feat: Secure MongoDB and add Liquibase to project

security-c4po-angular/src/shared/modules/tutorial-dialog/tutorial-dialog.component.html

@@ -1,6 +1,6 @@
 <nb-card accent="control" status="info" class="profile-setting-dialog">
   <nb-card-header fxLayoutAlign="start center" class="dialog-header">
-    <fa-icon [icon]="fa.faJournalWhills"
+    <fa-icon [icon]="fa.faCircleInfo"
              class="header-icon fa-lg">
     </fa-icon>
     <span class="header-text"> {{ 'tutorial.header' | translate }} </span>

security-c4po-api/build.gradle.kts

@@ -77,6 +77,11 @@ dependencies {
     implementation("org.springframework.boot:spring-boot-starter-oauth2-client")
     implementation("org.modelmapper:modelmapper:2.3.2")
 
+    // Mongock
+    implementation("com.github.cloudyrock.mongock:mongock-bom:4.1.19")
+    implementation("com.github.cloudyrock.mongock:mongock-spring-v5:4.1.19")
+    implementation("com.github.cloudyrock.mongock:mongodb-springdata-v3-driver:4.1.19")
+
     api("org.springframework.boot:spring-boot-starter-test")
     api("org.springframework.security:spring-security-jwt:1.1.1.RELEASE")
     api("net.logstash.logback:logstash-logback-encoder:6.2")

security-c4po-api/src/main/kotlin/com/securityc4po/api/SecurityC4POApplication.kt

@@ -1,9 +1,11 @@
 package com.securityc4po.api
 
+import com.github.cloudyrock.spring.v5.EnableMongock
 import org.springframework.boot.autoconfigure.SpringBootApplication
 import org.springframework.boot.runApplication
 
 @SpringBootApplication
+@EnableMongock
 class SecurityC4POApplication
 
 fun main(args: Array<String>) {

security-c4po-api/src/main/kotlin/com/securityc4po/api/configuration/mongock/DatabaseChangeLog.kt

@@ -0,0 +1,44 @@
+package com.securityc4po.api.configuration.mongock
+
+import com.github.cloudyrock.mongock.ChangeLog
+import com.github.cloudyrock.mongock.ChangeSet
+import com.securityc4po.api.project.*
+import java.time.Instant
+import java.util.*
+
+
+@ChangeLog
+class DatabaseChangeLog {
+
+    @ChangeSet(order = "001", id = "seedDatabase", author = "Cel")
+    fun seedDatabase(projectRepository: ProjectRepository): Unit {
+        val projectList: MutableList<ProjectEntity> = mutableListOf<ProjectEntity>()
+        projectList.add(ProjectEntity(createNewProjectData("Juice Shop", "OWASP", "C4PO")))
+        projectRepository.insert(projectList).subscribe()
+    }
+
+    private fun createNewProjectData(titleData: String, clientData: String, testerData: String): Project {
+        return Project(
+            id = UUID.randomUUID().toString(),
+            client = clientData,
+            title = titleData,
+            createdAt = Instant.now().toString(),
+            tester = testerData,
+            summary = "",
+            state = PentestState.NEW,
+            version = "1.0",
+            projectPentests = emptyList<ProjectPentest>(),
+            createdBy = "f8aab31f-4925-4242-a6fa-f98135b4b032"
+        )
+    }
+
+    /**
+     * This method is mandatory even when transactions are enabled.
+     * They are used in the undo operation and any other scenario where transactions are not an option.
+     * However, note that when transactions are avialble and Mongock need to rollback, this method is ignored.
+     */
+/*    @RollbackExecution
+    fun rollback() {
+        mongoTemplate.deleteMany(Document())
+    }*/
+}

security-c4po-api/src/main/resources/application.properties

@@ -12,8 +12,18 @@ management.endpoint.health.enabled=true
 management.endpoints.web.exposure.include=info, health, metrics
 
 ## Database (MONGODB) Config ##
-spring.data.mongodb.database=c4po
+spring.data.mongodb.authentication-database=admin
+spring.data.mongodb.username=admin
+spring.data.mongodb.password=Test1234!
 spring.data.mongodb.auto-index-creation=true
+spring.data.mongodb.database=c4po
+spring.data.mongodb.host=localhost
+spring.data.mongodb.port=27017
+
+
+## Mongock Properties ##
+mongock.change-logs-scan-package=com.securityc4po.api.mongock
+
 
