Merge branch 'develop'

Author: bkimminich

Dockerfile

@@ -16,7 +16,7 @@ LABEL maintainer="Bjoern Kimminich <[email protected]>" \
     org.opencontainers.image.vendor="Open Web Application Security Project" \
     org.opencontainers.image.documentation="https://help.owasp-juice.shop/part1/ctf.html" \
     org.opencontainers.image.licenses="MIT" \
-    org.opencontainers.image.version="11.0.0" \
+    org.opencontainers.image.version="11.1.0" \
     org.opencontainers.image.url="https://owasp-juice.shop" \
     org.opencontainers.image.source="https://github.com/juice-shop/juice-shop-ctf.git" \
     org.opencontainers.image.revision=$VCS_REF \

LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2016-2024 Bjoern Kimminich & the OWASP Juice Shop contributors
+Copyright (c) 2016-2025 Bjoern Kimminich & the OWASP Juice Shop contributors
 
 Permission is hereby granted, free of charge, to any person
 obtaining a copy of this software and associated documentation

README.md

@@ -170,6 +170,6 @@ please visit our [HALL_OF_FAME.md](HALL_OF_FAME.md).
 This program is free software: you can redistribute it and/or modify it
 under the terms of the [MIT license](LICENSE). OWASP Juice Shop CTF
 Extension and any contributions are Copyright © by Bjoern Kimminich &
-the OWASP Juice Shop contributors 2016-2024.
+the OWASP Juice Shop contributors 2016-2025.
 
 ![Juice Shop CTF Logo](https://raw.githubusercontent.com/juice-shop/juice-shop-ctf/develop/images/JuiceShopCTF_Logo_400px.png)

SECURITY.md

@@ -6,8 +6,8 @@ We provide security patches for the latest released minor version.
 
 | Version | Supported          |
 |:--------|:-------------------|
-| 10.x    | :white_check_mark: |
-| < 10.0  | :x:                |
+| 11.1.x  | :white_check_mark: |
+| < 11.1  | :x:                |
 
 ## Reporting a Vulnerability
 

bin/juice-shop-ctf.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 /*
- * Copyright (c) 2016-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
+ * Copyright (c) 2016-2025 Bjoern Kimminich & the OWASP Juice Shop contributors.
  * SPDX-License-Identifier: MIT
  */
 

hooks/build

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# Copyright (c) 2016-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
+# Copyright (c) 2016-2025 Bjoern Kimminich & the OWASP Juice Shop contributors.
 # SPDX-License-Identifier: MIT
 #
 

index.js

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
+ * Copyright (c) 2016-2025 Bjoern Kimminich & the OWASP Juice Shop contributors.
  * SPDX-License-Identifier: MIT
  */
 

lib/calculateHintCost.js

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
+ * Copyright (c) 2016-2025 Bjoern Kimminich & the OWASP Juice Shop contributors.
  * SPDX-License-Identifier: MIT
  */
 

lib/calculateScore.js

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
+ * Copyright (c) 2016-2025 Bjoern Kimminich & the OWASP Juice Shop contributors.
  * SPDX-License-Identifier: MIT
  */
 

lib/fetchChallenges.js

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
+ * Copyright (c) 2016-2025 Bjoern Kimminich & the OWASP Juice Shop contributors.
  * SPDX-License-Identifier: MIT
  */
 

lib/fetchCodeSnippets.js

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
+ * Copyright (c) 2016-2025 Bjoern Kimminich & the OWASP Juice Shop contributors.
  * SPDX-License-Identifier: MIT
  */
 

lib/fetchCountryMapping.js

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
+ * Copyright (c) 2016-2025 Bjoern Kimminich & the OWASP Juice Shop contributors.
  * SPDX-License-Identifier: MIT
  */
 

lib/fetchSecretKey.js

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
+ * Copyright (c) 2016-2025 Bjoern Kimminich & the OWASP Juice Shop contributors.
  * SPDX-License-Identifier: MIT
  */
 

lib/generators/ctfd.js

@@ -1,11 +1,11 @@
 /*
- * Copyright (c) 2016-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
+ * Copyright (c) 2016-2025 Bjoern Kimminich & the OWASP Juice Shop contributors.
  * SPDX-License-Identifier: MIT
  */
 
 const Promise = require('bluebird')
 const calculateScore = require('../calculateScore')
-// const calculateHintCost = require('../calculateHintCost')
+const calculateHintCost = require('../calculateHintCost')
 const hmacSha1 = require('../hmac')
 const options = require('../options')
 
