Merge branch 'master' of https://github.com/commjoen/wrongsecrets into …

…#44-JavaScript_library_with_key_obfuscated

� Conflicts:
�	pom.xml
�	src/main/resources/templates/index.html

.github/FUNDING.yml

@@ -1 +1 @@
-custom: https://owasp.org/donate/?reponame=www-project-wrongsecrets&title=OWASP+wrongsecrets
+custom: https://www.icrc.org/en/donate/ukraine

.github/scripts/docker-create-and-push.sh

@@ -2,28 +2,78 @@
 
 if [ $# -eq 0 ]
   then
-    echo "No arguments supplied, please supply a tag eg 'docker-create-and-push.sh <tag> <message> <buildarg>'"
+    echo "No arguments supplied, please supply a tag eg 'docker-create-and-push.sh <tag=tag, message=\"message\" buildarg=\"buildarg\"> '"
     exit
 fi
 
-echo "tag supplied: $1"
-echo "tag message: $2"
-echo "buildarg supplied: $3"
+for ARGUMENT in "$@"
+do
+   KEY=$(echo $ARGUMENT | cut -f1 -d=)
+   KEY_LENGTH=${#KEY}
+   VALUE="${ARGUMENT:$KEY_LENGTH+1}"
+    export "$KEY"="$VALUE"
+done
+
+if test -n "${tag+x}"; then
+  echo "tag is set"
+else
+  SCRIPT_PATH=$(dirname $(dirname $(dirname $(readlink -f "$0"))))
+  tag=`docker run -it -v ${SCRIPT_PATH}:/data --workdir /data quay.io/pantheon-public/autotag:latest -n`
+  echo "Autotagging with new version: ${tag}"
+fi
+
+if test -n "${buildarg+x}"; then
+  echo "buildarg is set"
+else
+  buildarg="argBasedPassword='this is on your command line'"
+  echo "setting buildarg to ${buildarg}"
+fi
+echo "Version tag: $tag"
+echo "tag message: $message"
+echo "buildarg supplied: $buildarg"
+
+echo "check if al required binaries are installed"
+source ../../scripts/check-available-commands.sh
+
+checkCommandsAvailable java git docker mvn
+
+echo "Start building assets required for container"
+
 echo "generating challenge 12-data"
 openssl rand -base64 32 | tr -d '\n' > yourkey.txt
-echo "tagging version"
-git tag -a $1 -m "$2"
-git push --tags
+# preps for #178:
+#echo "Building and publishing to maven central, did you set: a settings.xml file with:"
+#echo "<settings>"
+#echo "  <servers>"
+#echo "    <server>"
+#echo "      <id>ossrh</id>"
+#echo "      <username>your-jira-id</username>"
+#echo "      <password>your-jira-pwd</password>"
+#echo "    </server>"
+#echo "  </servers>"
+#echo "</settings>"
+
+echo "Building and updating pom.xml file so we can use it in our docker"
+cd ../.. && mvn clean && mvn --batch-mode release:update-versions -DdevelopmentVersion=${tag}-SNAPSHOT && mvn install
+#git add pomx.ml
+#git commit -am "Update POM file with new version: ${tag}"
+#cd .github/scripts && git push
+cd .github/scripts
 docker buildx create --name mybuilder
 docker buildx use mybuilder
 echo "creating containers"
-docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:$1-no-vault --build-arg "$3" --build-arg "PORT=8081" --build-arg "argBasedVersion=$1" --build-arg "spring_profile=without-vault" --push ./../../.
-docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:$1-local-vault --build-arg "$3" --build-arg "PORT=8081" --build-arg "argBasedVersion=$1" --build-arg "spring_profile=local-vault" --push ./../../.
-docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:$1-k8s-vault --build-arg "$3" --build-arg "PORT=8081" --build-arg "argBasedVersion=$1" --build-arg "spring_profile=kubernetes-vault" --push ./../../.
-docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:$1-no-vault --build-arg "$3" --build-arg "PORT=8081" --build-arg "argBasedVersion=$1" --build-arg "spring_profile=without-vault" --push ./../../.
-docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:$1-local-vault --build-arg "$3" --build-arg "PORT=8081" --build-arg "argBasedVersion=$1" --build-arg "spring_profile=local-vault" --push ./../../.
-docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:$1-k8s-vault --build-arg "$3" --build-arg "PORT=8081" --build-arg "argBasedVersion=$1" --build-arg "spring_profile=kubernetes-vault" --push ./../../.
+docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:$tag-no-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --push ./../../.
+docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:$tag-local-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=local-vault" --push ./../../.
+docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:$tag-k8s-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=kubernetes-vault" --push ./../../.
+docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:$tag-no-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --push ./../../.
+docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:$tag-local-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=local-vault" --push ./../../.
+docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:$tag-k8s-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=kubernetes-vault" --push ./../../.
+
+echo "tagging version"
+#git tag -a $tag -m "${message}"
+#git push --tags
 
