Debugging 101

Reading Time: 6 minutes

Welcome back for my second post about debugging! In this post, I’ll give you an overview of the basic capabilities of the debugger in Visual Studio 2015, and add a few tips and tricks to take your debugging skills to the next level. We will not delve into the more advanced topics yet though, like debugging multi-threaded applications for example: those topics are being reserved for later posts (either by Maarten or myself) because they are too large to handle all at once.

Now, before you think to skip this post because you’ve been programming for some years, I do suggest to glance over this post: you might see something you didn’t know, or didn’t see the benefit of that debugger feature. If you already knew everything I’ve written in this post, then you are awesome! And should you know a neat trick which I didn’t cover, then don’t hesitate to leave a comment 🙂

Let’s start with the basics, shall we? Continue reading “Debugging 101”

The History of Debugging: Part 1

Reading Time: 3 minutes

Disclaimer: there might never be a Part 2.

Together with Maarten (who already has written some content concerning debugging and monitoring software), we’re going to write some posts about the concept of debugging code. And to introduce the topic, why not start with a little bit of (mostly personal) history on the matter?

ENIAC

It’s hard to imagine nowadays, but writing software wasn’t always literally writing: on the ENIAC i.e., the programmers had to make physical connections between the different components, replacing burnt out vacuum tubes as they progressed. They did actually write the program on paper first though, and did their very best to run through it step by step before starting to program the actual computer. And even then, they went through the program again: even the ENIAC already supported step-through debugging!

Continue reading “The History of Debugging: Part 1”

SLD Injection, it’s a thing

Reading Time: 4 minutes

I’m in the middle of preparing a session about security, and one topic you regularly bump into when thinking about security and writing code is SQL Injection. Although it is the year 2016, there are still people writing code which is vulnerable against SQL Injection.

But I’m not going to focus on SQL Injection here, I’m going to take it one step further. If you want to read up on SQL Injection, Bing/Google is your friend. Or just take a look at good old Bobby Tables.

People often think: “It’s called SQL Injection, but I’m not using SQL here, so I’m safe.”

Wrong.

From the moment you’re using any type of query or filtering language construct, you can introduce some form of SQL Injection in your code:

Using (n)Hibernate with HQL? Are you using parameters in those queries or not?
You’re using Azure Table Storage or another NoSQL DB. But does NoSQL mean No SQL Injection?

Another fun example uses the System.Linq.Dynamic NuGet package. This little gem allows you to use string expressions to filter on IEnumerable’s. And because it makes our developer life easier, we could use this to filter data in a Web API, for example. Take a look at this piece of code:

public async Task<IEnumerable<User>> GetUsersAsync(string filter)
{
	// Lets say the current user can only access data with odd ID's
	var fullFilter = "(id % 2) = 1";

	if (!string.IsNullOrEmpty(filter))
	{
		fullFilter += $" && {filter}";
	}

	return (await DbContext.Users.ToListAsync()).Where(fullFilter);
}

public async Task<IEnumerable<User>> GetUsersAsync(string filter)

{

// Lets say the current user can only access data with odd ID's

var fullFilter = "(id % 2) = 1";

if (!string.IsNullOrEmpty(filter))

{

fullFilter += $" && {filter}";

}

return (await DbContext.Users.ToListAsync()).Where(fullFilter);

}

Yes, I know this is not the best code because you’re fetching all users from the database and then you reduce the result set, but bear with me. I’m making a statement here. Besides, this kind of code is still being written in production as well!

As you can see, you’re applying a filter to a list of User instances using System.Linq.Dynamic. That filter could be, for example, this:

"name.StartsWith(\"n\")"

1	"name.StartsWith(\"n\")"

This would reduce the results down to all users with an odd ID and where the surname starts with “n”. But someone could circumvent our fixed “odd ID” filter part, which would ignore our little security measure, by changing the filter a bit:

"1 = 1 || 1 = 1"

1	"1 = 1 \|\| 1 = 1"

This filter value would make fullFilter look like this:

"(id % 2) = 1 && 1 = 1 || 1 = 1"

1	"(id % 2) = 1 && 1 = 1 \|\| 1 = 1"

Because we’re missing parentheses around the user filter part, the ID filter will be ignored. One solution could be to add these parentheses.

public async Task<IEnumerable<User>> GetUsersAsync(string filter)
{
	// Lets say the current user can only access data with odd ID's
	var fullFilter = "(id % 2) = 1";

	if (!string.IsNullOrEmpty(filter))
	{
		fullFilter += $" && ({filter})";
	}

	return (await DbContext.Users.ToListAsync()).Where(fullFilter);
}

public async Task<IEnumerable<User>> GetUsersAsync(string filter)

