STRLCPY/wrongsecrets

■ ■ ■ ■ ■ ■ ■

CONTRIBUTING.md

		skipped 247 lines
248	248		import org.springframework.core.annotation.Order;
249	249		import org.springframework.stereotype.Component;
250	250		import java.util.List;
	251	+	/**
	252	+	* Describe what your challenge does
	253	+	*/
251	254		@Slf4j
252	255		@Component
253	256		@Order(28) //make sure this number is the same as your challenge
		skipped 18 lines
272	275		public boolean answerCorrect(String answer) {
273	276		return secret.equals(answer);
274	277		}
275		-	//which runtime can you use to run the challenge on ? (You can just use Docker here)
	278	+	//which runtime can you use to run the challenge on? (You can just use Docker here)
	279	+	/**
	280	+	* {@inheritDoc}
	281	+	*/
276	282		@Override
277	283		public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
278	284		return List.of(RuntimeEnvironment.Environment.DOCKER);
279	285		}
280	286		//set the difficulty: 1=low, 5=very hard
	287	+	/**
	288	+	* {@inheritDoc}
	289	+	* Difficulty: 1.
	290	+	*/
281	291		@Override
282	292		public int difficulty() {
283	293		return 1;
284	294		}
285	295		//on which tech is this challenge? See ChallengeTechnology.Tech for categories
	296	+	/**
	297	+	* {@inheritDoc}
	298	+	* Secrets based.
	299	+	*/
286	300		@Override
287	301		public String getTech() {
288	302		return ChallengeTechnology.Tech.SECRETS.id;
		skipped 80 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/AboutController.java

1	1		package org.owasp.wrongsecrets;
2	2
3	3		import io.swagger.v3.oas.annotations.Operation;
4		-	import org.owasp.wrongsecrets.canaries.CanaryCounter;
5		-	import org.springframework.beans.factory.annotation.Autowired;
6		-	import org.springframework.beans.factory.annotation.Value;
7	4		import org.springframework.stereotype.Controller;
8	5		import org.springframework.ui.Model;
9	6		import org.springframework.web.bind.annotation.GetMapping;
10	7
	8	+	/**
	9	+	* About controler hosting /about endpoint.
	10	+	*/
11	11		@Controller
12	12		public class AboutController {
13	13
		skipped 9 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/ActuatorSecurityConfiguration.java

		skipped 6 lines
7	7		import org.springframework.security.config.annotation.web.builders.HttpSecurity;
8	8		import org.springframework.security.web.SecurityFilterChain;
9	9
	10	+	/**
	11	+	* Configuration used to disable CSRF on the actuator health endpoint otherwise it does not work for health-checks.
	12	+	*/
10	13		@Configuration
11	14		public class ActuatorSecurityConfiguration {
12	15
		skipped 11 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/FailtoStartupException.java

		skipped 1 lines
2	2
3	3		import org.springframework.boot.ExitCodeGenerator;
4	4
	5	+	/**
	6	+	* Used to give a clear non-0 exit code when the Application cannot start.
	7	+	*/
5	8		public class FailtoStartupException extends RuntimeException implements ExitCodeGenerator {
6	9
7	10		public FailtoStartupException(String message) {
		skipped 9 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/HerokuWebSecurityConfig.java

		skipped 7 lines
8	8		import org.springframework.security.web.PortMapper;
9	9		import org.springframework.security.web.SecurityFilterChain;
10	10
	11	+	/**
	12	+	* Used to implement https redirect for our Heroku-hosted workload.
	13	+	*/
11	14		@Configuration
12	15		public class HerokuWebSecurityConfig {
13	16
		skipped 13 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/InMemoryScoreCard.java

		skipped 4 lines
5	5		import java.util.HashSet;
6	6		import java.util.Set;
7	7
	8	+	/**
	9	+	* In-memory implementation of the ScoreCard (E.g. no persistence).
	10	+	*/
8	11		public class InMemoryScoreCard implements ScoreCard {
9	12
10	13		private final int maxNumberOfChallenges;
		skipped 32 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/IndexController.java

		skipped 4 lines
5	5		import org.springframework.stereotype.Controller;
6	6		import org.springframework.web.bind.annotation.GetMapping;
7	7
	8	+	/**
	9	+	* Controller used to return the dynamic data for the welcome screen.
	10	+	*/
8	11		@Controller
9	12		@Slf4j
10	13		public class IndexController {
		skipped 8 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/MvcConfiguration.java

		skipped 20 lines
21	21
22	22		import java.util.Set;
23	23
	24	+	/**
	25	+	* Used to generate and return all the html in thymeleaf and convert asciidoc to html.
	26	+	*/
24	27		@Configuration
25	28		@Slf4j
26	29		public class MvcConfiguration implements WebMvcConfigurer {
		skipped 55 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/RuntimeEnvironment.java

		skipped 12 lines
13	13
14	14		import static org.owasp.wrongsecrets.RuntimeEnvironment.Environment.*;
15	15
	16	+	/**
	17	+	* Class establishing whether a challenge can run or not depending on the given RuntimeEnvironment and whether components are configured and the CTFmode is enabled or not.
	18	+	*/
16	19		@Component
17	20		public class RuntimeEnvironment {
18	21
		skipped 11 lines
30	33
31	34		private static final Map<Environment, List<Environment>> envToOverlappingEnvs = Map.of(FLY_DOCKER, List.of(DOCKER, FLY_DOCKER), HEROKU_DOCKER, List.of(DOCKER, HEROKU_DOCKER), DOCKER, List.of(DOCKER, HEROKU_DOCKER, FLY_DOCKER), GCP, List.of(DOCKER, K8S, VAULT), AWS, List.of(DOCKER, K8S, VAULT), AZURE, List.of(DOCKER, K8S, VAULT), VAULT, List.of(DOCKER, K8S), K8S, List.of(DOCKER), OKTETO_K8S, List.of(K8S, DOCKER, OKTETO_K8S));
32	35
	36	+	/**
	37	+	* Enum with possible environments supported by the app.
	38	+	*/
33	39		public enum Environment {
34	40		DOCKER("Docker"), HEROKU_DOCKER("Heroku(Docker)"), FLY_DOCKER("Fly(Docker)"), GCP("gcp"), AWS("aws"), AZURE("azure"), VAULT("k8s-with-vault"), K8S("k8s"), OKTETO_K8S("Okteto(k8s)");
35	41
		skipped 11 lines
47	53		@Getter
48	54		private final Environment runtimeEnvironment;
49	55
50		-	private boolean isK8sUnlockedInCTFMode() {
51		-	String defaultValueChallenge5 = "if_you_see_this_please_use_k8s";
52		-	return ctfModeEnabled && !challenge5Value.equals(defaultValueChallenge5);
53		-	}
54		-
55		-	private boolean isVaultUnlockedInCTFMode() {
56		-	String defaultVaultAnswer = "ACTUAL_ANSWER_CHALLENGE7";
57		-	String secondDefaultVaultAnswer = "if_you_see_this_please_use_K8S_and_Vault";
58		-	return ctfModeEnabled && !challenge7Value.equals(defaultVaultAnswer) && !challenge7Value.equals(secondDefaultVaultAnswer);
59		-	}
60		-
61		-	private boolean isCloudUnlockedInCTFMode() {
62		-	String defaultValueAWSValue = "if_you_see_this_please_use_AWS_Setup";
63		-	return ctfModeEnabled && !defaultChallenge9Value.equals(defaultValueAWSValue);
64		-	}
65		-
66	56		@Autowired
67	57		public RuntimeEnvironment(@Value("${K8S_ENV}") String currentRuntimeEnvironment) {
68	58		this.runtimeEnvironment = Environment.fromId(currentRuntimeEnvironment);
		skipped 26 lines
95	85		return ctfModeEnabled;
96	86		}
97	87
	88	+	private boolean isK8sUnlockedInCTFMode() {
	89	+	String defaultValueChallenge5 = "if_you_see_this_please_use_k8s";
	90	+	return ctfModeEnabled && !challenge5Value.equals(defaultValueChallenge5);
	91	+	}
	92	+
	93	+	private boolean isVaultUnlockedInCTFMode() {
	94	+	String defaultVaultAnswer = "ACTUAL_ANSWER_CHALLENGE7";
	95	+	String secondDefaultVaultAnswer = "if_you_see_this_please_use_K8S_and_Vault";
	96	+	return ctfModeEnabled && !challenge7Value.equals(defaultVaultAnswer) && !challenge7Value.equals(secondDefaultVaultAnswer);
	97	+	}
	98	+
	99	+	private boolean isCloudUnlockedInCTFMode() {
	100	+	String defaultValueAWSValue = "if_you_see_this_please_use_AWS_Setup";
	101	+	return ctfModeEnabled && !defaultChallenge9Value.equals(defaultValueAWSValue);
	102	+	}
98	103		}
99	104

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/ScoreCard.java

		skipped 1 lines
2	2
3	3		import org.owasp.wrongsecrets.challenges.Challenge;
4	4
	5	+	/**
	6	+	* Interface of a scorecard where a player's progress is stored into.
	7	+	*/
5	8		public interface ScoreCard {
	9	+
	10	+	/**
	11	+	* Marks a challenge as completed.
	12	+	* @param challenge Challenge object which is completed
	13	+	*/
6	14		void completeChallenge(Challenge challenge);
7	15
	16	+	/**
	17	+	* Checks if the given challenge is marked as completed in the scorecard.
	18	+	* @param challenge Challenge object tested for completion
	19	+	* @return true if challenge solved correctly
	20	+	*/
8	21		boolean getChallengeCompleted(Challenge challenge);
9	22
	23	+	/**
	24	+	* Gives a 0-100 implementation completeness score.
	25	+	* @return float with completeness percentage
	26	+	*/
10	27		float getProgress();
11	28
	29	+	/**
	30	+	* Gives total number of received points.
	31	+	* @return int with points
	32	+	*/
12	33		int getTotalReceivedPoints();
13	34
	35	+	/**
	36	+	* Resets the status of a given challenge its entry in the score-card.
	37	+	* @param challenge Challenge of which the status should be reset.
	38	+	*/
14	39		void reset(Challenge challenge);
15	40		}
16	41

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/SecretsErrorController.java

