OWASP · commjoen · Oct 3, 2023 · Jul 8, 2023 · Jul 8, 2023 · Jul 17, 2023
@@ -437,7 +437,7 @@ Feel free to edit and propose changes via pull requests. Be sure to follow our g
 
 Please note that we officially only support Linux and MacOS for development. If you want to develop using a Windows machine, use WSL2 or a virtual machine running Linux. We did include Windows detection & a bunch of `exe` files for a first experiment, but are looking for active maintainers of them. Want to make sure it runs on Windows? Create PRs ;-).
 
-If, after reading this section, you still have no clue on the application code: Have a look [at some tutorials on Spring boot from Baeldung](https://www.baeldung.com/spring-boot)
+If, after reading this section, you still have no clue on the application code: Have a look [at some tutorials on Spring boot from Baeldung](https://www.baeldung.com/spring-boot).
 
 ### Automatic reload during development
 

@@ -0,0 +1,78 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+import java.util.List;
+import org.owasp.wrongsecrets.RuntimeEnvironment;
+import org.owasp.wrongsecrets.ScoreCard;
+import org.owasp.wrongsecrets.challenges.Challenge;
+import org.owasp.wrongsecrets.challenges.ChallengeTechnology;
+import org.owasp.wrongsecrets.challenges.Difficulty;
+import org.owasp.wrongsecrets.challenges.Spoiler;
+import org.springframework.core.annotation.Order;
+import org.springframework.stereotype.Component;
+
+/** This is a challenge based on leaking secrets with the misuse of Git notes */
+@Component
+@Order(38)
+public class Challenge38 extends Challenge {
+
+  public Challenge38(ScoreCard scoreCard) {
+    super(scoreCard);
+  }
+
+  @Override
+  public boolean canRunInCTFMode() {
+    return true;
+  }
+
+  @Override
+  public Spoiler spoiler() {
+    return new Spoiler(getSolution());
+  }
+
+  @Override
+  public boolean answerCorrect(String answer) {
+    return getSolution().equals(answer);
+  }
+
+  /** {@inheritDoc} */
+  @Override
+  public int difficulty() {
+    return Difficulty.EASY;
+  }
+
+  /** {@inheritDoc} Git based. */
+  @Override
+  public String getTech() {
+    return ChallengeTechnology.Tech.GIT.id;
+  }
+
+  @Override
+  public boolean isLimitedWhenOnlineHosted() {
+    return false;
+  }
+
+  @Override
+  public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
+    return List.of(RuntimeEnvironment.Environment.DOCKER);
+  }
+
+  private String getSolution() {
+    return unobfuscate("UOZFGZTLOLLXHTKEGGS");
+  }
+
+  private String unobfuscate(String obfuscatedString) {
+    final String key = "QWERTYUIOPASDFGHJKLZXCVBNM";
+    StringBuilder plainText = new StringBuilder();
+    for (char c : obfuscatedString.toCharArray()) {
+      if (Character.isLetter(c)) {
+        int index = key.indexOf(Character.toUpperCase(c));
+        char replacement = (char) ('A' + index);
+        plainText.append(replacement);
+      } else {
+        plainText.append(c);
+        System.out.println(plainText);
+      }
+    }
+    return plainText.toString();
+  }
+}
@@ -0,0 +1,9 @@
+=== Git Notes
+
+Git commit messages can be a constant pain point.
+
+It is fine to use a short message, unintelligible garble or a simple mash of the keyboard in a git message until you have the unfortunate task of reviewing. At this point these scruffy messages can be a nightmare.
+
+Git notes are here to solve this, it has been around for a long while but often gets overlooked. Add extra metadata about the commit without affecting the commit message itself.
+
+Like all Git, once information is committed, it is very very hard to remove all reference of it. What could possible go wrong?
@@ -0,0 +1,10 @@
+Unlike other Git challenges this cannot be solved by the plethora of tools that will automatically search for secrets leaked in Git repos.
+
+Try be solving the challenge by manually combing the Git metadata.
+
+Search manually using `git notes`
+- Clone the repository `git clone [email protected]:OWASP/wrongsecrets.git`
+- Navigate to the directory `cd wrongsecrets`
+- Fetch the notes `git fetch origin refs/notes/*:refs/notes/*`
+- List all notes in the repo `git notes`
+- Using the note reference that is displayed show the note `git notes show [ref]` (2 references will show for each note, the second one is the note reference)
@@ -0,0 +1,9 @@
+*Why you should be careful with Git notes?*
+
+Git notes has a couple of concerns in secret leaking:
+
+1. Like all Git repo's, once a secret is leaked it here it is very tough/impossible to remove from all history.
+
+2. Git Notes appears to be a rarely used feature of Git, therefore a lot of the secret scanners do not check notes so it can be missed in CI.*
+
+**Concern 2 is currently being researched by the team at WrongSecrets, we are sampling the biggest open source projects to understand if Git notes is used. If it is used we may try to contribute to secret scanners to accommodate this, if it is not used we may recommend simply not using this feature of Git to ensure no issues arise. Keep an eye out on the WrongSecrets Slack for the progression of this project.**
@@ -0,0 +1,23 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+import org.assertj.core.api.Assertions;
+import org.junit.jupiter.api.Test;
+import org.mockito.Mock;
+import org.owasp.wrongsecrets.ScoreCard;
+
+public class Challenge38Test {
+  @Mock private ScoreCard scoreCard;
+
+  @Test
+  void spoilerShouldGiveAnswer() {
+    var challenge = new Challenge38(scoreCard);
+    Assertions.assertThat(challenge.spoiler().solution()).isNotEmpty();
+    Assertions.assertThat(challenge.answerCorrect(challenge.spoiler().solution())).isTrue();
+  }
+
+  @Test
+  void incorrectAnswerShouldNotSolveChallenge() {
+    var challenge = new Challenge38(scoreCard);
+    Assertions.assertThat(challenge.solved("wrong answer")).isFalse();
+  }
+}