Merge branch 'main' into fix-command-injection

Author: Robert Haimerl

.github/workflows/docker.yml

@@ -0,0 +1,35 @@
+name: "Codacy Local Analysis"
+
+on:
+  push:
+    branches:
+      - '**'
+
+jobs:
+  analyze:
+    name: analyze
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-java@v4
+        with:
+          distribution: temurin
+          java-version: 17
+      - uses: gradle/actions/setup-gradle@v3
+        with:
+          gradle-version: 8.9
+      - name: build
+        run: gradle build
+      - name: generate coverage report
+        run: gradle jacocoTestReport
+      - name: uploade coverage data
+        uses: codacy/[email protected]
+        with:
+          project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
+          coverage-reports: reports/coverage.xml
+      - name: generate and upload local analysis data
+        uses: codacy/[email protected]
+        with: 
+          tool: spotbugs
+          project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
+          upload: true

.github/workflows/local-analysis.yaml

@@ -0,0 +1,44 @@
+name: "Release and Attest"
+
+on:
+  push:
+    tags:
+      - 'v*.*.*'
+
+jobs:
+  create-release:
+    name: create-release
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      attestations: write
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+      - name: insert newrelic key
+        run: sed -i "s|<LICENSE_KEY>|${{ secrets.NEWRELIC_LICENSE_KEY }}|g" newrelic.yml
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: codingdepot
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          tags: type=semver,pattern={{version}}
+          flavor: latest=false
+          images: codingdepot/idp-target-registry
+      - name: Build and push
+        id: push
+        uses: docker/build-push-action@v6
+        with:
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: docker.io/codingdepot/idp-target-registry
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true

.github/workflows/release.yaml

@@ -4,18 +4,12 @@ WORKDIR /home/gradle/src
 RUN gradle downloadNewrelic && gradle unzipNewrelic
 RUN gradle bootJar --no-daemon
 
-
-FROM eclipse-temurin:17
-LABEL org.opencontainers.image.source="https://github.com/DataDog/vulnerable-java-application/"
+FROM amazoncorretto:17-alpine
 EXPOSE 8000
 RUN mkdir /app
 WORKDIR /app
 COPY --from=builder /home/gradle/src/build/libs/*.jar /app/spring-boot-application.jar
 COPY --from=builder /home/gradle/src/newrelic/* /app/newrelic/
 COPY --from=builder /home/gradle/src/newrelic.yml /app/newrelic/newrelic.yml
-RUN apt-get update && \
-    apt-get install -y --no-install-recommends iputils-ping=3:20190709-3 && \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/*
 
 CMD ["java", "-javaagent:/app/newrelic/newrelic.jar", "-jar", "/app/spring-boot-application.jar"]

Dockerfile

@@ -1,39 +1,25 @@
 # Vulnerable Java application
 
-This repository contains a sample application, the "Websites Tester Service", that's vulnerable to a [Command Injection](https://owasp.org/www-community/attacks/Command_Injection) and [Server-Side Request Forgery (SSRF)](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/) vulnerability.
+This repository contains a sample application, the "Websites Tester Service", that's vulnerable to a [Command Injection](https://owasp.org/www-community/attacks/Command_Injection) vulnerability.
 
 > **Warning!**
 > This application is purposely vulnerable and can trivially be hacked. Don't expose it to the Internet, and don't run it in a production environment.
 > Instead, you can run it locally on your machine, or in a cloud environment on a private VPC.
 
 ## Running locally
 
-1. Build the image locally, or use `ghcr.io/datadog/vulnerable-java-application`:
+1. Build the image locally: 
+   ```
+   docker build -t vulnerable-java-application:latest .
+   ```
 2. Run:
     ```
-    docker run --rm -p 8000:8000 ghcr.io/datadog/vulnerable-java-application
+    docker run --rm -p 8000:8000 vulnerable-java-application:latest
     ```
 3. You can then access the web application at <http://127.0.0.1:8000>
 
-## Running on Kubernetes
-
-```
-kubectl run  vulnerable-application --port=8000 --expose=true --image ghcr.io/datadog/vulnerable-java-application
-kubectl port-forward pod/vulnerable-application 8000
-```
-
-You can then access the web application at <http://127.0.0.1:8000>
-
 ## Exploitation
 
