From ee8d10eef582ea54156f4675a57d615c35ffe014 Mon Sep 17 00:00:00 2001 From: Jeroen Willemsen Date: Sun, 19 May 2024 08:08:12 +0200 Subject: [PATCH 01/16] #809: added first steps for challenge47 based on hardcoded injection --- k8s/secret-challenge-vault-deployment.yml | 6 ++++ pom.xml | 7 +++-- .../challenges/kubernetes/Challenge47.java | 18 ++++++++++++ src/main/resources/application.properties | 1 + .../cypress/e2e/Challenge47Test.cy.js | 28 +++++++++++++++++++ .../kubernetes/Challenge47Test.java | 21 ++++++++++++++ 6 files changed, 78 insertions(+), 3 deletions(-) create mode 100644 src/main/java/org/owasp/wrongsecrets/challenges/kubernetes/Challenge47.java create mode 100644 src/test/K8s-tests/cypress/e2e/Challenge47Test.cy.js create mode 100644 src/test/java/org/owasp/wrongsecrets/challenges/kubernetes/Challenge47Test.java diff --git a/k8s/secret-challenge-vault-deployment.yml b/k8s/secret-challenge-vault-deployment.yml index 09ec7418b..a5b433dac 100644 --- a/k8s/secret-challenge-vault-deployment.yml +++ b/k8s/secret-challenge-vault-deployment.yml @@ -32,6 +32,12 @@ spec: {{ printf "%s=%s" $k $v }} {{ end }} {{ end }} + vault.hashicorp.com/agent-inject-secret-challenge47: "secret/data/codified" + vault.hashicorp.com/agent-inject-template-challenge47: | + {{ with secret "secret/data/codified" }} + {{ range $k, $v := .Data.data }}export challenge47secret="isthiswhatweneed?" + {{ end }} + {{ end }} vault.hashicorp.com/role: "secret-challenge" labels: app: secret-challenge diff --git a/pom.xml b/pom.xml index f62af6318..3867d9338 100644 --- a/pom.xml +++ b/pom.xml @@ -51,7 +51,7 @@ 5.11.0 8.0.3 2.0.3 - 9.0.10 + 9.2.0 4.9.0 3.11.1 5.1.2 @@ -161,6 +161,7 @@ org.testcontainers testcontainers + 1.19.8 test @@ -320,7 +321,7 @@ com.puppycrawl.tools checkstyle - 10.15.0 + 10.16.0 @@ -343,7 +344,7 @@ com.github.spotbugs spotbugs - 4.8.4 + 4.8.5 
diff --git a/src/main/java/org/owasp/wrongsecrets/challenges/kubernetes/Challenge47.java b/src/main/java/org/owasp/wrongsecrets/challenges/kubernetes/Challenge47.java
new file mode 100644
index 000000000..5bf5dea8b
--- /dev/null
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/kubernetes/Challenge47.java
@@ -0,0 +1,18 @@
+package org.owasp.wrongsecrets.challenges.kubernetes;
+
+import org.owasp.wrongsecrets.challenges.FixedAnswerChallenge;
+import org.springframework.beans.factory.annotation.Value;
+
+public class Challenge47 extends FixedAnswerChallenge {
+
+ private final String secret;
+
+ public Challenge47(@Value("${challenge47secret}") String secret) {
+ this.secret = secret;
+ }
+
+ @Override
+ public String getAnswer() {
+ return secret;
+ }
+}
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 1215764b5..af83c3fd8 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -13,6 +13,7 @@ ARG_BASED_PASSWORD=if_you_see_this_please_use_docker_instead
 DOCKER_ENV_PASSWORD=if_you_see_this_please_use_docker_instead
 vaultpassword=if_you_see_this_please_use_K8S_and_Vault
 vaultinjected=if_you_see_this_please_use_K8S_and_Vault
+challenge47secret=if_you_see_this_please_use_K8S_and_Vault
 spring.cloud.vault.uri=https://tobediefined.org
 spring.cloud.vault.authentication=NONE
 spring.cloud.vault.role=none
diff --git a/src/test/K8s-tests/cypress/e2e/Challenge47Test.cy.js b/src/test/K8s-tests/cypress/e2e/Challenge47Test.cy.js
new file mode 100644
index 000000000..cb7c5ecf4
--- /dev/null
+++ b/src/test/K8s-tests/cypress/e2e/Challenge47Test.cy.js
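Review bot: Challenge47 has no class-level Javadoc, so nothing in the source says where `challenge47secret` is supposed to come from or why the answer is a fixed injected value; patch 7 of this series later adds a one-line comment on the constructor, but still no class documentation. Suggested on the class: `/** Challenge 47: the answer is the value of the {@code challenge47secret} property, which in the Kubernetes/Vault deployment is meant to arrive through the Vault agent template in k8s/secret-challenge-vault-deployment.yml; application.properties only carries a placeholder. */`. A short `/** Returns the injected value unchanged. */` on `getAnswer()` would complete it.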
@@ -0,0 +1,28 @@ +describe('Challenge47 Tests', () => { + it('Submitting a Correct Answer', () => { + // Visit the spoiler page and extract the spoiler + cy.visit('/spoil/challenge-47') + cy.get('[data-cy=spoiler-answer]').invoke('text').then(spoilerAnswer => { + // Asserting that the spoiler is not a default value + expect(spoilerAnswer.trim()).to.not.equal('if_you_see_this_please_use_K8S_and_Vault') + expect(spoilerAnswer.trim()).to.not.be.empty + + // Visit the challenge page and submit the spoiler as the answer + cy.visit('/challenge/challenge-47') + cy.get('#answerfield').type(spoilerAnswer.trim()) + cy.get('[data-cy=submit-textbox-btn]').click() + cy.get('[data-cy=success-alert]').should('contain', 'correct') + }) + }) + + it('Submitting an Incorrect Answer', () => { + cy.visit('/challenge/challenge-47') + + // Use a known incorrect answer + cy.get('#answerfield').type('definitely_wrong_answer') + cy.get('[data-cy=submit-textbox-btn]').click() + + // Check for incorrect alert + cy.get('[data-cy=incorrect-alert]').should('contain', 'incorrect') + }) +}) diff --git a/src/test/java/org/owasp/wrongsecrets/challenges/kubernetes/Challenge47Test.java b/src/test/java/org/owasp/wrongsecrets/challenges/kubernetes/Challenge47Test.java new file mode 100644 index 000000000..c7acc79e5 --- /dev/null +++ b/src/test/java/org/owasp/wrongsecrets/challenges/kubernetes/Challenge47Test.java 
@@ -0,0 +1,21 @@ +package org.owasp.wrongsecrets.challenges.kubernetes; + +import static org.assertj.core.api.Assertions.assertThat; + +import org.junit.jupiter.api.Test; + +public class Challenge47Test { + + @Test + void spoilerShouldGiveAnswer() { + var challenge = new Challenge47("answer"); + assertThat(challenge.spoiler().solution()).isEqualTo("answer"); + assertThat(challenge.answerCorrect(challenge.spoiler().solution())).isTrue(); + } + + @Test + void incorrectAnswerShouldNotSolveChallenge() { + var challenge = new Challenge47("answer"); + assertThat(challenge.answerCorrect("wrong answer")).isFalse(); + } +} From cece3c5cb3895e26aebbc014607d19555fa8e214 Mon Sep 17 00:00:00 2001 From: Jeroen Willemsen Date: Sun, 19 May 2024 08:18:49 +0200 Subject: [PATCH 02/16] #809: added injection for challenge46 and 47 where missing --- README.md | 2 ++ k8s-vault-minkube-start.sh | 3 +++ scripts/install-vault.sh | 3 +++ 3 files changed, 8 insertions(+) diff --git a/README.md b/README.md index 80169f5f0..e66fac05a 100644 --- a/README.md +++ b/README.md @@ -425,6 +425,8 @@ export SPRING_CLOUD_VAULT_URI='http://127.0.0.1:8200' export SPRING_CLOUD_VAULT_TOKEN='' vault token create -id="00000000-0000-0000-0000-000000000000" -policy="root" vault kv put secret/secret-challenge vaultpassword.password="$(openssl rand -base64 16)" +vault kv put secret/injected vaultinjected.value="$(openssl rand -base64 16)" +vault kv put secret/codified challenge47secret.value="debugvalue" ``` Now use the `local-vault` profile to do your development. diff --git a/k8s-vault-minkube-start.sh b/k8s-vault-minkube-start.sh index 11786f932..2fa37d6ae 100755 --- a/k8s-vault-minkube-start.sh +++ b/k8s-vault-minkube-start.sh 
@@ -84,6 +84,9 @@ kubectl exec vault-0 -n vault -- vault kv put secret/secret-challenge vaultpassw echo "Putting a challenge key in" kubectl exec vault-0 -n vault -- vault kv put secret/injected vaultinjected.value="$(openssl rand -base64 16)" +echo "Putting a challenge key in" +kubectl exec vault-0 -n vault -- vault kv put secret/codified challenge47secret.value="debugvalue" + echo "Putting a subkey issue in" kubectl exec vault-0 -n vault -- vault kv put secret/wrongsecret aaaauser."$(openssl rand -base64 8)"="$(openssl rand -base64 16)" diff --git a/scripts/install-vault.sh b/scripts/install-vault.sh index c290a0aa3..a07c68715 100644 --- a/scripts/install-vault.sh +++ b/scripts/install-vault.sh @@ -52,6 +52,9 @@ kubectl exec vault-0 -n vault -- vault kv put secret/secret-challenge vaultpassw echo "Putting a challenge key in" kubectl exec vault-0 -n vault -- vault kv put secret/injected vaultinjected.value="$(openssl rand -base64 16)" +echo "Putting a challenge key in" +kubectl exec vault-0 -n vault -- vault kv put secret/codified challenge47secret.value="debugvalue" + echo "Putting a subkey issue in" kubectl exec vault-0 -n vault -- vault kv put secret/wrongsecret aaaauser."$(openssl rand -base64 8)"="$(openssl rand -base64 16)" From 1660b168569dc1898d990d7dcfb0910fdd7a2dd7 Mon Sep 17 00:00:00 2001 From: Jeroen Willemsen Date: Sun, 19 May 2024 08:22:50 +0200 Subject: [PATCH 03/16] #809: more vault love --- scripts/install-vault.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/scripts/install-vault.sh b/scripts/install-vault.sh index a07c68715..ccab34ff4 100644 --- a/scripts/install-vault.sh +++ b/scripts/install-vault.sh 
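Review bot: The new `echo "Putting a challenge key in"` repeats the exact message already printed for the `secret/injected` write directly above it, so the script output no longer shows which of the two `vault kv put` calls is running or has failed; the same duplicate is added to scripts/install-vault.sh in this patch. Suggest `echo "Putting the codified challenge key (secret/codified) in"` in both scripts. Both hunks also store the fixed string `debugvalue`; that is presumably intentional, since the template added in patch 1 never reads the Vault value, but a trailing comment `# value is unused by the challenge47 template; only the path must exist` would save the next reader the question.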
@@ -90,6 +90,9 @@ path "secret/data/application" { path "secret/data/injected" { capabilities = ["read"] } +path "secret/data/codified" { + capabilities = ["read"] +} EOF' kubectl exec vault-0 -n vault -- /bin/sh -c 'vault policy write standard_sre - < Date: Sun, 19 May 2024 09:43:34 +0200 Subject: [PATCH 04/16] Fixed vault policies for k8s buildout --- k8s-vault-minkube-start.sh | 3 +++ pom.xml | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/k8s-vault-minkube-start.sh b/k8s-vault-minkube-start.sh index 2fa37d6ae..d6c6423ee 100755 --- a/k8s-vault-minkube-start.sh +++ b/k8s-vault-minkube-start.sh @@ -124,6 +124,9 @@ path "secret/data/application" { path "secret/data/injected" { capabilities = ["read"] } +path "secret/data/codified" { + capabilities = ["read"] +} EOF' kubectl exec vault-0 -n vault -- /bin/sh -c 'vault policy write standard_sre - <org.owasp wrongsecrets - 1.8.5-SNAPSHOT + 1.8.6A1-SNAPSHOT OWASP WrongSecrets Examples with how to not use secrets From f92092b92434a548215bcffe4e3f0327092558b3 Mon Sep 17 00:00:00 2001 From: Jeroen Willemsen Date: Tue, 21 May 2024 11:07:40 +0200 Subject: [PATCH 05/16] #809: hotwire and first texts --- src/main/resources/explanations/challenge47.adoc | 4 ++++ .../resources/explanations/challenge47_hint.adoc | 8 ++++++++ .../explanations/challenge47_reason.adoc | 16 ++++++++++++++++ .../resources/wrong-secrets-configuration.yaml | 14 ++++++++++++++ 4 files changed, 42 insertions(+) create mode 100644 src/main/resources/explanations/challenge47.adoc create mode 100644 src/main/resources/explanations/challenge47_hint.adoc create mode 100644 src/main/resources/explanations/challenge47_reason.adoc diff --git a/src/main/resources/explanations/challenge47.adoc b/src/main/resources/explanations/challenge47.adoc new file mode 100644 index 000000000..4d160776c --- /dev/null +++ b/src/main/resources/explanations/challenge47.adoc 
@@ -0,0 +1,4 @@ +=== HashiCorp Vault Template Injection Part 2 + +A developer tried to debug why his vault injection did not work. So he hardcoded the secrets "temporary" in the Vault template itself. +Can you find the secret hardcoded in the Vault Template? diff --git a/src/main/resources/explanations/challenge47_hint.adoc b/src/main/resources/explanations/challenge47_hint.adoc new file mode 100644 index 000000000..2bc57a63e --- /dev/null +++ b/src/main/resources/explanations/challenge47_hint.adoc @@ -0,0 +1,8 @@ +This challenge can be solved using the following steps: + +1. Run `kubectl get pods -A` and find secret-challenge-xxx pod name + +2. Run `kubectl exec secret-challenge-xxx -c secret-challenge -n default -- cat vault/secrets/challenge46` where `xxx` is the rest of the randomly generated pod name. +to print the hardcoded value used by the developer. + +Note: if you are running this on a hosted environment, where you do not have access to the Kubernetes cluster, ask the organizer of the hosted solution to execute the commands for you and return the results. diff --git a/src/main/resources/explanations/challenge47_reason.adoc b/src/main/resources/explanations/challenge47_reason.adoc new file mode 100644 index 000000000..aa606ae5f --- /dev/null +++ b/src/main/resources/explanations/challenge47_reason.adoc 
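Review bot: Step 2 of the challenge 47 hint tells the player to `cat vault/secrets/challenge46`, but the file this challenge introduces is the challenge47 one: the annotation in patch 1 is `agent-inject-secret-challenge47`, and the container command in patch 10 sources `/vault/secrets/challenge47`; as written the hint prints the challenge 46 file instead. Change `cat vault/secrets/challenge46` to `cat vault/secrets/challenge47`. Patch 6 rewords this same line and keeps challenge46, so the fix applies there as well.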
@@ -0,0 +1,16 @@ +*Why Vault Template Injection is not always a good idea?* + +While Vault agent injection via templates can be a convenient way to manage secrets in certain scenarios, +there are situations where it might not be the best approach. + +Templates might accidentally expose sensitive information in logs or temporary files. +If not properly configured, secrets could end up in places where they are accessible by unauthorized users or processes. + +Let's consider an example involving a template injection attack in a scripted language like PHP: + +. Imagine a scenario where PHP application uses a template with sensitive information +* where template can look like this: $password = "'; system('rm -rf /'); //" +. When the template is processed it can become: +* $connection = "password='; system('rm -rf /'); //" + +To prevent such issues its crucial to ensure that the values retrieved from Vault are properly validated. diff --git a/src/main/resources/wrong-secrets-configuration.yaml b/src/main/resources/wrong-secrets-configuration.yaml index 5a1433568..9056a8139 100644 --- a/src/main/resources/wrong-secrets-configuration.yaml +++ b/src/main/resources/wrong-secrets-configuration.yaml @@ -752,3 +752,17 @@ configurations: ctf: enabled: true missing_environment: "explanations/missing_vault.adoc" + + - name: Challenge 47 + short-name: "challenge-47" + sources: + - class-name: "org.owasp.wrongsecrets.challenges.kubernetes.Challenge47" + explanation: "explanations/challenge47.adoc" + hint: "explanations/challenge47_hint.adoc" + reason: "explanations/challenge47_reason.adoc" + environments: [ *k8s_vault, *gcp, *aws, *azure ] + difficulty: *expert + category: *vault + ctf: + enabled: true + missing_environment: "explanations/missing_vault.adoc" From ed2223fe3316d309493c27a936b6d0f16ffdb1e0 Mon Sep 17 00:00:00 2001 
From: Jeroen Willemsen Date: Tue, 21 May 2024 11:16:29 +0200 Subject: [PATCH 06/16] Apply suggestions from code review Co-authored-by: Ben de Haan <53901866+bendehaan@users.noreply.github.com> --- src/main/resources/explanations/challenge47.adoc | 2 +- src/main/resources/explanations/challenge47_hint.adoc | 3 +-- src/main/resources/explanations/challenge47_reason.adoc | 2 +- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/src/main/resources/explanations/challenge47.adoc b/src/main/resources/explanations/challenge47.adoc index 4d160776c..b6713a566 100644 --- a/src/main/resources/explanations/challenge47.adoc +++ b/src/main/resources/explanations/challenge47.adoc @@ -1,4 +1,4 @@ === HashiCorp Vault Template Injection Part 2 -A developer tried to debug why his vault injection did not work. So he hardcoded the secrets "temporary" in the Vault template itself. +A developer tried to debug why his vault injection did not work. So, he hardcoded the secrets "temporarily" in the Vault template itself. Can you find the secret hardcoded in the Vault Template? diff --git a/src/main/resources/explanations/challenge47_hint.adoc b/src/main/resources/explanations/challenge47_hint.adoc index 2bc57a63e..402f68bab 100644 --- a/src/main/resources/explanations/challenge47_hint.adoc +++ b/src/main/resources/explanations/challenge47_hint.adoc 
@@ -2,7 +2,6 @@ This challenge can be solved using the following steps: 1. Run `kubectl get pods -A` and find secret-challenge-xxx pod name -2. Run `kubectl exec secret-challenge-xxx -c secret-challenge -n default -- cat vault/secrets/challenge46` where `xxx` is the rest of the randomly generated pod name. -to print the hardcoded value used by the developer. +2. Run `kubectl exec secret-challenge-xxx -c secret-challenge -n default -- cat vault/secrets/challenge46` where `xxx` is the rest of the randomly generated pod name to print the hardcoded value used by the developer. Note: if you are running this on a hosted environment, where you do not have access to the Kubernetes cluster, ask the organizer of the hosted solution to execute the commands for you and return the results. diff --git a/src/main/resources/explanations/challenge47_reason.adoc b/src/main/resources/explanations/challenge47_reason.adoc index aa606ae5f..ab2b4ef06 100644 --- a/src/main/resources/explanations/challenge47_reason.adoc +++ b/src/main/resources/explanations/challenge47_reason.adoc @@ -13,4 +13,4 @@ Let's consider an example involving a template injection attack in a scripted la . When the template is processed it can become: * $connection = "password='; system('rm -rf /'); //" -To prevent such issues its crucial to ensure that the values retrieved from Vault are properly validated. +To prevent such issues it is crucial to ensure that the values retrieved from Vault are properly validated. From ee5c57fe4485b591dc713ca942246b52286ad934 Mon Sep 17 00:00:00 2001 From: Jeroen Willemsen Date: Tue, 21 May 2024 12:00:19 +0200 Subject: [PATCH 07/16] added missing component annotation and test coverage --- k8s/secret-challenge-vault-deployment.yml | 2 +- .../owasp/wrongsecrets/challenges/kubernetes/Challenge47.java | 3 +++ src/main/resources/wrong-secrets-configuration.yaml | 2 +- .../ChallengesControllerWithPresetKubernetesValuesTest.java | 3 ++- 4 files changed, 7 insertions(+), 3 deletions(-) 
diff --git a/k8s/secret-challenge-vault-deployment.yml b/k8s/secret-challenge-vault-deployment.yml index a5b433dac..f6f5fbac0 100644 --- a/k8s/secret-challenge-vault-deployment.yml +++ b/k8s/secret-challenge-vault-deployment.yml @@ -52,7 +52,7 @@ spec: type: RuntimeDefault serviceAccountName: vault containers: - - image: jeroenwillemsen/wrongsecrets:1.8.5-k8s-vault + - image: jeroenwillemsen/wrongsecrets:1.8.6A2-k8s-vault imagePullPolicy: IfNotPresent name: secret-challenge securityContext: diff --git a/src/main/java/org/owasp/wrongsecrets/challenges/kubernetes/Challenge47.java b/src/main/java/org/owasp/wrongsecrets/challenges/kubernetes/Challenge47.java index 5bf5dea8b..d2b87499a 100644 --- a/src/main/java/org/owasp/wrongsecrets/challenges/kubernetes/Challenge47.java +++ b/src/main/java/org/owasp/wrongsecrets/challenges/kubernetes/Challenge47.java @@ -2,11 +2,14 @@ import org.owasp.wrongsecrets.challenges.FixedAnswerChallenge; import org.springframework.beans.factory.annotation.Value; +import org.springframework.stereotype.Component; +@Component public class Challenge47 extends FixedAnswerChallenge { private final String secret; + /** This challenge is about having a secrets injected via Vault template. */ public Challenge47(@Value("${challenge47secret}") String secret) { this.secret = secret; } diff --git a/src/main/resources/wrong-secrets-configuration.yaml b/src/main/resources/wrong-secrets-configuration.yaml index 9056a8139..5c399cf65 100644 --- a/src/main/resources/wrong-secrets-configuration.yaml +++ b/src/main/resources/wrong-secrets-configuration.yaml @@ -761,7 +761,7 @@ configurations: hint: "explanations/challenge47_hint.adoc" reason: "explanations/challenge47_reason.adoc" environments: [ *k8s_vault, *gcp, *aws, *azure ] - difficulty: *expert + difficulty: *normal category: *vault ctf: enabled: true 
diff --git a/src/test/java/org/owasp/wrongsecrets/challenges/kubernetes/ChallengesControllerWithPresetKubernetesValuesTest.java b/src/test/java/org/owasp/wrongsecrets/challenges/kubernetes/ChallengesControllerWithPresetKubernetesValuesTest.java index d79e2bb55..a86bccfe6 100644 --- a/src/test/java/org/owasp/wrongsecrets/challenges/kubernetes/ChallengesControllerWithPresetKubernetesValuesTest.java +++ b/src/test/java/org/owasp/wrongsecrets/challenges/kubernetes/ChallengesControllerWithPresetKubernetesValuesTest.java @@ -57,7 +57,8 @@ void shouldNotShowDisabledChallengeAnywhere() throws Exception { || shortname.contains("11") || shortname.contains("44") || shortname.contains("45") - || shortname.contains("46")) { + || shortname.contains("46") + || shortname.contains("47")) { continue; } mvc.perform(get("/challenge/%s".formatted(challenge.name().shortName()))) From 9545a94684dff575d5957b7ad3c9322416cf1228 Mon Sep 17 00:00:00 2001 From: Jeroen Willemsen Date: Tue, 21 May 2024 12:11:13 +0200 Subject: [PATCH 08/16] updated test version for latest vault challenge --- k8s/secret-challenge-vault-deployment.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/secret-challenge-vault-deployment.yml b/k8s/secret-challenge-vault-deployment.yml index f6f5fbac0..183d184fe 100644 --- a/k8s/secret-challenge-vault-deployment.yml +++ b/k8s/secret-challenge-vault-deployment.yml @@ -52,7 +52,7 @@ spec: type: RuntimeDefault serviceAccountName: vault containers: - - image: jeroenwillemsen/wrongsecrets:1.8.6A2-k8s-vault + - image: jeroenwillemsen/wrongsecrets:1.8.6A3-k8s-vault imagePullPolicy: IfNotPresent name: secret-challenge securityContext: From d874431415cf3d0e827e4e74f3ce1ff2f168bfb1 Mon Sep 17 00:00:00 2001 From: Jeroen Willemsen Date: Tue, 21 May 2024 13:54:14 +0200 Subject: [PATCH 09/16] added todos to k8s template --- k8s/secret-challenge-vault-deployment.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
diff --git a/k8s/secret-challenge-vault-deployment.yml b/k8s/secret-challenge-vault-deployment.yml index 183d184fe..eb5e6de2a 100644 --- a/k8s/secret-challenge-vault-deployment.yml +++ b/k8s/secret-challenge-vault-deployment.yml @@ -29,13 +29,14 @@ spec: vault.hashicorp.com/agent-inject-template-challenge46: | {{ with secret "/secret/data/injected" }} {{ range $k, $v := .Data.data }} - {{ printf "%s=%s" $k $v }} + {{ printf "%s=%s" $k $v }} # now done in filecontext: todo, make it executed outside of it! {{ end }} {{ end }} vault.hashicorp.com/agent-inject-secret-challenge47: "secret/data/codified" vault.hashicorp.com/agent-inject-template-challenge47: | {{ with secret "secret/data/codified" }} - {{ range $k, $v := .Data.data }}export challenge47secret="isthiswhatweneed?" + {{ range $k, $v := .Data.data }} + export challenge47secret="isthiswhatweneed?" # todo: migrate to an env var hardcoded in context of agent and deployment! {{ end }} {{ end }} vault.hashicorp.com/role: "secret-challenge" From 296767a56ec1f89f2081321c2ea65e560072ee82 Mon Sep 17 00:00:00 2001 From: Jeroen Willemsen Date: Tue, 21 May 2024 22:43:08 +0200 Subject: [PATCH 10/16] fix for #809 deployments --- .github/scripts/.bash_history | 2 +- js/index.js | 2 +- k8s/secret-challenge-vault-deployment.yml | 9 +-- src/main/resources/templates/about.html | 92 +++++++++++------------ 4 files changed, 52 insertions(+), 53 deletions(-) diff --git a/.github/scripts/.bash_history b/.github/scripts/.bash_history index 9e71b145c..d2422796b 100644 --- a/.github/scripts/.bash_history +++ b/.github/scripts/.bash_history @@ -347,7 +347,7 @@ rm -rf jdk-18_linux-x64_bin.deb git rebase -i main git rebase -i master git stash -export tempPassword="tJ+u+3d6BlYkT0uT1KrdPqkmuimjC3LmtOm0BukRVyE=" +export tempPassword="oQ30gJfWmJUHS99NffbmxFBQZ5V7Gvo5nPD3g90l+eI=" mvn run tempPassword k6 npx k6 diff --git a/js/index.js b/js/index.js index 872ce6d91..4292196f9 100644 --- a/js/index.js +++ b/js/index.js 
@@ -1,5 +1,5 @@ // eslint-disable-next-line no-unused-vars function secret() { - var password = "/6BjgXY=" + 9 + "2MsE" + 6 + "Ybg=" + 2 + "u1VG" + 7; + var password = "7vaeLn0=" + 9 + "H/Aa" + 6 + "W1M=" + 2 + "QxI3" + 7; return password; } diff --git a/k8s/secret-challenge-vault-deployment.yml b/k8s/secret-challenge-vault-deployment.yml index eb5e6de2a..509e784d5 100644 --- a/k8s/secret-challenge-vault-deployment.yml +++ b/k8s/secret-challenge-vault-deployment.yml @@ -22,22 +22,19 @@ spec: annotations: vault.hashicorp.com/agent-inject: "true" vault.hashicorp.com/tls-skip-verify: "true" - vault.hashicorp.com/agent-inject-status: "update" vault.hashicorp.com/namespace: "default" vault.hashicorp.com/log-level: debug vault.hashicorp.com/agent-inject-secret-challenge46: "secret/data/injected" vault.hashicorp.com/agent-inject-template-challenge46: | {{ with secret "/secret/data/injected" }} {{ range $k, $v := .Data.data }} - {{ printf "%s=%s" $k $v }} # now done in filecontext: todo, make it executed outside of it! + {{ printf "echo %s=%s" $k $v }} {{ end }} {{ end }} vault.hashicorp.com/agent-inject-secret-challenge47: "secret/data/codified" vault.hashicorp.com/agent-inject-template-challenge47: | {{ with secret "secret/data/codified" }} - {{ range $k, $v := .Data.data }} - export challenge47secret="isthiswhatweneed?" # todo: migrate to an env var hardcoded in context of agent and deployment! - {{ end }} + export challenge47secret="isthiswhatweneed?" {{ end }} vault.hashicorp.com/role: "secret-challenge" labels: 
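Review bot: The challenge46 template now renders `echo <key>=<value>` for every entry of `secret/data/injected`, and the container command in the next hunk sources that file, so each Vault secret value is written to the container's stdout and ends up wherever pod logs are collected (`kubectl logs`, the cluster log pipeline). If that is the intended flaw for challenge 46, say so in the manifest so it is not "fixed" later: a YAML comment line such as `# deliberately echoes the secret to stdout; this is part of the challenge` above the `agent-inject-secret-challenge46` annotation (inside the `|` block it would be rendered into the file). If it is not intended, `printf "export %s=%s"` keeps the value in the shell environment without printing it. The challenge47 template keeps the hardcoded `isthiswhatweneed?` value, which matches the challenge text.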
@@ -56,6 +53,8 @@ spec: - image: jeroenwillemsen/wrongsecrets:1.8.6A3-k8s-vault imagePullPolicy: IfNotPresent name: secret-challenge + command: ["/bin/sh"] + args: ["-c", "source /vault/secrets/challenge46 && source /vault/secrets/challenge47 && java -jar -Dspring.profiles.active=kubernetes-vault -Dspringdoc.swagger-ui.enabled=true -Dspringdoc.api-docs.enabled=true -D /application.jar"] securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true diff --git a/src/main/resources/templates/about.html b/src/main/resources/templates/about.html index 3120c3968..f3643f008 100644 --- a/src/main/resources/templates/about.html +++ b/src/main/resources/templates/about.html @@ -129,10 +129,10 @@
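Review bot: The new `args` runs `java` as a child of `/bin/sh -c`, so sh is typically PID 1 and a SIGTERM from the kubelet on pod deletion is not forwarded to the JVM, which then gets SIGKILL at the end of the grace period instead of a clean Spring shutdown; prefixing `exec ` to `java` avoids that. Two smaller points on the same line: `source` is a bash/ash builtin rather than POSIX, so `. /vault/secrets/challenge46` is the portable spelling should the image's /bin/sh turn out to be dash; and the bare `-D ` before `/application.jar` has no `name=value` and looks like a leftover. Suggested: `args: ["-c", ". /vault/secrets/challenge46 && . /vault/secrets/challenge47 && exec java -jar -Dspring.profiles.active=kubernetes-vault -Dspringdoc.swagger-ui.enabled=true -Dspringdoc.api-docs.enabled=true /application.jar"]`.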
  • (Apache License, Version 2.0) Apache Commons Collections (commons-collections:commons-collections:3.2.2 - http://commons.apache.org/collections/)
  • (The Apache Software License, Version 2.0) Commons Digester (commons-digester:commons-digester:2.1 - http://commons.apache.org/digester/)
  • (Apache-2.0) Apache Commons IO (commons-io:commons-io:2.14.0 - https://commons.apache.org/proper/commons-io/)
  • -
  • (The Apache Software License, Version 2.0) Apache Commons Logging (commons-logging:commons-logging:1.2 - http://commons.apache.org/proper/commons-logging/)
  • -
  • (Apache License, Version 2.0) Apache Commons Validator (commons-validator:commons-validator:1.7 - http://commons.apache.org/proper/commons-validator/)
  • +
  • (Apache-2.0) Apache Commons Logging (commons-logging:commons-logging:1.3.0 - https://commons.apache.org/proper/commons-logging/)
  • +
  • (Apache-2.0) Apache Commons Validator (commons-validator:commons-validator:1.8.0 - http://commons.apache.org/proper/commons-validator/)
  • (The Apache License, Version 2.0) jcs3-slf4j (io.github.jeremylong:jcs3-slf4j:1.0.5 - https://github.com/jeremylong/jcs3-slf4j/)
  • -
  • (The Apache License, Version 2.0) open-vulnerability-clients (io.github.jeremylong:open-vulnerability-clients:5.1.1 - https://github.com/jeremylong/vuln-tools/)
  • +
  • (The Apache License, Version 2.0) open-vulnerability-clients (io.github.jeremylong:open-vulnerability-clients:6.0.1 - https://github.com/jeremylong/vuln-tools/)
  • (Apache 2.0) io.grpc:grpc-alts (io.grpc:grpc-alts:1.62.2 - https://github.com/grpc/grpc-java)
  • (Apache 2.0) io.grpc:grpc-api (io.grpc:grpc-api:1.62.2 - https://github.com/grpc/grpc-java)
  • (Apache 2.0) io.grpc:grpc-auth (io.grpc:grpc-auth:1.62.2 - https://github.com/grpc/grpc-java)
  • @@ -213,7 +213,7 @@
  • (Apache-2.0) Apache Commons JCS :: Core (org.apache.commons:commons-jcs3-core:3.2 - http://commons.apache.org/proper/commons-jcs/commons-jcs3-core/)
  • (Apache-2.0) Apache Commons Lang (org.apache.commons:commons-lang3:3.13.0 - https://commons.apache.org/proper/commons-lang/)
  • (Apache-2.0) Apache Commons Pool (org.apache.commons:commons-pool2:2.12.0 - https://commons.apache.org/proper/commons-pool/)
  • -
  • (Apache-2.0) Apache Commons Text (org.apache.commons:commons-text:1.11.0 - https://commons.apache.org/proper/commons-text)
  • +
  • (Apache-2.0) Apache Commons Text (org.apache.commons:commons-text:1.12.0 - https://commons.apache.org/proper/commons-text)
  • (The Apache Software License, Version 2.0) Apache Groovy (org.apache.groovy:groovy:4.0.21 - https://groovy-lang.org)
  • (Apache License, Version 2.0) Apache HttpClient (org.apache.httpcomponents:httpclient:4.5.14 - http://hc.apache.org/httpcomponents-client-ga)
  • (Apache License, Version 2.0) Apache HttpCore (org.apache.httpcomponents:httpcore:4.4.16 - http://hc.apache.org/httpcomponents-core-ga)
  • @@ -222,14 +222,14 @@
  • (Apache License, Version 2.0) Apache HttpComponents Core HTTP/2 (org.apache.httpcomponents.core5:httpcore5-h2:5.2.4 - https://hc.apache.org/httpcomponents-core-5.2.x/5.2.4/httpcore5-h2/)
  • (Apache-2.0) Apache Log4j API (org.apache.logging.log4j:log4j-api:2.21.1 - https://logging.apache.org/log4j/2.x/log4j/log4j-api/)
  • (Apache-2.0) Apache Log4j to SLF4J Adapter (org.apache.logging.log4j:log4j-to-slf4j:2.21.1 - https://logging.apache.org/log4j/2.x/log4j/log4j-to-slf4j/)
  • -
  • (Apache License, Version 2.0) Lucene Common Analyzers (org.apache.lucene:lucene-analyzers-common:8.11.2 - https://lucene.apache.org/lucene-parent/lucene-analyzers-common)
  • -
  • (Apache License, Version 2.0) Lucene Core (org.apache.lucene:lucene-core:8.11.2 - https://lucene.apache.org/lucene-parent/lucene-core)
  • -
  • (Apache License, Version 2.0) Lucene Queries (org.apache.lucene:lucene-queries:8.11.2 - https://lucene.apache.org/lucene-parent/lucene-queries)
  • -
  • (Apache License, Version 2.0) Lucene QueryParsers (org.apache.lucene:lucene-queryparser:8.11.2 - https://lucene.apache.org/lucene-parent/lucene-queryparser)
  • -
  • (Apache License, Version 2.0) Lucene Sandbox (org.apache.lucene:lucene-sandbox:8.11.2 - https://lucene.apache.org/lucene-parent/lucene-sandbox)
  • +
  • (Apache License, Version 2.0) Lucene Common Analyzers (org.apache.lucene:lucene-analyzers-common:8.11.3 - https://lucene.apache.org/lucene-parent/lucene-analyzers-common)
  • +
  • (Apache License, Version 2.0) Lucene Core (org.apache.lucene:lucene-core:8.11.3 - https://lucene.apache.org/lucene-parent/lucene-core)
  • +
  • (Apache License, Version 2.0) Lucene Queries (org.apache.lucene:lucene-queries:8.11.3 - https://lucene.apache.org/lucene-parent/lucene-queries)
  • +
  • (Apache License, Version 2.0) Lucene QueryParsers (org.apache.lucene:lucene-queryparser:8.11.3 - https://lucene.apache.org/lucene-parent/lucene-queryparser)
  • +
  • (Apache License, Version 2.0) Lucene Sandbox (org.apache.lucene:lucene-sandbox:8.11.3 - https://lucene.apache.org/lucene-parent/lucene-sandbox)
  • (The Apache Software License, Version 2.0) Maven Aether Provider (org.apache.maven:maven-aether-provider:3.0 - http://maven.apache.org/maven-aether-provider/)
  • -
  • (Apache-2.0) Maven 4 API Meta annotations (org.apache.maven:maven-api-meta:4.0.0-alpha-7 - https://maven.apache.org/ref/4.0.0-alpha-7/api/maven-api-meta/)
  • -
  • (Apache-2.0) Maven 4 API XML (org.apache.maven:maven-api-xml:4.0.0-alpha-7 - https://maven.apache.org/ref/4.0.0-alpha-7/api/maven-api-xml/)
  • +
  • (Apache-2.0) Maven 4 API :: Meta annotations (org.apache.maven:maven-api-meta:4.0.0-alpha-9 - https://maven.apache.org/ref/4.0.0-alpha-9/api/maven-api-meta/)
  • +
  • (Apache-2.0) Maven 4 API :: XML (org.apache.maven:maven-api-xml:4.0.0-alpha-9 - https://maven.apache.org/ref/4.0.0-alpha-9/api/maven-api-xml/)
  • (The Apache Software License, Version 2.0) Maven Artifact (org.apache.maven:maven-artifact:3.0 - http://maven.apache.org/maven-artifact/)
  • (The Apache Software License, Version 2.0) Maven Core (org.apache.maven:maven-core:3.0 - http://maven.apache.org/maven-core/)
  • (The Apache Software License, Version 2.0) Maven Model (org.apache.maven:maven-model:3.0 - http://maven.apache.org/maven-model/)
  • @@ -238,7 +238,7 @@
  • (The Apache Software License, Version 2.0) Maven Repository Metadata Model (org.apache.maven:maven-repository-metadata:3.0 - http://maven.apache.org/maven-repository-metadata/)
  • (The Apache Software License, Version 2.0) Maven Settings (org.apache.maven:maven-settings:3.0 - http://maven.apache.org/maven-settings/)
  • (The Apache Software License, Version 2.0) Maven Settings Builder (org.apache.maven:maven-settings-builder:3.0 - http://maven.apache.org/maven-settings-builder/)
  • -
  • (Apache-2.0) Implementation of Maven API XML (org.apache.maven:maven-xml-impl:4.0.0-alpha-7 - https://maven.apache.org/ref/4.0.0-alpha-7/maven-xml-impl/)
  • +
  • (Apache-2.0) Implementation of Maven API XML (org.apache.maven:maven-xml-impl:4.0.0-alpha-9 - https://maven.apache.org/ref/4.0.0-alpha-9/maven-xml-impl/)
  • (Apache License, Version 2.0) Doxia :: Logging API (org.apache.maven.doxia:doxia-logging-api:1.11.1 - https://maven.apache.org/doxia/doxia/doxia-logging-api/)
  • (Apache License, Version 2.0) Doxia :: Sink API (org.apache.maven.doxia:doxia-sink-api:1.11.1 - https://maven.apache.org/doxia/doxia/doxia-sink-api/)
  • (Apache License, Version 2.0) Apache Maven Reporting API (org.apache.maven.reporting:maven-reporting-api:3.1.1 - https://maven.apache.org/shared/maven-reporting-api/)
  • @@ -264,8 +264,8 @@
  • (The Apache Software License, Version 2.0) Plexus Classworlds (org.codehaus.plexus:plexus-classworlds:2.2.3 - http://plexus.codehaus.org/plexus-classworlds/)
  • (Apache License, Version 2.0) Plexus :: Component Annotations (org.codehaus.plexus:plexus-component-annotations:2.0.0 - http://codehaus-plexus.github.io/plexus-containers/plexus-component-annotations/)
  • (The Apache Software License, Version 2.0) Plexus Interpolation API (org.codehaus.plexus:plexus-interpolation:1.14 - http://plexus.codehaus.org/plexus-components/plexus-interpolation)
  • -
  • (Apache License, Version 2.0) Plexus Common Utilities (org.codehaus.plexus:plexus-utils:4.0.0 - https://codehaus-plexus.github.io/plexus-pom/plexus-utils/)
  • -
  • (Apache License, Version 2.0) Plexus XML Utilities (org.codehaus.plexus:plexus-xml:4.0.2 - https://codehaus-plexus.github.io/plexus-xml/)
  • +
  • (Apache License, Version 2.0) Plexus Common Utilities (org.codehaus.plexus:plexus-utils:4.0.1 - https://codehaus-plexus.github.io/plexus-utils/)
  • +
  • (Apache License, Version 2.0) Plexus XML Utilities (org.codehaus.plexus:plexus-xml:4.0.3 - https://codehaus-plexus.github.io/plexus-xml/)
  • (The BSD License) Stax2 API (org.codehaus.woodstox:stax2-api:4.2.1 - http://github.com/FasterXML/stax2-api)
  • (Apache 2) org.conscrypt:conscrypt-openjdk-uber (org.conscrypt:conscrypt-openjdk-uber:2.5.2 - https://conscrypt.org/)
  • (Apache-2.0) CycloneDX Core (Java) (org.cyclonedx:cyclonedx-core-java:8.0.3 - https://github.com/CycloneDX/cyclonedx-core-java)
  • @@ -283,12 +283,12 @@
  • (EPL) Dirgra (org.jruby:dirgra:0.3 - https://github.com/jruby/dirgra)
  • (EPL-2.0) (GPL-2.0) (LGPL-2.1) JRuby Main Maven Artifact (org.jruby:jruby:9.4.6.0 - https://github.com/jruby/jruby/jruby-artifacts/jruby)
  • (EPL-2.0) (GPL-2.0) (LGPL-2.1) JRuby Base (org.jruby:jruby-base:9.4.6.0 - https://github.com/jruby/jruby/jruby-base)
  • -
  • (EPL-2.0) (GPL-2.0) (LGPL-2.1) JRuby Complete (org.jruby:jruby-complete:9.4.6.0 - https://github.com/jruby/jruby/jruby-artifacts/jruby-complete)
  • +
  • (EPL-2.0) (GPL-2.0) (LGPL-2.1) JRuby Complete (org.jruby:jruby-complete:9.4.7.0 - https://github.com/jruby/jruby/jruby-artifacts/jruby-complete)
  • (EPL-2.0) (GPL-2.0) (LGPL-2.1) JRuby Lib Setup (org.jruby:jruby-stdlib:9.4.6.0 - https://github.com/jruby/jruby/jruby-stdlib)
  • (BSD) JZlib (org.jruby:jzlib:1.1.5 - http://www.jcraft.com/jzlib/)
  • (MIT License) JCodings (org.jruby.jcodings:jcodings:1.0.58 - http://nexus.sonatype.org/oss-repository-hosting.html/jcodings)
  • (MIT License) Joni (org.jruby.joni:joni:2.2.1 - http://nexus.sonatype.org/oss-repository-hosting.html/joni)
  • -
  • (The MIT License) jsoup Java HTML Parser (org.jsoup:jsoup:1.16.2 - https://jsoup.org/)
  • +
  • (The MIT License) jsoup Java HTML Parser (org.jsoup:jsoup:1.17.2 - https://jsoup.org/)
  • (Public Domain, per Creative Commons CC0) LatencyUtils (org.latencyutils:LatencyUtils:2.0.3 - http://latencyutils.github.io/LatencyUtils/)
  • (Apache License, Version 2.0) KeePassJava2 :: All (org.linguafranca.pwdb:KeePassJava2:2.2.1 - https://github.com/jorabin/KeePassJava2/KeePassJava2)
  • (Apache License, Version 2.0) KeePassJava2 :: DOM (org.linguafranca.pwdb:KeePassJava2-dom:2.2.1 - https://github.com/jorabin/KeePassJava2/KeePassJava2-dom)
  • @@ -302,12 +302,12 @@
  • (BSD-3-Clause) asm-commons (org.ow2.asm:asm-commons:9.2 - http://asm.ow2.io/)
  • (BSD-3-Clause) asm-tree (org.ow2.asm:asm-tree:9.2 - http://asm.ow2.io/)
  • (BSD-3-Clause) asm-util (org.ow2.asm:asm-util:9.2 - http://asm.ow2.io/)
  • -
  • (The Apache Software License, Version 2.0) Dependency-Check Core (org.owasp:dependency-check-core:9.0.10 - https://github.com/jeremylong/DependencyCheck.git/dependency-check-core)
  • -
  • (The Apache Software License, Version 2.0) Dependency-Check Maven Plugin (org.owasp:dependency-check-maven:9.0.10 - https://github.com/jeremylong/DependencyCheck.git/dependency-check-maven)
  • -
  • (The Apache Software License, Version 2.0) Dependency-Check Utils (org.owasp:dependency-check-utils:9.0.10 - https://github.com/jeremylong/DependencyCheck.git/dependency-check-utils)
  • +
  • (The Apache Software License, Version 2.0) Dependency-Check Core (org.owasp:dependency-check-core:9.2.0 - https://github.com/jeremylong/DependencyCheck.git/dependency-check-core)
  • +
  • (The Apache Software License, Version 2.0) Dependency-Check Maven Plugin (org.owasp:dependency-check-maven:9.2.0 - https://github.com/jeremylong/DependencyCheck.git/dependency-check-maven)
  • +
  • (The Apache Software License, Version 2.0) Dependency-Check Utils (org.owasp:dependency-check-utils:9.2.0 - https://github.com/jeremylong/DependencyCheck.git/dependency-check-utils)
  • (The MIT License) Project Lombok (org.projectlombok:lombok:1.18.32 - https://projectlombok.org)
  • (MIT-0) reactive-streams (org.reactivestreams:reactive-streams:1.0.4 - http://www.reactive-streams.org/)
  • -
  • (The MIT License) semver4j (org.semver4j:semver4j:5.2.2 - https://github.com/semver4j/semver4j)
  • +
  • (The MIT License) semver4j (org.semver4j:semver4j:5.3.0 - https://github.com/semver4j/semver4j)
  • (Apache License, Version 2.0) JCL 1.2 implemented over SLF4J (org.slf4j:jcl-over-slf4j:2.0.13 - http://www.slf4j.org)
  • (MIT License) JUL to SLF4J bridge (org.slf4j:jul-to-slf4j:2.0.13 - http://www.slf4j.org)
  • (MIT License) SLF4J API Module (org.slf4j:slf4j-api:2.0.13 - http://www.slf4j.org)
  • @@ -370,33 +370,33 @@
  • (BSD 2-Clause) github-buttons (org.webjars.npm:github-buttons:2.14.1 - https://www.webjars.org)
  • (Common Public 1.0) pecoff4j (org.whitesource:pecoff4j:0.0.2.1 - https://github.com/whitesource/pecoff4j-maven)
  • (Apache License, Version 2.0) SnakeYAML (org.yaml:snakeyaml:2.2 - https://bitbucket.org/snakeyaml/snakeyaml)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: Annotations (software.amazon.awssdk:annotations:2.25.40 - https://aws.amazon.com/sdkforjava/core/annotations)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: HTTP Clients :: Apache (software.amazon.awssdk:apache-client:2.25.40 - https://aws.amazon.com/sdkforjava/http-clients/apache-client)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: Auth (software.amazon.awssdk:auth:2.25.40 - https://aws.amazon.com/sdkforjava)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: AWS Core (software.amazon.awssdk:aws-core:2.25.40 - https://aws.amazon.com/sdkforjava)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: Core :: Protocols :: AWS Json Protocol (software.amazon.awssdk:aws-json-protocol:2.25.40 - https://aws.amazon.com/sdkforjava)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: Core :: Protocols :: AWS Query Protocol (software.amazon.awssdk:aws-query-protocol:2.25.40 - https://aws.amazon.com/sdkforjava)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: Checksums (software.amazon.awssdk:checksums:2.25.40 - https://aws.amazon.com/sdkforjava)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: Checksums SPI (software.amazon.awssdk:checksums-spi:2.25.40 - https://aws.amazon.com/sdkforjava)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: Endpoints SPI (software.amazon.awssdk:endpoints-spi:2.25.40 - https://aws.amazon.com/sdkforjava/core/endpoints-spi)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: HTTP Auth (software.amazon.awssdk:http-auth:2.25.40 - https://aws.amazon.com/sdkforjava)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: HTTP Auth AWS (software.amazon.awssdk:http-auth-aws:2.25.40 - https://aws.amazon.com/sdkforjava)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: HTTP Auth SPI (software.amazon.awssdk:http-auth-spi:2.25.40 - https://aws.amazon.com/sdkforjava)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: HTTP Client Interface (software.amazon.awssdk:http-client-spi:2.25.40 - https://aws.amazon.com/sdkforjava/http-client-spi)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: Identity SPI (software.amazon.awssdk:identity-spi:2.25.40 - https://aws.amazon.com/sdkforjava)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: Core :: Protocols :: Json Utils (software.amazon.awssdk:json-utils:2.25.40 - https://aws.amazon.com/sdkforjava)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: Metrics SPI (software.amazon.awssdk:metrics-spi:2.25.40 - https://aws.amazon.com/sdkforjava/core/metrics-spi)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: HTTP Clients :: Netty Non-Blocking I/O (software.amazon.awssdk:netty-nio-client:2.25.40 - https://aws.amazon.com/sdkforjava/http-clients/netty-nio-client)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: Profiles (software.amazon.awssdk:profiles:2.25.40 - https://aws.amazon.com/sdkforjava)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: Core :: Protocols :: Protocol Core (software.amazon.awssdk:protocol-core:2.25.40 - https://aws.amazon.com/sdkforjava)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: Regions (software.amazon.awssdk:regions:2.25.40 - https://aws.amazon.com/sdkforjava/core/regions)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: SDK Core (software.amazon.awssdk:sdk-core:2.25.40 - https://aws.amazon.com/sdkforjava)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: Services :: AWS Simple Systems Management (SSM) (software.amazon.awssdk:ssm:2.25.40 - https://aws.amazon.com/sdkforjava)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: Services :: AWS STS (software.amazon.awssdk:sts:2.25.40 - https://aws.amazon.com/sdkforjava)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: Third Party :: Jackson-core (software.amazon.awssdk:third-party-jackson-core:2.25.40 - https://aws.amazon.com/sdkforjava)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: Utilities (software.amazon.awssdk:utils:2.25.40 - https://aws.amazon.com/sdkforjava/utils)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: Annotations (software.amazon.awssdk:annotations:2.25.42 - https://aws.amazon.com/sdkforjava/core/annotations)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: HTTP Clients :: Apache (software.amazon.awssdk:apache-client:2.25.42 - https://aws.amazon.com/sdkforjava/http-clients/apache-client)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: Auth (software.amazon.awssdk:auth:2.25.42 - https://aws.amazon.com/sdkforjava)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: AWS Core (software.amazon.awssdk:aws-core:2.25.42 - https://aws.amazon.com/sdkforjava)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: Core :: Protocols :: AWS Json Protocol (software.amazon.awssdk:aws-json-protocol:2.25.42 - https://aws.amazon.com/sdkforjava)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: Core :: Protocols :: AWS Query Protocol (software.amazon.awssdk:aws-query-protocol:2.25.42 - https://aws.amazon.com/sdkforjava)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: Checksums (software.amazon.awssdk:checksums:2.25.42 - https://aws.amazon.com/sdkforjava)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: Checksums SPI (software.amazon.awssdk:checksums-spi:2.25.42 - https://aws.amazon.com/sdkforjava)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: Endpoints SPI (software.amazon.awssdk:endpoints-spi:2.25.42 - https://aws.amazon.com/sdkforjava/core/endpoints-spi)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: HTTP Auth (software.amazon.awssdk:http-auth:2.25.42 - https://aws.amazon.com/sdkforjava)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: HTTP Auth AWS (software.amazon.awssdk:http-auth-aws:2.25.42 - https://aws.amazon.com/sdkforjava)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: HTTP Auth SPI (software.amazon.awssdk:http-auth-spi:2.25.42 - https://aws.amazon.com/sdkforjava)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: HTTP Client Interface (software.amazon.awssdk:http-client-spi:2.25.42 - https://aws.amazon.com/sdkforjava/http-client-spi)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: Identity SPI (software.amazon.awssdk:identity-spi:2.25.42 - https://aws.amazon.com/sdkforjava)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: Core :: Protocols :: Json Utils (software.amazon.awssdk:json-utils:2.25.42 - https://aws.amazon.com/sdkforjava)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: Metrics SPI (software.amazon.awssdk:metrics-spi:2.25.42 - https://aws.amazon.com/sdkforjava/core/metrics-spi)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: HTTP Clients :: Netty Non-Blocking I/O (software.amazon.awssdk:netty-nio-client:2.25.42 - https://aws.amazon.com/sdkforjava/http-clients/netty-nio-client)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: Profiles (software.amazon.awssdk:profiles:2.25.42 - https://aws.amazon.com/sdkforjava)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: Core :: Protocols :: Protocol Core (software.amazon.awssdk:protocol-core:2.25.42 - https://aws.amazon.com/sdkforjava)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: Regions (software.amazon.awssdk:regions:2.25.42 - https://aws.amazon.com/sdkforjava/core/regions)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: SDK Core (software.amazon.awssdk:sdk-core:2.25.42 - https://aws.amazon.com/sdkforjava)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: Services :: AWS Simple Systems Management (SSM) (software.amazon.awssdk:ssm:2.25.42 - https://aws.amazon.com/sdkforjava)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: Services :: AWS STS (software.amazon.awssdk:sts:2.25.42 - https://aws.amazon.com/sdkforjava)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: Third Party :: Jackson-core (software.amazon.awssdk:third-party-jackson-core:2.25.42 - https://aws.amazon.com/sdkforjava)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: Utilities (software.amazon.awssdk:utils:2.25.42 - https://aws.amazon.com/sdkforjava/utils)
  • (Apache License, Version 2.0) AWS Event Stream (software.amazon.eventstream:eventstream:1.0.1 - https://github.com/awslabs/aws-eventstream-java)
  • -
  • (Apache-2.0) CPE Parser (us.springett:cpe-parser:2.0.3 - https://github.com/stevespringett/CPE-Parser)
  • +
  • (Apache-2.0) CPE Parser (us.springett:cpe-parser:2.1.0 - https://github.com/stevespringett/CPE-Parser)
  • From 22bd98b35793c858fb7ad1b1bccaaa6968ba03dc Mon Sep 17 00:00:00 2001 From: Jeroen Willemsen Date: Wed, 22 May 2024 05:31:17 +0200 Subject: [PATCH 11/16] ported k8s challenges to cloud envs --- aws/k8s/secret-challenge-vault-deployment.yml | 21 ++++++++++++++++++- .../secret-challenge-vault-deployment.yml.tpl | 20 ++++++++++++++++++ .../secret-challenge-vault-deployment.yml.tpl | 21 ++++++++++++++++++- 3 files changed, 60 insertions(+), 2 deletions(-) diff --git a/aws/k8s/secret-challenge-vault-deployment.yml b/aws/k8s/secret-challenge-vault-deployment.yml index 6435aebc5..f05571750 100644 --- a/aws/k8s/secret-challenge-vault-deployment.yml +++ b/aws/k8s/secret-challenge-vault-deployment.yml @@ -19,7 +19,24 @@ spec: type: RollingUpdate template: metadata: - creationTimestamp: "2020-10-28T20:21:04Z" + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/tls-skip-verify: "true" + vault.hashicorp.com/namespace: "default" + vault.hashicorp.com/log-level: debug + vault.hashicorp.com/agent-inject-secret-challenge46: "secret/data/injected" + vault.hashicorp.com/agent-inject-template-challenge46: | + {{ with secret "/secret/data/injected" }} + {{ range $k, $v := .Data.data }} + {{ printf "echo %s=%s" $k $v }} + {{ end }} + {{ end }} + vault.hashicorp.com/agent-inject-secret-challenge47: "secret/data/codified" + vault.hashicorp.com/agent-inject-template-challenge47: | + {{ with secret "secret/data/codified" }} + export challenge47secret="isthiswhatweneed?" + {{ end }} + vault.hashicorp.com/role: "secret-challenge" labels: app: secret-challenge name: secret-challenge 
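Review bot: The pod-template annotations added for the AWS deployment set `vault.hashicorp.com/tls-skip-verify: "true"` and `vault.hashicorp.com/log-level: debug`, which disables certificate verification between the Vault Agent sidecar and Vault and makes the agent log what it renders; neither looks like part of the challenge itself, whose intentional weaknesses are the `echo` in the challenge46 template and the hard-coded value in the challenge47 template. If the TLS skip is only a minikube convenience, drop it from the cloud manifests (or point `vault.hashicorp.com/ca-cert` at the cluster CA) and lower the log level to `info` so the rendered secrets are not also written to the agent's log stream. `vault.hashicorp.com/namespace` is the Vault (Enterprise) namespace rather than the Kubernetes one — confirm that is what is intended for the Vault edition deployed here. The same block is repeated in the GCP and Azure templates, so whatever is decided should be applied to all three.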
@@ -44,6 +61,8 @@ spec: - image: jeroenwillemsen/wrongsecrets:1.8.5-k8s-vault imagePullPolicy: IfNotPresent name: secret-challenge + command: [ "/bin/sh" ] + args: [ "-c", "source /vault/secrets/challenge46 && source /vault/secrets/challenge47 && java -jar -Dspring.profiles.active=kubernetes-vault -Dspringdoc.swagger-ui.enabled=true -Dspringdoc.api-docs.enabled=true -D /application.jar" ] securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true diff --git a/azure/k8s/secret-challenge-vault-deployment.yml.tpl b/azure/k8s/secret-challenge-vault-deployment.yml.tpl index 8c1ea3169..3719d2eb6 100644 --- a/azure/k8s/secret-challenge-vault-deployment.yml.tpl +++ b/azure/k8s/secret-challenge-vault-deployment.yml.tpl @@ -1,6 +1,24 @@ apiVersion: apps/v1 kind: Deployment metadata: + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/tls-skip-verify: "true" + vault.hashicorp.com/namespace: "default" + vault.hashicorp.com/log-level: debug + vault.hashicorp.com/agent-inject-secret-challenge46: "secret/data/injected" + vault.hashicorp.com/agent-inject-template-challenge46: | + {{ with secret "/secret/data/injected" }} + {{ range $k, $v := .Data.data }} + {{ printf "echo %s=%s" $k $v }} + {{ end }} + {{ end }} + vault.hashicorp.com/agent-inject-secret-challenge47: "secret/data/codified" + vault.hashicorp.com/agent-inject-template-challenge47: | + {{ with secret "secret/data/codified" }} + export challenge47secret="isthiswhatweneed?" + {{ end }} + vault.hashicorp.com/role: "secret-challenge" labels: app: secret-challenge aadpodidbinding: wrongsecrets-pod-id 
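Review bot: The new `args:` line uses `source`, which is a bash extension, while the entrypoint is `/bin/sh`; on images where `/bin/sh` is dash or a minimal ash the container will fail before `java` is reached, and because the commands are chained with `&&` a missing or unrendered `/vault/secrets/challenge46` also prevents the application from starting at all. Prefer the POSIX form and keep the fail-fast behaviour explicit: `args: ["-c", ". /vault/secrets/challenge46 && . /vault/secrets/challenge47 && java -Dspring.profiles.active=kubernetes-vault -Dspringdoc.swagger-ui.enabled=true -Dspringdoc.api-docs.enabled=true -jar /application.jar"]`. The bare `-D` directly before `/application.jar` looks like a leftover and should be confirmed harmless or removed. Since the Azure and GCP hunks copy this line verbatim, the fix applies to those as well; the container spec continues outside the hunk.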
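Review bot: In the Azure template the injector annotations are added under the Deployment's own top-level `metadata:` (the hunk starts at line 1 of the file, right after `kind: Deployment`), but the Vault Agent injector is a mutating webhook on Pods and reads annotations from the pod template, so unless `spec.template.metadata` further down already carries them no sidecar is injected and `/vault/secrets/challenge46` and `challenge47` never appear — which then makes the `source` in the container args fail. The AWS and GCP hunks place the identical block under `template: metadata:`; move it there in the Azure template too, including `vault.hashicorp.com/agent-inject` and `vault.hashicorp.com/role`, which must be on the pod for the same reason. The rest of the Deployment is outside the hunk, so this should be checked against the full file.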
@@ -44,6 +62,8 @@ spec: - image: jeroenwillemsen/wrongsecrets:4-k8s-vault imagePullPolicy: IfNotPresent name: secret-challenge + command: ["/bin/sh"] + args: ["-c", "source /vault/secrets/challenge46 && source /vault/secrets/challenge47 && java -jar -Dspring.profiles.active=kubernetes-vault -Dspringdoc.swagger-ui.enabled=true -Dspringdoc.api-docs.enabled=true -D /application.jar"] securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true diff --git a/gcp/k8s/secret-challenge-vault-deployment.yml.tpl b/gcp/k8s/secret-challenge-vault-deployment.yml.tpl index a2311f6d9..6d162fcf3 100644 --- a/gcp/k8s/secret-challenge-vault-deployment.yml.tpl +++ b/gcp/k8s/secret-challenge-vault-deployment.yml.tpl @@ -19,7 +19,24 @@ spec: type: RollingUpdate template: metadata: - creationTimestamp: "2020-10-28T20:21:04Z" + annotations: + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/tls-skip-verify: "true" + vault.hashicorp.com/namespace: "default" + vault.hashicorp.com/log-level: debug + vault.hashicorp.com/agent-inject-secret-challenge46: "secret/data/injected" + vault.hashicorp.com/agent-inject-template-challenge46: | + {{ with secret "/secret/data/injected" }} + {{ range $k, $v := .Data.data }} + {{ printf "echo %s=%s" $k $v }} + {{ end }} + {{ end }} + vault.hashicorp.com/agent-inject-secret-challenge47: "secret/data/codified" + vault.hashicorp.com/agent-inject-template-challenge47: | + {{ with secret "secret/data/codified" }} + export challenge47secret="isthiswhatweneed?" + {{ end }} + vault.hashicorp.com/role: "secret-challenge" labels: app: secret-challenge name: secret-challenge 
@@ -42,6 +59,8 @@ spec: - image: jeroenwillemsen/wrongsecrets:1.8.5-k8s-vault imagePullPolicy: IfNotPresent name: secret-challenge + command: ["/bin/sh"] + args: ["-c", "source /vault/secrets/challenge46 && source /vault/secrets/challenge47 && java -jar -Dspring.profiles.active=kubernetes-vault -Dspringdoc.swagger-ui.enabled=true -Dspringdoc.api-docs.enabled=true -D /application.jar"] ports: - containerPort: 8080 protocol: TCP From d6bedcef900cb49c943f55eb7147025d77773a83 Mon Sep 17 00:00:00 2001 From: Jeroen Willemsen Date: Wed, 22 May 2024 05:42:57 +0200 Subject: [PATCH 12/16] Updated necessary explanations for #809 --- src/main/resources/explanations/challenge46.adoc | 7 +++---- src/main/resources/explanations/challenge46_hint.adoc | 11 +++++++---- src/main/resources/explanations/challenge47.adoc | 1 + src/main/resources/explanations/challenge47_hint.adoc | 10 +++++++--- 4 files changed, 18 insertions(+), 11 deletions(-) diff --git a/src/main/resources/explanations/challenge46.adoc b/src/main/resources/explanations/challenge46.adoc index 561578dab..4571ca354 100644 --- a/src/main/resources/explanations/challenge46.adoc +++ b/src/main/resources/explanations/challenge46.adoc 
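Review bot: The GCP container spec goes straight from the new `args:` to `ports:`, with no container-level `securityContext` visible, whereas the AWS and Azure hunks keep `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` immediately after the same lines. If the GCP template has no securityContext for this container elsewhere, add one matching the other clouds: `securityContext:` / `  allowPrivilegeEscalation: false` / `  readOnlyRootFilesystem: true`. A shell entrypoint that sources files rendered by a sidecar is exactly the case where a read-only root filesystem and no privilege escalation limit what a tampered template can do. The container spec continues outside the hunk.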
@@ -1,7 +1,6 @@ === HashiCorp Vault Template Injection -Vault template injection via agent injection typically involves injecting a sidecar container, -known as the Vault Agent, alongside your main application container. -The Vault Agent is responsible for interacting with HashiCorp Vault to retrieve secrets and inject them into the application's runtime environment. +Secrets can be retrieved from Vault using the https://developer.hashicorp.com/vault/docs/platform/k8s/injector[Vault Agent] sidecar container, which runs alongside your main application container. This sidecar can inject the secrets into your applications environment. + One way to do this, is by means of rendering the secrets as a file. The file can then be picked up by your target application. However, in this case, the developer was unsure if the file was picked up, so instead of exporting the secret as an env-var, he `echo`-ed them. -Can you find secret injected into application environment? +Can you find the secret injected into application environment? diff --git a/src/main/resources/explanations/challenge46_hint.adoc b/src/main/resources/explanations/challenge46_hint.adoc index 1e6178d10..b1a498bde 100644 --- a/src/main/resources/explanations/challenge46_hint.adoc +++ b/src/main/resources/explanations/challenge46_hint.adoc 
@@ -1,8 +1,11 @@ -This challenge can be solved using the following steps: +This challenge can be solved using the following ways: -1. Run `kubectl get pods -A` and find secret-challenge-xxx pod name +- Get the data of the sidecar by looking at the files created by Vault Agent sidecar: + 1. Run `kubectl get pods -A` and find secret-challenge-xxx pod name + 2. Run `kubectl exec secret-challenge-xxx -c secret-challenge -n default -- cat vault/secrets/challenge46` where `xxx` is the rest of the randomly generated pod name to print injected secrets from vault. -2. Run `kubectl exec secret-challenge-xxx -c secret-challenge -n default -- cat vault/secrets/challenge46` where `xxx` is the rest of the randomly generated pod name. -to print injected secrets from vault. +- Get the data by checking the logs of the Wrongsecrets pod as the `echo` is being sourced: + 1. Run `kubectl get pods -A` and find secret-challenge-xxx pod name + 2. Run `kubectl logs secret-challenge-xxx` where `xxx` is the rest of the randomly generated pod name to print the logs including the `echo` statement. Note: if you are running this on a hosted environment, where you do not have access to the Kubernetes cluster, ask the organizer of the hosted solution to execute the commands for you and return the results. diff --git a/src/main/resources/explanations/challenge47.adoc b/src/main/resources/explanations/challenge47.adoc index b6713a566..28fa206f2 100644 --- a/src/main/resources/explanations/challenge47.adoc +++ b/src/main/resources/explanations/challenge47.adoc 
@@ -1,4 +1,5 @@ === HashiCorp Vault Template Injection Part 2 +Secrets can be retrieved from Vault using the https://developer.hashicorp.com/vault/docs/platform/k8s/injector[Vault Agent] sidecar container, which runs alongside your main application container. This sidecar can inject the secrets into your applications environment. A developer tried to debug why his vault injection did not work. So, he hardcoded the secrets "temporarily" in the Vault template itself. Can you find the secret hardcoded in the Vault Template? diff --git a/src/main/resources/explanations/challenge47_hint.adoc b/src/main/resources/explanations/challenge47_hint.adoc index 402f68bab..ae936f8d1 100644 --- a/src/main/resources/explanations/challenge47_hint.adoc +++ b/src/main/resources/explanations/challenge47_hint.adoc 
@@ -1,7 +1,11 @@ -This challenge can be solved using the following steps: +This challenge can be solved using the following ways: -1. Run `kubectl get pods -A` and find secret-challenge-xxx pod name +- Get the data of the sidecar by looking at the files created by Vault Agent sidecar: + 1. Run `kubectl get pods -A` and find secret-challenge-xxx pod name + 2. Run `kubectl exec secret-challenge-xxx -c secret-challenge -n default -- cat vault/secrets/challenge46` where `xxx` is the rest of the randomly generated pod name to print the hardcoded value used by the developer. -2. Run `kubectl exec secret-challenge-xxx -c secret-challenge -n default -- cat vault/secrets/challenge46` where `xxx` is the rest of the randomly generated pod name to print the hardcoded value used by the developer. +- Get the data by checking the logs of the Wrongsecrets pod as the export is being sourced: + 1. Run `kubectl get pods -A` and find secret-challenge-xxx pod name + 2. Run `kubectl logs secret-challenge-xxx -c vault-agent` where `xxx` is the rest of the randomly generated pod name to print the logs from the Vault AGent sidecar, which will include logging the export statement. Note: if you are running this on a hosted environment, where you do not have access to the Kubernetes cluster, ask the organizer of the hosted solution to execute the commands for you and return the results. From aa230c9208a1d5025a5037eadaab4ad12e111340 Mon Sep 17 00:00:00 2001 From: Jeroen Willemsen Date: Wed, 22 May 2024 05:57:31 +0200 Subject: [PATCH 13/16] remove nw --- .github/workflows/minikube-vault-test.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/minikube-vault-test.yml b/.github/workflows/minikube-vault-test.yml index 15071a7dd..1378ffe41 100644 --- a/.github/workflows/minikube-vault-test.yml +++ b/.github/workflows/minikube-vault-test.yml 
@@ -54,7 +54,6 @@ jobs: - name: test script run: | ./k8s-vault-minkube-start.sh && sleep 5 && curl http://localhost:8080/spoil/challenge-7 - - name: Run Tests run: | cd src/test/K8s-tests From 5a19b6901cd0068c73c9f07ba8dfe45696e9a106 Mon Sep 17 00:00:00 2001 From: Jeroen Willemsen Date: Wed, 22 May 2024 05:58:47 +0200 Subject: [PATCH 14/16] update minikube version in workflows --- .github/workflows/minikube-k8s-test.yml | 2 +- .github/workflows/minikube-vault-test.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/minikube-k8s-test.yml b/.github/workflows/minikube-k8s-test.yml index ce141db09..167ea8e07 100644 --- a/.github/workflows/minikube-k8s-test.yml +++ b/.github/workflows/minikube-k8s-test.yml @@ -24,7 +24,7 @@ jobs: - name: Start minikube uses: medyagh/setup-minikube@master with: - minikube-version: 1.31.2 + minikube-version: 1.33.0 driver: docker kubernetes-version: v1.28.1 - name: test script diff --git a/.github/workflows/minikube-vault-test.yml b/.github/workflows/minikube-vault-test.yml index 1378ffe41..a4bb15be3 100644 --- a/.github/workflows/minikube-vault-test.yml +++ b/.github/workflows/minikube-vault-test.yml @@ -25,7 +25,7 @@ jobs: - name: Start minikube uses: medyagh/setup-minikube@master with: - minikube-version: 1.31.2 + minikube-version: 1.33.0 driver: docker kubernetes-version: v1.28.1 - name: Setup helm @@ -45,7 +45,7 @@ jobs: - name: Start minikube uses: medyagh/setup-minikube@master with: - minikube-version: 1.31.2 + minikube-version: 1.33.0 driver: docker kubernetes-version: v1.28.1 - name: Setup helm From 7af23de53224d2fd91772b3d91cb499f0763a4fa Mon Sep 17 00:00:00 2001 
From: Jeroen Willemsen Date: Wed, 22 May 2024 06:05:59 +0200 Subject: [PATCH 15/16] update container version --- .github/scripts/.bash_history | 2 +- aws/k8s/secret-challenge-vault-deployment.yml | 2 +- gcp/k8s/secret-challenge-vault-deployment.yml.tpl | 2 +- js/index.js | 2 +- k8s/secret-challenge-deployment.yml | 2 +- k8s/secret-challenge-vault-deployment.yml | 2 +- okteto/k8s/secret-challenge-ctf-deployment.yml | 2 +- okteto/k8s/secret-challenge-deployment.yml | 2 +- pom.xml | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/scripts/.bash_history b/.github/scripts/.bash_history index d2422796b..5d9da2c52 100644 --- a/.github/scripts/.bash_history +++ b/.github/scripts/.bash_history @@ -347,7 +347,7 @@ rm -rf jdk-18_linux-x64_bin.deb git rebase -i main git rebase -i master git stash -export tempPassword="oQ30gJfWmJUHS99NffbmxFBQZ5V7Gvo5nPD3g90l+eI=" +export tempPassword="pHfQ8y4y0esyeomcsed/RvNhAQFDB9ZoCnyB8UlNQJ8=" mvn run tempPassword k6 npx k6 diff --git a/aws/k8s/secret-challenge-vault-deployment.yml b/aws/k8s/secret-challenge-vault-deployment.yml index f05571750..8fe31dab9 100644 --- a/aws/k8s/secret-challenge-vault-deployment.yml +++ b/aws/k8s/secret-challenge-vault-deployment.yml @@ -58,7 +58,7 @@ spec: volumeAttributes: secretProviderClass: "wrongsecrets-aws-secretsmanager" containers: - - image: jeroenwillemsen/wrongsecrets:1.8.5-k8s-vault + - image: jeroenwillemsen/wrongsecrets:1.8.6A4-k8s-vault imagePullPolicy: IfNotPresent name: secret-challenge command: [ "/bin/sh" ] diff --git a/gcp/k8s/secret-challenge-vault-deployment.yml.tpl b/gcp/k8s/secret-challenge-vault-deployment.yml.tpl index 6d162fcf3..90658713f 100644 --- a/gcp/k8s/secret-challenge-vault-deployment.yml.tpl +++ b/gcp/k8s/secret-challenge-vault-deployment.yml.tpl 
@@ -56,7 +56,7 @@ spec: volumeAttributes: secretProviderClass: "wrongsecrets-gcp-secretsmanager" containers: - - image: jeroenwillemsen/wrongsecrets:1.8.5-k8s-vault + - image: jeroenwillemsen/wrongsecrets:1.8.6A4-k8s-vault imagePullPolicy: IfNotPresent name: secret-challenge command: ["/bin/sh"] diff --git a/js/index.js b/js/index.js index 4292196f9..70629c3b0 100644 --- a/js/index.js +++ b/js/index.js @@ -1,5 +1,5 @@ // eslint-disable-next-line no-unused-vars function secret() { - var password = "7vaeLn0=" + 9 + "H/Aa" + 6 + "W1M=" + 2 + "QxI3" + 7; + var password = "0MHz79A=" + 9 + "FCx5" + 6 + "KSI=" + 2 + "Sg/9" + 7; return password; } diff --git a/k8s/secret-challenge-deployment.yml b/k8s/secret-challenge-deployment.yml index 701b72c79..e939ec86a 100644 --- a/k8s/secret-challenge-deployment.yml +++ b/k8s/secret-challenge-deployment.yml @@ -28,7 +28,7 @@ spec: runAsGroup: 2000 fsGroup: 2000 containers: - - image: jeroenwillemsen/wrongsecrets:1.8.5-no-vault + - image: jeroenwillemsen/wrongsecrets:1.8.6A4-no-vault imagePullPolicy: IfNotPresent name: secret-challenge ports: diff --git a/k8s/secret-challenge-vault-deployment.yml b/k8s/secret-challenge-vault-deployment.yml index 509e784d5..840bb5598 100644 --- a/k8s/secret-challenge-vault-deployment.yml +++ b/k8s/secret-challenge-vault-deployment.yml @@ -50,7 +50,7 @@ spec: type: RuntimeDefault serviceAccountName: vault containers: - - image: jeroenwillemsen/wrongsecrets:1.8.6A3-k8s-vault + - image: jeroenwillemsen/wrongsecrets:1.8.6A4-k8s-vault imagePullPolicy: IfNotPresent name: secret-challenge command: ["/bin/sh"] diff --git a/okteto/k8s/secret-challenge-ctf-deployment.yml b/okteto/k8s/secret-challenge-ctf-deployment.yml index 42821e13c..4cd6739e5 100644 --- a/okteto/k8s/secret-challenge-ctf-deployment.yml +++ b/okteto/k8s/secret-challenge-ctf-deployment.yml 
@@ -28,7 +28,7 @@ spec: runAsGroup: 2000 fsGroup: 2000 containers: - - image: jeroenwillemsen/wrongsecrets:1.8.5-no-vault + - image: jeroenwillemsen/wrongsecrets:1.8.6A4-no-vault name: secret-challenge-ctf imagePullPolicy: IfNotPresent securityContext: diff --git a/okteto/k8s/secret-challenge-deployment.yml b/okteto/k8s/secret-challenge-deployment.yml index e8d5b5d0c..73092b5f4 100644 --- a/okteto/k8s/secret-challenge-deployment.yml +++ b/okteto/k8s/secret-challenge-deployment.yml @@ -28,7 +28,7 @@ spec: runAsGroup: 2000 fsGroup: 2000 containers: - - image: jeroenwillemsen/wrongsecrets:1.8.5-no-vault + - image: jeroenwillemsen/wrongsecrets:1.8.6A4-no-vault name: secret-challenge imagePullPolicy: IfNotPresent securityContext: diff --git a/pom.xml b/pom.xml index 1011eac33..7c3e3c558 100644 --- a/pom.xml +++ b/pom.xml @@ -11,7 +11,7 @@ org.owasp wrongsecrets - 1.8.6A1-SNAPSHOT + 1.8.6A4-SNAPSHOT OWASP WrongSecrets Examples with how to not use secrets From 258cbf3175667d5353a811a834de293821626df2 Mon Sep 17 00:00:00 2001 From: Jeroen Willemsen Date: Wed, 22 May 2024 06:50:28 +0200 Subject: [PATCH 16/16] update minikube versions for testing in workflows --- .github/workflows/minikube-k8s-test.yml | 2 +- .github/workflows/minikube-vault-test.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/minikube-k8s-test.yml b/.github/workflows/minikube-k8s-test.yml index 167ea8e07..662ce9235 100644 --- a/.github/workflows/minikube-k8s-test.yml +++ b/.github/workflows/minikube-k8s-test.yml @@ -24,7 +24,7 @@ jobs: - name: Start minikube uses: medyagh/setup-minikube@master with: - minikube-version: 1.33.0 + minikube-version: 1.33.1 driver: docker kubernetes-version: v1.28.1 - name: test script diff --git a/.github/workflows/minikube-vault-test.yml b/.github/workflows/minikube-vault-test.yml index a4bb15be3..0d9391cf0 100644 --- a/.github/workflows/minikube-vault-test.yml +++ b/.github/workflows/minikube-vault-test.yml 
@@ -25,7 +25,7 @@ jobs: - name: Start minikube uses: medyagh/setup-minikube@master with: - minikube-version: 1.33.0 + minikube-version: 1.33.1 driver: docker kubernetes-version: v1.28.1 - name: Setup helm @@ -45,7 +45,7 @@ jobs: - name: Start minikube uses: medyagh/setup-minikube@master with: - minikube-version: 1.33.0 + minikube-version: 1.33.1 driver: docker kubernetes-version: v1.28.1 - name: Setup helm