Fix CI failures: restore password property, fix CRLF injection, fix Dockerfile versions

Co-authored-by: commjoen <1457214+commjoen@users.noreply.github.com>

Author: Copilot

Dockerfile

@@ -1,7 +1,7 @@
 FROM bellsoft/liberica-openjre-debian:25-cds AS builder
 WORKDIR /builder
 
-ARG argBasedVersion="1.13.1-alpha11"
+ARG argBasedVersion="1.13.1-alpha6"
 
 COPY --chown=wrongsecrets target/wrongsecrets-${argBasedVersion}-SNAPSHOT.jar application.jar
 RUN java -Djarmode=tools -jar application.jar extract --layers --destination extracted

Dockerfile.web

@@ -1,5 +1,5 @@
-FROM jeroenwillemsen/wrongsecrets:1.13.1-alpha11-no-vault
-ARG argBasedVersion="1.13.1-alpha11-no-vault"
+FROM jeroenwillemsen/wrongsecrets:1.13.1-alpha6-no-vault
+ARG argBasedVersion="1.13.1-alpha6-no-vault"
 ARG spring_profile="without-vault"
 ARG CANARY_URLS="http://canarytokens.com/terms/about/s7cfbdakys13246ewd8ivuvku/post.jsp,http://canarytokens.com/terms/about/y0all60b627gzp19ahqh7rl6j/post.jsp"
 ARG CTF_ENABLED=false

src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge61/TelegramWebhookController.java

@@ -57,7 +57,7 @@ public ResponseEntity<String> handleWebhook(
     }
 
     try {
-      logger.info("Received webhook update: {}", update.get("update_id"));
+      logger.info("Received webhook update: {}", sanitizeForLog(String.valueOf(update.get("update_id"))));
 
       // Check if this is a message update
       if (update.containsKey("message")) {
@@ -104,7 +104,7 @@ private void sendSecretMessage(Object chatId) {
       Map<String, Object> response = restTemplate.getForObject(sendMessageUrl, Map.class);
 
       if (response != null && Boolean.TRUE.equals(response.get("ok"))) {
-        logger.info("Successfully sent secret message to chat_id: {}", chatId);
+        logger.info("Successfully sent secret message to chat_id: {}", sanitizeForLog(String.valueOf(chatId)));
       } else {
         logger.warn("Failed to send message to Telegram");
       }
@@ -114,6 +114,13 @@ private void sendSecretMessage(Object chatId) {
     }
   }
 
+  private String sanitizeForLog(String value) {
+    if (value == null) {
+      return "null";
+    }
+    return value.replaceAll("[\r\n]", "_");
+  }
+
   private String getBotToken() {
     // Same double-encoded bot token as in Challenge61
     String encodedToken =

src/main/resources/application.properties

@@ -5,7 +5,7 @@ spring.web.resources.cache.period=PT2H
 server.compression.enabled=true
 spring.config.import=classpath:/wrong-secrets-configuration.yaml
 
-# Challenge61: Disable webhook by default (memory intensive on Heroku). Enable in profile if needed.
+password=ThisEnvironmentIsAnotherPlaceToHide
 challenge61.webhook.enabled=false
 SPECIAL_K8S_SECRET=if_you_see_this_please_use_k8s
 SPECIAL_SPECIAL_K8S_SECRET=if_you_see_this_please_use_k8s