 ## IdentityProvider (Keycloak) ##
 spring.security.oauth2.resourceserver.jwt.issuer-uri=http://localhost:8080/auth/realms/c4po_realm_local

security-c4po-api/src/test/resources/collections/comments.json

@@ -54,4 +54,46 @@
     "attachments": []
   },
   "_class": "com.securityc4po.api.pentest.comment.CommentEntity"
+},{
+  "_id": {
+    "$oid": "6440085a1f4ed15ba9666309"
+  },
+  "lastModified": {
+    "$date": "2023-04-19T15:27:22.756Z"
+  },
+  "data": {
+    "_id": "f4901f6b-6814-450c-8734-7ff1b3eed9b0",
+    "title": "Deprecated MIME Types",
+    "description": "When looking through the main.js file of the webserver we can search for \"allowedMimeType\" and get presented with the following:\n- application/pdf\n- application/xml\n- text/xml\n- application/zip\n- application/x-zip-compressed\n- multipart/x-zip\n\nEspecially the upload of xml files can result in a XXE Attack or in a RCE.",
+    "attachments": []
+  },
+  "_class": "com.securityc4po.api.pentest.comment.CommentEntity"
+},{
+  "_id": {
+    "$oid": "644008e81f4ed15ba966630a"
+  },
+  "lastModified": {
+    "$date": "2023-04-19T15:29:44.718Z"
+  },
+  "data": {
+    "_id": "0dd84537-6be7-468f-a4ad-6cf30d8fb7dc",
+    "title": "Webserver Type",
+    "description": "When looking at \"Server\" property of the repsonse header we can see that the application is running on a Cowboy HTTP Server.",
+    "attachments": []
+  },
+  "_class": "com.securityc4po.api.pentest.comment.CommentEntity"
+},{
+  "_id": {
+    "$oid": "645a23e989feac5618c3a83e"
+  },
+  "lastModified": {
+    "$date": "2023-05-09T10:43:53.712Z"
+  },
+  "data": {
+    "_id": "eb31f820-0f7b-4b70-98e2-ed8624d56824",
+    "title": "Juice Shop Application Structure",
+    "description": "In the frontend the popular Angular framework is used to create a so-called Single Page Application.\nJavaScript is also used in the backend as the exclusive programming language: An Express application hosted in a Node.js server delivers the client-side code to the browser. It also provides the necessary backend functionality to the client via a RESTful API.\nAs an underlying database a light-weight SQLite was chosen, because of its file-based nature. Sequelize and finale-rest are used as an abstraction layer from the database.\nAs an additional data store, a MarsDB is part of the OWASP Juice Shop.\nThe application also offers user registration via OAuth 2.0 so users can sign in with their Google accounts.",
+    "attachments": []
+  },
+  "_class": "com.securityc4po.api.pentest.comment.CommentEntity"
 }]

security-c4po-api/src/test/resources/collections/findings.json

@@ -177,4 +177,46 @@
     "attachments": []
   },
   "_class": "com.securityc4po.api.pentest.finding.FindingEntity"
+},{
+  "_id": {
+    "$oid": "6440041a1f4ed15ba9666307"
+  },
+  "lastModified": {
+    "$date": "2023-04-19T15:48:58.169Z"
+  },
+  "data": {
+    "_id": "ac45159b-4108-4ec2-b6aa-d3bfc5d597d2",
+    "severity": "LOW",
+    "title": "Enumuration of Webserver",
+    "description": "Running nmap against the Webserver we can find the following information about the installed services.\nInteresting ports on 54.78.134.111:\n- 993/tcp is running imaps\n- 995/tcp is running pop3s\n- 3128/tcp is runnung squid-http\n- 8080/tcp is running http-proxy",
+    "impact": "Webserver",
+    "affectedUrls": [
+      "https://juice-shop.herokuapp.com/"
+    ],
+    "reproduction": "Step 1:\nResolve IP-Address of Webserver (https://juice-shop.herokuapp.com/) through nslookup.\n\nStep 2:\nScan the address that got returned from the DNS via nmap (nmap -sC -sV 54.78.134.111).\n\nStep 3:\nSee what service runs on which port.",
+    "mitigation": "",
+    "attachments": []
+  },
+  "_class": "com.securityc4po.api.pentest.finding.FindingEntity"
+},{
+  "_id": {
+    "$oid": "64400afd1f4ed15ba966630c"
+  },
+  "lastModified": {
+    "$date": "2023-04-19T15:40:06.007Z"
+  },
+  "data": {
+    "_id": "972b0cee-13e5-4267-ab5c-5b00c9657578",
+    "severity": "HIGH",
+    "title": "Admin Useraccount",
+    "description": "When looking through the application it is possible to find the censored e-mail of an user with an juice-shop mail (***der@juice.sh.op) that can be found on the \"About Us\" page by the customer feedback section. \n\nUpon further investigating the product reviews the complete admin e-mail (admin@juice-sh.op) can be found in the review for the Apple Juice.\n\nThis account can now be used by an attacker to try to bruteforce into the account since the username is now known.",
+    "impact": "Webserver only.",
+    "affectedUrls": [
+      "https://juice-shop.herokuapp.com/#/about"
+    ],
+    "reproduction": "Step 1:\nLook at the hompage.\n\nStep 2:\nClick on the \"Apple Juice (1000ml)\" Item.\n\nStep 3:\nOpen the reviews.\n\nYou can now directly see the e-mail of the admin user.",
+    "mitigation": "Censor important usernames of accounts with high priveldges like seen on the \"About Us\" page by the customer feedback section.",
+    "attachments": []
+  },
+  "_class": "com.securityc4po.api.pentest.finding.FindingEntity"
 }]