@@ -21,10 +21,9 @@ function createCtfdExport (challenges, { insertHints, insertHintUrls, insertHint
     if (vulnSnippets[challenge.key] && insertHintSnippets !== options.noHintSnippets) {
       hints.push('<pre><code>' + vulnSnippets[challenge.key].replaceAll('"', '""').replaceAll(',', '٬') + '</code></pre>')
     }
-    return (hints.length === 0 ? '' : `"${hints.join(',')}"`)
+    return hints
   }
 
-  /*
   function insertChallengeHintCosts (challenge) {
     const hintCosts = []
     if (challenge.hint && insertHints !== options.noTextHints) {
@@ -36,9 +35,8 @@ function createCtfdExport (challenges, { insertHints, insertHintUrls, insertHint
     if (vulnSnippets[challenge.key] && insertHintSnippets !== options.noHintSnippets) {
       hintCosts.push(calculateHintCost(challenge, insertHintSnippets))
     }
-    return (hintCosts.length === 0 ? '' : `"${hintCosts.join(',')}"`)
+    return hintCosts
   }
-*/
 
   //  In the flags section of the returned data we iterate through the result of string splitting by comma, and compute the hash of the single flag key + challenge name.
   //  Format expected is: challenge3,challenge description,category3,100,dynamic,visible,0,"flag1,flag2,flag3","tag1,tag2,tag3","hint1,hint2,hint3","{""initial"":100, ""minimum"":10, ""decay"":10}"
@@ -49,22 +47,37 @@ function createCtfdExport (challenges, { insertHints, insertHintUrls, insertHint
       for (const key in challenges) {
         if (Object.prototype.hasOwnProperty.call(challenges, key)) {
           const challenge = challenges[key]
-          data.push(
-            {
-              name: challenge.name,
-              description: `"${challenge.description.replaceAll('"', '""')} (Difficulty Level: ${challenge.difficulty})"`,
-              category: challenge.category,
-              value: calculateScore(challenge.difficulty),
-              type: 'standard',
-              state: 'visible',
-              max_attempts: 0,
-              flags: ctfKey.split(',').length === 1 ? hmacSha1(ctfKey, challenge.name) : `"${ctfKey.split(',').map(key => `${hmacSha1(key, challenge.name)}`).join(',')}"`,
-              tags: challenge.tags ? `"${challenge.tags}"` : '',
-              hints: insertChallengeHints(challenge),
-              // hint_cost: insertChallengeHintCosts(challenge),
-              type_data: ''
+          const row = {
+            name: challenge.name,
+            description: `"${challenge.description.replaceAll('"', '""')} (Difficulty Level: ${challenge.difficulty})"`,
+            category: challenge.category,
+            value: calculateScore(challenge.difficulty),
+            type: 'standard',
+            state: 'visible',
+            max_attempts: 0,
+            flags: ctfKey.split(',').length === 1 ? hmacSha1(ctfKey, challenge.name) : `"${ctfKey.split(',').map(key => `${hmacSha1(key, challenge.name)}`).join(',')}"`,
+            tags: challenge.tags ? `"${challenge.tags}"` : '',
+            hints_raw: insertChallengeHints(challenge),
+            hint_cost: insertChallengeHintCosts(challenge),
+            type_data: ''
+          }
+          const hints = []
+          if (row.hints_raw.length !== 0) {
+            for (let index = 0; index < row.hints_raw.length; index++) {
+              const hint = {
+                content: row.hints_raw[index],
+                cost: row.hint_cost[index]
+              }
+              hints.push(hint)
             }
-          )
+            const hintsObject = JSON.stringify(hints).replace(/"/g, '""')
+            row.hints = `"${hintsObject}"`
+          } else {
+            row.hints = ''
+          }
+          delete row.hints_raw
+          delete row.hint_cost
+          data.push(row)
         }
       }
       resolve(data)

