- updated springboot version to latest (added missing deps and fixed …

…some imports)

- updated swagger after adding ignore rules for superfluous types
- updated output file name

pom.xml

@@ -14,7 +14,7 @@
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>1.5.6.RELEASE</version>
+		<version>2.5.5</version>
 		<relativePath /> <!-- lookup parent from repository -->
 	</parent>
 
@@ -53,6 +53,13 @@
 			<scope>test</scope>
 		</dependency>
 
+		<dependency>
+			<groupId>junit</groupId>
+			<artifactId>junit</artifactId>
+			<version>4.13.2</version>
+			<scope>test</scope>
+		</dependency>
+
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-thymeleaf</artifactId>
@@ -160,25 +167,26 @@
 		</dependency>
 
 		<dependency>
-			<groupId>io.springfox</groupId>
-			<artifactId>springfox-swagger2</artifactId>
-			<version>2.9.2</version>
+			<groupId>org.javassist</groupId>
+			<artifactId>javassist</artifactId>
+			<version>3.28.0-GA</version>
 		</dependency>
 		<dependency>
-			<groupId>io.springfox</groupId>
-			<artifactId>springfox-core</artifactId>
-			<version>2.9.2</version>
+			<groupId>ognl</groupId>
+			<artifactId>ognl</artifactId>
+			<version>3.2.21</version>
 		</dependency>
+
 		<dependency>
 			<groupId>io.springfox</groupId>
-			<artifactId>springfox-swagger-ui</artifactId>
-			<version>2.9.2</version>
+			<artifactId>springfox-boot-starter</artifactId>
+			<version>3.0.0</version>
 		</dependency>
 
 	</dependencies>
 
 	<build>
-		<finalName>ROOT</finalName>
+		<finalName>eb-apisec</finalName>
 		<plugins>
 			<plugin>
 				<groupId>org.springframework.boot</groupId>

src/main/java/org/t246osslab/easybuggy4sb/Easybuggy4sbApplication.java

@@ -5,7 +5,7 @@
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.builder.SpringApplicationBuilder;
 import org.springframework.boot.web.servlet.ServletRegistrationBean;
-import org.springframework.boot.web.support.SpringBootServletInitializer;
+import org.springframework.boot.web.servlet.support.SpringBootServletInitializer;
 import org.springframework.context.annotation.Bean;
 import org.t246osslab.easybuggy4sb.errors.StackOverflowErrorController;
 

src/main/java/org/t246osslab/easybuggy4sb/SpringFoxConfig.java

@@ -1,9 +1,13 @@
 package org.t246osslab.easybuggy4sb;
 
+import com.fasterxml.classmate.TypeResolver;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.web.servlet.ModelAndView;
 import springfox.documentation.builders.PathSelectors;
 import springfox.documentation.builders.RequestHandlerSelectors;
+import springfox.documentation.schema.AlternateTypeRules;
+import springfox.documentation.schema.WildcardType;
 import springfox.documentation.service.AuthorizationScope;
 import springfox.documentation.service.BasicAuth;
 import springfox.documentation.service.SecurityReference;
@@ -16,6 +20,7 @@
 import springfox.documentation.swagger2.annotations.EnableSwagger2;
 
 import java.util.Arrays;
+import java.util.Locale;
 
 import static org.t246osslab.easybuggy4sb.WebSecurity.AUTH_PATH_SWAGGER_REGEX;
 
@@ -24,14 +29,17 @@
 public class SpringFoxConfig {
 
     @Bean
-    public Docket api() {
+    public Docket api(TypeResolver typeResolver) {
         return new Docket(DocumentationType.SWAGGER_2)
                 .select()
                 .apis(RequestHandlerSelectors.any())
                 .paths(PathSelectors.any())
                 .build()
                 .securitySchemes(Arrays.asList(oauth()))
-                .securityContexts(Arrays.asList(securityContext()));
+                .securityContexts(Arrays.asList(securityContext()))
+                .ignoredParameterTypes(Locale.class)
+                .alternateTypeRules(AlternateTypeRules.newRule(typeResolver.resolve(ModelAndView.class),
+                        typeResolver.resolve(WildcardType.class)));
     }
 
     @Bean

src/main/java/org/t246osslab/easybuggy4sb/core/filters/EncodingFilter.java

@@ -10,7 +10,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import org.springframework.boot.web.filter.OrderedCharacterEncodingFilter;
+import org.springframework.boot.web.servlet.filter.OrderedCharacterEncodingFilter;
 import org.springframework.stereotype.Component;
 
 /**

src/main/java/org/t246osslab/easybuggy4sb/vulnerabilities/OGNLExpressionInjectionController.java

@@ -1,7 +1,11 @@
 package org.t246osslab.easybuggy4sb.vulnerabilities;
 
+import java.lang.reflect.Member;
+import java.lang.reflect.Modifier;
 import java.util.Locale;
+import java.util.Map;
 
+import ognl.AbstractMemberAccess;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.lang.math.NumberUtils;
 import org.springframework.stereotype.Controller;
@@ -24,7 +28,12 @@ public ModelAndView process(@RequestParam(value = "expression", required = false
         setViewAndCommonObjects(mav, locale, "commandinjection");
         Object value = null;
         String errMessage = "";
-        OgnlContext ctx = new OgnlContext();
+        OgnlContext ctx = new OgnlContext(null, null, (new AbstractMemberAccess() {
+            public boolean isAccessible(Map context, Object target, Member member, String propertyName) {
+                int modifiers = member.getModifiers();// 228
+                return Modifier.isPublic(modifiers);// 229
+            }
+        }));
         if (!StringUtils.isBlank(expression)) {
             try {
                 Object expr = Ognl.parseExpression(expression.replaceAll("Math\\.", "@Math@"));

src/main/resources/application.properties

@@ -32,7 +32,7 @@ logging.level.org.springframework.web=INFO
 
 server.port=${port:8080}
 
-server.tomcat.basedir=
+#server.tomcat.basedir=
 server.tomcat.accesslog.enabled=true
 server.tomcat.accesslog.pattern=%t %a "%r" %s (%D ms)
 server.tomcat.accesslog.buffered=false