From 8328577781d97eb280ccae9222094e0a4d7b3b42 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 7 Mar 2026 04:06:01 +0000
Subject: [PATCH 1/2] Initial plan

From d5fb3d83c7a0770b2a24ca33947b7e2f8faf1504 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 7 Mar 2026 04:12:08 +0000
Subject: [PATCH 2/2] Fix CI failures: restore password property, fix CRLF injection, fix Dockerfile versions

Co-authored-by: commjoen <1457214+commjoen@users.noreply.github.com>
---
 Dockerfile | 2 +-
 Dockerfile.web | 4 ++--
 .../docker/challenge61/TelegramWebhookController.java | 11 +++++++++--
 src/main/resources/application.properties | 2 +-
 4 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 2f65c0f14..da5db174e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 FROM bellsoft/liberica-openjre-debian:25-cds AS builder
 WORKDIR /builder
-ARG argBasedVersion="1.13.1-alpha11"
+ARG argBasedVersion="1.13.1-alpha6"
 COPY --chown=wrongsecrets target/wrongsecrets-${argBasedVersion}-SNAPSHOT.jar application.jar
 RUN java -Djarmode=tools -jar application.jar extract --layers --destination extracted
diff --git a/Dockerfile.web b/Dockerfile.web
index d500fa204..ab9a85148 100644
--- a/Dockerfile.web
+++ b/Dockerfile.web
@@ -1,5 +1,5 @@
-FROM jeroenwillemsen/wrongsecrets:1.13.1-alpha11-no-vault
-ARG argBasedVersion="1.13.1-alpha11-no-vault"
+FROM jeroenwillemsen/wrongsecrets:1.13.1-alpha6-no-vault
+ARG argBasedVersion="1.13.1-alpha6-no-vault"
 ARG spring_profile="without-vault"
 ARG CANARY_URLS="http://canarytokens.com/terms/about/s7cfbdakys13246ewd8ivuvku/post.jsp,http://canarytokens.com/terms/about/y0all60b627gzp19ahqh7rl6j/post.jsp"
 ARG CTF_ENABLED=false
diff --git a/src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge61/TelegramWebhookController.java b/src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge61/TelegramWebhookController.java
index b7bba84c2..fd28cd155 100644
--- a/src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge61/TelegramWebhookController.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge61/TelegramWebhookController.java
@@ -57,7 +57,7 @@ public ResponseEntity handleWebhook(
 }
 try {
- logger.info("Received webhook update: {}", update.get("update_id"));
+ logger.info("Received webhook update: {}", sanitizeForLog(String.valueOf(update.get("update_id"))));
 // Check if this is a message update
 if (update.containsKey("message")) {
@@ -104,7 +104,7 @@ private void sendSecretMessage(Object chatId) {
 Map response = restTemplate.getForObject(sendMessageUrl, Map.class);
 if (response != null && Boolean.TRUE.equals(response.get("ok"))) {
- logger.info("Successfully sent secret message to chat_id: {}", chatId);
+ logger.info("Successfully sent secret message to chat_id: {}", sanitizeForLog(String.valueOf(chatId)));
 } else {
 logger.warn("Failed to send message to Telegram");
 }
@@ -114,6 +114,13 @@ private void sendSecretMessage(Object chatId) {
 }
 }
+ private String sanitizeForLog(String value) {
+ if (value == null) {
+ return "null";
+ }
+ return value.replaceAll("[\r\n]", "_");
+ }
+
 private String getBotToken() {
 // Same double-encoded bot token as in Challenge61
 String encodedToken =
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 7f17a2839..4962e40c0 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
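Review bot: `sanitizeForLog` in the third hunk only rewrites `\r` and `\n`, so other control characters in request-supplied fields such as `update_id` or `chat_id` (tab, ESC and the ANSI sequences it starts, and the Unicode separators U+0085/U+2028/U+2029 that some log viewers render as line breaks) still reach the log unchanged, and `replaceAll` recompiles its pattern on every call. A tighter, reusable form is `private static final Pattern LOG_UNSAFE = Pattern.compile("[\\p{Cc}\\u2028\\u2029]");` with the body `return LOG_UNSAFE.matcher(value).replaceAll("_");` (plus `import java.util.regex.Pattern;`). Both call sites pass `String.valueOf(...)`, so the `null` branch is unreachable from them but harmless. The method deserves a one-line Javadoc such as `/** Neutralizes line breaks and control characters so webhook-supplied values cannot forge or mangle log entries. */`. `handleWebhook` and `sendSecretMessage` begin and end outside their hunks, and `getBotToken` continues past the last hunk.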
@@ -5,7 +5,7 @@ spring.web.resources.cache.period=PT2H
 server.compression.enabled=true
 spring.config.import=classpath:/wrong-secrets-configuration.yaml
-# Challenge61: Disable webhook by default (memory intensive on Heroku). Enable in profile if needed.
+password=ThisEnvironmentIsAnotherPlaceToHide
 challenge61.webhook.enabled=false
 SPECIAL_K8S_SECRET=if_you_see_this_please_use_k8s
 SPECIAL_SPECIAL_K8S_SECRET=if_you_see_this_please_use_k8s
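Review bot: The `password=` line replaces the comment that explained why `challenge61.webhook.enabled` defaults to `false` instead of being added next to it, so the rationale ("memory intensive on Heroku", enable per profile) disappears from the file. Restore it as its own line directly above `challenge61.webhook.enabled=false`: `# Challenge61: Disable webhook by default (memory intensive on Heroku). Enable in profile if needed.`. The restored `password=ThisEnvironmentIsAnotherPlaceToHide` is a plaintext value in a committed properties file; the commit title says it is being restored, which suggests it is intentional challenge material in this project, and a short adjacent comment stating that would stop the next cleanup from removing it again.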