Merge pull request #1047 from OWASP/release-1.7.1-preps

release 1.7.1 final fixes (ui and contributors), minor node update

.github/workflows/main.yml

@@ -40,6 +40,9 @@ jobs:
           fetch-depth: 0
       - name: Install node
         uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: "npm"
       - name: Set up JDK 21
         uses: actions/setup-java@v3
         with:

Dockerfile.web

@@ -1,5 +1,5 @@
-FROM jeroenwillemsen/wrongsecrets:1.7.0-no-vault
-ARG argBasedVersion="1.7.0RC4-no-vault"
+FROM jeroenwillemsen/wrongsecrets:1.7.1-no-vault
+ARG argBasedVersion="1.7.1-no-vault"
 ARG CANARY_URLS="http://canarytokens.com/terms/about/s7cfbdakys13246ewd8ivuvku/post.jsp,http://canarytokens.com/terms/about/y0all60b627gzp19ahqh7rl6j/post.jsp"
 ARG CTF_ENABLED=false
 ARG HINTS_ENABLED=true

README.md

@@ -15,7 +15,7 @@
 
 Welcome to the OWASP WrongSecrets game! The game is packed with real life examples of how to _not_ store secrets in your software. Each of these examples is captured in a challenge, which you need to solve using various tools and techniques. Solving these challenges will help you recognize common mistakes & can help you to reflect on your own secrets management strategy.
 
-Can you solve all the 38 challenges?
+Can you solve all the 41 challenges?
 
 Try some of them on [our Heroku demo environment](https://wrongsecrets.herokuapp.com/) or on our [Okteto demo environment (might need to awake again)](https://wrongsecrets-commjoen.cloud.okteto.net/).
 
@@ -72,7 +72,7 @@ Copyright (c) 2020-2023 Jeroen Willemsen and WrongSecrets contributors.
 
 ## Basic docker exercises
 
-_Can be used for challenges 1-4, 8, 12-32, 34, 35-38_
+_Can be used for challenges 1-4, 8, 12-32, 34, 35-41_
 
 For the basic docker exercises you currently require:
 
@@ -118,6 +118,9 @@ Now you can try to find the secrets by means of solving the challenge offered at
 -   [localhost:8080/challenge/36](http://localhost:8080/challenge/36)
 -   [localhost:8080/challenge/37](http://localhost:8080/challenge/37)
 -   [localhost:8080/challenge/38](http://localhost:8080/challenge/38)
+-   [localhost:8080/challenge/39](http://localhost:8080/challenge/39)
+-   [localhost:8080/challenge/40](http://localhost:8080/challenge/40)
+-   [localhost:8080/challenge/41](http://localhost:8080/challenge/41)
 
 Note that these challenges are still very basic, and so are their explanations. Feel free to file a PR to make them look
 better ;-).
@@ -142,7 +145,7 @@ If you want to host WrongSecrets on Railway, you can do so by deploying [this on
 
 ## Basic K8s exercise
 
-_Can be used for challenges 1-6, 8, 12-38_
+_Can be used for challenges 1-6, 8, 12-41_
 
 ### Minikube based
 
@@ -199,7 +202,7 @@ Don't want to go over the hassle of setting up K8S yourself? visit [https://wron
 
 ## Vault exercises with minikube
 
-_Can be used for challenges 1-8, 12-38_
+_Can be used for challenges 1-8, 12-41_
 Make sure you have the following installed:
 
 -   minikube with docker (or comment out line 8 and work at your own k8s setup),
@@ -217,7 +220,7 @@ This is because if you run the start script again it will replace the secret in
 
 ## Cloud Challenges
 
-_Can be used for challenges 1-38_
+_Can be used for challenges 1-41_
 
 **READ THIS**: Given that the exercises below contain IAM privilege escalation exercises,
 never run this on an account which is related to your production environment or can influence your account-over-arching
@@ -265,47 +268,56 @@ You can enable Swagger documentation and the Swagger UI by overriding the `SPRIN
 
