The History of Debugging: Part 1

Reading Time: 3 minutes

Disclaimer: there might never be a Part 2.

Together with Maarten (who already has written some content concerning debugging and monitoring software), we’re going to write some posts about the concept of debugging code. And to introduce the topic, why not start with a little bit of (mostly personal) history on the matter?

ENIAC

It’s hard to imagine nowadays, but writing software wasn’t always literally writing: on the ENIAC i.e., the programmers had to make physical connections between the different components, replacing burnt out vacuum tubes as they progressed. They did actually write the program on paper first though, and did their very best to run through it step by step before starting to program the actual computer. And even then, they went through the program again: even the ENIAC already supported step-through debugging!

ENIAC Continue reading “The History of Debugging: Part 1”

SLD Injection, it’s a thing

Reading Time: 4 minutes

I’m in the middle of preparing a session about security, and one topic you regularly bump into when thinking about security and writing code is SQL Injection. Although it is the year 2016, there are still people writing code which is vulnerable against SQL Injection.

But I’m not going to focus on SQL Injection here, I’m going to take it one step further. If you want to read up on SQL Injection, Bing/Google is your friend. Or just take a look at good old Bobby Tables.

People often think: “It’s called SQL Injection, but I’m not using SQL here, so I’m safe.”

Wrong.

From the moment you’re using any type of query or filtering language construct, you can introduce some form of SQL Injection in your code:

Another fun example uses the System.Linq.Dynamic NuGet package. This little gem allows you to use string expressions to filter on IEnumerable’s. And because it makes our developer life easier, we could use this to filter data in a Web API, for example. Take a look at this piece of code:

Yes, I know this is not the best code because you’re fetching all users from the database and then you reduce the result set, but bear with me. I’m making a statement here. Besides, this kind of code is still being written in production as well!

As you can see, you’re applying a filter to a list of User instances using System.Linq.Dynamic. That filter could be, for example, this:

This would reduce the results down to all users with an odd ID and where the surname starts with “n”. But someone could circumvent our fixed “odd ID” filter part, which would ignore our little security measure, by changing the filter a bit:

This filter value would make fullFilter look like this:

Because we’re missing parentheses around the user filter part, the ID filter will be ignored. One solution could be to add these parentheses.

Actually, you could solve that problem by moving the fixed filter part. That way, no matter what your user is requesting, he or she can’t get by the fixed filter anymore:

And to complete the story, you can look at using parameterized queries, which is also supported by System.Linq.Dynamic. Using parameters in your filter would take away some of the filtering power from the consumer of your API, but you could reintroduce that power by defining your own filters. This example shows a basic attempt at implementing this:

 

CSP: we’re not there, yet.

Reading Time: 3 minutes

CSP, or Content Security Policy, is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. In short, you can add this policy using either a <meta> tag or by setting additional headers in your HTTP response, and using the policy you’ll limit the origins for resources for that HTTP request. For example:

  • script-src ‘self’ allows loading scripts from the current domain
  • child-src https://youtube.com allows the use of <iframe> tags pointing towards YouTube
  • style-src ‘self’ https://maxcdn.bootstrapcdn.com allows loading CSS files from the current source and from a CDN.

If you want to read up on CSP, I suggest heading over to http://www.html5rocks.com/en/tutorials/security/content-security-policy/

Now, I was trying out some things concerning CSP and inline scripts. You could add ‘unsafe-inline’ to the script-src source list to allow all inline scripting (except eval and other bad stuff, you need ‘unsafe-eval’ in that case), but that is exactly what you would want to avoid. Instead, you can opt to do one of these things:

  1. Move all inline JavaScript into .js files and load them using <script src=””></script> tags, while adding ‘self’ to script-src if that wasn’t already the case. The easiest solution, but not always possible.
  2. Generate a nonce for each inline script. A nonce means: a unique and hard to predict stream of bytes, different for each script, each page and each request!
    A nonce could be base64 encoded and look like RJ6bGjm5EO/X8pImZjvjeAexFVei9IvzNFCGw5lQUa0=
    You would need to add that nonce to the script using the nonce attribute, and also to the script-src source list using ‘nonce-RJ6bGjm5EO/X8pImZjvjeAexFVei9IvzNFCGw5lQUa0=’
  3. Calculate the SHA256, SHA384 or SHA512 digest of each inline script (including all whitespace, but excluding the opening and closing script tags). Like the nonce, you’d need to add these digests to the script-src source list using ‘sha256-0ZMofb7eMqkB9IFHnGVZ6Z4chjplAavgi09shinNehs=’ for example.