1	1		package org.owasp.wrongsecrets;
2	2
	3	+	import io.swagger.v3.oas.annotations.Operation;
3	4		import org.springframework.boot.web.servlet.error.ErrorController;
4	5		import org.springframework.stereotype.Controller;
5	6		import org.springframework.web.bind.annotation.GetMapping;
6	7		import org.springframework.web.bind.annotation.RequestMapping;
7	8
	9	+	/**
	10	+	* Controller used to generate content for the error page.
	11	+	*/
8	12		@Controller
9	13		public class SecretsErrorController implements ErrorController {
10	14
11	15		@GetMapping("/error")
	16	+	@Operation(summary = "Returns data for the error page")
12	17		public String handleError() {
13	18		return "error";
14	19		}
		skipped 2 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/SecurityHeaderAddingFilter.java

		skipped 5 lines
6	6		import jakarta.servlet.http.HttpServletResponse;
7	7		import java.io.IOException;
8	8
	9	+	/**
	10	+	* Filter used to provide basic security headers in all cases.
	11	+	*/
9	12		@Component
10	13		public class SecurityHeaderAddingFilter implements Filter {
11	14
		skipped 11 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/SessionConfiguration.java

		skipped 7 lines
8	8		import jakarta.servlet.http.HttpSessionListener;
9	9		import java.util.concurrent.atomic.AtomicInteger;
10	10
	11	+	/**
	12	+	* HTTPSessionListener with decorator: adds logging on new sessions started so we can keep track somewhat.
	13	+	*/
11	14		@Configuration
12	15		@Slf4j
13	16		public class SessionConfiguration {
		skipped 23 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/StartupListener.java

		skipped 8 lines
9	9		import java.util.Arrays;
10	10		import java.util.stream.Collectors;
11	11
	12	+	/**
	13	+	* Helps handling application startup and breaks nicely if K8S_ENV is wrong.
	14	+	*/
12	15		@Slf4j
13	16		public class StartupListener implements ApplicationListener<ApplicationEvent> {
14	17
		skipped 31 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/StatsController.java

		skipped 7 lines
8	8		import org.springframework.ui.Model;
9	9		import org.springframework.web.bind.annotation.GetMapping;
10	10
	11	+	/**
	12	+	* Controller that is used to render data in the stats page.
	13	+	*/
11	14		@Controller
12	15		public class StatsController {
13	16
		skipped 47 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/asciidoc/TemplateGenerator.java

		skipped 2 lines
3	3		import java.io.IOException;
4	4
5	5		/**
6		-	* Template generagor used for Asciidoc to HTMLK conversion
	6	+	* Template generator used for Asciidoc to HTML conversion.
7	7		*/
8	8		public interface TemplateGenerator {
9	9
		skipped 3 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/canaries/AdditionalCanaryData.java

		skipped 4 lines
5	5		import lombok.RequiredArgsConstructor;
6	6
7	7		/**
8		-	* Canarytokens used to communicate with <a href="http://canarytokens.com/">canarytokens.com</a>
9		-	* will send a CanaryToken with this AdditionalCanaryData
	8	+	* Canarytokens used to communicate with <a href="http://canarytokens.com/">canarytokens.com</a>.
	9	+	* canarytokens.com will send a CanaryToken with this AdditionalCanaryData.
10	10		* @see org.owasp.wrongsecrets.canaries.CanaryToken
11	11		*/
12	12		@RequiredArgsConstructor
		skipped 17 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/canaries/CanaryCounter.java

1	1		package org.owasp.wrongsecrets.canaries;
2	2
3	3		/**
4		-	* Used for counting the number of canary-token based callbacks
	4	+	* Used for counting the number of canary-token based callbacks.
5	5		* @see org.owasp.wrongsecrets.StatsController for the tracking controller
6	6		* @see org.owasp.wrongsecrets.canaries.CanariesController for the calling controler
7	7		*/
8	8		public interface CanaryCounter {
9	9
10	10		/**
11		-	* incement the counter of callbacks with 1
	11	+	* incement the counter of callbacks with 1.
12	12		*/
13	13		void upCallBackCounter();
14	14
15	15		/**
16		-	* Gets the total number of canary token callback calls
	16	+	* Gets the total number of canary token callback calls.
17	17		* @return int ≥ 0
18	18		*/
19	19		int getTotalCount();
20	20
21	21		/**
22		-	* Sets the content of the last token its contents as a Strings
	22	+	* Sets the content of the last token its contents as a Strings.
23	23		* @param tokenContent unprocessed contents of the callback (E.g. full data of the canarytoken)
24	24		*/
25	25		void setLastCanaryToken(String tokenContent);
26	26
27	27		/**
28		-	* Returns the last token given during the callback invocation
	28	+	* Returns the last token given during the callback invocation.
29	29		* @return unprocessed callback token contents
30	30		*/
31	31		String getLastToken();
		skipped 3 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/canaries/CanaryCounterImpl.java

		skipped 4 lines
5	5		import java.util.concurrent.atomic.AtomicInteger;
6	6
7	7		/**
8		-	* Implementation of CanaryCounter using an Atomic integer for actual implementation
	8	+	* Implementation of CanaryCounter using an Atomic integer for actual implementation.
9	9		*/
10	10		@Service
11	11		public class CanaryCounterImpl implements CanaryCounter {
		skipped 27 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/Challenge.java

		skipped 16 lines
17	17
18	18		private final ScoreCard scoreCard;
19	19
	20	+	/**
	21	+	* Returns a Spoiler object containing the secret for the challenge.
	22	+	* @return Spoiler with anser
	23	+	*/
20	24		public abstract Spoiler spoiler();
21	25
22	26		/**
23		-	* method that needs to be overwritten by the Challenge implementation class to do the actual
24		-	* evaluation of the answer
	27	+	* method that needs to be overwritten by the Challenge implementation class to do the actual evaluation of the answer.
25	28		* @param answer String provided by the user
26	29		* @return true if answer is Correct
27	30		*/
28	31		protected abstract boolean answerCorrect(String answer);
29	32
30	33		/**
31		-	* Gives the supported runtine envs in which the class can run
	34	+	* Gives the supported runtime envs in which the class can run.
32	35		* @return a list of Environment objects representing supported envs for the class
33	36		*/
34	37		public abstract List<Environment> supportedRuntimeEnvironments();
35	38
36	39		/**
37		-	* returns the difficulty (1-5)
	40	+	* returns the difficulty (1-5).
38	41		* @return int with difficulty
39	42		*/
40	43		public abstract int difficulty();
41	44
42	45		/**
43		-	* returns the technology used
	46	+	* returns the technology used.
44	47		* @see ChallengeTechnology.Tech
45	48		* @return a string from Tech.id
46	49		*/
47	50		public abstract String getTech();
48	51
49	52		/**
50		-	* boolean indicating a challenge needs to be run differently with a different explanation/steps when running on a shared platform
	53	+	* boolean indicating a challenge needs to be run differently with a different explanation/steps when running on a shared platform.
51	54		* @return boolean with true if a different explanation is required when running on a shared platform
52	55		*/
53	56		public abstract boolean isLimittedWhenOnlineHosted();
		skipped 1 lines
55	58		/**
56	59		* boolean indicating if the challenge can be enabled when running in CTF mode.
57	60		* Note: All challenges should be able to run in non-CTF mode.
58		-	* @return true if th echallenge can be run in CTF mode.
	61	+	* @return true if the challenge can be run in CTF mode.
59	62		*/
60	63		public abstract boolean canRunInCTFMode();
61	64
62	65		/**
63		-	* Solving method which, if the correct answer is provided, will mark the challenge as solved in the scorecard
	66	+	* Solving method which, if the correct answer is provided, will mark the challenge as solved in the scorecard.
64	67		* @param answer String provided by the user to validate.
65	68		* @return true if answer was correct.
66	69		*/
		skipped 6 lines
73	76		}
74	77
75	78		/**
76		-	* Returns the name of the explanation file for adoc rendering
	79	+	* Returns the name of the explanation file for adoc rendering.
77	80		* @return String with name of file for explanation
78	81		*/
79	82		public String getExplanation() {
		skipped 1 lines
81	84		}
82	85
83	86		/**
84		-	* Returns the name of the hints file for adoc rendering
	87	+	* Returns the name of the hints file for adoc rendering.
85	88		* @return String with name of file for hints
86	89		*/
87	90		public String getHint() {
		skipped 1 lines
89	92		}
90	93
91	94		/**
92		-	* Returns the name of the reason file for adoc rendering
	95	+	* Returns the name of the reason file for adoc rendering.
93	96		* @return String with name of file for reason
94	97		*/
95	98		public String getReason() {
		skipped 4 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/ChallengeForm.java

1	1		package org.owasp.wrongsecrets.challenges;
2	2
	3	+	/**
	4	+	* Used to communicate with the front-end.
	5	+	* @param solution as provided throught the form.
	6	+	*/
3	7		public record ChallengeForm(String solution) {
4	8
5	9		}
		skipped 1 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/ChallengeTechnology.java

		skipped 1 lines
2	2
3	3		import java.util.Arrays;
4	4
	5	+	/**
	6	+	* provides the technology used within a challenge.
	7	+	*/
5	8		public class ChallengeTechnology {
6	9
	10	+	/**
	11	+	* enum from which you can choose the tech to have consistent naming.
	12	+	*/
7	13		public enum Tech {
8	14
9	15		GIT("Git"), DOCKER("Docker"), CONFIGMAPS("Configmaps"), SECRETS("Secrets"), VAULT("Vault"), LOGGING("Logging"), TERRAFORM("Terraform"), CSI("CSI-Driver"), CICD("CI/CD"), PASSWORD_MANAGER("Password Manager"), CRYPTOGRAPHY("Cryptography"), BINARY("Binary"), FRONTEND("Front-end"), IAM("IAM privilege escalation"), WEB3("Web3"), DOCUMENTATION("Documentation");
		skipped 12 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/ChallengeUI.java