 Leaders:
 
--   [Ben de Haan @bendehaan](https://github.com/bendehaan)
--   [Jeroen Willemsen @commjoen](https://github.com/commjoen)
+- [Ben de Haan @bendehaan](https://www.github.com/bendehaan)
+- [Jeroen Willemsen @commjoen](https://www.github.com/commjoen)
 
 Top contributors:
 
--   [Joss Sparkes @remakingeden](https://github.com/remakingeden)
--   [Nanne Baars @nbaars](https://github.com/nbaars)
--   [Puneeth Y @puneeth072003](https://github.com/puneeth072003)
--   [Marcin Nowak @drnow4u](https://github.com/drnow4u)
--   [Divyanshu Dev @Novice-expert](https://github.com/Novice-expert)
--   [Tibor Hercz @tiborhercz](https://github.com/tiborhercz)
--   [Rodolfo Cabral Neves @roddas](https://github.com/roddas)
--   [Chris Elbring Jr. @neatzsche](https://github.com/neatzsche)
--   [Mike Woudenberg @mikewoudenberg](https://github.com/mikewoudenberg)
--   [Filip Chyla @fchyla](https://github.com/fchyla)
--   [Dmitry Litosh @Dlitosh](https://github.com/Dlitosh)
--   [Josh Grossman @tghosth](https://github.com/tghosth)
--   [Turjo Chowdhury @turjoc120](https://github.com/turjoc120)
--   [Spyros @northdpole](https://github.com/northdpole)
--   [Ruben Kruiver @RubenAtBinx](https://github.com/RubenAtBinx)
--   [Shlomo Zalman Heigh @szh](https://github.com/szh)
--   [Nicolas Humblot @nhumblot](https://github.com/nhumblot)
--   [Madhu Akula @madhuakula](https://github.com/madhuakula)
--   [Finn @f3rn0s](https://github.com/f3rn0s)
--   [Alex Bender @alex-bender](https://github.com/alex-bender)
--   [Rick M @kingthorin](https://github.com/kingthorin)
+- [Jannik Hollenbach @J12934](https://www.github.com/J12934)
+- [Puneeth Y @puneeth072003](https://www.github.com/puneeth072003)
+- [Joss Sparkes @RemakingEden](https://www.github.com/RemakingEden)
+
+Contributors:
+
+- [Nanne Baars @nbaars](https://www.github.com/nbaars)
+- [Marcin Nowak @drnow4u](https://www.github.com/drnow4u)
+- [Rodolfo Cabral Neves @roddas](https://www.github.com/roddas)
+- [Osama Magdy @osamamagdy](https://www.github.com/osamamagdy)
+- [Divyanshu Dev @Novice-expert](https://www.github.com/Novice-expert)
+- [Tibor Hercz @tiborhercz](https://www.github.com/tiborhercz)
+- [Chris Elbring Jr. @neatzsche](https://www.github.com/neatzsche)
+- [Diamond Rivero @diamant3](https://www.github.com/diamant3)
+- [Adarsh A @adarsh-a-tw](https://www.github.com/adarsh-a-tw)
+- [Filip Chyla @fchyla](https://www.github.com/fchyla)
+- [Dmitry Litosh @Dlitosh](https://www.github.com/Dlitosh)
+- [Turjo Chowdhury @turjoc120](https://www.github.com/turjoc120)
+- [Josh Grossman @tghosth](https://www.github.com/tghosth)
+- [alphasec @alphasecio](https://www.github.com/alphasecio)
+- [Madhu Akula @madhuakula](https://www.github.com/madhuakula)
+- [Mike Woudenberg @mikewoudenberg](https://www.github.com/mikewoudenberg)
+- [Spyros @northdpole](https://www.github.com/northdpole)
+- [RubenAtBinx @RubenAtBinx](https://www.github.com/RubenAtBinx)
+- [Vineeth Jagadeesh @djvinnie](https://www.github.com/djvinnie)
+- [Alex Bender @alex-bender](https://www.github.com/alex-bender)
+- [Nicolas Humblot @nhumblot](https://www.github.com/nhumblot)
+- [Rick M @kingthorin](https://www.github.com/kingthorin)
+- [Shlomo Zalman Heigh @szh](https://www.github.com/szh)
+- [Fern @f3rn0s](https://www.github.com/f3rn0s)
 
