Add more lab instructions (#501)

* Add more lab instructions

Signed-off-by: David A. Wheeler <[email protected]>

* Add UNASSIGNED markers

Signed-off-by: David A. Wheeler <[email protected]>

---------

Signed-off-by: David A. Wheeler <[email protected]>

Author: david-a-wheeler

docs/labs/README.md

@@ -25,7 +25,8 @@ We also have a [template](template.html) available.
 
 ## Please contribute labs
 
-[Please us create labs!](https://docs.google.com/document/d/1wNoNjLpdkgoXkRDvDBI32tm62rbASlfF6gxwyEkyTYs/edit)
+Please us create labs! See "[Please us create labs!](https://docs.google.com/document/d/1wNoNjLpdkgoXkRDvDBI32tm62rbASlfF6gxwyEkyTYs/edit)" for why it's
+important to help us create labs.
 
 We would love to have people contribute relevant labs to help
 people learn how to develop secure software.
@@ -43,8 +44,10 @@ In particular, that page will link to how to
 We suggest using the [template](template.html) as a start.
 
 To submit new or updated labs, create a pull request on the
-[OpenSSF Best Practices WG](https://github.com/ossf/wg-best-practices-os-developers/)
+[OpenSSF Best Practices Working Group (WG) repository](https://github.com/ossf/wg-best-practices-os-developers/)
 under the `docs/labs` directory.
+Simply fork the repository, add your proposed lab in the `docs/labs` directory,
+and create a pull request.
 
 ## Lab Roadmap
 
@@ -56,6 +59,8 @@ Below are the sections where we plan to create labs, along with
 mappings to existing labs or people who have agreed to work on one.
 The items marked "PLANNED-1" are those we intend to do first;
 "PLANNED-2" are planned in a second pass.
+The ones marked "UNASSIGNED" are ones where no one has (yet) agreed to
+work on.
 