Continue reading “CSP: we’re not there, yet.”

Writing a custom TagHelper in ASP.NET 5

Reading Time: 6 minutes

ASP.NET 5 brings some new features to MVC. One of these features is TagHelpers, which allow us to add new attributes to HTML tags (or create custom tags altogether) to add behavior to these tags. At this moment – beta8 – we receive the following TagHelpers out of the box:

– AnchorTagHelper: allows you to write <a asp-controller=”Home” asp-action=”Index”>Back to home</a> instead of @Html.ActionLink(“Back to home”, “Index”, “Home”)
– LabelTagHelper, InputTagHelper, TextAreaTagHelper, SelectTagHelper, etc.: instead of writing Razor like @Html.LabelFor(m => m.Property1, new { @class = “control-label col-md-2”}), you can use a syntax which is much cleaner: <label asp-for=”Property1″ class=”control-label col-md-2″></label>
– EnvironmentTagHelper: adds a new tag, <environment>, giving you the possibility to include <link> or <script> tags specific for Development or Production environments.
– LinkTagHelper, ScriptTagHelper: adds attributes to <link> and <script> to allow the use of CDN’s and fallback urls.

This list is incomplete, but you can head over to GitHub to see every available TagHelper class currently available.

You can also create your own TagHelper classes. I’ll show you an example which enables you to do this:

That img tag would load a users profile image using the ProfileImage action method in a UsersController class: userful for retrieving a profile image from a blob container on Azure, for example.

Continue reading “Writing a custom TagHelper in ASP.NET 5”

Global Azure Bootcamp – Aftermath

Reading Time: 2 minutes

It’s been almost a month now since the last edition of Global Azure Bootcamp, and I wanted to share with you some of the details of my involvement in this years edition. This year, we had two labs in which you could participate: a racing and a science lab. And I helped out with some aspects behind the workings of the science lab: the Elasticsearch cluster and the dashboard website.

For this lab, all you had to do was to deploy a cloud service to Azure and scale it up to as many instances as you could spare. These instances would then crunch a lot of data concerning breast cancer research. After the results from your cloud instances were uploaded, they would eventually end up in the Elasticsearch cluster.

Continue reading “Global Azure Bootcamp – Aftermath”

A Cortana Smartwatch? Yes please!

Reading Time: 1 minutes

Smartwatches are hyping now for a while, and that hype got a big boost because of Apple announcing their Apple Watch. Which led to some people thinking: “I wouldn’t mind owning a smartwatch that is compatible with Windows Phone.”
Which got me thinking: how would I want such a watch to look like?

Now, I’m certainly not a Photoshop wizzkid, but I do have some mad Paint.Net skills (ahem).Cortana says Hi! The time Text alert

 

From GitHub to Nuget via MyGet

Reading Time: 2 minutes

For Cors.ConfigProfiles, I wanted to try something I had seen before: automatically create a NuGet package when I push a new release to GitHub. To do this, I’d need a build server that would kick off when something changes in my master branch. If the build succeeds, it should look for a nuspec file (NuGet specification to build a package) and build that too, unless my build commands already took care of that. Then, I have a nupkg file: a NuGet package. The build server should then publish this new version to NuGet for me. And while we’re at it, it would be great if it would also take care of versioning my NuGet package for me, and tag the GitHub repository.

But I didn’t want to set all of this up by myself (developers are lazy, aren’t we?), so I made use of MyGet instead 🙂

Continue reading “From GitHub to Nuget via MyGet”