		skipped 25 lines
26	26		this.runtimeEnvironment = runtimeEnvironment;
27	27		}
28	28
	29	+	/**
	30	+	* Converts the name of the class into the challenge name.
	31	+	* @return String with name of the challenge.
	32	+	*/
29	33		public String getName() {
30	34		var matchers = challengePattern.matcher(challenge.getClass().getSimpleName());
31	35		if (matchers.matches()) {
		skipped 2 lines
34	38		return "Unknown";
35	39		}
36	40
	41	+	/**
	42	+	* gives back the number of the challenge.
	43	+	* @return int with challenge number.
	44	+	*/
37	45		public Integer getLink() {
38	46		return challengeNumber;
39	47		}
40	48
	49	+	/**
	50	+	* Returns the tech used for a challenge.
	51	+	* @return string with tech.
	52	+	*/
41	53		public String getTech() {
42	54		return challenge.getTech();
43	55		}
44	56
	57	+	/**
	58	+	* Returns the number of the next challenge (e.g current+1).
	59	+	* @return int with next challenge number.
	60	+	*/
45	61		public Integer next() {
46	62		return challengeNumber + 1;
47	63		}
48	64
	65	+	/**
	66	+	* Returns the number of the previous challenge (e.g current-1).
	67	+	* @return int with previous challenge number.
	68	+	*/
49	69		public Integer previous() {
50	70		return challengeNumber - 1;
51	71		}
52	72
	73	+	/**
	74	+	* Returns filename of the explanation of the challenge.
	75	+	* @return String with filename.
	76	+	*/
53	77		public String getExplanation() {
54	78		return challenge.getExplanation();
55	79		}
56	80
	81	+	/**
	82	+	* Returns filename of the hints for the challenge.
	83	+	* @return String with filename.
	84	+	*/
57	85		public String getHint() {
58	86		List<RuntimeEnvironment.Environment> limitedOnlineEnvs = List.of(RuntimeEnvironment.Environment.HEROKU_DOCKER, RuntimeEnvironment.Environment.FLY_DOCKER, RuntimeEnvironment.Environment.OKTETO_K8S);
59	87		if (limitedOnlineEnvs.contains(runtimeEnvironment.getRuntimeEnvironment()) && challenge.isLimittedWhenOnlineHosted()) {
		skipped 2 lines
62	90		return challenge.getHint();
63	91		}
64	92
	93	+	/**
	94	+	* Returns filename of the reasons of the challenge.
	95	+	* @return String with filename.
	96	+	*/
65	97		public String getReason() {
66	98		return challenge.getReason();
67	99		}
68	100
	101	+	/**
	102	+	* String providing the minimal required env. Used in homescreen.
	103	+	* @return String with required env.
	104	+	*/
69	105		public String requiredEnv() {
70	106		return challenge.supportedRuntimeEnvironments().stream()
71	107		.map(Enum::name)
		skipped 1 lines
73	109		.collect(Collectors.joining());
74	110		}
75	111
	112	+	/**
	113	+	* returns integer with difficulty of the challenge.
	114	+	* @return int
	115	+	*/
76	116		public int difficulty() {
77	117		return challenge.difficulty();
78	118		}
79	119
	120	+	/**
	121	+	* checks whether challenge is enabled based on used runtimemode and CTF enablement.
	122	+	* @return boolean true if the challenge can run.
	123	+	*/
80	124		public boolean isChallengeEnabled() {
81	125		if (runtimeEnvironment.runtimeInCTFMode()) {
82	126		return runtimeEnvironment.canRun(challenge) && challenge.canRunInCTFMode();
		skipped 1 lines
84	128		return runtimeEnvironment.canRun(challenge);
85	129		}
86	130
	131	+	/**
	132	+	* returns the list of challengeUIs based on the status sof the runtime.
	133	+	* @param challenges actual challenges to be used in app.
	134	+	* @param environment the runtime env we are running on as an app.
	135	+	* @return list of ChallengeUIs.
	136	+	*/
87	137		public static List<ChallengeUI> toUI(List<Challenge> challenges, RuntimeEnvironment environment) {
88	138		return challenges.stream()
89	139		.sorted(Comparator.comparingInt(challenge -> Integer.parseInt(challenge.getClass().getSimpleName().replace("Challenge", ""))))
		skipped 5 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/ChallengesAPIController.java

		skipped 10 lines
11	11		import java.util.ArrayList;
12	12		import java.util.List;
13	13
	14	+	import io.swagger.v3.oas.annotations.Operation;
14	15		import lombok.extern.slf4j.Slf4j;
15	16		import org.asciidoctor.Asciidoctor;
16	17		import org.asciidoctor.Options;
		skipped 5 lines
22	23		import org.springframework.web.bind.annotation.GetMapping;
23	24		import org.springframework.web.bind.annotation.RestController;
24	25
	26	+	/**
	27	+	* Used to request and generate the required json for setting up a CTF through juiceshop CTF CLI.
	28	+	*/
25	29		@Slf4j
26	30		@RestController
27	31		public class ChallengesAPIController {
		skipped 20 lines
48	52
49	53
50	54		@GetMapping(value = {"/api/Challenges", "/api/challenges"}, produces = MediaType.APPLICATION_JSON_VALUE)
	55	+	@Operation(summary = "Gives all challenges back in a jsonArray, to be used with the Juiceshop CTF cli")
51	56		public String getChallenges() {
52	57		if (descriptions.size() == 0) {
53	58		initiaLizeHintsAndDescriptions();
		skipped 84 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/ChallengesController.java

		skipped 25 lines
26	26		import java.util.List;
27	27		import java.util.stream.Collectors;
28	28
	29	+	/**
	30	+	* Controller used to host the Challenges UI.
	31	+	*/
29	32		@Controller
30	33		public class ChallengesController {
31	34
		skipped 216 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/cloud/Challenge10.java

		skipped 18 lines
19	19		import static org.owasp.wrongsecrets.RuntimeEnvironment.Environment.GCP;
20	20		import static org.owasp.wrongsecrets.RuntimeEnvironment.Environment.AZURE;
21	21
	22	+	/**
	23	+	* Cloud challenge that leverages the CSI secrets driver of the cloud you are running in.
	24	+	*/
22	25		@Component
23	26		@Slf4j
24	27		@Order(10)
		skipped 12 lines
37	40		this.challengeAnswer = getCloudChallenge9and10Value(filePath, fileName);
38	41		}
39	42
	43	+	/**
	44	+	* {@inheritDoc}
	45	+	*/
40	46		@Override
41	47		public Spoiler spoiler() {
42	48		return new Spoiler(challengeAnswer);
43	49		}
44	50
	51	+	/**
	52	+	* {@inheritDoc}
	53	+	*/
45	54		@Override
46	55		public boolean answerCorrect(String answer) {
47	56		return challengeAnswer.equals(answer);
		skipped 9 lines
57	66		}
58	67		}
59	68
	69	+	/**
	70	+	* {@inheritDoc}
	71	+	*/
60	72		public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
61	73		return List.of(GCP, AWS, AZURE);
62	74		}
63	75
	76	+	/**
	77	+	* {@inheritDoc}
	78	+	* Difficulty: 4
	79	+	*/
64	80		@Override
65	81		public int difficulty() {
66	82		return 4;
67	83		}
68	84
	85	+	/**
	86	+	* {@inheritDoc}
	87	+	* Uses CSI Driver
	88	+	*/
69	89		@Override
70	90		public String getTech() {
71	91		return ChallengeTechnology.Tech.CSI.id;
		skipped 8 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/cloud/Challenge11.java

		skipped 31 lines
32	32
33	33		import static org.owasp.wrongsecrets.RuntimeEnvironment.Environment.*;
34	34
	35	+	/**
	36	+	* Cloud challenge which uses IAM privilelge escalation (differentiating per cloud).
	37	+	*/
35	38		@Component
36	39		@Slf4j
37	40		@Order(11)
		skipped 42 lines
80	83		this.challengeAnswer = getChallenge11Value(runtimeEnvironment);
81	84		}
82	85
	86	+	/**
	87	+	* {@inheritDoc}
	88	+	*/
83	89		@Override
84	90		public Spoiler spoiler() {
85	91		return new Spoiler(challengeAnswer);
86	92		}
87	93
	94	+	/**
	95	+	* {@inheritDoc}
	96	+	*/
88	97		@Override
89	98		public boolean answerCorrect(String answer) {
90	99		return challengeAnswer.equals(answer);
91	100		}
92	101
	102	+	/**
	103	+	* {@inheritDoc}
	104	+	*/
93	105		public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
94	106		return List.of(AWS, GCP, AZURE);
95	107		}
96	108
	109	+	/**
	110	+	* {@inheritDoc}
	111	+	* Difficulty: 4
	112	+	*/
97	113		@Override
98	114		public int difficulty() {
99	115		return 4;
100	116		}
101	117
	118	+	/**
	119	+	* {@inheritDoc}
	120	+	* Uses IAM Privilege escalation
	121	+	*/
102	122		@Override
103	123		public String getTech() {
104	124		return ChallengeTechnology.Tech.IAM.id;
		skipped 103 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/cloud/Challenge9.java

		skipped 19 lines
20	20		import static org.owasp.wrongsecrets.RuntimeEnvironment.Environment.AZURE;
21	21
22	22		/**
23		-	* Cloud challenge which focuses on Terraform and secrets
	23	+	* Cloud challenge which focuses on Terraform and secrets.
24	24		*/
25	25		@Component
26	26		@Slf4j
		skipped 4 lines
31	31		private final String challengeAnswer;
32	32
33	33		/**
34		-	* Cloud challenge which focuses on Terraform and secrets
	34	+	* Cloud challenge which focuses on Terraform and secrets.
35	35		* @param scoreCard required for score keeping
36	36		* @param filePath used to mount in the secrets store where teh actual secret lands in from the cloud
37	37		* @param awsDefaultValue used to indicate whether a cloud setup is enabled.
		skipped 10 lines
48	48		this.challengeAnswer = getCloudChallenge9and10Value(filePath, fileName);
49	49		}
50	50
	51	+	/**
	52	+	* {@inheritDoc}
	53	+	*/
51	54		@Override
52	55		public Spoiler spoiler() {
53	56		return new Spoiler(challengeAnswer);
54	57		}
55	58
	59	+	/**
	60	+	* {@inheritDoc}
	61	+	*/
56	62		@Override
57	63		public boolean answerCorrect(String answer) {
58	64		return challengeAnswer.equals(answer);
		skipped 9 lines
68	74		}
69	75		}
70	76
	77	+	/**
	78	+	* {@inheritDoc}
	79	+	*/
71	80		public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
72	81		return List.of(GCP, AWS, AZURE);
73	82		}
74	83
	84	+	/**
	85	+	* {@inheritDoc}
	86	+	* Difficulty: 3
	87	+	*/
75	88		@Override
76	89		public int difficulty() {
77	90		return 3;
78	91		}
79	92
	93	+	/**
	94	+	* {@inheritDoc}
	95	+	* Uses Terraform
	96	+	*/
80	97		@Override
81	98		public String getTech() {
82	99		return ChallengeTechnology.Tech.TERRAFORM.id;
		skipped 8 lines