 * Input Validation
   * Input Validation Basics
@@ -67,55 +72,55 @@ The items marked "PLANNED-1" are those we intend to do first;
     * [Validating Text](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#validating-text)
     * Introduction to Regular Expressions - [regex0](regex0.html)
     * Using Regular Expressions for Text Input Validation - [regex1](regex1.html), [input2](input2.html)
-    * [Countering ReDoS Attacks on Regular Expressions](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#countering-redos-attacks-on-regular-expressions) - PLANNED-2
+    * [Countering ReDoS Attacks on Regular Expressions](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#countering-redos-attacks-on-regular-expressions) - PLANNED-2 UNASSIGNED
   * Input Validation: Beyond Numbers and Text
     * [Insecure Deserialization](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#insecure-deserialization) - PLANNED-2 (Tepas Jena)
-    * [Input Validation: Beyond Numbers and Text](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#input-validation-beyond-numbers-and-text) - PLANNED-2
-    * [Minimizing Attack Surface, Identification, Authentication, and Authorization](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#minimizing-attack-surface-identification-authentication-and-authorization) - PLANNED-2
-    * [Search Paths and Environment Variables (including setuid/setgid Programs)](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#search-paths-and-environment-variables-including-setuidsetgid-programs) - PLANNED-2
-    * [Special Inputs: Secure Defaults and Secure Startup](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#special-inputs-secure-defaults-and-secure-startup) - PLANNED-2
+    * [Input Validation: Beyond Numbers and Text](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#input-validation-beyond-numbers-and-text) - PLANNED-2 UNASSIGNED
+    * [Minimizing Attack Surface, Identification, Authentication, and Authorization](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#minimizing-attack-surface-identification-authentication-and-authorization) - PLANNED-2 UNASSIGNED
+    * [Search Paths and Environment Variables (including setuid/setgid Programs)](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#search-paths-and-environment-variables-including-setuidsetgid-programs) - PLANNED-2 UNASSIGNED
+    * [Special Inputs: Secure Defaults and Secure Startup](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#special-inputs-secure-defaults-and-secure-startup) - PLANNED-2 UNASSIGNED
   * Consider Availability on All Inputs
-    * [Consider Availability on All Inputs Introduction](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#consider-availability-on-all-inputs-introduction) - PLANNED-2
+    * [Consider Availability on All Inputs Introduction](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#consider-availability-on-all-inputs-introduction) - PLANNED-2 UNASSIGNED
 * Processing Data Securely
   * Processing Data Securely: General Issues
-    * [Prefer Trusted Data. Treat Untrusted Data as Dangerous](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#prefer-trusted-data-treat-untrusted-data-as-dangerous) - PLANNED-2
+    * [Prefer Trusted Data. Treat Untrusted Data as Dangerous](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#prefer-trusted-data-treat-untrusted-data-as-dangerous) - PLANNED-2 UNASSIGNED
     * [Avoid Default & Hardcoded Credentials](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#avoid-default--hardcoded-credentials) - PLANNED-1 (Tepas Jena)
-    * [Avoid Incorrect Conversion or Cast](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#avoid-incorrect-conversion-or-cast) - PLANNED-2
+    * [Avoid Incorrect Conversion or Cast](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#avoid-incorrect-conversion-or-cast) - PLANNED-2 UNASSIGNED
   * Processing Data Securely: Undefined Behavior / Memory Safety
     * Countering Out-of-Bounds Reads and Writes (Buffer Overflow) - [oob1](oob1.html)
     * [Double-free, Use-after-free, and Missing Release](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#double-free-use-after-free-and-missing-release) - PLANNED-1 (Bennett Pursell)
-    * [Avoid Undefined Behavior](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#avoid-undefined-behavior) - PLANNED-2
+    * [Avoid Undefined Behavior](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#avoid-undefined-behavior) - PLANNED-2 UNASSIGNED
   * Processing Data Securely: Calculate Correctly
-    * [Avoid Integer Overflow, Wraparound, and Underflow](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#avoid-integer-overflow-wraparound-and-underflow) - PLANNED-2
+    * [Avoid Integer Overflow, Wraparound, and Underflow](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#avoid-integer-overflow-wraparound-and-underflow) - PLANNED-2 UNASSIGNED
 * Calling Other Programs
   * Introduction to Securely Calling Programs
     * Introduction to Securely Calling Programs - The Basics
   * Calling Other Programs: Injection and Filenames
     * [SQL Injection](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#sql-injection) - PLANNED-1 (Tepas Jena)
     * OS Command (Shell) injection - PLANNED-1 (Marta Rybczynska)
-    * [Other Injection Attacks](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#other-injection-attacks) - PLANNED-2
-    * Filenames (Including Path Traversal and Link Following) - PLANNED-2
+    * [Other Injection Attacks](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#other-injection-attacks) - PLANNED-2 UNASSIGNED
+    * Filenames (Including Path Traversal and Link Following) - PLANNED-2 UNASSIGNED
   * Calling Other Programs: Other Issues
-    * [Call APIs for Programs and Check What Is Returned](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#call-apis-for-programs-and-check-what-is-returned) - PLANNED-2
-    * [Handling Errors](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#handling-errors) - PLANNED-2
-    * [Logging](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#logging) - PLANNED-2
+    * [Call APIs for Programs and Check What Is Returned](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#call-apis-for-programs-and-check-what-is-returned) - PLANNED-2 UNASSIGNED
+    * [Handling Errors](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#handling-errors) - PLANNED-2 UNASSIGNED
+    * [Logging](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#logging) - PLANNED-2 UNASSIGNED
     * [Debug and Assertion Code](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#debug-and-assertion-code) - PLANNED-1 (Jason Shepherd)
-    * Countering Denial-of-Service (DoS) Attacks - PLANNED-2
+    * Countering Denial-of-Service (DoS) Attacks - PLANNED-2 UNASSIGNED
 * Sending Output
-  * [Introduction to Sending Output](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#introduction-to-sending-output) - PLANNED-2
+  * [Introduction to Sending Output](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#introduction-to-sending-output) - PLANNED-2 UNASSIGNED
   * Countering Cross-Site Scripting (XSS) - PLANNED-1 (Tepas Jena)
   * Content Security Policy (CSP) - [csp1](csp1.html)
-  * Other HTTP Hardening Headers - (probably continue csp1) PLANNED-2
-  * [Cookies Cookies & Login Sessions Login Sessions](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#cookies--login-sessions) - PLANNED-2
-  * [CSRF / XSRF](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#csrf--xsrf) - PLANNED-2
-  * [Open Redirects and Forwards](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#open-redirects-and-forwards) - PLANNED-2
-  * HTML **target** and JavaScript **window.open()** - PLANNED-2
-  * Using Inadequately Checked URLs / Server-Side Request Forgery (SSRF) - PLANNED-2
-  * Same-Origin Policy and Cross-Origin Resource Sharing (CORS) - PLANNED-2
+  * Other HTTP Hardening Headers - (probably continue csp1) PLANNED-2 UNASSIGNED
+  * [Cookies Cookies & Login Sessions Login Sessions](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#cookies--login-sessions) - PLANNED-2 UNASSIGNED
+  * [CSRF / XSRF](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#csrf--xsrf) - PLANNED-2 UNASSIGNED
+  * [Open Redirects and Forwards](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#open-redirects-and-forwards) - PLANNED-2 UNASSIGNED
+  * HTML **target** and JavaScript **window.open()** - PLANNED-2 UNASSIGNED
+  * Using Inadequately Checked URLs / Server-Side Request Forgery (SSRF) - PLANNED-2 UNASSIGNED
+  * Same-Origin Policy and Cross-Origin Resource Sharing (CORS) - PLANNED-2 UNASSIGNED
   * [Format Strings and Templates](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#format-strings-and-templates) - PLANNED-1 (Jason Shepherd)
-  * [Minimize Feedback / Information Exposure](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#minimize-feedback--information-exposure) - PLANNED-2
-  * [Avoid caching sensitive information](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#avoid-caching-sensitive-information) - PLANNED-2
-  * [Side-Channel Attacks](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#side-channel-attacks) - PLANNED-2
+  * [Minimize Feedback / Information Exposure](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#minimize-feedback--information-exposure) - PLANNED-2 UNASSIGNED
+  * [Avoid caching sensitive information](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#avoid-caching-sensitive-information) - PLANNED-2 UNASSIGNED
+  * [Side-Channel Attacks](https://github.com/ossf/secure-sw-dev-fundamentals/blob/main/secure_software_development_fundamentals.md#side-channel-attacks) - PLANNED-2 UNASSIGNED
 
