Welcome to Secure Code Game - Season 2! 👋

To get started, please follow the 🛠️ set up guide (if you haven't already) from the welcome page.

Welcome to Level 1! 🤖

Languages: yaml for GitHub Actions

The author of this level is Deniz Onur Duzgun @dduzgun-security.

You can be next! We welcome contributions for new game levels! Learn more here.

Jarvis, your trusty geek who gets really excited with automating everything, has some tips for you. He has been experimenting lately with GitHub Actions and made several great additions to our CI/CD pipeline. Among other useful additions, he suggested that it would be helpful for our project team to be getting the GitHub status page. What can go wrong? Do you have what it takes to fix the bug and progress to Level 2?

• code normally includes the vulnerable code to be reviewed. For this level, due to the nature of GitHub Actions, this file is referencing .github/workflows/jarvis-code.yml.
• hack exploits the vulnerabilities in code. For this level, this file is referencing .github/workflows/jarvis-hack.yml. Initially, it fails ❌ upon pushing and the only requirement for you to reach the next level is to get this file to pass 🟢.
• hint files offer guidance if you get stuck. We provide 2 hints for this level.
• solution offers a working solution. Remember, there are several possible solutions.

1. Review the code inside .github/workflows/jarvis-code.yml. Can you spot the bug(s)?
2. Fix the bug and push your solution so that GitHub Actions can run.
3. You successfully completed this level when .github/workflows/jarvis-hack.yml passes 🟢.
4. If you get stuck, read the hint in hint-1.txt and try again.
5. If you need more guidance, read the hint in hint-2.txt and try again.
6. Compare your solution with solution.yml. Remember, there are several possible solutions.

If you need assistance, don't hesitate to ask for help in our GitHub Discussions or on our Slack in the #secure-code-game channel.

You have completed Level 1: Jarvis Gone Wrong! Welcome to Level 2: Lumberjack 🎉

Languages: go

The author of this level is Deniz Onur Duzgun @dduzgun-security.

You can be next! We welcome contributions for new game levels! Learn more here.

Welcome to the world of Lumberjack, the "clumsiest service in town", according to the online reviews! Customers have been noticing irregularities in both their site and services. We dumped a few reviews in an AI chatbot to summarize and what we've got back were a few keywords that said it all! Keywords included the words "discrepancies" and "inconsistencies". Something is clearly off here. Do you have what it takes to win this fight against "inconsistencies", "discrepancies" and "irregularities" and progress to Level 3?

• If you are playing the game inside GitHub Codespaces, the go programming language extension should be already installed. At times, this is not enough to run go files and you have to visit Go's official website and download the driver corresponding to your operating system.
• For Levels 2-4 in Season 2, we encourage you to enable code scanning with CodeQL. For more information about CodeQL, see "About CodeQL." For instructions on setting up code scanning, see "Setting up code scanning using starter workflows."

Due to the nature of file conventions in the go programming language, some file names look different compared to our usual file structure. We have the following:

• code includes the vulnerable code to be reviewed.
• code_test contains the unit tests that should still pass 🟢 after you implement your fix.
• hack_test exploits the vulnerabilities in code. Running hack_test.go will fail initially and your goal is to get this file to pass 🟢.
• hint files offer guidance if you get stuck. We provide 2 hints for this level. Remember that you can also view the CodeQL scanning alerts for guidance.
• solution provides one working solution. There are several possible solutions.
• solution_test is identical to code_test and it's used to test the solution for failing and passing payloads.
• go.mod is a go programming language convention for a module residing at the root of the module's directory hierarchy.

1. Review the code in code.go. Can you spot the bug(s)?
2. Try to fix the bug. Open a pull request to main or push your fix to a branch.
3. You successfully completed this level when you (a) resolve all related code scanning alerts and (b) when both hack_test.go and code_test.go pass 🟢.
4. If you get stuck, read the hints and try again.
5. If you need more guidance, read the CodeQL scanning alerts.
6. Compare your solution to solution/solution.go.

If you need assistance, don't hesitate to ask for help in our GitHub Discussions or on our Slack in the #secure-code-game channel.

Nice work finishing Level 2: Lumberjack ! It's now time for Level 3: Space-Crossing ✨

Languages: python3

The author of this level is Viral Vaghela.

You can be next! We welcome contributions for new game levels! Learn more here.

Our solar system is 4.6 billion years old and it's constantly expanding. So does human interest around the world with local communities of enthusiasts constantly forming in an increasingly digitized world. Space enthusiasts use the internet as an information bank and to connect with their counterparts. This was exactly what drove a local community of space enthusiasts to create a public website, featuring their meetups, alongside contact information and a simple search bar where users can discover rare facts about planets. Having said that, did you know that ninety-five per cent (95%) of the Universe is invisible? What percentage of security issues is invisible though, and for how long? Do you have what it takes to secure the site and progress to Level 4?

• For Levels 2-4 in Season 2, we encourage you to enable code scanning with CodeQL. For more information about CodeQL, see "About CodeQL." For instructions on setting up code scanning, see "Setting up code scanning using starter workflows."

