Create ContactController.java #3

Open
wants to merge 4 commits into
base: main
10 changes: 10 additions & 0 deletions pom.xml
Expand Up @@ -147,6 +147,7 @@
<!-- do not update necessary for lesson -->
<zxcvbn.version>1.5.2</zxcvbn.version>
<versions.java-security-toolkit>1.0.6</versions.java-security-toolkit>
<versions.java-security-toolkit-xstream>1.0.2</versions.java-security-toolkit-xstream>
</properties>

<dependencyManagement>
Expand Down Expand Up @@ -254,6 +255,11 @@
<artifactId>java-security-toolkit</artifactId>
<version>${versions.java-security-toolkit}</version>
</dependency>
<dependency>
<groupId>io.github.pixee</groupId>
<artifactId>java-security-toolkit-xstream</artifactId>
<version>${versions.java-security-toolkit-xstream}</version>
</dependency>
</dependencies>
</dependencyManagement>

Expand Down Expand Up @@ -403,6 +409,10 @@
<groupId>io.github.pixee</groupId>
<artifactId>java-security-toolkit</artifactId>
</dependency>
<dependency>
<groupId>io.github.pixee</groupId>
<artifactId>java-security-toolkit-xstream</artifactId>
</dependency>
</dependencies>

<repositories>
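--- /dev/null
+++ b/ContactController.java
@@ -0,0 +1,56 @@
+package org.owasp.webgoat.vulnerable_components;
+
+
+import com.thoughtworks.xstream.XStream;
+import io.github.pixee.security.xstream.HardeningConverter;
+import java.sql.PreparedStatement;
+import org.owasp.webgoat.LessonDataSource;
+import org.springframework.web.bind.annotation.*;
+
+import java.sql.*;
+
+/** Handle contact management */
+@RestController
+public final class ContactController {
+
+private final LessonDataSource dataSource;
+
+public ContactController(LessonDataSource dataSource) {
+this.dataSource = dataSource;
+}
+
+@GetMapping("/get-contact-phone")
+public @ResponseBody
+String getContactPhone(@RequestParam String userId) throws SQLException {
+// get the phone number from the database
+Connection conn = dataSource.getConnection();
+String sql = "select phone from contacts where userid = ?";
+PreparedStatement statement = conn.prepareStatement(sql);
+statement.setString(1, userId);
+ResultSet rs = statement.execute();
+if(!rs.next()) {
+throw new IllegalArgumentException("invalid contact");
+}
+return rs.getString("phone");
+}
+
+@GetMapping("/update-contact")
+public @ResponseBody
+void updateContact(@RequestBody String xml) throws SQLException {
+// get the xml from our partner to update our contact record
+Connection connection = dataSource.getConnection();
+XStream xstream = new XStream();
+xstream.registerConverter(new HardeningConverter());
+Contact contact = (Contact) xstream.fromXML(xml);
+String sql = "update contacts set phone = ? where userid = ?";
+PreparedStatement stmt = connection.prepareStatement(sql);
+stmt.setString(1, contact.name);
+stmt.setString(2, contact.phone);
+stmt.executeUpdate();
+}
+
+private static class Contact {
+private String name;
+private String phone;
+}
+}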
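Review bot: `updateContact` feeds partner-supplied XML into a default `new XStream()` whose only protection is the registered `HardeningConverter`, a deny-style mitigation for known gadget types; since this endpoint expects exactly one type, it should additionally allow-list it with `xstream.allowTypes(new Class[] {Contact.class})` (available in XStream 1.4.7+; the pom hunk does not show the XStream version) so any other class name in the document is rejected before instantiation. The parameter binding in the same method looks swapped — `contact.name` is bound to the `phone` column and `contact.phone` to the `userid` predicate — which, if `name` is meant to carry the user id, lets a partner document choose which record is overwritten via the phone slot; presumably the phone belongs in slot 1 and the id in slot 2. Neither method closes its `Connection` or `PreparedStatement`, so every call leaks a pooled connection; wrap both in try-with-resources. In `getContactPhone`, `statement.execute()` returns a `boolean`, not a `ResultSet`, so the file does not compile as written — the line should be `ResultSet rs = statement.executeQuery();`. A body-carrying endpoint declared with `@GetMapping` plus `@RequestBody` is also unusual; `@PostMapping` is the conventional choice for a state-changing call.
```java
void updateContact(@RequestBody String xml) throws SQLException {
// get the xml from our partner to update our contact record
XStream xstream = new XStream();
xstream.registerConverter(new HardeningConverter());
// Allow-list: only the one type this endpoint expects may be instantiated from partner XML.
xstream.allowTypes(new Class[] {Contact.class});
Contact contact = (Contact) xstream.fromXML(xml);
String sql = "update contacts set phone = ? where userid = ?";
// try-with-resources: return the pooled connection and statement on every path.
try (Connection connection = dataSource.getConnection();
PreparedStatement stmt = connection.prepareStatement(sql)) {
// NOTE(review): order assumes `name` carries the user id — confirm against the contacts schema.
stmt.setString(1, contact.phone);
stmt.setString(2, contact.name);
stmt.executeUpdate();
}
}
```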