Merge branch 'main' into pixeebot/drip-2024-01-26-pixee-java/harden-x…

…mlinputfactory

pom.xml

@@ -147,7 +147,7 @@
     <!-- do not update necessary for lesson -->
     <zxcvbn.version>1.5.2</zxcvbn.version>
     <versions.java-security-toolkit-xstream>1.0.2</versions.java-security-toolkit-xstream>
-    <versions.java-security-toolkit>1.1.1</versions.java-security-toolkit>
+    <versions.java-security-toolkit>1.1.3</versions.java-security-toolkit>
   </properties>
 
   <dependencyManagement>

src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/PasswordResetLink.java

@@ -1,5 +1,6 @@
 package org.owasp.webgoat.lessons.challenges.challenge7;
 
+import java.security.SecureRandom;
 import java.util.Random;
 
 /**
@@ -11,7 +12,7 @@
 public class PasswordResetLink {
 
   public String createPasswordReset(String username, String key) {
-    Random random = new Random();
+    Random random = new SecureRandom();
     if (username.equalsIgnoreCase("admin")) {
       // Admin has a fix reset link
       random.setSeed(key.length());

src/main/java/org/owasp/webgoat/lessons/cryptography/EncodingAssignment.java

@@ -22,6 +22,7 @@
 
 package org.owasp.webgoat.lessons.cryptography;
 
+import java.security.SecureRandom;
 import java.util.Base64;
 import java.util.Random;
 import javax.servlet.http.HttpServletRequest;
@@ -49,7 +50,7 @@ public String getBasicAuth(HttpServletRequest request) {
     String username = request.getUserPrincipal().getName();
     if (basicAuth == null) {
       String password =
-          HashingAssignment.SECRETS[new Random().nextInt(HashingAssignment.SECRETS.length)];
+          HashingAssignment.SECRETS[new SecureRandom().nextInt(HashingAssignment.SECRETS.length)];
       basicAuth = getBasicAuth(username, password);
       request.getSession().setAttribute("basicAuth", basicAuth);
     }

src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java

@@ -24,6 +24,7 @@
 
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 import java.util.Random;
 import javax.servlet.http.HttpServletRequest;
 import javax.xml.bind.DatatypeConverter;
@@ -50,7 +51,7 @@ public String getMd5(HttpServletRequest request) throws NoSuchAlgorithmException
     String md5Hash = (String) request.getSession().getAttribute("md5Hash");
     if (md5Hash == null) {
 
-      String secret = SECRETS[new Random().nextInt(SECRETS.length)];
+      String secret = SECRETS[new SecureRandom().nextInt(SECRETS.length)];
 
       MessageDigest md = MessageDigest.getInstance("MD5");
       md.update(secret.getBytes());
@@ -68,7 +69,7 @@ public String getSha256(HttpServletRequest request) throws NoSuchAlgorithmExcept
 
     String sha256 = (String) request.getSession().getAttribute("sha256");
     if (sha256 == null) {
-      String secret = SECRETS[new Random().nextInt(SECRETS.length)];
+      String secret = SECRETS[new SecureRandom().nextInt(SECRETS.length)];
       sha256 = getHash(secret, "SHA-256");
       request.getSession().setAttribute("sha256Hash", sha256);
       request.getSession().setAttribute("sha256Secret", secret);

src/main/java/org/owasp/webgoat/lessons/csrf/CSRFGetFlag.java

@@ -22,6 +22,7 @@
 
 package org.owasp.webgoat.lessons.csrf;
 
