package org.owasp.webgoat.plugin;

import com.gargoylesoftware.htmlunit.html.HtmlForm;
import java.io.File;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.html.Form;
import org.apache.ecs.html.H1;
import org.apache.ecs.html.IMG;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.P;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.LessonAdapter;
import org.owasp.webgoat.session.DatabaseUtilities;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession;

/* loaded from: input_file:WebGoat.war:plugin_lessons/malicious-file-execution-1.0.jar:org/owasp/webgoat/plugin/MaliciousFileExecution.class */
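/**
 * WebGoat training lesson "Malicious File Execution": an image-upload form whose upload
 * handling is deliberately unsafe.
 *
 * <p>The deliberate weakness is in how uploads are stored. Each file is written under the
 * {@code uploads} directory inside the web application root, under the name the client
 * supplied, with no restriction on extension or content type. A file stored there is
 * served by the container like any other resource of the application, which is what the
 * lesson's hints walk the student through. That behaviour is preserved here on purpose.
 *
 * <p>Do not copy this upload handling into real code. A production upload endpoint should
 * store files outside the web root, assign a server-generated file name, allowlist the
 * accepted extensions and content types, and serve the files through a handler that never
 * hands them to a script or JSP engine.
 *
 * <p>Everything that is <em>not</em> part of the lesson is written defensively: SQL is
 * parameterized (the uploaded file name is client-controlled and used to be concatenated
 * into the statements), and JDBC statements are closed after use.
 */
public class MaliciousFileExecution extends LessonAdapter {
    /** Directory, relative to the web application root, that receives uploaded files. */
    private static final String UPLOADS_RELATIVE_PATH = "uploads";

    /** Directory, relative to the web application root, that holds the per-user proof files. */
    private static final String TARGET_RELATIVE_PATH = "mfe_target";

    private static final Integer DEFAULT_RANKING = Integer.valueOf(75);

    /** Real path of the web application root, always ending in {@link File#separator}; set lazily. */
    private String uploads_and_target_parent_directory = null;

    /**
     * Resolves the web application root, creates the upload and target directories and
     * removes any stale proof file of the current user.
     *
     * @param webSession current session; supplies the servlet context and the user name
     */
    private void fill_uploads_and_target_parent_directory(WebSession webSession) {
        // ServletContext.getRealPath may return null when the container cannot map the
        // path to the file system; that case is not handled here.
        this.uploads_and_target_parent_directory = webSession.getContext().getRealPath("/");
        if (!this.uploads_and_target_parent_directory.endsWith(File.separator)) {
            this.uploads_and_target_parent_directory += File.separator;
        }
        System.out.println("uploads_and_target_parent_directory set to = " + this.uploads_and_target_parent_directory);
        // Best effort: mkdir()/delete() results are ignored, the directories may already exist.
        new File(this.uploads_and_target_parent_directory + UPLOADS_RELATIVE_PATH).mkdir();
        new File(this.uploads_and_target_parent_directory + TARGET_RELATIVE_PATH).mkdir();
        new File(targetFilePath(webSession)).delete();
    }

    /** Runs the one-time directory setup if it has not happened yet for this lesson instance. */
    private void ensureDirectories(WebSession webSession) {
        if (this.uploads_and_target_parent_directory == null) {
            fill_uploads_and_target_parent_directory(webSession);
        }
    }

    /**
     * Builds the absolute path of the file whose existence marks the lesson as solved.
     * Must only be called once the parent directory has been resolved.
     * NOTE(review): the user name is used as a path component unchanged; this assumes
     * user names cannot contain path separators - confirm against the user store.
     */
    private String targetFilePath(WebSession webSession) {
        return this.uploads_and_target_parent_directory + TARGET_RELATIVE_PATH + File.separator
                + webSession.getUserName() + ".txt";
    }

    /** Closes a JDBC statement (and with it any result set it produced), ignoring failures. */
    private static void closeQuietly(Statement statement) {
        if (statement == null) {
            return;
        }
        try {
            statement.close();
        } catch (SQLException ignored) {
            // Nothing useful can be done if closing fails; the work is already finished.
        }
    }

    /**
     * Renders the lesson body: the user's current image (if any) and the upload controls.
     * Marks the lesson as completed when the user's proof file exists.
     *
     * @param webSession current session
     * @return the rendered elements; on failure, whatever was added before the error
     */
    @Override
    public Element createContent(WebSession webSession) {
        ensureDirectories(webSession);
        ElementContainer elementContainer = new ElementContainer();
        PreparedStatement query = null;
        try {
            if (new File(targetFilePath(webSession)).exists()) {
                makeSuccess(webSession);
            }
            Connection connection = DatabaseUtilities.getConnection(webSession);
            elementContainer.addElement(new H1().addElement("WebGoat Image Storage"));
            elementContainer.addElement(new P().addElement("Your current image:"));
            // Bound parameter instead of string concatenation; same scroll/concurrency
            // settings as before (1004 / 1007).
            query = connection.prepareStatement(
                    "SELECT image_relative_url FROM mfe_images WHERE user_name = ?",
                    ResultSet.TYPE_SCROLL_INSENSITIVE,
                    ResultSet.CONCUR_READ_ONLY);
            query.setString(1, webSession.getUserName());
            ResultSet rows = query.executeQuery();
            if (rows.next()) {
                // The stored URL is derived from a client-supplied file name.
                String imageUrl = rows.getString(1);
                elementContainer.addElement(new IMG(imageUrl).setBorder(0).setHspace(0).setVspace(0));
                System.out.println("Found image named: " + imageUrl);
            } else {
                elementContainer.addElement(new P().addElement("No image uploaded"));
                System.out.println("No image uploaded");
            }
            elementContainer.addElement(new P().addElement("Upload a new image:"));
            elementContainer.addElement(new Input(Input.FILE, "myfile", ""));
            elementContainer.addElement(ECSFactory.makeButton("Start Upload"));
        } catch (Exception e) {
            webSession.setMessage("Error generating " + getClass().getName());
            e.printStackTrace();
        } finally {
            closeQuietly(query);
        }
        return elementContainer;
    }

    @Override
    protected Category getDefaultCategory() {
        return Category.MALICIOUS_EXECUTION;
    }

    /**
     * Returns the lesson hints, ordered from the vaguest to the full solution. The last
     * hint embeds the current user's proof-file path, with backslashes doubled so that it
     * is a valid Java string literal on Windows paths.
     *
     * @param webSession current session
     * @return the hints as HTML fragments
     */
    @Override
    protected List<String> getHints(WebSession webSession) {
        ensureDirectories(webSession);
        String proofPath = targetFilePath(webSession);
        List<String> hints = new ArrayList<String>();
        hints.add("Where are uploaded images stored?  Can you browse to them directly?");
        hints.add("NOTE: To see completion of the lesson, you will need to eventually open the uploaded file (separate tab will make life easier) and navigate back to this page and reload it.");
        hints.add("What type of file can you upload to a J2EE server that will be executed when you browse to it?");
        hints.add("You want to upload a .jsp file that creates an instance of the class java.io.File  and calls the createNewFile() method of that instance.");
        hints.add("Below are some helpful links...<br><br>Here is a page with an example of a simple .jsp file using a Scriptlet:<br><a href=\"http://www.jsptut.com/Scriptlets.jsp\">http://www.jsptut.com/Scriptlets.jsp</a><br><br>Here is an page with an example of using createNewFile():<br><a href=\"http://www.roseindia.net/java/example/java/io/CreateFile.shtml\">http://www.roseindia.net/java/example/java/io/CreateFile.shtml</a><br><br>Here is the API specification for java.io.File:<br><a href=\"http://java.sun.com/j2se/1.5.0/docs/api/java/io/File.html\">http://java.sun.com/j2se/1.5.0/docs/api/java/io/File.html</a>");
        hints.add("Here is an example .jsp file, modify it to use java.io.File and its createNewFile() method:<br><br>&lt;HTML&gt;<br>&lt;%<br>java.lang.String hello = new java.lang.String(\"Hello World!\");<br>System.out.println(hello);<br>%&gt;<br>&lt;/HTML&gt;<br><br>NOTE: executing this file will print \"Hello World!\" to the Tomcat Console, not to your client browser");
        hints.add("SOLUTION:<br><br>Upload a file with a .jsp extension and this content:<br><br>&lt;HTML&gt;<br>&lt;%<br>java.io.File file = new java.io.File(\"" + proofPath.replace("\\", "\\\\") + "\");<br>file.createNewFile();<br>%&gt;<br>&lt;/HTML&gt;<br><br>After you have uploaded your jsp file, you can get the system to execute it by opening it in your browser at the URL below (or by just refreshing this page):<br><br>http://webgoat_ip:port/WebGoat/" + UPLOADS_RELATIVE_PATH + "/yourfilename.jsp");
        return hints;
    }

    @Override
    public String getSubmitMethod() {
        return "POST";
    }

    /**
     * Resets the lesson for the current user: removes the proof file and the user's row
     * in {@code mfe_images}. Uploaded files themselves are left in place.
     *
     * @param webSession current session
     */
    public void restartLesson(WebSession webSession) {
        ensureDirectories(webSession);
        System.out.println("Restarting Malicious File Execution lesson for user " + webSession.getUserName());
        new File(targetFilePath(webSession)).delete();
        PreparedStatement delete = null;
        try {
            delete = DatabaseUtilities.getConnection(webSession)
                    .prepareStatement("DELETE FROM mfe_images WHERE user_name = ?");
            delete.setString(1, webSession.getUserName());
            delete.executeUpdate();
        } catch (SQLException e) {
            e.printStackTrace();
        } finally {
            closeQuietly(delete);
        }
    }

    /**
     * Returns the lesson instructions, including the absolute path of the proof file the
     * student has to create.
     *
     * @param webSession current session
     * @return the instructions as an HTML fragment
     */
    @Override
    public String getInstructions(WebSession webSession) {
        ensureDirectories(webSession);
        return "The form below allows you to upload an image which will be displayed on this page.  Features like this are often found on web based discussion boards and social networking sites.  This feature is vulnerable to Malicious File Execution.<br><br>In order to pass this lesson, upload and run a malicious file.  In order to prove that your file can execute, it should create another file named:<br><br> " + targetFilePath(webSession) + "<br><br>Once you have created this file, you will pass the lesson.";
    }

    @Override
    protected Integer getDefaultRanking() {
        return DEFAULT_RANKING;
    }

    @Override
    public String getTitle() {
        return "Malicious File Execution";
    }

    /**
     * Processes a request: stores any uploaded files, then renders the lesson form.
     * Any exception is logged to standard output and the form is not rendered.
     *
     * @param webSession current session
     */
    @Override
    public void handleRequest(WebSession webSession) {
        ensureDirectories(webSession);
        try {
            if (ServletFileUpload.isMultipartContent(webSession.getRequest())) {
                DiskFileItemFactory diskFileItemFactory = new DiskFileItemFactory();
                diskFileItemFactory.setSizeThreshold(500000);
                for (FileItem fileItem : new ServletFileUpload(diskFileItemFactory).parseRequest(webSession.getRequest())) {
                    if (!fileItem.isFormField()) {
                        storeUpload(webSession, fileItem);
                    }
                }
            }
            Form uploadForm = new Form(getFormAction(), "POST").setName(HtmlForm.TAG_NAME).setEncType("multipart/form-data");
            uploadForm.addElement(createContent(webSession));
            setContent(uploadForm);
        } catch (Exception e) {
            System.out.println("Exception caught: " + e);
            e.printStackTrace(System.out);
        }
    }

    /**
     * Writes one uploaded file into the uploads directory and records it as the user's image.
     *
     * <p>The only validation is the rejection of names containing a path separator. The
     * missing extension and content-type checks are the lesson's deliberate weakness and
     * are intentionally not added here.
     *
     * @param webSession current session
     * @param fileItem the uploaded (non form-field) item
     * @throws Exception if writing the file or updating the database fails
     */
    private void storeUpload(WebSession webSession, FileItem fileItem) throws Exception {
        String fileName = fileItem.getName();
        if (fileName == null || fileName.length() == 0) {
            // Form submitted without a file: previously the write below targeted the
            // uploads directory itself, failed, and the page was never rendered.
            return;
        }
        if (fileName.contains("/") || fileName.contains("\\")) {
            System.out.println("Uploaded file contains a / or \\ (i.e. attempted directory traversal).  Not storing file.");
            webSession.setMessage("Directory traversal not allowed.  Nice try though.");
            return;
        }

        String storedPath = this.uploads_and_target_parent_directory + UPLOADS_RELATIVE_PATH + File.separator + fileName;
        fileItem.write(new File(storedPath));
        System.out.println("Stored file:\n" + storedPath);

        String userName = webSession.getUserName();
        String imageUrl = UPLOADS_RELATIVE_PATH + "/" + fileName;
        Connection connection = DatabaseUtilities.getConnection(webSession);
        PreparedStatement update = null;
        PreparedStatement insert = null;
        try {
            // fileName is client-controlled, so it is bound as a parameter and never
            // spliced into the SQL text.
            update = connection.prepareStatement("UPDATE mfe_images SET image_relative_url = ? WHERE user_name = ?");
            update.setString(1, imageUrl);
            update.setString(2, userName);
            System.out.println("Updating row:\n" + userName + " -> " + imageUrl);
            if (update.executeUpdate() == 0) {
                // No existing row for this user yet: create it.
                insert = connection.prepareStatement("INSERT INTO mfe_images VALUES (?, ?)");
                insert.setString(1, userName);
                insert.setString(2, imageUrl);
                System.out.println("Inserting row:\n" + userName + " -> " + imageUrl);
                insert.executeUpdate();
            }
        } finally {
            closeQuietly(insert);
            closeQuietly(update);
        }
    }
}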