■ ■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/cloud/CloudChallenge.java

		skipped 4 lines
5	5		import org.owasp.wrongsecrets.challenges.Challenge;
6	6
7	7		/**
8		-	* Abstract class used to provide convinient wrapper helpers for cloud type detection for the cloud challenges
	8	+	* Abstract class used to provide convinient wrapper helpers for cloud type detection for the cloud challenges.
9	9		*/
10	10		public abstract class CloudChallenge extends Challenge {
11	11
		skipped 4 lines
16	16		this.runtimeEnvironment = runtimeEnvironment;
17	17		}
18	18
	19	+	/**
	20	+	* boolean showing whether we run in AWS.
	21	+	* @return true if we are on AWS
	22	+	*/
19	23		public boolean isAWS() {
20	24		return this.runtimeEnvironment.getRuntimeEnvironment() == RuntimeEnvironment.Environment.AWS;
21	25		}
22	26
	27	+	/**
	28	+	* boolean showing whether we run in GCP.
	29	+	* @return true if we are on GCP
	30	+	*/
23	31		public boolean isGCP() {
24	32		return this.runtimeEnvironment.getRuntimeEnvironment() == RuntimeEnvironment.Environment.GCP;
25	33		}
26	34
	35	+	/**
	36	+	* boolean showing whether we run in Azure.
	37	+	* @return true if we are on Azure
	38	+	*/
27	39		public boolean isAzure() {
28	40		return this.runtimeEnvironment.getRuntimeEnvironment() == RuntimeEnvironment.Environment.AZURE;
29	41		}
		skipped 31 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge0.java

		skipped 10 lines
11	11
12	12		import static org.owasp.wrongsecrets.RuntimeEnvironment.Environment.DOCKER;
13	13
	14	+	/**
	15	+	* Introduction challenge to get a user introduced with the setup.
	16	+	*/
14	17		@Component
15	18		@Order(0)
16	19		public class Challenge0 extends Challenge {
		skipped 2 lines
19	22		super(scoreCard);
20	23		}
21	24
	25	+	/**
	26	+	* {@inheritDoc}
	27	+	*/
22	28		@Override
23	29		public Spoiler spoiler() {
24	30		return new Spoiler(getData());
25	31		}
26	32
	33	+	/**
	34	+	* {@inheritDoc}
	35	+	*/
27	36		@Override
28	37		protected boolean answerCorrect(String answer) {
29	38		return getData().equals(answer);
30	39		}
31	40
32	41		@Override
	42	+	/**
	43	+	* {@inheritDoc}
	44	+	*/
33	45		public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
34	46		return List.of(DOCKER);
35	47		}
36	48
	49	+	/**
	50	+	* {@inheritDoc}
	51	+	* Difficulty: 1
	52	+	*/
37	53		@Override
38	54		public int difficulty() {
39	55		return 1;
		skipped 22 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge1.java

		skipped 12 lines
13	13
14	14		import static org.owasp.wrongsecrets.RuntimeEnvironment.Environment.DOCKER;
15	15
	16	+	/**
	17	+	* Challenge to find the hardcoded password in code.
	18	+	*/
16	19		@Component
17	20		@Order(1)
18	21		public class Challenge1 extends Challenge {
		skipped 7 lines
26	29		return true;
27	30		}
28	31
	32	+	/**
	33	+	* {@inheritDoc}
	34	+	*/
29	35		@Override
30	36		public Spoiler spoiler() {
31	37		return new Spoiler(Constants.password);
32	38		}
33	39
	40	+	/**
	41	+	* {@inheritDoc}
	42	+	*/
34	43		@Override
35	44		public boolean answerCorrect(String answer) {
36	45		return Constants.password.equals(answer);
37	46		}
38	47
	48	+	/**
	49	+	* {@inheritDoc}
	50	+	*/
39	51		public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
40	52		return List.of(DOCKER);
41	53		}
42	54
	55	+	/**
	56	+	* {@inheritDoc}
	57	+	* Difficulty: 1
	58	+	*/
43	59		@Override
44	60		public int difficulty() {
45	61		return 1;
46	62		}
47	63
	64	+	/**
	65	+	* {@inheritDoc}
	66	+	* Git based.
	67	+	*/
48	68		@Override
49	69		public String getTech() {
50	70		return ChallengeTechnology.Tech.GIT.id;
		skipped 9 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge12.java

		skipped 15 lines
16	16		import java.nio.file.Paths;
17	17		import java.util.List;
18	18
	19	+	/**
	20	+	* Challenge focused on filesystem issues in docker container due to workdir copying.
	21	+	*/
19	22		@Slf4j
20	23		@Component
21	24		@Order(12)
		skipped 11 lines
33	36		return true;
34	37		}
35	38
	39	+	/**
	40	+	* {@inheritDoc}
	41	+	*/
36	42		@Override
37	43		public Spoiler spoiler() {
38	44		return new Spoiler(getActualData());
39	45		}
40	46
	47	+	/**
	48	+	* {@inheritDoc}
	49	+	*/
41	50		@Override
42	51		public boolean answerCorrect(String answer) {
43	52		//log.debug("challenge 12, actualdata: {}, answer: {}", getActualData(), answer);
		skipped 1 lines
45	54		}
46	55
47	56		@Override
	57	+	/**
	58	+	* {@inheritDoc}
	59	+	*/
48	60		public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
49	61		return List.of(RuntimeEnvironment.Environment.DOCKER);
50	62		}
51	63
	64	+	/**
	65	+	* {@inheritDoc}
	66	+	* Difficulty: 3
	67	+	*/
52	68		@Override
53	69		public int difficulty() {
54	70		return 3;
55	71		}
56	72
	73	+	/**
	74	+	* {@inheritDoc}
	75	+	* Docker based.
	76	+	*/
57	77		@Override
58	78		public String getTech() {
59	79		return ChallengeTechnology.Tech.DOCKER.id;
		skipped 19 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge13.java

		skipped 18 lines
19	19		import java.util.Base64;
20	20		import java.util.List;
21	21
	22	+	/**
	23	+	* Challenge focused on showing CI/CD issues through Github Actions.
	24	+	*/
22	25		@Slf4j
23	26		@Component
24	27		@Order(13)
		skipped 2 lines
27	30		private final String plainText;
28	31		private final String cipherText;
29	32
	33	+	/**
	34	+	* {@inheritDoc}
	35	+	*/
30	36		@Override
31	37		public Spoiler spoiler() {
32	38		String answer = Base64.getEncoder().encodeToString("This is our first key as github secret".getBytes(StandardCharsets.UTF_8));
		skipped 11 lines
44	50		return true;
45	51		}
46	52
	53	+	/**
	54	+	* {@inheritDoc}
	55	+	*/
47	56		@Override
48	57		protected boolean answerCorrect(String answer) {
49	58		return isKeyCorrect(answer);
50	59		}
51	60
52	61		@Override
	62	+	/**
	63	+	* {@inheritDoc}
	64	+	*/
53	65		public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
54	66		return List.of(RuntimeEnvironment.Environment.DOCKER);
55	67		}
56	68
	69	+	/**
	70	+	* {@inheritDoc}
	71	+	* Difficulty: 3
	72	+	*/
57	73		@Override
58	74		public int difficulty() {
59	75		return 3;
60	76		}
61	77
	78	+	/**
	79	+	* {@inheritDoc}
	80	+	* CI/CD based.
	81	+	*/
62	82		@Override
63	83		public String getTech() {
64	84		return ChallengeTechnology.Tech.CICD.id;
		skipped 37 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge14.java

		skipped 23 lines
24	24		import java.nio.file.Paths;
25	25		import java.util.List;
26	26
	27	+	/**
	28	+	* This challenge is about having a weak password for your password manager.
	29	+	*/
27	30		@Slf4j
28	31		@Component
29	32		@Order(14)
		skipped 17 lines
47	50		return true;
48	51		}
49	52
	53	+	/**
	54	+	* {@inheritDoc}
	55	+	*/
50	56		@Override
51	57		public Spoiler spoiler() {
52	58		return new Spoiler(findAnswer());
53	59		}
54	60
	61	+	/**
	62	+	* {@inheritDoc}
	63	+	*/
55	64		@Override
56	65		protected boolean answerCorrect(String answer) {
57	66		return isanswerCorrectInKeeyPassx(answer);
58	67		}
59	68
60	69		@Override
	70	+	/**
	71	+	* {@inheritDoc}
	72	+	*/
61	73		public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
62	74		return List.of(RuntimeEnvironment.Environment.DOCKER);
63	75		}
64	76
	77	+	/**
	78	+	* {@inheritDoc}
	79	+	* Difficulty: 4
	80	+	*/
65	81		@Override
66	82		public int difficulty() {
67	83		return 4;
68	84		}
69	85
	86	+	/**
	87	+	* {@inheritDoc}
	88	+	* Password manager based.
	89	+	*/
70	90		@Override
71	91		public String getTech() {
72	92		return ChallengeTechnology.Tech.PASSWORD_MANAGER.id;
		skipped 36 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge15.java

		skipped 18 lines
19	19		import java.util.Base64;
20	20		import java.util.List;
21	21
	22	+	/**
	23	+	* This challenge is about AWS keys in git history, with actual canarytokens.
	24	+	*/
22	25		@Slf4j
23	26		@Component
24	27		@Order(15)
		skipped 14 lines
39	42		return true;
40	43		}
41	44
	45	+	/**
	46	+	* {@inheritDoc}
	47	+	*/
42	48		@Override
43	49		public Spoiler spoiler() {
44	50		return new Spoiler(quickDecrypt(ciphterText));
45	51		}
46	52
	53	+	/**
	54	+	* {@inheritDoc}
	55	+	*/
47	56		@Override
48	57		protected boolean answerCorrect(String answer) {
49	58		String correctString = quickDecrypt(ciphterText);
		skipped 1 lines
51	60		}
52	61
53	62		@Override
	63	+	/**
	64	+	* {@inheritDoc}
	65	+	*/
54	66		public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
55	67		return List.of(RuntimeEnvironment.Environment.DOCKER);
56	68		}
57	69
	70	+	/**
	71	+	* {@inheritDoc}
	72	+	* Difficulty: 2.
	73	+	*/
58	74		@Override
59	75		public int difficulty() {
60	76		return 2;
61	77		}
62	78
	79	+	/**
	80	+	* {@inheritDoc}
	81	+	* Git based.
	82	+	*/
63	83		@Override
64	84		public String getTech() {
65	85		return ChallengeTechnology.Tech.GIT.id;
		skipped 49 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge16.java