{

// Lets say the current user can only access data with odd ID's

var fullFilter = "(id % 2) = 1";

if (!string.IsNullOrEmpty(filter))

{

fullFilter += $" && ({filter})";

}

return (await DbContext.Users.ToListAsync()).Where(fullFilter);

}

Actually, you could solve that problem by moving the fixed filter part. That way, no matter what your user is requesting, he or she can’t get by the fixed filter anymore:

public async Task<IEnumerable<User>> GetUsersAsync(string filter)
{
   // Lets say the current user can only access data with odd ID's
   var query = DbContext.Users.Where(x => x.Id % 2 == 1);

   if (!string.IsNullOrEmpty(filter))
   {
      return (await query.ToListAsync()).Where(filter);
   }

   return await query.ToListAsync();
}

public async Task<IEnumerable<User>> GetUsersAsync(string filter)

{

// Lets say the current user can only access data with odd ID's

var query = DbContext.Users.Where(x => x.Id % 2 == 1);

if (!string.IsNullOrEmpty(filter))

{

return (await query.ToListAsync()).Where(filter);

}

return await query.ToListAsync();

}

And to complete the story, you can look at using parameterized queries, which is also supported by System.Linq.Dynamic. Using parameters in your filter would take away some of the filtering power from the consumer of your API, but you could reintroduce that power by defining your own filters. This example shows a basic attempt at implementing this:

public async Task<IEnumerable<User>> GetUsersAsync(string filter)
{
	// Lets say the current user can only access data with odd ID's
	var query = DbContext.Users.Where(x => x.Id % 2 == 1);

	if (!string.IsNullOrEmpty(filter))
	{
		var parsed = ParseFilter(filter);
		return (await query.ToListAsync()).Where(parsed.Filter, parsed.ParamList.ToArray());
	}

	return await query.ToListAsync();
}

private ParsedFilter ParseFilter(string filter)
{
	var newFilter = new StringBuilder(filter.Length);
	var paramList = new List<object>();

	var filterParts = filter.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
	var i = 0;
	var paramIndex = 0;

	while (i < filterParts.Length)
	{
		string @operator = "", property = "";
		object literal = null;
		var parts = new[] {filterParts[i++], filterParts[i++], filterParts[i++]};

		foreach (var part in parts)
		{
			if (IsStringLiteral(part))
			{
				literal = part.Substring(1, part.Length - 2);
				continue;
			}

			if (IsBoolLiteral(part))
			{
				literal = bool.Parse(part);
				continue;
			}

			// No support for float/double/decimal/... yet
			if (IsNumericLiteral(part))
			{
				literal = int.Parse(part);
				continue;
			}

			var propOrOp = part.ToLowerInvariant();
			if (IsOperator(propOrOp))
			{
				@operator = propOrOp;
				continue;
			}

			property = propOrOp;
		}

		newFilter.Append(UseOperator(@operator, property, paramIndex++));
		paramList.Add(literal);

		// We only support "and" and "or". No ! or () allowed.
		if (i < filterParts.Length)
		{
			newFilter.Append(string.Equals(filterParts[i++], "and", StringComparison.OrdinalIgnoreCase) ? " && " : " || ");
		}
	}

	return new ParsedFilter(newFilter.ToString(), paramList);
}

private bool IsNumericLiteral(string literal)
{
	var rxNumeric = new Regex(@"^-?\d+(,\d+)*(\.\d+(e\d+)?)?$");
	return rxNumeric.IsMatch(literal);
}

private bool IsBoolLiteral(string literal)
{
	return string.Equals(literal, "true", StringComparison.OrdinalIgnoreCase) ||
		   string.Equals(literal, "false", StringComparison.OrdinalIgnoreCase);
}

private bool IsStringLiteral(string literal)
{
	return literal.StartsWith("\"", StringComparison.Ordinal) &&
		   literal.EndsWith("\"", StringComparison.Ordinal);
}

private bool IsOperator(string @operator)
{
	switch (@operator)
	{
		case "eq":
		case "ne":
		case "lt":
		case "le":
		case "gt":
		case "ge":
		case "sw":
		case "ew":
		case "co":
			return true;
	}