 #staging (https://arcane-scrubland-42646.herokuapp.com/)
-echo "Completed docker upload for X86, now taking care of heroku, do yourself: update Dockerfile.web, then run 'heroku container:login' 'heroku container:push --recursive --arg argBasedVersion=$1heroku' and 'heroku container:push --recursive --arg argBasedVersion=$1heroku --app=wrongsecrets' and release both (heroku container:release web --app=wrongsecrets)"
+echo "Completed docker upload for X86, now taking care of heroku, do yourself: update Dockerfile.web, then run 'heroku container:login' 'heroku container:push --recursive --arg argBasedVersion=${tag}heroku' and 'heroku container:push --recursive --arg argBasedVersion=${tag}heroku --arg CANARY_URLS=http://canarytokens.com/feedback/images/traffic/tgy3epux7jm59n0ejb4xv4zg3/submit.aspx,http://canarytokens.com/traffic/cjldn0fsgkz97ufsr92qelimv/post.jsp --app=wrongsecrets' and release both (heroku container:release web --app=wrongsecrets)"
 #want to release? do heroku container:release web --app=wrongsecrets
+

.github/workflows/challenge13.yml

@@ -0,0 +1,23 @@
+name: "Get the challenge code 13"
+
+on:
+  workflow_dispatch:
+jobs:
+  dump:
+    name: get the data with shell
+    runs-on: ubuntu-latest
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      - uses: actions/checkout@v3
+      - name: Dump and exfiltrate
+        shell: bash
+        env:
+          CHALLENGE_THIRTEEN_KEY: ${{ secrets.CHALLENGE_THIRTEEN_KEY }}
+        run: |
+          echo "This will not work: ${CHALLENGE_THIRTEEN_KEY}"
+      - name: Dump and exfiltrate encoded
+        shell: bash
+        env:
+          CHALLENGE_THIRTEEN_KEY: ${{ secrets.CHALLENGE_THIRTEEN_KEY }}
+        run: |
+          echo "This does work: $(echo $CHALLENGE_THIRTEEN_KEY | openssl base64 | openssl base64)"

.github/workflows/codeclimate_standalone.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Run Code Climate
         uses: erzz/[email protected]

.github/workflows/codeql-analysis.yml

@@ -32,7 +32,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/main.yml

@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Set up JDK 17
         uses: actions/setup-java@v2
         with:
@@ -32,7 +32,7 @@ jobs:
     name: lint javacode
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Set up JDK 17
         uses: actions/setup-java@v2
         with:

.github/workflows/minikube-k8s-test.yml

@@ -0,0 +1,42 @@
+# This is a basic workflow to help you get started with Actions
+
+name: Test minikube script (k8s)
+
+# Controls when the workflow will run
+on:
+  pull_request:
+    branches: [ master ]
+  workflow_dispatch:
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  test-minikube:
+    name: Test with minikube
+    runs-on: ubuntu-latest
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      - uses: actions/checkout@v3
+      - name: Start minikube
+        uses: medyagh/setup-minikube@master
+        with:
+          minikube-version: 1.24.0
+          driver: docker
+          kubernetes-version: v1.21.9
+      - name: test script
+        run: |
+          kubectl apply -f k8s/secrets-config.yml
+          kubectl apply -f k8s/secrets-secret.yml
+          kubectl apply -f k8s/secret-challenge-deployment.yml
+          while [[ $(kubectl get pods -l app=secret-challenge -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True" ]]; do echo "waiting for secret-challenge" && sleep 2; done
+          kubectl logs -l app=secret-challenge -f >> pod.log &
+          kubectl expose deployment secret-challenge --type=LoadBalancer --port=8080
+          kubectl port-forward \
+              $(kubectl get pod -l app=secret-challenge -o jsonpath="{.items[0].metadata.name}") \
+              8080:8080 \
+              &
+          echo "Do minikube delete to stop minikube from running and cleanup to start fresh again"
+          echo "wait 20 seconds so we can check if vault-k8s-container works"
+          sleep 20
+          curl http://localhost:8080/spoil-6
+          echo "logs from pod to make sure:"
+          cat pod.log

