Merge pull request #2400 from OWASP/copilot/add-mcp-challenge-endpoint

feat: Add Challenge 60 — insecure MCP server with prompt injection leaking env var secrets

Author: commjoen

.github/copilot-instructions.md

@@ -202,7 +202,7 @@ class Challenge[Number]Test {
 docker build -t wrongsecrets .
 
 # Run locally
-docker run -p 8080:8080 wrongsecrets
+docker run -p 8080:8080 -p 8090:8090 wrongsecrets
 ```
 
 ## Testing Guidelines

.github/scripts/.bash_history

@@ -347,7 +347,7 @@ rm -rf jdk-18_linux-x64_bin.deb
 git rebase -i main
 git rebase -i master
 git stash
-export tempPassword="Mvd9twjm41byoPqwaY66rZ8/xJ8FNQQnGW8jPMlMocw="
+export tempPassword="OeyxzcLdUbln0KxnhlQaT2wQKfpJpV/A7/ach+erH4M="
 mvn run tempPassword
 k6
 npx k6

.github/scripts/docker-create.sh

@@ -64,10 +64,11 @@ Heroku_publish_demo() {
     heroku container:login
     echo "heroku deployment to demo"
     cd ../..
-    heroku container:push --recursive --arg argBasedVersion=${tag}heroku --app arcane-scrubland-42646
+    # heroku container:push --recursive --arg argBasedVersion=${tag}heroku --app arcane-scrubland-42646
+    heroku container:push --arg argBasedVersion=${tag}heroku --app arcane-scrubland-42646
     heroku container:release web --app arcane-scrubland-42646
-    heroku container:push --recursive --arg argBasedVersion=${tag}heroku,CTF_ENABLED=true,HINTS_ENABLED=false --app wrongsecrets-ctf
-    heroku container:release web --app wrongsecrets-ctf
+    # heroku container:push --recursive --arg argBasedVersion=${tag}heroku,CTF_ENABLED=true,HINTS_ENABLED=false --app wrongsecrets-ctf
+    # heroku container:release web --app wrongsecrets-ctf
     echo "wait for contianer to come up"
     until curl --output /dev/null --silent --head --fail https://arcane-scrubland-42646.herokuapp.com/; do
         printf '.'
@@ -236,7 +237,7 @@ local_extra_info() {
     if [[ $script_mode == "local" ]] ; then
         echo ""
         echo "⚠️⚠️ This script is running in local mode, with no arguments this script will build your current code and package into a docker container for easy local testing"
-        echo "If the container gets built correctly you can run the container with the command: docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:local-test, if there are errors the script should tell you what to do ⚠️⚠️"
+        echo "If the container gets built correctly you can run the container with the command: docker run -p 8080:8080 -p 8090:8090 jeroenwillemsen/wrongsecrets:local-test, if there are errors the script should tell you what to do ⚠️⚠️"
         echo ""
     fi
 }
@@ -447,7 +448,7 @@ test() {
     if [[ "$script_mode" == "test" ]]; then
         echo "Running the tests"
         echo "Starting the docker container"
-        docker run -d -p 8080:8080 jeroenwillemsen/wrongsecrets:local-test
+        docker run -d -p 8080:8080 -p 8090:8090 jeroenwillemsen/wrongsecrets:local-test
         until $(curl --output /dev/null --silent --head --fail http://localhost:8080); do
             printf '.'
             sleep 5

.github/workflows/container-alts-test.yml

@@ -19,6 +19,6 @@ jobs:
       - uses: actions/checkout@v5
       - name: run container
         run: |
-          podman run -dt -p 8080:8080 docker.io/jeroenwillemsen/wrongsecrets:latest-no-vault && \
+          podman run -dt -p 8080:8080 -p 8090:8090 docker.io/jeroenwillemsen/wrongsecrets:latest-no-vault && \
           echo "wait 20 seconds for container to come up" && sleep 20 && \
           curl localhost:8080

.github/workflows/master-container-publish.yml

@@ -116,7 +116,7 @@ jobs:
           echo "**🐳 Try the bleeding-edge version:**" >> $GITHUB_STEP_SUMMARY
           echo "\`\`\`bash" >> $GITHUB_STEP_SUMMARY
           echo "docker pull ghcr.io/${{ github.repository }}/wrongsecrets-master:latest-master" >> $GITHUB_STEP_SUMMARY
-          echo "docker run -p 8080:8080 ghcr.io/${{ github.repository }}/wrongsecrets-master:latest-master" >> $GITHUB_STEP_SUMMARY
+          echo "docker run -p 8080:8080 -p 8090:8090 ghcr.io/${{ github.repository }}/wrongsecrets-master:latest-master" >> $GITHUB_STEP_SUMMARY
           echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "Then visit: http://localhost:8080" >> $GITHUB_STEP_SUMMARY

.github/workflows/minikube-k8s-test.yml

@@ -62,7 +62,7 @@ jobs:
           kubectl expose deployment secret-challenge --type=LoadBalancer --port=8080
           kubectl port-forward \
               $(kubectl get pod -l app=secret-challenge -o jsonpath="{.items[0].metadata.name}") \
-              8080:8080 \
