Pure Cursor generated challenge

commjoen · commjoen · commit 3363f558a52d · 2025-07-09T08:58:47.000+02:00
diff --git a/cursor/rules/project-specification.mdc b/cursor/rules/project-specification.mdc
@@ -125,3 +125,15 @@ The following areas require additional or improved tests:
 - Add tests for different Spring profiles (local, local-vault, kubernetes-vault, without-vault) to verify configuration-dependent behavior.
 - If REST APIs are exposed, add/expand tests for API endpoints and their OpenAPI/Swagger documentation.
 - Run a code coverage tool (e.g., JaCoCo) to identify and address untested classes and methods.
+
+---
+
+## Example Secret for Challenge 56
+
+To solve challenge 56, find the following secret in this file:
+
+**secret-challenge-56: S3cr3tInPr0j3ctSp3c**
+
+Use this value as the answer for challenge 56.
+
+---
diff --git a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge56.java b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge56.java
@@ -0,0 +1,61 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+import static org.owasp.wrongsecrets.Challenges.ErrorResponses.FILE_MOUNT_ERROR;
+
+import com.google.common.base.Strings;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import lombok.extern.slf4j.Slf4j;
+import org.owasp.wrongsecrets.challenges.Challenge;
+import org.owasp.wrongsecrets.challenges.Spoiler;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.stereotype.Component;
+
+/** Challenge to find a secret in the project-specification.mdc file. */
+@Slf4j
+@Component
+public class Challenge56 implements Challenge {
+
+  private final String projectSpecPath;
+  private String actualSecret;
+
+  public Challenge56(
+      @Value("${projectspecpath:cursor/rules/project-specification.mdc}") String projectSpecPath) {
+    this.projectSpecPath = projectSpecPath;
+  }
+
+  @Override
+  public Spoiler spoiler() {
+    return new Spoiler(getActualSecret());
+  }
+
+  @Override
+  public boolean answerCorrect(String answer) {
+    return !Strings.isNullOrEmpty(answer) && getActualSecret().equals(answer.trim());
+  }
+
+  private String getActualSecret() {
+    if (Strings.isNullOrEmpty(actualSecret)) {
+      try {
+        Path filePath = Paths.get(projectSpecPath);
+        String content = Files.readString(filePath, StandardCharsets.UTF_8);
+        // Look for the line with the secret
+        for (String line : content.split("\n")) {
+          if (line.trim().startsWith("**secret-challenge-56:")) {
+            actualSecret = line.split(":", 2)[1].trim();
+            break;
+          }
+        }
+        if (Strings.isNullOrEmpty(actualSecret)) {
+          return FILE_MOUNT_ERROR;
+        }
+      } catch (Exception e) {
+        log.warn("Exception during file reading for Challenge56", e);
+        return FILE_MOUNT_ERROR;
+      }
+    }
+    return actualSecret;
+  }
+}
diff --git a/src/main/resources/explanations/challenge56.adoc b/src/main/resources/explanations/challenge56.adoc
@@ -0,0 +1,12 @@
+=== Challenge 56: Find the Secret in the Project Specification
+
+In this challenge, your task is to find a secret that has been hidden in the project's agentic plan documentation file: `cursor/rules/project-specification.mdc`.
+
+The secret is present as an example instruction in the specification file. Your goal is to locate the secret value and submit it as the answer to this challenge.
+
+This challenge demonstrates how secrets can sometimes be hidden in documentation or specification files, which are often overlooked during security reviews.
+
+[NOTE]
+====
+This challenge was generated entirely by AI and is therefore very different from the other challenges in this project.
+====
diff --git a/src/main/resources/explanations/challenge56_hint.adoc b/src/main/resources/explanations/challenge56_hint.adoc
@@ -0,0 +1 @@
+You are looking for a secret that is not in the code, but in the documentation. Check the agentic plan in `cursor/rules/project-specification.mdc` for an example instruction that contains the secret for this challenge.
diff --git a/src/main/resources/explanations/challenge56_reason.adoc b/src/main/resources/explanations/challenge56_reason.adoc
@@ -0,0 +1,3 @@
+*Why you should check documentation for secrets*
+
+Documentation and specification files are often shared widely and may be overlooked during security reviews. Sometimes, secrets or sensitive information are added as examples or instructions and are not removed before sharing or publishing. This challenge highlights the importance of reviewing all project files&mdash;including documentation&mdash;for secrets and sensitive data.
diff --git a/src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge56Test.java b/src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge56Test.java
@@ -0,0 +1,43 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import java.io.File;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.io.TempDir;
+import org.owasp.wrongsecrets.Challenges;
+import org.owasp.wrongsecrets.challenges.Spoiler;
+
+class Challenge56Test {
+
+  @Test
+  void solveChallenge56WithoutFile(@TempDir Path dir) {
+    var challenge = new Challenge56(dir.resolve("nonexistent.mdc").toString());
+    assertThat(challenge.answerCorrect("S3cr3tInPr0j3ctSp3c")).isFalse();
+    assertThat(challenge.answerCorrect(Challenges.ErrorResponses.FILE_MOUNT_ERROR)).isTrue();
+  }
+
+  @Test
+  void solveChallenge56WithFile(@TempDir Path dir) throws Exception {
+    var testFile = new File(dir.toFile(), "project-specification.mdc");
+    var secretLine = "**secret-challenge-56: S3cr3tInPr0j3ctSp3c";
+    Files.writeString(testFile.toPath(), "Some intro text\n" + secretLine + "\nSome outro text\n");
+
+    var challenge = new Challenge56(testFile.getAbsolutePath());
+    assertThat(challenge.answerCorrect("S3cr3tInPr0j3ctSp3c")).isTrue();
+    assertThat(challenge.answerCorrect("wrongsecret")).isFalse();
+  }
+
+  @Test
+  void spoilShouldReturnCorrectAnswer(@TempDir Path dir) throws IOException {
+    var testFile = new File(dir.toFile(), "project-specification.mdc");
+    var secretLine = "**secret-challenge-56: S3cr3tInPr0j3ctSp3c";
+    Files.writeString(testFile.toPath(), secretLine + "\n");
+
+    var challenge = new Challenge56(testFile.getAbsolutePath());
+    assertThat(challenge.spoiler()).isEqualTo(new Spoiler("S3cr3tInPr0j3ctSp3c"));
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+You are looking for a secret that is not in the code, but in the documentation. Check the agentic plan in `cursor/rules/project-specification.mdc` for an example instruction that contains the secret for this challenge.
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+Why you should check documentation for secrets`
	`2`	`+`
	`3`	`+Documentation and specification files are often shared widely and may be overlooked during security reviews. Sometimes, secrets or sensitive information are added as examples or instructions and are not removed before sharing or publishing. This challenge highlights the importance of reviewing all project files—including documentation—for secrets and sensitive data.`