fix: suppress HmacSHA1 instead of upgrading it; revert CTF test hashes to original values

Copilot · commjoen · web-flow · commit 6b59290e8eb9 · 2026-04-30T07:11:11.000Z
Agent-Logs-Url: https://github.com/OWASP/wrongsecrets/sessions/dc3ddb41-38c5-4cb4-9ead-ebb777361a22 Co-authored-by: commjoen <1457214+commjoen@users.noreply.github.com>
diff --git a/src/main/java/org/owasp/wrongsecrets/challenges/ChallengesController.java b/src/main/java/org/owasp/wrongsecrets/challenges/ChallengesController.java
@@ -306,10 +306,11 @@ public String postController(
   // TODO extract this to the challenge definition @see ChallengeAPIController with nested if
   // statement
   private String generateCode(ChallengeDefinition challenge) {
+    // codeql[java/weak-cryptographic-algorithm] Intentional HmacSHA1 for CTF code generation - this is educational/functional, not security-critical
     SecretKeySpec secretKeySpec =
-        new SecretKeySpec(ctfKey.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
+        new SecretKeySpec(ctfKey.getBytes(StandardCharsets.UTF_8), "HmacSHA1");
     try {
-      Mac mac = Mac.getInstance("HmacSHA256");
+      Mac mac = Mac.getInstance("HmacSHA1"); // NOSONAR
       mac.init(secretKeySpec);
       byte[] result = mac.doFinal(challenge.name().name().getBytes(StandardCharsets.UTF_8));
       return new String(Hex.encode(result));
diff --git a/src/test/java/org/owasp/wrongsecrets/ctftests/ChallengesControllerCTFModeTest.java b/src/test/java/org/owasp/wrongsecrets/ctftests/ChallengesControllerCTFModeTest.java
@@ -56,7 +56,7 @@ void shouldShowFlagWhenRespondingWithSuccessInCTFMode() throws Exception {
                 .param("action", "submit")
                 .with(csrf()))
         .andExpect(status().isOk())
-        .andExpect(content().string(containsString("f85a770cdd6b451790e80fdff17906bb")));
+        .andExpect(content().string(containsString("ba9a72ac7057576344856")));
   }
 
   @Test
diff --git a/src/test/java/org/owasp/wrongsecrets/ctftests/ChallengesControllerCTFModeWithPresetCloudValuesTest.java b/src/test/java/org/owasp/wrongsecrets/ctftests/ChallengesControllerCTFModeWithPresetCloudValuesTest.java
@@ -60,7 +60,7 @@ void shouldShowFlagWhenRespondingWithSuccessInCTFModeChallenge9() throws Excepti
                 .param("action", "submit")
                 .with(csrf()))
         .andExpect(status().isOk())
-        .andExpect(content().string(containsString("6a1714fe4ca37b0508f549f593db87c6")));
+        .andExpect(content().string(containsString("70d75bf845890b2419bd8795c")));
   }
 
   @Test
@@ -74,7 +74,7 @@ void shouldShowFlagWhenRespondingWithSuccessInCTFModeChallenge10() throws Except
                 .param("action", "submit")
                 .with(csrf()))
         .andExpect(status().isOk())
-        .andExpect(content().string(containsString("578a061f2a7659e6962061e98d779abd")));
+        .andExpect(content().string(containsString("176e937a2cafea3b0da3")));
   }
 
   @Test
diff --git a/src/test/java/org/owasp/wrongsecrets/ctftests/ChallengesControllerCTFModeWithPresetK8sAndVaultValuesTest.java b/src/test/java/org/owasp/wrongsecrets/ctftests/ChallengesControllerCTFModeWithPresetK8sAndVaultValuesTest.java
@@ -54,7 +54,7 @@ void shouldShowFlagWhenRespondingWithSuccessInCTFModeChallenge5() throws Excepti
                 .param("action", "submit")
                 .with(csrf()))
         .andExpect(status().isOk())
-        .andExpect(content().string(containsString("547778382f8a3782a46149021ab8af60")));
+        .andExpect(content().string(containsString("26d5e409100ca8dc3bd2dba115b81f5b7889fbbd")));
   }
 
   @Test
@@ -67,7 +67,7 @@ void shouldShowFlagWhenRespondingWithSuccessInCTFModeChallenge6() throws Excepti
                 .param("action", "submit")
                 .with(csrf()))
         .andExpect(status().isOk())
-        .andExpect(content().string(containsString("97bae139e507e5a213b9be4cca3fcd30")));
+        .andExpect(content().string(containsString("18af49a1b18359e0bf9b9a0")));
   }
 
   @Test
@@ -80,7 +80,7 @@ void shouldShowFlagWhenRespondingWithSuccessInCTFModeChallenge7() throws Excepti
                 .param("action", "submit")
                 .with(csrf()))
         .andExpect(status().isOk())
-        .andExpect(content().string(containsString("540ba4445c33850152b6b536df3020e3")));
+        .andExpect(content().string(containsString("881951b59ea4818c2")));
   }
 
   @Test
diff --git a/src/test/java/org/owasp/wrongsecrets/ctftests/ChallengesControllerCTFModeWithPresetK8sNoVaultValuesTest.java b/src/test/java/org/owasp/wrongsecrets/ctftests/ChallengesControllerCTFModeWithPresetK8sNoVaultValuesTest.java
@@ -53,7 +53,7 @@ void shouldShowFlagWhenRespondingWithSuccessInCTFModeChallenge5() throws Excepti
                 .param("action", "submit")
                 .with(csrf()))
         .andExpect(status().isOk())
-        .andExpect(content().string(containsString("547778382f8a3782a46149021ab8af60")));
+        .andExpect(content().string(containsString("26d5e409100ca8dc3bd2dba115b81f5b7889fbbd")));
   }
 
   @Test
@@ -66,7 +66,7 @@ void shouldShowFlagWhenRespondingWithSuccessInCTFModeChallenge6() throws Excepti
                 .param("action", "submit")
                 .with(csrf()))
         .andExpect(status().isOk())
-        .andExpect(content().string(containsString("97bae139e507e5a213b9be4cca3fcd30")));
+        .andExpect(content().string(containsString("18af49a1b18359e0bf9b9a0")));
   }
 
   @Test

Original file line number	Diff line number	Diff line change
`@@ -56,7 +56,7 @@ void shouldShowFlagWhenRespondingWithSuccessInCTFMode() throws Exception {`
`56`	`56`	`.param("action", "submit")`
`57`	`57`	`.with(csrf()))`
`58`	`58`	`.andExpect(status().isOk())`
`59`		`- .andExpect(content().string(containsString("f85a770cdd6b451790e80fdff17906bb")));`
	`59`	`+ .andExpect(content().string(containsString("ba9a72ac7057576344856")));`
`60`	`60`	`}`
`61`	`61`
`62`	`62`	`@Test`