		skipped 15 lines
16	16		import java.nio.file.Paths;
17	17		import java.util.List;
18	18
	19	+	/**
	20	+	* This challenge is about having a secret obfuscated in the front-end code.
	21	+	*/
19	22		@Slf4j
20	23		@Component
21	24		@Order(16)
		skipped 11 lines
33	36		return true;
34	37		}
35	38
	39	+	/**
	40	+	* {@inheritDoc}
	41	+	*/
36	42		@Override
37	43		public Spoiler spoiler() {
38	44		return new Spoiler(getActualData());
39	45		}
40	46
	47	+	/**
	48	+	* {@inheritDoc}
	49	+	*/
41	50		@Override
42	51		public boolean answerCorrect(String answer) {
43	52		//log.debug("challenge 16, actualdata: {}, answer: {}", getActualData(), answer);
		skipped 1 lines
45	54		}
46	55
47	56		@Override
	57	+	/**
	58	+	* {@inheritDoc}
	59	+	*/
48	60		public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
49	61		return List.of(RuntimeEnvironment.Environment.DOCKER);
50	62		}
51	63
	64	+	/**
	65	+	* {@inheritDoc}
	66	+	* Difficulty: 3
	67	+	*/
52	68		@Override
53	69		public int difficulty() {
54	70		return 3;
55	71		}
56	72
	73	+	/**
	74	+	* {@inheritDoc}
	75	+	* Frontend based.
	76	+	*/
57	77		@Override
58	78		public String getTech() {
59	79		return ChallengeTechnology.Tech.FRONTEND.id;
		skipped 18 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge17.java

		skipped 15 lines
16	16		import java.nio.file.Paths;
17	17		import java.util.List;
18	18
	19	+	/**
	20	+	* This challenge is about having secrets in copied in bash history as part of a container.
	21	+	*/
19	22		@Slf4j
20	23		@Component
21	24		@Order(17)
		skipped 11 lines
33	36		return true;
34	37		}
35	38
	39	+	/**
	40	+	* {@inheritDoc}
	41	+	*/
36	42		@Override
37	43		public Spoiler spoiler() {
38	44		return new Spoiler(getActualData());
39	45		}
40	46
	47	+	/**
	48	+	* {@inheritDoc}
	49	+	*/
41	50		@Override
42	51		public boolean answerCorrect(String answer) {
43	52		return getActualData().equals(answer);
44	53		}
45	54
	55	+	/**
	56	+	* {@inheritDoc}
	57	+	*/
46	58		@Override
47	59		public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
48	60		return List.of(RuntimeEnvironment.Environment.DOCKER);
49	61		}
50	62
	63	+	/**
	64	+	* {@inheritDoc}
	65	+	* Difficulty: 3.
	66	+	*/
51	67		@Override
52	68		public int difficulty() {
53	69		return 3;
54	70		}
55	71
	72	+	/**
	73	+	* {@inheritDoc}
	74	+	* Docker based.
	75	+	*/
56	76		@Override
57	77		public String getTech() {
58	78		return ChallengeTechnology.Tech.DOCKER.id;
		skipped 18 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge18.java

		skipped 19 lines
20	20
21	21		import static org.owasp.wrongsecrets.RuntimeEnvironment.Environment.DOCKER;
22	22
	23	+	/**
	24	+	* This challenge is about finding the value of a secret through weak hash mechanisms.
	25	+	*/
23	26		@Component
24	27		@Order(18)
25	28		@Slf4j
		skipped 31 lines
57	60		return "No Hash Selected";
58	61		}
59	62
	63	+	/**
	64	+	* {@inheritDoc}
	65	+	*/
60	66		@Override
61	67		public Spoiler spoiler() {
62	68		return new Spoiler(base64Decode(hashPassword));
63	69		}
64	70
	71	+	/**
	72	+	* {@inheritDoc}
	73	+	*/
65	74		@Override
66	75		public boolean answerCorrect(String answer) {
67	76		return calculateHash(md5Hash, base64Decode(hashPassword)).equals(calculateHash(md5Hash, answer))
68	77		\|\| calculateHash(sha1Hash, base64Decode(hashPassword)).equals(calculateHash(sha1Hash, answer));
69	78		}
70	79
	80	+	/**
	81	+	* {@inheritDoc}
	82	+	*/
71	83		public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
72	84		return List.of(DOCKER);
73	85		}
74	86
	87	+	/**
	88	+	* {@inheritDoc}
	89	+	* Difficulty: 5
	90	+	*/
75	91		@Override
76	92		public int difficulty() {
77	93		return 5;
78	94		}
79	95
	96	+	/**
	97	+	* {@inheritDoc}
	98	+	* Cryptography based.
	99	+	*/
80	100		@Override
81	101		public String getTech() {
82	102		return ChallengeTechnology.Tech.CRYPTOGRAPHY.id;
		skipped 8 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge19.java

		skipped 15 lines
16	16
17	17		import static org.owasp.wrongsecrets.RuntimeEnvironment.Environment.DOCKER;
18	18
	19	+	/**
	20	+	* This challenge is about finding a secret hardcoded in a C binary.
	21	+	*/
19	22		@Component
20	23		@Order(19)
21	24		@Slf4j
		skipped 12 lines
34	37		return true;
35	38		}
36	39
	40	+	/**
	41	+	* {@inheritDoc}
	42	+	*/
37	43		@Override
38	44		public Spoiler spoiler() {
39	45		return new Spoiler(binaryExecutionHelper.executeCommand("", "wrongsecrets-c"));
40	46		}
41	47
	48	+	/**
	49	+	* {@inheritDoc}
	50	+	*/
42	51		@Override
43	52		public boolean answerCorrect(String answer) {
44	53		return binaryExecutionHelper.executeCommand(answer, "wrongsecrets-c").equals("This is correct! Congrats!");
45	54		}
46	55
	56	+	/**
	57	+	* {@inheritDoc}
	58	+	*/
47	59		public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
48	60		return List.of(DOCKER);
49	61		}
50	62
	63	+	/**
	64	+	* {@inheritDoc}
	65	+	* Difficulty: 4
	66	+	*/
51	67		@Override
52	68		public int difficulty() {
53	69		return 4;
54	70		}
55	71
	72	+	/**
	73	+	* {@inheritDoc}
	74	+	* Binary based.
	75	+	*/
56	76		@Override
57	77		public String getTech() {
58	78		return ChallengeTechnology.Tech.BINARY.id;
		skipped 8 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge2.java

		skipped 16 lines
17	17		/**
18	18		* This challenge requires the participant to provide a hardcoded password to pass the challenge.
19	19		* This challenge can be run in CTF mode and is limited to using Docker as a runtime environment.
	20	+	* The javadoc is generated using ChatGPT.
20	21		*/
21	22		@Component
22	23		@Order(2)
		skipped 23 lines
46	47
47	48		/**
48	49		* {@inheritDoc}
49		-	* Returns a Spoiler object containing the hardcoded password for the challenge.
50	50		*/
51	51		@Override
52	52		public Spoiler spoiler() {
		skipped 7 lines
60	60		* @param answer The answer provided by the participant.
61	61		* @return True if the answer matches the hardcoded password, false otherwise.
62	62		*/
	63	+	/**
	64	+	* {@inheritDoc}
	65	+	*/
63	66		@Override
64	67		public boolean answerCorrect(String answer) {
65	68		return hardcodedPassword.equals(answer);
66	69		}
67	70
68	71		/**
69		-	* Returns a list of supported runtime environments for the challenge.
	72	+	* {@inheritDoc}
70	73		* This challenge supports the Docker runtime environment.
71		-	*
72		-	* @return A list of supported runtime environments.
73	74		*/
74	75		public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
75	76		return List.of(DOCKER);
		skipped 1 lines
77	78
78	79		/**
79	80		* {@inheritDoc}
80		-	* Returns the difficulty level of the challenge as 1.
	81	+	* Difficulty: 1
81	82		*/
82	83		@Override
83	84		public int difficulty() {
		skipped 2 lines
86	87
87	88		/**
88	89		* {@inheritDoc}
89		-	* Returns the technology used for the challenge as GIT.
	90	+	* Git based.
90	91		*/
91	92		@Override
92	93		public String getTech() {
		skipped 14 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge20.java

		skipped 15 lines
16	16
17	17		import static org.owasp.wrongsecrets.RuntimeEnvironment.Environment.DOCKER;
18	18
	19	+	/**
	20	+	* This challenge is about finding a secret hardcoded in a C++ binary.
	21	+	*/
19	22		@Component
20	23		@Order(20)
21	24		@Slf4j
		skipped 12 lines
34	37		}
35	38
36	39
	40	+	/**
	41	+	* {@inheritDoc}
	42	+	*/
37	43		@Override
38	44		public Spoiler spoiler() {
39	45		return new Spoiler(binaryExecutionHelper.executeCommand("", "wrongsecrets-cplus"));
40	46		}
41	47
	48	+	/**
	49	+	* {@inheritDoc}
	50	+	*/
42	51		@Override
43	52		public boolean answerCorrect(String answer) {
44	53		return binaryExecutionHelper.executeCommand(answer, "wrongsecrets-cplus").equals("This is correct! Congrats!");
45	54		}
46	55
	56	+	/**
	57	+	* {@inheritDoc}
	58	+	*/
47	59		public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
48	60		return List.of(DOCKER);
49	61		}
50	62
	63	+	/**
	64	+	* {@inheritDoc}
	65	+	* Difficulty: 4
	66	+	*/
51	67		@Override
52	68		public int difficulty() {
53	69		return 4;
54	70		}
55	71
	72	+	/**
	73	+	* {@inheritDoc}
	74	+	* Binary based.
	75	+	*/
56	76		@Override
57	77		public String getTech() {
58	78		return ChallengeTechnology.Tech.BINARY.id;
		skipped 8 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge21.java

		skipped 15 lines
16	16
17	17		import static org.owasp.wrongsecrets.RuntimeEnvironment.Environment.DOCKER;
18	18
	19	+	/**
	20	+	* This challenge is about finding a secret hardcoded in a Golang binary.
	21	+	*/
19	22		@Component
20	23		@Order(21)
21	24		@Slf4j
		skipped 11 lines
33	36		return true;
34	37		}
35	38
	39	+	/**
	40	+	* {@inheritDoc}
	41	+	*/
36	42		@Override
37	43		public Spoiler spoiler() {
38	44		return new Spoiler(binaryExecutionHelper.executeGoCommand(""));
39	45		}
40	46
	47	+	/**
	48	+	* {@inheritDoc}
	49	+	*/
41	50		@Override
42	51		public boolean answerCorrect(String answer) {
43	52		return binaryExecutionHelper.executeGoCommand(answer).equals("This is correct! Congrats!");
44	53		}
45	54
	55	+	/**
	56	+	* {@inheritDoc}
	57	+	*/
46	58		public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
47	59		return List.of(DOCKER);
48	60		}
49	61
	62	+	/**
	63	+	* {@inheritDoc}
	64	+	* Difficulty: 5.
	65	+	*/
50	66		@Override
51	67		public int difficulty() {
52	68		return 5;
53	69		}
54	70
	71	+	/**
	72	+	* {@inheritDoc}
	73	+	* Binary based.
	74	+	*/
55	75		@Override
56	76		public String getTech() {
57	77		return ChallengeTechnology.Tech.BINARY.id;
		skipped 8 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge22.java

