Shriya #78

Open
wants to merge 3 commits into
base: main
8 changes: 4 additions & 4 deletions modules/2-owasp.livemd
Expand Up @@ -6,8 +6,8 @@ Mix.install([
:bcrypt_elixir,
:httpoison,
{:absinthe, "~> 1.7.0"},
{:phoenix, "~> 1.0"},
{:plug, "~> 1.3.2"}
{:phoenix, "~> 1.7"},
{:plug, "~> 1.16"}
])

md5_hash = :crypto.hash(:md5, "users_password")
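Review bot: the version bumps on the `{:phoenix, ...}` and `{:plug, ...}` lines change what the "vulnerable dependency" exercise further down this file can observe: `Application.spec(vulnerable_dependency)[:vsn]` will now report a Phoenix 1.7.x release rather than the originally pinned `"~> 1.0"`, so the printed version no longer backs up the answer given there. If the upgrade is deliberate, say so in the PR description; otherwise keep the original pins in this `Mix.install` cell and make the fix in the answer cell only.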
Expand Down Expand Up @@ -123,7 +123,7 @@ end
# DO NOT CHANGE CODE ABOVE THIS LINE =========================

# PasswordCompare.option_one("users_password", md5_hash)
# PasswordCompare.option_two("users_password", bcrypt_salted_hash)
PasswordCompare.option_two("users_password", bcrypt_salted_hash)
```

<!-- livebook:{"branch_parent_index":3} -->
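Review bot: leaving `# PasswordCompare.option_one("users_password", md5_hash)` commented out and running only `option_two` is the right call: the `md5_hash` computed at the top of the file is unsalted and cheap to brute-force, while the bcrypt comparison uses a salted, deliberately slow hash. A short comment saying why option one stays disabled would make the intent clear to the grader.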
Expand Down Expand Up @@ -252,7 +252,7 @@ _HINT: Installed dependencies can be found at the very top, it was the very firs

```elixir
# CHANGE ME
vulnerable_dependency = :vulnerable_dependency
vulnerable_dependency = :phoenix

# DO NOT CHANGE CODE BELOW THIS LINE ============================
Application.spec(vulnerable_dependency)[:vsn] |> List.to_string() |> IO.puts()
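Review bot: `vulnerable_dependency = :phoenix` is a reasonable pick given the `"~> 1.0"` pin at the top of the file, but `{:plug, "~> 1.3.2"}` in the same `Mix.install` cell is just as dated, so a one-line comment explaining why Phoenix rather than Plug is the intended answer would make this easier to grade.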
2 changes: 1 addition & 1 deletion modules/3-ssdlc.livemd
Expand Up @@ -47,7 +47,7 @@ _Use `System.get_env/1` on line 2._

```elixir
# let's assume there is an environment variable named 'envar_secret'
super_secret_password = "p@ssw0rd"
super_secret_password = System.get_env("envar_secret")

# DO NOT CHANGE CODE BELOW THIS COMMENT
IO.puts(super_secret_password)
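Review bot: `System.get_env("envar_secret")` returns `nil` when the variable is unset, and `IO.puts(nil)` then prints an empty line, so a missing secret passes silently. `System.fetch_env!("envar_secret")` would raise at startup instead, which is the usual choice for a required secret; the hint above only asks for `get_env/1`, so this is a suggestion rather than a blocker.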
4 changes: 2 additions & 2 deletions modules/4-graphql.livemd
Expand Up @@ -64,7 +64,7 @@ _Uncomment the line with your answer._
```elixir
# answer = :API6_2019_Mass_Assignment
# answer = :API10_2019_Insufficient_Logging_Monitoring
# answer = :API3_2019_Excessive_Data_Exposure
answer = :API3_2019_Excessive_Data_Exposure
# answer = :API4_2019_Lack_of_Resources_Rate_Limiting

IO.puts(answer)
Expand Down Expand Up @@ -92,7 +92,7 @@ _Uncomment the item number (1-4) with your answer_

```elixir
# -------------------------------------------------------------
# answer = 1
answer = 1
#
# HTTP/2 401 Unauthorized
# Date: Tues, 16 Aug 2022 21:06:42 GMT
21 changes: 11 additions & 10 deletions modules/5-elixir.livemd
Expand Up @@ -5,7 +5,7 @@
```elixir
Mix.install([
{:grading_client, path: "#{__DIR__}/grading_client"},
:benchwarmer,
:benchee,
:kino,
:plug
])
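Review bot: swapping `:benchwarmer` for `:benchee` is consistent with the `Benchee.run/2` call further down this file; like the other entries in this `Mix.install` list it is unpinned, so adding a version requirement would make the benchmark results reproducible across runs.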
Expand Down Expand Up @@ -60,7 +60,7 @@ prev_count = :erlang.system_info(:atom_count)
try do
malicious_user_input
# ONLY CHANGE LINE 8
|> String.to_atom()
|> String.to_existing_atom()
rescue
e -> {ArgumentError, e}
end
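Review bot: `String.to_existing_atom/1` is the right replacement: unknown input raises `ArgumentError`, which the `rescue` below catches, so the atom table (compare `prev_count` above) no longer grows with attacker-controlled strings. One caveat worth a comment: input that happens to equal an already-existing atom (a module or function name, say) still converts, so this guards the atom table, not authorization; matching against an explicit allow-list is stricter when the set of valid atoms is known.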
Expand Down Expand Up @@ -110,8 +110,7 @@ name = Kino.Input.text("What's your name?")

```elixir
textfield_value = Kino.Input.read(name)
{result, binding} = Code.eval_string("a", a: textfield_value)
"Hello, " <> result
"Hello, " <> textfield_value
```

**BONUS QUESTION**: How would you go about securing the code above?
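Review bot: dropping the `Code.eval_string("a", a: textfield_value)` line removes the code-execution surface rather than wrapping it, and `Kino.Input.read/1` on a text input returns a string, so `"Hello, " <> textfield_value` is safe. The **BONUS QUESTION** line below still asks about "securing the code above", which now refers to code with nothing left to secure; a one-line comment in the cell noting that the eval was removed on purpose would keep the question coherent.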
Expand Down Expand Up @@ -168,13 +167,15 @@ end
password = "HASH_OF_THE_USERS_ACTUAL_PASSWORD"
# DO NOT EDIT ANY CODE ABOVE THIS LINE =====================

user_input = "HASH_OF_asdfasdf"
user_input = "HASH_OF_USERS_ACTUAL_ASDFASDFASD"

# DO NOT EDIT ANY CODE BELOW THIS LINE (you may uncomment IO.puts) =============
Benchwarmer.benchmark(fn -> Susceptible.compare(user_input, password) end)
Benchwarmer.benchmark(fn -> Constant.compare(user_input, password) end)
Benchee.run(%{
"Susceptible" => fn -> Susceptible.compare(user_input, password) end,
"Constant" => fn -> Constant.compare(user_input, password) end
}, time: 3, warmup: 2)

# IO.puts(:comparison_ran)
IO.puts(:comparison_ran)
```

## Boolean Coercion
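Review bot: the new `user_input = "HASH_OF_USERS_ACTUAL_ASDFASDFASD"` still diverges from `password = "HASH_OF_THE_USERS_ACTUAL_PASSWORD"` at the ninth byte (`U` vs `T`), exactly where the old `"HASH_OF_asdfasdf"` did, and the two strings also differ in length (32 vs 33). If the goal is to make the timing gap between `Susceptible.compare/2` and `Constant.compare/2` visible, use an input of the same length that shares a long prefix, e.g. `"HASH_OF_THE_USERS_ACTUAL_PASSWORE"`; as written, a length check in `Susceptible` could short-circuit before any byte comparison happens. The `Benchee.run/2` call itself is fine; `time: 3, warmup: 2` means roughly ten seconds for the two jobs.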
Expand Down Expand Up @@ -223,7 +224,7 @@ user_input = "some_string_which_obviously_isnt_the_same_as_the_password"
:ok
# DO NOT EDIT ANY CODE ABOVE THIS LINE =====================

# if SecurityCheck.validate(user_input, password) or raise(SecurityCheck) do :you_let_a_baddie_in end
if SecurityCheck.validate(user_input, password) or raise(SecurityCheck) do :you_let_a_baddie_in end
# if SecurityCheck.validate(user_input, password) || raise(SecurityCheck) do :you_let_a_baddie_in end
```

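Review bot: `or` is the stricter operator for this guard: it raises `BadBooleanError` if `SecurityCheck.validate/2` ever returns something other than `true`/`false`, whereas the commented `||` alternative treats any non-`nil`/non-`false` value (a string, `{:ok, _}`, `:error`) as success and would reach `:you_let_a_baddie_in`. Worth leaving the `||` line commented with a note saying why, since that is the point of the "Boolean Coercion" section.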
Expand Down Expand Up @@ -282,7 +283,7 @@ This prevents the table from being read by other processes, such as remote shell

```elixir
# ONLY EDIT THIS LINE
secret_table = :ets.new(:secret_table, [:public])
secret_table = :ets.new(:secret_table, [:private])
:ets.info(secret_table)[:protection]
```

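Review bot: `:private` matches the requirement stated above (no other process can read or write the table); `:protected` would still allow reads from any process, so it is not enough here. One caveat for the surrounding text: a private table disappears when its owner process exits, so the owner needs to be a long-lived process.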
12 changes: 6 additions & 6 deletions modules/6-cookies.livemd
Expand Up @@ -180,17 +180,17 @@ In the Phoenix Framework, you would use functionality found within the [Plug lib
_Fill out the `put_resp_cookie/4` function arguments with the settings outlined in the previous section, no other code changes should be necessary._

```elixir
cookie_name = "CHANGE_ME_TOO"
cookie_name = "__Host_PERFECT_COOKIE"

conn
|> Plug.Conn.put_resp_cookie(
cookie_name,
<<42::16>>
<<42::16>>,
# domain: ,
# path: ,
# secure: ,
# http_only: ,
# same_site:
path: "/",
secure: true,
http_only: true ,
same_site: Strict
)
```

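Review bot: two of the new values will not produce the cookie the previous section describes. `cookie_name = "__Host_PERFECT_COOKIE"` uses an underscore; the browser prefix is `__Host-` with a hyphen (`"__Host-PERFECT_COOKIE"`), and without it the cookie gets no prefix protection at all. `same_site: Strict` is a bare alias, which Plug interpolates as `Elixir.Strict` in the `Set-Cookie` header; the option expects a string, `same_site: "Strict"`. Dropping `domain:` and setting `path: "/"` with `secure: true` is correct for a `__Host-` cookie, and `http_only: true` is right; just remove the stray space before the comma on that line.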
2 changes: 1 addition & 1 deletion modules/7-anti-patterns.livemd
Expand Up @@ -78,7 +78,7 @@ _Uncomment the line with your answer._
```elixir
# answer = :bubble_sort
# answer = :merge_sort
# answer = :quick_sort
answer = :quick_sort
# answer = :random_sort

IO.puts(answer)