#!/usr/bin/env pwsh
<#
.SYNOPSIS
    Sets up the Module 05 challenge environment for git blame investigation.

.DESCRIPTION
    This script creates a challenge directory with a Git repository that
    contains a security vulnerability (hardcoded credentials) for students
    to investigate using git blame. Any existing "challenge" directory under
    the current location is deleted and recreated.
#>

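Write-Host "`n=== Setting up Module 05 Challenge ===" -ForegroundColor Cyan

# Start from a clean slate. "challenge" is resolved against the caller's current
# location, so the recursive, forced delete below removes whatever entry of that
# name exists there; run the script from the module directory.
if (Test-Path "challenge") {
    Write-Host "Removing existing challenge directory..." -ForegroundColor Yellow
    # Stop on failure: a half-deleted directory must not be reused as the new repository.
    Remove-Item -Recurse -Force "challenge" -ErrorAction Stop
}

# Create fresh challenge directory
Write-Host "Creating challenge directory..." -ForegroundColor Green
New-Item -ItemType Directory -Path "challenge" -ErrorAction Stop | Out-Null

# Every later step (git init, git config, git add, git commit) acts on the current
# location. If entering the new directory fails, abort instead of letting those
# commands run against the directory the script was started from.
Set-Location "challenge" -ErrorAction Stop
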
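# Initialize Git repository
Write-Host "Initializing Git repository..." -ForegroundColor Green

# A missing git executable only produces a non-terminating error, after which the
# script would keep going; check for it up front.
if (-not (Get-Command git -ErrorAction SilentlyContinue)) {
    throw "git was not found on PATH; cannot build the challenge repository."
}

git init | Out-Null
# Without a fresh .git directory here, git resolves the repository by walking up the
# parent directories. If the module directory sits inside another work tree, the
# identity changes and fixture commits that follow would land in that repository.
if ($LASTEXITCODE -ne 0) {
    throw "git init failed (exit code $LASTEXITCODE); stopping before any commits are created."
}

# The fixture commits carry fabricated author identities. Keep a globally enabled
# commit.gpgsign from signing them with the real user's key or prompting for it.
git config commit.gpgsign false
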
# Commit 1 (author: Alice Johnson) - initial project skeleton
Write-Host "Creating initial project structure..." -ForegroundColor Green

# The identity is set before the commit so that git blame later attributes
# these lines to this fixture author.
git config user.name "Alice Johnson"
git config user.email "alice@example.com"

# Literal here-string: the Python source contains nothing PowerShell should expand.
$appContent = @'
# app.py - Main application file

def main():
    print("Welcome to My App!")
    # Application initialization code here
    pass

if __name__ == "__main__":
    main()
'@
Set-Content -Path "app.py" -Value $appContent

# Stage everything in the challenge directory and record the commit quietly.
git add .
$null = git commit -m "Initial project structure"

# Commit 2 (author: Bob Chen) - adds auth.py and imports it from app.py
Write-Host "Adding authentication module..." -ForegroundColor Green

# Switch the commit identity so this change is attributed to a different fixture author.
git config user.name "Bob Chen"
git config user.email "bob@example.com"

# New file: stub login/logout functions that only print and return True.
$authContent = @'
# auth.py - Authentication module

def login(username, password):
    # Authenticate user
    print(f"Logging in user: {username}")
    return True

def logout(username):
    # Log out user
    print(f"Logging out user: {username}")
    return True
'@
Set-Content -Path "auth.py" -Value $authContent

# app.py is rewritten in full; the only difference from commit 1 is the auth import.
$appContent = @'
# app.py - Main application file
from auth import login, logout

def main():
    print("Welcome to My App!")
    # Application initialization code here
    pass

if __name__ == "__main__":
    main()
'@
Set-Content -Path "app.py" -Value $appContent

git add .
$null = git commit -m "Add authentication module"

# Commit 3 (author: Carol Martinez) - adds database.py and calls connect() from main()
Write-Host "Adding database connection..." -ForegroundColor Green

# Switch the commit identity to the third fixture author.
git config user.name "Carol Martinez"
git config user.email "carol@example.com"

# New file: stub connect/disconnect functions that only print and return True.
$databaseContent = @'
# database.py - Database connection module

def connect():
    # Connect to database
    print("Connecting to database...")
    return True

def disconnect():
    # Disconnect from database
    print("Disconnecting from database...")
    return True
'@
Set-Content -Path "database.py" -Value $databaseContent

# app.py is rewritten in full: adds the database import and the connect() call.
$appContent = @'
# app.py - Main application file
from auth import login, logout
from database import connect, disconnect

def main():
    print("Welcome to My App!")
    connect()
    # Application initialization code here
    pass

if __name__ == "__main__":
    main()
'@
Set-Content -Path "app.py" -Value $appContent

git add .
$null = git commit -m "Add database connection"

# Commit 4 (author: Suspicious Developer) - THE SECURITY ISSUE
# Intentional fixture: this commit plants the hardcoded credentials that students
# trace with git blame. The value is sample data for the exercise; secret scanners
# run over the generated repository may flag it.
Write-Host "Adding suspicious change..." -ForegroundColor Green

# NOTE(review): the other fixture authors use example.com, while this address uses
# email.com, which is not a reserved documentation domain. A checker such as
# ..\verify.ps1 may expect this exact value - confirm before changing it.
git config user.name "Suspicious Developer"
git config user.email "guilty@email.com"

# app.py is rewritten in full. The login("admin", "admin123") call replaces the
# placeholder comment, and it is the only file this commit touches.
$appContent = @'
# app.py - Main application file
from auth import login, logout
from database import connect, disconnect

def main():
    print("Welcome to My App!")
    connect()
    # Quick fix for testing - TODO: Remove before production!
    if login("admin", "admin123"):
        print("Admin logged in successfully")
    pass

if __name__ == "__main__":
    main()
'@
Set-Content -Path "app.py" -Value $appContent

git add .
$null = git commit -m "Add quick test login for debugging"

# Commit 5 (author: David Lee) - unrelated follow-up commit
# It lands after the security issue, so the newest commit in the history is not the
# one that introduced the credentials; app.py is left untouched here.
Write-Host "Adding logging module..." -ForegroundColor Green

git config user.name "David Lee"
git config user.email "david@example.com"

# New file only: a basicConfig-based logging setup.
$loggingContent = @'
# logging_config.py - Logging configuration

import logging

def setup_logging():
    logging.basicConfig(
        level=logging.INFO,
        format='%(asctime)s - %(name)s - %(levelname)s - %(message)s'
    )
    return logging.getLogger(__name__)
'@
Set-Content -Path "logging_config.py" -Value $loggingContent

git add .
$null = git commit -m "Add logging configuration"

# Hand the repository over with a placeholder identity.
# This does not restore any earlier value: it overwrites the last fixture author's
# name and email so that commits a student makes are not attributed to that author.
$studentIdentity = [ordered]@{
    'user.name'  = 'Workshop Student'
    'user.email' = 'student@example.com'
}
foreach ($setting in $studentIdentity.GetEnumerator()) {
    git config $setting.Key $setting.Value
}

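# Create investigation.md template
Write-Host "Creating investigation template..." -ForegroundColor Green

# The template is a literal here-string (@' ... '@) on purpose. In an expandable
# here-string (@" ... "@) the backtick is PowerShell's escape character, so Markdown
# code spans are damaged: the "`a" in `app.py` is emitted as a BEL control character
# and the backticks around `git blame`, `git show`, `git log` and `--stat` are
# dropped. Nothing in the template needs variable expansion, so it is written exactly
# as it should appear in the file, with single backticks and plain ``` fences.
$investigationTemplate = @'
# Security Investigation Report

## Incident Overview

A security vulnerability has been discovered in the codebase: hardcoded credentials in `app.py`.

**Your task:** Use git blame and related Git commands to investigate this security issue and document your findings.

---

## Question 1: What line number contains the hardcoded password?

Look at `app.py` and find the line with `"admin123"`.

**Your Answer:**

<!-- Write the line number here -->

---

## Question 2: Who added the hardcoded credentials?

Use `git blame` to find the email address of the developer who wrote the line with the hardcoded credentials.

**Suggested commands:**
```bash
# View blame with email addresses
git blame -e app.py

# Or focus on specific lines (if you know the line range)
git blame -L 8,10 app.py

# Look for the line containing login("admin", "admin123")
```

**Your Answer (provide the email address):**

<!-- Write the email address here -->

---

## Question 3: What was the commit message for the change that introduced the hardcoded credentials?

Once you've found the commit hash from git blame, use `git show` or `git log` to see the full commit message.

**Suggested commands:**
```bash
# After finding the commit hash from git blame
git show <commit-hash>
git log -1 <commit-hash>
```

**Your Answer:**

<!-- Write the commit message here -->

---

## Question 4: How many files were modified in the commit that added the hardcoded credentials?

Use `git show` with the `--stat` flag to see which files were changed.

**Suggested commands:**
```bash
git show <commit-hash> --stat
git show <commit-hash> --name-only
```

**Your Answer:**

<!-- Write the number or list the files here -->

---

## Question 5: When was this security vulnerability introduced?

Use the timestamp from git blame to determine when the vulnerable code was committed.

**Your Answer (date and time):**

<!-- Write the date/time here -->

---

## Recommendations

Based on your investigation, what actions should the team take?

**Your Recommendations:**

<!-- Write your recommendations here, for example:
- Remove hardcoded credentials
- Implement proper environment variables
- Add pre-commit hooks to prevent secrets
- Review with the developer who made the change
-->

---

## Quick Reference - Investigation Commands

**Finding Who Changed What:**
```bash
git blame <file> # Show who last modified each line
git blame -e <file> # Show with email addresses
git blame -L 10,20 <file> # Blame specific line range
```

**Getting Commit Details:**
```bash
git show <commit-hash> # See full commit details
git show <commit-hash> --stat # See files changed
git log -1 <commit-hash> # See commit message only
git log -p <commit-hash> # See commit with diff
```

**Searching History:**
```bash
git log --all --grep="keyword" # Search commit messages
git log --author="name" # See commits by author
git log --since="2 weeks ago" # Recent commits
```

---

When you're done with your investigation, run `..\verify.ps1` to check your answers!
'@

# Written into the challenge directory but not committed, so it shows up as an
# untracked file in the student's working tree.
Set-Content -Path "investigation.md" -Value $investigationTemplate
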
# Step back out of challenge/ into the directory the script was started from.
Set-Location ..

# Closing summary: the scenario and the steps the student follows next.
Write-Host "`n=== Setup Complete! ===" -ForegroundColor Green
Write-Host "`nYour investigation environment is ready in the 'challenge/' directory." -ForegroundColor Cyan
Write-Host "`nScenario: Someone committed hardcoded credentials to app.py!" -ForegroundColor Yellow
Write-Host "`nNext steps:" -ForegroundColor Cyan

$nextSteps = @(
    " 1. cd challenge"
    " 2. Open 'investigation.md' to see the investigation questions"
    " 3. Use 'git blame -e app.py' to start your investigation"
    " 4. Fill in your findings in 'investigation.md'"
    " 5. Run '..\verify.ps1' to check your investigation"
)
foreach ($step in $nextSteps) {
    Write-Host $step -ForegroundColor White
}
Write-Host ""