lib/generators/fbctf.js

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
+ * Copyright (c) 2016-2025 Bjoern Kimminich & the OWASP Juice Shop contributors.
  * SPDX-License-Identifier: MIT
  */
 

lib/generators/index.js

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
+ * Copyright (c) 2016-2025 Bjoern Kimminich & the OWASP Juice Shop contributors.
  * SPDX-License-Identifier: MIT
  */
 

lib/generators/rtb.js

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
+ * Copyright (c) 2016-2025 Bjoern Kimminich & the OWASP Juice Shop contributors.
  * SPDX-License-Identifier: MIT
  */
 

lib/hmac.js

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
+ * Copyright (c) 2016-2025 Bjoern Kimminich & the OWASP Juice Shop contributors.
  * SPDX-License-Identifier: MIT
  */
 

lib/options.js

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
+ * Copyright (c) 2016-2025 Bjoern Kimminich & the OWASP Juice Shop contributors.
  * SPDX-License-Identifier: MIT
  */
 

lib/readConfigStream.js

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
+ * Copyright (c) 2016-2025 Bjoern Kimminich & the OWASP Juice Shop contributors.
  * SPDX-License-Identifier: MIT
  */
 

lib/url.js

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
+ * Copyright (c) 2016-2025 Bjoern Kimminich & the OWASP Juice Shop contributors.
  * SPDX-License-Identifier: MIT
  */
 

lib/writeToCtfdCsv.js

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
+ * Copyright (c) 2016-2025 Bjoern Kimminich & the OWASP Juice Shop contributors.
  * SPDX-License-Identifier: MIT
  */
 

lib/writeToFbctfJson.js

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
+ * Copyright (c) 2016-2025 Bjoern Kimminich & the OWASP Juice Shop contributors.
  * SPDX-License-Identifier: MIT
  */
 

lib/writeToRtbXml.js

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
+ * Copyright (c) 2016-2025 Bjoern Kimminich & the OWASP Juice Shop contributors.
  * SPDX-License-Identifier: MIT
  */
 

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "juice-shop-ctf-cli",
-  "version": "11.0.0",
+  "version": "11.1.0",
   "description": "Capture-the-Flag (CTF) environment setup tools for OWASP Juice Shop",
   "keywords": [
     "web security",

package.json

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
+ * Copyright (c) 2016-2025 Bjoern Kimminich & the OWASP Juice Shop contributors.
  * SPDX-License-Identifier: MIT
  */
 

test/e2e/juiceShopCtfCli-spec.js

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
+ * Copyright (c) 2016-2025 Bjoern Kimminich & the OWASP Juice Shop contributors.
  * SPDX-License-Identifier: MIT
  */
 

test/unit/calculateHintCost-spec.js

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
+ * Copyright (c) 2016-2025 Bjoern Kimminich & the OWASP Juice Shop contributors.
  * SPDX-License-Identifier: MIT
  */
 

test/unit/calculateScore-spec.js

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
+ * Copyright (c) 2016-2025 Bjoern Kimminich & the OWASP Juice Shop contributors.
  * SPDX-License-Identifier: MIT
  */
 

test/unit/fetchChallenges-spec.js

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
+ * Copyright (c) 2016-2025 Bjoern Kimminich & the OWASP Juice Shop contributors.
  * SPDX-License-Identifier: MIT
  */
 

test/unit/fetchCodeSnippets-spec.js

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
+ * Copyright (c) 2016-2025 Bjoern Kimminich & the OWASP Juice Shop contributors.
  * SPDX-License-Identifier: MIT
  */
 

test/unit/fetchCountryMapping-spec.js

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
+ * Copyright (c) 2016-2025 Bjoern Kimminich & the OWASP Juice Shop contributors.
  * SPDX-License-Identifier: MIT
  */
 

test/unit/fetchSecretKey-spec.js

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
+ * Copyright (c) 2016-2025 Bjoern Kimminich & the OWASP Juice Shop contributors.
  * SPDX-License-Identifier: MIT
  */
 
