Releases: juice-shop/juice-shop
v12.10.0
👨‍💻 Coding Challenges
- Added cheat detection for coding challenges (based on solving speed in relation to code snippet length and selectable fix options)
- Added accuracy calculation for coding challenges (based on number of failed solving attempts)
- Added Prometheus metrics `juiceshop_coding_challenges_progress` and `juiceshop_coding_challenges_accuracy`
- Added panels for new coding challenge metrics to Grafana dashboard template
⚙️ DevOps Automation
- #1685: Refactored CI/CD to work on repository forks without guaranteed failures or unnecessary credit consumption
- Turned off GitHub action steps that would fail on forks such as Docker, CodeClimate, Heroku and Slack (kudos to @commjoen)
- Limit matrix build `test` stage to only Node 14.x on Ubuntu for forks
- #1687: Pin GitHub action plugins to current commit hash to reduce risk for supply chain attacks (kudos to @commjoen)
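As an added illustration of the pinning introduced in #1687 (this is not taken from the project's own workflow files), the tag-based reference sits next to its hash-pinned form; the action name and the commit SHA are placeholders:

```yaml
# Added example, not Juice Shop's own workflow. Action name and SHA are placeholders.
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # Weak: a tag is a mutable reference. Whoever controls the action's
      # repository can move "v2" to different code without the workflow changing.
      - uses: actions/checkout@v2

      # Hardened: pin to the full 40-character commit SHA of the release that
      # was reviewed. The trailing comment records the matching tag so readers
      # and dependency-update bots can see which version the hash refers to.
      - uses: actions/checkout@<FULL_40_CHAR_COMMIT_SHA>  # v2.3.4
```

A commit SHA is immutable, so re-tagging or force-pushing the action's repository cannot silently change what the pinned step executes.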
🛍️ Product Inventory
- The product 20th Anniversary Celebration Ticket is no longer available
🐛 Bugfixes
- #1691: Improved fix options for "NoSQL Manipulation" coding challenge (kudos to @denkerszaf)
v12.9.3
🐛 Bugfixes
- Show "Loading code snippet..." placeholder again when snippet is retrieved for a coding challenge
- Fixed accidental lockouts from "Fix It" tab after false submissions during a coding challenge
- Fixed accidental blowup of JSON response with each subsequent call to the `/snippets` endpoint
- Calls to `/snippets` endpoint now return a cached result after the first retrieval
v12.9.2
🐛 Bugfixes
- Fix It tab in coding challenges dialog no longer uses Find It label in title
v12.9.1
📘 Documentation
- Changed all GitHub repository links from https://github.com/bkimminich/juice-shop to https://github.com/juice-shop/juice-shop
👨‍⚖️ Copyright
- Included OWASP Juice Shop contributors into all copyright notices
v12.9.0
👨‍💻 Coding Challenges
- Extended Code Snippets into Coding Challenges (kudos to our Google Summer of Code 2021 student @the-pro)
- Vulnerable code snippets have been redesigned to allow selecting and submitting a vulnerable line and receiving a verdict
- Additional tab after successful selection of the vulnerable line allows selecting the assumed fix from a provided list of options
- Solution status of coding challenges is persisted to the database and displayed on the Score Board
- Switched default availability of coding challenges from `always` to only after the corresponding hacking challenge was solved
🎊 UI Enhancements
- Added confetti shooter animation when a hacking or coding challenge is solved (kudos to @the-pro)
⚙️ DevOps Automation
- #1660: Switched to newer GitLab Auto-Devops with additional scans (kudos to @ricardoamarilla)
🔐 Security
- 524f3be: Increase maximum password length from 20 to 40 in user registration and password change UI
🐛 Bugfixes
- #1666: Fixed occasional server crash when tampering with user feedback HTTP requests
🗺️ I18N
- Added 🇱🇰 language
- Extended translations in 🇦🇿, 🇨🇳, 🇩🇰, 🇫🇷, 🇳🇴, 🇹🇭 and 🇩🇪
v12.8.1
🛍️ Products
- Added "20th Anniversary Celebration Ticket" to product inventory to promote https://20thanniversary.owasp.org/
v12.8.0
This release brings significant changes to existing challenges (:zap:) which might break canned CTF setups as well as solution guides made for previous versions of OWASP Juice Shop!
🎯 Challenges
- #1576: Added "Local File Read" challenge (kudos to @cigar-galaxy82 for implementing and @CaptainFreak for the idea)
- #1491: Removed "Login CISO" challenge due to Google no longer accepting `X-User-Email` header during OAuth login (:zap:)
- Updated links in quarantine folder to point to new malware location at https://github.com/juice-shop/juicy-malware
🛍️ Products
- Added "OWASP Juice Shop Card (non-foil)" to product inventory
🐛 Bugfixes
- #1628: Fixed server crashes when accessing data export or order history endpoints without an authorization token
🗺️ I18N
- Extended 🇹🇭 and 🇩🇰 translations significantly
v12.7.2
v12.7.1
v12.7.0
This release contains experimental or prototype features (🔬) which are not guaranteed to work and are subject to breaking changes (or removal) within a subsequent minor release. Feedback on these features is particularly welcome via Gitter, Slack or by opening a GitHub issue.
👟 Runtime
- 4201a98: Added support for Node.js 15.x
👨‍💻 Code Snippets (🔬)
- Introduced Vulnerable Code Snippets which show the actual underlying source code for many hacking challenges
- Added new Code Snippet button to all challenges on Score Board that opens snippet in modular dialog
- Introduced code comment markers under `vuln-code-snippet` namespace to assign actual source code to challenges
- Added spoiler section to code snippet where the ultimately vulnerable/responsible line(s) of code for a challenge can be revealed
🎯 Challenges
- #1576: Converted deletion request form for data subject from Angular to HBS frontend for future use in hacking challenge (kudos to @cigar-galaxy82)
- #1592: CSRF challenge no longer requires a seriously outdated browser (like Firefox from 2017) to be exploitable (kudos to @dnull & @chinggg)
👨‍🏫 Hacking Instructor
- #1600: Added button to cancel an ongoing tutorial script without a Browser refresh (kudos to @the-pro)
☑️ Pre-start Validations
- #1613: Added (optional) config property `exifForBlueprintChallenge` and corresponding checks during server startup for existence of EXIF data for "Retrieve Blueprint" challenge (kudos to @chinggg and @the-pro)
🐛 Bugfixes
- Fixed race condition during `node-i18n` initialization and copying of locale files that caused server startup failure (kudos to @adityaofficial10)
- #1597: Added back lost EXIF data to image needed for "Retrieve Blueprint" challenge
- Fixed outdated Slack invite link on About Us page to new https://owasp.org/slack/invite self registration page