
Draft: Challenge X: nexus credentials as part of a project pushed (#810) #1046

Closed
wants to merge 2 commits into from

Conversation

divyanshuagarwal-23

What kind of changes does this PR include?

- Fixes

Description

As per #810, task one was to create a settings.xml to connect to an imaginary Nexus repo.
I have created the settings.xml file for the same
and have created a challenge reading the credential.

Relations

closes #810

References

issue: #810
took ref from: https://github.com/sonatype/nexus-book-examples/blob/master/maven/settings/settings.xml

@divyanshuagarwal-23
Author

@commjoen please review this new PR.
I will close the old one, which was causing issues due to the challenge number.

@commjoen commjoen changed the title #810 nexus credentials Challenge 42: #810 nexus credentials Oct 18, 2023
@commjoen commjoen changed the title Challenge 42: #810 nexus credentials Challenge 42: nexus credentials as part of a project pushed (#810) Oct 18, 2023
Comment on lines +16 to +25
<repository>
  <id>central</id>
  <url>http://central</url>
  <releases>
    <enabled>true</enabled>
  </releases>
  <snapshots>
    <enabled>true</enabled>
  </snapshots>
</repository>

Check failure

Code scanning / CodeQL

Failure to use HTTPS or SFTP URL in Maven artifact upload/download High

Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to/from repository http://central
Comment on lines +28 to +37
<pluginRepository>
  <id>central</id>
  <url>http://central</url>
  <releases>
    <enabled>true</enabled>
  </releases>
  <snapshots>
    <enabled>true</enabled>
  </snapshots>
</pluginRepository>

Check failure

Code scanning / CodeQL

Failure to use HTTPS or SFTP URL in Maven artifact upload/download High

Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to/from repository http://central

@commjoen commjoen left a comment


I was not able to get it running on my system in this shape. Can you please have a look at the comments for an alternative approach?

Comment on lines +3 to +6
1. Using an online aes decryption tool like https://www.devglan.com/online-tools/aes-encryption-decryption[https://www.devglan.com/online-tools/aes-encryption-decryption]
- Copy the value of `secret` from `secrchallenge.json` and paste it into the textbox of the decryptor.
- Ensure the input format is `Base64` and the cipher mode is `ECB`.
- Use the value of `key` from `secrchallenge.json` as decryption key and click on `Decrypt` to get the secret.

this looks like a left-over from challenge41, can you remove this please?


private String getSolution() {
try {
String config = resource.getContentAsString(Charset.defaultCharset());

I am getting

java.io.FileNotFoundException: class path resource [maven/settings/settings.xml] cannot be opened because it does not exist
	at org.springframework.core.io.ClassPathResource.getInputStream(ClassPathResource.java:211) ~[spring-core-6.0.12.jar:6.0.12]
	at org.springframework.core.io.Resource.getContentAsString(Resource.java:165) ~[spring-core-6.0.12.jar:6.0.12]

private final Resource resource;

public Challenge42(
ScoreCard scoreCard, @Value("classpath:maven/settings/settings.xml") Resource resource) {

This resource does not exist (see below), can you instead have a look at the code of Challenge12.java? here you can see how a file is loaded either from test resources or from a filepath within a docker container or from the resources.

Comment on lines +76 to +82
StringReader stringReader = new StringReader(config);

XMLConfiguration xmlConfiguration = new XMLConfiguration();
xmlConfiguration.read(stringReader);

// Retrieve the Nexus password
return xmlConfiguration.getString("nexus.password");

This gives quite a few different exceptions. Can we do it with the JDK-based parser?

DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
// the feature must be set on the factory before the builder is created, otherwise it has no effect
dbFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
DocumentBuilder dBuilder = dbFactory.newDocumentBuilder();
Document doc = dBuilder.parse(Paths.get(filepath, "settings.xml").toFile());
doc.getDocumentElement().normalize();
// take the <password> of the first <server> entry; walking sibling/child indices
// depends on whitespace text nodes and breaks as soon as the file is reformatted
Element server = (Element) doc.getElementsByTagName("server").item(0);
return server.getElementsByTagName("password").item(0).getTextContent();

or something among these lines. And can you remove the entry from the pom.xml ?
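The two review points above, the CodeQL alert on `http://central` and the password lookup sketched for the JDK parser, can be checked together with a small scanner. The following is an added example and not WrongSecrets code: it parses a constructed settings.xml (all ids, usernames, passwords and hostnames are invented), reports every `<server>` whose `<password>` is neither a `${...}` placeholder nor Maven's `{...}` encrypted form, and reports every repository, plugin repository or mirror `<url>` served over http or ftp.

```python
import xml.etree.ElementTree as ET

# Constructed sample settings.xml for this example. Its layout follows the file
# under review (a <servers> block plus repositories served over http); the ids,
# usernames, passwords and hostnames are invented and are not from the PR.
SAMPLE_SETTINGS = """<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server>
      <id>nexus</id>
      <username>deployment</username>
      <password>deployment123</password>
    </server>
    <server>
      <id>nexus-encrypted</id>
      <username>ci</username>
      <password>{COQLCE6DU6GtcS5P=}</password>
    </server>
    <server>
      <id>nexus-from-env</id>
      <username>${env.NEXUS_USER}</username>
      <password>${env.NEXUS_PASSWORD}</password>
    </server>
  </servers>
  <profiles>
    <profile>
      <id>nexus</id>
      <repositories>
        <repository>
          <id>central</id>
          <url>http://central</url>
        </repository>
      </repositories>
      <pluginRepositories>
        <pluginRepository>
          <id>central</id>
          <url>https://nexus.example.internal/repository/maven-public/</url>
        </pluginRepository>
      </pluginRepositories>
    </profile>
  </profiles>
</settings>
"""

INSECURE_SCHEMES = ("http://", "ftp://")


def _local(tag):
    """Strip the XML namespace so the scanner works with and without xmlns."""
    return tag.rsplit("}", 1)[-1]


def classify_password(value):
    """Return 'empty', 'placeholder', 'encrypted' or 'plaintext' for a <password>.

    Maven resolves ${...} at runtime (e.g. ${env.NEXUS_PASSWORD}); a value wrapped
    in {...} is the master-password-encrypted form produced by `mvn -ep`, which
    only decrypts with the key in ~/.m2/settings-security.xml. Anything else is
    reusable as-is by whoever can read the file or the git history.
    """
    value = (value or "").strip()
    if not value:
        return "empty"
    if value.startswith("${") and value.endswith("}"):
        return "placeholder"
    if value.startswith("{") and value.endswith("}") and len(value) > 2:
        return "encrypted"
    return "plaintext"


def _child_text(elem):
    """Map of direct child tag name -> stripped text for one element."""
    return {_local(c.tag): (c.text or "").strip() for c in elem}


def find_plaintext_servers(root):
    """Return (server id, username) pairs whose password is committed in the clear."""
    hits = []
    for server in (e for e in root.iter() if _local(e.tag) == "server"):
        fields = _child_text(server)
        if classify_password(fields.get("password")) == "plaintext":
            hits.append((fields.get("id", "?"), fields.get("username", "?")))
    return hits


def find_insecure_urls(root):
    """Return (element id, url) for repositories, plugin repositories and mirrors
    whose URL would move artifacts and credentials over http/ftp (the CodeQL finding)."""
    hits = []
    for elem in root.iter():
        if _local(elem.tag) not in ("repository", "pluginRepository", "mirror"):
            continue
        fields = _child_text(elem)
        url = fields.get("url", "")
        if url.lower().startswith(INSECURE_SCHEMES):
            hits.append((fields.get("id", "?"), url))
    return hits


def scan_settings(xml_text):
    """Parse a settings.xml string and return both kinds of findings.

    xml.etree does not fetch external entities, but for files from untrusted
    sources prefer defusedxml, the Python counterpart of enabling
    XMLConstants.FEATURE_SECURE_PROCESSING on the JDK DocumentBuilderFactory.
    """
    root = ET.fromstring(xml_text)
    return {
        "plaintext_servers": find_plaintext_servers(root),
        "insecure_urls": find_insecure_urls(root),
    }


if __name__ == "__main__":
    for kind, hits in scan_settings(SAMPLE_SETTINGS).items():
        for item in hits:
            print(f"{kind}: {item}")
```

Run against the sample, the scanner flags only the `nexus` server (the encrypted and environment-backed entries pass) and only the `http://central` repository; the https plugin repository passes. A `${env.*}` placeholder passes because the secret is then supplied by the CI runner or a secrets manager rather than the file, which is the direction the second review comment below argues for.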

// Retrieve the Nexus password
return xmlConfiguration.getString("nexus.password");
} catch (Exception e) {
log.warn("there was an exception with decrypting content in challenge42", e);

Suggested change
log.warn("there was an exception with decrypting content in challenge42", e);
log.warn("there was an exception with retrieving and parsing the xml content for challenge42", e);

return xmlConfiguration.getString("nexus.password");
} catch (Exception e) {
log.warn("there was an exception with decrypting content in challenge42", e);
return "error_decryption";

Suggested change
return "error_decryption";
return "error_parsing";

void spoilerShouldGiveAnswer() {
var challenge = new Challenge42(scoreCard, resource);
Assertions.assertThat(challenge.spoiler().solution()).isNotEmpty();
Assertions.assertThat(challenge.answerCorrect(challenge.spoiler().solution())).isTrue();

Suggested change
Assertions.assertThat(challenge.answerCorrect(challenge.spoiler().solution())).isTrue();
Assertions.assertThat(challenge.answerCorrect(challenge.spoiler().solution())).isTrue();
Assertions.assertThat(challenge.answerCorrect("error_parsing")).isFalse();

@@ -0,0 +1,3 @@
=== Nexus credential read

Storing nexus deployment credentials in your github project hardcoded is generally considered a bad practice because it undermines the security provided by encryption.
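Review bot: the rationale on the third line of this hunk does not hold: a plaintext settings.xml involves no encryption to undermine, so the sentence should name the actual risk, that anyone with read access to the repository or its history can reuse the credentials against the Nexus instance. "nexus" and "github" are product names and should be capitalised as Nexus and GitHub.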

Suggested change
Storing nexus deployment credentials in your github project hardcoded is generally considered a bad practice because it undermines the security provided by encryption.
A developer wanted to configure his Nexus credentials and copy-pasted the configuration from the internal Confluence documentation site, while accidentally committing it to git!
Can you find the password?

Comment on lines +3 to +7
Storing nexus deployment credentials in your github project hardcoded is generally considered a bad practice because it undermines the security provided by encryption.

In such scenarios, an attacker has the key the moment the file is in his possession.

It is always recommended to store your credentials securely.

Suggested change
Storing nexus deployment credentials in your github project hardcoded is generally considered a bad practice because it undermines the security provided by encryption.
In such scenarios, an attacker has the key the moment the file is in his possession.
It is always recommended to store your credentials securely.
Storing the credentials of your artifact registry in your GitHub project is a bad practice, as others can use these credentials to login, pull, and sometimes push artifacts in the name of the identity user of which the credentials were committed to git.
We often see the situation getting worse by just having one user hardcoded in many configurations of their projects.
Alternatively, we often see the artifact registry credentials hardcoded in the internal documentation site of an organization.
In all cases, we often end up with a compromised user used to inject payloads into the artifact registry.
This is why it is better to have service accounts and/or personal accounts and/or a federated approach for users to the artifact registry. Next, make sure that you never hardcode the credentials; instead, have them configured as part of a secrets management setup.

@commjoen commjoen closed this Nov 13, 2023
@commjoen commjoen reopened this Nov 13, 2023
@commjoen commjoen changed the title Challenge 42: nexus credentials as part of a project pushed (#810) Draft: Challenge 42: nexus credentials as part of a project pushed (#810) Nov 13, 2023
@commjoen commjoen marked this pull request as draft November 13, 2023 07:34
@commjoen commjoen changed the title Draft: Challenge 42: nexus credentials as part of a project pushed (#810) Draft: Challenge X: nexus credentials as part of a project pushed (#810) Dec 30, 2023
@bendehaan
Copy link
Collaborator

Hello @divyanshuagarwal-23,

Thank you for your contribution. We appreciate your interest in helping improve WrongSecrets. However, we've noticed that there hasn't been any activity on this PR for several months.

We'll close this PR for now to maintain an efficient and organised workflow. Please don't be discouraged! We welcome you to reopen this PR or create a new one if you wish to continue your contribution in the future.

Feel free to reach out if you have any questions or need assistance.

Thank you for your understanding.

@bendehaan bendehaan closed this Jan 1, 2024
Successfully merging this pull request may close these issues.

Nexus deployment credentials in settings.xml
3 participants