@@ -49,10 +49,10 @@ describe('Generated CTFd data', () => {
     challenges.c3.hint = 'hint'
     return Promise.all([
       expect(generateData(challenges, { insertHints: options.freeTextHints, insertHintUrls: options.noHintUrls, ctfKey: '', vulnSnippets: {} })).to.eventually.deep.include(
-        { name: 'c3', description: '"C3 (Difficulty Level: 3)"', category: '2', value: 450, type: 'standard', state: 'visible', max_attempts: 0, flags: 'aae3acb6eff2000c0e12af0d0d875d0bdbf4ca81', tags: '"foo"', hints: '"hint"', type_data: '' }
+        { name: 'c3', description: '"C3 (Difficulty Level: 3)"', category: '2', value: 450, type: 'standard', state: 'visible', max_attempts: 0, flags: 'aae3acb6eff2000c0e12af0d0d875d0bdbf4ca81', tags: '"foo"', hints: '"[{""content"":""hint"",""cost"":0}]"', type_data: '' }
       ),
       expect(generateData(challenges, { insertHints: options.paidTextHints, insertHintUrls: options.noHintUrls, ctfKey: '', vulnSnippets: {} })).to.eventually.deep.include(
-        { name: 'c3', description: '"C3 (Difficulty Level: 3)"', category: '2', value: 450, type: 'standard', state: 'visible', max_attempts: 0, flags: 'aae3acb6eff2000c0e12af0d0d875d0bdbf4ca81', tags: '"foo"', hints: '"hint"', type_data: '' }
+        { name: 'c3', description: '"C3 (Difficulty Level: 3)"', category: '2', value: 450, type: 'standard', state: 'visible', max_attempts: 0, flags: 'aae3acb6eff2000c0e12af0d0d875d0bdbf4ca81', tags: '"foo"', hints: '"[{""content"":""hint"",""cost"":45}]"', type_data: '' }
       )
     ])
   })
@@ -61,10 +61,10 @@ describe('Generated CTFd data', () => {
     challenges.c3.hintUrl = 'hintUrl'
     return Promise.all([
       expect(generateData(challenges, { insertHints: options.noTextHints, insertHintUrls: options.freeHintUrls, ctfKey: '', vulnSnippets: {} })).to.eventually.deep.include(
-        { name: 'c3', description: '"C3 (Difficulty Level: 3)"', category: '2', value: 450, type: 'standard', state: 'visible', max_attempts: 0, flags: 'aae3acb6eff2000c0e12af0d0d875d0bdbf4ca81', tags: '"foo"', hints: '"hintUrl"', type_data: '' }
+        { name: 'c3', description: '"C3 (Difficulty Level: 3)"', category: '2', value: 450, type: 'standard', state: 'visible', max_attempts: 0, flags: 'aae3acb6eff2000c0e12af0d0d875d0bdbf4ca81', tags: '"foo"', hints: '"[{""content"":""hintUrl"",""cost"":0}]"', type_data: '' }
       ),
       expect(generateData(challenges, { insertHints: options.noTextHints, insertHintUrls: options.paidHintUrls, ctfKey: '', vulnSnippets: {} })).to.eventually.deep.include(
-        { name: 'c3', description: '"C3 (Difficulty Level: 3)"', category: '2', value: 450, type: 'standard', state: 'visible', max_attempts: 0, flags: 'aae3acb6eff2000c0e12af0d0d875d0bdbf4ca81', tags: '"foo"', hints: '"hintUrl"', type_data: '' }
+        { name: 'c3', description: '"C3 (Difficulty Level: 3)"', category: '2', value: 450, type: 'standard', state: 'visible', max_attempts: 0, flags: 'aae3acb6eff2000c0e12af0d0d875d0bdbf4ca81', tags: '"foo"', hints: '"[{""content"":""hintUrl"",""cost"":90}]"', type_data: '' }
       )
     ])
   })
@@ -74,16 +74,16 @@ describe('Generated CTFd data', () => {
     challenges.c3.hintUrl = 'hintUrl'
     return Promise.all([