 Testers:
 
--   [Dave van Stein @davevs](https://github.com/davevs)
--   [Marcin Nowak @MarcinNowak-codes](https://github.com/drnow4u)
--   [Marc Chang Sing Pang @mchangsp](https://github.com/mchangsp)
--   [Vineeth Jagadeesh @djvinnie](https://github.com/djvinnie)
+- [Dave van Stein @davevs](https://www.github.com/davevs)
+- [Marcin Nowak @drnow4u](https://www.github.com/drnow4u)
+- [Marc Chang Sing Pang @mchangsp](https://www.github.com/mchangsp)
+- [Vineeth Jagadeesh @djvinnie](https://www.github.com/djvinnie)
 
-Special mentions for helping out:
+Special thanks:
 
--   [Madhu Akula @madhuakula](https://github.com/madhuakula)
--   [Björn Kimminich @bkimminich](https://github.com/bkimminich)
--   [Dan Gora @devsecops](https://github.com/devsecops)
--   [Xiaolu Dai @saragluna](https://github.com/saragluna)
--   [Jonathan Giles @jonathanGiles](https://github.com/JonathanGiles)
+- [Madhu Akula @madhuakula @madhuakula](https://www.github.com/madhuakula)
+- [Björn Kimminich @bkimminich](https://www.github.com/bkimminich)
+- [Dan Gora @devsecops](https://www.github.com/devsecops)
+- [Xiaolu Dai @saragluna](https://www.github.com/saragluna)
+- [Jonathan Giles @jonathanGiles](https://www.github.com/jonathanGiles)
 
 ### Sponsorships
 

aws/k8s/secret-challenge-vault-deployment.yml

@@ -41,7 +41,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "wrongsecrets-aws-secretsmanager"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.7.0-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.7.1-k8s-vault
           imagePullPolicy: IfNotPresent
           name: secret-challenge
           securityContext:

azure/k8s/secret-challenge-vault-deployment.yml.tpl

@@ -41,7 +41,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "azure-wrongsecrets-vault"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.7.0-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.7.1-k8s-vault
           imagePullPolicy: IfNotPresent
           name: secret-challenge
           securityContext:

fly.toml

@@ -8,7 +8,7 @@ app = "wrongsecrets"
 primary_region = "ams"
 
 [build]
-  image = "docker.io/jeroenwillemsen/wrongsecrets:1.7.0-no-vault"
+  image = "docker.io/jeroenwillemsen/wrongsecrets:1.7.1-no-vault"
 
 [env]
   K8S_ENV = "Fly(Docker)"

gcp/k8s/secret-challenge-vault-deployment.yml.tpl

@@ -39,7 +39,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "wrongsecrets-gcp-secretsmanager"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.7.0-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.7.1-k8s-vault
           imagePullPolicy: IfNotPresent
           name: secret-challenge
           ports:

k8s/secret-challenge-deployment.yml

@@ -28,7 +28,7 @@ spec:
         runAsGroup: 2000
         fsGroup: 2000
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.7.0-no-vault
+        - image: jeroenwillemsen/wrongsecrets:1.7.1-no-vault
           imagePullPolicy: IfNotPresent
           name: secret-challenge
           ports:

k8s/secret-challenge-vault-deployment.yml

@@ -30,7 +30,7 @@ spec:
         runAsNonRoot: true
       serviceAccountName: vault
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.7.0-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.7.1-k8s-vault
           imagePullPolicy: IfNotPresent
           name: secret-challenge
           securityContext:

okteto/k8s/secret-challenge-ctf-deployment.yml

@@ -28,7 +28,7 @@ spec:
         runAsGroup: 2000
         fsGroup: 2000
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.7.0-no-vault
+        - image: jeroenwillemsen/wrongsecrets:1.7.1-no-vault
           name: secret-challenge-ctf
           imagePullPolicy: IfNotPresent
           securityContext:

okteto/k8s/secret-challenge-deployment.yml

@@ -28,7 +28,7 @@ spec:
         runAsGroup: 2000
         fsGroup: 2000
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.7.0-no-vault
+        - image: jeroenwillemsen/wrongsecrets:1.7.1-no-vault
           name: secret-challenge
           imagePullPolicy: IfNotPresent
           securityContext:

pom.xml

@@ -431,7 +431,7 @@
             </goals>
             <phase>generate-resources</phase>
             <configuration>
-              <nodeVersion>v20.6.0</nodeVersion>
+              <nodeVersion>v20.9.0</nodeVersion>
               <!-- download node from https://nodejs.org/dist/ -->
               <workingDirectory>js</workingDirectory>
             </configuration>

scripts/sort_contibutors/main.py

@@ -2,12 +2,12 @@
 import os
 from dotenv import load_dotenv
 
+
 # This function parses the contribution list, sorting
 # the users per its ranks
 
 
 def print_file(s: str, flag: bool) -> None:
-
     # True for MD , false for HTML file
     if flag:
         f = open('contributors_file.md', 'w')
@@ -18,47 +18,45 @@ def print_file(s: str, flag: bool) -> None:
 
 
 def print_md(user_list: dict, label="") -> str:
-
     string = '{}:\n\n'.format(label)
     for value in user_list:
         string += '- [{} @{}](https://www.github.com/{})\n'.format(value['name'],
                                                                    value['username'], value['username'])
-    return string + '\n\n'
+    return string + '\n'
 
 
 def print_html(leaders: dict, top_contributors: dict, contributors: dict, testers: dict, special_thanks: dict) -> str:
-
     string = '<html><head></head><body>\n'
 
-    string += '<h1>Leaders</h1>\n'
+    string += 'OWASP Project Leaders:\n'
     string += '<ul>\n'
     for value in leaders:
         string += '<li><a href=\'https://www.github.com/{}\'>{} @{}</a></li>\n'.format(
             value['username'], value['name'], value['username'])
     string += '</ul>\n'
 
-    string += '\n<h1>Top contributors</h1>\n'
+    string += 'Top Contributors:\n'
     string += '<ul>\n'
     for value in top_contributors:
         string += '<li><a href=\'https://www.github.com/{}\'>{} @{}</a></li>\n'.format(
             value['username'], value['name'], value['username'])
     string += '</ul>\n'
 
-    string += '\n<h1>Contributors</h1>\n'
+    string += 'Contributors:\n'
     string += '<ul>\n'
     for value in contributors:
         string += '<li><a href=\'https://www.github.com/{}\'>{} @{}</a></li>\n'.format(
             value['username'], value['name'], value['username'])
     string += '</ul>\n'
 
-    string += '<h1>Testers</h1>\n'
+    string += 'Testers:\n'
     string += '<ul>\n'
     for value in testers:
         string += '<li><a href=\'https://www.github.com/{}\'>{} @{}</a></li>'.format(
             value['username'], value['name'], value['username'])
-    string += '</ul>\n\n'
+    string += '</ul>\n'
 
-    string += '<h1>Special thanks</h1>\n'
+    string += 'Special mentions for helping out:\n'
     string += '<ul>\n'
     for value in special_thanks:
         string += '<li><a href=\'https://www.github.com/{}\'>{} @{}</a></li>\n'.format(
@@ -79,8 +77,11 @@ def parse_contributor_list(user_list: list, user_token: str) -> list:
         if name == None:
             name = username
 