+              8080:8080 8090:8090 \
               &
           echo "Do minikube delete to stop minikube from running and cleanup to start fresh again"
           echo "wait 20 seconds so we can check if vault-k8s-container works"

.github/workflows/pr-preview.yml

@@ -178,13 +178,13 @@ jobs:
             \`\`\`bash
             # Download the artifact, extract it, then:
             docker load < wrongsecrets-preview.tar
-            docker run -p 8080:8080 wrongsecrets-preview
+            docker run -p 8080:8080 -p 8090:8090 wrongsecrets-preview
             \`\`\`
 
             **🚀 Alternative - Pull from Registry:**
             \`\`\`bash
             docker pull ${imageTag}
-            docker run -p 8080:8080 ${imageTag}
+            docker run -p 8080:8080 -p 8090:8090 ${imageTag}
             \`\`\`
 
             Then visit: http://localhost:8080
@@ -318,8 +318,8 @@ jobs:
 
       - name: Start both versions
         run: |
-          docker run -d -p 8080:8080 --name pr-version wrongsecrets-pr
-          docker run -d -p 8081:8080 --name main-version wrongsecrets-main
+          docker run -d -p 8080:8080 -p 8090:8090 --name pr-version wrongsecrets-pr
+          docker run -d -p 8081:8080 -p 8091:8090 --name main-version wrongsecrets-main
 
           # Wait for services to start
           echo "Waiting for services to start..."

.github/workflows/visual-diff.yml

@@ -79,8 +79,8 @@ jobs:
 
       - name: Start both versions
         run: |
-          docker run -d -p 8080:8080 --name pr-version wrongsecrets-pr
-          docker run -d -p 8081:8080 --name main-version wrongsecrets-main
+          docker run -d -p 8080:8080 -p 8090:8090 --name pr-version wrongsecrets-pr
+          docker run -d -p 8081:8080 -p 8091:8090 --name main-version wrongsecrets-main
 
           # Wait for containers to start
           echo "Waiting for containers to start..."

Dockerfile

@@ -1,7 +1,7 @@
 FROM bellsoft/liberica-openjre-debian:25-cds AS builder
 WORKDIR /builder
 
-ARG argBasedVersion="1.12.11"
+ARG argBasedVersion="1.13.1-alpha5"
 
 COPY --chown=wrongsecrets target/wrongsecrets-${argBasedVersion}-SNAPSHOT.jar application.jar
 RUN java -Djarmode=tools -jar application.jar extract --layers --destination extracted
@@ -18,6 +18,7 @@ ENV APP_VERSION=$argBasedVersion
 ENV DOCKER_ENV_PASSWORD="This is it"
 ENV AZURE_KEY_VAULT_ENABLED=false
 ENV CHALLENGE59_SLACK_WEBHOOK_URL=$challenge59_webhook_url
+ENV WRONGSECRETS_MCP_SECRET=MCPStolenSecret42!
 ENV SPRINGDOC_UI=false
 ENV SPRINGDOC_DOC=false
 ENV BASTIONHOSTPATH="/home/wrongsecrets/.ssh"
@@ -70,4 +71,5 @@ RUN rm -rf /var/run/secrets/kubernetes.io
 RUN adduser -u 2000 -D wrongsecrets
 USER wrongsecrets
 
-CMD java --add-modules=jdk.unsupported -jar -XX:SharedArchiveFile=application.jsa -Dspring.profiles.active=$(echo ${SPRING_PROFILES_ACTIVE}) -Dspringdoc.swagger-ui.enabled=${SPRINGDOC_UI} -Dspringdoc.api-docs.enabled=${SPRINGDOC_DOC} -D application.jar
+CMD java -Xms128m -Xmx128m -Xss512k -jar -Dserver.port=$PORT -XX:MaxRAMPercentage=75 -XX:MinRAMPercentage=25 -Dspring.profiles.active=without-vault -Dspringdoc.swagger-ui.enabled=${SPRINGDOC_UI} -Dspringdoc.api-docs.enabled=${SPRINGDOC_DOC} application.jar
+# CMD java -jar -XX:SharedArchiveFile=application.jsa -Dspring.profiles.active=$(echo ${SPRING_PROFILES_ACTIVE}) -Dspringdoc.swagger-ui.enabled=${SPRINGDOC_UI} -Dspringdoc.api-docs.enabled=${SPRINGDOC_DOC} -D application.jar

Dockerfile.web

@@ -1,5 +1,5 @@
-FROM jeroenwillemsen/wrongsecrets:1.12.11-no-vault
-ARG argBasedVersion="1.12.11-no-vault"
+FROM jeroenwillemsen/wrongsecrets:1.13.1-alpha5-no-vault
+ARG argBasedVersion="1.13.1-alpha5"
 ARG CANARY_URLS="http://canarytokens.com/terms/about/s7cfbdakys13246ewd8ivuvku/post.jsp,http://canarytokens.com/terms/about/y0all60b627gzp19ahqh7rl6j/post.jsp"
 ARG CTF_ENABLED=false
 ARG HINTS_ENABLED=true
@@ -40,4 +40,4 @@ COPY .github/scripts/ /var/helpers
 COPY src/test/resources/alibabacreds.kdbx /var/helpers
 COPY src/test/resources/RSAprivatekey.pem /var/helpers
 COPY .ssh/ /home/wrongsecrets/.ssh/
-CMD java -Xms128m -Xmx128m -Xss512k -jar -Dserver.port=$PORT -XX:MaxRAMPercentage=75 -XX:MinRAMPercentage=25 -Dspring.profiles.active=without-vault -Dspringdoc.swagger-ui.enabled=${SPRINGDOC_UI} -Dspringdoc.api-docs.enabled=${SPRINGDOC_DOC} application.jar
+CMD java -jar -XX:SharedArchiveFile=application.jsa -Dspring.profiles.active=$(echo ${SPRING_PROFILES_ACTIVE}) -Dspringdoc.swagger-ui.enabled=${SPRINGDOC_UI} -Dspringdoc.api-docs.enabled=${SPRINGDOC_DOC} -D  application.jar