{"id":13666825,"url":"https://github.com/snyk-labs/java-goof","last_synced_at":"2026-02-26T11:15:12.106Z","repository":{"id":37536260,"uuid":"94013538","full_name":"snyk-labs/java-goof","owner":"snyk-labs","description":null,"archived":false,"fork":false,"pushed_at":"2024-10-19T02:23:51.000Z","size":74949,"stargazers_count":91,"open_issues_count":184,"forks_count":1186,"subscribers_count":59,"default_branch":"main","last_synced_at":"2024-11-13T10:02:35.524Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/snyk-labs.png","metadata":{"files":{"readme":"README-K8S.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2017-06-11T15:26:51.000Z","updated_at":"2024-10-17T19:57:54.000Z","dependencies_parsed_at":"2023-12-13T17:56:12.406Z","dependency_job_id":"bfa686db-9919-4a2d-a888-eca3d0386673","html_url":"https://github.com/snyk-labs/java-goof","commit_stats":null,"previous_names":["snyk/java-goof"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snyk-labs%2Fjava-goof","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snyk-labs%2Fjava-goof/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snyk-labs%2Fjava-goof/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snyk-labs%2Fjava-goof/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/snyk-labs","download_url":"https://codeload.github.com/snyk-labs/java-goof/tar.gz/refs/heads/main","h
ost":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250986513,"owners_count":21518529,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T06:01:25.786Z","updated_at":"2026-02-26T11:15:07.074Z","avatar_url":"https://github.com/snyk-labs.png","language":"Java","funding_links":[],"categories":["Java","Examples \u0026 Proofs of Concept"],"sub_categories":[],"readme":"# Kubernetes based Todolist + Log4Shell exploit\nTo deploy Todolist on Kubernetes along with the LDAP backend needed for exploiting the Log4Shell\nvulnerability:\n\n## Prerequisites\n1. A Kubernetes cluster where you have permissions to create namespaces, deployments and services\n2. The `kubectl` client and credentials configuration\n3. Docker Desktop or docker-ce (for building and pushing images)\n4. A Docker Hub account that you are logged in with at the command prompt (via `docker login`)\n\n## Quickstart\nAssuming you have your Kubernetes cluster up and ready, from the top level of this repo you can run `./k8s-quickstart.sh`, which will do the following:\n1. Builds the todolist-goof image and pushes it to Docker Hub. _(see below for account/tagging info)_\n2. Deploys the todolist to the `default` namespace in your Kubernetes cluster along with a LoadBalancer type service\n3. Builds the log4shell-server image and pushes it to Docker Hub. _(see below for account/tagging info)_\n
4. Deploys the log4shell-server and a pair of ClusterIP type services into a new namespace named `darkweb` in your Kubernetes cluster.\n\nNOTE: You will be prompted for your Docker Hub account in order for the scripts to tag, push and pull the images.\nIf you set an environment variable named `DOCKER_ACCOUNT` to that account name, the script will pre-populate that prompt with it.\n```bash\nexport DOCKER_ACCOUNT=\"yourdockeraccount\"\n```\n## Accessing the application\nOnce complete, run `kubectl get svc` and note the IP address or hostname of the `goof` service.\n\nYou should be able to open a browser to http://{svc-ip-addr}/todolist and see the app.\n\n#### EKS cluster notes\n* In order to perform NetworkPolicy egress examples, you will need to deploy the Calico CNI plugin, as EKS does not implement NetworkPolicy by default.\n  The `eks-calico.sh` script in `todolist-goof/k8s` will deploy this for you. (That script is sym-linked to the top level here too.)\n* You should log into the AWS console and change inbound access for the goof service's ELB to only allow your home IP, otherwise you *will* have audience members trying to mess with it.\n\n#### Docker Desktop Kubernetes notes\n* Docker Desktop automatically exposes the goof service's load balancer external IP on your workstation's localhost, so the app will be available at http://localhost/todolist\n* Docker Desktop Kubernetes CNI does not implement NetworkPolicy, so you will not be able to demonstrate any mitigation techniques that use it.\n\n#### Kind (Kubernetes on Docker) notes\n* Kind's default CNI does not currently support NetworkPolicy, so you should deploy your own using the instructions on their website.\n* If running Kind on top of Docker Desktop, you will need to run a port-forward to access the app. For example, use something like this: `kubectl port-forward service/goof 8000:80` and then access it via browser at http://localhost:8000/todolist\n
\n## Quick cleanup\nRun the `./k8s-quickstop.sh` script at the top level of this repo, which will do the following:\n1. Deletes the todolist deployment and associated service in the `default` namespace\n2. Deletes the log4shell deployment and associated services in the `darkweb` namespace and deletes the namespace as well\n   **Note:** This will not delete any additional objects you may have deployed, such as NetworkPolicies.\n\nIt is up to you to shut down your Kubernetes cluster as appropriate.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsnyk-labs%2Fjava-goof","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsnyk-labs%2Fjava-goof","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsnyk-labs%2Fjava-goof/lists"}