-        leaders_and_multijuicer = ['DerGut', 'bkimminich', 'MichaelEischer', 'rseedorff', 'jonasbg', 'scornelissen85', 'zadjadr', 'stuebingerb', 'sydseter', 'troygerber', 'skandix', 'saymolet',
-                                   'adrianeriksen', 'pseudobeard', 'coffemakingtoaster', 'wurstbrot', 'blucas-accela', 'fwijnholds', 'stefan-schaermeli', 'nickmalcolm', 'orangecola', 'commjoen', 'bendehaan']
+        leaders_and_multijuicer = ['DerGut', 'bkimminich', 'MichaelEischer', 'rseedorff', 'jonasbg', 'scornelissen85',
+                                   'zadjadr', 'stuebingerb', 'sydseter', 'troygerber', 'skandix', 'saymolet',
+                                   'adrianeriksen', 'pseudobeard', 'coffemakingtoaster', 'wurstbrot', 'blucas-accela',
+                                   'fwijnholds', 'stefan-schaermeli', 'nickmalcolm', 'orangecola', 'commjoen',
+                                   'bendehaan', 'benno001']
 
         # Filter the github bots
         if '[bot]' not in username and username not in leaders_and_multijuicer:
@@ -89,10 +90,19 @@ def parse_contributor_list(user_list: list, user_token: str) -> list:
 
     return contributors
 
+
 # Retrieves the list of fullnames of contributors of a repository in JSON format
 
 
 def get_fullname(username: str, user_token: str) -> str:
+    name_dict = {
+        "puneeth072003": "Puneeth Y",
+        "f3rn0s": "Fern",
+        "Novice-expert": "Divyanshu Dev",
+        "neatzsche": "Chris Elbring Jr.",
+    }
+    if username in name_dict:
+        return name_dict[username]
     headers = {'X-GitHub-Api-Version': '2022-11-28',
                'Accept': 'application/vnd.github+json',
                'Authorization': 'Bearer ' + user_token}
@@ -103,6 +113,7 @@ def get_fullname(username: str, user_token: str) -> str:
         os._exit(-1)
     return r.json()['name']
 
+
 # Retrieves the list of contributors of a repository in JSON format
 
 
@@ -111,7 +122,7 @@ def fetch_repository(project: str, user_token: str) -> list:
                'Accept': 'application/vnd.github+json',
                'Authorization': 'Bearer ' + user_token}
     r = requests.get('https://api.github.com/repos/OWASP/' +
-                     project+'/contributors', headers=headers, timeout=20)
+                     project + '/contributors', headers=headers, timeout=20)
     if r.status_code == 401:
         print("Invalid token")
         os._exit(-1)
@@ -132,7 +143,7 @@ def merge_users(l: list) -> list:
                                    'name': a['name'], 'ranking': ranking[a['username']]}
 
     l = dict(sorted(username.items(),
-             key=lambda x: x[1]['ranking'], reverse=True))
+                    key=lambda x: x[1]['ranking'], reverse=True))
 
     special_contributors = []
     contributors = []
@@ -148,7 +159,6 @@ def merge_users(l: list) -> list:
 
 
 def get_contibutors_list(token: str) -> list:
-
     print("[+] Fetching the Wrong Secrets CTF party contributors list ... ")
     wrongsecrets_ctf_list = fetch_repository('wrongsecrets-ctf-party', token)
     print("[+] Fetching the Wrong Secrets Binaries contributors list ... ")
@@ -157,7 +167,7 @@ def get_contibutors_list(token: str) -> list:
     print("[+] Fetching the Wrong Secrets contributors list ... ")
     wrongsecrets_list = fetch_repository('wrongsecrets', token)
     merged_list = wrongsecrets_binaries_list + \
-        wrongsecrets_ctf_list + wrongsecrets_list
+                  wrongsecrets_ctf_list + wrongsecrets_list
     print("[+] Sorting the list .. ")
     return merge_users(merged_list)