Fix security & quality issues from GitHub security dashboard #2512
… Slf4j import in AuditConfiguration Agent-Logs-Url: https://github.com/OWASP/wrongsecrets/sessions/434d65db-7a37-4184-9e98-1161b21e2974 Co-authored-by: commjoen <1457214+commjoen@users.noreply.github.com>
…nge code; fix SSRF in Challenge62; fix Random type declarations Agent-Logs-Url: https://github.com/OWASP/wrongsecrets/sessions/434d65db-7a37-4184-9e98-1161b21e2974 Co-authored-by: commjoen <1457214+commjoen@users.noreply.github.com>
…; add validation tests for Challenge62 Agent-Logs-Url: https://github.com/OWASP/wrongsecrets/sessions/434d65db-7a37-4184-9e98-1161b21e2974 Co-authored-by: commjoen <1457214+commjoen@users.noreply.github.com>
| private String generateCode(ChallengeDefinition challenge) { | ||
| SecretKeySpec secretKeySpec = | ||
| new SecretKeySpec(ctfKey.getBytes(StandardCharsets.UTF_8), "HmacSHA1"); | ||
| new SecretKeySpec(ctfKey.getBytes(StandardCharsets.UTF_8), "HmacSHA256"); |
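Review bot: switching the SecretKeySpec algorithm from "HmacSHA1" to "HmacSHA256" inside generateCode() changes every code the method produces, so codes issued under the old algorithm and the existing CTF-mode test expectations no longer match. If the HmacSHA1 output must stay stable for CTF compatibility, keep the original line and place an inline CodeQL suppression comment on it instead of changing the algorithm; if the upgrade is intended, the CTF-mode tests need updated expectations in the same change.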
@copilot can you suppress this instead? It is for educational purposes.
Done in 6b59290. Reverted back to HmacSHA1 and added // codeql[java/weak-cryptographic-algorithm] suppression comment (plus // NOSONAR) instead. Also restored the original HmacSHA1-based hash expectations in all CTF mode tests.
…s to original values Agent-Logs-Url: https://github.com/OWASP/wrongsecrets/sessions/dc3ddb41-38c5-4cb4-9ead-ebb777361a22 Co-authored-by: commjoen <1457214+commjoen@users.noreply.github.com>
Just as a heads up, I was blocked by some firewall rules while working on your feedback. I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
🔨 Preview Build Complete! Your changes have been built and pushed to GitHub Container Registry.
🐳 Docker Image:
📦 Download & Test Locally:
# Download the artifact, extract it, then:
docker load < wrongsecrets-preview.tar
docker run -p 8080:8080 -p 8090:8090 wrongsecrets-preview
🚀 Alternative - Pull from Registry:
docker pull ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2512-1f50725
docker run -p 8080:8080 -p 8090:8090 ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2512-1f50725
Then visit: http://localhost:8080
📝 Changes in this PR: Visual diff screenshots will be available shortly...
Preview built by GitHub Actions
This PR addresses ten CodeQL/quality alerts in the GitHub security dashboard, spanning weak cryptography in framework code, SSRF, wrong imports, and false-positive intentional vulnerabilities in challenge code.

Framework security fixes
- Weak cryptography (ChallengesController): HmacSHA1 is intentional for CTF code compatibility, so a // codeql[java/weak-cryptographic-algorithm] suppression comment was added rather than upgrading the algorithm.
- SSRF (Challenge62): added isValidGoogleDriveDocumentId() to reject user-supplied document_id values containing anything outside [a-zA-Z0-9_\-], preventing path injection into the Google Drive API URL.

Quality fixes
- AuditConfiguration: groovy.util.logging.Slf4j → lombok.extern.slf4j.Slf4j
- Challenge8 and Challenge30: the field private final Random secureRandom = new SecureRandom() is now declared with type SecureRandom; removed the unused java.util.Random imports.

CodeQL suppression for intentional challenge vulnerabilities
Added // codeql[java/weak-cryptographic-algorithm] inline suppression comments on the specific flagged lines in:

These suppression comments silence only the specific CodeQL alert on that line while leaving the intentionally vulnerable code intact for educational purposes.
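The allow-list check described for Challenge62 above, as an added example and not the wrongsecrets project's own code: a validator applying the [a-zA-Z0-9_\-] rule before the id is concatenated into the outbound request URL. The Drive base URL, the helper driveFileUrl() and the sample ids are assumptions constructed for illustration.

```java
import java.util.List;
import java.util.regex.Pattern;

public final class DriveDocumentIdValidator {

    // Allow-list from the PR description: letters, digits, underscore and hyphen,
    // at least one character. Anything else (slash, dot, '?', '%', space) is rejected.
    private static final Pattern DOCUMENT_ID = Pattern.compile("[a-zA-Z0-9_\\-]+");

    // Assumed base URL for illustration only; not taken from the project.
    private static final String DRIVE_FILES_URL = "https://www.googleapis.com/drive/v3/files/";

    static boolean isValidGoogleDriveDocumentId(String id) {
        // matcher(...).matches() anchors the pattern to the whole string, so one
        // disallowed character anywhere in the value is enough to reject it.
        return id != null && DOCUMENT_ID.matcher(id).matches();
    }

    // Hypothetical helper: builds the request URL only for ids that passed the
    // allow-list, so an unvalidated value can never reach the outbound call.
    static String driveFileUrl(String id) {
        if (!isValidGoogleDriveDocumentId(id)) {
            throw new IllegalArgumentException("invalid Google Drive document id");
        }
        return DRIVE_FILES_URL + id;
    }

    public static void main(String[] args) {
        // Constructed sample ids: the first two are well-formed; the others would
        // alter the request path, append query parameters or contain encoding.
        List<String> samples = List.of(
                "1AbC_dEf-GhI",
                "abc123",
                "",
                "1AbC/../other",
                "1AbC?alt=media",
                "1AbC%2Fx",
                "1AbC x");
        for (String s : samples) {
            String verdict = isValidGoogleDriveDocumentId(s) ? "accepted" : "rejected";
            System.out.println("\"" + s + "\" -> " + verdict);
        }
        System.out.println(driveFileUrl("1AbC_dEf-GhI"));
    }
}
```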