       expect(generateData(challenges, { insertHints: options.freeTextHints, insertHintUrls: options.freeHintUrls, ctfKey: '', vulnSnippets: {} })).to.eventually.deep.include(
-        { name: 'c3', description: '"C3 (Difficulty Level: 3)"', value: 450, category: '2', state: 'visible', max_attempts: 0, type: 'standard', type_data: '', flags: 'aae3acb6eff2000c0e12af0d0d875d0bdbf4ca81', tags: '"foo"', hints: '"hint,hintUrl"' }
+        { name: 'c3', description: '"C3 (Difficulty Level: 3)"', value: 450, category: '2', state: 'visible', max_attempts: 0, type: 'standard', type_data: '', flags: 'aae3acb6eff2000c0e12af0d0d875d0bdbf4ca81', tags: '"foo"', hints: '"[{""content"":""hint"",""cost"":0},{""content"":""hintUrl"",""cost"":0}]"' }
       ),
       expect(generateData(challenges, { insertHints: options.paidTextHints, insertHintUrls: options.freeHintUrls, ctfKey: '', vulnSnippets: {} })).to.eventually.deep.include(
-        { name: 'c3', description: '"C3 (Difficulty Level: 3)"', value: 450, category: '2', state: 'visible', max_attempts: 0, type: 'standard', type_data: '', flags: 'aae3acb6eff2000c0e12af0d0d875d0bdbf4ca81', tags: '"foo"', hints: '"hint,hintUrl"' }
+        { name: 'c3', description: '"C3 (Difficulty Level: 3)"', value: 450, category: '2', state: 'visible', max_attempts: 0, type: 'standard', type_data: '', flags: 'aae3acb6eff2000c0e12af0d0d875d0bdbf4ca81', tags: '"foo"', hints: '"[{""content"":""hint"",""cost"":45},{""content"":""hintUrl"",""cost"":0}]"' }
       ),
       expect(generateData(challenges, { insertHints: options.freeTextHints, insertHintUrls: options.paidHintUrls, ctfKey: '', vulnSnippets: {} })).to.eventually.deep.include(
-        { name: 'c3', description: '"C3 (Difficulty Level: 3)"', value: 450, category: '2', state: 'visible', max_attempts: 0, type: 'standard', type_data: '', flags: 'aae3acb6eff2000c0e12af0d0d875d0bdbf4ca81', tags: '"foo"', hints: '"hint,hintUrl"' }
+        { name: 'c3', description: '"C3 (Difficulty Level: 3)"', value: 450, category: '2', state: 'visible', max_attempts: 0, type: 'standard', type_data: '', flags: 'aae3acb6eff2000c0e12af0d0d875d0bdbf4ca81', tags: '"foo"', hints: '"[{""content"":""hint"",""cost"":0},{""content"":""hintUrl"",""cost"":90}]"' }
       ),
       expect(generateData(challenges, { insertHints: options.paidTextHints, insertHintUrls: options.paidHintUrls, ctfKey: '', vulnSnippets: {} })).to.eventually.deep.include(
-        { name: 'c3', description: '"C3 (Difficulty Level: 3)"', value: 450, category: '2', state: 'visible', max_attempts: 0, type: 'standard', type_data: '', flags: 'aae3acb6eff2000c0e12af0d0d875d0bdbf4ca81', tags: '"foo"', hints: '"hint,hintUrl"' }
+        { name: 'c3', description: '"C3 (Difficulty Level: 3)"', value: 450, category: '2', state: 'visible', max_attempts: 0, type: 'standard', type_data: '', flags: 'aae3acb6eff2000c0e12af0d0d875d0bdbf4ca81', tags: '"foo"', hints: '"[{""content"":""hint"",""cost"":45},{""content"":""hintUrl"",""cost"":90}]"' }
       )
     ])
   })

test/unit/generateCtfdData-spec.js

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
+ * Copyright (c) 2016-2025 Bjoern Kimminich & the OWASP Juice Shop contributors.
  * SPDX-License-Identifier: MIT
  */