security-c4po-api/src/test/resources/collections/pentests.json

@@ -3,18 +3,18 @@
     "$oid": "6436890ce15faf56402f785c"
   },
   "lastModified": {
-    "$date": "2023-04-12T12:19:36.316Z"
+    "$date": "2023-04-19T15:14:54.250Z"
   },
   "data": {
     "_id": "81c113d1-f2a0-4ce1-a93d-f636ef9b4717",
     "projectId": "cb4dc4c2-180f-4b82-88bd-9e19629dfb7b",
     "category": "INFORMATION_GATHERING",
     "refNumber": "OTG-INFO-001",
-    "status": "NOT_STARTED",
+    "status": "PAUSED",
     "enabled": true,
     "findingIds": [],
     "commentIds": [],
-    "timeSpent": 0
+    "timeSpent": 2
   },
   "_class": "com.securityc4po.api.pentest.PentestEntity"
 },{
@@ -22,7 +22,7 @@
     "$oid": "6436991828fc40394ae5b622"
   },
   "lastModified": {
-    "$date": "2023-04-12T11:43:44.143Z"
+    "$date": "2023-04-21T08:39:32.760Z"
   },
   "data": {
     "_id": "e9b80890-7a44-40da-8c32-f1b4611e25c6",
@@ -35,7 +35,7 @@
     "commentIds": [
       "5514f0d3-7c80-4138-bf3e-56b515560f00"
     ],
-    "timeSpent": 84
+    "timeSpent": 134
   },
   "_class": "com.securityc4po.api.pentest.PentestEntity"
 },{
@@ -1868,18 +1868,104 @@
     "$oid": "6436a2b228fc40394ae5b691"
   },
   "lastModified": {
-    "$date": "2023-04-12T12:23:14.565Z"
+    "$date": "2023-04-19T15:29:47.451Z"
   },
   "data": {
     "_id": "fe3a2361-a23c-4a5d-8702-7b4178be3b8e",
     "projectId": "cb4dc4c2-180f-4b82-88bd-9e19629dfb7b",
     "category": "INFORMATION_GATHERING",
     "refNumber": "OTG-INFO-002",
-    "status": "NOT_STARTED",
+    "status": "PAUSED",
+    "enabled": true,
+    "findingIds": [],
+    "commentIds": [
+      "0dd84537-6be7-468f-a4ad-6cf30d8fb7dc"
+    ],
+    "timeSpent": 52
+  },
+  "_class": "com.securityc4po.api.pentest.PentestEntity"
+},{
+  "_id": {
+    "$oid": "6440021c1f4ed15ba9666306"
+  },
+  "lastModified": {
+    "$date": "2023-04-19T15:13:01.899Z"
+  },
+  "data": {
+    "_id": "64b6f349-579a-4a05-b813-b049c7dc9094",
+    "projectId": "cb4dc4c2-180f-4b82-88bd-9e19629dfb7b",
+    "category": "INFORMATION_GATHERING",
+    "refNumber": "OTG-INFO-004",
+    "status": "COMPLETED",
+    "enabled": true,
+    "findingIds": [
+      "ac45159b-4108-4ec2-b6aa-d3bfc5d597d2"
+    ],
+    "commentIds": [],
+    "timeSpent": 468
+  },
+  "_class": "com.securityc4po.api.pentest.PentestEntity"
+},{
+  "_id": {
+    "$oid": "644005481f4ed15ba9666308"
+  },
+  "lastModified": {
+    "$date": "2023-04-19T15:40:19.727Z"
+  },
+  "data": {
+    "_id": "917a5808-25b3-46fd-8c6b-68f1190479bd",
+    "projectId": "cb4dc4c2-180f-4b82-88bd-9e19629dfb7b",
+    "category": "INFORMATION_GATHERING",
+    "refNumber": "OTG-INFO-003",
+    "status": "PAUSED",
+    "enabled": true,
+    "findingIds": [],
+    "commentIds": [
+      "f4901f6b-6814-450c-8734-7ff1b3eed9b0"
+    ],
+    "timeSpent": 280
+  },
+  "_class": "com.securityc4po.api.pentest.PentestEntity"
+},{
+  "_id": {
+    "$oid": "644009311f4ed15ba966630b"
+  },
+  "lastModified": {
+    "$date": "2023-05-09T10:43:56.757Z"
+  },
+  "data": {
+    "_id": "1c8e6b39-4916-4d28-8db5-78d6d044ad2f",
+    "projectId": "cb4dc4c2-180f-4b82-88bd-9e19629dfb7b",
+    "category": "INFORMATION_GATHERING",
+    "refNumber": "OTG-INFO-005",
+    "status": "COMPLETED",
+    "enabled": true,
+    "findingIds": [
+      "972b0cee-13e5-4267-ab5c-5b00c9657578"
+    ],
+    "commentIds": [
+      "eb31f820-0f7b-4b70-98e2-ed8624d56824"
+    ],
+    "timeSpent": 532
+  },
+  "_class": "com.securityc4po.api.pentest.PentestEntity"
+},{
+  "_id": {
+    "$oid": "64465036adb26d55611502c7"
+  },
+  "lastModified": {
+    "$date": "2023-04-24T09:48:03.569Z"
+  },
+  "data": {
+    "_id": "67a70db2-1537-4a44-98a6-4ae031015962",
+    "projectId": "cb4dc4c2-180f-4b82-88bd-9e19629dfb7b",
+    "category": "INFORMATION_GATHERING",
+    "refNumber": "OTG-INFO-006",
+    "status": "PAUSED",
     "enabled": true,
     "findingIds": [],
     "commentIds": [],
-    "timeSpent": 0
+    "timeSpent": 4
   },
   "_class": "com.securityc4po.api.pentest.PentestEntity"
 }]

