
Commit 68508df

authored
Merge pull request #2470 from OWASP/copilot/add-swift-binary-to-wrongsecrets
Add Swift binary challenge (Challenge 64)
2 parents e00abb4 + 552bedc commit 68508df

24 files changed

Lines changed: 186 additions & 2 deletions

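--- a/.github/scripts/docker-create.sh
+++ b/.github/scripts/docker-create.sh
@@ -354,12 +354,51 @@ build_update_pom() {
 cd ../.. && ./mvnw clean && ./mvnw --batch-mode release:update-versions -DdevelopmentVersion=${tag}-SNAPSHOT && ./mvnw spotless:apply && ./mvnw install -DskipTests
 cd .github/scripts
 echo "Removing unnecessary binaries from the jar file"
+# macOS / non-Linux binaries (never used in the Alpine Docker container)
 zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-golang
 zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-golang-arm
+zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-c
+zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-c-arm
+zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-advanced-c
+zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-advanced-c-arm
+zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-advanced-c-arm-stripped
+zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-advanced-c-stripped
+zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-cplus
+zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-cplus-arm
+zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-challenge52-c
+zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-challenge52-c-arm
+zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-challenge53-c
+zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-challenge53-c-arm
+zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-rust
+zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-rust-arm
 zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-dotnet
 zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-dotnet-arm
+zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-swift
+zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-swift-arm
+zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-swift-ctf
+zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-swift-arm-ctf
+# Linux glibc (non-musl) binaries (Alpine uses musl; golang uses glibc linux binary intentionally)
+zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-c-linux
+zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-c-linux-arm
+zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-advanced-c-linux
+zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-advanced-c-linux-arm
+zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-advanced-c-linux-arm-stripped
+zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-advanced-c-linux-stripped
+zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-cplus-linux
+zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-cplus-linux-arm
+zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-challenge52-c-linux
+zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-challenge52-c-linux-arm
+zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-challenge53-c-linux
+zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-challenge53-c-linux-arm
+zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-rust-linux
+zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-rust-linux-arm
 zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-dotnet-linux
 zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-dotnet-linux-arm
+zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-swift-linux
+zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-swift-linux-arm
+zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-swift-linux-ctf
+zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-swift-linux-arm-ctf
+# Windows binaries
 zip -d ../../target/*.jar BOOT-INF/classes/executables/*.exe
 docker buildx create --name mybuilder
 docker buildx use mybuilder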
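Review bot: The removal list in `build_update_pom` is a hand-maintained denylist, so any binary added to `executables/` later and not listed here stays in the release jar, and a misspelled entry only produces a zip warning whose exit status nothing in the visible lines checks. `zip -d` accepts several entries in one call, e.g. `zip -d ../../target/*.jar BOOT-INF/classes/executables/wrongsecrets-c BOOT-INF/classes/executables/wrongsecrets-c-arm`, which avoids rewriting the jar once per name and gives a single status to test. A sturdier form would delete everything under `BOOT-INF/classes/executables/` except the names the container actually runs, so the default for a new binary is removal. `build_update_pom` starts and ends outside the hunk.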

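--- a/Dockerfile
+++ b/Dockerfile
@@ -45,6 +45,7 @@ COPY --chown=wrongsecrets .github/scripts/ /var/tmp/helpers
 COPY --chown=wrongsecrets .github/scripts/.bash_history /home/wrongsecrets/
 COPY --chown=wrongsecrets src/main/resources/executables/wrongsecrets*linux-musl* /home/wrongsecrets/
 COPY --chown=wrongsecrets src/main/resources/executables/wrongsecrets-golang-linux /home/wrongsecrets/
+COPY --chown=wrongsecrets src/main/resources/executables/wrongsecrets-golang-linux-arm /home/wrongsecrets/
 COPY --chown=wrongsecrets src/test/resources/alibabacreds.kdbx /var/tmp/helpers
 COPY --chown=wrongsecrets src/test/resources/RSAprivatekey.pem /var/tmp/helpers/
 COPY --chown=wrongsecrets .ssh/ /home/wrongsecrets/.ssh/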

js/package-lock.json

Lines changed: 3 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
Lines changed: 20 additions & 0 deletions
@@ -0,0 +1,20 @@
1+
package org.owasp.wrongsecrets.challenges.docker;
2+
3+
import lombok.extern.slf4j.Slf4j;
4+
import org.owasp.wrongsecrets.challenges.FixedAnswerChallenge;
5+
import org.owasp.wrongsecrets.challenges.docker.binaryexecution.BinaryExecutionHelper;
6+
import org.owasp.wrongsecrets.challenges.docker.binaryexecution.MuslDetectorImpl;
7+
import org.springframework.stereotype.Component;
8+
9+
/** This challenge is about finding a secret hardcoded in a Swift binary. */
10+
@Slf4j
11+
@Component
12+
public class Challenge64 extends FixedAnswerChallenge {
13+
14+
@Override
15+
public String getAnswer() {
16+
BinaryExecutionHelper binaryExecutionHelper =
17+
new BinaryExecutionHelper(64, new MuslDetectorImpl());
18+
return binaryExecutionHelper.executeCommand("", "wrongsecrets-swift");
19+
}
20+
}
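Review bot: `@Slf4j` on `Challenge64` generates a logger that nothing in the class uses, so the annotation and its `lombok.extern.slf4j.Slf4j` import can be dropped. The class Javadoc would be more useful if it said how the answer is obtained, for example `/** Challenge 64: the answer is the output of the bundled wrongsecrets-swift binary run with an empty guess. */`. If `executeCommand` returns the `ERROR_EXECUTION` string when the binary cannot be started (the constant in `BinaryExecutionHelper` suggests it may), that string becomes the value returned by `getAnswer()`, so a test asserting the answer differs from it is worth adding.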

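--- a/src/main/java/org/owasp/wrongsecrets/challenges/docker/binaryexecution/BinaryExecutionHelper.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/binaryexecution/BinaryExecutionHelper.java
@@ -8,6 +8,8 @@
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import java.io.*;
 import java.nio.charset.StandardCharsets;
+import java.util.ArrayList;
+import java.util.List;
 import java.util.stream.Collectors;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.io.FileUtils;
@@ -22,6 +24,10 @@ private enum BinaryInstructionForFile {
 Guess
 }
 
+private static final String[] SWIFT_LIB_PATHS = {
+"/usr/share/swift/usr/lib/swift/linux", "/usr/lib/swift/linux", "/usr/local/lib/swift/linux"
+};
+
 public static final String ERROR_EXECUTION = EXECUTION_ERROR;
 private final int challengeNumber;
 
@@ -128,6 +134,9 @@ private String executeCommand(
 }
 }
 ps.redirectErrorStream(true);
+if (execFile.getPath().contains("swift")) {
+configureSwiftLibraryPath(ps);
+}
 Process pr = ps.start();
 try (BufferedReader in =
 new BufferedReader(new InputStreamReader(pr.getInputStream(), StandardCharsets.UTF_8))) {
@@ -272,4 +281,24 @@ private void deleteFile(File execFile) {
 log.info("Deleting the file {} failed...", execFile.getPath());
 }
 }
+
+private void configureSwiftLibraryPath(ProcessBuilder ps) {
+List<String> existingPaths = new ArrayList<>();
+String currentLdPath = ps.environment().get("LD_LIBRARY_PATH");
+if (!Strings.isNullOrEmpty(currentLdPath)) {
+existingPaths.add(currentLdPath);
+}
+for (String path : SWIFT_LIB_PATHS) {
+File dir = new File(path);
+if (dir.exists() && dir.isDirectory()) {
+log.info("Found Swift library path: {}", path);
+existingPaths.add(path);
+}
+}
+if (!existingPaths.isEmpty()) {
+String ldPath = String.join(":", existingPaths);
+log.info("Setting LD_LIBRARY_PATH for Swift binary: {}", ldPath);
+ps.environment().put("LD_LIBRARY_PATH", ldPath);
+}
+}
 }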
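Review bot: The `execFile.getPath().contains("swift")` test added in `executeCommand` matches on the whole path, so any challenge binary extracted under a directory whose name happens to contain "swift" also gets the modified environment; matching on the file name, `if (execFile.getName().contains("swift")) {`, keeps it scoped to the Swift binaries. In `configureSwiftLibraryPath`, the inherited `LD_LIBRARY_PATH` and the three fixed directories decide which shared libraries the child process loads, so the method deserves a short Javadoc stating that these directories are expected to be writable only by root and why the inherited value is kept first. `dir.exists() && dir.isDirectory()` can be just `dir.isDirectory()`, and the two `log.info` calls run on every execution and would read better at debug level. `executeCommand` starts and ends outside its hunk.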
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
# syntax=docker/dockerfile:1.21
2+
# Test that the wrongsecrets-swift musl binary runs correctly on Alpine.
3+
# The musl binaries are fully statically linked (Swift runtime embedded), so they
4+
# run natively on Alpine's musl libc without any extra shared libraries.
5+
6+
FROM alpine:3.21
7+
8+
# Copy the Linux musl x86_64 binary (build context is the repo root)
9+
COPY src/main/resources/executables/wrongsecrets-swift-linux-musl /wrongsecrets-swift
10+
RUN chmod +x /wrongsecrets-swift
11+
12+
# Run the binary and verify it produces non-empty output (the hardcoded secret)
13+
CMD ["/bin/sh", "-c", "OUTPUT=$(/wrongsecrets-swift) && [ -n \"$OUTPUT\" ] && echo \"Swift binary works: $OUTPUT\" || (echo 'Swift binary failed or produced no output' && exit 1)"]
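Review bot: The `CMD` on line 13 echoes `$OUTPUT`, which the comment above it identifies as the hardcoded secret, so every run of this test writes the Challenge 64 answer into the job log; reporting only that output was produced, e.g. `echo \"Swift binary works (${#OUTPUT} bytes)\"`, keeps the check without publishing the value. Because the check lives in `CMD`, `docker build` succeeds even when the binary is broken and only the exit status of `docker run` shows the failure, so the calling workflow has to run the image and test that status. Only the x86_64 musl binary is exercised here; if an ARM musl build ships as well, it is not covered by this test.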
177 KB
Binary file not shown.
177 KB
Binary file not shown.
177 KB
Binary file not shown.
177 KB
Binary file not shown.