	return false;
}

private string UseOperator(string @operator, string property, int paramIndex)
{
	switch (@operator)
	{
		case "eq":
			return $"{property} = @{paramIndex}";
		case "ne":
			return $"{property} != @{paramIndex}";
		case "lt":
			return $"{property} < @{paramIndex}";
		case "le":
			return $"{property} <= @{paramIndex}";
		case "gt":
			return $"{property} > @{paramIndex}";
		case "ge":
			return $"{property} >= @{paramIndex}";
		case "sw":
			return $"{property}.StartsWith(@{paramIndex})";
		case "ew":
			return $"{property}.EndsWith(@{paramIndex})";
		case "co":
			return $"{property}.Contains(@{paramIndex})";
	}

	return "";
}

private struct ParsedFilter
{
	public ParsedFilter(string filter, IEnumerable<object> paramList)
	{
		Filter = filter;
		ParamList = paramList;
	}

	public string Filter { get; }
	public IEnumerable<object> ParamList { get; }
}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

public async Task<IEnumerable<User>> GetUsersAsync(string filter)

{

// Lets say the current user can only access data with odd ID's

var query = DbContext.Users.Where(x => x.Id % 2 == 1);

if (!string.IsNullOrEmpty(filter))

{

var parsed = ParseFilter(filter);

return (await query.ToListAsync()).Where(parsed.Filter, parsed.ParamList.ToArray());

}

return await query.ToListAsync();

}

private ParsedFilter ParseFilter(string filter)

{

var newFilter = new StringBuilder(filter.Length);

var paramList = new List<object>();

var filterParts = filter.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);

var i = 0;

var paramIndex = 0;

while (i < filterParts.Length)

{

string @operator = "", property = "";

object literal = null;

var parts = new[] {filterParts[i++], filterParts[i++], filterParts[i++]};

foreach (var part in parts)

{

if (IsStringLiteral(part))

{

literal = part.Substring(1, part.Length - 2);

continue;

}

if (IsBoolLiteral(part))

{

literal = bool.Parse(part);

continue;

}

// No support for float/double/decimal/... yet

if (IsNumericLiteral(part))

{

literal = int.Parse(part);

continue;

}

var propOrOp = part.ToLowerInvariant();

if (IsOperator(propOrOp))

{

@operator = propOrOp;

continue;

}

property = propOrOp;

}

newFilter.Append(UseOperator(@operator, property, paramIndex++));

paramList.Add(literal);

// We only support "and" and "or". No ! or () allowed.

if (i < filterParts.Length)

{

newFilter.Append(string.Equals(filterParts[i++], "and", StringComparison.OrdinalIgnoreCase) ? " && " : " || ");

}

return new ParsedFilter(newFilter.ToString(), paramList);

}

private bool IsNumericLiteral(string literal)

{

var rxNumeric = new Regex(@"^-?\d+(,\d+)*(\.\d+(e\d+)?)?$");

return rxNumeric.IsMatch(literal);

}

private bool IsBoolLiteral(string literal)

{

return string.Equals(literal, "true", StringComparison.OrdinalIgnoreCase) ||

string.Equals(literal, "false", StringComparison.OrdinalIgnoreCase);

}

private bool IsStringLiteral(string literal)

{

return literal.StartsWith("\"", StringComparison.Ordinal) &&

literal.EndsWith("\"", StringComparison.Ordinal);

}

private bool IsOperator(string @operator)

{

switch (@operator)

{

case "eq":

case "ne":

case "lt":

case "le":

case "gt":

case "ge":

case "sw":

case "ew":

case "co":

return true;

}

return false;

}

private string UseOperator(string @operator, string property, int paramIndex)

{

switch (@operator)

{

case "eq":

return $"{property} = @{paramIndex}";

case "ne":

return $"{property} != @{paramIndex}";

case "lt":

return $"{property} < @{paramIndex}";

case "le":

return $"{property} <= @{paramIndex}";

case "gt":

return $"{property} > @{paramIndex}";

case "ge":

return $"{property} >= @{paramIndex}";

case "sw":

return $"{property}.StartsWith(@{paramIndex})";

case "ew":

return $"{property}.EndsWith(@{paramIndex})";

case "co":

return $"{property}.Contains(@{paramIndex})";

}

return "";

}

private struct ParsedFilter

{

public ParsedFilter(string filter, IEnumerable<object> paramList)

{

Filter = filter;

ParamList = paramList;

}

public string Filter { get; }

public IEnumerable<object> ParamList { get; }

}

CSP: we’re not there, yet.