 ## Our thanks
 

docs/labs/create_checker.md

@@ -18,7 +18,10 @@ You can also provide patterns for various hints.
 There are three basic tasks, which can be done by different people:
 
 1. Identifying the next lab to do.
-   See the [README](./README.md) for the list of labs.
+   See the [README](./README.md) for the list of labs (pick an unassigned one).
+   Tell [David A. Wheeler](mailto:dwheeler@linuxfoundation.org).
+   which one you want to do; he'll also be happy to answer
+   any questions.
 2. [Creating the lab instructions and correct answer](#creating-the-lab-instructions-and-correct-answer).
    This is done by a subject matter expert. See below.
 3. [Creating the lab HTML file](#creating-the-lab-html-file).
@@ -79,11 +82,16 @@ Whenever a lab is loaded it automatically runs all embedded self-tests.
 At the least, it checks that the initial attempted answer does
 *not* satisfy the correct answer pattern, while the example expected answer
 *does* satisfy the correct answer pattern.
-
 We suggest including the buttons (Hint, Reset, and Give up)
 as shown in the examples.
 The code will automatically set up the buttons if they are present.
 
+To submit new or updated labs, create a pull request on the
+[OpenSSF Best Practices Working Group (WG) repository](https://github.com/ossf/wg-best-practices-os-developers/)
+under the `docs/labs` directory.
+Simply fork the repository, add your proposed lab in the `docs/labs` directory,
+and create a pull request.
+
 ### Quick aside: script tag requirements
 
 Data about the lab is embedded in the HTML in a