Hard Reset functionality for AspGoat

[Soham7-dev]

Discussed in #78

^{Originally posted by Soham7-dev September 25, 2025}

🚨 Help Wanted: Implement a Hard Reset Feature for AspGoat

Context:
AspGoat’s Unrestricted File Upload / File Overwrite lab lets learners deface the actual homepage as part of the challenge.
While that’s intentional, it means the application can be left in a broken state.
Currently, we simply display a warning and ask users to manually redeploy the container or clone the repo to restore the app.

Goal:
Create a one-click “Hard Reset” capability that restores the application to its original state.

---

Requirements & Ideas

• Reset Scope

  • Restore the entire wwwroot (or equivalent) directory to a clean snapshot.
  • Re-seed the SQLite database (users, comments, seeded labs, etc.).
  • Ensure uploaded/overwritten files are removed or replaced with pristine copies.

• Implementation Thoughts

  • Container-level approach (e.g., Docker volume snapshot, ephemeral overlay).
  • Application-level endpoint (/admin/reset) that:
    • Drops and recreates the DB schema.
    • Copies a baseline of static assets from a protected location.
  • Cross-platform: should work both in local dev and containerized environments.

• Security Considerations

  • Restricted to authorized roles (e.g., Admin or in dev mode only).
  • Prevent abuse—avoid becoming an unintended DoS vector.

---

Tech Stack

• Backend: ASP.NET Core 8 (MVC + Razor)
• Database: SQLite (seeded via EF Core)
• Deployment: Docker (multi-stage build)

---

What We’re Looking For

• .NET / DevOps / Security engineers who can:
  • Propose a clean architecture for snapshot/restore.
  • Implement and document the solution.
  • Provide automated tests to verify reset integrity.

---

💡 How to Contribute

• Start a conversation in GitHub Discussions → Ideas
• Or open a draft PR with an implementation proposal.

This feature will make AspGoat more learner-friendly while showcasing a real-world secure recovery pattern.

Recognition: Major contributors will be highlighted in the README “Hall of Fame” and future release notes.

[shresthashim]

assign this issue to me @Soham7-dev

[Soham7-dev]

Hi @shresthashim , this is an advanced feature. I recommend you put a solution proposal or POC in the Discussions tab of this project before doing any code changes.

[SachinAditya]

Hi @Soham7-dev,

I would like to work on this feature.

Proposed Approach:

I suggest implementing an application-level "Hard Reset" mechanism with the following architecture:

1. Reset Scope

• Delete and recreate the SQLite database using EF Core migrations.
• Re-run seed logic to restore initial users, labs, and comments.
• Restore the wwwroot directory from a protected baseline snapshot stored outside the writable directory.

2. Implementation Plan

• Create a secured POST endpoint (e.g., /admin/hard-reset).
• Restrict access using [Authorize(Roles = "Admin")] and optionally allow only in Development mode.
• Store a clean snapshot of static assets in a protected Baseline directory.
• On reset:
  • Drop and recreate DB schema
  • Reseed data
  • Delete modified/uploaded files
  • Restore pristine static assets

3. Security Considerations

• Anti-forgery protection
• Logging reset events
• Prevent repeated triggering (rate limiting or confirmation mechanism)

4. Testing Strategy

• Integration test that:
  • Modifies homepage
  • Uploads a malicious file
  • Calls reset endpoint
  • Verifies restoration of DB and static content integrity

Before starting implementation, I will open a short proposal in Discussions with a small POC design for feedback.

Please let me know if this direction aligns with the project's expectations.

Thank you!