Jeroen Willemsen committed 11 months ago
skipped 4 lines 5 5 on: 6 6 # Allows you to run this workflow manually from the Actions tab 7 7 workflow_dispatch: 8 - 9 - 8 + permissions: 9 + contents: read 10 10 # A workflow run is made up of one or more jobs that can run sequentially or in parallel 11 11 jobs: 12 12 code-quality: skipped 4 lines 17 17 uses: actions/checkout@v3 18 18 19 19 - name: Run Code Climate 20 - uses: erzz/[email protected].4 20 + uses: erzz/[email protected].5 21 21 with: 22 22 html_report: true 23 23 info_threshold: 50 24 24 minor_threshold: 25 25 - major_threshold: 10 25 + major_threshold: 30 26 26 critical_threshold: 5 27 27 blocker_threshold: 1 28 28 skipped 9 lines -
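Review bot: raising `major_threshold` from 10 to 30 in the Code Climate step triples the number of major issues the gate tolerates, and the commit gives no reason for it; if the patch-version bump of the action (`.4` to `.5`) changed how issues are counted, say so in the commit message, otherwise keep the old threshold. The new `permissions: contents: read` block is the right default for this job. Both `actions/checkout@v3` and the third-party `erzz/...` action are referenced by mutable tags; for a workflow that runs on every pull request, pin at least the third-party action to a full commit SHA with the tag in a trailing comment, so a retagged release cannot change what executes on the runner.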
skipped 12 lines 13 13 14 14 on: 15 15 workflow_dispatch: 16 - 16 + push: 17 + branches: 18 + - master 19 + pull_request: 20 + branches: [master] 21 + permissions: 22 + contents: read 17 23 jobs: 18 24 analyze: 19 25 name: Analyze skipped 6 lines 26 32 strategy: 27 33 fail-fast: false 28 34 matrix: 29 - language: [ 'java' ] 35 + language: ["java"] 30 36 # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] 31 37 # Learn more about CodeQL language support at https://git.io/codeql-language-support 32 38 33 39 steps: 34 - - name: Checkout repository 35 - uses: actions/checkout@v3 36 - 37 - # Initializes the CodeQL tools for scanning. 38 - - name: Initialize CodeQL 39 - uses: github/codeql-action/init@v2 40 - with: 41 - languages: ${{ matrix.language }} 42 - # If you wish to specify custom queries, you can do so here or in a config file. 43 - # By default, queries listed here will override any specified in a config file. 44 - # Prefix the list here with "+" to use these queries and those in the config file. 45 - # queries: ./path/to/local/query, your-org/your-repo/queries@main 40 + - name: Checkout repository 41 + uses: actions/checkout@v3 46 42 47 - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). 48 - # If this step fails, then you should remove it and run the build manually (see below) 49 - - name: Autobuild 50 - uses: github/codeql-action/autobuild@v2 43 + # Initializes the CodeQL tools for scanning. 44 + - name: Initialize CodeQL 45 + uses: github/codeql-action/init@v2 46 + with: 47 + languages: ${{ matrix.language }} 48 + # If you wish to specify custom queries, you can do so here or in a config file. 49 + # By default, queries listed here will override any specified in a config file. 50 + # Prefix the list here with "+" to use these queries and those in the config file. 51 + # queries: ./path/to/local/query, your-org/your-repo/queries@main 51 52 52 - # ℹ️ Command-line programs to run using the OS shell. 
53 - # 📚 https://git.io/JvXDl 53 + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). 54 + # If this step fails, then you should remove it and run the build manually (see below) 55 + #- name: Autobuild 56 + # uses: github/codeql-action/autobuild@v2 54 57 55 - # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines 56 - # and modify them (or add more) to build your code if your project 57 - # uses a compiled language 58 + # ℹ️ Command-line programs to run using the OS shell. 59 + # 📚 https://git.io/JvXDl 58 60 59 - #- run: | 60 - # make bootstrap 61 - # make release 61 + # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines 62 + # and modify them (or add more) to build your code if your project 63 + # uses a compiled language 62 64 63 - - name: Perform CodeQL Analysis 64 - uses: github/codeql-action/analyze@v2 65 + #- run: | 66 + # make bootstrap 67 + # make release 68 + - name: Setup Maven Action 69 + uses: "s4u/[email protected]" 70 + with: 71 + java-version: 19 72 + maven-version: 3.8.5 73 + - name: run mvn clean package 74 + run: mvn clean package -Ddependency-check.skip=true -Dmaven.test.skip=true 75 + - name: Perform CodeQL Analysis 76 + uses: github/codeql-action/analyze@v2 65 77 -
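Review bot: `permissions: contents: read` is too narrow for this job: `github/codeql-action/analyze@v2` uploads its SARIF results to code scanning and needs `security-events: write`, so with this block the analyze step will fail to upload on the newly added `push` and `pull_request` triggers. Add:
  permissions:
    contents: read
    security-events: write
Now that the Autobuild step is commented out and the build is done explicitly by `mvn clean package -Ddependency-check.skip=true -Dmaven.test.skip=true`, the retained comment block ("If the Autobuild fails above, remove it and uncomment the following three lines ...") is stale and should go with it. The `s4u/...` Maven setup action is referenced by a version tag rather than a commit SHA, the same supply-chain point as in the other workflows. Most of the rest of the hunk is a whitespace-only re-indentation of the steps, which makes the real change harder to spot; consider keeping formatting-only changes in a separate commit.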
1 + name: DAST with ZAP 2 + 3 + on: 4 + pull_request: 5 + branches: [master] 6 + workflow_dispatch: 7 + 8 + permissions: 9 + contents: read 10 + 11 + jobs: 12 + test-dast: 13 + name: DAST test with ZAP 14 + runs-on: ubuntu-latest 15 + steps: 16 + - uses: actions/checkout@v3 17 + - name: Set up JDK 19 18 + uses: actions/setup-java@v3 19 + with: 20 + java-version: "19" 21 + distribution: "temurin" 22 + - name: Clean install 23 + run: ./mvnw --no-transfer-progress clean install -DskipTests -Ddependency-check.skip -Dcyclonedx.skip=true -Dexec.skip 24 + - name: Start wrongsecrets 25 + run: nohup ./mvnw spring-boot:run -Dspring-boot.run.profiles=without-vault & 26 + - name: ZAP Scan 27 + uses: zaproxy/[email protected] 28 + with: 29 + allow_issue_writing: false 30 + docker_name: "owasp/zap2docker-stable" 31 + target: "http://localhost:8080" 32 + rules_file_name: config/zap/rule-config.tsv 33 + fail_action: true 34 + -
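Review bot: the `Start wrongsecrets` step backgrounds `./mvnw spring-boot:run -Dspring-boot.run.profiles=without-vault &` and the `ZAP Scan` step targets `http://localhost:8080` immediately, with nothing waiting for the application to listen; Spring Boot startup takes tens of seconds, so ZAP may hit a connection-refused target and, with `fail_action: true`, either fail the job spuriously or pass it on an empty scan. Add a readiness wait between the two steps, for example:
  - name: Wait for wrongsecrets
    run: timeout 120 sh -c 'until curl -sf http://localhost:8080/ >/dev/null; do sleep 2; done'
`docker_name: "owasp/zap2docker-stable"` is a floating tag; pin a specific ZAP release (or an image digest) so the rule set and the results are reproducible across runs. `allow_issue_writing: false` together with `contents: read` is a sensible combination for a workflow triggered by `pull_request`.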
1 + name: Pre-commit check 2 + 3 + # Controls when the workflow will run 4 + on: 5 + pull_request: 6 + branches: [master] 7 + workflow_dispatch: 8 + 9 + env: 10 + TF_DOCS_VERSION: v0.16.0 11 + TFSEC_VERSION: v1.27.6 12 + TFLINT_VERSION: v0.41.0 13 + permissions: 14 + contents: read 15 + jobs: 16 + pre-commit: 17 + name: Pre-commit check 18 + runs-on: ubuntu-latest 19 + steps: 20 + - name: Checkout git repository 21 + uses: actions/checkout@v3 22 + - name: Setup python 23 + uses: actions/setup-python@v4 24 + with: 25 + python-version: "3.9" 26 + - uses: actions/setup-node@v3 27 + with: 28 + node-version: 18 29 + cache: "npm" 30 + - uses: actions/setup-java@v3 31 + with: 32 + distribution: 'temurin' 33 + java-version: '19' 34 + - name: Install npm dependencies 35 + run: npm install 36 + - uses: actions/cache@v3 37 + name: Cache plugin dir 38 + with: 39 + path: ~/.tflint.d/plugins 40 + key: ${{ matrix.os }}-tflint-${{ hashFiles('.tflint.hcl') }} 41 + - name: Setup Terraform 42 + uses: hashicorp/setup-terraform@v2 43 + with: 44 + terraform_version: 1.1.7 45 + - name: Setup TFLint 46 + uses: terraform-linters/setup-tflint@v3 47 + with: 48 + tflint_version: ${{env.TFLINT_VERSION}} 49 + - name: Setup Terraform docs 50 + run: | 51 + wget https://github.com/terraform-docs/terraform-docs/releases/download/${{env.TF_DOCS_VERSION}}/terraform-docs-${{env.TF_DOCS_VERSION}}-linux-amd64.tar.gz -O terraform_docs.tar.gz 52 + tar -zxvf terraform_docs.tar.gz terraform-docs 53 + chmod +x terraform-docs 54 + mv terraform-docs /usr/local/bin/ 55 + - name: Setup tfsec 56 + run: | 57 + curl --output tfsec https://github.com/aquasecurity/tfsec/releases/download/${{env.TFSEC_VERSION}}/tfsec-linux-amd64 58 + chmod +x tfsec 59 + mv tfsec /usr/local/bin/ 60 + - name: Pre-commit checks 61 + uses: pre-commit/[email protected] 62 + - name: pre-commit-ci-lite 63 + uses: pre-commit-ci/[email protected] 64 + if: always() 65 + -
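Review bot: the `Setup tfsec` step downloads with `curl --output tfsec https://github.com/aquasecurity/tfsec/releases/download/...` without `-L`; GitHub serves release assets via a redirect, so without `--location` the file written is the redirect response rather than the binary, and the following `chmod +x tfsec` and `mv tfsec /usr/local/bin/` silently install a non-working tool (the `wget` used for terraform-docs follows redirects by default, which is why that step works). Use `curl -fsSL --output tfsec ...`. Neither download verifies a checksum for the pinned `TFSEC_VERSION`/`TF_DOCS_VERSION`; verify the published release checksum before moving the binary onto the PATH. Separately, the cache key `${{ matrix.os }}-tflint-${{ hashFiles('.tflint.hcl') }}` references `matrix.os`, but this job defines no `strategy.matrix`, so the key collapses to `-tflint-<hash>`; use `${{ runner.os }}` instead.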
1 1 # Contributing 2 2 3 - [![GitHub contributors](https://img.shields.io/github/contributors/commjoen/wrongsecrets.svg)](https://github.com/commjoen/wrongsecrets/graphs/contributors) 4 - ![GitHub issues by-label "help wanted"](https://img.shields.io/github/issues/commjoen/wrongsecrets/help%20wanted.svg) 3 + [![GitHub contributors](https://img.shields.io/github/contributors/OWASP/wrongsecrets.svg)](https://github.com/OWASP/wrongsecrets/graphs/contributors) 4 + ![GitHub issues by-label "help wanted"](https://img.shields.io/github/issues/OWASP/wrongsecrets/help%20wanted.svg) 5 5 6 6 This document describes how you can contribute to WrongSecrets. Please read it carefully. 7 7 8 8 **Table of Contents** 9 9 10 - * [How to Contribute to the Project](#how-to-contribute-to-the-project) 11 - * [How to set up your Contributor Environment](#how-to-set-up-your-contributor-environment) 12 - * [How to get your PR Accepted](#how-to-get-your-pr-accepted) 10 + - [How to Contribute to the Project](#how-to-contribute-to-the-project) 11 + - [How to set up your Contributor Environment](#how-to-set-up-your-contributor-environment) 12 + - [How to get your PR Accepted](#how-to-get-your-pr-accepted) 13 + - [Beginner Guide](#beginner-guide) 14 + - [About the Project](#OWASP-WrongSecrets) 15 + - [Prerequisites](#Prerequisites) 16 + - [Pictorial Guide on how to get started with the project in IntelliJ IDEA](#How-to-get-started-with-the-project-in-IntelliJ-IDEA) 17 + - [How to add a Challenge](#how-to-add-a-challenge) 13 18 14 19 ## How to Contribute to the project 15 20 16 21 There are a couple of ways on how you can contribute to the project: 17 22 18 - * **File [issues](https://github.com/commjoen/wrongsecrets/issues "WrongSecret Issues")** for missing content or errors. Explain what you think is missing and give a suggestion as to where it could be added. 19 - * **Create a [pull request (PR)](https://github.com/commjoen/wrongsecrets/pulls "Create a pull request")**. 
This is a direct contribution to the project and may be merged after review. You should ideally [create an issue](https://github.com/commjoen/wrongsecrets/issues "WrongSecret Issues") for any PR you would like to submit, as we can first review the merit of the PR and avoid any unnecessary work. This is of course not needed for small modifications such as correcting typos. 20 - * **Promote us by giving us a Star or share information via social media**. 23 + - **File [issues](https://github.com/OWASP/wrongsecrets/issues "WrongSecret Issues")** for missing content or errors. Explain what you think is missing and give a suggestion as to where it could be added. 24 + - **Create a [pull request (PR)](https://github.com/OWASP/wrongsecrets/pulls "Create a pull request")**. This is a direct contribution to the project and may be merged after review. You should ideally [create an issue](https://github.com/OWASP/wrongsecrets/issues "WrongSecret Issues") for any PR you would like to submit, as we can first review the merit of the PR and avoid any unnecessary work. This is of course not needed for small modifications such as correcting typos. 25 + - **Promote us by giving us a Star or share information via social media**. 21 26 22 27 ## How to get your PR accepted 23 28 24 29 Your PR is valuable to us, and to make sure we can integrate it smoothly, we have a few items for you to consider. In short: 25 30 The minimum requirements for code contributions are: 26 31 27 - 1. The code _must_ be compliant with the configured Checkstyle and PMD rules. 32 + 1. The code _must_ be compliant with the configured pre-commit hooks, and Checkstyle and PMD rules. 28 33 2. All new and changed code _should_ have a corresponding unit and/or integration test. 29 34 3. New and changed lessons _must_ have a corresponding integration test. 30 35 4. 
[Status checks](https://docs.github.com/en/github/collaborating-with-pull-requests/collaborating-on-repositories-with-code-quality-features/about-status-checks) should pass for your last commit. skipped 4 lines 35 40 36 41 Pull requests should be as small/atomic as possible. Large, wide-sweeping changes in a pull request will be **rejected**, with comments to isolate the specific code in your pull request. Some examples: 37 42 38 - * If you are making spelling corrections in the docs, don't modify other files. 39 - * If you are adding new functions don't '_cleanup_' unrelated functions. That cleanup belongs in another pull request. 43 + - If you are making spelling corrections in the docs, don't modify other files. 44 + - If you are adding new functions don't '_cleanup_' unrelated functions. That cleanup belongs in another pull request. 40 45 41 46 ### Write a good commit message 42 47 43 - * Explain why you make the changes. [More infos about a good commit message.](https://betterprogramming.pub/stop-writing-bad-commit-messages-8df79517177d) 44 - 45 - * If you fix an issue with your commit, please close the issue by [adding one of the keywords and the issue number](https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue) to your commit message. 48 + - Make sure your commit message passes the [conventional commit standards](https://www.conventionalcommits.org/en/v1.0.0/) 49 + - Explain why you make the changes. [More info about a good commit message.](https://betterprogramming.pub/stop-writing-bad-commit-messages-8df79517177d) 50 + - If you fix an issue with your commit, please close the issue by [adding one of the keywords and the issue number](https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue) to your commit message. 
46 51 47 - For example: `Fix #545` or `Closes #10` 52 + For example: `Fix #545` or `Closes #10` 48 53 49 54 ## How to set up your Contributor Environment 50 55 skipped 7 lines 58 63 origin [email protected]:<your Github handle>/wrongsecrets.git (fetch) 59 64 origin [email protected]:<your Github handle>/wrongsecrets.git (push) 60 65 61 - $ git remote add upstream [email protected]:commjoen/wrongsecrets.git 66 + $ git remote add upstream [email protected]:OWASP/wrongsecrets.git 62 67 63 68 $ git remote -v 64 69 origin [email protected]:<your Github handle>/wrongsecrets.git (fetch) 65 70 origin [email protected]:<your Github handle>/wrongsecrets.git (push) 66 - upstream [email protected]:commjoen/wrongsecrets.git (fetch) 67 - upstream [email protected]:commjoen/wrongsecrets.git (push) 71 + upstream [email protected]:OWASP/wrongsecrets.git (fetch) 72 + upstream [email protected]:OWASP/wrongsecrets.git (push) 68 73 ``` 69 74 70 75 See also the GitHub documentation on "[Configuring a remote for a fork](https://docs.github.com/en/free-pro-team@latest/github/collaborating-with-issues-and-pull-requests/configuring-a-remote-for-a-fork "Configuring a remote for a fork")". 71 - 5. Choose what to work on, based on any of the outstanding [issues](https://github.com/commjoen/wrongsecrets/issues "WrongSecrets Issues"). 72 - 6. Create a branch so that you can cleanly work on the chosen issue: `git checkout -b FixingIssue66` 76 + 77 + 5. Choose what to work on, based on any of the outstanding [issues](https://github.com/OWASP/wrongsecrets/issues "WrongSecrets Issues"). 78 + 6. Create a branch so that you can cleanly work on the chosen issue: `git checkout -b fix/Issue66` 73 79 7. Open your favorite editor and start making modifications. We recommend using the [IntelliJ Idea](https://www.jetbrains.com/idea/). 74 - 8. After your modifications are done, push them to your forked repository. 
This can be done by executing the command `git add MYFILE` for every file you have modified, followed by `git commit -m 'your commit message here'` to commit the modifications and `git push` to push your modifications to GitHub. 75 - 9. Create a Pull Request (PR) by going to your fork, <https://github.com/Your_Github_Handle/wrongsecrets> and click on the "New Pull Request" button. The target branch should typically be the Master branch. When submitting a PR, be sure to follow the checklist that is provided in the PR template. The checklist itself will be filled out by the reviewer. 76 - 10. Your PR will be reviewed and comments may be given. In order to process a comment, simply make modifications to the same branch as before and push them to your repository. GitHub will automatically detect these changes and add them to your existing PR. 77 - 11. When starting on a new PR in the future, make sure to always keep your local repo up to date: 80 + 8. Install [pre-commit](https://pre-commit.com/#install) the dependencies for our pre-commit configuration to make sure your code complies with standards used in the project. This requires terraform, [terraform-docs](https://github.com/terraform-docs/terraform-docs#installation), [tflint](https://github.com/terraform-linters/tflint#installation), and [commitlint](https://commitlint.js.org/#/guides-local-setup). For commitlint, you need [NodeJS](https://nodejs.org/en/download/) installed, after which you you can use `npm install` in the root folder of this project. 81 + 9. Install the pre-commit hook using `pre-commit install --hook-type commit-msg`. We recommend to run `pre-commit run -a` every so often if you're working on a bigger change. 82 + 10. After your modifications are done, push them to your forked repository. 
This can be done by executing the command `git add MYFILE` for every file you have modified, followed by `git commit -m 'your commit message here'` to commit the modifications and `git push` to push your modifications to GitHub. 83 + 11. Create a Pull Request (PR) by going to your fork, <https://github.com/Your_Github_Handle/wrongsecrets> and click on the "New Pull Request" button. The target branch should typically be the Master branch. When submitting a PR, be sure to follow the checklist that is provided in the PR template. The checklist itself will be filled out by the reviewer. 84 + 12. If something in your git workflow went wrong (and e.g., the precommit hook CI run failed), check out ["O Shit, Git!?!"](https://ohshitgit.com/) to view tips on editing your historical commit message(s), among others. 85 + 13. Your PR will be reviewed and comments may be given. In order to process a comment, simply make modifications to the same branch as before and push them to your repository. GitHub will automatically detect these changes and add them to your existing PR. If pre-commit can auto-fix the issue, it will automatically try to do so by adding a new commit. This new commit can be pulled in with a simple `git pull`, or, if you've already made one or more new commits: `git pull --rebase`. 86 + 14. When starting on a new PR in the future, make sure to always keep your local repo up to date: 78 87 79 88 ```bash 80 89 git fetch upstream skipped 10 lines 91 100 92 101 Although we greatly appreciate any and all contributions to the project, there are a few things that you should take into consideration: 93 102 94 - * The Wrongsecrets project should not be used as a platform for advertisement for commercial tools, companies or individuals. Write-ups should be written with free and open-source tools in mind and commercial tools are typically not accepted, unless as a reference in the security tools section. 
95 - * Unnecessary self-promotion of tools or blog posts is frowned upon. If you have a relation with on of the URLs or tools you are referencing, please state so in the PR so that we can verify that the reference is in line with the rest of the guide. 103 + - The Wrongsecrets project should not be used as a platform for advertisement for commercial tools, companies or individuals. Write-ups should be written with free and open-source tools in mind and commercial tools are typically not accepted, unless as a reference in the security tools section. 104 + - Unnecessary self-promotion of tools or blog posts is frowned upon. If you have a relation with on of the URLs or tools you are referencing, please state so in the PR so that we can verify that the reference is in line with the rest of the guide. 105 + 106 + Please be sure to take a careful look at our [Code of Conduct](https://github.com/OWASP/wrongsecrets/blob/master/CODE_OF_CONDUCT.md) for all the details. 107 + 108 + --- 109 + 110 + # Beginner guide 111 + 112 + ## OWASP WrongSecrets 113 + 114 + [_WrongSecrets_](https://owasp.org/www-project-wrongsecrets/) is an application teaching how to _not_ store secrets by offering challenges to the user, helping the user to Self-reflect and correct those mistakes. 115 + 116 + ## Prerequisites 117 + 118 + 1. **Docker** 119 + [_Docker_](https://www.docker.com/) is a software platform that allows you to build, test, and deploy applications quickly and in a more efficient manner. 120 + 121 + 2. **Node.Js** 122 + [_Node.Js_](https://nodejs.org/en/) is an open-source library and a cross-platform JavaScript **runtime environment** specifically for running web applications outside one's browser. 123 + 124 + 3. **JDK-19** 125 + [_JDK_](https://www.oracle.com/java/technologies/javase/jdk19-archive-downloads.html) is a tool used in development and testing programs written in the Java programming language. 126 + 127 + 4. 
**IntelliJ IDEA** 128 + [_IntelliJ IDEA_](https://www.jetbrains.com/idea/download/#section=windows) is an integrated development environment basically an **IDE** written in Java for developing software written in Java, Kotlin, Groovy etc. 129 + 130 + 5. **GitHub Desktop** 131 + [_GitHub Desktop_](https://desktop.github.com/) is an application that enables you to interact with GitHub using a **GUI** instead of the command line or a web browser. 132 + (_Not Mandatory but is recommended for beginners_) 133 + 134 + --- 135 + 136 + ## How to get started with the project in IntelliJ IDEA 137 + 138 + - 139 + 140 + ### Step 1: Fork the Project. 141 + 142 + Navigate to the landing page of the repository in your web browser and click on the **_Fork_** button on the repository’s home page. 143 + A forked copy of that Git repository will be added to your personal GitHub. 144 + 145 + ![](images/fork-project-1.png) 146 + 147 + - 148 + 149 + ### Step 2: Clone the Project. 150 + 151 + A **clone** is a full copy of a repository, including all logging and versions of files. 152 + To **_clone_** the Project to your local desktop by clicking on the button as shown below. 153 + 154 + ![](images/clone-project-2.png) 155 + 156 + - 157 + 158 + ### Step 3: Open the Project using IntelliJ IDEA 159 + 160 + - **_Open_** the Cloned Project using IntelliJ IDEA by clicking on the button as shown below. 161 + 162 + ![](images/open-project-3.1.png) 163 + 164 + - **Wait** till the Project Loads. 165 + 166 + ![](images/wait-3.2.png) 167 + 168 + 169 + ### Step 4: Setup. 170 + 171 + - Open Settings by pressing **_Ctrl+Alt+S_** 172 + ![](images/open-settings-4.1.png) 173 + 174 + - Follow the path **_IDE settings>Language & Frameworks > Lombok_** and then click on **_Lombok._** 175 + ![](images/lombok-setup-4.2.png) 176 + 177 + - Make sure that the **_Lombok processing_** is enabled. 
178 + ![](images/lombok-processing-4.3.png) 179 + 180 + - Select **_Plugins > Marketplace_** and type 'google-java-format' and restart IntelliJ to install the plugin. 181 + 182 + - Open Settings by pressing **_Ctrl+Alt+S_** 183 + ![](images/open-settings-4.1.png) 184 + 185 + - Select **_google-java-format Settings_** and click enable. 186 + ![](images/open-settings-4.4.png) 187 + 188 + - ### Step 5: Reload the project 189 + 190 + - Open the **_Maven_** Tab 191 + 192 + ![](images/open-maven-5.1.png) 193 + 194 + - Press the **_Reload_** button as shown below and allow the project to Reload. 195 + 196 + ![](images/reload-maven-5.2.png) 197 + 198 + - Further use the **_OWASP WrongSecrets --> Lifecycle --> install_** step to load all the depedencies 199 + 200 + **NOTE:** Indians and other Asia-Pacific countries users may have to use **VPN** if you enounter this exception `org.owasp.dependencycheck.utils.DownloadFailedException: TLS Connection Reset`. 201 + 202 + - 203 + 204 + ### Step 6: Running the Project. 205 + 206 + - Open the **_WrongSecretsApplication_** by following the path **_main>java>org.owasp.wrongsecrets>WrongSecretApplication_**. 207 + ![](images/open-application-6.1.png) 208 + - Press **_Shift+F10_** to run the application, this will open up the **_Run/Debug Configurations Menu._** 209 + ![](images/run-application-6.2.png) 210 + 211 + - ### Step 7: Setting up Configurations. 212 + 213 + - Select **_Edit configuration templates_** then select **_Application_** section. 96 214 97 - Please be sure to take a careful look at our [Code of Conduct](https://github.com/commjoen/wrongsecrets/blob/master/CODE_OF_CONDUCT.md) for all the details. 215 + ![](images/edit-config-7.1.png) 216 + 217 + - There under the **_Application_** section click on the button shown below. 218 + 219 + ![](images/modify-options-7.2.png) 220 + 221 + - **_Select_** all the fields that are Selected in the below picture. 
222 + 223 + ![](images/select-options-7.3.png) 224 + 225 + - **_Fill out_** all the fields as shown below. 226 + 227 + ![](images/fill-fields-7.4.png) 228 + 229 + - Again press **_Shift+F10_** which runs the Application. 230 + 231 + ![](images/run-application-6.2.png) 232 + 233 + - 234 + 235 + ### There you have it, **_WrongSecrets_** running successfully. 236 + 237 + - Here is a _preview_ on how does it look after successfully running the Application. 238 + **Note:** Running the Application doesn't open any kind of **_GUI_**, it only initializes the **_local webserver_** that you can open via a **_browser._** 239 + ![](images/final-output-8.png) 240 + 241 + - Here is the preview of the **web server**, you can try to find the secrets by means of solving the challenge offered at: 242 + [**Challenges**](https://github.com/OWASP/wrongsecrets#basic-docker-exercises) 243 + ![](images/screenshot.png) 244 + 245 + --- 246 + 247 + ## How to add a challenge 248 + 249 + - 250 + 251 + ### Step 1: Creating a new issue. 252 + 253 + First make sure that you have an [Issue](https://github.com/OWASP/wrongsecrets/issues/new) reported for which a challenge is really wanted, And make sure the challenge is assigned to you, as others might be working on the challenge. 254 + 255 + - 256 + 257 + ### Step 2: Adding the challenge. 258 + 259 + Add the **new challenge** in this folder `wrongsecrets/src/main/java/org/owasp/wrongsecrets/challenges/`. 260 + These are the things that you have to keep in mind. 261 + - First and foremost make sure your challenge is coded in **Java**. 262 + - Don't forget to add your challenge number in `@Order(28)` annotation, **_28_** in my case. 
263 + - Here is an example of a possible Challenge 28: 264 + 265 + ```java 266 + package org.owasp.wrongsecrets.challenges.docker; 267 + import lombok.extern.slf4j.Slf4j; 268 + import org.owasp.wrongsecrets.RuntimeEnvironment; 269 + import org.owasp.wrongsecrets.ScoreCard; 270 + import org.owasp.wrongsecrets.challenges.Challenge; 271 + import org.owasp.wrongsecrets.challenges.ChallengeTechnology; 272 + import org.owasp.wrongsecrets.challenges.Spoiler; 273 + import org.springframework.core.annotation.Order; 274 + import org.springframework.stereotype.Component; 275 + import java.util.List; 276 + /** 277 + * Describe what your challenge does 278 + */ 279 + @Slf4j 280 + @Component 281 + @Order(28) //make sure this number is the same as your challenge 282 + public class Challenge28 extends Challenge { 283 + private final String secret; 284 + public Challenge28(ScoreCard scoreCard) { 285 + super(scoreCard); 286 + secret = "hello world"; 287 + } 288 + //is this challenge usable in CTF mode? 289 + @Override 290 + public boolean canRunInCTFMode() { 291 + return true; 292 + } 293 + //return the plain text secret here 294 + @Override 295 + public Spoiler spoiler() { 296 + return new Spoiler(secret); 297 + } 298 + //here you validate if your answer matches the secret 299 + @Override 300 + public boolean answerCorrect(String answer) { 301 + return secret.equals(answer); 302 + } 303 + //which runtime can you use to run the challenge on? (You can just use Docker here) 304 + /** 305 + * {@inheritDoc} 306 + */ 307 + @Override 308 + public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() { 309 + return List.of(RuntimeEnvironment.Environment.DOCKER); 310 + } 311 + //set the difficulty: 1=low, 5=very hard 312 + /** 313 + * {@inheritDoc} 314 + * Difficulty: 1. 315 + */ 316 + @Override 317 + public int difficulty() { 318 + return 1; 319 + } 320 + //on which tech is this challenge? 
See ChallengeTechnology.Tech for categories 321 + /** 322 + * {@inheritDoc} 323 + * Secrets based. 324 + */ 325 + @Override 326 + public String getTech() { 327 + return ChallengeTechnology.Tech.SECRETS.id; 328 + } 329 + //if you use this in a shared environment and need to adapt it, then return true here. 330 + @Override 331 + public boolean isLimittedWhenOnlineHosted() { 332 + return false; 333 + 334 + } 335 + } 336 + ``` 337 + - ### Step 3: Adding Test File. 338 + 339 + Add the **new TestFile** in this folder `wrongsecrets/src/test/java/org/owasp/wrongsecrets/challenges/`. TestFile is required to do **unit testing.** 340 + These are the things that you have to keep in mind. 341 + 342 + - Make sure that this file is also of **Java** type. 343 + - Here is a unit test for reference: 344 + ```java 345 + package org.owasp.wrongsecrets.challenges.docker; 346 + import org.assertj.core.api.Assertions; 347 + import org.junit.jupiter.api.Test; 348 + import org.junit.jupiter.api.extension.ExtendWith; 349 + import org.mockito.Mock; 350 + import org.mockito.Mockito; 351 + import org.mockito.junit.jupiter.MockitoExtension; 352 + import org.owasp.wrongsecrets.ScoreCard; 353 + @ExtendWith(MockitoExtension.class) 354 + class Challenge28Test { 355 + @Mock 356 + private ScoreCard scoreCard; 357 + @Test 358 + void rightAnswerShouldSolveChallenge() { 359 + var challenge = new Challenge28(scoreCard); 360 + Assertions.assertThat(challenge.solved("wrong answer")).isFalse(); 361 + Assertions.assertThat(challenge.solved(challenge.spoiler().solution())).isTrue(); 362 + } 363 + } 364 + ``` 365 + Please note that PRs for new challenges are only accepted when unit tests are added to prove that the challenge works. Normally tests should not immediately leak the actual secret, so leverage the `.spoil()` functionality of your test implementation for this. 366 + 367 + - 368 + 369 + ### Step 4: Adding explanations, reasons and hints. 
370 + 371 + Add the explanation for your challenge along with the hints that will help in finding the secret in this folder `wrongsecrets/src/main/resources/explanations/`. 372 + Things to be noted. 373 + 374 + - All the possible explanations for your challenge, included with all the hints and reasons should be provided. 375 + - Everything must be in separate **AsciiDoc files**. 376 + - Follow this fashion in naming the file. 377 + 378 + - Here is a Explanation for reference: 379 + 380 + ```adoc 381 + === Hello world challenge 382 + 383 + Welcome to OWASP WrongSecrets Beginner guide Challenge 384 + 385 + Basically this challenge is there only to demonstrate how to add a challenge in our project and to give you a basic idea on how does things work. 386 + 387 + ``` 388 + 389 + - refer this block for reasons: 390 + 391 + ```adoc 392 + ==== What’s the purpose of this specific challenge? 393 + With this challenge, we basically aim to help new contributors to better understand the code and encourage them to add new challenges for our end-user. 394 + ``` 395 + 396 + - Use this block as refrence for hints: 397 + 398 + ```adoc 399 + Your secret is `Hello World` 400 + 401 + Copy this and paste it in the box provided and press "Submit" and you are good to go. 402 + 403 + This challenge is only meant for helping new contributors to add new challenges. Please, have fun with trying more difficult challenges;-). 404 + ``` 405 + 406 + - ### Step 5: Submitting your PR. 407 + After completing all the above steps, final step is to submit the PR and refer [**Contributing.md**](https://github.com/OWASP/wrongsecrets/blob/master/CONTRIBUTING.md#how-to-get-your-pr-accepted) on how to get your PR accepted. 408 + 409 + --- 98 410 -
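Review bot: the new table-of-contents entries `[About the Project](#OWASP-WrongSecrets)`, `[Prerequisites](#Prerequisites)` and `[...](#How-to-get-started-with-the-project-in-IntelliJ-IDEA)` use mixed-case fragments, while GitHub generates lowercase ids for headings (`#owasp-wrongsecrets`, `#prerequisites`, `#how-to-get-started-with-the-project-in-intellij-idea`), as the existing entries such as `#how-to-add-a-challenge` already do; lowercase them so the links resolve.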
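Review bot: typo in step 8 of the contributor setup: "after which you you can use `npm install`". The same step lists terraform, terraform-docs, tflint and commitlint as local requirements, but the pre-commit workflow added in this commit also installs tfsec; list it here as well so a local `pre-commit run -a` checks the same things CI does.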
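Review bot: the worked `Challenge28` example and the hint text that goes with it disagree on case: the class sets `secret = "hello world"` and checks `secret.equals(answer)`, while the hint block says "Your secret is `Hello World`", so a reader who follows the hint literally submits a wrong answer; use the same string in both places (or compare case-insensitively and say so in the hint). The closing note tells contributors to "leverage the `.spoil()` functionality", but the code defines `spoiler()` and the test calls `challenge.spoiler().solution()`; rename the prose to match. The test also exercises `challenge.solved(...)` while the example class only shows `answerCorrect(String)`; one comment stating where `solved` comes from (presumably the base `Challenge` class wrapping `answerCorrect`) would save new contributors a search through the code base.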
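Review bot: Step 4 of "How to add a challenge" says "Follow this fashion in naming the file." but never states the naming fashion, and the three AsciiDoc blocks are shown without filenames; give the three expected filenames for the explanation, reason and hint files so the example is actually followable. Typos in the same region: "a Explanation", "refrence", "depedencies" (Step 5) and "enounter" (the VPN note).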
images/1password_logo.png
images/aws-white_48x29.png
images/clone-project-2.png
images/docker_logo.png
images/edit-config-7.1.png
images/fill-fields-7.4.png
images/final-output-8.png
images/fork-project-1.png
images/gitguardian_logo.jpeg
images/jetbrains_logo.png
images/lombok-processing-4.3.png
images/lombok-setup-4.2.png
images/modify-options-7.2.png
images/open-application-6.1.png
images/open-maven-5.1.png
images/open-project-3.1.png
images/open-settings-4.1.png
images/open-settings-4.4.png
images/reload-maven-5.2.png
images/run-application-6.2.png
images/screenshot.png
images/select-options-7.3.png
images/wait-3.2.png
k8s/helm-vault-values.yml (content is identical)
package-lock.json (diff is too large to be displayed)