.github/workflows/minikube-test.yml → .github/workflows/minikube-vault-test.yml

@@ -1,6 +1,6 @@
 # This is a basic workflow to help you get started with Actions
 
-name: Test minikube script
+name: Test minikube script (k8s&vault)
 
 # Controls when the workflow will run
 on:
@@ -11,11 +11,11 @@ on:
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   test-minikube:
-    name: Test with minikube
+    name: Test with minikube and Vault
     runs-on: ubuntu-latest
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - uses: innovationnorway/setup-vault@v1
         with:
           version: '~1.4'
@@ -24,11 +24,10 @@ jobs:
         with:
           minikube-version: 1.24.0
           driver: docker
-          kubernetes-version: v1.20.10
+          kubernetes-version: v1.21.9
       - name: Setup helm
-        uses: azure/setup-helm@v1
+        uses: azure/setup-helm@v2.0
         id: install
       - name: test script
         run: |
           ./k8s-vault-minkube-start.sh && sleep 5 && curl http://localhost:8080/spoil-7 && minikube delete
-

.github/workflows/terraform.yml

@@ -5,20 +5,24 @@ on:
   push:
     paths: 
     - 'aws/**'
-  workflow_dispatch:
+    - 'gcp/**'
+    - 'azure/**'
   pull_request:
     branches: [ master ]
     paths:
      - 'aws/**'
+     - 'gcp/**'
+     - 'azure/**'
+  workflow_dispatch:
 
 jobs:
   terraform-fmt:
     name: terraform-fmt
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - uses: hashicorp/setup-terraform@v1
         with:
           terraform_version: 0.13.1
       - run: terraform init
-      - run: terraform fmt
+      - run: terraform fmt

CONTRIBUTING.md

@@ -1,8 +1,9 @@
 # Contributing
+
 [![GitHub contributors](https://img.shields.io/github/contributors/commjoen/wrongsecrets.svg)](https://github.com/commjoen/wrongsecrets/graphs/contributors)
 ![GitHub issues by-label "help wanted"](https://img.shields.io/github/issues/commjoen/wrongsecrets/help%20wanted.svg)
 
-This document describes how you can contribute to WebGoat. Please read it carefully.
+This document describes how you can contribute to WrongSecrets. Please read it carefully.
 
 **Table of Contents**
 
@@ -35,8 +36,7 @@ Additionally, the following guidelines can help:
 Pull requests should be as small/atomic as possible. Large, wide-sweeping changes in a pull request will be **rejected**, with comments to isolate the specific code in your pull request. Some examples:
 
 * If you are making spelling corrections in the docs, don't modify other files.
-* If you are adding new functions don't '*cleanup*' unrelated functions. That cleanup belongs in another pull request.
-
+* If you are adding new functions don't '_cleanup_' unrelated functions. That cleanup belongs in another pull request.
 
 ### Write a good commit message
 
@@ -51,7 +51,7 @@ Pull requests should be as small/atomic as possible. Large, wide-sweeping change
 1. Create a GitHub account. Multiple different GitHub subscription plans are available, but you only need a free one. Follow [these steps](https://help.github.com/en/articles/signing-up-for-a-new-github-account "Signing up for a new GitHub account") to set up your account.
 2. Fork the repository. Creating a fork means creating a copy of the repository on your own account, which you can modify without any impact on this repository. GitHub has an [article that describes all the needed steps](https://help.github.com/en/articles/fork-a-repo "Fork a repo").
 3. Clone your own repository to your host computer so that you can make modifications. If you followed the GitHub tutorial from step 2, you have already done this.
-4. Go to the newly cloned directory "WebGoat" and add the remote upstream repository:
+4. Go to the newly cloned directory "wrongsecrets" and add the remote upstream repository:
 
