From cfb3e27f261466f7ed85f600210cadbf4980af70 Mon Sep 17 00:00:00 2001 From: jamescaillenl Date: Mon, 5 Jun 2023 15:23:14 -0400 Subject: [PATCH 1/4] James Caille secure code training --- modules/2-owasp.livemd | 6 +++--- modules/3-ssdlc.livemd | 2 +- modules/4-graphql.livemd | 4 ++-- modules/5-elixir.livemd | 8 ++++---- modules/6-cookies.livemd | 14 +++++++------- modules/7-anti-patterns.livemd | 2 +- 6 files changed, 18 insertions(+), 18 deletions(-) diff --git a/modules/2-owasp.livemd b/modules/2-owasp.livemd index c60e52b..04e94b0 100644 --- a/modules/2-owasp.livemd +++ b/modules/2-owasp.livemd @@ -7,7 +7,7 @@ Mix.install([ :httpoison, {:absinthe, "~> 1.7.0"}, {:phoenix, "~> 1.0"}, - {:plug, "~> 1.3.2"} + :plug ]) md5_hash = :crypto.hash(:md5, "users_password") @@ -123,7 +123,7 @@ end # DO NOT CHANGE CODE ABOVE THIS LINE ========================= # PasswordCompare.option_one("users_password", md5_hash) -# PasswordCompare.option_two("users_password", bcrypt_salted_hash) +PasswordCompare.option_two("users_password", bcrypt_salted_hash) ``` @@ -252,7 +252,7 @@ _HINT: Installed dependencies can be found at the very top, it was the very firs ```elixir # CHANGE ME -vulnerable_dependency = :vulnerable_dependency +vulnerable_dependency = :plug # DO NOT CHANGE CODE BELOW THIS LINE ============================ Application.spec(vulnerable_dependency)[:vsn] |> List.to_string() |> IO.puts() diff --git a/modules/3-ssdlc.livemd b/modules/3-ssdlc.livemd index 6afce3a..9d6f37e 100644 --- a/modules/3-ssdlc.livemd +++ b/modules/3-ssdlc.livemd @@ -47,7 +47,7 @@ _Use `System.get_env/1` on line 2._ ```elixir # let's assume there is an environment variable named 'envar_secret' -super_secret_password = "p@ssw0rd" +super_secret_password = System.get_env("envar_secret") # DO NOT CHANGE CODE BELOW THIS COMMENT IO.puts(super_secret_password) diff --git a/modules/4-graphql.livemd b/modules/4-graphql.livemd index 24d9a3f..28845ce 100644 --- a/modules/4-graphql.livemd 
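Review bot: Replacing `{:plug, "~> 1.3.2"}` with a bare `:plug` in the `Mix.install` list drops the version requirement altogether, so the notebook now resolves whatever Plug release Hex serves at run time and the dependency set is no longer reproducible. If the goal is to move off the old 1.3.x line, keep a requirement that excludes it while still bounding the major, e.g. `{:plug, "~> 1.14"}` (substitute the release this module is meant to run against). Note too that the hint later in this file tells learners to look at this list to find the vulnerable dependency, so removing the pin also removes the evidence the exercise relies on; a comment such as `# was pinned to ~> 1.3.2 — see the vulnerable-dependency exercise below` would preserve that context.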
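Review bot: `vulnerable_dependency = :plug` agrees with the install list at the top of this file, but the `Application.spec(:plug)[:vsn]` call below now prints whichever Plug version `Mix.install` resolved after the same patch removed the `"~> 1.3.2"` requirement, so the printed version is the upgraded one rather than the one the exercise is pointing at. Either keep the original pin in the install list or add a comment here, e.g. `# :plug was pinned to ~> 1.3.2 in the original notebook; the vsn printed below is the upgraded release`, so a reader running the cell is not left labelling a current version as vulnerable.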
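Review bot: `System.get_env("envar_secret")` returns `nil` when the variable is not set, and the `IO.puts` on the following line then prints an empty line instead of failing, so a missing secret passes silently. The exercise text asks for `System.get_env/1`, but outside this notebook `System.fetch_env!("envar_secret")` is the safer form because it raises at startup when the variable is absent; at minimum add a comment, `# nil if unset — prefer System.fetch_env!/1 in real code`. The unchanged `IO.puts` below also writes the secret to stdout, which is acceptable in a lesson but is exactly the secret-in-logs pattern this module is warning against.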
+++ b/modules/4-graphql.livemd @@ -64,7 +64,7 @@ _Uncomment the line with your answer._ ```elixir # answer = :API6_2019_Mass_Assignment # answer = :API10_2019_Insufficient_Logging_Monitoring -# answer = :API3_2019_Excessive_Data_Exposure +answer = :API3_2019_Excessive_Data_Exposure # answer = :API4_2019_Lack_of_Resources_Rate_Limiting IO.puts(answer) @@ -92,7 +92,7 @@ _Uncomment the item number (1-4) with your answer_ ```elixir # ------------------------------------------------------------- -# answer = 1 +answer = 1 # # HTTP/2 401 Unauthorized # Date: Tues, 16 Aug 2022 21:06:42 GMT diff --git a/modules/5-elixir.livemd b/modules/5-elixir.livemd index b80d5f7..cdf402e 100644 --- a/modules/5-elixir.livemd +++ b/modules/5-elixir.livemd @@ -60,7 +60,7 @@ prev_count = :erlang.system_info(:atom_count) try do malicious_user_input # ONLY CHANGE LINE 8 - |> String.to_atom() + |> String.to_existing_atom() rescue e -> {ArgumentError, e} end @@ -168,7 +168,7 @@ end password = "HASH_OF_THE_USERS_ACTUAL_PASSWORD" # DO NOT EDIT ANY CODE ABOVE THIS LINE ===================== -user_input = "HASH_OF_asdfasdf" +user_input = "HASH_OF_THE_USERS_ACTUAL" # DO NOT EDIT ANY CODE BELOW THIS LINE (you may uncomment IO.puts) ============= Benchwarmer.benchmark(fn -> Susceptible.compare(user_input, password) end) @@ -223,7 +223,7 @@ user_input = "some_string_which_obviously_isnt_the_same_as_the_password" :ok # DO NOT EDIT ANY CODE ABOVE THIS LINE ===================== -# if SecurityCheck.validate(user_input, password) or raise(SecurityCheck) do :you_let_a_baddie_in end +if SecurityCheck.validate(user_input, password) or raise(SecurityCheck) do :you_let_a_baddie_in end # if SecurityCheck.validate(user_input, password) || raise(SecurityCheck) do :you_let_a_baddie_in end ``` 
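Review bot: `String.to_existing_atom/1` stops the atom-table growth the exercise measures with `prev_count`, but it still converts untrusted input into atoms, and the `ArgumentError` it raises for unknown names (caught by the `rescue` clause just below) lets a caller probe which atoms already exist in the VM. Where the acceptable values are known, the tighter fix is to match the raw string against an explicit allow-list and only convert the matched values, so unknown input never reaches the atom conversion at all. A comment on the changed line, `# existing atoms only: unknown input raises ArgumentError instead of allocating`, would make the reason for the change visible to the next reader.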
@@ -282,7 +282,7 @@ This prevents the table from being read by other processes, such as remote shell ```elixir # ONLY EDIT THIS LINE -secret_table = :ets.new(:secret_table, [:public]) +secret_table = :ets.new(:secret_table, [:private]) :ets.info(secret_table)[:protection] ``` diff --git a/modules/6-cookies.livemd b/modules/6-cookies.livemd index c261b9a..00b619f 100644 --- a/modules/6-cookies.livemd +++ b/modules/6-cookies.livemd @@ -180,17 +180,17 @@ In the Phoenix Framework, you would use functionality found within the [Plug lib _Fill out the `put_resp_cookie/4` function arguments with the settings outlined in the previous section, no other code changes should be necessary._ ```elixir -cookie_name = "CHANGE_ME_TOO" +cookie_name = "__HostCHANGE_ME_TOO" conn |> Plug.Conn.put_resp_cookie( cookie_name, - <<42::16>> - # domain: , - # path: , - # secure: , - # http_only: , - # same_site: + <<42::16>>, + domain: "www.example.com + path: "/", + secure: "True", + http_only: "True", + same_site: "Strict" ) ``` diff --git a/modules/7-anti-patterns.livemd b/modules/7-anti-patterns.livemd index 7de1d62..ffe6e55 100644 --- a/modules/7-anti-patterns.livemd +++ b/modules/7-anti-patterns.livemd @@ -77,7 +77,7 @@ _Uncomment the line with your answer._ ```elixir # answer = :bubble_sort -# answer = :merge_sort +answer = :merge_sort # answer = :quick_sort # answer = :random_sort From 1537b6c45b9b02ffe66686255198e4a3dd832466 Mon Sep 17 00:00:00 2001 From: jamescaillenl Date: Mon, 5 Jun 2023 15:25:30 -0400 Subject: [PATCH 2/4] fix cookie --- modules/6-cookies.livemd | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/6-cookies.livemd b/modules/6-cookies.livemd index 00b619f..b8ab8d0 100644 --- a/modules/6-cookies.livemd +++ b/modules/6-cookies.livemd @@ -188,8 +188,8 @@ conn <<42::16>>, domain: "www.example.com path: "/", - secure: "True", - http_only: "True", + secure: true, + http_only: true, same_site: "Strict" ) ``` 
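Review bot: `[:private]` is the right protection level for the lesson, but it deserves a comment that it blocks reads from every other process in the node, not only remote shells, so any legitimate reader has to go through the owning process; `:protected` is the option when other local processes need read-only access while writes stay with the owner. Suggested comment on the changed line: `# :private — only the owner process can read or write; use :protected if others need reads`. Since `:named_table` is not set, `:secret_table` is only a label and the returned `secret_table` reference is the sole handle to the table.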
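Review bot: `"__HostCHANGE_ME_TOO"` is not a `__Host-` prefixed cookie: the prefix browsers recognise is `__Host-` including the hyphen, so as written this is an ordinary cookie whose name happens to start with two underscores. A genuine `__Host-` cookie must also be set with `Secure`, `Path=/` and no `Domain` attribute, so the `domain: "www.example.com` option in the same call (which is additionally missing its closing quote, corrected in a later commit of this series) would cause the browser to reject the cookie once the name is fixed. Change the name to `cookie_name = "__Host-CHANGE_ME_TOO"` and drop the `domain:` option, keeping `path: "/"` and the secure flag.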
From dc1f86029a8b52763b6f57c98d8fe2c7f6e5025f Mon Sep 17 00:00:00 2001 From: jamescaillenl Date: Mon, 5 Jun 2023 15:27:46 -0400 Subject: [PATCH 3/4] update cookie again --- modules/5-elixir.livemd | 5 ++++- modules/6-cookies.livemd | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/modules/5-elixir.livemd b/modules/5-elixir.livemd index cdf402e..69ca147 100644 --- a/modules/5-elixir.livemd +++ b/modules/5-elixir.livemd @@ -223,7 +223,10 @@ user_input = "some_string_which_obviously_isnt_the_same_as_the_password" :ok # DO NOT EDIT ANY CODE ABOVE THIS LINE ===================== -if SecurityCheck.validate(user_input, password) or raise(SecurityCheck) do :you_let_a_baddie_in end +if SecurityCheck.validate(user_input, password) or raise(SecurityCheck) do + :you_let_a_baddie_in +end + # if SecurityCheck.validate(user_input, password) || raise(SecurityCheck) do :you_let_a_baddie_in end ``` diff --git a/modules/6-cookies.livemd b/modules/6-cookies.livemd index b8ab8d0..9992c0a 100644 --- a/modules/6-cookies.livemd +++ b/modules/6-cookies.livemd @@ -186,7 +186,7 @@ conn |> Plug.Conn.put_resp_cookie( cookie_name, <<42::16>>, - domain: "www.example.com + domain: "www.example.com", path: "/", secure: true, http_only: true, From 14ef398ce2ece0737de124d6b67ac6d6511debc0 Mon Sep 17 00:00:00 2001 From: jamescaillenl Date: Mon, 5 Jun 2023 15:31:54 -0400 Subject: [PATCH 4/4] update sorting algorithm --- modules/7-anti-patterns.livemd | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/7-anti-patterns.livemd b/modules/7-anti-patterns.livemd index ffe6e55..a55abcf 100644 --- a/modules/7-anti-patterns.livemd +++ b/modules/7-anti-patterns.livemd @@ -77,8 +77,8 @@ _Uncomment the line with your answer._ ```elixir # answer = :bubble_sort -answer = :merge_sort -# answer = :quick_sort +# answer = :merge_sort +answer = :quick_sort # answer = :random_sort IO.puts(answer)
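Review bot: Closing the string fixes the syntax error, but `domain: "www.example.com"` should not be set on this cookie at all if the name assigned a few lines above the hunk keeps its `__Host` prefix: browsers require `__Host-` cookies to carry `Secure`, `Path=/` and no `Domain` attribute, and discard the cookie otherwise. Omitting `Domain` is also the stricter choice in general, because the cookie then stays host-only instead of being sent to every subdomain of `www.example.com`. Remove the `domain:` line and leave `path: "/"`, `secure: true` and `http_only: true` as they are; the `same_site:` option and the call's closing parenthesis fall outside this hunk.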