Merge pull request #1020 from OWASP/pre-release
Pre-release of 1.7.0
commjoen authored Oct 6, 2023
2 parents f4afadc + 160edf7 commit d7fb01e
Showing 8 changed files with 793 additions and 78 deletions.
712 changes: 712 additions & 0 deletions .github/scripts/.bash_history

Large diffs are not rendered by default.
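Review bot: a 712-line `.bash_history` added under `.github/scripts/` cannot be reviewed from this page, and the Dockerfile hunk in this same commit copies that whole directory into the runtime image (`COPY --chown=wrongsecrets .github/scripts/ /var/tmp/helpers`), so everything in the file ships with every build. If it is the fixture for the new challenge 38, say so in the commit message and keep it limited to the planted content; if it was committed by accident, drop it and add `.bash_history` to `.gitignore`.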

6 changes: 4 additions & 2 deletions Dockerfile
@@ -1,4 +1,4 @@
FROM amazoncorretto:21.0.0-al2023-headless
FROM amazoncorretto:21.0.0-alpine

ARG argBasedPassword="default"
ARG argBasedVersion="0.0.0"
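Review bot: the new base image `amazoncorretto:21.0.0-alpine` is pinned by tag only, and the switch from the al2023 tag also moves the JVM from glibc to musl, which the commit message does not explain. Pin a digest (`FROM amazoncorretto:21.0.0-alpine@sha256:...`) so rebuilds are reproducible, and note in the commit message why the distro changed, since the user-creation command below had to change with it.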
Expand All @@ -15,7 +15,9 @@ RUN echo "2vars"
RUN echo "$ARG_BASED_PASSWORD"
RUN echo "$argBasedPassword"

RUN useradd -u 2000 -m wrongsecrets
# RUN useradd -u 2000 -m wrongsecrets
RUN adduser -u 2000 -D wrongsecrets
USER wrongsecrets

COPY --chown=wrongsecrets target/wrongsecrets-${argBasedVersion}-SNAPSHOT.jar /application.jar
COPY --chown=wrongsecrets .github/scripts/ /var/tmp/helpers
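Review bot: delete the commented-out `# RUN useradd -u 2000 -m wrongsecrets` instead of leaving it next to its replacement; git history already records the old command. `adduser -u 2000 -D wrongsecrets` (BusyBox) matches the previous behaviour, creating a home directory and a locked password, so the change itself is fine. Also note that `COPY --chown=wrongsecrets .github/scripts/ /var/tmp/helpers` now picks up the new 712-line `.bash_history` from this commit; if only some of the helper scripts are needed at runtime, copy those files explicitly.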
4 changes: 2 additions & 2 deletions Dockerfile.web
@@ -1,5 +1,5 @@
FROM jeroenwillemsen/wrongsecrets:1.6.10-no-vault
ARG argBasedVersion="1.6.10-no-vault"
FROM jeroenwillemsen/wrongsecrets:1.7.0RC4-no-vault
ARG argBasedVersion="1.7.0RC4-no-vault"
ARG CANARY_URLS="http://canarytokens.com/terms/about/s7cfbdakys13246ewd8ivuvku/post.jsp,http://canarytokens.com/terms/about/y0all60b627gzp19ahqh7rl6j/post.jsp"
ARG CTF_ENABLED=false
ARG HINTS_ENABLED=true
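Review bot: the tag `1.7.0RC4-no-vault` is now written twice, in `FROM jeroenwillemsen/wrongsecrets:1.7.0RC4-no-vault` and in `ARG argBasedVersion="1.7.0RC4-no-vault"`, so the two can drift on the next bump. Declare the ARG once before the FROM and reference it (`FROM jeroenwillemsen/wrongsecrets:${argBasedVersion}`, redeclaring `ARG argBasedVersion` after the FROM if later instructions need it). Since this is the pre-release of 1.7.0, also plan the bump from the RC4 tag to the final 1.7.0 tag, or better a digest, before the release is cut.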
5 changes: 2 additions & 3 deletions Dockerfile_webdesktop
Expand Up @@ -9,7 +9,7 @@ RUN \

RUN \
echo "**** install packages ****" && \
apk add --no-cache shadow keepassxc radare2 aws-cli geany git && \
apk add --no-cache shadow keepassxc radare2 aws-cli geany git build-base && \
echo "**** adding abc user to root for Docker ****" && \
usermod -aG root abc && \
touch /var/run/docker.sock && \
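Review bot: `build-base` installs gcc, g++, make and libc-dev into a desktop image in which the `abc` user is added to the root group and `/var/run/docker.sock` is pre-created, and nothing in the commit says what needs a compiler. State which challenge or tool requires it; if it is only needed to build something at image-build time, do that in a separate stage so the toolchain does not remain in the final image.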
Expand All @@ -20,8 +20,7 @@ RUN \
WORKDIR /config/Desktop

COPY src/main/resources/executables/*linux* /config/Desktop/wrongsecrets/
COPY src/test/resources/executables/decrypt /config/Desktop/wrongsecrets/
COPY src/test/resources/executables/decrypt /config/Desktop/wrongsecrets/
COPY src/main/resources/executables/decrypt /config/Desktop/wrongsecrets/
COPY src/main/resources/executables/wrongsecrets-advanced-c-windows.exe /config/Desktop/wrongsecrets/
COPY src/test/resources/alibabacreds.kdbx /var/tmp/helpers/
COPY src/test/resources/alibabacreds.kdbx /var/tmp/wrongsecrets/
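Review bot: dropping the duplicated `COPY src/test/resources/executables/decrypt ...` line is right, but the hunk still mixes test resources into the runtime image: the two lines right below copy `src/test/resources/alibabacreds.kdbx` into both `/var/tmp/helpers/` and `/var/tmp/wrongsecrets/`. If `decrypt` moved to `src/main/resources` because it is a shipped artifact, the kdbx should move for the same reason, and only the destination the challenge actually reads needs the copy.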
4 changes: 2 additions & 2 deletions Dockerfile_webdesktopk8s
Expand Up @@ -9,7 +9,7 @@ RUN \

RUN \
echo "**** install packages ****" && \
apk add --no-cache shadow keepassxc radare2 aws-cli geany git && \
apk add --no-cache shadow keepassxc radare2 aws-cli geany git build-base && \
echo "**** adding abc user to root for Docker ****" && \
usermod -aG root abc && \
touch /var/run/docker.sock && \
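Review bot: this `build-base` addition is the same change as in `Dockerfile_webdesktop`, and the two files now have to be edited in lockstep; the duplicated `decrypt` COPY that existed only in `Dockerfile_webdesktop` shows they were already drifting. Consider a shared base image or one Dockerfile with a build arg for the k8s variant so the package list and the COPY lines are maintained once.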
Expand All @@ -26,7 +26,7 @@ RUN echo "**** clone wrongsecrets.git for webtop in k8s ****" && \
WORKDIR /config/Desktop

COPY src/main/resources/executables/*linux* /var/tmp/wrongsecrets/
COPY src/test/resources/executables/decrypt /config/Desktop/wrongsecrets/
COPY src/main/resources/executables/decrypt /config/Desktop/wrongsecrets/
COPY src/main/resources/executables/wrongsecrets-advanced-c-windows.exe /config/Desktop/wrongsecrets/
COPY src/test/resources/alibabacreds.kdbx /var/tmp/helpers/
COPY src/test/resources/alibabacreds.kdbx /var/tmp/wrongsecrets/
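Review bot: in this file the `*linux*` executables go to `/var/tmp/wrongsecrets/` while the new `decrypt` line puts that binary in `/config/Desktop/wrongsecrets/`; in `Dockerfile_webdesktop` both land in `/config/Desktop/wrongsecrets/`. If the split is intentional for the k8s desktop, a one-line comment would save the next reader the comparison; if not, align the paths. The `src/test/resources/alibabacreds.kdbx` copies below carry the same test-resource concern as in `Dockerfile_webdesktop`.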
19 changes: 10 additions & 9 deletions README.md
Expand Up @@ -9,13 +9,13 @@
[![Test minikube script (k8s)](https://github.com/OWASP/wrongsecrets/actions/workflows/minikube-k8s-test.yml/badge.svg)](https://github.com/OWASP/wrongsecrets/actions/workflows/minikube-k8s-test.yml) [![Test minikube script (k8s&vault)](https://github.com/OWASP/wrongsecrets/actions/workflows/minikube-vault-test.yml/badge.svg)](https://github.com/OWASP/wrongsecrets/actions/workflows/minikube-vault-test.yml) [![Docker container test](https://github.com/OWASP/wrongsecrets/actions/workflows/container_test.yml/badge.svg)](https://github.com/OWASP/wrongsecrets/actions/workflows/container_test.yml)[![Test container on podman and Colima](https://github.com/OWASP/wrongsecrets/actions/workflows/container-alts-test.yml/badge.svg)](https://github.com/OWASP/wrongsecrets/actions/workflows/container-alts-test.yml)
[![DAST with ZAP](https://github.com/OWASP/wrongsecrets/actions/workflows/dast-zap-test.yml/badge.svg)](https://github.com/OWASP/wrongsecrets/actions/workflows/dast-zap-test.yml)

[![OWASP Lab Project](https://img.shields.io/badge/OWASP-lab%20project-48A646.svg)](https://owasp.org/projects/)
[![OWASP Production Project](https://img.shields.io/badge/OWASP-production%20project-48A646.svg)](https://owasp.org/projects/)
[![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/7024/badge)](https://bestpractices.coreinfrastructure.org/projects/7024)
[![Discussions](https://img.shields.io/github/discussions/OWASP/wrongsecrets)](https://github.com/OWASP/wrongsecrets/discussions)

Welcome to the OWASP WrongSecrets game! The game is packed with real life examples of how to _not_ store secrets in your software. Each of these examples is captured in a challenge, which you need to solve using various tools and techniques. Solving these challenges will help you recognize common mistakes & can help you to reflect on your own secrets management strategy.

Can you solve all the 37 challenges?
Can you solve all the 38 challenges?

Try some of them on [our Heroku demo environment](https://wrongsecrets.herokuapp.com/) or on our [Okteto demo environment (might need to awake again)](https://wrongsecrets-commjoen.cloud.okteto.net/).

Expand Down Expand Up @@ -71,7 +71,7 @@ Copyright (c) 2020-2023 Jeroen Willemsen and WrongSecrets contributors.

## Basic docker exercises

_Can be used for challenges 1-4, 8, 12-32, 34, 35-37_
_Can be used for challenges 1-4, 8, 12-32, 34, 35-38_

For the basic docker exercises you currently require:

Expand Down Expand Up @@ -116,6 +116,7 @@ Now you can try to find the secrets by means of solving the challenge offered at
- [localhost:8080/challenge/35](http://localhost:8080/challenge/35)
- [localhost:8080/challenge/36](http://localhost:8080/challenge/36)
- [localhost:8080/challenge/37](http://localhost:8080/challenge/37)
- [localhost:8080/challenge/38](http://localhost:8080/challenge/38)

Note that these challenges are still very basic, and so are their explanations. Feel free to file a PR to make them look
better ;-).
Expand All @@ -136,7 +137,7 @@ Want to deploy yourself with Render? Click the button below:

## Basic K8s exercise

_Can be used for challenges 1-6, 8, 12-37_
_Can be used for challenges 1-6, 8, 12-38_

### Minikube based

Expand Down Expand Up @@ -193,7 +194,7 @@ Don't want to go over the hassle of setting up K8S yourself? visit [https://wron

## Vault exercises with minikube

_Can be used for challenges 1-8, 12-37_
_Can be used for challenges 1-8, 12-38_
Make sure you have the following installed:

- minikube with docker (or comment out line 8 and work at your own k8s setup),
Expand All @@ -211,7 +212,7 @@ This is because if you run the start script again it will replace the secret in

## Cloud Challenges

_Can be used for challenges 1-37_
_Can be used for challenges 1-38_

**READ THIS**: Given that the exercises below contain IAM privilege escalation exercises,
never run this on an account which is related to your production environment or can influence your account-over-arching
Expand Down Expand Up @@ -264,15 +265,15 @@ Leaders:

Top contributors:

- [Nanne Baars @nbaars](https://github.com/nbaars)
- [Joss Sparkes @remakingeden](https://github.com/remakingeden)
- [Nanne Baars @nbaars](https://github.com/nbaars)
- [Puneeth Y @puneeth072003](https://github.com/puneeth072003)
- [Marcin Nowak @drnow4u](https://github.com/drnow4u)
- [Divyanshu Dev @Novice-expert](https://github.com/Novice-expert)
- [Tibor Hercz @tiborhercz](https://github.com/tiborhercz)
- [Rodolfo Cabral Neves @roddas](https://github.com/roddas)
- [Chris Elbring Jr. @neatzsche](https://github.com/neatzsche)
- [Puneeth Y @puneeth072003](https://github.com/puneeth072003)
- [Mike Woudenberg @mikewoudenberg](https://github.com/mikewoudenberg)
- [Divyanshu Dev @Novice-expert](https://github.com/Novice-expert)
- [Filip Chyla @fchyla](https://github.com/fchyla)
- [Dmitry Litosh @Dlitosh](https://github.com/Dlitosh)
- [Josh Grossman @tghosth](https://github.com/tghosth)

0 comments on commit d7fb01e