java
+        String arg0 = makeTainted(args[0]);
+        String arg1 = makeTainted(args[1]);
+        String arg2 = makeTainted(args[2]);
+        Assignment6 obj = CProver.nondetWithNull();
+        try {
+            obj.registerNewUser(arg0, arg1, arg2);
+        }
+        catch(Exception e) {
+        }
+    }
+
+    public static void CrossSiteScriptingLesson5a(String[] args) {
+        // WebGoat/webgoat-lessons/cross-site-scripting/src/main/java/org/owasp/webgoat/plugin/CrossSiteScriptingLesson5a.java
+        String arg0 = makeTainted(args[0]);
+        CrossSiteScriptingLesson5a obj = CProver.nondetWithNull();
+        try {
+            obj.completed(1, 2, 3, 4, arg0, 5, null);
+        }
+        catch(Exception e) {
+        }
+    }
+
+    public static void Assignment3(String[] args) {
+        // WebGoat/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/plugin/challenge3/Assignment3.java
+        String arg0 = makeTainted(args[0]);
+        String arg1 = makeTainted(args[1]);
+        Assignment3 obj = CProver.nondetWithNull();
+        try {
+            obj.createNewComment(arg0, arg1);
+        }
+        catch(Exception e) {
+        }
+    }
+
+    public static void SimpleXXE(String[] args) {
+        // WebGoat/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/SimpleXXE.java
+        String arg0 = makeTainted(args[0]);
+        SimpleXXE obj = CProver.nondetWithNull();
+        try {
+            obj.createNewComment(arg0);
+        }
+        catch(Exception e) {
+        }
+    }
+
+    public static void ContentTypeAssignment(String[] args) {
+        // WebGoat/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/ContentTypeAssignment.java
+        String arg0 = makeTainted(args[0]);
+        String arg1 = args[1];
+        ContentTypeAssignment obj = CProver.nondetWithNull();
+        try {
+            obj.createNewUser(arg0, arg1);
+        }
+        catch(Exception e) {
+        }
+    }
+
+    public static void BlindSendFileAssignment(String[] args) {
+        // WebGoat/webgoat-lessons/xxe/src/main/java/org/owasp/webgoat/plugin/BlindSendFileAssignment.java
+        String arg0 = makeTainted(args[0]);
+        BlindSendFileAssignment obj = CProver.nondetWithNull();
+        try {
+            obj.addComment(arg0);
+        }
+        catch(Exception e) {
+        }
+    }
+
+    public static void VulnerableComponentsLesson(String[] args) {
+        // WebGoat/webgoat-lessons/vulnerable-components/src/main/java/org/owasp/webgoat/plugin/VulnerableComponentsLesson.java
+        String arg0 = makeTainted(args[0]);
+        VulnerableComponentsLesson obj = CProver.nondetWithNull();
+        try {
+            obj.completed(arg0);
+        }
+        catch(Exception e) {
+        }
+    }
+
+    public static void MissingFunctionACUsers(String[] args) {
+        // WebGoat/webgoat-lessons/missing-function-ac/src/main/java/org/owasp/webgoat/plugin/MissingFunctionACUsers.java
+        HttpServletRequest arg0 = CProver.nondetWithNull();
+        MissingFunctionACUsers obj = CProver.nondetWithNull();
+        try {
+            obj.usersService(arg0);
+        }
+        catch(Exception e) {
+        }
+    }
+
+}
diff --git a/benchmarks/GENUINE/WebGoat_files/pom.xml b/benchmarks/GENUINE/WebGoat_files/pom.xml
@@ -0,0 +1,65 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <groupId>__MAIN__</groupId>
+    <artifactId>__MAIN__</artifactId>
+    <packaging>jar</packaging>
+
+    <parent>
+        <groupId>org.owasp.webgoat</groupId>
+        <artifactId>webgoat-parent</artifactId>
+        <version>8.0.0.M3</version>
+    </parent>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.owasp.webgoat.lesson</groupId>
+            <artifactId>sql-injection</artifactId>
+            <version>${project.version}</version>
+            <scope>provided</scope>
+            <type>jar</type>
+        </dependency>
+        <dependency>
+            <groupId>org.owasp.webgoat.lesson</groupId>
+            <artifactId>challenge</artifactId>
+            <version>${project.version}</version>
+            <scope>provided</scope>
+            <type>jar</type>
+        </dependency>
+        <dependency>
+            <groupId>org.owasp.webgoat.lesson</groupId>
+            <artifactId>cross-site-scripting</artifactId>
+            <version>${project.version}</version>
+            <scope>provided</scope>
+            <type>jar</type>
+        </dependency>
+        <dependency>
+            <groupId>org.owasp.webgoat.lesson</groupId>
+            <artifactId>xxe</artifactId>
+            <version>${project.version}</version>
+            <scope>provided</scope>
+            <type>jar</type>
+        </dependency>
+        <dependency>
+            <groupId>org.owasp.webgoat</groupId>
+            <artifactId>webgoat-container</artifactId>
+            <version>${project.version}</version>
+            <scope>provided</scope>
+            <type>jar</type>
+        </dependency>
+        <dependency>
+            <groupId>org.owasp.webgoat.lesson</groupId>
+            <artifactId>vulnerable-components</artifactId>
+            <version>${project.version}</version>
+            <scope>provided</scope>
+            <type>jar</type>
+        </dependency>
+        <dependency>
+            <groupId>org.owasp.webgoat.lesson</groupId>
+            <artifactId>missing-function-ac</artifactId>
+            <version>${project.version}</version>
+            <scope>provided</scope>
+            <type>jar</type>
+        </dependency>
+    </dependencies>
+</project>
