From 22f1b21f2985a626cbd8e642ff4836face9dc5e9 Mon Sep 17 00:00:00 2001 From: Shubham-Patel07 Date: Fri, 13 Dec 2024 18:12:01 +0530 Subject: [PATCH 1/9] Added: --secret flag so that the hardcoded secret is injected in container as env variable --- .github/scripts/docker-create.sh | 55 +++++++++++++------------------- Dockerfile | 9 ++++++ Dockerfile_webdesktop | 7 ++++ Dockerfile_webdesktopk8s | 7 ++++ 4 files changed, 46 insertions(+), 32 deletions(-) diff --git a/.github/scripts/docker-create.sh b/.github/scripts/docker-create.sh index dd0e27e55..219b8e147 100755 --- a/.github/scripts/docker-create.sh +++ b/.github/scripts/docker-create.sh 
@@ -352,34 +352,35 @@ build_update_pom() { create_containers() { echo "Creating containers" + SECRET_VALUE="youCantHandleThisSecret" if [[ "$script_mode" == "publish" ]]; then - docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:$tag-no-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --push ./../../. - docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:latest-no-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --push ./../../. - docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:$tag-local-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=local-vault" --push ./../../. - docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:latest-local-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=local-vault" --push ./../../. - docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:$tag-k8s-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=kubernetes-vault" --push ./../../. - docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:latest-k8s-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=kubernetes-vault" --push ./../../. - docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:$tag-no-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --push ./../../. 
- docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:latest-no-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --push ./../../. - docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:$tag-local-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=local-vault" --push ./../../. - docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:latest-local-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=local-vault" --push ./../../. - docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:$tag-k8s-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=kubernetes-vault" --push ./../../. - docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:latest-k8s-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=kubernetes-vault" --push ./../../. + docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:$tag-no-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --secret id=mysecret,env=SECRET_VALUE --push ./../../. + docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:latest-no-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --secret id=mysecret,env=SECRET_VALUE --push ./../../. 
+ docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:$tag-local-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=local-vault" --secret id=mysecret,env=SECRET_VALUE --push ./../../. + docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:latest-local-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=local-vault" --secret id=mysecret,env=SECRET_VALUE --push ./../../. + docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:$tag-k8s-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=kubernetes-vault" --secret id=mysecret,env=SECRET_VALUE --push ./../../. + docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:latest-k8s-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=kubernetes-vault" --secret id=mysecret,env=SECRET_VALUE --push ./../../. + docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:$tag-no-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --secret id=mysecret,env=SECRET_VALUE --push ./../../. + docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:latest-no-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --secret id=mysecret,env=SECRET_VALUE --push ./../../. 
+ docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:$tag-local-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=local-vault" --secret id=mysecret,env=SECRET_VALUE --push ./../../. + docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:latest-local-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=local-vault" --secret id=mysecret,env=SECRET_VALUE --push ./../../. + docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:$tag-k8s-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=kubernetes-vault" --secret id=mysecret,env=SECRET_VALUE --push ./../../. + docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:latest-k8s-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=kubernetes-vault" --secret id=mysecret,env=SECRET_VALUE --push ./../../. cd ../.. - docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets-desktop:$tag -f Dockerfile_webdesktop --push . - docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets-desktop:latest -f Dockerfile_webdesktop --push . - docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets-desktop-k8s:$tag -f Dockerfile_webdesktopk8s --push . - docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets-desktop-k8s:latest -f Dockerfile_webdesktopk8s --push . + docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets-desktop:$tag -f Dockerfile_webdesktop --secret id=mysecret,env=SECRET_VALUE --push . 
+ docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets-desktop:latest -f Dockerfile_webdesktop --secret id=mysecret,env=SECRET_VALUE --push . + docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets-desktop-k8s:$tag -f Dockerfile_webdesktopk8s --secret id=mysecret,env=SECRET_VALUE --push . + docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets-desktop-k8s:latest -f Dockerfile_webdesktopk8s --secret id=mysecret,env=SECRET_VALUE --push . cd .github/scripts elif [[ "$script_mode" == "test" ]]; then - docker buildx build -t jeroenwillemsen/wrongsecrets:$tag --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --load ./../../. + docker buildx build -t jeroenwillemsen/wrongsecrets:$tag --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --load --secret id=mysecret,env=SECRET_VALUE ./../../. else if [[ "$springProfile" != "All" ]]; then - docker buildx build -t jeroenwillemsen/wrongsecrets:$tag-$springProfile --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=$springProfile" --load ./../../. + docker buildx build -t jeroenwillemsen/wrongsecrets:$tag-$springProfile --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=$springProfile" --load --secret id=mysecret,env=SECRET_VALUE ./../../. else - docker buildx build -t jeroenwillemsen/wrongsecrets:$tag-no-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --load ./../../. - docker buildx build -t jeroenwillemsen/wrongsecrets:$tag-local-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=local-vault" --load ./../../. 
- docker buildx build -t jeroenwillemsen/wrongsecrets:$tag-k8s-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=kubernetes-vault" --load ./../../. + docker buildx build -t jeroenwillemsen/wrongsecrets:$tag-no-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --load --secret id=mysecret,env=SECRET_VALUE ./../../. + docker buildx build -t jeroenwillemsen/wrongsecrets:$tag-local-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=local-vault" --load --secret id=mysecret,env=SECRET_VALUE ./../../. + docker buildx build -t jeroenwillemsen/wrongsecrets:$tag-k8s-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=kubernetes-vault" --load --secret id=mysecret,env=SECRET_VALUE ./../../. fi fi } @@ -452,14 +453,4 @@ test() { } local_extra_info -check_correct_launch_location -check_os -check_required_install -download_dot_net_binaries -generate_test_data -build_update_pom -create_containers -restore_temp_change -commit_and_tag -echo_next_steps -test +check_co \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index 81883f0ff..1144ceb1c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -17,6 +17,15 @@ RUN echo "$argBasedPassword" RUN apk add --no-cache libstdc++ icu-libs +# Create the /app directory +RUN mkdir -p /app + +# Use a separate RUN command for --mount +RUN --mount=type=secret,id=mysecret \ + cat /run/secrets/mysecret > /app/secret.txt + +RUN ls -l /app && cat /app/secret.txt + #RUN useradd -u 2000 -m wrongsecrets RUN adduser -u 2000 -D wrongsecrets USER wrongsecrets diff --git a/Dockerfile_webdesktop b/Dockerfile_webdesktop index ba3dfc9e4..1bf54c443 100644 --- a/Dockerfile_webdesktop +++ b/Dockerfile_webdesktop 
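Review bot: `SECRET_VALUE="youCantHandleThisSecret"` at the top of create_containers is a plain shell assignment, not an export, so the `--secret id=mysecret,env=SECRET_VALUE` option added to every buildx line asks the docker child process for a variable it never inherits; the builds either fail or receive an empty secret unless the line reads `export SECRET_VALUE="youCantHandleThisSecret"` (patch 4/9 in this series makes exactly that change). The remaining point is style: the sixteen invocations now each repeat the same build-arg and secret options, and collecting them once, `common_args=(--build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --secret id=mysecret,env=SECRET_VALUE)`, then passing `"${common_args[@]}"`, would have made this change a one-line edit. A comment above the assignment, `# Deliberately hard-coded: this is the answer to the docker build-secret challenge, not a real credential`, would stop a secret scanner or a later reviewer from treating the literal as a leak.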
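Review bot: The second hunk replaces the eleven top-level calls that drive the script (check_correct_launch_location through test) with the fragment `check_co` and no trailing newline, which looks like an accidental editor truncation rather than an intended change; no function named `check_co` is visible, so the script would run local_extra_info and then stop on an unknown command. Patch 3/9 restores the lines, but this intermediate commit leaves the script unusable for anyone bisecting. The restored list should end with a newline so the file does not carry a `\ No newline at end of file` marker.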
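Review bot: `RUN ls -l /app && cat /app/secret.txt` prints the mounted secret into the build output, so every CI run that builds this image copies the value into retained build logs on top of the image layer; the line should be dropped (patch 2/9 does so). Since `cat /run/secrets/mysecret > /app/secret.txt` persisting a build secret into a layer is the deliberate misconfiguration behind the challenge this series adds, a comment stating that intent, `# Deliberately persists the build secret into an image layer for the WrongSecrets build-secret challenge; do not "fix"`, would keep a later maintainer from silently removing the challenge. The file is also written as root before `USER wrongsecrets`; presumably the default umask leaves it world-readable, which is what the challenge relies on, and that dependency is worth a comment as well.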
@@ -28,6 +28,13 @@ RUN \ export PATH="$PATH:/config/.dotnet/tools" &&\ dotnet tool install ilspycmd --version 9.0.0.7660-preview2 --tool-path /etc/dotnet/tools +# Add secret handling for Kubernetes-specific Docker builds +# Create the /app directory to store the secret +RUN mkdir -p /app +# The secret will be written to a file for the challenge +RUN --mount=type=secret,id=mysecret \ + cat /run/secrets/mysecret > /var/tmp/wrongsecrets/secret.txt + WORKDIR /config/Desktop COPY src/main/resources/executables/*linux-mus* /var/tmp/wrongsecrets/ diff --git a/Dockerfile_webdesktopk8s b/Dockerfile_webdesktopk8s index 179c3fde1..f44623918 100644 --- a/Dockerfile_webdesktopk8s +++ b/Dockerfile_webdesktopk8s @@ -33,6 +33,13 @@ RUN \ export PATH="$PATH:/config/.dotnet/tools" &&\ dotnet tool install ilspycmd --version 9.0.0.7660-preview2 --tool-path /etc/dotnet/tools +# Add a secret using --mount and write it to a specific file path for the challenge +# Create the /app directory to store the secret +RUN mkdir -p /app +# This demonstrates how secrets can be mishandled during Docker builds +RUN --mount=type=secret,id=mysecret \ + cat /run/secrets/mysecret > /var/tmp/wrongsecrets/secret.txt + WORKDIR /config/Desktop COPY src/main/resources/executables/*linux-mus* /var/tmp/wrongsecrets/ From f0ed8fc7cd08eb43dc0aa78c434f39e5f1e97ec1 Mon Sep 17 00:00:00 2001 From: Shubham-Patel07 Date: Fri, 13 Dec 2024 18:13:44 +0530 Subject: [PATCH 2/9] Fix: Updated Dockerfile --- Dockerfile | 2 -- 1 file changed, 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 1144ceb1c..888a9d8ad 100644 --- a/Dockerfile +++ b/Dockerfile @@ -24,8 +24,6 @@ RUN mkdir -p /app RUN --mount=type=secret,id=mysecret \ cat /run/secrets/mysecret > /app/secret.txt -RUN ls -l /app && cat /app/secret.txt - #RUN useradd -u 2000 -m wrongsecrets RUN adduser -u 2000 -D wrongsecrets USER wrongsecrets From 2721de2c9a364b79ba0c03f7b7afec4fa462b9bc Mon Sep 17 00:00:00 2001 
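Review bot: In the Dockerfile_webdesktop hunk the new `RUN --mount` writes to `/var/tmp/wrongsecrets/secret.txt` while the preceding `RUN mkdir -p /app` creates a different directory; unless an instruction outside the hunk already creates `/var/tmp/wrongsecrets`, the shell redirect fails with a missing-directory error, because the `COPY ... /var/tmp/wrongsecrets/` that would create it comes after. Either write to `/app/secret.txt` as the Dockerfile does or add `mkdir -p /var/tmp/wrongsecrets` (patch 5/9 in this series switches both files to `/app`); the Dockerfile_webdesktopk8s hunk has the same mismatch. The comment `# Add secret handling for Kubernetes-specific Docker builds` is misleading in Dockerfile_webdesktop, which is the non-Kubernetes desktop image; `# Write the build secret into the image for the WrongSecrets build-secret challenge` would describe both files accurately.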
From: Shubham-Patel07 Date: Fri, 13 Dec 2024 18:29:36 +0530 Subject: [PATCH 3/9] Fix: Updated Dockerfile and docker-create.sh --- .github/scripts/docker-create.sh | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/.github/scripts/docker-create.sh b/.github/scripts/docker-create.sh index 219b8e147..5aba18763 100755 --- a/.github/scripts/docker-create.sh +++ b/.github/scripts/docker-create.sh @@ -453,4 +453,14 @@ test() { } local_extra_info -check_co \ No newline at end of file +check_correct_launch_location +check_os +check_required_install +download_dot_net_binaries +generate_test_data +build_update_pom +create_containers +restore_temp_change +commit_and_tag +echo_next_steps +test From 8951187f4785a816af73fad234d2a29159e8af44 Mon Sep 17 00:00:00 2001 From: Shubham Patel <87226371+Shubham-Patel07@users.noreply.github.com> Date: Fri, 13 Dec 2024 22:46:37 +0530 Subject: [PATCH 4/9] Update docker-create.sh to fix env-var injection --- .github/scripts/docker-create.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/scripts/docker-create.sh b/.github/scripts/docker-create.sh index 5aba18763..3e69b84e6 100755 --- a/.github/scripts/docker-create.sh +++ b/.github/scripts/docker-create.sh 
@@ -352,7 +352,7 @@ build_update_pom() { create_containers() { echo "Creating containers" - SECRET_VALUE="youCantHandleThisSecret" + export SECRET_VALUE="youCantHandleThisSecret" if [[ "$script_mode" == "publish" ]]; then docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:$tag-no-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --secret id=mysecret,env=SECRET_VALUE --push ./../../. docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:latest-no-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --secret id=mysecret,env=SECRET_VALUE --push ./../../. From 8bebb50566358c5601acfbc13d38917b6d73b97d Mon Sep 17 00:00:00 2001 From: Shubham-Patel07 Date: Tue, 31 Dec 2024 00:26:03 +0530 Subject: [PATCH 5/9] Fix: Made changes in the docker file such that the secret is injected in container properly --- Dockerfile | 4 ++-- Dockerfile_webdesktop | 6 ++++-- Dockerfile_webdesktopk8s | 6 ++++-- 3 files changed, 10 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index 6973e45cb..bc851f4e7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -23,8 +23,8 @@ RUN mkdir -p /app # Use a separate RUN command for --mount RUN --mount=type=secret,id=mysecret \ - cat /run/secrets/mysecret > /app/secret.txt - + export SECRET_VALUE=$(cat /run/secrets/mysecret) && \ + echo $SECRET_VALUE >> /app/secret.txt RUN adduser -u 2000 -D wrongsecrets USER wrongsecrets diff --git a/Dockerfile_webdesktop b/Dockerfile_webdesktop index 1bf54c443..130c764c7 100644 --- a/Dockerfile_webdesktop +++ b/Dockerfile_webdesktop 
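Review bot: `export SECRET_VALUE=...` fixes the `env=` lookup, but it also leaves the value in the environment of every function the script runs after create_containers (restore_temp_change, commit_and_tag, test), which is wider than the buildx calls need. `unset SECRET_VALUE` at the end of create_containers, or passing `--secret id=mysecret,src=<file>` from a temporary file removed afterwards, limits the exposure to the build commands themselves. A one-line comment, `# Deliberately hard-coded build secret for the docker build-secret challenge; not a real credential`, would also tell readers and secret scanners why a literal is exported here.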
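Review bot: `echo $SECRET_VALUE >> /app/secret.txt` expands the secret unquoted, so a value containing spaces, tabs or glob characters is word-split and re-joined (or matched against files in the working directory) before it reaches the file, and `>>` appends to whatever is already there; `printf '%s\n' "$SECRET_VALUE" > /app/secret.txt` writes the value verbatim. The `export` in the same RUN has no effect beyond that one shell invocation, since each RUN starts a fresh shell and its environment changes do not survive into later instructions, so the secret still reaches the image only through the file. The two Dockerfile_webdesktop* hunks in this patch carry the same lines and need the same fix.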
@@ -31,9 +31,11 @@ RUN \ # Add secret handling for Kubernetes-specific Docker builds # Create the /app directory to store the secret RUN mkdir -p /app -# The secret will be written to a file for the challenge + +# Use a separate RUN command for --mount RUN --mount=type=secret,id=mysecret \ - cat /run/secrets/mysecret > /var/tmp/wrongsecrets/secret.txt + export SECRET_VALUE=$(cat /run/secrets/mysecret) && \ + echo $SECRET_VALUE >> /app/secret.txt WORKDIR /config/Desktop diff --git a/Dockerfile_webdesktopk8s b/Dockerfile_webdesktopk8s index f44623918..87dd2567b 100644 --- a/Dockerfile_webdesktopk8s +++ b/Dockerfile_webdesktopk8s @@ -36,9 +36,11 @@ RUN \ # Add a secret using --mount and write it to a specific file path for the challenge # Create the /app directory to store the secret RUN mkdir -p /app -# This demonstrates how secrets can be mishandled during Docker builds + +# Use a separate RUN command for --mount RUN --mount=type=secret,id=mysecret \ - cat /run/secrets/mysecret > /var/tmp/wrongsecrets/secret.txt + export SECRET_VALUE=$(cat /run/secrets/mysecret) && \ + echo $SECRET_VALUE >> /app/secret.txt WORKDIR /config/Desktop From 5c0ead91c0619ffb16e7802df70807a3260abdf6 Mon Sep 17 00:00:00 2001 From: Shubham-Patel07 Date: Fri, 3 Jan 2025 18:10:04 +0530 Subject: [PATCH 6/9] Add: Added the challenge and also written the explanation files for this challenge --- .../challenges/docker/Challenge52.java | 45 +++++++++++++++++++ .../resources/explanations/challenge52.adoc | 7 +++ .../explanations/challenge52_hint.adoc | 30 +++++++++++++ .../explanations/challenge52_reason.adoc | 30 +++++++++++++ 4 files changed, 112 insertions(+) create mode 100644 src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge52.java create mode 100644 src/main/resources/explanations/challenge52.adoc create mode 100644 src/main/resources/explanations/challenge52_hint.adoc create mode 100644 src/main/resources/explanations/challenge52_reason.adoc 
diff --git a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge52.java b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge52.java
new file mode 100644
index 000000000..742abf17e
--- /dev/null
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge52.java
@@ -0,0 +1,45 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+import groovy.util.logging.Slf4j;
+import org.owasp.wrongsecrets.Challenges;
+import org.owasp.wrongsecrets.challenges.FixedAnswerChallenge;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.stereotype.Component;
+
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+
+
+@Slf4j
+@Component
+public class Challenge52 extends FixedAnswerChallenge {
+
+ private static final Logger log = LoggerFactory.getLogger(Challenge52.class);
+ private final String dockerMountsecret;
+
+ public Challenge52(@Value("$challengedockermtsecret") String dockerMountsecret) {
+ this.dockerMountsecret = dockerMountsecret;
+ }
+
+ @Override
+ public String getAnswer() {
+ return getActualSecret();
+ }
+
+ @SuppressFBWarnings(
+ value = "PATH_TRAVERSAL_IN",
+ justification = "The location of the dockerMountPath is based on an Env Var"
+ )
+ private String getActualSecret(){
+ try {
+ return Files.readString(Paths.get(dockerMountsecret,"secret.txt"), StandardCharsets.UTF_8);
+ } catch (Exception e) {
+ log.warn("Exception during file reading, defaulting to default without cloud environment", e);
+ return Challenges.ErrorResponses.FILE_MOUNT_ERROR;
+ }
+ }
+}
diff --git a/src/main/resources/explanations/challenge52.adoc b/src/main/resources/explanations/challenge52.adoc
new file mode 100644
index 000000000..1931e144e
--- /dev/null
+++ b/src/main/resources/explanations/challenge52.adoc
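Review bot: `@Value("$challengedockermtsecret")` in the Challenge52 constructor is missing the placeholder braces, so Spring injects the literal text `$challengedockermtsecret` rather than the configured property, and `Paths.get(dockerMountsecret, "secret.txt")` then looks for a relative directory of that name; the challenge would always fall back to `FILE_MOUNT_ERROR`. The line should read `public Challenge52(@Value("${challengedockermtsecret}") String dockerMountsecret) {`. Two smaller points: `@Slf4j` here is imported from `groovy.util.logging`, which does nothing for a plain Java class and is redundant with the explicit `log` field directly below, so the annotation and its import should go; and `catch (Exception e)` in getActualSecret should be `catch (IOException e)` so a programming error is not reported as a missing mount. Because the Dockerfile writes the file with `echo`, the content carries a trailing newline; if FixedAnswerChallenge compares submissions exactly (not visible here), `.strip()` on the read string is needed for the answer to be matchable.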
@@ -0,0 +1,7 @@ +=== Exposed Buildx Secrets Challenge + +Acme Inc., a rising star in the SaaS industry, prides itself on delivering cutting-edge AI analytics to its global clientele. However, amidst their rapid deployment cycles and growing customer base, a critical security oversight has come to light. + +During their Docker Buildx process, a sensitive secret, meant to remain temporary and secure during the build phase, was accidentally embedded into the container's filesystem due to a misconfiguration. This secret, now accessible within the running container, poses a significant security risk if exploited. + +As Acme Inc.'s newly hired Security Consultant, your task is clear: investigate the container, identify the exposed secret, and report it to the team. By uncovering this vulnerability, you will help Acme Inc. understand the risks and implement better practices to secure their deployment pipeline. diff --git a/src/main/resources/explanations/challenge52_hint.adoc b/src/main/resources/explanations/challenge52_hint.adoc new file mode 100644 index 000000000..6dc6ae99c --- /dev/null +++ b/src/main/resources/explanations/challenge52_hint.adoc 
@@ -0,0 +1,30 @@ +This challenge can be solved using the following steps: + +- *Acme Inc.* has misconfigured their Docker Buildx process, leading to sensitive secrets being embedded in the container's filesystem. Your task is to uncover these vulnerabilities. + + 1. Clone the repository containing the challenge files: + ``` + git clone https://github.com/OWASP/wrongsecrets.git + cd wrongsecrets + ``` + + 2. Locate the `docker-create.sh` file in the repository. This file contains the build logic used by Acme Inc. to create the Docker container. + + 3. Build the Docker image by running the `docker-create.sh` script: + ``` + ./docker-create.sh + ``` + + 4. Start the Docker container using the built image to access its environment: + ``` + docker run -it jeroenwillemsen/wrongsecrets:local-test-no-vault sh + ``` + + 5. Investigate the container filesystem to locate the secret file: + ``` + / $ cat /app/secret.txt + ``` + + 6. The content of the `secret.txt` file is your answer. + +The misconfiguration demonstrates how secrets, passed securely during the Docker build process using `--secret`, can become exposed when improperly stored in the container. Your findings will help Acme Inc. understand and fix this critical issue. diff --git a/src/main/resources/explanations/challenge52_reason.adoc b/src/main/resources/explanations/challenge52_reason.adoc new file mode 100644 index 000000000..d734e7246 --- /dev/null +++ b/src/main/resources/explanations/challenge52_reason.adoc 
@@ -0,0 +1,30 @@ += Docker Buildx Secrets Misconfiguration Challenge + +*Why Improper Secret Management in Docker Build Processes Can Lead to Vulnerabilities* + +In modern DevOps workflows, Docker Buildx is a powerful tool for building multi-platform Docker images efficiently. It provides a secure way to pass sensitive information like API keys, database credentials, and certificates during the build process using the `--secret` flag. However, improper handling or storage of these secrets during or after the build process can introduce critical vulnerabilities. + +A common mistake is to write these secrets into the container filesystem or to expose them in build scripts. This approach is flawed because: + +1. **Secrets become part of the container image**: If secrets are written to the container's filesystem during the build phase, they are included in the final image. Anyone with access to the image can extract these secrets by inspecting the container layers or accessing the filesystem. +2. **Hardcoding secrets in build scripts**: Developers may hardcode secrets in scripts used to build images. When these scripts are stored in version control systems, the secrets are exposed to anyone with access to the repository. +3. **Lack of cleanup during the build process**: Even if secrets are used temporarily, failing to securely clean up or remove these secrets before finalizing the image can leave them exposed. + +*Why This Challenge?* + +The purpose of this challenge is to demonstrate the risks of improperly handling secrets in Docker Buildx workflows. Specifically, it showcases how secrets intended to be temporary during the build process can end up being permanently stored in the container's filesystem due to misconfiguration. + +This challenge simulates a scenario where: + +- A sensitive secret is passed to the Docker build process using the `--secret` flag. 
+- Due to misconfiguration, the secret is written to a file in the container's filesystem (`/app/secret.txt`) during the build phase. +- The resulting image contains this secret, making it accessible to anyone who can run or inspect the container. + +*Key Learning Points:* + +- **Avoid embedding secrets in container images**: Secrets should never be baked into Docker images. Use mechanisms like runtime environment variables or external secret management tools to provide secrets dynamically. +- **Secure the build process**: Even with tools like `--secret`, ensure secrets are not permanently stored in intermediate or final image layers. +- **Do not hardcode secrets in build scripts**: Build scripts should not contain sensitive information. Store sensitive values securely and reference them dynamically during the build process. +- **Implement cleanup mechanisms**: If secrets must be written to temporary files during the build process, ensure they are securely removed before the image is finalized. + +By completing this challenge, you will understand the implications of improper secret handling during Docker builds and learn best practices for managing secrets securely in containerized environments. From 7e77badbdbd3a2579f4aadadeb3fb7a15775b657 Mon Sep 17 00:00:00 2001 From: Shubham-Patel07 Date: Fri, 3 Jan 2025 18:11:03 +0530 Subject: [PATCH 7/9] Add: Updated wrong-secrets-configration.yaml --- src/main/resources/wrong-secrets-configuration.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/src/main/resources/wrong-secrets-configuration.yaml b/src/main/resources/wrong-secrets-configuration.yaml index 0ce362d60..5b9de9aa1 100644 --- a/src/main/resources/wrong-secrets-configuration.yaml +++ b/src/main/resources/wrong-secrets-configuration.yaml 
@@ -814,3 +814,16 @@ configurations: category: *secrets ctf: enabled: true + + - name: Challenge 51 + short-name: "challenge-52" + sources: + - class-name: "org.owasp.wrongsecrets.challenges.docker.Challenge52" + explanation: "explanations/challenge52.adoc" + hint: "explanations/challenge52_hint.adoc" + reason: "explanations/challenge52_reason.adoc" + environments: *all_envs + difficulty: *normal + category: *secrets + ctf: + enabled: true From 8b2fd55e14f2ce530c0e4fc00064e9def9444c3a Mon Sep 17 00:00:00 2001 From: "pre-commit-ci-lite[bot]" <117423508+pre-commit-ci-lite[bot]@users.noreply.github.com> Date: Fri, 3 Jan 2025 12:43:11 +0000 Subject: [PATCH 8/9] [pre-commit.ci lite] apply automatic fixes --- .../challenges/docker/Challenge52.java | 53 +++++++++---------- 1 file changed, 25 insertions(+), 28 deletions(-) diff --git a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge52.java b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge52.java index 742abf17e..7834b1a04 100644 --- a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge52.java +++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge52.java @@ -2,6 +2,9 @@ import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; import groovy.util.logging.Slf4j; +import java.nio.charset.StandardCharsets; +import java.nio.file.Files; +import java.nio.file.Paths; import org.owasp.wrongsecrets.Challenges; import org.owasp.wrongsecrets.challenges.FixedAnswerChallenge; import org.slf4j.Logger; 
@@ -9,37 +12,31 @@ import org.springframework.beans.factory.annotation.Value; import org.springframework.stereotype.Component; -import java.nio.charset.StandardCharsets; -import java.nio.file.Files; -import java.nio.file.Paths; - - @Slf4j @Component public class Challenge52 extends FixedAnswerChallenge { - private static final Logger log = LoggerFactory.getLogger(Challenge52.class); - private final String dockerMountsecret; - - public Challenge52(@Value("$challengedockermtsecret") String dockerMountsecret) { - this.dockerMountsecret = dockerMountsecret; - } - - @Override - public String getAnswer() { - return getActualSecret(); - } - - @SuppressFBWarnings( - value = "PATH_TRAVERSAL_IN", - justification = "The location of the dockerMountPath is based on an Env Var" - ) - private String getActualSecret(){ - try { - return Files.readString(Paths.get(dockerMountsecret,"secret.txt"), StandardCharsets.UTF_8); - } catch (Exception e) { - log.warn("Exception during file reading, defaulting to default without cloud environment", e); - return Challenges.ErrorResponses.FILE_MOUNT_ERROR; - } + private static final Logger log = LoggerFactory.getLogger(Challenge52.class); + private final String dockerMountsecret; + + public Challenge52(@Value("$challengedockermtsecret") String dockerMountsecret) { + this.dockerMountsecret = dockerMountsecret; + } + + @Override + public String getAnswer() { + return getActualSecret(); + } + + @SuppressFBWarnings( + value = "PATH_TRAVERSAL_IN", + justification = "The location of the dockerMountPath is based on an Env Var") + private String getActualSecret() { + try { + return Files.readString(Paths.get(dockerMountsecret, "secret.txt"), StandardCharsets.UTF_8); + } catch (Exception e) { + log.warn("Exception during file reading, defaulting to default without cloud environment", e); + return Challenges.ErrorResponses.FILE_MOUNT_ERROR; } + } } From 024973ad7d3bf4896ef9d3788bd9529052ceb44a Mon Sep 17 00:00:00 2001 
From: Shubham-Patel07 Date: Fri, 3 Jan 2025 18:33:54 +0530 Subject: [PATCH 9/9] Fix: Duplicate key error --- src/main/resources/application.properties | 1 + src/main/resources/wrong-secrets-configuration.yaml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index d26b4a347..500c79a92 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties @@ -79,6 +79,7 @@ management.endpoint.health.probes.enabled=true management.health.livenessState.enabled=true management.health.readinessState.enabled=true management.endpoints.web.exposure.include=auditevents,info,health +challengedockermtsecret=/app #--- spring.config.activate.on-profile=kubernetes-vault wrongsecretvalue=wrongsecret diff --git a/src/main/resources/wrong-secrets-configuration.yaml b/src/main/resources/wrong-secrets-configuration.yaml index 5b9de9aa1..d0111b2e8 100644 --- a/src/main/resources/wrong-secrets-configuration.yaml +++ b/src/main/resources/wrong-secrets-configuration.yaml @@ -815,7 +815,7 @@ configurations: ctf: enabled: true - - name: Challenge 51 + - name: Challenge 52 short-name: "challenge-52" sources: - class-name: "org.owasp.wrongsecrets.challenges.docker.Challenge52"
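Review bot: `challengedockermtsecret=/app` is only consulted if the injection point spells the placeholder as `${challengedockermtsecret}`; as the Challenge52 constructor is written in this series (`@Value("$challengedockermtsecret")`, without braces) the property is never resolved and this value is dead until that is corrected. The key is placed just before the `#---` separator that starts the kubernetes-vault document, and whether that puts it in the default document or a profile-specific one cannot be seen from the hunk. A short comment above it, `# Directory holding secret.txt written during the docker build (Challenge 52)`, would tie the value to the Dockerfile that produces it, since `/app` is otherwise only discoverable by reading the build files.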