[WIP] Improve challenge61 and optimize Heroku CDS usage

Dockerfile

@@ -1,7 +1,7 @@
 FROM bellsoft/liberica-openjre-debian:25-cds AS builder
 WORKDIR /builder
 
-ARG argBasedVersion="1.13.1-alpha11"
+ARG argBasedVersion="1.13.1-alpha6"
 
 COPY --chown=wrongsecrets target/wrongsecrets-${argBasedVersion}-SNAPSHOT.jar application.jar
 RUN java -Djarmode=tools -jar application.jar extract --layers --destination extracted
@@ -13,12 +13,12 @@
 ARG spring_profile=""
 ARG challenge59_webhook_url="YUhSMGNITTZMeTlvYjI5cmN5NXpiR0ZqYXk1amIyMHZjMlZ5ZG1salpYTXZWREEwVkRRd1RraFlMMEl3T1VSQlRrb3lUamRMTDJNeWFqYzFSVEUzVjFrd2NFeE5SRXRvU0RsbGQzZzBhdz09"
 ENV SPRING_PROFILES_ACTIVE=$spring_profile
 ENV ARG_BASED_PASSWORD=$argBasedPassword
 ENV APP_VERSION=$argBasedVersion
 ENV DOCKER_ENV_PASSWORD="This is it"
 ENV AZURE_KEY_VAULT_ENABLED=false
 ENV CHALLENGE59_SLACK_WEBHOOK_URL=$challenge59_webhook_url
 ENV WRONGSECRETS_MCP_SECRET=MCPStolenSecret42!
 ENV SPRINGDOC_UI=false
 ENV SPRINGDOC_DOC=false
 ENV BASTIONHOSTPATH="/home/wrongsecrets/.ssh"
@@ -71,4 +71,4 @@
 RUN adduser -u 2000 -D wrongsecrets
 USER wrongsecrets
 
 CMD java -jar -XX:SharedArchiveFile=application.jsa -Dspring.profiles.active=$(echo ${SPRING_PROFILES_ACTIVE}) -Dspringdoc.swagger-ui.enabled=${SPRINGDOC_UI} -Dspringdoc.api-docs.enabled=${SPRINGDOC_DOC} -D application.jar

Dockerfile.web

@@ -1,5 +1,5 @@
-FROM jeroenwillemsen/wrongsecrets:1.13.1-alpha11-no-vault
-ARG argBasedVersion="1.13.1-alpha11-no-vault"
+FROM jeroenwillemsen/wrongsecrets:1.13.1-alpha6-no-vault
+ARG argBasedVersion="1.13.1-alpha6-no-vault"
 ARG spring_profile="without-vault"
 ARG CANARY_URLS="http://canarytokens.com/terms/about/s7cfbdakys13246ewd8ivuvku/post.jsp,http://canarytokens.com/terms/about/y0all60b627gzp19ahqh7rl6j/post.jsp"
 ARG CTF_ENABLED=false

src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge61/TelegramWebhookController.java

@@ -57,7 +57,7 @@ public ResponseEntity<String> handleWebhook(
     }
 
     try {
-      logger.info("Received webhook update: {}", update.get("update_id"));
+      logger.info("Received webhook update: {}", sanitizeForLog(String.valueOf(update.get("update_id"))));
 
       // Check if this is a message update
       if (update.containsKey("message")) {
@@ -104,7 +104,7 @@ private void sendSecretMessage(Object chatId) {
       Map<String, Object> response = restTemplate.getForObject(sendMessageUrl, Map.class);
 
       if (response != null && Boolean.TRUE.equals(response.get("ok"))) {
-        logger.info("Successfully sent secret message to chat_id: {}", chatId);
+        logger.info("Successfully sent secret message to chat_id: {}", sanitizeForLog(String.valueOf(chatId)));
       } else {
         logger.warn("Failed to send message to Telegram");
       }
@@ -114,6 +114,13 @@ private void sendSecretMessage(Object chatId) {
     }
   }
 
+  private String sanitizeForLog(String value) {
+    if (value == null) {
+      return "null";
+    }
+    return value.replaceAll("[\r\n]", "_");
+  }
+
   private String getBotToken() {
     // Same double-encoded bot token as in Challenge61
     String encodedToken =

src/main/resources/application.properties

@@ -5,7 +5,7 @@ spring.web.resources.cache.period=PT2H
 server.compression.enabled=true
 spring.config.import=classpath:/wrong-secrets-configuration.yaml
 
-# Challenge61: Disable webhook by default (memory intensive on Heroku). Enable in profile if needed.
+password=ThisEnvironmentIsAnotherPlaceToHide
 challenge61.webhook.enabled=false
 SPECIAL_K8S_SECRET=if_you_see_this_please_use_k8s
 SPECIAL_SPECIAL_K8S_SECRET=if_you_see_this_please_use_k8s