Reading Time: 3 minutes

CSP, or Content Security Policy, is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. In short, you can add this policy using either a <meta> tag or by setting additional headers in your HTTP response, and using the policy you’ll limit the origins for resources for that HTTP request. For example:

script-src ‘self’ allows loading scripts from the current domain
child-src https://youtube.com allows the use of <iframe> tags pointing towards YouTube
style-src ‘self’ https://maxcdn.bootstrapcdn.com allows loading CSS files from the current source and from a CDN.

If you want to read up on CSP, I suggest heading over to http://www.html5rocks.com/en/tutorials/security/content-security-policy/

Now, I was trying out some things concerning CSP and inline scripts. You could add ‘unsafe-inline’ to the script-src source list to allow all inline scripting (except eval and other bad stuff, you need ‘unsafe-eval’ in that case), but that is exactly what you would want to avoid. Instead, you can opt to do one of these things:

Move all inline JavaScript into .js files and load them using <script src=””></script> tags, while adding ‘self’ to script-src if that wasn’t already the case. The easiest solution, but not always possible.
Generate a nonce for each inline script. A nonce means: a unique and hard to predict stream of bytes, different for each script, each page and each request!
A nonce could be base64 encoded and look like RJ6bGjm5EO/X8pImZjvjeAexFVei9IvzNFCGw5lQUa0=
You would need to add that nonce to the script using the nonce attribute, and also to the script-src source list using ‘nonce-RJ6bGjm5EO/X8pImZjvjeAexFVei9IvzNFCGw5lQUa0=’
Calculate the SHA256, SHA384 or SHA512 digest of each inline script (including all whitespace, but excluding the opening and closing script tags). Like the nonce, you’d need to add these digests to the script-src source list using ‘sha256-0ZMofb7eMqkB9IFHnGVZ6Z4chjplAavgi09shinNehs=’ for example.

Continue reading “CSP: we’re not there, yet.”

Writing a custom TagHelper in ASP.NET 5

Reading Time: 6 minutes

ASP.NET 5 brings some new features to MVC. One of these features is TagHelpers, which allow us to add new attributes to HTML tags (or create custom tags altogether) to add behavior to these tags. At this moment – beta8 – we receive the following TagHelpers out of the box:

– AnchorTagHelper: allows you to write <a asp-controller=”Home” asp-action=”Index”>Back to home</a> instead of @Html.ActionLink(“Back to home”, “Index”, “Home”)
– LabelTagHelper, InputTagHelper, TextAreaTagHelper, SelectTagHelper, etc.: instead of writing Razor like @Html.LabelFor(m => m.Property1, new { @class = “control-label col-md-2”}), you can use a syntax which is much cleaner: <label asp-for=”Property1″ class=”control-label col-md-2″></label>
– EnvironmentTagHelper: adds a new tag, <environment>, giving you the possibility to include <link> or <script> tags specific for Development or Production environments.
– LinkTagHelper, ScriptTagHelper: adds attributes to <link> and <script> to allow the use of CDN’s and fallback urls.

This list is incomplete, but you can head over to GitHub to see every available TagHelper class currently available.

You can also create your own TagHelper classes. I’ll show you an example which enables you to do this:

<img asp-controller="Users" asp-action="ProfileImage" asp-route-id="@currentUserId" />

1	<img asp-controller="Users" asp-action="ProfileImage" asp-route-id="@currentUserId" />

That img tag would load a users profile image using the ProfileImage action method in a UsersController class: userful for retrieving a profile image from a blob container on Azure, for example.

Continue reading “Writing a custom TagHelper in ASP.NET 5”

Global Azure Bootcamp – Aftermath

Reading Time: 2 minutes

It’s been almost a month now since the last edition of Global Azure Bootcamp, and I wanted to share with you some of the details of my involvement in this years edition. This year, we had two labs in which you could participate: a racing and a science lab. And I helped out with some aspects behind the workings of the science lab: the Elasticsearch cluster and the dashboard website.

For this lab, all you had to do was to deploy a cloud service to Azure and scale it up to as many instances as you could spare. These instances would then crunch a lot of data concerning breast cancer research. After the results from your cloud instances were uploaded, they would eventually end up in the Elasticsearch cluster.

Continue reading “Global Azure Bootcamp – Aftermath”

A Cortana Smartwatch? Yes please!

Reading Time: 1 minutes

Smartwatches are hyping now for a while, and that hype got a big boost because of Apple announcing their Apple Watch. Which led to some people thinking: “I wouldn’t mind owning a smartwatch that is compatible with Windows Phone.”
Which got me thinking: how would I want such a watch to look like?

Now, I’m certainly not a Photoshop wizzkid, but I do have some mad Paint.Net skills (ahem).