Merge branch 'OWASP:main' into main

Author: gerardocanedo

.github/workflows/tests.yml

@@ -0,0 +1,32 @@
+name: "Training Portal Tests"
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  tests:
+    name: Portal Unit Tests
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Repo Checkout
+      uses: actions/checkout@v2
+
+    - name: Setup Node
+      uses: actions/setup-node@v1
+      with:
+        node-version: 14
+
+    - name: Setup Portal
+      working-directory: ./trainingportal
+      run: |
+        npm install
+        cp config.json.docker config.json
+        node tools/devSetup.js
+
+    - name: Run Tests
+      working-directory: ./trainingportal
+      run: npm test

AttackGrams.pptx

@@ -1,4 +1,4 @@
 **Input Validation** is one of the basic tenets of software security. Verifying that the values provided to the application match the expected type or format, goes a long way in reducing the attack surface. Validation is a simple countermeasure with super results.
 
-It is important to note that a common mistake is to use `block lists` for validation. For example an application will prevent symbols that are known to cause trouble. The weakness of this approach is that some symbols may be overlooked.
+It is important to note that a common mistake is to use `deny lists` for validation. For example an application will prevent symbols that are known to cause trouble. The weakness of this approach is that some symbols may be overlooked.
 

codereview101/categoryInputValidation.md

@@ -15,7 +15,7 @@
                 ],
                 "answer":1,
                 "correctReasoning":"You're right! The code sample is preventing a vulnerability by using input allow listing.",
-                "incorrectReasoning": "Incorrect! While there is some validation, it is based on block listing and will still allow command injection (ex. `rm -rf /`)."
+                "incorrectReasoning": "Incorrect! While there is some validation, it is based on deny listing and will still allow command injection (ex. `rm -rf /`)."
             }
         ]
 

codereview101/definitions.json

@@ -3,6 +3,14 @@ version: "3.7"
 services:
   insecureinc:
     image: securecodingdojo/insecure.inc
+    deploy:
+      resources:
+        limits:
+          cpus: "0.9"
+          memory: 512M
+        reservations:
+          cpus: "0.9"
+          memory: 512M
     build:
       context: ./insecureinc
       dockerfile: Dockerfile.insecureinc

docker-compose.insecureinc.yml

@@ -3,6 +3,14 @@ version: "3.7"
 services:
   trainingportal:
     image: securecodingdojo/trainingportal
+    deploy:
+      resources:
+        limits:
+          cpus: "0.9"
+          memory: 512M
+        reservations:
+          cpus: "0.9"
+          memory: 512M
     restart: "always" #change to always if you want the image to auto start
     build:
       context: ./trainingportal

docker-compose.trainingportal.yml

@@ -3,6 +3,14 @@ version: "3.7"
 services:
   insecureinc:
     image: securecodingdojo/insecure.inc
+    deploy:
+      resources:
+        limits:
+          cpus: "0.3"
+          memory: 256M
+        reservations:
+          cpus: "0.3"
+          memory: 256M
     build:
       context: ./insecureinc
       dockerfile: Dockerfile.insecureinc
@@ -16,6 +24,14 @@ services:
 
   trainingportal:
     image: securecodingdojo/trainingportal
+    deploy:
+      resources:
+        limits:
+          cpus: "0.3"
+          memory: 256M
+        reservations:
+          cpus: "0.3"
+          memory: 256M
     restart: "always" #change to always if you want the image to auto start
     build:
       context: ./trainingportal
@@ -34,6 +50,14 @@ services:
 
   host1:
     image: securecodingdojo/hackerden-host1
+    deploy:
+      resources:
+        limits:
+          cpus: "0.1"
+          memory: 128M
+        reservations:
+          cpus: "0.1"
+          memory: 128M
     build:
       context: ./hackerden
       dockerfile: Dockerfile.host1
@@ -47,6 +71,14 @@ services:
 
   host2:
     image: securecodingdojo/hackerden-host2
+    deploy:
+      resources:
+        limits:
+          cpus: "0.1"
+          memory: 128M
+        reservations:
+          cpus: "0.1"
+          memory: 128M
     build:
       context: ./hackerden
       dockerfile: Dockerfile.host2
@@ -60,6 +92,14 @@ services:
 
   front:
     image: securecodingdojo/hackerden-front
+    deploy:
+      resources:
+        limits:
+          cpus: "0.2"
+          memory: 128M
+        reservations:
+          cpus: "0.2"
+          memory: 128M
     build:
       context: ./hackerden
       dockerfile: Dockerfile.front

docker-compose.yml

@@ -8,6 +8,7 @@ WORKDIR /home/node/app
 
 RUN npm install
 RUN npm install pm2@latest -g
+RUN npm test
 
 USER node
 

hackerden/Dockerfile.front

@@ -1,8 +1,9 @@
 FROM tomcat:8.5-jre8
 COPY commandproc/commandproc.war /usr/local/tomcat/webapps
-RUN echo "user=admin" > /etc/credentials.properties
-RUN echo password=$(openssl rand -hex 32) >> /etc/credentials.properties
-RUN echo "SECRET2=FLAG-xxe" >> /usr/local/tomcat/conf/catalina.properties
-RUN echo "SECRET3=FLAG-deserialization" >> /usr/local/tomcat/conf/catalina.properties
-RUN openssl rand -out /etc/commandauth.bin 128
+COPY commandproc/start-commandproc.sh /usr/local/tomcat/start-commandproc.sh 
+RUN chmod +x /usr/local/tomcat/start-commandproc.sh 
+RUN chown -R www-data:www-data /usr/local/tomcat/logs
+RUN chown -R www-data:www-data /usr/local/tomcat/webapps
+RUN chown -R www-data:www-data /usr/local/tomcat/work
 EXPOSE 8080
+ENTRYPOINT ["/bin/bash","-c","/usr/local/tomcat/start-commandproc.sh" ]

hackerden/Dockerfile.host2

@@ -0,0 +1,5 @@
+echo "user=admin" > /etc/credentials.properties
+echo password=$(openssl rand -hex 32) >> /etc/credentials.properties
+openssl rand -out /etc/commandauth.bin 128
+export JAVA_OPTS="-DSECRET2=FLAG-xxe-$FLAG_SECRET -DSECRET3=FLAG-deserialization-$FLAG_SECRET "
+su - www-data -s /bin/bash -c '/usr/local/tomcat/bin/catalina.sh run' -w JAVA_HOME,JAVA_OPTS