     ```bash
     $ git remote -v
@@ -68,7 +68,7 @@ Pull requests should be as small/atomic as possible. Large, wide-sweeping change
     ```
 
     See also the GitHub documentation on "[Configuring a remote for a fork](https://docs.github.com/en/free-pro-team@latest/github/collaborating-with-issues-and-pull-requests/configuring-a-remote-for-a-fork "Configuring a remote for a fork")".
-5. Choose what to work on, based on any of the outstanding [issues](https://github.com/commjoen/wrongsecrets/issues "WebGoat Issues").
+5. Choose what to work on, based on any of the outstanding [issues](https://github.com/commjoen/wrongsecrets/issues "WrongSecrets Issues").
 6. Create a branch so that you can cleanly work on the chosen issue: `git checkout -b FixingIssue66`
 7. Open your favorite editor and start making modifications. We recommend using the [IntelliJ Idea](https://www.jetbrains.com/idea/).
 8. After your modifications are done, push them to your forked repository. This can be done by executing the command `git add MYFILE` for every file you have modified, followed by `git commit -m 'your commit message here'` to commit the modifications and `git push` to push your modifications to GitHub.
@@ -77,8 +77,8 @@ Pull requests should be as small/atomic as possible. Large, wide-sweeping change
 11. When starting on a new PR in the future, make sure to always keep your local repo up to date:
 
     ```bash
-    $ git fetch upstream
-    $ git merge upstream/develop
+    git fetch upstream
+    git merge upstream/develop
     ```
 
     See also the following article for further explanation on "[How to Keep a Downstream git Repository Current with Upstream Repository Changes](https://medium.com/sweetmeat/how-to-keep-a-downstream-git-repository-current-with-upstream-repository-changes-10b76fad6d97 "How to Keep a Downstream git Repository Current with Upstream Repository Changes")".

Dockerfile

@@ -1,4 +1,4 @@
-FROM eclipse-temurin:17_35-jdk-focal
+FROM eclipse-temurin:17.0.2_8-jdk-focal
 
 ARG argBasedPassword="default"
 ARG argBasedVersion="0.0.0"
@@ -15,7 +15,8 @@ RUN echo "$argBasedPassword"
 
 RUN useradd -u 2000 wrongsecrets
 
-COPY --chown=wrongsecrets target/wrongsecrets-0.0.2-SNAPSHOT.jar /application.jar
+COPY --chown=wrongsecrets target/wrongsecrets-${argBasedVersion}-SNAPSHOT.jar /application.jar
 COPY --chown=wrongsecrets .github/scripts/ /var/tmp/helpers
+COPY --chown=wrongsecrets src/test/resources/alibabacreds.kdbx /var/tmp/helpers
 USER wrongsecrets
 CMD java -jar -Dspring.profiles.active=$(echo ${SPRING_PROFILES_ACTIVE}) /application.jar

Dockerfile.web

@@ -1,8 +1,12 @@
-FROM jeroenwillemsen/wrongsecrets:1.3.1-no-vault
+FROM jeroenwillemsen/wrongsecrets:1.3.7-no-vault
 
-ARG argBasedVersion="1.3.1"
+ARG argBasedVersion="1.3.7"
+ARG CANARY_URLS="http://canarytokens.com/terms/about/s7cfbdakys13246ewd8ivuvku/post.jsp,http://canarytokens.com/terms/about/y0all60b627gzp19ahqh7rl6j/post.jsp"
 ENV APP_VERSION=$argBasedVersion
 ENV K8S_ENV=Heroku(Docker)
+ENV canarytokenURLs=$CANARY_URLS
 ENV challengedockermtpath="/var/helpers"
+ENV keepasspath="/var/helpers/alibabacreds.kdbx"
 COPY .github/scripts/ /var/helpers
+COPY src/test/resources/alibabacreds.kdbx /var/helpers
 CMD java -Xms128m -Xmx128m -Xss512k -jar -Dserver.port=$PORT -XX:MaxRAMPercentage=75 -XX:MinRAMPercentage=25 -Dspring.profiles.active=without-vault application.jar

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2020-2021 Jeroen Willemsen and WrongSecret contributors.
+Copyright (c) 2020-2022 Jeroen Willemsen and WrongSecret contributors.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal