Feature/command line tests

.mvn/jvm.config

@@ -1,2 +1,3 @@
 --add-exports=jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED
+--add-opens java.base/java.lang=ALL-UNNAMED
 

examplescripts_configfiles/sample.xml

@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<TestSuite name="benchmark" version="1.3">
+    <TestCase Category="crypto" DataflowFile="" Name="BenchmarkTest00001" NotAutoverifiable="The Crypto test cases do not return any value in the response that can be used to automatically verify whether the attack worked or not." SinkFile="CipherGetInstance-S4.code" SourceFile="RequestGetCookies.code" SourceUIType="post_getCookies" TemplateFile="/Users/David.H.Anderson/git/Generator/codeblocks/templates/_NoDataflowTemplate.code" UITemplateFile="/Users/David.H.Anderson/git/Generator/codeblocks/uitemplates/UI_HTML_post_getCookies.code" Configuration="HttpClientConfig" Vulnerable="false">
+        <Input type="HttpGet">
+            <url value="https://localhost:8443/benchmark/pathtraver-00/BenchmarkTest00001" />
+            <getParams>
+                <getParam safeName="BenchmarkTest00001" safeValue="someSecret" attackValue="anotherSensitiveValue" />
+            </getParams>
+        </Input>
+        <Setup class="HttpClientConfig" />
+    </TestCase>
+    <TestCase AttackSuccess="conf&amp;#x2f;tomcat-users.xml" Category="pathtraver" DataflowFile="" Name="BenchmarkTest00002" SinkFile="FileOutputStream-F.code" SourceFile="RequestGetCookies.code" SourceUIType="post_getCookies" TemplateFile="/Users/David.H.Anderson/git/Generator/codeblocks/templates/_NoDataflowTemplate.code" BodyFormat="Json" UITemplateFile="/Users/David.H.Anderson/git/Generator/codeblocks/uitemplates/UI_HTML_post_getCookies.code" Configuration="HttpClientConfig" Vulnerable="true">
+        <Input type="HttpPost">
+            <url value="https://localhost:8443/benchmark/pathtraver-00/BenchmarkTest00002" />
+            <cookies>
+                <cookie safeName="BenchmarkTest00002" safeValue="someSecret" attackValue="anotherSensitiveValue" />
+            </cookies>
+            <content format="Json" />
+        </Input>
+        <Setup class="HttpClientConfig" />
+    </TestCase>
+    <TestCase AttackSuccess="conf&amp;#x2f;tomcat-users.xml" Category="sqli" DataflowFile="" Name="BenchmarkTest00003" SinkFile="FileOutputStream-F.code" SourceFile="HibernateResultSet.code" SourceUIType="sql_resultset" TemplateFile="/Users/David.H.Anderson/git/Generator/codeblocks/templates/_NoDataflowTemplate.code" UITemplateFile="/Users/David.H.Anderson/git/Generator/codeblocks/uitemplates/UI_HTML_sql_resultset.code" Configuration="HibernateDatabaseConfig" Vulnerable="true">
+        <Input type="CliArg">
+            <command value="benchmark-python.py -t BenchmarkTest00003" />
+            <args>
+                <arg safeName="BenchmarkTest00003" safeValue="someSecret" attackValue="anotherSensitiveValue" />
+            </args>
+        </Input>
+        <Setup class="Sqlite3Config" script="BenchmarkTest00003.sql" />
+    </TestCase>
+</TestSuite>

library/pom.xml

@@ -12,13 +12,76 @@
         <version>1.3</version>
     </parent>
 
+    <dependencies>
+
+        <dependency>
+            <groupId>commons-lang</groupId>
+            <artifactId>commons-lang</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>com.google.guava</groupId>
+            <artifactId>guava</artifactId>
+        </dependency>
+
+        <!-- dependency>
+            <groupId>org.eclipse.persistence</groupId>
+            <artifactId>org.eclipse.persistence.core</artifactId>
+            <version>2.7.14</version>
+            </dependency -->
+
+        <dependency>
+            <groupId>org.eclipse.persistence</groupId>
+            <artifactId>org.eclipse.persistence.moxy</artifactId>
+            <version>2.7.14</version>
+        </dependency>
+
+        <dependency>
+            <groupId>javax.validation</groupId>
+            <artifactId>validation-api</artifactId>
+            <version>2.0.1.Final</version>
+        </dependency>
+
+        <dependency>
+            <groupId>javax.xml.bind</groupId>
+            <artifactId>jaxb-api</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.httpcomponents.client5</groupId>
+            <artifactId>httpclient5</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.httpcomponents.core5</groupId>
+            <artifactId>httpcore5</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.eclipse.persistence</groupId>
+            <artifactId>org.eclipse.persistence.core</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>xml-apis</groupId>
+            <artifactId>xml-apis</artifactId>
+        </dependency>
+
+    </dependencies>
+
     <build>
         <finalName>benchmarkutils</finalName>
 
         <resources>
             <resource>
                 <directory>${basedir}/src/main/resources</directory>
             </resource>
+            <resource>
+                <directory>${basedir}/src/main/java</directory>
+                <excludes>
+                    <exclude>**/*.java</exclude>
+                </excludes>
+            </resource>
         </resources>
 
     </build>

library/src/main/java/org/owasp/benchmarkutils/entities/CliArgExecutableTestCaseInput.java

@@ -0,0 +1,130 @@
+/**
+ * OWASP Benchmark Project
+ *
+ * <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For
+ * details, please see <a
+ * href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
+ *
+ * <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ * <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * @author David Anderson
+ * @created 2024
+ */
+package org.owasp.benchmarkutils.entities;
+
+import java.util.ArrayList;
+import java.util.List;
+import javax.validation.constraints.NotNull;
+import javax.xml.bind.Marshaller;
+import javax.xml.bind.Unmarshaller;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlElementWrapper;
+import org.eclipse.persistence.oxm.annotations.XmlDiscriminatorValue;
+
+@XmlDiscriminatorValue("CliArg")
+// @XmlType(name = "CliArgExecutableTestCaseInput")
+public class CliArgExecutableTestCaseInput extends ExecutableTestCaseInput {
+
+    List<RequestVariable> args;
+
+    void beforeMarshal(Marshaller marshaller) {
+        //        System.out.println("Before marshal");
+        if (args != null && args.isEmpty()) args = null;
+    }
+
+    void afterUnmarshal(Unmarshaller unmarshaller, Object parent) {
+        //        System.out.println("After unmarshal");
+        if (args == null) args = new ArrayList<RequestVariable>();
+    }
+
+    @XmlElementWrapper(name = "args")
+    @XmlElement(name = "arg", required = true)
+    @NotNull
+    public List<RequestVariable> getArgs() {
+        return args;
+    }
+
+    public void setArgs(List<RequestVariable> args) {
+        // Copy the given list so setSafe() does not affect other CliArgExecutableTestCaseInput
+        // objects.
+        this.args = new ArrayList<>(args);
+    }
+
+    public void addArg(RequestVariable arg) {
+        if (this.args == null) {
+            this.args = new ArrayList<>();
+        }
+        this.args.add(arg);
+    }
+
+    public CliRequest buildAttackRequest() {
+        //		ArrayList<String> executeArgs = new ArrayList<>();
+        //		// FIXME: This will break if the command string has arguments that contain spaces.
+        //		executeArgs.addAll(Arrays.asList(getCommand().split(" ")));
+        //		executeArgs.addAll(getArgs());
+        ArrayList<RequestVariable> argsCopy = new ArrayList<>();
+        for (RequestVariable arg : args) {
+            RequestVariable argCopy = new RequestVariable(arg);
+            argCopy.setSafe(false);
+            argsCopy.add(argCopy);
+        }
+        return new CliRequest(getCommand(), argsCopy, null);
+    }
+
+    public CliRequest buildSafeRequest() {
+        ArrayList<RequestVariable> argsCopy = new ArrayList<>();
+        for (RequestVariable arg : args) {
+            RequestVariable argCopy = new RequestVariable(arg);
+            argCopy.setSafe(true);
+            argsCopy.add(argCopy);
+        }
+        return new CliRequest(getCommand(), argsCopy, null);
+    }
+
+    public void setSafe(boolean isSafe) {
+        //        this.isSafe = isSafe;
+        for (RequestVariable arg : getArgs()) {
+            // setSafe() considers whether attack and safe values exist for this parameter before
+            // setting isSafe true or false. So you don't have to check that here.
+            arg.setSafe(isSafe);
+        }
+    }
+
+    //    @Override
+    //    public String toString() {
+    //        return this.getClass().getSimpleName() + " [args=" + getArgs() + "]";
+    //    }
+    @Override
+    public String toString() {
+        return this.getClass().getSimpleName()
+                + "["
+                + "command="
+                + getCommand()
+                + ", args="
+                + getArgs()
+                + "]";
+    }
+
+    //    public void execute() {
+    //        List<String> executeArgs = Arrays.asList(getCommand());
+    //
+    //        //          crawlArgs.extend([arg1])
+    //        //          child = pexpect.spawn("python", cwd=TEST_SUITE_DIR, args=crawlArgs)
+    //        //          child.logfile = sys.stdout
+    //        //          child.expect(pexpect.EOF)
+    //        //          child.close()
+    //        //          print("Return code: %d" % child.exitstatus)
+    //
+    //        executeArgs.add(getPayload());
+    //        ProcessBuilder builder = new ProcessBuilder(executeArgs);
+    //        final Process process = builder.start();
+    //        int exitValue = process.waitFor();
+    //        System.out.printf("Program terminated with return code: %s%n", exitValue);
+    //    }
+
+}

