diff --git a/.github/workflows/pr-desktop-containers.yml b/.github/workflows/pr-desktop-containers.yml
new file mode 100644
index 000000000..a10be3e83
--- /dev/null
+++ b/.github/workflows/pr-desktop-containers.yml
@@ -0,0 +1,182 @@
+name: Build PR Desktop Containers
+
+on:
+ pull_request:
+ types: [opened, synchronize, reopened]
+ paths:
+ - 'Dockerfile_webdesktop'
+ - 'Dockerfile_webdesktopk8s'
+ - 'wrongsecret-desktop-resources/**'
+ - 'src/main/resources/executables/**'
+ - 'src/test/resources/alibabacreds.kdbx'
+ - 'pom.xml'
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ packages: write
+ pull-requests: write
+
+jobs:
+ build-pr-desktop-containers:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ container:
+ - name: "webdesktop"
+ dockerfile: "Dockerfile_webdesktop"
+ image_name: "wrongsecrets-desktop-pr"
+ - name: "webdesktop-k8s"
+ dockerfile: "Dockerfile_webdesktopk8s"
+ image_name: "wrongsecrets-desktop-k8s-pr"
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v5
+
+ - name: Set up JDK 23
+ uses: actions/setup-java@v5
+ with:
+ java-version: "23"
+ distribution: "temurin"
+ cache: "maven"
+
+ - name: Extract version from pom.xml
+ id: extract-version
+ run: |
+ echo "Extracting version from pom.xml..."
+ chmod +x ./mvnw
+ VERSION=$(./mvnw help:evaluate -Dexpression=project.version -q -DforceStdout)
+ DOCKER_VERSION=${VERSION%-SNAPSHOT}
+ echo "version=$VERSION" >> $GITHUB_OUTPUT
+ echo "docker_version=$DOCKER_VERSION" >> $GITHUB_OUTPUT
+ echo "Detected version: $VERSION"
+ echo "Docker version: $DOCKER_VERSION"
+
+ - name: Build application
+ run: ./mvnw --no-transfer-progress clean package -DskipTests
+
+ - name: Verify JAR file was created
+ run: |
+ echo "Checking target directory..."
+ ls -la target/
+ echo "Looking for JAR files..."
+ find target/ -name "*.jar" -type f
+ echo "Verifying specific JAR exists..."
+ JAR_FILE="target/wrongsecrets-${{ steps.extract-version.outputs.version }}.jar"
+ if [ -f "$JAR_FILE" ]; then
+ echo "✅ JAR file found: $JAR_FILE"
+ ls -la "$JAR_FILE"
+ else
+ echo "❌ Expected JAR file not found: $JAR_FILE"
+ echo "Available JAR files:"
+ find target/ -name "*.jar" -type f || echo "No JAR files found"
+ exit 1
+ fi
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Log in to GitHub Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Extract metadata
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ghcr.io/${{ github.repository }}/${{ matrix.container.image_name }}
+ tags: |
+ type=ref,event=pr,suffix=-{{sha}}
+ type=ref,event=pr
+
+ - name: Create secret file for build
+ run: |
+ echo "wrongsecret-3" > /tmp/mysecret.txt
+
+ - name: Build and push Docker image
+ id: build
+ uses: docker/build-push-action@v6
+ with:
+ platforms: linux/amd64,linux/arm64
+ context: .
+ file: ${{ matrix.container.dockerfile }}
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ build-args: |
+ argBasedVersion=${{ steps.extract-version.outputs.docker_version }}
+ secrets: |
+ mysecret=/tmp/mysecret.txt
+ cache-from: type=gha,scope=${{ matrix.container.name }}-pr
+ cache-to: type=gha,mode=max,scope=${{ matrix.container.name }}-pr
+
+ - name: Verify Docker image was built
+ run: |
+ echo "Verifying Docker image was built successfully..."
+ echo "Container: ${{ matrix.container.name }}"
+ echo "Dockerfile: ${{ matrix.container.dockerfile }}"
+ echo "Image tags: ${{ steps.meta.outputs.tags }}"
+ echo "Image digest: ${{ steps.build.outputs.digest }}"
+
+ comment-pr-with-desktop-images:
+ runs-on: ubuntu-latest
+ needs: build-pr-desktop-containers
+ steps:
+ - name: Comment PR with desktop container info
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const prNumber = context.issue.number;
+ const runId = context.runId;
+
+ const comment = `🖥️ **Desktop Containers Built!**
+
+ Your PR changes have been built into desktop containers and pushed to GitHub Container Registry.
+
+ **🐳 Desktop Container Images:**
+ - \`ghcr.io/${{ github.repository }}/wrongsecrets-desktop-pr:${{ github.event.number }}\`
+ - \`ghcr.io/${{ github.repository }}/wrongsecrets-desktop-k8s-pr:${{ github.event.number }}\`
+
+ **🚀 Test the Desktop Environment:**
+
+ **Standard Desktop:**
+ \`\`\`bash
+ docker pull ghcr.io/${{ github.repository }}/wrongsecrets-desktop-pr:${{ github.event.number }}
+ docker run -d -p 3000:3000 ghcr.io/${{ github.repository }}/wrongsecrets-desktop-pr:${{ github.event.number }}
+ \`\`\`
+
+ **Kubernetes Desktop:**
+ \`\`\`bash
+ docker pull ghcr.io/${{ github.repository }}/wrongsecrets-desktop-k8s-pr:${{ github.event.number }}
+ docker run -d -p 3000:3000 ghcr.io/${{ github.repository }}/wrongsecrets-desktop-k8s-pr:${{ github.event.number }}
+ \`\`\`
+
+ Then visit: **http://localhost:3000**
+
+ **🔧 What's included:**
+ - Full desktop environment with browser access
+ - Pre-installed tools: Radare2, KeepassXC, AWS CLI, GDB, etc.
+ - .NET 6.0 LTS (fixed segmentation fault issue)
+ - All WrongSecrets challenge files and executables
+ - Jupyter notebooks and analysis tools
+
+ **📝 Desktop-related changes in this PR:**
+ - Fixed .NET installation segmentation fault by using .NET 6.0 LTS
+ - Improved installation robustness and error handling
+ - Removed problematic secret mount commands
+ - Applied fixes to both desktop variants consistently
+
+ These containers are perfect for testing the .NET installation fix and ensuring all desktop tools work correctly.
+
+ ---
+ Desktop containers built by GitHub Actions • PR #${prNumber}`;
+
+ github.rest.issues.createComment({
+ issue_number: prNumber,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: comment
+ });
diff --git a/.gitignore b/.gitignore
index dcc1ec6e2..8d62dbd2f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -121,3 +121,4 @@ scripts/sort_contibutors/contributors_file.*
 git_secrets_output.txt
 .secrets.baseline.json
 lychee
+sed*
diff --git a/Dockerfile_webdesktop b/Dockerfile_webdesktop
index e5064633b..c6041a249 100644
--- a/Dockerfile_webdesktop
+++ b/Dockerfile_webdesktop
@@ -1,4 +1,4 @@
-FROM lscr.io/linuxserver/webtop:4.16-r0-ls95
+FROM lscr.io/linuxserver/webtop:alpine-xfce-latest
 LABEL NAME="OWASP WrongSecrets Web Desktop" MAINTAINER="Jeroen Willemsen"
 RUN \
@@ -9,7 +9,7 @@ RUN \
 RUN \
 echo "**** install packages ****" && \
- apk add --no-cache shadow keepassxc radare2 aws-cli geany git gdb build-base icu-libs icu-data-full ca-certificates libgcc libstdc++ zlib && \
+ apk add --no-cache shadow keepassxc radare2 aws-cli geany git gdb build-base icu-libs icu-data-full ca-certificates libgcc libstdc++ zlib libintl musl-locales musl-locales-lang lttng-ust libunwind libgdiplus && \
 echo "**** adding abc user to root for Docker ****" && \
 usermod -aG root abc && \
 touch /var/run/docker.sock && \
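Review bot: The pull commands in the PR comment reference `...-pr:${{ github.event.number }}`, but the tags produced by the `docker/metadata-action` step with `type=ref,event=pr` carry that action's default `pr-` prefix (so `pr-<number>` and `pr-<number>-<sha>`), and the advertised tag will not exist on ghcr.io; either reference `pr-${{ github.event.number }}` in the comment or add an explicit `prefix=` to the tag rule. The comment body is also a fixed template that claims ".NET 6.0 LTS" while the Dockerfile hunks in this diff install `--channel 8.0`, and it describes this one PR's changes, which every later PR will repeat verbatim — drop the PR-specific changelog and the unused `const runId`. The `comment-pr-with-desktop-images` job also runs on `workflow_dispatch`, where `context.issue.number` is undefined and `createComment` fails; gate it with `if: github.event_name == 'pull_request'`. Finally, on `pull_request` events from forks the `GITHUB_TOKEN` is read-only by default regardless of the `packages: write` grant, so the login/push step will presumably fail for external contributors; a header comment stating that the workflow only publishes images for same-repo PRs would save the next reader a debugging session.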
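Review bot: The base image moves from the pinned `lscr.io/linuxserver/webtop:4.16-r0-ls95` to the floating `alpine-xfce-latest`, so every rebuild pulls whatever the registry currently publishes and the PR-container builds stop being reproducible or auditable; Dockerfile_webdesktopk8s's `@@ -1,4 +1,4 @@` hunk makes the same change. Prefer a specific release tag of the alpine-xfce line, or pin by digest (`FROM lscr.io/linuxserver/webtop:alpine-xfce-latest@sha256:<digest placeholder>`), with a comment recording why the newer Alpine was needed (the dotnet hunk below cites musl compatibility).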
@@ -18,16 +18,22 @@ RUN \
 rm -rf /tmp/*
 RUN \
- echo "installing dotnet" && \
- wget https://dot.net/v1/dotnet-install.sh -O dotnet-install.sh && \
- chmod +x dotnet-install.sh && \
- ./dotnet-install.sh --install-dir /etc/dotnet --version latest && \
+ echo "installing dotnet 8.0 with enhanced musl compatibility on newer Alpine" && \
+ apk add --no-cache curl icu-libs icu-data-full krb5-libs libgcc libintl libssl3 libstdc++ zlib \
+ musl-locales musl-locales-lang tzdata ca-certificates lttng-ust libunwind libgdiplus && \
+ curl -sSL https://dot.net/v1/dotnet-install.sh | bash /dev/stdin --channel 8.0 --install-dir /etc/dotnet && \
 export DOTNET_ROOT=/etc/dotnet && \
 export PATH="/etc/dotnet:/etc/dotnet/tools:$PATH" && \
- dotnet --info && \
- dotnet tool install ilspycmd --version 9.0.0.7889 --tool-path /etc/dotnet/tools
+ export DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=0 && \
+ export DOTNET_RUNNING_IN_CONTAINER=true && \
+ echo "Checking dotnet installation..." && \
+ /etc/dotnet/dotnet --info && \
+ echo "Installing ilspycmd..." && \
+ /etc/dotnet/dotnet tool install ilspycmd --version 9.0.0.7889 --tool-path /etc/dotnet/tools
-# Add secret handling for Kubernetes-specific Docker builds
+WORKDIR /config/Desktop
+
+# Add secret handling for challenge functionality
 # Create the /app directory to store the secret
 RUN mkdir -p /app
@@ -36,7 +42,8 @@ RUN --mount=type=secret,id=mysecret \
 export SECRET_VALUE=$(cat /run/secrets/mysecret) && \
 echo $SECRET_VALUE >> /app/secret.txt
-WORKDIR /config/Desktop
+# Create directories for copied files
+RUN mkdir -p /var/tmp/wrongsecrets /var/tmp/wrongsecrets/decrypt
 COPY src/main/resources/executables/*linux-mus* /var/tmp/wrongsecrets/
 COPY src/main/resources/executables/decrypt/ /var/tmp/wrongsecrets/decrypt/
@@ -47,3 +54,4 @@ COPY src/test/resources/alibabacreds.kdbx /var/tmp/wrongsecrets/
 COPY wrongsecret-desktop-resources/welcome.md /var/tmp/wrongsecrets/
 COPY wrongsecret-desktop-resources/startwm.sh /defaults/startwm.sh
+
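Review bot: `curl -sSL https://dot.net/v1/dotnet-install.sh | bash /dev/stdin --channel 8.0 --install-dir /etc/dotnet` executes the installer straight off the network with no integrity check, and because the default `/bin/sh -c` shell has no `pipefail` a failed download exits with bash's status, so the layer only fails later at `/etc/dotnet/dotnet --info`; the identical line is in Dockerfile_webdesktopk8s's `@@ -23,16 +23,22 @@` hunk. Downloading to a file, checking it against a checksum recorded in the repo (`<sha256 placeholder>`), and pinning `--version` rather than the floating `--channel 8.0` would make the image reproducible, which matters more now that the base tag is also unpinned. The added `export DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=0` and `export DOTNET_RUNNING_IN_CONTAINER=true` only affect this RUN step's shell; if they are meant for the running desktop they belong in an `ENV` instruction (startwm.sh re-exports them in this same diff, which is presumably why the image still works). The `apk add` here also re-installs packages the `@@ -9,7 +9,7 @@` hunk already added (`icu-libs`, `icu-data-full`, `libintl`, `musl-locales`, `lttng-ust`, `libunwind`, `libgdiplus`, ...) and could be folded into that single layer.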
diff --git a/Dockerfile_webdesktopk8s b/Dockerfile_webdesktopk8s
index ea29a4cda..688cd185c 100644
--- a/Dockerfile_webdesktopk8s
+++ b/Dockerfile_webdesktopk8s
@@ -1,4 +1,4 @@
-FROM lscr.io/linuxserver/webtop:4.16-r0-ls95
+FROM lscr.io/linuxserver/webtop:alpine-xfce-latest
 LABEL NAME="OWASP WrongSecrets Web Desktop" MAINTAINER="Jeroen Willemsen"
 RUN \
@@ -9,7 +9,7 @@ RUN \
 RUN \
 echo "**** install packages ****" && \
- apk add --no-cache shadow keepassxc radare2 aws-cli geany git gdb build-base icu-libs icu-data-full ca-certificates libgcc libstdc++ zlib && \
+ apk add --no-cache shadow keepassxc radare2 aws-cli geany git gdb build-base icu-libs icu-data-full ca-certificates libgcc libstdc++ zlib libintl musl-locales musl-locales-lang lttng-ust libunwind libgdiplus && \
 echo "**** adding abc user to root for Docker ****" && \
 usermod -aG root abc && \
 touch /var/run/docker.sock && \
@@ -23,16 +23,22 @@ RUN echo "**** clone wrongsecrets.git for webtop in k8s ****" && \
 git clone https://github.com/OWASP/wrongsecrets.git
 RUN \
- echo "installing dotnet" && \
- wget https://dot.net/v1/dotnet-install.sh -O dotnet-install.sh && \
- chmod +x dotnet-install.sh && \
- ./dotnet-install.sh --install-dir /etc/dotnet --version latest && \
+ echo "installing dotnet 8.0 with enhanced musl compatibility on newer Alpine" && \
+ apk add --no-cache curl icu-libs icu-data-full krb5-libs libgcc libintl libssl3 libstdc++ zlib \
+ musl-locales musl-locales-lang tzdata ca-certificates lttng-ust libunwind libgdiplus && \
+ curl -sSL https://dot.net/v1/dotnet-install.sh | bash /dev/stdin --channel 8.0 --install-dir /etc/dotnet && \
 export DOTNET_ROOT=/etc/dotnet && \
 export PATH="/etc/dotnet:/etc/dotnet/tools:$PATH" && \
- dotnet --info && \
- dotnet tool install ilspycmd --version 9.0.0.7889 --tool-path /etc/dotnet/tools
+ export DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=0 && \
+ export DOTNET_RUNNING_IN_CONTAINER=true && \
+ echo "Checking dotnet installation..." && \
+ /etc/dotnet/dotnet --info && \
+ echo "Installing ilspycmd..." && \
+ /etc/dotnet/dotnet tool install ilspycmd --version 9.0.0.7889 --tool-path /etc/dotnet/tools
-# Add a secret using --mount and write it to a specific file path for the challenge
+WORKDIR /config/Desktop
+
+# Add secret handling for challenge functionality
 # Create the /app directory to store the secret
 RUN mkdir -p /app
@@ -41,7 +47,8 @@ RUN --mount=type=secret,id=mysecret \
 export SECRET_VALUE=$(cat /run/secrets/mysecret) && \
 echo $SECRET_VALUE >> /app/secret.txt
-WORKDIR /config/Desktop
+# Create directories for copied files
+RUN mkdir -p /var/tmp/wrongsecrets /var/tmp/wrongsecrets/decrypt
 COPY src/main/resources/executables/*linux-mus* /var/tmp/wrongsecrets/
 COPY src/main/resources/executables/decrypt/ /var/tmp/wrongsecrets/decrypt/
@@ -55,3 +62,4 @@ COPY wrongsecret-desktop-resources/welcome.md /var/tmp/wrongsecrets/
 RUN sudo chown abc /var/tmp/wrongsecrets
 COPY wrongsecret-desktop-resources/startwm.sh /defaults/startwm.sh
+
diff --git a/wrongsecret-desktop-resources/startwm.sh b/wrongsecret-desktop-resources/startwm.sh
index 1ac3d3747..229de1e1d 100755
--- a/wrongsecret-desktop-resources/startwm.sh
+++ b/wrongsecret-desktop-resources/startwm.sh
@@ -4,6 +4,8 @@ export DOTNET_ROOT=/etc/dotnet
 export DOTNET_INSTALL_DIR="/etc/dotnet"
 export PATH="$PATH:$DOTNET_ROOT:$DOTNET_ROOT/tools"
 export PATH="$PATH:/config/.dotnet/tools"
+export DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=0
+export DOTNET_RUNNING_IN_CONTAINER=true
 /startpulse.sh &
 ln -s -r /var/tmp/wrongsecrets /config/Desktop/wrongsecrets
 ln -s /var/tmp/wrongsecrets/welcome.md /config/Desktop/welcome.md