require an hmac to generate when we want to create infrastructure as an anti-fuzzing control

Author: commjoen

wrongsecrets-balancer/src/teams/teams.js

@@ -1,5 +1,6 @@
 const express = require('express');
 const bcrypt = require('bcryptjs');
+const crypto = require('crypto');
 const cryptoRandomString = require('crypto-random-string');
 
 const Joi = require('@hapi/joi');
@@ -84,6 +85,29 @@ async function interceptAdminLogin(req, res, next) {
   return next();
 }
 
+/**
+ * @param {import("express").Request} req
+ * @param {import("express").Response} res
+ * @param {import("express").NextFunction} next
+ */
+async function validateHMAC(req, res, next) {
+  try {
+    const { team } = req.params;
+    const { hmacvalue } = req.body;
+    const validationValue = crypto
+      .createHmac('sha256', 'hardcodedkey')
+      .update(`${team}`, 'utf-8')
+      .digest('hex');
+    if (validationValue === hmacvalue) {
+      return next();
+    }
+    res.status(403).send({ message: 'Invalid validation, please stop doing this!' });
+  } catch (error) {
+    res.status(500).send({ message: 'Invalid validation, please stop doing this!' });  
+  }
+  
+}
+
 /**
  * @param {import("express").Request} req
  * @param {import("express").Response} res
@@ -506,6 +530,7 @@ const paramsSchema = Joi.object({
     .regex(/^[a-z0-9]([-a-z0-9])+[a-z0-9]$/),
 });
 const bodySchema = Joi.object({
+  hmacvalue: Joi.string().hex().length(64),
   passcode: Joi.string().alphanum().uppercase().length(8),
 });
 
@@ -518,6 +543,7 @@ router.post(
   interceptAdminLogin,
   joinIfTeamAlreadyExists,
   checkIfMaxJuiceShopInstancesIsReached,
+  validateHMAC,
   createTeam
 );
 

wrongsecrets-balancer/src/teams/teams.test.js

@@ -146,7 +146,8 @@ test('create team creates a instance for team via k8s service', async () => {
 
   await request(app)
     .post('/balancer/teams/team42/join')
-    // .expect(200)
+    .send({hmacvalue: '4c8dd1f1306727c537aa96f0c59968b719740f2a30ccda92044ea59622565564' })
+    .expect(200)
     .then(({ body }) => {
       expect(body.message).toBe('Created Instance');
       expect(body.passcode).toMatch(/[a-zA-Z0-9]{7}/);

wrongsecrets-balancer/ui/package-lock.json

@@ -5,6 +5,7 @@
   "dependencies": {
     "@formatjs/intl-utils": "^3.8.4",
     "axios": "^0.27.2",
+    "crypto-js": "^4.1.1",
     "promise-retry": "^2.0.1",
     "react": "^18.2.0",
     "react-data-table-component": "^7.5.3",

wrongsecrets-balancer/ui/package.json

@@ -2,6 +2,7 @@ import React, { useState, useEffect } from 'react';
 import axios from 'axios';
 import { useNavigate, useLocation } from 'react-router-dom';
 import { FormattedMessage, defineMessages, injectIntl } from 'react-intl';
+import cryptoJS from 'crypto-js';
 
 import styled from 'styled-components';
 
@@ -46,10 +47,13 @@ export const JoinPage = injectIntl(({ intl }) => {
 
   async function sendJoinRequest() {
     try {
+      const hmacvalue = cryptoJS
+        .HmacSHA256(`${teamname}`, 'hardcodedkey')
+        .toString(cryptoJS.enc.Hex);
       const { data } = await axios.post(`/balancer/teams/${teamname}/join`, {
         passcode,
+        hmacvalue,
       });
-
       navigate(`/teams/${teamname}/joined/`, { state: { passcode: data.passcode } });
     } catch (error) {
       if (