		skipped 15 lines
16	16
17	17		import static org.owasp.wrongsecrets.RuntimeEnvironment.Environment.DOCKER;
18	18
	19	+	/**
	20	+	* This challenge is about finding a secret hardcoded in a Rust binary.
	21	+	*/
19	22		@Component
20	23		@Order(22)
21	24		@Slf4j
		skipped 11 lines
33	36		return true;
34	37		}
35	38
	39	+	/**
	40	+	* {@inheritDoc}
	41	+	*/
36	42		@Override
37	43		public Spoiler spoiler() {
38	44		return new Spoiler(binaryExecutionHelper.executeCommand("", "wrongsecrets-rust"));
39	45		}
40	46
	47	+	/**
	48	+	* {@inheritDoc}
	49	+	*/
41	50		@Override
42	51		public boolean answerCorrect(String answer) {
43	52		return binaryExecutionHelper.executeCommand(answer, "wrongsecrets-rust").equals("This is correct! Congrats!");
44	53		}
45	54
	55	+	/**
	56	+	* {@inheritDoc}
	57	+	*/
46	58		public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
47	59		return List.of(DOCKER);
48	60		}
49	61
	62	+	/**
	63	+	* {@inheritDoc}
	64	+	* Difficulty: 5.
	65	+	*/
50	66		@Override
51	67		public int difficulty() {
52	68		return 5;
53	69		}
54	70
	71	+	/**
	72	+	* {@inheritDoc}
	73	+	* Binary based.
	74	+	*/
55	75		@Override
56	76		public String getTech() {
57	77		return ChallengeTechnology.Tech.BINARY.id;
		skipped 8 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge23.java

		skipped 14 lines
15	15		import java.nio.charset.StandardCharsets;
16	16		import java.util.List;
17	17
	18	+	/**
	19	+	* This challenge is about finding a secret hardcoded in comments in a front-end.
	20	+	*/
18	21		@Slf4j
19	22		@Component
20	23		@Order(23)
		skipped 3 lines
24	27		super(scoreCard);
25	28		}
26	29
	30	+	/**
	31	+	* {@inheritDoc}
	32	+	*/
27	33		@Override
28	34		public Spoiler spoiler() {
29	35		return new Spoiler(getActualData());
30	36		}
31	37
	38	+	/**
	39	+	* {@inheritDoc}
	40	+	*/
32	41		@Override
33	42		public boolean answerCorrect(String answer) {
34	43		//log.debug("challenge 23, actualdata: {}, answer: {}", getActualData(), answer);
		skipped 6 lines
41	50		}
42	51
43	52		@Override
	53	+	/**
	54	+	* {@inheritDoc}
	55	+	*/
44	56		public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
45	57		return List.of(RuntimeEnvironment.Environment.DOCKER);
46	58		}
47	59
	60	+	/**
	61	+	* {@inheritDoc}
	62	+	* Difficulty: 1.
	63	+	*/
48	64		@Override
49	65		public int difficulty() {
50	66		return 1;
51	67		}
52	68
	69	+	/**
	70	+	* {@inheritDoc}
	71	+	* Frontend based.
	72	+	*/
53	73		@Override
54	74		public String getTech() {
55	75		return ChallengeTechnology.Tech.FRONTEND.id;
		skipped 13 lines

■ ■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge24.java

		skipped 13 lines
14	14		import java.nio.charset.StandardCharsets;
15	15		import java.util.List;
16	16
	17	+	/**
	18	+	* This challenge is about using a publicly specified key to safeguard data.
	19	+	*/
17	20		@Slf4j
18	21		@Component
19	22		@Order(24)
		skipped 8 lines
28	31		return true;
29	32		}
30	33
	34	+	/**
	35	+	* {@inheritDoc}
	36	+	*/
31	37		@Override
32	38		public Spoiler spoiler() {
33	39		return new Spoiler(getActualData());
34	40		}
35	41
	42	+	/**
	43	+	* {@inheritDoc}
	44	+	*/
36	45		@Override
37	46		public boolean answerCorrect(String answer) {
38		-	//log.debug("challenge 24, actualdata: {}, answer: {}", getActualData(), answer);
39	47		return getActualData().equals(answer);
40	48		}
41	49
42	50		@Override
	51	+	/**
	52	+	* {@inheritDoc}
	53	+	*/
43	54		public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
44	55		return List.of(RuntimeEnvironment.Environment.DOCKER);
45	56		}
46	57
	58	+	/**
	59	+	* {@inheritDoc}
	60	+	* Difficulty: 2
	61	+	*/
47	62		@Override
48	63		public int difficulty() {
49	64		return 2;
50	65		}
51	66
	67	+	/**
	68	+	* {@inheritDoc}
	69	+	* Cryptography based.
	70	+	*/
52	71		@Override
53	72		public String getTech() {
54	73		return ChallengeTechnology.Tech.CRYPTOGRAPHY.id;
		skipped 13 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge25.java

		skipped 19 lines
20	20		import java.security.spec.AlgorithmParameterSpec;
21	21		import java.util.List;
22	22
	23	+	/**
	24	+	* This challenge is about finding a secret hardcoded in a web3 contract.
	25	+	*/
23	26		@Slf4j
24	27		@Component
25	28		@Order(25)
		skipped 10 lines
36	39		return true;
37	40		}
38	41
	42	+	/**
	43	+	* {@inheritDoc}
	44	+	*/
39	45		@Override
40	46		public Spoiler spoiler() {
41	47		return new Spoiler(quickDecrypt(cipherText));
42	48		}
43	49
	50	+	/**
	51	+	* {@inheritDoc}
	52	+	*/
44	53		@Override
45	54		public boolean answerCorrect(String answer) {
46	55		String correctString = quickDecrypt(cipherText);
		skipped 1 lines
48	57		}
49	58
50	59		@Override
	60	+	/**
	61	+	* {@inheritDoc}
	62	+	*/
51	63		public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
52	64		return List.of(RuntimeEnvironment.Environment.DOCKER);
53	65		}
54	66
	67	+	/**
	68	+	* {@inheritDoc}
	69	+	* Difficulty: 2
	70	+	*/
55	71		@Override
56	72		public int difficulty() {
57	73		return 2;
58	74		}
59	75
	76	+	/**
	77	+	* {@inheritDoc}
	78	+	* Web3 based.
	79	+	*/
60	80		@Override
61	81		public String getTech() {
62	82		return ChallengeTechnology.Tech.WEB3.id;
		skipped 21 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge26.java

		skipped 19 lines
20	20		import java.security.spec.AlgorithmParameterSpec;
21	21		import java.util.List;
22	22
	23	+	/**
	24	+	* This challenge is about finding a secret hardcoded in a web3 contract.
	25	+	*/
23	26		@Slf4j
24	27		@Component
25	28		@Order(26)
		skipped 10 lines
36	39		return true;
37	40		}
38	41
	42	+	/**
	43	+	* {@inheritDoc}
	44	+	*/
39	45		@Override
40	46		public Spoiler spoiler() {
41	47		return new Spoiler(quickDecrypt(cipherText));
42	48		}
43	49
	50	+	/**
	51	+	* {@inheritDoc}
	52	+	*/
44	53		@Override
45	54		public boolean answerCorrect(String answer) {
46	55		String correctString = quickDecrypt(cipherText);
47	56		return answer.equals(correctString);
48	57		}
49	58
	59	+	/**
	60	+	* {@inheritDoc}
	61	+	*/
50	62		@Override
51	63		public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
52	64		return List.of(RuntimeEnvironment.Environment.DOCKER);
53	65		}
54	66
	67	+	/**
	68	+	* {@inheritDoc}
	69	+	* Difficulty: 2
	70	+	*/
55	71		@Override
56	72		public int difficulty() {
57	73		return 2;
58	74		}
59	75
	76	+	/**
	77	+	* {@inheritDoc}
	78	+	* Web3 based.
	79	+	*/
60	80		@Override
61	81		public String getTech() {
62	82		return ChallengeTechnology.Tech.WEB3.id;
		skipped 21 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge27.java

		skipped 19 lines
20	20		import java.security.spec.AlgorithmParameterSpec;
21	21		import java.util.List;
22	22
	23	+	/**
	24	+	* This challenge is about finding a secret hardcoded in a web3 contract based on hashing.
	25	+	*/
23	26		@Slf4j
24	27		@Component
25	28		@Order(26)
		skipped 10 lines
36	39		return true;
37	40		}
38	41
	42	+	/**
	43	+	* {@inheritDoc}
	44	+	*/
39	45		@Override
40	46		public Spoiler spoiler() {
41	47		return new Spoiler(quickDecrypt(cipherText));
42	48		}
43	49
	50	+	/**
	51	+	* {@inheritDoc}
	52	+	*/
44	53		@Override
45	54		public boolean answerCorrect(String answer) {
46	55		String correctString = quickDecrypt(cipherText);
		skipped 1 lines
48	57		}
49	58
50	59		@Override
	60	+	/**
	61	+	* {@inheritDoc}
	62	+	*/
51	63		public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
52	64		return List.of(RuntimeEnvironment.Environment.DOCKER);
53	65		}
54	66
	67	+	/**
	68	+	* {@inheritDoc}
	69	+	* Difficulty: 2
	70	+	*/
55	71		@Override
56	72		public int difficulty() {
57	73		return 2;
58	74		}
59	75
	76	+	/**
	77	+	* {@inheritDoc}
	78	+	* Web3 based.
	79	+	*/
60	80		@Override
61	81		public String getTech() {
62	82		return ChallengeTechnology.Tech.WEB3.id;
		skipped 21 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge28.java