library/src/main/java/org/owasp/benchmarkutils/entities/CliFileExecutableTestCaseInput.java

@@ -0,0 +1,87 @@
+/**
+ * OWASP Benchmark Project
+ *
+ * <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project For
+ * details, please see <a
+ * href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
+ *
+ * <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
+ * of the GNU General Public License as published by the Free Software Foundation, version 2.
+ *
+ * <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ * PURPOSE. See the GNU General Public License for more details.
+ *
+ * @author David Anderson
+ * @created 2024
+ */
+package org.owasp.benchmarkutils.entities;
+
+import java.util.List;
+import javax.validation.constraints.NotNull;
+import javax.xml.bind.annotation.XmlElement;
+import org.eclipse.persistence.oxm.annotations.XmlDiscriminatorValue;
+
+@XmlDiscriminatorValue("CliFile")
+public class CliFileExecutableTestCaseInput extends ExecutableTestCaseInput {
+
+    List<RequestVariable> fileArgs;
+
+    @XmlElement(name = "fileArg", required = true)
+    @NotNull
+    public List<RequestVariable> getFileArgs() {
+        return fileArgs;
+    }
+
+    public CliRequest buildAttackRequest() {
+        //		ArrayList<String> executeArgs = new ArrayList<>();
+        //		// FIXME: This will break if the command string has arguments that contain spaces.
+        //		executeArgs.addAll(Arrays.asList(getCommand().split(" ")));
+        //		executeArgs.addAll(getArgs());
+
+        setSafe(false);
+        return new CliRequest(getCommand(), getFileArgs(), null);
+    }
+
+    public CliRequest buildSafeRequest() {
+        setSafe(true);
+        return new CliRequest(getCommand(), getFileArgs(), null);
+    }
+
+    public void setSafe(boolean isSafe) {
+        //        this.isSafe = isSafe;
+        for (RequestVariable arg : getFileArgs()) {
+            // setSafe() considers whether attack and safe values exist for this parameter before
+            // setting isSafe true or false. So you don't have to check that here.
+            arg.setSafe(isSafe);
+        }
+    }
+
+    //    public void execute() {
+    //        List<String> executeArgs = Arrays.asList(getCommand());
+    //
+    //        File argsFile = new File(TEST_SUITE_DIR, "args_file.txt");
+    //
+    //        //      args_file = 'args_file.txt'
+    //        //      with open(TEST_SUITE_DIR + args_file, 'w') as f:
+    //        //          f.write(arg1)
+    //        //      crawlArgs.extend([args_file])
+    //        //      child = pexpect.spawn("python", cwd=TEST_SUITE_DIR, args=crawlArgs)
+    //        //      child.logfile = sys.stdout
+    //        //      child.expect(pexpect.EOF)
+    //        //      child.close()
+    //        //      print("Return code: %d" % child.exitstatus)
+    //
+    //        executeArgs.add(getPayload());
+    //        executeArgs.add("-f");
+    //        executeArgs.add(argsFile.getPath());
+    //        try (PrintWriter writer = new PrintWriter(new FileWriter(argsFile))) {
+    //            writer.print(getPayload());
+    //        }
+    //
+    //        ProcessBuilder builder = new ProcessBuilder(executeArgs);
+    //        final Process process = builder.start();
+    //        int exitValue = process.waitFor();
+    //        System.out.printf("Program terminated with return code: %s%n", exitValue);
+    //    }
+}