Merge pull request #903 from RemakingEden/git-notes-challenge
Feature(#614): Challenge38 - Git notes challenge
Showing
6 changed files
with
127 additions
and
1 deletion.
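--- a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge38.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge38.java
@@ -0,0 +1,78 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+import java.util.List;
+import org.owasp.wrongsecrets.RuntimeEnvironment;
+import org.owasp.wrongsecrets.ScoreCard;
+import org.owasp.wrongsecrets.challenges.Challenge;
+import org.owasp.wrongsecrets.challenges.ChallengeTechnology;
+import org.owasp.wrongsecrets.challenges.Difficulty;
+import org.owasp.wrongsecrets.challenges.Spoiler;
+import org.springframework.core.annotation.Order;
+import org.springframework.stereotype.Component;
+
+/** This is a challenge based on leaking secrets with the misuse of Git notes */
+@Component
+@Order(38)
+public class Challenge38 extends Challenge {
+
+public Challenge38(ScoreCard scoreCard) {
+super(scoreCard);
+}
+
+@Override
+public boolean canRunInCTFMode() {
+return true;
+}
+
+@Override
+public Spoiler spoiler() {
+return new Spoiler(getSolution());
+}
+
+@Override
+public boolean answerCorrect(String answer) {
+return getSolution().equals(answer);
+}
+
+/** {@inheritDoc} */
+@Override
+public int difficulty() {
+return Difficulty.EASY;
+}
+
+/** {@inheritDoc} Git based. */
+@Override
+public String getTech() {
+return ChallengeTechnology.Tech.GIT.id;
+}
+
+@Override
+public boolean isLimitedWhenOnlineHosted() {
+return false;
+}
+
+@Override
+public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
+return List.of(RuntimeEnvironment.Environment.DOCKER);
+}
+
+private String getSolution() {
+return unobfuscate("UOZFGZTLOLLXHTKEGGS");
+}
+
+private String unobfuscate(String obfuscatedString) {
+final String key = "QWERTYUIOPASDFGHJKLZXCVBNM";
+StringBuilder plainText = new StringBuilder();
+for (char c : obfuscatedString.toCharArray()) {
+if (Character.isLetter(c)) {
+int index = key.indexOf(Character.toUpperCase(c));
+char replacement = (char) ('A' + index);
+plainText.append(replacement);
+} else {
+plainText.append(c);
+System.out.println(plainText);
+}
+}
+return plainText.toString();
+}
+}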
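Review bot: The `System.out.println(plainText)` in the else branch of unobfuscate writes the partially decoded secret to stdout each time a non-letter character is processed, which in a container ends up in the collected logs; it reads as a leftover debug statement and should be deleted. For the constant that getSolution() passes the branch is unreachable, since every character is a letter, so today it only matters for a future caller with punctuation, but it is still an avoidable disclosure path. Separately, `Character.isLetter(c)` also accepts letters outside A–Z, for which `key.indexOf(...)` returns -1 and the cast yields '@'; guarding the append with `if (index >= 0)` or restricting the condition to `c >= 'A' && c <= 'Z'` would make the decoder total.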
@@ -0,0 +1,9 @@ | ||
=== Git Notes | ||
|
||
Git commit messages can be a constant pain point. | ||
|
||
It is fine to use a short message, unintelligible garble or a simple mash of the keyboard in a git message until you have the unfortunate task of reviewing. At this point these scruffy messages can be a nightmare. | ||
|
||
Git notes are here to solve this, it has been around for a long while but often gets overlooked. Add extra metadata about the commit without affecting the commit message itself. | ||
|
||
Like all Git, once information is committed, it is very very hard to remove all reference of it. What could possible go wrong? |
@@ -0,0 +1,9 @@ | ||
Unlike other Git challenges this cannot be solved by the plethora of tools that will automatically search for secrets leaked in Git repos. | ||
|
||
Try solving the challenge by manually combing the Git metadata. | ||
|
||
1. Clone the repository - `git clone https://github.com/OWASP/wrongsecrets`. | ||
2. Navigate to the directory - `cd wrongsecrets` | ||
3. Fetch the notes - `git fetch origin 'refs/notes/*:refs/notes/*'` | ||
4. List all notes in the repo - `git notes` | ||
5. Using the note reference that is displayed, show the note - `git notes show [ref]` (2 references will show for each note, the second one is the note reference) |
@@ -0,0 +1,7 @@ | ||
*Why should you be careful with Git notes?* | ||
|
||
1. Like all Git repo's, once a secret is leaked it here it is very tough/impossible to remove from all history. | ||
2. Git Notes appears to be a rarely used feature of Git, therefore a lot of the secret scanners do not check them. This means it can be missed in CI.* | ||
**Concern 2 is currently being researched by the team at WrongSecrets, we are sampling the biggest open source projects to understand if Git notes is used. If it is used we may try to contribute to secret scanners to accommodate this, if it is not used we may recommend simply not using this feature of Git to ensure no issues arise. Keep an eye out on the WrongSecrets Slack for the progression of this project.** |
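--- a/src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge38Test.java
+++ b/src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge38Test.java
@@ -0,0 +1,23 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+import org.assertj.core.api.Assertions;
+import org.junit.jupiter.api.Test;
+import org.mockito.Mock;
+import org.owasp.wrongsecrets.ScoreCard;
+
+public class Challenge38Test {
+@Mock private ScoreCard scoreCard;
+
+@Test
+void spoilerShouldGiveAnswer() {
+var challenge = new Challenge38(scoreCard);
+Assertions.assertThat(challenge.spoiler().solution()).isNotEmpty();
+Assertions.assertThat(challenge.answerCorrect(challenge.spoiler().solution())).isTrue();
+}
+
+@Test
+void incorrectAnswerShouldNotSolveChallenge() {
+var challenge = new Challenge38(scoreCard);
+Assertions.assertThat(challenge.solved("wrong answer")).isFalse();
+}
+}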
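Review bot: The `@Mock private ScoreCard scoreCard` field on Challenge38Test is never initialised, because the class carries no `@ExtendWith(MockitoExtension.class)` and calls no `MockitoAnnotations.openMocks(this)`, so both tests construct `new Challenge38(null)`. They presumably pass only because the constructor does not dereference the scorecard, which makes the mock annotation misleading to the next reader; either add `@ExtendWith(MockitoExtension.class)` on the class together with the corresponding junit-jupiter and mockito imports, or drop the field and pass null explicitly to state that intent. The `solved("wrong answer")` call relies on a method of the Challenge base class that is outside this hunk.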