• code includes the vulnerable code to be reviewed.
• hack exploits the vulnerabilities in code. Running hack will fail initially and your goal is to get this file to pass 🟢.
• hint offers guidance if you get stuck. Remember that you can also view the CodeQL scanning alerts.
• solution provides one working solution. There are several possible solutions.
• templates/index.html host a simple front-end to interact with the back-end.
• tests contains the unit tests that should still pass 🟢 after you implement your fix.

1. Review the code in code.py. Can you spot the bug(s)?
2. Try to fix the bug. Open a pull request to main or push your fix to a branch.
3. You successfully completed this level when you (a) resolve all related code scanning alerts and (b) when both hack.py and tests.py pass 🟢.
4. If you get stuck, read the hint and try again.
5. If you need more guidance, read the CodeQL scanning alerts.
6. Compare your solution to solution.py.

If you need assistance, don't hesitate to ask for help in our GitHub Discussions or on our Slack in the #secure-code-game channel.

Nicely done! Level 3: Space-Crossing is complete. It's time for Level 4: Planet XMLon 🥳

Languages: javascript

The author of this level is Deniz Onur Duzgun @dduzgun-security.

You can be next! We welcome contributions for new game levels! Learn more here.

Embark on your quest as a daring EXXplorer in the vibrant landscape of the newly discovered Planet XMLon. The alien inhabitants are baffled by mysterious disruptions in their data transmissions, which may have been caused by the main developer E.T. who added more features than intended. Help them decode the extraterrestrial XML signals and unveil the secrets hidden within the starry constellations of tags, attributes and .admin files. Can you secure them all?

For Levels 2-4 in Season 2, we encourage you to enable code scanning with CodeQL. For more information about CodeQL, see "About CodeQL." For instructions on setting up code scanning, see "Setting up code scanning using starter workflows."

• code includes the vulnerable code to be reviewed.
• hack exploits the vulnerabilities in code. Running hack will fail initially and your goal is to get this file to pass 🟢.
• hack.admin is a file used by administrators for debugging purposes.
• hint offers guidance if you get stuck. Remember that you can also view the CodeQL scanning alerts.
• package.json contains all the dependencies required for this level. You can install them by running npm install.
• package-lock.json ensures that the same dependencies are installed consistently across different environments.
• solution provides one working solution. There are several possible solutions.
• tests contains the unit tests that should still pass 🟢 after you implement your fix.
• .env.production is an internal server-side file containing a secret environment variable.

1. Start by installing the dependencies required for this level, by running npm install. These dependancies reside inside package.json.
2. Review the code in code.js. Can you spot the bug(s)?
3. Try to fix the bug. Open a pull request to main or push your fix to a branch.
4. You successfully completed this level when you (a) resolve all related code scanning alerts and (b) when both hack.js and tests.js pass 🟢.
5. If you get stuck, read the hint and try again.
6. If you need more guidance, read the CodeQL scanning alerts.
7. Compare your solution to solution.js.

If you need assistance, don't hesitate to ask for help in our GitHub Discussions or on our Slack in the #secure-code-game channel.

Almost there... but also, so far away! A special level is awaiting for you to complete Season 2! ❤️

Languages: javascript

The author of this level is the original creator of the game, Joseph Katsioloudes @jkcso.

You can be next! We welcome contributions for new game levels! Learn more here.

'Anarchy' (noun) is the state of disorder due to absence or non-recognition of authority or other controlling systems. This was the first word that came to mind when I finished writing code.js. Is anarchy exploitable? Can you spot the issues? Good luck, you will need it!

• code includes the vulnerable code to be reviewed.
• hack files exploit the vulnerabilities in code. For this level, the exploits couldn't be automated. To run them, follow the instructions provided inside.
• hint files offer guidance if you get stuck.
• solution provides one working solution. There are several possible solutions.
• index hosts the homepage, featuring a javascript console.

1. Review the code in code.js. Can you spot the bug(s)?
2. You successfully completed this level when the exploits inside hack.js are unsuccessful. Remember, due to the nature of the exploits, you have to run them manually.
3. If you get stuck, read the hints.
4. Compare your solution to solution.js

If you need assistance, don't hesitate to ask for help in our GitHub Discussions or on our Slack in the #secure-code-game channel.

Congratulations, you've completed the Secure Code Game!

Here's a recap of all the tasks you've accomplished:

• You practiced secure code principles by spotting and fixing vulnerable patterns in real-world code.
• You assessed your solutions against exploits developed by GitHub Security Lab experts.
• You utilized GitHub code scanning features and understood the security alerts generated against your code.

• Follow GitHub Security Lab for the latest updates and announcements about this course.
• Contribute new levels to the game in 3 simple steps! Read our Contribution Guideline.
• Share your feedback and ideas in our Discussions and join our community on Slack.
• Take another skills course.
• Read more about code security.
• To find projects to contribute to, check out GitHub Explore.

Get help: Email us at securitylab-social@github.com • Review the GitHub status page

© 2024 GitHub • Code of Conduct • MIT License