Merge branch 'develop' of https://github.com/juice-shop/juice-shop in…

…to develop

.dockerignore

@@ -9,6 +9,8 @@ vagrant/
 logs/
 Dockerfile
 .npmrc
+/bom.json
+/bom.xml
 
 # Pattern is *not covered* by node_modules/ above no matter what IntelliJ says!
 frontend/node_modules/

.github/workflows/ci.yml

@@ -19,6 +19,7 @@ on:
       - 'frontend/src/assets/i18n/*.json'
 env:
   ANGULAR_CLI_VERSION: 13
+  CYCLONEDX_NPM_VERSION: '^1.12.0'
 jobs:
   lint:
     runs-on: ubuntu-latest
@@ -71,7 +72,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        os: [ubuntu-latest, windows-latest, macos-latest]
+        os: [ubuntu-latest, macos-latest] # FIXME: Removed "windows-latest" due to 'Error: ENOENT: no such file or directory, open' error breaking at least on Node 20.5.0 constantly
         node-version: [16, 18, 20]
     steps:
       - name: "Check out Git repository"
@@ -268,6 +269,7 @@ jobs:
       - name: "Install CLI tools"
         run: |
           npm install -g @angular/cli@$ANGULAR_CLI_VERSION
+          npm install -g @cyclonedx/cyclonedx-npm@$CYCLONEDX_NPM_VERSION
           npm install -g grunt-cli
       - name: "Set packaging options for Grunt"
         run: |
@@ -277,7 +279,6 @@ jobs:
       - name: "Package application"
         run: |
           npm install --production
-          npm install -g grunt-cli
           npm run package:ci
       - name: "Unpack application archive"
         run: |
@@ -334,6 +335,7 @@ jobs:
           build-args: |
             VCS_REF=${{ env.VCS_REF }}
             BUILD_DATE=${{ env.BUILD_DATE }}
+            CYCLONEDX_NPM_VERSION=${{ env.CYCLONEDX_NPM_VERSION }}
   heroku:
     if: github.repository == 'juice-shop/juice-shop' && github.event_name == 'push' && (github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/master')
     needs: [test, api-test, e2e, custom-config-test]

.github/workflows/lint-fixer.yml

@@ -8,7 +8,7 @@ jobs:
     steps:
     - name: "Check out Git repository"
       uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f #v2: v2.3.4 available
-    - name: "Use Node.js 14"
+    - name: "Use Node.js 16"
       uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e #v1: v2.x available
       with:
         node-version: 16
@@ -21,7 +21,7 @@ jobs:
         npm install --ignore-scripts --legacy-peer-deps
     - name: "Fix everything which can be fixed"
       run: 'npm run lint:fix'
-    - uses: stefanzweifel/git-auto-commit-action@v4.0.0
+    - uses: stefanzweifel/git-auto-commit-action@v4.16.0
       with:
         commit_message: "Auto-fix linting issues"
         branch: ${{ github.head_ref }}

.github/workflows/release.yml

@@ -3,6 +3,8 @@ on:
   push:
     tags:
       - v*
+env:
+  CYCLONEDX_NPM_VERSION: '^1.12.0'
 jobs:
   package:
     runs-on: ${{ matrix.os }}
@@ -20,6 +22,7 @@ jobs:
       - name: "Install CLI tools"
         run: |
           npm install -g @angular/cli
+          npm install -g @cyclonedx/cyclonedx-npm@$CYCLONEDX_NPM_VERSION
           npm install -g grunt-cli
       - name: "Set packaging options for Grunt"
         run: |
@@ -36,7 +39,6 @@ jobs:
       - name: "Package application"
         run: |
           npm install --production
-          npm install -g grunt-cli
           npm run package:ci
       - name: 'Attach packaged archive to tag release'
         uses: softprops/action-gh-release@v1
@@ -78,6 +80,7 @@ jobs:
           build-args: |
             VCS_REF=${{ env.VCS_REF }}
             BUILD_DATE=${{ env.BUILD_DATE }}
+            CYCLONEDX_NPM_VERSION=${{ env.CYCLONEDX_NPM_VERSION }}
   notify-slack:
     if: always()
     needs:

.gitignore

@@ -30,6 +30,8 @@ vagrant/.vagrant/
 JSON
 JSON.map
 frontend/src/**/*.js
+/bom.json
+/bom.xml
 
 # IDEs
 .idea/
@@ -59,3 +61,6 @@ config/*.yml
 !config/unsafe.yml
 !config/tutorial.yml
 !config/oss.yml
+
+# System Files
+.DS_Store

Dockerfile

@@ -15,6 +15,10 @@ RUN rm data/chatbot/botDefaultTrainingData.json || true
 RUN rm ftp/legal.md || true
 RUN rm i18n/*.json || true
 
+ARG CYCLONEDX_NPM_VERSION=latest
+RUN npm install -g @cyclonedx/cyclonedx-npm@$CYCLONEDX_NPM_VERSION
+RUN npm run sbom
+
 FROM gcr.io/distroless/nodejs:18
 ARG BUILD_DATE
 ARG VCS_REF