-### Server-side request vulnerability
-
-1. Browse to <http://127.0.0.1:8000/website.html>
-2. Note how the input allows you to specify arbitrary URLs such as `http://google.com`, but also any internal IP such as `http://169.254.169.254/latest/meta-data/`
-3. When the applications is running in AWS, Azure or GCP, this can often be exploited to retrieve instance metadata credentials
-
-### Command injection vulnerability
-
 1. Browse to <http://127.0.0.1:8000/index.html>
 2. Note how the input allows you to specify domain names such as `google.com` and ping them
 3. Note that there is some level of input validation - entering `$(whoami)` returns `Invalid domain name: $(whoami) - don't try to hack us!`

Makefile

@@ -2,15 +2,11 @@ plugins {
 	id 'org.springframework.boot' version '2.7.3'
 	id 'io.spring.dependency-management' version '1.1.5'
 	id 'java'
-
-	//id 'com.github.spotbugs' version '6.0.11'
 	id 'jacoco'
-	//id 'org.sonarqube' version '5.0.0.4638'
 	id "de.undercouch.download" version "5.3.0"
 }
 
-group = 'com.datadoghq.workshops'
-version = '0.0.1-SNAPSHOT'
+version = '1.0.0'
 sourceCompatibility = '17'
 
 repositories {
@@ -25,26 +21,8 @@ dependencies {
 	compileOnly 'org.projectlombok:lombok:1.18.24'
 	annotationProcessor 'org.projectlombok:lombok:1.18.24'
 	testImplementation 'org.springframework.boot:spring-boot-starter-test'
-
-	// Added for testing
-	//spotbugs 'com.github.spotbugs:spotbugs:4.8.4'
-	//spotbugsPlugins 'com.h3xstream.findsecbugs:findsecbugs-plugin:1.13.0'
 }
 
-/*
-tasks.spotbugsMain {
-	ignoreFailures = true
-	reports.create("sarif") {
-		required = true
-		outputLocation = file("$rootDir/reports/spotbugs.sarif")
-	}
-	reports.create("html") {
-		required = true
-		outputLocation = file("$rootDir/reports/spotbugs.html")
-	}
-}
-*/
-
 tasks.named('test') {
 	useJUnitPlatform()
 	finalizedBy jacocoTestReport
@@ -68,13 +46,3 @@ task unzipNewrelic(type: Copy) {
     from zipTree(file('newrelic/newrelic-java.zip'))
     into rootDir
 }
-
-/*
-sonar {
-	properties {
-		property("sonar.projectKey", "Vulnerable-Java-App")
-		property("sonar.projectName", "Vulnerable Java App")
-		// add host URL and TOKEN in command line
-	}
-}
-*/

README.md

@@ -1,7 +1,6 @@
 package com.datadoghq.workshops.samplevulnerablejavaapp;
 
 import com.datadoghq.workshops.samplevulnerablejavaapp.exception.InvalidDomainException;
-import com.datadoghq.workshops.samplevulnerablejavaapp.exception.UnableToTestDomainException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -17,9 +16,6 @@ public class MainController {
   @Autowired
   private DomainTestService domainTestService;
 
-  @Autowired
-  private WebsiteTestService websiteTestService;
-
   @RequestMapping(method=RequestMethod.POST, value="/test-domain", consumes="application/json")
   public ResponseEntity<String> testDomain(@RequestBody DomainTestRequest request) {
     log.info("Testing domain " + request.domainName);
@@ -28,18 +24,8 @@ public ResponseEntity<String> testDomain(@RequestBody DomainTestRequest request)
       return new ResponseEntity<>(result, HttpStatus.OK);
     } catch(InvalidDomainException e) {
       return new ResponseEntity<>(e.getMessage(), HttpStatus.BAD_REQUEST);
-    } catch (UnableToTestDomainException e) {
-      return new ResponseEntity<>(e.getMessage(), HttpStatus.INTERNAL_SERVER_ERROR);
-    } catch(Exception e) {
+    } catch (Exception e) {
       return new ResponseEntity<>(e.getMessage(), HttpStatus.INTERNAL_SERVER_ERROR);
     }
   }
-
-  @RequestMapping(method=RequestMethod.POST, value="/test-website", consumes="application/json")
-  public ResponseEntity<String> testWebsite(@RequestBody WebsiteTestRequest request) {
-    log.info("Testing website " + request.url);
-    String result = websiteTestService.testWebsite(request);
-    return new ResponseEntity<>(result, HttpStatus.OK);
-  }
-
 }