feat: self-evaluation and updates for owasp module

Author: polvalente

modules/2-owasp.livemd

@@ -1,14 +1,14 @@
+<!-- livebook:{"persist_outputs":true} -->
+
 # ESCT: Part 2 - OWASP
 
 ```elixir
-Mix.install([
-  {:grading_client, path: "#{__DIR__}/grading_client"},
-  :bcrypt_elixir,
-  :httpoison,
-  {:absinthe, "~> 1.7.0"},
-  {:phoenix, "~> 1.0"},
-  {:plug, "~> 1.3.2"}
-])
+Mix.install(
+  [
+    {:grading_client, path: "#{__DIR__}/grading_client"}
+  ],
+  config_path: "#{__DIR__}/grading_client/config/config.exs"
+)
 
 md5_hash = :crypto.hash(:md5, "users_password")
 bcrypt_salted_hash = Bcrypt.hash_pwd_salt("users_password")
@@ -103,27 +103,56 @@ Notable CWEs included are CWE-259: Use of Hard-coded Password, CWE-327: Broken o
 
 _Please uncomment the function call that you believe is correct._
 
+<!-- livebook:{"attrs":"eyJtb2R1bGVfaWQiOm51bGwsInF1ZXN0aW9uX2lkIjpudWxsLCJzb3VyY2UiOiJkZWZtb2R1bGUgUGFzc3dvcmRDb21wYXJlIGRvXG4gIGRlZiBvcHRpb25fb25lKHBhc3N3b3JkLCBtZDVfaGFzaCkgZG9cbiAgICBjYXNlIDpjcnlwdG8uaGFzaCg6bWQ1LCBwYXNzd29yZCkgPT0gbWQ1X2hhc2ggZG9cbiAgICAgIHRydWUgLT4gOmVudHJ5X2dyYW50ZWRfb3AxXG4gICAgICBmYWxzZSAtPiA6ZW50cnlfZGVuaWVkX29wMVxuICAgIGVuZFxuICBlbmRcblxuICBkZWYgb3B0aW9uX3R3byhwYXNzd29yZCwgYmNyeXB0X3NhbHRlZF9oYXNoKSBkb1xuICAgIGNhc2UgQmNyeXB0LnZlcmlmeV9wYXNzKHBhc3N3b3JkLCBiY3J5cHRfc2FsdGVkX2hhc2gpIGRvXG4gICAgICB0cnVlIC0+IDplbnRyeV9ncmFudGVkX29wMlxuICAgICAgZmFsc2UgLT4gOmVudHJ5X2RlbmllZF9vcDJcbiAgICBlbmRcbiAgZW5kXG5lbmRcblxuIyBETyBOT1QgQ0hBTkdFIENPREUgQUJPVkUgVEhJUyBMSU5FID09PT09PT09PT09PT09PT09PT09PT09PT1cblxuIyBQYXNzd29yZENvbXBhcmUub3B0aW9uX29uZShcInVzZXJzX3Bhc3N3b3JkXCIsIG1kNV9oYXNoKVxuIyBQYXNzd29yZENvbXBhcmUub3B0aW9uX3R3byhcInVzZXJzX3Bhc3N3b3JkXCIsIGJjcnlwdF9zYWx0ZWRfaGFzaCkifQ","chunks":[[0,178],[180,859]],"kind":"Elixir.GradingClient.GradedCell","livebook_object":"smart_cell"} -->
+
 ```elixir
-defmodule PasswordCompare do
-  def option_one(password, md5_hash) do
-    case :crypto.hash(:md5, password) == md5_hash do
-      true -> :entry_granted_op1
-      false -> :entry_denied_op1
+module_id = Kino.Input.select("Module", [{OWASP, "OWASP"}])
+question_id = Kino.Input.number("Question ID")
+Kino.render(Kino.Layout.grid([module_id, question_id], columns: 2))
+nil
+
+module_id = Kino.Input.read(module_id)
+question_id = Kino.Input.read(question_id)
+
+result =
+  defmodule PasswordCompare do
+    def option_one(password, md5_hash) do
+      case :crypto.hash(:md5, password) == md5_hash do
+        true -> :entry_granted_op1
+        false -> :entry_denied_op1
+      end
     end
-  end
 
-  def option_two(password, bcrypt_salted_hash) do
-    case Bcrypt.verify_pass(password, bcrypt_salted_hash) do
-      true -> :entry_granted_op2
-      false -> :entry_denied_op2
+    def option_two(password, bcrypt_salted_hash) do
+      case Bcrypt.verify_pass(password, bcrypt_salted_hash) do
+        true -> :entry_granted_op2
+        false -> :entry_denied_op2
+      end
     end
   end
+
+case GradingClient.check_answer(module_id, question_id, result) do
+  :correct ->
+    IO.puts([IO.ANSI.green(), "Correct!", IO.ANSI.reset()])
+
+  {:incorrect, help_text} when is_binary(help_text) ->
+    IO.puts([IO.ANSI.red(), "Incorrect: ", IO.ANSI.reset(), help_text])
+
+  _ ->
+    IO.puts([IO.ANSI.red(), "Incorrect.", IO.ANSI.reset()])
 end
+```
 