+import java.security.SecureRandom;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Random;
@@ -56,13 +57,13 @@ public Map<String, Object> invoke(HttpServletRequest req) {
 
     if (referer.equals("NULL")) {
       if ("true".equals(req.getParameter("csrf"))) {
-        Random random = new Random();
+        Random random = new SecureRandom();
         userSessionData.setValue("csrf-get-success", random.nextInt(65536));
         response.put("success", true);
         response.put("message", pluginMessages.getMessage("csrf-get-null-referer.success"));
         response.put("flag", userSessionData.getValue("csrf-get-success"));
       } else {
-        Random random = new Random();
+        Random random = new SecureRandom();
         userSessionData.setValue("csrf-get-success", random.nextInt(65536));
         response.put("success", true);
         response.put("message", pluginMessages.getMessage("csrf-get-other-referer.success"));
@@ -73,7 +74,7 @@ public Map<String, Object> invoke(HttpServletRequest req) {
       response.put("message", "Appears the request came from the original host");
       response.put("flag", null);
     } else {
-      Random random = new Random();
+      Random random = new SecureRandom();
       userSessionData.setValue("csrf-get-success", random.nextInt(65536));
       response.put("success", true);
       response.put("message", pluginMessages.getMessage("csrf-get-other-referer.success"));

src/main/java/org/owasp/webgoat/lessons/deserialization/InsecureDeserializationTask.java

@@ -22,6 +22,7 @@
 
 package org.owasp.webgoat.lessons.deserialization;
 
+import io.github.pixee.security.ObjectInputFilters;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InvalidClassException;
@@ -56,6 +57,7 @@ public AttackResult completed(@RequestParam String token) throws IOException {
 
     try (ObjectInputStream ois =
         new ObjectInputStream(new ByteArrayInputStream(Base64.getDecoder().decode(b64token)))) {
+      ObjectInputFilters.enableObjectFilterIfUnprotected(ois);
       before = System.currentTimeMillis();
       Object o = ois.readObject();
       if (!(o instanceof VulnerableTaskHolder)) {

src/main/java/org/owasp/webgoat/lessons/deserialization/SerializationHelper.java

@@ -1,5 +1,6 @@
 package org.owasp.webgoat.lessons.deserialization;
 
+import io.github.pixee.security.ObjectInputFilters;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.DataOutputStream;
@@ -16,6 +17,7 @@ public class SerializationHelper {
   public static Object fromString(String s) throws IOException, ClassNotFoundException {
     byte[] data = Base64.getDecoder().decode(s);
     ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data));
+    ObjectInputFilters.enableObjectFilterIfUnprotected(ois);
     Object o = ois.readObject();
     ois.close();
     return o;

src/main/java/org/owasp/webgoat/lessons/hijacksession/cas/HijackSessionAuthenticationProvider.java

@@ -23,6 +23,7 @@
 
 package org.owasp.webgoat.lessons.hijacksession.cas;
 
+import java.security.SecureRandom;
 import java.time.Instant;
 import java.util.LinkedList;
 import java.util.Queue;
@@ -45,7 +46,7 @@
 public class HijackSessionAuthenticationProvider implements AuthenticationProvider<Authentication> {
 
   private Queue<String> sessions = new LinkedList<>();
-  private static long id = new Random().nextLong() & Long.MAX_VALUE;
+  private static long id = new SecureRandom().nextLong() & Long.MAX_VALUE;
   protected static final int MAX_SESSIONS = 50;
 
   private static final DoublePredicate PROBABILITY_DOUBLE_PREDICATE = pr -> pr < 0.75;

src/main/java/org/owasp/webgoat/lessons/jwt/JWTSecretKeyEndpoint.java

@@ -27,6 +27,7 @@
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.SignatureAlgorithm;
 import io.jsonwebtoken.impl.TextCodec;
+import java.security.SecureRandom;
 import java.time.Instant;
 import java.util.Calendar;
 import java.util.Date;
@@ -54,7 +55,7 @@ public class JWTSecretKeyEndpoint extends AssignmentEndpoint {
     "victory", "business", "available", "shipping", "washington"
   };
   public static final String JWT_SECRET =
-      TextCodec.BASE64.encode(SECRETS[new Random().nextInt(SECRETS.length)]);
+      TextCodec.BASE64.encode(SECRETS[new SecureRandom().nextInt(SECRETS.length)]);
   private static final String WEBGOAT_USER = "WebGoat";
   private static final List<String> expectedClaims =
       List.of("iss", "iat", "exp", "aud", "sub", "username", "Email", "Role");