1	1		package org.owasp.wrongsecrets.challenges.docker;
2	2
3	3
4		-	import java.nio.charset.StandardCharsets;
5		-
6	4		import org.bouncycastle.util.encoders.Base64;
7	5		import org.owasp.wrongsecrets.RuntimeEnvironment;
8	6		import org.owasp.wrongsecrets.ScoreCard;
		skipped 8 lines
17	15		import static java.nio.charset.StandardCharsets.UTF_8;
18	16		import static org.owasp.wrongsecrets.RuntimeEnvironment.Environment.DOCKER;
19	17
	18	+	/**
	19	+	* This challenge is about finding a secret in a Github issue.
	20	+	*/
20	21		@Component
21	22		@Order(28)
22	23		public class Challenge28 extends Challenge {
23	24
24		-	private String secretKey = new String(Base64.decode(new String(Base64.decode("WVhOa1ptUndkVmxWU1dGa1ltRnZZWE5rY0dFd04ydHFNakF3TXc9PQ=="), UTF_8)), UTF_8);
25	25
26	26		public Challenge28(ScoreCard scoreCard) {
27	27		super(scoreCard);
		skipped 5 lines
33	33		}
34	34
35	35
	36	+	/**
	37	+	* {@inheritDoc}
	38	+	*/
36	39		@Override
37	40		public Spoiler spoiler() {
38		-	return new Spoiler(secretKey);
	41	+	return new Spoiler(getSecretKey());
39	42		}
40	43
	44	+	/**
	45	+	* {@inheritDoc}
	46	+	*/
41	47		@Override
42	48		public boolean answerCorrect(String answer) {
43		-	return secretKey.equals(answer);
	49	+	return getSecretKey().equals(answer);
44	50		}
45	51
	52	+	/**
	53	+	* {@inheritDoc}
	54	+	*/
46	55		public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
47	56		return List.of(DOCKER);
48	57		}
49	58
	59	+	/**
	60	+	* {@inheritDoc}
	61	+	* Difficulty: 1.
	62	+	*/
50	63		@Override
51	64		public int difficulty() {
52	65		return 1;
53	66		}
54	67
	68	+	/**
	69	+	* {@inheritDoc}
	70	+	* Documentation based.
	71	+	*/
55	72		@Override
56	73		public String getTech() {
57	74		return ChallengeTechnology.Tech.DOCUMENTATION.id;
		skipped 2 lines
60	77		@Override
61	78		public boolean isLimittedWhenOnlineHosted() {
62	79		return false;
	80	+	}
	81	+
	82	+	private String getSecretKey() {
	83	+	return new String(Base64.decode(new String(Base64.decode("WVhOa1ptUndkVmxWU1dGa1ltRnZZWE5rY0dFd04ydHFNakF3TXc9PQ=="), UTF_8)), UTF_8);
63	84		}
64	85
65	86		}
		skipped 1 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge29.java

		skipped 19 lines
20	20
21	21		import static org.owasp.wrongsecrets.RuntimeEnvironment.Environment.DOCKER;
22	22
	23	+	/**
	24	+	* This challenge is about finding a secret in a Github issue (screenshot).
	25	+	*/
23	26		@Component
24	27		@Slf4j
25	28		@Order(29)
		skipped 16 lines
42	45
43	46		@Override
44	47		public Spoiler spoiler() {
45		-	return new Spoiler(decrypt());
	48	+	return new Spoiler(decryptActualAnswer());
46	49		}
47	50
48	51		@Override
49	52		public boolean answerCorrect(String answer) {
50		-	return decrypt().equals(answer);
	53	+	return decryptActualAnswer().equals(answer);
51	54		}
52	55
53	56		public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
54	57		return List.of(DOCKER);
55	58		}
56	59
	60	+	/**
	61	+	* {@inheritDoc}
	62	+	* Difficulty: 1.
	63	+	*/
57	64		@Override
58	65		public int difficulty() {
59	66		return 1;
60	67		}
61	68
	69	+	/**
	70	+	* {@inheritDoc}
	71	+	* Documentation based.
	72	+	*/
62	73		@Override
63	74		public String getTech() {
64	75		return ChallengeTechnology.Tech.DOCUMENTATION.id;
		skipped 4 lines
69	80		return false;
70	81		}
71	82
72		-	public String decrypt() {
	83	+	private String decryptActualAnswer() {
73	84		try {
74	85		String privateKeyFilePath = "src/test/resources/RSAprivatekey.pem";
75	86		String privateKeyContent = new String(Files.readAllBytes(Paths.get(privateKeyFilePath)), StandardCharsets.UTF_8);
		skipped 19 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge3.java

		skipped 13 lines
14	14
15	15		import static org.owasp.wrongsecrets.RuntimeEnvironment.Environment.DOCKER;
16	16
	17	+	/**
	18	+	* This challenge can be run in CTF mode and is limited to using Docker as a runtime environment.
	19	+	*/
17	20		@Component
18	21		@Order(3)
19	22		public class Challenge3 extends Challenge {
		skipped 5 lines
25	28		this.hardcodedEnvPassword = hardcodedEnvPassword;
26	29		}
27	30
	31	+	/**
	32	+	* {@inheritDoc}
	33	+	*/
28	34		@Override
29	35		public boolean canRunInCTFMode() {
30	36		return true;
31	37		}
32	38
	39	+	/**
	40	+	* {@inheritDoc}
	41	+	*/
33	42		@Override
34	43		public Spoiler spoiler() {
35	44		return new Spoiler(hardcodedEnvPassword);
36	45		}
37	46
	47	+	/**
	48	+	* {@inheritDoc}
	49	+	*/
38	50		@Override
39	51		public boolean answerCorrect(String answer) {
40	52		return hardcodedEnvPassword.equals(answer);
41	53		}
42	54
	55	+	/**
	56	+	* {@inheritDoc}
	57	+	*/
43	58		public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
44	59		return List.of(DOCKER);
45	60		}
46	61
	62	+	/**
	63	+	* {@inheritDoc}
	64	+	* Difficulty: 1
	65	+	*/
47	66		@Override
48	67		public int difficulty() {
49	68		return 1;
50	69		}
51	70
	71	+	/**
	72	+	* {@inheritDoc}
	73	+	* Docker based.
	74	+	*/
52	75		@Override
53	76		public String getTech() {
54	77		return ChallengeTechnology.Tech.DOCKER.id;
		skipped 8 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge4.java

		skipped 13 lines
14	14
15	15		import static org.owasp.wrongsecrets.RuntimeEnvironment.Environment.DOCKER;
16	16
	17	+	/**
	18	+	* This challenge is about having a secrets stored as a Docker ARG var.
	19	+	*/
17	20		@Component
18	21		@Order(4)
19	22		public class Challenge4 extends Challenge {
		skipped 10 lines
30	33		return true;
31	34		}
32	35
	36	+
	37	+	/**
	38	+	* {@inheritDoc}
	39	+	*/
33	40		@Override
34	41		public Spoiler spoiler() {
35	42		return new Spoiler(argBasedPassword);
36	43		}
37	44
	45	+	/**
	46	+	* {@inheritDoc}
	47	+	*/
38	48		@Override
39	49		public boolean answerCorrect(String answer) {
40	50		return argBasedPassword.equals(answer)
41	51		\|\| argBasedPassword.equals("'" + answer + "'");
42	52		}
43	53
	54	+	/**
	55	+	* {@inheritDoc}
	56	+	*/
44	57		public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
45	58		return List.of(DOCKER);
46	59		}
47	60
	61	+	/**
	62	+	* {@inheritDoc}
	63	+	* Difficulty: 2
	64	+	*/
48	65		@Override
49	66		public int difficulty() {
50	67		return 2;
51	68		}
52	69
	70	+	/**
	71	+	* {@inheritDoc}
	72	+	* Docker based.
	73	+	*/
53	74		@Override
54	75		public String getTech() {
55	76		return ChallengeTechnology.Tech.DOCKER.id;
		skipped 10 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge8.java

		skipped 17 lines
18	18
19	19		import static org.owasp.wrongsecrets.RuntimeEnvironment.Environment.DOCKER;
20	20
	21	+	/**
	22	+	* Challenge which leaks the data in the logs instead of anywhere else.
	23	+	*/
21	24		@Slf4j
22	25		@Component
23	26		@Order(8)
		skipped 19 lines
43	46		return true;
44	47		}
45	48
	49	+	/**
	50	+	* {@inheritDoc}
	51	+	*/
46	52		@Override
47	53		public Spoiler spoiler() {
48	54		return new Spoiler(randomValue);
49	55		}
50	56
	57	+	/**
	58	+	* {@inheritDoc}
	59	+	*/
51	60		@Override
52	61		public boolean answerCorrect(String answer) {
53	62		return randomValue.equals(answer);
54	63		}
55	64
	65	+	/**
	66	+	* {@inheritDoc}
	67	+	*/
56	68		public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
57	69		return List.of(DOCKER);
58	70		}
59	71
	72	+	/**
	73	+	* {@inheritDoc}
	74	+	* Difficulty: 2
	75	+	*/
60	76		@Override
61	77		public int difficulty() {
62	78		return 2;
63	79		}
64	80
	81	+	/**
	82	+	* {@inheritDoc}
	83	+	* Challenge is wrapped around logging
	84	+	*/
65	85		@Override
66	86		public String getTech() {
67	87		return ChallengeTechnology.Tech.LOGGING.id;
		skipped 18 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/docker/Constants.java

		skipped 1 lines
2	2
3	3		import lombok.experimental.UtilityClass;
4	4
	5	+	/**
	6	+	* used for Challenges their secrets.
	7	+	*/
5	8		@UtilityClass
6	9		public class Constants {
7	10
		skipped 4 lines

■ ■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/docker/binaryexecution/BinaryExecutionHelper.java

		skipped 10 lines
11	11		import java.nio.charset.StandardCharsets;
12	12		import java.util.stream.Collectors;
13	13
14		-
	14	+	/**
	15	+	* Helper for classes to execute binaries as part of the Binary challenges.
	16	+	*/
15	17		@Slf4j
16	18		public class BinaryExecutionHelper {
17	19
		skipped 13 lines
31	33		this.muslDetector = muslDetector;
32	34		}
33	35
	36	+	/**
	37	+	* Execute the command for the given binary with the actual guess for Golang only.
	38	+	* @param guess containing the guess
	39	+	* @return the actual answer
	40	+	*/
34	41		public String executeGoCommand(String guess) {
35	42		try {
36	43		File execFile = createTempExecutable("wrongsecrets-golang");
		skipped 13 lines
50	57		}
51	58		}
52	59
	60	+
	61	+	/**
	62	+	* Execute the command for the given binary with the actual guess.
	63	+	* @param guess containing the guess
	64	+	* @param fileName of the executable to be used (pre-defined, make sure it is never user input controlled)
	65	+	* @return the actual answer
	66	+	*/
53	67		public String executeCommand(String guess, String fileName) {
54	68		Operation operation;
55	69		if (Strings.isNullOrEmpty(guess)) {
		skipped 138 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/docker/binaryexecution/MuslDetector.java