-# DO NOT CHANGE CODE ABOVE THIS LINE =========================
+<!-- livebook:{"output":true} -->
 
-# PasswordCompare.option_one("users_password", md5_hash)
-# PasswordCompare.option_two("users_password", bcrypt_salted_hash)
+```
+Incorrect: Research MD5 Rainbow Tables
+```
+
+<!-- livebook:{"output":true} -->
+
+```
+:ok
 ```
 
 <!-- livebook:{"branch_parent_index":3} -->
@@ -244,19 +273,58 @@ Notable CWE included is CWE-1104: Use of Unmaintained Third-Party Components
 
 ### <span style="color:red">QUIZ</span>
 
-**Which of the outdated components currently installed is vulnerable?**
+**Which of the outdated components listed below is vulnerable?**
 
 _Please change the atom below to the name of the vulnerable package installed in this Livebook AND update the afflicted package._
 
-_HINT: Installed dependencies can be found at the very top, it was the very first cell you ran._
+_HINT: Check the changelogs for each dependency._
+
+<!-- livebook:{"attrs":"eyJtb2R1bGVfaWQiOm51bGwsInF1ZXN0aW9uX2lkIjpudWxsLCJzb3VyY2UiOiJhbnN3ZXIgPSBcbiAgS2luby5JbnB1dC5zZWxlY3QoXCJBbnN3ZXJcIiwgW1xuICAgIHs6ZWN0bywgXCJFY3RvIHYyLjIuMlwifSxcbiAgICB7Om54LCBcIk54IHYwLjUuMFwifSxcbiAgICB7OnBsdWcsIFwiUGx1ZyB2MS4zLjJcIn1cbiAgXSlcblxuS2luby5yZW5kZXIoYW5zd2VyKVxuXG5LaW5vLklucHV0LnJlYWQoYW5zd2VyKSJ9","chunks":[[0,178],[180,631]],"kind":"Elixir.GradingClient.GradedCell","livebook_object":"smart_cell"} -->
 
 ```elixir
-# CHANGE ME
-vulnerable_dependency = :vulnerable_dependency
+module_id = Kino.Input.select("Module", [{OWASP, "OWASP"}])
+question_id = Kino.Input.number("Question ID")
+Kino.render(Kino.Layout.grid([module_id, question_id], columns: 2))
+nil
+
+module_id = Kino.Input.read(module_id)
+question_id = Kino.Input.read(question_id)
+
+result =
+  (
+    answer =
+      Kino.Input.select("Answer",
+        ecto: "Ecto v2.2.2",
+        nx: "Nx v0.5.0",
+        plug: "Plug v1.3.2"
+      )
+
+    Kino.render(answer)
+    Kino.Input.read(answer)
+  )
+
+case GradingClient.check_answer(module_id, question_id, result) do
+  :correct ->
+    IO.puts([IO.ANSI.green(), "Correct!", IO.ANSI.reset()])
+
+  {:incorrect, help_text} when is_binary(help_text) ->
+    IO.puts([IO.ANSI.red(), "Incorrect: ", IO.ANSI.reset(), help_text])
+
+  _ ->
+    IO.puts([IO.ANSI.red(), "Incorrect.", IO.ANSI.reset()])
+end
+```
+
+<!-- livebook:{"output":true} -->
 
-# DO NOT CHANGE CODE BELOW THIS LINE ============================
-Application.spec(vulnerable_dependency)[:vsn] |> List.to_string() |> IO.puts()
-IO.puts(vulnerable_dependency)
+```
+Incorrect: Check the changelog for the next minor or major release.
+```
+
+<!-- livebook:{"output":true} -->
+
+```
+:ok
 ```
 
 <!-- livebook:{"branch_parent_index":3} -->
@@ -389,4 +457,18 @@ case HTTPoison.get(user_inputted_url) do
 end
 ```
 
+<!-- livebook:{"output":true} -->
+
+```
+This is the IP belonging to your Livebook instance:
+179.241.241.114
+
+```
+
+<!-- livebook:{"output":true} -->
+
+```
+:ok
+```
+
 [**<- Previous Module: Introduction**](./1-introduction.livemd) || [**Next Module: Secure SDLC Concepts ->**](./3-ssdlc.livemd)

modules/grading_client/config/config.exs

@@ -0,0 +1 @@
+import Config

modules/grading_client/lib/grading_client.ex

@@ -8,7 +8,7 @@ defmodule GradingClient do
   """
 
