remove logging that leaks the secret
commjoen committed Sep 22, 2022
1 parent 831a505 commit 6459b7f
Showing 9 changed files with 17 additions and 13 deletions.
Expand Up @@ -137,7 +137,7 @@ private String getAWSChallenge11Value() {
.build();

AssumeRoleWithWebIdentityResponse tokenResponse = stsClient.assumeRoleWithWebIdentity(webIdentityRequest);
log.info("The token value is " + tokenResponse.credentials().sessionToken());
//log.debug("The token value is " + tokenResponse.credentials().sessionToken());
SsmClient ssmClient = SsmClient.builder()
.region(Region.of(awsRegion))
.credentialsProvider(StsAssumeRoleWithWebIdentityCredentialsProvider.builder()
Expand All @@ -150,7 +150,7 @@ private String getAWSChallenge11Value() {
.withDecryption(true)
.build();
GetParameterResponse parameterResponse = ssmClient.getParameter(parameterRequest);
log.info("The parameter value is " + parameterResponse.parameter().value());
//log.debug("The parameter value is " + parameterResponse.parameter().value());
ssmClient.close();
return parameterResponse.parameter().value();
} catch (StsException e) {
Expand Down Expand Up @@ -188,7 +188,7 @@ private String getGCPChallenge11Value() {

private String getAzureChallenge11Value() {
if (isAzure()) {
log.info(String.format("Using Azure Key Vault URI: %s", azureVaultUri));
//log.debug(String.format("Using Azure Key Vault URI: %s", azureVaultUri));
return azureWrongSecret3;
}
log.error("Fetching secret from Azure did not work, returning default");
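Review bot: The three leaking statements in this file are commented out rather than deleted (`//log.debug("The token value is " + tokenResponse.credentials().sessionToken());`, the parameter-value line and the Key Vault URI line), so the secret-bearing call stays in the source one uncomment away. At `debug` level it would still write the STS session token and the decrypted SSM parameter to the log. I would delete the lines outright and, if a trace is wanted, log only the event, e.g. `log.debug("Fetched SSM parameter for challenge 11");`. The same commented-out pattern recurs in the `answerCorrect`, `isKeyCorrect`, `findAnswer` and `isanswerCorrectInKeeyPassx` hunks further down. The page has lost its `+`/`-` column, so I am reading the `//log.debug` lines as the new side; both function bodies continue outside the hunks.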
Expand Up @@ -39,7 +39,7 @@ public Spoiler spoiler() {

@Override
public boolean answerCorrect(String answer) {
log.info("challenge 12, actualdata: {}, answer: {}", getActualData(), answer);
//log.debug("challenge 12, actualdata: {}, answer: {}", getActualData(), answer);
return getActualData().equals(answer);
}

Expand Up @@ -71,7 +71,7 @@ public boolean isLimittedWhenOnlineHosted() {

private boolean isKeyCorrect(String base64EncodedKey) {
if (Strings.isEmpty(base64EncodedKey) || Strings.isEmpty(plainText) || Strings.isEmpty(cipherText)) {
log.info("Checking secret with values {}, {}, {}", base64EncodedKey, plainText, cipherText);
//log.debug("Checking secret with values {}, {}, {}", base64EncodedKey, plainText, cipherText);
return false;
}

Expand Up @@ -77,7 +77,7 @@ public boolean isLimittedWhenOnlineHosted() {

private String findAnswer() {
if (Strings.isEmpty(keepassxPassword)) {
log.info("Checking secret with values {}", keepassxPassword);
//log.debug("Checking secret with values {}", keepassxPassword);
return defaultKeepassValue;
}
KdbxCreds creds = new KdbxCreds(keepassxPassword.getBytes());
Expand All @@ -95,7 +95,7 @@ private String findAnswer() {

private boolean isanswerCorrectInKeeyPassx(String answer) {
if (Strings.isEmpty(keepassxPassword) || Strings.isEmpty(answer)) {
log.info("Checking secret with values {}, {}", keepassxPassword, answer);
//log.debug("Checking secret with values {}, {}", keepassxPassword, answer);
return false;
}
return answer.equals(findAnswer());
Expand Up @@ -39,7 +39,7 @@ public Spoiler spoiler() {

@Override
public boolean answerCorrect(String answer) {
log.info("challenge 16, actualdata: {}, answer: {}", getActualData(), answer);
//log.debug("challenge 16, actualdata: {}, answer: {}", getActualData(), answer);
return getActualData().equals(answer);
}

Expand Up @@ -39,7 +39,7 @@ public Spoiler spoiler() {

@Override
public boolean answerCorrect(String answer) {
log.info("challenge 17, actualdata: {}, answer: {}", getActualData(), answer);
//log.debug("challenge 17, actualdata: {}, answer: {}", getActualData(), answer);
return getActualData().equals(answer);
}

Expand Up @@ -30,7 +30,7 @@ public Spoiler spoiler() {

@Override
public boolean answerCorrect(String answer) {
log.info("challenge 23, actualdata: {}, answer: {}", getActualData(), answer);
//log.debug("challenge 23, actualdata: {}, answer: {}", getActualData(), answer);
return getActualData().equals(answer);
}

Expand Up @@ -2,6 +2,7 @@


import lombok.extern.slf4j.Slf4j;
import org.bouncycastle.util.encoders.Hex;
import org.owasp.wrongsecrets.RuntimeEnvironment;
import org.owasp.wrongsecrets.ScoreCard;
import org.owasp.wrongsecrets.challenges.Challenge;
Expand All @@ -10,6 +11,7 @@
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;

import java.nio.charset.StandardCharsets;
import java.util.List;

@Slf4j
Expand All @@ -33,7 +35,7 @@ public Spoiler spoiler() {

@Override
public boolean answerCorrect(String answer) {
log.info("challenge 24, actualdata: {}, answer: {}", getActualData(), answer);
//log.debug("challenge 24, actualdata: {}, answer: {}", getActualData(), answer);
return getActualData().equals(answer);
}

Expand All @@ -58,7 +60,7 @@ public boolean isLimittedWhenOnlineHosted() {
}

public String getActualData() {
return "00010203 04050607 08090A0B 0C0D0E0F 10111213 14151617 18191A1B 1C1D1E1F 20212223 24252627 28292A2B 2C2D2E2F 30313233 34353637 38393A3B 3C3D3E3F";
return new String(Hex.decode("3030303130323033203034303530363037203038303930413042203043304430453046203130313131323133203134313531363137203138313931413142203143314431453146203230323132323233203234323532363237203238323932413242203243324432453246203330333133323333203334333533363337203338333933413342203343334433453346".getBytes(StandardCharsets.UTF_8)));

}
}
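Review bot: In `getActualData()` the decoded bytes are turned into text with `new String(byte[])`, which uses the platform default charset on JDKs before 18. Pass the charset explicitly and drop the round trip through `getBytes`, since `Hex.decode` also accepts a `String`: `return new String(Hex.decode("<hex constant>"), StandardCharsets.UTF_8);`. Hex-encoding the literal only hides it from a plain-text search of the source; it is an encoding, not protection, so a one-line comment saying the obfuscation is deliberate for the challenge would help the next reader. The value is also decoded on every call, where a `private static final` field would decode it once.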
@@ -1,13 +1,16 @@
package org.owasp.wrongsecrets.challenges.docker;

import org.assertj.core.api.Assertions;
import org.bouncycastle.util.encoders.Hex;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.Mock;
import org.mockito.Mockito;
import org.mockito.junit.jupiter.MockitoExtension;
import org.owasp.wrongsecrets.ScoreCard;

import java.nio.charset.StandardCharsets;

@ExtendWith(MockitoExtension.class)
class Challenge24Test {

Expand All @@ -18,7 +21,6 @@ class Challenge24Test {
@Test
void rightAnswerShouldSolveChallenge() {
var challenge = new Challenge24(scoreCard);

Assertions.assertThat(challenge.solved(challenge.spoiler().solution())).isTrue();
Mockito.verify(scoreCard).completeChallenge(challenge);
}
