From 4c2efe3a3776e08a5da9ca742c8a5d6c588329fd Mon Sep 17 00:00:00 2001
From: jamescaillenl <james@northernlabs.ca>
Date: Tue, 9 Jul 2024 15:48:36 -0400
Subject: [PATCH] jamescaillenl Elixir Secure Coding 2024 training

---
 modules/2-owasp.livemd         |  6 +++---
 modules/3-ssdlc.livemd         |  2 +-
 modules/4-graphql.livemd       |  4 ++--
 modules/5-elixir.livemd        |  8 ++++----
 modules/6-cookies.livemd       | 14 +++++++-------
 modules/7-anti-patterns.livemd |  2 +-
 6 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/modules/2-owasp.livemd b/modules/2-owasp.livemd
index c60e52b..666e495 100644
--- a/modules/2-owasp.livemd
+++ b/modules/2-owasp.livemd
@@ -7,7 +7,7 @@ Mix.install([
   :httpoison,
   {:absinthe, "~> 1.7.0"},
   {:phoenix, "~> 1.0"},
-  {:plug, "~> 1.3.2"}
+  {:plug, "~> 1.16.0"}
 ])
 
 md5_hash = :crypto.hash(:md5, "users_password")
@@ -123,7 +123,7 @@ end
 # DO NOT CHANGE CODE ABOVE THIS LINE =========================
 
 # PasswordCompare.option_one("users_password", md5_hash)
-# PasswordCompare.option_two("users_password", bcrypt_salted_hash)
+PasswordCompare.option_two("users_password", bcrypt_salted_hash)
 ```
 
 <!-- livebook:{"branch_parent_index":3} -->
@@ -252,7 +252,7 @@ _HINT: Installed dependencies can be found at the very top, it was the very firs
 
 ```elixir
 # CHANGE ME
-vulnerable_dependency = :vulnerable_dependency
+vulnerable_dependency = :plug
 
 # DO NOT CHANGE CODE BELOW THIS LINE ============================
 Application.spec(vulnerable_dependency)[:vsn] |> List.to_string() |> IO.puts()
diff --git a/modules/3-ssdlc.livemd b/modules/3-ssdlc.livemd
index 6afce3a..9d6f37e 100644
--- a/modules/3-ssdlc.livemd
+++ b/modules/3-ssdlc.livemd
@@ -47,7 +47,7 @@ _Use `System.get_env/1` on line 2._
 
 ```elixir
 # let's assume there is an environment variable named 'envar_secret'
-super_secret_password = "p@ssw0rd"
+super_secret_password = System.get_env("envar_secret")
 
 # DO NOT CHANGE CODE BELOW THIS COMMENT
 IO.puts(super_secret_password)
diff --git a/modules/4-graphql.livemd b/modules/4-graphql.livemd
index 24d9a3f..28845ce 100644
--- a/modules/4-graphql.livemd
+++ b/modules/4-graphql.livemd
@@ -64,7 +64,7 @@ _Uncomment the line with your answer._
 ```elixir
 # answer = :API6_2019_Mass_Assignment
 # answer = :API10_2019_Insufficient_Logging_Monitoring
-# answer = :API3_2019_Excessive_Data_Exposure
+answer = :API3_2019_Excessive_Data_Exposure
 # answer = :API4_2019_Lack_of_Resources_Rate_Limiting
 
 IO.puts(answer)
@@ -92,7 +92,7 @@ _Uncomment the item number (1-4) with your answer_
 
 ```elixir
 # -------------------------------------------------------------
-# answer = 1
+answer = 1
 #
 # HTTP/2 401 Unauthorized
 # Date: Tues, 16 Aug 2022 21:06:42 GMT
diff --git a/modules/5-elixir.livemd b/modules/5-elixir.livemd
index 73c1dc2..f82493f 100644
--- a/modules/5-elixir.livemd
+++ b/modules/5-elixir.livemd
@@ -60,7 +60,7 @@ prev_count = :erlang.system_info(:atom_count)
 try do
   malicious_user_input
   # ONLY CHANGE LINE 8
-  |> String.to_atom()
+  |> String.to_existing_atom()
 rescue
   e -> {ArgumentError, e}
 end
@@ -176,7 +176,7 @@ Benchee.run(%{
   "Constant" => fn -> Constant.compare(user_input, password) end
 }, time: 3, warmup: 2)
 
-# IO.puts(:comparison_ran)
+IO.puts(:comparison_ran)
 ```
 
 ## Boolean Coercion
@@ -226,7 +226,7 @@ user_input = "some_string_which_obviously_isnt_the_same_as_the_password"
 # DO NOT EDIT ANY CODE ABOVE THIS LINE =====================
 
 # if SecurityCheck.validate(user_input, password) or raise(SecurityCheck) do :you_let_a_baddie_in end
-# if SecurityCheck.validate(user_input, password) || raise(SecurityCheck) do :you_let_a_baddie_in end
+if SecurityCheck.validate(user_input, password) || raise(SecurityCheck) do :you_let_a_baddie_in end
 ```
 
 ## Sensitive Data Exposure
@@ -284,7 +284,7 @@ This prevents the table from being read by other processes, such as remote shell
 
 ```elixir
 # ONLY EDIT THIS LINE
-secret_table = :ets.new(:secret_table, [:public])
+secret_table = :ets.new(:secret_table, [:private])
 :ets.info(secret_table)[:protection]
 ```
 
diff --git a/modules/6-cookies.livemd b/modules/6-cookies.livemd
index c261b9a..20bafdc 100644
--- a/modules/6-cookies.livemd
+++ b/modules/6-cookies.livemd
@@ -180,17 +180,17 @@ In the Phoenix Framework, you would use functionality found within the [Plug lib
 _Fill out the `put_resp_cookie/4` function arguments with the settings outlined in the previous section, no other code changes should be necessary._
 
 ```elixir
-cookie_name = "CHANGE_ME_TOO"
+cookie_name = "cookie_test"
 
 conn
 |> Plug.Conn.put_resp_cookie(
   cookie_name,
-  <<42::16>>
-  # domain: ,
-  # path: ,
-  # secure: ,
-  # http_only: ,
-  # same_site:
+  <<42::16>>,
+  domain: "www.example.com",
+  path: "/",
+  secure: true,
+  http_only: true,
+  same_site: "Strict"
 )
 ```
 
diff --git a/modules/7-anti-patterns.livemd b/modules/7-anti-patterns.livemd
index 7de1d62..a55abcf 100644
--- a/modules/7-anti-patterns.livemd
+++ b/modules/7-anti-patterns.livemd
@@ -78,7 +78,7 @@ _Uncomment the line with your answer._
 ```elixir
 # answer = :bubble_sort
 # answer = :merge_sort
-# answer = :quick_sort
+answer = :quick_sort
 # answer = :random_sort
 
 IO.puts(answer)