   @spec check_answer(any(), any(), any()) :: :correct | {:incorrect, String.t() | nil}
-  def check_answer(answer, module_id, question_id) do
+  def check_answer(module_id, question_id, answer) do
     GradingClient.Answers.check(module_id, question_id, answer)
   end
 end

modules/grading_client/lib/grading_client/answers.ex

@@ -21,11 +21,13 @@ defmodule GradingClient.Answers do
 
     {answers, _} = Code.eval_file(filename)
 
-    Enum.each(answers, fn answer ->
-      :ets.insert(@table, {{answer.module_id, answer.question_id}, answer})
-    end)
+    modules =
+      MapSet.new(answers, fn answer ->
+        :ets.insert(@table, {{answer.module_id, answer.question_id}, answer})
+        answer.module_id
+      end)
 
-    {:ok, nil}
+    {:ok, %{modules: modules}}
   end
 
   @doc """
@@ -36,6 +38,19 @@ defmodule GradingClient.Answers do
     GenServer.call(__MODULE__, {:check, module_id, question_id, answer})
   end
 
+  @doc """
+  Returns the list of modules.
+  """
+  @spec get_modules() :: [atom()]
+  def get_modules() do
+    GenServer.call(__MODULE__, :get_modules)
+  end
+
+  @impl true
+  def handle_call(:get_modules, _from, state) do
+    {:reply, state.modules, state}
+  end
+
   @impl true
   def handle_call({:check, module_id, question_id, answer}, _from, state) do
     result =
@@ -44,6 +59,9 @@ defmodule GradingClient.Answers do
           {:incorrect, "Question not found"}
 
         [{_id, %Answer{answer: correct_answer, help_text: help_text}}] ->
+          dbg(answer)
+          dbg(correct_answer)
+
           if answer == correct_answer do
             :correct
           else

modules/grading_client/lib/grading_client/graded_cell.ex

@@ -0,0 +1,116 @@
+defmodule GradingClient.GradedCell do
+  use Kino.JS
+  use Kino.JS.Live
+  use Kino.SmartCell, name: "Graded Cell"
+
+  @impl true
+  def init(attrs, ctx) do
+    source = attrs["source"] || ""
+
+    {:ok, assign(ctx, source: source, module_id: nil, question_id: nil),
+     editor: [source: source, language: "elixir"]}
+  end
+
+  @impl true
+  def handle_connect(ctx) do
+    {:ok, %{}, ctx}
+  end
+
+  @impl true
+  def handle_editor_change(source, ctx) do
+    {:ok, assign(ctx, source: source)}
+  end
+
+  @impl true
+  def to_attrs(ctx) do
+    %{
+      "source" => ctx.assigns.source,
+      "module_id" => ctx.assigns.module_id,
+      "question_id" => ctx.assigns.question_id
+    }
+  end
+
+  @impl true
+  def to_source(attrs) do
+    dbg(attrs)
+
+    options = Enum.map(GradingClient.Answers.get_modules(), &{&1, inspect(&1)})
+
+    inputs =
+      quote do
+        module_id = Kino.Input.select("Module", unquote(options))
+        question_id = Kino.Input.number("Question ID")
+
+        Kino.render(Kino.Layout.grid([module_id, question_id], columns: 2))
+        nil
+      end
+
+    source_ast =
+      try do
+        source = Code.string_to_quoted!(attrs["source"])
+
+        quote do
+          module_id = Kino.Input.read(module_id)
+          question_id = Kino.Input.read(question_id)
+
+          result = unquote(source)
+
+          case GradingClient.check_answer(module_id, question_id, result) do
+            :correct ->
+              IO.puts([IO.ANSI.green(), "Correct!", IO.ANSI.reset()])
+
+            {:incorrect, help_text} when is_binary(help_text) ->
+              IO.puts([IO.ANSI.red(), "Incorrect: ", IO.ANSI.reset(), help_text])
+
+            _ ->
+              IO.puts([IO.ANSI.red(), "Incorrect.", IO.ANSI.reset()])
+          end
+        end
+      rescue
+        error ->
+          IO.inspect(error)
+          {:<<>>, [delimiter: ~s["""]], [attrs["source"] <> "\n"]}
+      end
+
+    [
+      Kino.SmartCell.quoted_to_string(inputs),
+      Kino.SmartCell.quoted_to_string(source_ast)
+    ]
+  end
+
+  @impl true
+  def handle_connect(ctx) do
+    {:ok, %{}, ctx}
+  end
+
+  asset "main.js" do
+    """
+    export function init(ctx, payload) {
+      ctx.importCSS("main.css");
+
+      root.innerHTML = `
+        <div class="app header">
+          <div class="text-lg font-bold">Graded Cell</div>
+        </div>
+      `;
+    }
+    """
+  end
+
+  asset "main.css" do
+    """
+    .app {
+      padding: 8px 16px;
+      border: solid 1px #cad5e0;
+      border-radius: 0.5rem 0.5rem 0 0;
+      border-bottom: none;
+    }
+
+    .header {
+      display: grid;
+      grid-template-columns: 3fr 1fr 1fr;
+      gap: 8px;
+    }
+    """
+  end
+end