Challenge52_#297_Issue #1750

Draft
wants to merge 7 commits into
base: master

@Manvendra200125 Manvendra200125 commented Nov 8, 2024

"Bad Encryption Practices"
To address this issue in the repository for Challenge52, review the code to identify and resolve instances of bad encryption practices. Specifically, the challenge focuses on the use of hardcoded encryption keys and ciphertext within the Java code located in src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge52. Ensure that best practices for secure encryption are applied, avoiding hardcoded secrets in the codebase.

What kind of changes does this PR include?

  • Fixes or refactors
  • A new challenge
  • Additional documentation
  • Something else

Description

Relations

References

Checklist:

  • I tested the changes in this PR (if applicable)
  • I added unit tests to ensure my change works (when change in Java or on front-end code)
  • I added UI tests to ensure my UI changes work (when change in the overall UI, not needed if just adding a challenge)
  • The PR passes pre-commit hooks and automated tests

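The anti-pattern named in the PR description above, a key hardcoded beside its ciphertext, shown next to a hardened variant that takes the key from the runtime environment. This is an added example, not code from this PR or from the WrongSecrets project; the class name, the `APP_ENC_KEY_B64` variable, and the key and plaintext values are constructed for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class KeyHandlingExample {
  // Anti-pattern (constructed value): the key ships in the source and in every built jar,
  // so a ciphertext stored beside it is readable by anyone who can read the code.
  static final String HARDCODED_KEY_B64 = "MDEyMzQ1Njc4OWFiY2RlZg==";

  // Hardened: key supplied at deploy time, never committed (APP_ENC_KEY_B64 is a hypothetical name).
  static SecretKeySpec loadKeyFromEnv() {
    String b64 = System.getenv("APP_ENC_KEY_B64");
    if (b64 == null || b64.isBlank()) {
      throw new IllegalStateException("APP_ENC_KEY_B64 is not set; refusing to start");
    }
    byte[] raw = Base64.getDecoder().decode(b64);
    if (raw.length != 16 && raw.length != 24 && raw.length != 32) {
      throw new IllegalStateException("AES key must be 16, 24 or 32 bytes");
    }
    return new SecretKeySpec(raw, "AES");
  }

  // AES-GCM with a fresh random 12-byte IV, stored in front of the ciphertext.
  static byte[] encrypt(SecretKeySpec key, String plaintext) throws Exception {
    byte[] iv = new byte[12];
    new SecureRandom().nextBytes(iv);
    Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
    cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
    byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
    return ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
  }

  static String decrypt(SecretKeySpec key, byte[] blob) throws Exception {
    Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
    cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
    return new String(cipher.doFinal(blob, 12, blob.length - 12), StandardCharsets.UTF_8);
  }

  public static void main(String[] args) throws Exception {
    SecretKeySpec inSource = new SecretKeySpec(Base64.getDecoder().decode(HARDCODED_KEY_B64), "AES");
    System.out.println(decrypt(inSource, encrypt(inSource, "constructed-secret"))); // key came from the code
    SecretKeySpec fromEnv = loadKeyFromEnv(); // throws unless the deployment supplies a key
    System.out.println(decrypt(fromEnv, encrypt(fromEnv, "constructed-secret")));
  }
}
```

The first round trip succeeds for anyone holding the source, which is the whole weakness; the second only succeeds where the deployment has injected a key.
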
@commjoen
Collaborator

Hi @Manvendra200125, thank you for your PR! Can you maybe submit the .dockerignore in a separate PR please? That’s something we can easily add. The challenge code & texts might need some more work which I would like to review separately.

Btourss and others added 2 commits November 15, 2024 00:07
@Manvendra200125
Author

> Hi @Manvendra200125, thank you for your PR! Can you maybe submit the .dockerignore in a separate PR please? That’s something we can easily add. The challenge code & texts might need some more work which I would like to review separately.

Hello, I would like to add that I am joining this. Could you please specify any changes that may be needed or identify any problems I might have made?

**/secrets.dev.yaml
**/values.dev.yaml
LICENSE
README.md
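Review bot: `LICENSE` and `README.md` are excluded from the build context by the last two lines shown here, so any Dockerfile instruction that copies either file will fail at build time. Confirm with a clean image build that nothing in the image depends on them, or drop those two entries.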
Collaborator

Have you tested building out a container using this .dockerignore?

Author

yeah

Comment on lines +14 to +19
<<<<<<< HEAD
=======
Challenge52Test {

}
>>>>>>> 42db351e9a0a187e934fd9326c782d0ab9b1acbd
Collaborator

Suggested change
<<<<<<< HEAD
=======
Challenge52Test {
}
>>>>>>> 42db351e9a0a187e934fd9326c782d0ab9b1acbd

Have you run the tests? I am not sure if this is going to work this way?
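
Review bot: lines +14 to +19 still contain unresolved merge conflict markers (the `<<<<<<< HEAD`, `=======` and `>>>>>>>` lines), and the suggested change above keeps them too, so the test file cannot compile as committed. Resolve the conflict by deleting the three marker lines and keeping one `Challenge52Test {` declaration with its closing brace, then rerun the tests.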

Author

I checked again; it is working.


@Slf4j
@Component
public class Challenge52 extends FixedAnswerChallenge {
Collaborator

Have you tried running the code? Because I don't think the code below will run.

@commjoen
Collaborator

commjoen commented Nov 16, 2024

Hello @Btourss and @Manvendra200125 I am a little bit confused:
You both have committed to this PR which would solve #297 which is assigned to @jangalasriramd7.
However, the code seems largely untested and the checkbox item "All the contributions made are solely the work of me and my co-authors" is missing from the PR checklist. Would you be so kind to please join our Slack to have a chat about this?

@commjoen commjoen marked this pull request as draft November 16, 2024 04:12
Comment on lines +3 to +5
Think about what makes this type of encryption insecure. What would happen if someone could read the code? The key to solving this challenge lies in understanding that the encryption key is hardcoded in the Java code.

To solve this challenge, you might try to access the encrypted secret and decrypt it using the hardcoded key. Look closely at the challenge code to find both the encrypted secret and the key.
Collaborator

@commjoen commjoen Nov 16, 2024

Can you please check the other hints within the project? The hint should have the actual solution steps to solve the challenge.