Gruntfile.js

@@ -42,12 +42,15 @@ module.exports = function (grunt) {
               'config.schema.yml',
               'build/**',
               '!build/reports/**',
+              'bom.json',
+              'bom.xml',
               'config/*.yml',
               'data/*.ts',
               'data/static/**',
               'data/chatbot/.gitkeep',
               'encryptionkeys/**',
               'frontend/dist/frontend/**',
+              'frontend/dist/bom/**',
               'frontend/src/**/*.ts',
               'ftp/**',
               'i18n/.gitkeep',

config.schema.yml

@@ -499,6 +499,16 @@ ctf:
         type: string
       code:
         type: string
+    nftUnlockChallenge:
+      name:
+        type: string
+      code:
+        type: string
+    nftMintChallenge:
+      name:
+        type: string
+      code:
+        type: string
     securityPolicyChallenge:
       name:
         type: string

config/default.yml

@@ -412,6 +412,10 @@ memories:
     caption: 'My old workplace...'
     geoStalkingVisualSecurityQuestion: 10
     geoStalkingVisualSecurityAnswer: 'ITsec'
+  -
+    image: 'BeeHaven.png'
+    caption: 'Welcome to the Bee Haven(/bee-haven)🐝'
+    user: evm
 ctf:
   showFlagsInNotifications: false
   showCountryDetailsInNotifications: none # Options: none  name  flag  both

config/fbctf.yml

@@ -320,4 +320,10 @@ ctf:
       code: ZM
     emptyUserRegistration:
       name: Kenya
-      code: KE
+      code: KE
+    nftUnlockChallenge:
+      name: Afghanistan
+      code: AF
+    nftMintChallenge:
+      name: United Arab Emirates
+      code: UAE

data/static/challenges.yml

@@ -75,12 +75,37 @@
   tags:
     - Contraption
     - Code Analysis
+    - Web3
   description: 'Learn about the Token Sale before its official announcement.'
   difficulty: 5
   hint: 'The developers truly believe in "Security through Obscurity" over actual access restrictions.'
   hintUrl: 'https://pwning.owasp-juice.shop/part2/security-through-obscurity.html#learn-about-the-token-sale-before-its-official-announcement'
   mitigationUrl: ~
   key: tokenSaleChallenge
+-
+  name: 'NFT Takeover'
+  category: 'Sensitive Data Exposure'
+  tags:
+    - Contraption
+    - Good for Demos
+    - Web3
+  description: 'Take over the wallet containing our official Soul Bound Token (NFT).'
+  difficulty: 2
+  hint: 'Find the seed phrase posted accidentally.'
+  hintUrl: ''
+  mitigationUrl: ~
+  key: nftUnlockChallenge
+-
+  name: 'Mint the Honey Pot'
+  category: 'Improper Input Validation'
+  tags:
+      - Web3
+  description: 'Mint the Honey Pot NFT by gathering BEEs from the bee haven.'
+  difficulty: 3
+  hint: 'Discover NFT wonders among the captivating visual memories.'
+  hintUrl: ''
+  mitigationUrl: ~
+  key: nftMintChallenge
 -
   name: 'Blocked RCE DoS'
   category: 'Insecure Deserialization'

data/static/codefixes/adminSectionChallenge_1_correct.ts

@@ -157,6 +157,14 @@ const routes: Routes = [
         component: LastLoginIpComponent
       }
     ]
+  },
+  {
+    path: 'juicy-nft',
+    component: NFTUnlockComponent
+  },
+  {
+    path: 'bee-haven',
+    loadChildren: async () => await loadFaucetModule()
   },
    {
     matcher: oauthMatcher,

data/static/codefixes/adminSectionChallenge_2.ts

@@ -154,6 +154,14 @@ const routes: Routes = [
         component: LastLoginIpComponent
       }
     ]
+  },
+  {
+    path: 'juicy-nft',
+    component: NFTUnlockComponent
+  },
+  {
+    path: 'bee-haven',
+    loadChildren: async () => await loadFaucetModule()
   },
    {
     matcher: oauthMatcher,

data/static/codefixes/adminSectionChallenge_3.ts

@@ -154,6 +154,14 @@ const routes: Routes = [
         component: LastLoginIpComponent
       }
     ]
+  },
+  {
+    path: 'juicy-nft',
+    component: NFTUnlockComponent
+  },
+  {
+    path: 'bee-haven',
+    loadChildren: async () => await loadFaucetModule()
   },
    {
     matcher: oauthMatcher,

data/static/codefixes/adminSectionChallenge_4.ts

@@ -154,6 +154,14 @@ const routes: Routes = [
         component: LastLoginIpComponent
       }
     ]
+  },
+  {
+    path: 'juicy-nft',
+    component: NFTUnlockComponent
+  },
+  {
+    path: 'bee-haven',
+    loadChildren: async () => await loadFaucetModule()
   },
    {
     matcher: oauthMatcher,

data/static/codefixes/scoreBoardChallenge_1_correct.ts

@@ -154,6 +154,14 @@ const routes: Routes = [
         component: LastLoginIpComponent
       }
     ]
+  },
+  {
+    path: 'juicy-nft',
+    component: NFTUnlockComponent
+  },
+  {
+    path: 'bee-haven',
+    loadChildren: async () => await loadFaucetModule()
   },
    {
     matcher: oauthMatcher,

data/static/codefixes/scoreBoardChallenge_2.ts

@@ -154,6 +154,14 @@ const routes: Routes = [
         component: LastLoginIpComponent
       }
     ]
+  },
+  {
+    path: 'juicy-nft',
+    component: NFTUnlockComponent
+  },
+  {
+    path: 'bee-haven',
+    loadChildren: async () => await loadFaucetModule()
   },
    {
     matcher: oauthMatcher,

data/static/codefixes/scoreBoardChallenge_3.ts

@@ -150,6 +150,14 @@ const routes: Routes = [
         component: LastLoginIpComponent
       }
     ]
+  },
+  {
+    path: 'juicy-nft',
+    component: NFTUnlockComponent
+  },
+  {
+    path: 'bee-haven',
+    loadChildren: async () => await loadFaucetModule()
   },
    {
     matcher: oauthMatcher,