security-c4po-api/src/test/resources/collections/projects.json

@@ -3,7 +3,7 @@
     "$oid": "64368903e15faf56402f785b"
   },
   "lastModified": {
-    "$date": "2023-04-12T12:23:14.572Z"
+    "$date": "2023-05-09T10:43:56.770Z"
   },
   "data": {
     "_id": "cb4dc4c2-180f-4b82-88bd-9e19629dfb7b",
@@ -17,7 +17,7 @@
     "projectPentests": [
       {
         "pentestId": "81c113d1-f2a0-4ce1-a93d-f636ef9b4717",
-        "status": "NOT_STARTED"
+        "status": "PAUSED"
       },
       {
         "pentestId": "90a14259-2bf7-418a-babc-10015be84369",
@@ -53,7 +53,23 @@
       },
       {
         "pentestId": "fe3a2361-a23c-4a5d-8702-7b4178be3b8e",
-        "status": "NOT_STARTED"
+        "status": "PAUSED"
+      },
+      {
+        "pentestId": "64b6f349-579a-4a05-b813-b049c7dc9094",
+        "status": "COMPLETED"
+      },
+      {
+        "pentestId": "917a5808-25b3-46fd-8c6b-68f1190479bd",
+        "status": "PAUSED"
+      },
+      {
+        "pentestId": "1c8e6b39-4916-4d28-8db5-78d6d044ad2f",
+        "status": "COMPLETED"
+      },
+      {
+        "pentestId": "67a70db2-1537-4a44-98a6-4ae031015962",
+        "status": "PAUSED"
       }
     ],
     "createdBy": "2b4615ec-2f58-4d6a-8543-0c764d64455a"
@@ -83,15 +99,14 @@
     "$oid": "64369b7a28fc40394ae5b62f"
   },
   "lastModified": {
-    "$date": "2023-04-12T12:12:21.434Z"
+    "$date": "2023-04-12T13:18:12.868Z"
   },
   "data": {
     "_id": "953b91b8-6cc8-4cbb-97eb-dfdadf69d217",
     "client": "Dio Stonemask Inc.",
-    "title": "loq4il bizarre adventure",
+    "title": "log4jj bizarre adventure",
     "createdAt": "2023-04-12T11:52:26.624663Z",
     "tester": "Jojo",
-    "summary": "Dio Stonemask Inc. contracted Jojo to perform a Penetration Test to identify security weaknesses,\ndetermine the impact to Dio Stonemask Inc., document all findings in a clear and repeatable manner,\nand provide remediation recommendations.",
     "state": "INFORMATIVE",
     "version": "1.0",
     "projectPentests": [

security-c4po-cfg/docker-compose.yml

@@ -6,14 +6,18 @@ volumes:
 services:
   # Database
   c4po-db:
-    image: mongo:latest
+    image: mongo:5.0.0-focal
     container_name: c4po-db
+    environment:
+      - MONGO_INITDB_ROOT_USERNAME=admin
+      - MONGO_INITDB_ROOT_PASSWORD=Test1234!
+      - MONGO_INITDB_DATABASE=admin
     volumes:
       - ./volumes/mongodb/data/:/db/data
     deploy:
       resources:
         limits:
-          memory: "1G"
+          memory: "2G"
     ports:
       - 27017:27017
     networks: