Showing
16 changed files
with
179 additions
and
30 deletions.
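--- a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge12.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge12.java
@@ -0,0 +1,54 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+
+import lombok.extern.slf4j.Slf4j;
+import org.owasp.wrongsecrets.ScoreCard;
+import org.owasp.wrongsecrets.challenges.Challenge;
+import org.owasp.wrongsecrets.challenges.ChallengeEnvironment;
+import org.owasp.wrongsecrets.challenges.ChallengeNumber;
+import org.owasp.wrongsecrets.challenges.Spoiler;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.stereotype.Component;
+
+import java.nio.file.Files;
+import java.nio.file.Paths;
+
+@Slf4j
+@Component
+@ChallengeNumber("12")
+public class Challenge12 extends Challenge {
+
+
+private String dockerMountPath;
+
+public Challenge12(ScoreCard scoreCard, @Value("${challengedockermtpath}") String dockerMountPath) {
+super(scoreCard, ChallengeEnvironment.DOCKER);
+this.dockerMountPath = dockerMountPath;
+}
+
+@Override
+public Spoiler spoiler() {
+return new Spoiler(getActualData());
+}
+
+@Override
+public boolean answerCorrect(String answer) {
+log.info("challenge 12, actualdata: {}, answer: {}", getActualData(), answer);
+return getActualData().equals(answer);
+}
+
+@Override
+public boolean environmentSupported() {
+return !"if_you_see_this_please_use_docker_instead".equals(getActualData());
+}
+
+
+private String getActualData() {
+try {
+return Files.readString(Paths.get(dockerMountPath, "yourkey.txt"));
+} catch (Exception e) {
+log.warn("Exception during file reading, defaulting to default without cloud environment");
+return "if_you_see_this_please_use_docker_instead";
+}
+}
+}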
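Review bot: `getActualData()` returns the raw file contents, so `answerCorrect` compares the answer against the whole of `yourkey.txt` including any trailing newline (which a shell `echo` would write), and a correct key would then be rejected; `return Files.readString(Paths.get(dockerMountPath, "yourkey.txt")).strip();` avoids that — how the file is generated is not visible in this commit, so confirm against the Dockerfile. The `catch (Exception e)` also discards the cause; `log.warn("Exception during file reading, defaulting to default without cloud environment", e);` keeps it, and narrowing to `IOException` would stop programming errors from being turned into the fallback value. The INFO log in `answerCorrect` prints the actual secret on every guess; if the intended leak path for this challenge is the docker COPY rather than the application log, that line should go, or at least not include the value. `dockerMountPath` is only assigned in the constructor and could be `final`.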
23 changes: 21 additions & 2 deletions
23
src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge8.java
@@ -1,33 +1,52 @@ | ||
package org.owasp.wrongsecrets.challenges.docker; | ||
|
||
|
||
import lombok.extern.slf4j.Slf4j; | ||
import org.owasp.wrongsecrets.ScoreCard; | ||
import org.owasp.wrongsecrets.challenges.Challenge; | ||
import org.owasp.wrongsecrets.challenges.ChallengeEnvironment; | ||
import org.owasp.wrongsecrets.challenges.ChallengeNumber; | ||
import org.owasp.wrongsecrets.challenges.Spoiler; | ||
import org.springframework.stereotype.Component; | ||
|
||
import java.security.SecureRandom; | ||
import java.util.Random; | ||
|
||
@Slf4j | ||
@Component | ||
@ChallengeNumber("8") | ||
public class Challenge8 extends Challenge { | ||
|
||
private final Random secureRandom = new SecureRandom(); | ||
private final String alphabet = "0123456789QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm"; | ||
private String randomValue; | ||
|
||
public Challenge8(ScoreCard scoreCard) { | ||
super(scoreCard, ChallengeEnvironment.DOCKER); | ||
randomValue = generateRandomString(10); | ||
log.info("Initializing challenge 8 with value {}", randomValue); | ||
} | ||
|
||
@Override | ||
public Spoiler spoiler() { | ||
return new Spoiler(Constants.newKey); | ||
return new Spoiler(randomValue); | ||
} | ||
|
||
@Override | ||
public boolean answerCorrect(String answer) { | ||
return Constants.newKey.equals(answer); | ||
return randomValue.equals(answer); | ||
} | ||
|
||
@Override | ||
public boolean environmentSupported() { | ||
return true; | ||
} | ||
|
||
private String generateRandomString(int length) { | ||
StringBuilder builder = new StringBuilder(length); | ||
for (int i = 0; i < length; i++) { | ||
builder.append(alphabet.charAt(secureRandom.nextInt(alphabet.length()))); | ||
} | ||
return new String(builder); | ||
} | ||
} |
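Review bot: The new fields in Challenge8 are typed and scoped more loosely than they are used: `alphabet` never changes and is better stated as `private static final String ALPHABET = "0123456789QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm";`, and `secureRandom` is only ever a `SecureRandom`, so `private final SecureRandom secureRandom = new SecureRandom();` drops the `java.util.Random` import. `randomValue` is assigned once in the constructor and can be `final`. In `generateRandomString`, `return new String(builder);` copies the buffer needlessly — `return builder.toString();` is the idiomatic form.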
@@ -0,0 +1,6 @@ | ||
Challenge 12: Docker COPY and WORKDIR | ||
Sometimes large parts of the local filesystem are copied over to the container so that they are available in the container for the convenience of the author. | ||
|
||
In this challenge, we did some COPY’ing as well and hid a key there. Note that the key changes on every generation of the docker container, so you’d better extract and use it quickly :). | ||
|
||
Try deepfenceio/secretscanning, docker inspect of the image, or just docker exec against a running container. |
@@ -1,4 +1,6 @@ | ||
=== Challenge 8: Generating random values | ||
|
||
Now, let's randomize the secret... Can you find the answer? | ||
How can we use this on the next startup ;-)? | ||
Now, let's randomize the secret at startup... Can you find the answer? | ||
How can we use this on the next startup ;-)? | ||
|
||
Tip: take a look at the logging of the application at startup! |
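--- a/src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge12Test.java
+++ b/src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge12Test.java
@@ -0,0 +1,54 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+import org.assertj.core.api.Assertions;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.junit.jupiter.api.io.TempDir;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.owasp.wrongsecrets.ScoreCard;
+import org.owasp.wrongsecrets.challenges.Spoiler;
+import org.owasp.wrongsecrets.challenges.cloud.Challenge9;
+
+import java.io.File;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+
+@ExtendWith(MockitoExtension.class)
+class Challenge12Test {
+
+@Mock
+private ScoreCard scoreCard;
+
+@Test
+void solveChallenge12WithoutFile(@TempDir Path dir) throws Exception {
+var challenge = new Challenge12(scoreCard, dir.toString());
+
+Assertions.assertThat(challenge.answerCorrect("secretvalueWitFile")).isFalse();
+Assertions.assertThat(challenge.answerCorrect("if_you_see_this_please_use_docker_instead")).isTrue();
+}
+
+@Test
+void solveChallenge12WithMNTFile(@TempDir Path dir) throws Exception {
+var testFile = new File(dir.toFile(), "yourkey.txt");
+var secret = "secretvalueWitFile";
+Files.writeString(testFile.toPath(), secret);
+
+var challenge = new Challenge12(scoreCard, dir.toString());
+
+Assertions.assertThat(challenge.answerCorrect("secretvalueWitFile")).isTrue();
+}
+
+@Test
+void spoilShouldReturnCorrectAnswer(@TempDir Path dir) throws IOException {
+var testFile = new File(dir.toFile(), "yourkey.txt");
+var secret = "secretvalueWitFile";
+Files.writeString(testFile.toPath(), secret);
+
+var challenge = new Challenge12(scoreCard, dir.toString());
+
+Assertions.assertThat(challenge.spoiler()).isEqualTo(new Spoiler("secretvalueWitFile"));
+}
+
+}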
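Review bot: `solveChallenge12WithoutFile` pins that the fallback sentinel `if_you_see_this_please_use_docker_instead` is accepted as a correct answer whenever no key file is mounted, i.e. that the challenge is solvable without the secret outside docker; the check that case actually wants is `Assertions.assertThat(challenge.environmentSupported()).isFalse();`, which is the method the production class exposes for it. The import of `org.owasp.wrongsecrets.challenges.cloud.Challenge9` is unused. The key file can be written as `Files.writeString(dir.resolve("yourkey.txt"), secret);` in both `solveChallenge12WithMNTFile` and `spoilShouldReturnCorrectAnswer`, removing the `File` round-trip and the `java.io.File` import. The first two tests declare `throws Exception` while the third declares `throws IOException`; `IOException` is what `Files.writeString` throws and is enough for all three.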