1	1		package org.owasp.wrongsecrets.challenges.docker.binaryexecution;
2	2
	3	+	/**
	4	+	* Musl detector interface which can have multiple implementations.
	5	+	*/
3	6		public interface MuslDetector {
4	7
	8	+	/**
	9	+	* boolean indicating whether we are running on a MUSL based/enabled environment.
	10	+	* @return true if binaries should use Musl instead of LibC
	11	+	*/
5	12		boolean isMusl();
6	13		}
7	14

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/docker/binaryexecution/MuslDetectorImpl.java

		skipped 6 lines
7	7		import java.nio.charset.StandardCharsets;
8	8		import lombok.extern.slf4j.Slf4j;
9	9
	10	+	/**
	11	+	* Primary implementation of MuslDetector.
	12	+	*/
10	13		@Slf4j
11	14		public class MuslDetectorImpl implements MuslDetector {
12	15
		skipped 18 lines

■ ■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/kubernetes/Challenge5.java

		skipped 3 lines
4	4		import org.owasp.wrongsecrets.RuntimeEnvironment;
5	5		import org.owasp.wrongsecrets.ScoreCard;
6	6		import org.owasp.wrongsecrets.challenges.Challenge;
	7	+	import org.owasp.wrongsecrets.challenges.ChallengeTechnology;
7	8		import org.owasp.wrongsecrets.challenges.Spoiler;
8	9		import org.springframework.beans.factory.annotation.Value;
9	10		import org.springframework.core.annotation.Order;
		skipped 3 lines
13	14
14	15		import static org.owasp.wrongsecrets.RuntimeEnvironment.Environment.K8S;
15	16
	17	+	/**
	18	+	* This challenge is about having a secrets stored as a K8s Configmap.
	19	+	*/
16	20		@Component
17	21		@Order(5)
18	22		public class Challenge5 extends Challenge {
		skipped 10 lines
29	33		return true;
30	34		}
31	35
	36	+	/**
	37	+	* {@inheritDoc}
	38	+	*/
32	39		@Override
33	40		public Spoiler spoiler() {
34	41		return new Spoiler(configmapK8sSecret);
35	42		}
36	43
	44	+	/**
	45	+	* {@inheritDoc}
	46	+	*/
37	47		@Override
38	48		public boolean answerCorrect(String answer) {
39	49		return configmapK8sSecret.equals(answer);
40	50		}
41	51
	52	+	/**
	53	+	* {@inheritDoc}
	54	+	*/
42	55		public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
43	56		return List.of(K8S);
44	57		}
45	58
	59	+	/**
	60	+	* {@inheritDoc}
	61	+	* Difficulty: 2
	62	+	*/
46	63		@Override
47	64		public int difficulty() {
48	65		return 2;
49	66		}
50	67
	68	+	/**
	69	+	* {@inheritDoc}
	70	+	* Configmaps based.
	71	+	*/
51	72		@Override
52	73		public String getTech() {
53		-	return "Configmaps";
	74	+	return ChallengeTechnology.Tech.CONFIGMAPS.id;
54	75		}
55	76
56	77		@Override
		skipped 5 lines

■ ■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/kubernetes/Challenge6.java

		skipped 3 lines
4	4		import org.owasp.wrongsecrets.RuntimeEnvironment;
5	5		import org.owasp.wrongsecrets.ScoreCard;
6	6		import org.owasp.wrongsecrets.challenges.Challenge;
	7	+	import org.owasp.wrongsecrets.challenges.ChallengeTechnology;
7	8		import org.owasp.wrongsecrets.challenges.Spoiler;
8	9		import org.springframework.beans.factory.annotation.Value;
9	10		import org.springframework.core.annotation.Order;
		skipped 3 lines
13	14
14	15		import static org.owasp.wrongsecrets.RuntimeEnvironment.Environment.K8S;
15	16
	17	+	/**
	18	+	* This challenge is about having a secrets stored as a K8s Secret.
	19	+	*/
16	20		@Component
17	21		@Order(6)
18	22		public class Challenge6 extends Challenge {
		skipped 10 lines
29	33		return true;
30	34		}
31	35
	36	+	/**
	37	+	* {@inheritDoc}
	38	+	*/
32	39		@Override
33	40		public Spoiler spoiler() {
34	41		return new Spoiler(secretK8sSecret);
35	42		}
36	43
	44	+	/**
	45	+	* {@inheritDoc}
	46	+	*/
37	47		@Override
38	48		public boolean answerCorrect(String answer) {
39	49		return secretK8sSecret.equals(answer);
40	50		}
41	51
	52	+	/**
	53	+	* {@inheritDoc}
	54	+	*/
42	55		public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
43	56		return List.of(K8S);
44	57		}
45	58
	59	+	/**
	60	+	* {@inheritDoc}
	61	+	* Difficulty: 3
	62	+	*/
46	63		@Override
47	64		public int difficulty() {
48	65		return 2;
49	66		}
50	67
	68	+	/**
	69	+	* {@inheritDoc}
	70	+	* K8s secrets based.
	71	+	*/
51	72		@Override
52	73		public String getTech() {
53		-	return "Secrets";
	74	+	return ChallengeTechnology.Tech.SECRETS.id;
54	75		}
55	76
56	77		@Override
		skipped 5 lines

■ ■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/kubernetes/Challenge7.java

		skipped 4 lines
5	5		import org.owasp.wrongsecrets.RuntimeEnvironment;
6	6		import org.owasp.wrongsecrets.ScoreCard;
7	7		import org.owasp.wrongsecrets.challenges.Challenge;
	8	+	import org.owasp.wrongsecrets.challenges.ChallengeTechnology;
8	9		import org.owasp.wrongsecrets.challenges.Spoiler;
9	10		import org.springframework.beans.factory.annotation.Value;
10	11		import org.springframework.core.annotation.Order;
		skipped 1 lines
12	13
13	14		import java.util.List;
14	15
	16	+	/**
	17	+	* This challenge is about having a secrets stored in a misconfigured Hashicorp Vault.
	18	+	*/
15	19		@Component
16	20		@Order(7)
17	21		public class Challenge7 extends Challenge {
		skipped 16 lines
34	38		return vaultPassword != null && Strings.isNotEmpty(vaultPassword.getPasssword()) ? vaultPassword.getPasssword() : vaultPasswordString;
35	39		}
36	40
	41	+	/**
	42	+	* {@inheritDoc}
	43	+	*/
37	44		@Override
38	45		public Spoiler spoiler() {
39	46		return new Spoiler(getAnswer());
40	47		}
41	48
	49	+	/**
	50	+	* {@inheritDoc}
	51	+	*/
42	52		@Override
43	53		public boolean answerCorrect(String answer) {
44	54		return getAnswer().equals(answer);
45	55		}
46	56
	57	+	/**
	58	+	* {@inheritDoc}
	59	+	*/
47	60		public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
48	61		return List.of(RuntimeEnvironment.Environment.VAULT);
49	62		}
50	63
	64	+	/**
	65	+	* {@inheritDoc}
	66	+	* Difficulty: 4
	67	+	*/
51	68		@Override
52	69		public int difficulty() {
53	70		return 4;
54	71		}
55	72
	73	+	/**
	74	+	* {@inheritDoc}
	75	+	* Vault based.
	76	+	*/
56	77		@Override
57	78		public String getTech() {
58		-	return "Vault";
	79	+	return ChallengeTechnology.Tech.VAULT.id;
59	80		}
60	81
61	82		@Override
		skipped 5 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/challenges/kubernetes/Vaultpassword.java

		skipped 1 lines
2	2
3	3		import org.springframework.boot.context.properties.ConfigurationProperties;
4	4
	5	+	/**
	6	+	* Class used to get password from vault usisng the springboot cloud integration with vault.
	7	+	*/
5	8		@ConfigurationProperties("vaultpassword")
6	9		public class Vaultpassword {
7	10
		skipped 13 lines

■ ■ ■ ■ ■ ■

src/main/java/org/owasp/wrongsecrets/oauth/TokenController.java

		skipped 1 lines
2	2
3	3		import com.fasterxml.jackson.annotation.JsonProperty;
4	4		import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
5		-	import io.swagger.v3.oas.annotations.OpenAPIDefinition;
6	5		import io.swagger.v3.oas.annotations.Operation;
7	6		import lombok.extern.slf4j.Slf4j;
8		-	import org.springdoc.core.annotations.RouterOperation;
9	7		import org.springframework.beans.factory.annotation.Value;
10	8		import org.springframework.http.HttpStatus;
11	9		import org.springframework.http.MediaType;
		skipped 5 lines
17	15		import java.nio.file.Paths;
18	16		import java.util.UUID;
19	17
	18	+	/**
	19	+	* Controller used for one of the front-end challenges.
	20	+	*/
20	21		@Slf4j
21	22		@Controller
22	23		public class TokenController {
		skipped 20 lines
43	44		}
44	45
45	46		/**
46		-	* Tokenrequest
47		-	*
48		-	* @param grant_type ew
49		-	* @param client_id we
50		-	* @param client_secret we
	47	+	* TokenRequest used to call tokenController.
	48	+	* @param grant_type string for grant type
	49	+	* @param client_id string for the clientid
	50	+	* @param client_secret holding the client secret for auth. target of challenge.
51	51		*/
52	52		public record TokenRequest(String grant_type,
53	53		String client_id,
54	54		String client_secret) {
55	55		}
56	56
	57	+	/**
	58	+	* TokenResponse returned by TokenController.
	59	+	* @param accessToken string with the token retrieved through oauth
	60	+	* @param tokenType string with the tokentype retrieved through oauth
	61	+	* @param expiresIn long with the token expiration moment
	62	+	* @param scope string with the token scope
	63	+	*/
57	64		public record TokenResponse(@JsonProperty("access_token") String accessToken,
58	65		@JsonProperty("token_type") String tokenType,
59	66		@JsonProperty("expires_in") Long expiresIn,
		skipped 1 lines
61	68		}
62	69
63	70		@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "The location of the dockerMountPath is based on an Env Var")
64		-	public String getActualData() {
	71	+	private String getActualData() {
65	72		try {
66	73		return Files.readString(Paths.get(dockerMountPath, "secondkey.txt"));
67	74		} catch (Exception e) {
		skipped 6 lines

Merge pull request #739 from OWASP/feat-680-javadoc