From 154ab958010beb328ada2f6fb4704677db3e8504 Mon Sep 17 00:00:00 2001
From: ts <thomashaw@localhost.localdomain>
Date: Wed, 10 Jul 2019 12:33:32 +0100
Subject: [PATCH 1/3] vulnerabilities/unix/webapp/onlinestore: token table flag
 fix

---
 .../unix/webapp/onlinestore/templates/csecvm.sql.erb           | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/modules/vulnerabilities/unix/webapp/onlinestore/templates/csecvm.sql.erb b/modules/vulnerabilities/unix/webapp/onlinestore/templates/csecvm.sql.erb
index b7c894fb4..60401d52e 100644
--- a/modules/vulnerabilities/unix/webapp/onlinestore/templates/csecvm.sql.erb
+++ b/modules/vulnerabilities/unix/webapp/onlinestore/templates/csecvm.sql.erb
@@ -151,7 +151,7 @@ DROP TABLE IF EXISTS `token`;
 /*!40101 SET @saved_cs_client     = @@character_set_client */;
 /*!40101 SET character_set_client = utf8 */;
 CREATE TABLE `token` (
-  `token` varchar(256) DEFAULT NULL
+  `token` text DEFAULT NULL
 ) ENGINE=MyISAM DEFAULT CHARSET=latin1;
 /*!40101 SET character_set_client = @saved_cs_client */;
 
@@ -161,7 +161,6 @@ CREATE TABLE `token` (
 
 LOCK TABLES `token` WRITE;
 /*!40000 ALTER TABLE `token` DISABLE KEYS */;
-INSERT INTO `token` VALUES ('f46659047894a919ab5f43c3338811e6');
 /*!40000 ALTER TABLE `token` ENABLE KEYS */;
 UNLOCK TABLES;
 

From fff21105589c3bafd34cb0d7ee2cdc04ea4db92a Mon Sep 17 00:00:00 2001
From: ts <thomashaw@localhost.localdomain>
Date: Wed, 10 Jul 2019 14:47:23 +0100
Subject: [PATCH 2/3] post_provision_tests: fix for if the module name is in
 the path, we still get the correct json file.

---
 lib/objects/post_provision_test.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lib/objects/post_provision_test.rb b/lib/objects/post_provision_test.rb
index 99e4c9041..a7351f4c0 100644
--- a/lib/objects/post_provision_test.rb
+++ b/lib/objects/post_provision_test.rb
@@ -111,7 +111,10 @@ class PostProvisionTest
   def get_json_inputs
     json_inputs_path = "#{File.expand_path('../', self.module_path)}/secgen_functions/files/json_inputs/*"
     json_inputs_files = Dir.glob(json_inputs_path)
-    json_inputs_files.delete_if {|path| !path.include?(self.module_name)}
+    json_inputs_files.delete_if do |path|
+      end_path = path.split('/')[-1]
+      !end_path.include?(self.module_name)
+    end
     if json_inputs_files.size > 0
       return JSON.parse(Base64.strict_decode64(File.read(json_inputs_files.first)))
     end

From c80a7a155898b531a0fab4be0f6d3b1da2b88745 Mon Sep 17 00:00:00 2001
From: ts <thomashaw@localhost.localdomain>
Date: Wed, 10 Jul 2019 14:49:37 +0100
Subject: [PATCH 3/3] vulnerabilities/unix/webapp/onlinestore: token table flag
 fix

---
 .../unix/webapp/onlinestore/files/mysql_setup.sh               | 3 +--
 .../unix/webapp/onlinestore/manifests/install.pp               | 2 +-
 .../unix/webapp/onlinestore/templates/csecvm.sql.erb           | 1 +
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/vulnerabilities/unix/webapp/onlinestore/files/mysql_setup.sh b/modules/vulnerabilities/unix/webapp/onlinestore/files/mysql_setup.sh
index 8e158345f..06fc2362c 100644
--- a/modules/vulnerabilities/unix/webapp/onlinestore/files/mysql_setup.sh
+++ b/modules/vulnerabilities/unix/webapp/onlinestore/files/mysql_setup.sh
@@ -2,11 +2,10 @@
 
 USERNAME=${1}
 PASSWORD=${2}
-token=${3}
 
 echo "CREATE USER '${USERNAME}'@'localhost' IDENTIFIED BY '${PASSWORD}';"| mysql --force
 echo "GRANT ALL PRIVILEGES ON * . * TO '${USERNAME}'@'localhost';"| mysql --force
 echo "CREATE DATABASE csecvm;"| mysql --user=${USERNAME} --password=${PASSWORD} --force
 mysql --force --user=${USERNAME} --password=${PASSWORD} csecvm < ./csecvm.sql
 
-echo "USE csecvm; INSERT INTO token VALUES ('${token}');" |  mysql --force --user=${USERNAME} --password=${PASSWORD}
\ No newline at end of file
+echo "USE csecvm;" |  mysql --force --user=${USERNAME} --password=${PASSWORD}
\ No newline at end of file
diff --git a/modules/vulnerabilities/unix/webapp/onlinestore/manifests/install.pp b/modules/vulnerabilities/unix/webapp/onlinestore/manifests/install.pp
index 8cc7d0041..2a89f5328 100644
--- a/modules/vulnerabilities/unix/webapp/onlinestore/manifests/install.pp
+++ b/modules/vulnerabilities/unix/webapp/onlinestore/manifests/install.pp
@@ -83,7 +83,7 @@ class onlinestore::install {
 
   exec { 'setup_mysql':
     cwd     => "/tmp",
-    command => "sudo ./mysql_setup.sh $db_username $db_password $db_flag",
+    command => "sudo ./mysql_setup.sh $db_username $db_password",
     path    => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ],
     notify => Exec['create_command_injection_flag'],
   }
diff --git a/modules/vulnerabilities/unix/webapp/onlinestore/templates/csecvm.sql.erb b/modules/vulnerabilities/unix/webapp/onlinestore/templates/csecvm.sql.erb
index 60401d52e..ea056e36d 100644
--- a/modules/vulnerabilities/unix/webapp/onlinestore/templates/csecvm.sql.erb
+++ b/modules/vulnerabilities/unix/webapp/onlinestore/templates/csecvm.sql.erb
@@ -161,6 +161,7 @@ CREATE TABLE `token` (
 
 LOCK TABLES `token` WRITE;
 /*!40000 ALTER TABLE `token` DISABLE KEYS */;
+INSERT INTO token VALUES ('<%= @db_flag -%>');
 /*!40000 ALTER TABLE `token` ENABLE KEYS */;
 UNLOCK TABLES;