remove logging that leaks the secret

Author: commjoen

src/main/java/org/owasp/wrongsecrets/challenges/cloud/Challenge11.java

@@ -137,7 +137,7 @@ private String getAWSChallenge11Value() {
                     .build();
 
                 AssumeRoleWithWebIdentityResponse tokenResponse = stsClient.assumeRoleWithWebIdentity(webIdentityRequest);
-                log.info("The token value is " + tokenResponse.credentials().sessionToken());
+                //log.debug("The token value is " + tokenResponse.credentials().sessionToken());
                 SsmClient ssmClient = SsmClient.builder()
                     .region(Region.of(awsRegion))
                     .credentialsProvider(StsAssumeRoleWithWebIdentityCredentialsProvider.builder()
@@ -150,7 +150,7 @@ private String getAWSChallenge11Value() {
                     .withDecryption(true)
                     .build();
                 GetParameterResponse parameterResponse = ssmClient.getParameter(parameterRequest);
-                log.info("The parameter value is " + parameterResponse.parameter().value());
+                //log.debug("The parameter value is " + parameterResponse.parameter().value());
                 ssmClient.close();
                 return parameterResponse.parameter().value();
             } catch (StsException e) {
@@ -188,7 +188,7 @@ private String getGCPChallenge11Value() {
 
     private String getAzureChallenge11Value() {
         if (isAzure()) {
-            log.info(String.format("Using Azure Key Vault URI: %s", azureVaultUri));
+            //log.debug(String.format("Using Azure Key Vault URI: %s", azureVaultUri));
             return azureWrongSecret3;
         }
         log.error("Fetching secret from Azure did not work, returning default");

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge12.java

@@ -39,7 +39,7 @@ public Spoiler spoiler() {
 
     @Override
     public boolean answerCorrect(String answer) {
-        log.info("challenge 12, actualdata: {}, answer: {}", getActualData(), answer);
+        //log.debug("challenge 12, actualdata: {}, answer: {}", getActualData(), answer);
         return getActualData().equals(answer);
     }
 

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge13.java

@@ -71,7 +71,7 @@ public boolean isLimittedWhenOnlineHosted() {
 
     private boolean isKeyCorrect(String base64EncodedKey) {
         if (Strings.isEmpty(base64EncodedKey) || Strings.isEmpty(plainText) || Strings.isEmpty(cipherText)) {
-            log.info("Checking secret with values {}, {}, {}", base64EncodedKey, plainText, cipherText);
+            //log.debug("Checking secret with values {}, {}, {}", base64EncodedKey, plainText, cipherText);
             return false;
         }
 

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge14.java

@@ -77,7 +77,7 @@ public boolean isLimittedWhenOnlineHosted() {
 
     private String findAnswer() {
         if (Strings.isEmpty(keepassxPassword)) {
-            log.info("Checking secret with values {}", keepassxPassword);
+            //log.debug("Checking secret with values {}", keepassxPassword);
             return defaultKeepassValue;
         }
         KdbxCreds creds = new KdbxCreds(keepassxPassword.getBytes());
@@ -95,7 +95,7 @@ private String findAnswer() {
 
     private boolean isanswerCorrectInKeeyPassx(String answer) {
         if (Strings.isEmpty(keepassxPassword) || Strings.isEmpty(answer)) {
-            log.info("Checking secret with values {}, {}", keepassxPassword, answer);
+            //log.debug("Checking secret with values {}, {}", keepassxPassword, answer);
             return false;
         }
         return answer.equals(findAnswer());

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge16.java

@@ -39,7 +39,7 @@ public Spoiler spoiler() {
 
     @Override
     public boolean answerCorrect(String answer) {
-        log.info("challenge 16, actualdata: {}, answer: {}", getActualData(), answer);
+        //log.debug("challenge 16, actualdata: {}, answer: {}", getActualData(), answer);
         return getActualData().equals(answer);
     }
 

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge17.java

@@ -39,7 +39,7 @@ public Spoiler spoiler() {
 
     @Override
     public boolean answerCorrect(String answer) {
-        log.info("challenge 17, actualdata: {}, answer: {}", getActualData(), answer);
+        //log.debug("challenge 17, actualdata: {}, answer: {}", getActualData(), answer);
         return getActualData().equals(answer);
     }
 

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge23.java

@@ -30,7 +30,7 @@ public Spoiler spoiler() {
 
     @Override
     public boolean answerCorrect(String answer) {
-        log.info("challenge 23, actualdata: {}, answer: {}", getActualData(), answer);
+        //log.debug("challenge 23, actualdata: {}, answer: {}", getActualData(), answer);
         return getActualData().equals(answer);
     }
 

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge24.java

@@ -2,6 +2,7 @@
 
 
 import lombok.extern.slf4j.Slf4j;
+import org.bouncycastle.util.encoders.Hex;
 import org.owasp.wrongsecrets.RuntimeEnvironment;
 import org.owasp.wrongsecrets.ScoreCard;
 import org.owasp.wrongsecrets.challenges.Challenge;
@@ -10,6 +11,7 @@
 import org.springframework.core.annotation.Order;
 import org.springframework.stereotype.Component;
 
+import java.nio.charset.StandardCharsets;
 import java.util.List;
 
 @Slf4j
@@ -33,7 +35,7 @@ public Spoiler spoiler() {
 
     @Override
     public boolean answerCorrect(String answer) {
-        log.info("challenge 24, actualdata: {}, answer: {}", getActualData(), answer);
+        //log.debug("challenge 24, actualdata: {}, answer: {}", getActualData(), answer);
         return getActualData().equals(answer);
     }
 
@@ -58,7 +60,7 @@ public boolean isLimittedWhenOnlineHosted() {
     }
 
     public String getActualData() {
-        return "00010203 04050607 08090A0B 0C0D0E0F 10111213 14151617 18191A1B 1C1D1E1F 20212223 24252627 28292A2B 2C2D2E2F 30313233 34353637 38393A3B 3C3D3E3F";
+        return new String(Hex.decode("3030303130323033203034303530363037203038303930413042203043304430453046203130313131323133203134313531363137203138313931413142203143314431453146203230323132323233203234323532363237203238323932413242203243324432453246203330333133323333203334333533363337203338333933413342203343334433453346".getBytes(StandardCharsets.UTF_8)));
 
     }
 }

src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge24Test.java

@@ -1,13 +1,16 @@
 package org.owasp.wrongsecrets.challenges.docker;
 
 import org.assertj.core.api.Assertions;
+import org.bouncycastle.util.encoders.Hex;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Mock;
 import org.mockito.Mockito;
 import org.mockito.junit.jupiter.MockitoExtension;
 import org.owasp.wrongsecrets.ScoreCard;
 
+import java.nio.charset.StandardCharsets;
+
 @ExtendWith(MockitoExtension.class)
 class Challenge24Test {
 
@@ -18,7 +21,6 @@ class Challenge24Test {
     @Test
     void rightAnswerShouldSolveChallenge() {
         var challenge = new Challenge24(scoreCard);
-
         Assertions.assertThat(challenge.solved(challenge.spoiler().solution())).isTrue();
         Mockito.verify(scoreCard).completeChallenge(challenge);
     }