diff --git a/Dockerfile b/Dockerfile
index 2f65c0f14..da5db174e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 FROM bellsoft/liberica-openjre-debian:25-cds AS builder
 WORKDIR /builder
-ARG argBasedVersion="1.13.1-alpha11"
+ARG argBasedVersion="1.13.1-alpha6"
 COPY --chown=wrongsecrets target/wrongsecrets-${argBasedVersion}-SNAPSHOT.jar application.jar
 RUN java -Djarmode=tools -jar application.jar extract --layers --destination extracted
diff --git a/Dockerfile.web b/Dockerfile.web
index d500fa204..ab9a85148 100644
--- a/Dockerfile.web
+++ b/Dockerfile.web
@@ -1,5 +1,5 @@
-FROM jeroenwillemsen/wrongsecrets:1.13.1-alpha11-no-vault
-ARG argBasedVersion="1.13.1-alpha11-no-vault"
+FROM jeroenwillemsen/wrongsecrets:1.13.1-alpha6-no-vault
+ARG argBasedVersion="1.13.1-alpha6-no-vault"
 ARG spring_profile="without-vault"
 ARG CANARY_URLS="http://canarytokens.com/terms/about/s7cfbdakys13246ewd8ivuvku/post.jsp,http://canarytokens.com/terms/about/y0all60b627gzp19ahqh7rl6j/post.jsp"
 ARG CTF_ENABLED=false
diff --git a/src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge61/TelegramWebhookController.java b/src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge61/TelegramWebhookController.java
index b7bba84c2..fd28cd155 100644
--- a/src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge61/TelegramWebhookController.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge61/TelegramWebhookController.java
@@ -57,7 +57,7 @@ public ResponseEntity handleWebhook(
     }
     try {
-      logger.info("Received webhook update: {}", update.get("update_id"));
+      logger.info("Received webhook update: {}", sanitizeForLog(String.valueOf(update.get("update_id"))));
       // Check if this is a message update
       if (update.containsKey("message")) {
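Review bot: The value of `ARG argBasedVersion` moves backwards, from 1.13.1-alpha11 to 1.13.1-alpha6, and the Dockerfile.web hunk carries the same downgrade in both its `FROM` tag and its `ARG`; this looks more like a rebase onto an older base than an intended release change. If alpha6 is really intended, the jar path built from `${argBasedVersion}` in the `COPY` line must match the version in pom.xml (not part of this diff), otherwise the image build fails at that step. Please confirm which version is current before merging.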
@@ -104,7 +104,7 @@ private void sendSecretMessage(Object chatId) {
     Map response = restTemplate.getForObject(sendMessageUrl, Map.class);
     if (response != null && Boolean.TRUE.equals(response.get("ok"))) {
-      logger.info("Successfully sent secret message to chat_id: {}", chatId);
+      logger.info("Successfully sent secret message to chat_id: {}", sanitizeForLog(String.valueOf(chatId)));
     } else {
       logger.warn("Failed to send message to Telegram");
     }
@@ -114,6 +114,13 @@ private void sendSecretMessage(Object chatId) {
     }
   }
+  private String sanitizeForLog(String value) {
+    if (value == null) {
+      return "null";
+    }
+    return value.replaceAll("[\r\n]", "_");
+  }
+
   private String getBotToken() {
     // Same double-encoded bot token as in Challenge61
     String encodedToken =
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 7f17a2839..4962e40c0 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -5,7 +5,7 @@ spring.web.resources.cache.period=PT2H
 server.compression.enabled=true
 spring.config.import=classpath:/wrong-secrets-configuration.yaml
-# Challenge61: Disable webhook by default (memory intensive on Heroku). Enable in profile if needed.
+password=ThisEnvironmentIsAnotherPlaceToHide
 challenge61.webhook.enabled=false
 SPECIAL_K8S_SECRET=if_you_see_this_please_use_k8s
 SPECIAL_SPECIAL_K8S_SECRET=if_you_see_this_please_use_k8s
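Review bot: `sanitizeForLog` only replaces CR and LF, so the two call sites it protects (the `update_id` log in the `@@ -57` hunk and the `chat_id` log in the `@@ -104` hunk) still pass through other control characters such as ESC, backspace and tab, which are the usual way to forge or mangle log lines once newlines are blocked. Widening the class to all control characters covers this in one place: `return value.replaceAll("\\p{Cntrl}", "_");`, and since the regex is rebuilt on every call it is worth hoisting into a field, `private static final Pattern LOG_UNSAFE = Pattern.compile("\\p{Cntrl}");` with `return LOG_UNSAFE.matcher(value).replaceAll("_");`. Both callers already wrap the argument in `String.valueOf`, which yields the string "null" for a null value, so the null branch is only reachable from other callers; a one-line Javadoc such as `/** Strips control characters from an untrusted value before it is written to the log. */` would make the contract explicit. The enclosing class continues outside the hunk.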
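Review bot: The removed line was the only explanation of why `challenge61.webhook.enabled=false` is the default, and the new `password=` entry takes its place, so the property is now undocumented; keep the comment directly above it, `# Challenge61: Disable webhook by default (memory intensive on Heroku). Enable in profile if needed.`. The `password` key is presumably an intentionally planted challenge value in this project, but a generic key name like that is exactly what secret scanners and config tooling flag, so a one-line comment marking it as a deliberate challenge artefact would save maintainers from treating it as a leak.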