
Monday, March 20, 2023

golang: sftp connecting to a remote server


package main

import (
	"fmt"
	"log"
	"time"

	"github.com/pkg/sftp"
	"golang.org/x/crypto/ssh"
)

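func main() {
	// main stays thin so the deferred Close calls in run actually execute:
	// log.Fatal calls os.Exit, which skips deferred functions.
	if err := run(); err != nil {
		log.Fatal(err)
	}
}

// run dials the SSH server, opens an SFTP session over the connection and
// logs the result of an Lstat on one remote path. Every failure is returned
// to the caller instead of being handled in place.
func run() error {
	// The server's public host key in authorized_keys / known_hosts key
	// format ("<type> <base64 blob>"). Obtain it from the server
	// administrator or the server's own ssh_host_*.pub file.
	// PLACEHOLDER: replace with the real key before use.
	const serverHostKey = "ssh-ed25519 AAAA<REPLACE-WITH-SERVER-HOST-KEY>"

	hostKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(serverHostKey))
	if err != nil {
		return fmt.Errorf("parsing pinned host key: %w", err)
	}

	// Demo credentials only. Password authentication is shown for brevity;
	// key-based auth (ssh.PublicKeys) is preferable in real deployments.
	// FixedHostKey makes the handshake fail when the server presents a key
	// other than the pinned one, which is the check InsecureIgnoreHostKey
	// would have skipped.
	config := &ssh.ClientConfig{
		User: "myusername",
		Auth: []ssh.AuthMethod{
			ssh.Password("mypassword"),
		},
		HostKeyCallback: ssh.FixedHostKey(hostKey),
		// Bounds the TCP connection establishment so an unreachable host
		// fails fast instead of hanging; zero would mean no timeout.
		Timeout: 10 * time.Second,
	}

	conn, err := ssh.Dial("tcp", "myhost:12345", config)
	if err != nil {
		return fmt.Errorf("dialing ssh: %w", err)
	}
	defer conn.Close()

	session, err := sftp.NewClient(conn)
	if err != nil {
		return fmt.Errorf("opening sftp session: %w", err)
	}
	defer session.Close()

	fileInfo, err := session.Lstat("my-remote-file")
	if err != nil {
		return fmt.Errorf("lstat my-remote-file: %w", err)
	}

	log.Println(fileInfo)
	return nil
}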



Sunday, March 19, 2023

golang: compute PBKDF2 of a password


 package main

import (
  "bytes"
  "crypto/rand"
  "crypto/sha256"
  "encoding/hex"
  "fmt"
  "golang.org/x/crypto/pbkdf2"
  "golang.org/x/term"
  "log"
  "strings"
  "syscall"
)

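func main() {
	// Work factor and sizes for PBKDF2-HMAC-SHA256. OWASP's password-storage
	// guidance (2023) recommends 600,000 iterations for this construction;
	// the earlier value of 10,240 was well below that. Raising it slows both
	// legitimate derivation and offline guessing by the same factor.
	const (
		iterations = 600000
		saltLen    = 32
		keyLen     = 32
	)

	fmt.Print("Input password: ")
	password, err := term.ReadPassword(int(syscall.Stdin))
	if err != nil {
		log.Fatal(err)
	}
	if len(password) == 0 {
		log.Fatal("Error: empty password")
	}

	fmt.Print("\nConfirm password: ")
	confirmPw, err := term.ReadPassword(int(syscall.Stdin))
	if err != nil {
		log.Fatal(err)
	}
	// The original compared against an undefined name (ConfirmPw).
	if !bytes.Equal(password, confirmPw) {
		log.Fatal("Error: inputs mismatch")
	}

	// A fresh random salt for every password, from crypto/rand.
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		log.Fatal(err)
	}

	pwPbkdf2 := pbkdf2.Key(password, salt, iterations, keyLen, sha256.New)

	// Both values are needed to verify the password later; print them as
	// upper-case hex (the original lines were missing a closing parenthesis).
	fmt.Println("\nSalt: ", strings.ToUpper(hex.EncodeToString(salt)))
	fmt.Println("PBKDF2: ", strings.ToUpper(hex.EncodeToString(pwPbkdf2)))
}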




Saturday, March 18, 2023

golang: example of query and update with MySQL DB


package main
 
import (
	"database/sql"
	"log"
	"time"

	_ "github.com/go-sql-driver/mysql"
)
 
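// dbConn opens a connection pool to the demo MySQL database and verifies it
// can actually reach the server. Any failure terminates the program.
//
// The DSN embeds credentials for demo purposes only; real code should load
// them from configuration or the environment rather than the source.
func dbConn() *sql.DB {
	db, err := sql.Open("mysql",
		"myusername:mypassword@tcp(127.0.0.1:3306)/MYDB")
	if err != nil {
		log.Fatal(err)
	}

	// sql.Open only validates the DSN; a wrong host or bad credentials
	// surface on the first round trip, so make that round trip here.
	if err := db.Ping(); err != nil {
		log.Fatal(err)
	}

	// Recycle pooled connections before the server's idle timeout closes
	// them from its side (recommended by the go-sql-driver/mysql README).
	db.SetConnMaxLifetime(3 * time.Minute)

	return db
}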
 
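// DoQuery returns the ids of every row in mytable whose name is "Puppy".
// It returns nil when there is no match; any database error terminates
// the program.
func DoQuery() (ids []int) {
	db := dbConn()
	defer db.Close()

	rows, err := db.Query("select id from mytable where name=?", "Puppy")
	if err != nil {
		log.Fatal(err)
	}
	// Release the connection back to the pool even if we exit early.
	defer rows.Close()

	for rows.Next() {
		var id int
		// The original discarded Scan's error, silently appending 0 on a
		// conversion failure.
		if err := rows.Scan(&id); err != nil {
			log.Fatal(err)
		}
		ids = append(ids, id)
	}
	// Next returns false both at end-of-rows and on a mid-iteration error;
	// only Err distinguishes the two.
	if err := rows.Err(); err != nil {
		log.Fatal(err)
	}

	return ids
}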

// DoUpdate renames the row with the given id to "Kitty" and logs the number
// of rows the statement affected. Any database error terminates the program.
func DoUpdate(id int) {
	db := dbConn()
	defer db.Close()

	result, err := db.Exec("update mytable set name=? where id=?", "Kitty", id)
	if err != nil {
		log.Fatal(err)
	}

	affected, err := result.RowsAffected()
	if err != nil {
		log.Fatal(err)
	}
	log.Println(affected)
}

// main looks up every "Puppy" row and renames each one to "Kitty".
func main() {
	for _, id := range DoQuery() {
		DoUpdate(id)
	}
}
 


Tuesday, June 29, 2021

Java ldd


For a C++ library, we can use the ldd command to list its dependencies. There is no such official tool for Java. However, if the source code is available, we can build the JAR using javac with verbose mode turned on; the location of every dependent JAR is then listed during the build.

Wednesday, May 5, 2021

Spring Boot: escape HTML and non-ASCII characters in Json response


Create an ObjectMapper object and let Spring Boot use our ObjectMapper object with the @Bean and @Primary annotations.

In our configuration bean:

@Configuration
public class MyConfiguration {

  /**
   * Builds the Jackson {@link ObjectMapper} the application should use.
   * {@code @Primary} makes Spring Boot prefer it over its auto-configured
   * mapper. Two escaping rules are switched on: every character outside
   * 7-bit ASCII is written as a {@code \\uXXXX} escape, and the
   * HTML-significant characters {@code < > & '} are escaped as well, so a
   * JSON payload that ends up inside a page cannot break out of its context.
   *
   * @return the configured mapper, registered as a Spring bean
   */
  @Bean
  @Primary
  public ObjectMapper objectMapper() {
    ObjectMapper mapper = new ObjectMapper();

    mapper.enable(JsonGenerator.Feature.ESCAPE_NON_ASCII);
    mapper.getFactory().setCharacterEscapes(new HtmlCharsToEscape());

    return mapper;
  }

  /**
   * Jackson escape table: the standard JSON escapes (double-quote, backslash,
   * control characters) plus the four HTML-significant ASCII characters.
   */
  private static final class HtmlCharsToEscape extends CharacterEscapes {
    private static final char[] HTML_SPECIALS = {'<', '>', '&', '\''};

    private final int[] asciiEscapes;

    HtmlCharsToEscape() {
      // standardAsciiEscapesForJSON() returns a copy of the default table,
      // so it is safe to modify in place.
      int[] table = CharacterEscapes.standardAsciiEscapesForJSON();
      for (char c : HTML_SPECIALS) {
        table[c] = CharacterEscapes.ESCAPE_STANDARD;
      }
      asciiEscapes = table;
    }

    @Override
    public int[] getEscapeCodesForAscii() {
      return asciiEscapes;
    }

    @Override
    public SerializableString getEscapeSequence(int ch) {
      // Everything is handled by ESCAPE_STANDARD; no custom sequences.
      return null;
    }
  }
}



Thursday, April 22, 2021

HTML dialog Tag


dialog.html:

<!-- Top-level page: the button opens a modal <dialog> whose only content is
     the framed dialogbox.html document. -->
<html>

<body>

<button onclick="openDialog()">Open Dialog</button>

<dialog id="myDialog"><iframe src="dialogbox.html"></iframe></dialog>

<script>

// showModal() opens the dialog as a modal; closing it is delegated to the
// framed document, which reaches back up to this element by id.
function openDialog() {

  document.getElementById("myDialog").showModal();

}

</script>

</body>

</html>


dialogbox.html:

<!-- Framed content. The button closes the parent's <dialog> through
     parent.document; browsers permit that access only when the frame and
     the parent page are same-origin (otherwise it throws a SecurityError). -->
<html>

<body>

<button onclick="parent.document.getElementById('myDialog').close()">

Click to close

</button>

</body>

</html>

 

Tuesday, February 23, 2021

ASP.NET/C#: OleDb example, reading from DB


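/// <summary>
/// Reads the first (f1, f2) row of table1 for id 10 over OleDb, showing how
/// a positional parameter is bound. Exceptions are reported on the console.
/// </summary>
public void example()
{
    string sql = string.Concat("SELECT f1, f2 FROM table1",
                               " WHERE id=?");

    // Command and connection are both disposable; the original only
    // disposed the connection.
    using (OleDbConnection connection = new OleDbConnection(AppSettings.getConnectionString()))
    using (OleDbCommand command = new OleDbCommand(sql, connection))
    {
        // OleDb binds parameters by position, so the "@id" name is only a
        // label: the value goes to the first '?' in the statement.
        command.Parameters.AddWithValue("@id", 10);

        try
        {
            connection.Open();

            // The reader holds the connection's result set until disposed.
            using (OleDbDataReader reader = command.ExecuteReader())
            {
                // Only the first row is of interest (the original loop
                // broke after one iteration). GetString throws on DBNull.
                if (reader.Read())
                {
                    string str1 = reader.GetString(0);
                    string str2 = reader.GetString(1);
                }
            }
        }
        catch (Exception ex)
        {
            // Demo-only handling: the error is reported, not rethrown.
            Console.WriteLine(ex.Message);
        }
        // The connection is automatically closed when the
        // code exits the using block.
    }
}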

ASP.NET/C#: Link a config file to web.config for an extra app-Settings section


Multiple appSettings sections are not allowed in web.config. However, we can add config sections by using <configSections>.

In web.config, add <configSections> at the very beginning of <configuration> element.

<configuration>
    <configSections>
        <section name="appSettingsExtra" type="System.Configuration.NameValueFileSectionHandler, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
    </configSections>
    <appSettingsExtra configSource="webextra.config">
    </appSettingsExtra>
    ....
</configuration>


Create a new file webextra.config with the following content:

<appSettingsExtra>
     <add key="TheKey" value="TheValue"/>
</appSettingsExtra>


In the code, to read the parameter from webextra.config:

// GetSection returns null when the named section is absent, so the cast
// yields null and the indexer on the next line would throw; guard for that
// in real code.
System.Collections.Specialized.NameValueCollection extraSettings = (System.Collections.Specialized.NameValueCollection)ConfigurationManager.GetSection("appSettingsExtra");
string value = extraSettings["TheKey"];



Tuesday, February 9, 2021

IIS Logs


To find out the IIS logs location of a site:

1. Open IIS Manager;

2. Click the Web Site;

3. Find the Logging icon and double click it;

4. Find the location of the logs in the Directory text box.

 

If you are using Visual Studio's IIS Express, its logs are located at %userprofile%\Documents\IISExpress\Logs


In C#, to add information to the IIS logs, use:

    Response.AppendToLog("your debug info");

or

    System.Web.HttpContext.Current.Response.AppendToLog("your debug info");

 


Monday, January 18, 2021

Spring application unit tests context refreshing


If Mockito is used to mock a Spring singleton bean in one test class, it may impact the second test class so that test cases in the 2nd test class could fail.

All test cases pass if the two test classes are run independently, but when they are run together, the test cases in the 2nd test class fail.

In that case, @DirtiesContext annotation can be used on the 1st test class. It indicates that the ApplicationContext associated with a test is dirty. After the test, the ApplicationContext would be closed and removed from the context cache. The test cases from the 2nd test class can be run independently from the 1st test class.


Friday, May 8, 2020

Mockito error: You cannot use argument matchers outside of verification or stubbing


There may be many reasons that can cause this error. In this case, the error was misleadingly reported when I wrote:

when(myObject.myMethod(any(), any())).thenReturn("something");

It turned out that the first parameter of myObject.myMethod(int, String) expects an int, so the correction is:

when(myObject.myMethod(anyInt(), any())).thenReturn("something");



Wednesday, January 29, 2020

Powershell Script: Write to a file


1. Append a string to the end of a file

Add-Content -Path .\theFile -Value "the string to be appended"


2. Append file_a to the end of file_b

Get-Content -Path .\file_a | Add-Content -Path .\file_b


3. Create a new file with a string as its content

"the string to be put into the file" | Out-File -FilePath .\theFile


Tuesday, January 28, 2020

Powershell Script: Read input with default value


# Prompt for a value, showing the default in brackets; an empty answer
# (just pressing Enter) falls back to the default.
$defaultVal = 'No'

$inputVal = Read-Host -Prompt "Input something? [$defaultVal]"

# Read-Host returns an empty string when nothing was typed.
if ($inputVal -eq '')
{
  $inputVal = $defaultVal
}


Tuesday, December 31, 2019

C# programming: Debug and trace


To generate a trace, use

System.Diagnostics.Trace.WriteLine("some trace");

This code only produces output when the TRACE symbol is defined at compile time. Add the compiler option in web.config:

<compilation defaultLanguage="c#" debug="true" targetFramework="4.5">
  <compilers>
    <compiler language="c#" ... compilerOptions="/d:DEBUG;TRACE" />
  </compilers>
</compilation>

During the development, the trace can be found in the Visual Studio's console. If the application is deployed, the trace can be seen with the tool Debugview, which can be downloaded from:

https://docs.microsoft.com/en-us/sysinternals/downloads/debugview


Monday, December 30, 2019

OWASP Top Ten 2017 Examples and Fixes | C# Programming


1. Injection

The problem: SQL Injection

// Vulnerable (for illustration): idString is concatenated straight into the
// statement text, so its content is interpreted as SQL.
string sql = @"SELECT *  FROM Memos WHERE Id = " + idString;
using (OleDbConnection cnn = new OleDbConnection(connectionString))
{
  cnn.Open();
  OleDbCommand cmd = new OleDbCommand(sql, cnn);
  OleDbDataReader reader = cmd.ExecuteReader();

  while (read.Read())
  {
    ...
  }
}

If idString comes from the user input, it can be manipulated to create unexpected SQL commands.

The fix is to use prepared statement:

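// Parameterised form: idString is bound as a value and never becomes part
// of the statement text.
string sql = @"SELECT *  FROM Memos WHERE Id = ?";
using (OleDbConnection cnn = new OleDbConnection(connectionString))
using (OleDbCommand cmd = new OleDbCommand(sql, cnn))
{
  cnn.Open();

  // OleDb binds by position; "@Id" is only a label for the first '?'.
  cmd.Parameters.AddWithValue("@Id", idString);

  // The original referenced an undefined `read` here; the reader is also
  // disposed now so the result set is released.
  using (OleDbDataReader reader = cmd.ExecuteReader())
  {
    while (reader.Read())
    {
      ...
    }
  }
}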



2. Broken Authentication

The problem: Session is kept after logout

// Vulnerable (for illustration): the user is only redirected; the server-side
// session is never abandoned, so its id stays valid after "logout".
public ActionResult LogOut()
{
  return RedirectToAction("LogOn");
}

The fix is to remove the user session from DB and server side:

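// Ends the user's session on both the database and the web server before
// sending the browser to the sign-in page.
public ActionResult LogOut()
{
  // Session["UserName"] is null when nobody is signed in; the original
  // called .ToString() on it unconditionally and would throw.
  string userName = Session["UserName"]?.ToString();
  if (!string.IsNullOrEmpty(userName))
  {
    db.RemoveUserSession(userName);
  }
  // Abandon() discards the server-side session state. If the application
  // also issues an authentication cookie or ticket, invalidate that as well.
  Session.Abandon();
  return RedirectToAction("LogOn");
}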


3. Sensitive Data Exposure

The problem: Store password in plain text

// Vulnerable (for illustration): the plaintext password is placed on the user
// record exactly as received.
var user = new User()
{
  Email = email,
  Login = login,
  Password = password,
  Name = name,
  Role = role
};

The fix is to store a password hash instead of the password, so that the plaintext cannot be recovered if the stored data is exposed:

// Only a one-way hash of the password is kept. Argon2.Hash is presumably a
// third-party helper (the .NET BCL has no Argon2); a memory-hard hash with a
// per-user salt is what makes offline guessing expensive.
var user = new User()
{
  Email = email,
  Login = login,
  Password = Argon2.Hash(password),
  Name = name,
  Role = role
};


4. XML External Entities (XXE)

// Vulnerable (for illustration): DTD parsing is on and a URL resolver is
// attached, so entities declared in the document are resolved and expanded,
// including ones that point at external resources.
var resolver = new XmlUrlResolver();

var settings = new XmlReaderSettings
{
  DtdProcessing = DtdProcessing.Parse,
  XmlResolver = resolver
};

XmlReader reader = XmlReader.Create("items.xml", settings);

The fix:

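// With DTD processing prohibited and no resolver, the reader rejects any
// DTD outright and has no way to fetch external resources. The resolver
// object the original still constructed was unused and has been dropped.
var settings = new XmlReaderSettings
{
  DtdProcessing = DtdProcessing.Prohibit,
  XmlResolver = null
};

XmlReader reader = XmlReader.Create("items.xml", settings);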


5. Broken Access Control

The problem: Unvalidated Redirects and Forwards

// Vulnerable (for illustration): any non-empty returnUrl is followed, so a
// crafted absolute URL sends the user to another site (open redirect).
// Note the parameter is spelled retureUrl while the body reads returnUrl.
private ActionResult RedirectToLocal(string retureUrl)
{
  if (!string.IsNullOrEmpty(returnUrl))
  {
    return Redirect(returnUrl);
  }
  return RedirectToAction("Index");
}

The fix is to validate the URL first before redirect:

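// Redirects only to URLs local to this application; anything else
// (absolute URLs, protocol-relative "//host" forms, null or empty input)
// falls back to Index. Url.IsLocalUrl already handles null/empty, so no
// separate guard is needed.
// The original declared the parameter as `retureUrl` but used `returnUrl`.
private ActionResult RedirectToLocal(string returnUrl)
{
  if (Url.IsLocalUrl(returnUrl))
  {
    return Redirect(returnUrl);
  }
  return RedirectToAction("Index");
}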


6. Security Misconfiguration

The problem: Information Exposure of Error Details

Logger.LogError(ex.Message + ex.StackTrace);

The fix is to avoid logging stack trace unless it is in debugging:

if (Debugger.IsAttached)
  Logger.LogDebug(ex.Message + ex.StackTrace);

Logger.LogError(ex.Message);


7. Cross Site Scripting (XSS)

userModel.Information = reader["Information"].ToString();

The fix:

// Encodes the value once, at the point it is read from the database.
// NOTE(review): output encoding is usually applied when the value is
// rendered, so the stored/model value stays raw and the view engine does not
// encode it a second time — confirm how the view emits Information.
string information = reader["Information"].ToString();
string encodedInfo = AntiXssEncoder.HtmlEncode(information, false);
userModel.Information = encodedInfo.ToString();


8. Insecure Deserialization

// Vulnerable (for illustration): the file is deserialized as-is, so whoever
// can write it decides what gets instantiated, subject only to what
// `settings` allows.
using (var filestream = File.Open(filename, FileMode.Open))
{
  return DeserializeObject<T>(filestream, settings);
}

The fix is to use encryption/decryption during serialization/deserialization:

// Decrypts the file on the fly before deserializing it.
// NOTE(review): decryption in the default CBC mode does not authenticate the
// ciphertext, so a modified file is not detected as such; an authenticated
// mode (e.g. AES-GCM) or an HMAC check is still needed, and `settings`
// should restrict which types may be deserialized.
using (var filestream = File.Open(filename, FileMode.Open))
{
  using (var cs = new CryptoStream(filestream,
                        CreateRijndael(password).CreateDecryptor(),
                        CryptoStreamMode.Read))
  {
    return DeserializeObject<T>(cs, settings);
  }
}

// Derives a 256-bit key and a 128-bit IV from the password with PBKDF2
// (Rfc2898DeriveBytes), using the application-wide Pepper (defined elsewhere)
// as the salt.
// NOTE(review): GetBytes() continues one derived stream, so for a given
// password the key and IV are always the same and every file encrypted with
// that password shares an IV; a random per-file salt or IV avoids this.
// Rijndael is marked obsolete from .NET 6 onward in favour of Aes.
private static Rijndael CreateRijndael(string password)
{
  var rijndael = Rijndael.Create();
  var pdb = new Rfc2898DeriveBytes(password, Pepper, 1000000);
  rijndael.Key = pdb.GetBytes(32);
  rijndael.IV = pdb.GetBytes(16);
  return rijndael;
}


9. Using Components with Known Vulnerabilities

Linking a file from an untrusted website:

<link href="http://a.company.com/some.styles.css" rel="stylesheet" />

The fix:

 <link href="https://a.trustworthy.website.com/some.styles.css"
       rel="stylesheet" 
       integrity="sha256-......." 
       crossorigin="anonymous" />









10. Insufficient Logging and Monitoring

Console.WriteLine(ex.Message);

The fix:

Logger.LogError(ex.Message);



Monday, September 23, 2019

PHP: list all files and sub-directories under the current directory


Create a file index.php:

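<?php
// Lists every entry of the current directory as a link, hiding the directory
// pseudo-entries and this script itself.
$allItems = scandir(".");
if ($allItems === false) {
    // scandir() returns false when the directory cannot be read; the
    // original would then have passed false to array_diff().
    exit("Unable to read the current directory.");
}
$toHide = array('.', '..', 'index.php');
$toShow = array_diff($allItems, $toHide);

foreach ($toShow as $oneItem) {
    // File names are untrusted as far as HTML is concerned: a name holding
    // quotes, '<' or '&' would otherwise break out of the attribute or inject
    // markup. Percent-encode the href and HTML-escape the visible text.
    $href = rawurlencode($oneItem);
    $text = htmlspecialchars($oneItem, ENT_QUOTES, 'UTF-8');
    echo "<a href='$href'>$text</a><br>";
}
?>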


Tuesday, September 3, 2019

Java programming: use Matcher to replace patterns with captured groups (code example)


// Rewrites every "=digits-letters=" token as "# letters + digits #" using the
// two capture groups ($1 = digits, $2 = letters).
String str = "=123-abc=   =7890-ABCD=";
Pattern pattern = Pattern.compile("=([0-9]*)-([A-Za-z]*)=");
Matcher matcher = pattern.matcher(str);
// replaceAll() resets the matcher and rescans the whole input, so the find()
// guard only skips the call when there is nothing to replace.
if (matcher.find())
{
    str = matcher.replaceAll("# $2 + $1 #");
}

System.out.println(str);


The output will be:
# abc + 123 #   # ABCD + 7890 #

Friday, August 30, 2019

Python: redirect output to a file


To redirect the standard output to a file by the source code, add this in the beginning of the Python script:

# Everything later written to stdout (print() etc.) is appended to the file.
# The file is opened with default block buffering, so output may not reach
# disk until it is flushed or the interpreter exits cleanly; stderr is not
# redirected, and the handle is never closed here.
import sys
sys.stdout = open('/path/to/outputfile', 'a')

Friday, July 12, 2019

Perl: Convert hex string to the character


# hex() parses the hexadecimal string as a number (0x41 == 65) and chr()
# yields the character with that code point, here "A".
my $hx = "41";
my $ch = chr(hex($hx));
print $ch;


The output will be:
A

Friday, June 21, 2019

C++: convert an integer to a hex string


#include <iostream>
#include <sstream>
#include <iomanip>

// Formats a long as "0x" followed by eight upper-case hex digits, zero-padded
// on the left (127 -> 0x0000007F).
long i = 127;

std::ostringstream oss;


// Order matters: setw() applies only to the next insertion, so it must sit
// immediately before `i`. Note that under std::hex a negative value prints
// its unsigned two's-complement representation rather than a leading '-'.
oss << "0x" << std::hex << std::uppercase << std::setfill('0') << std::setw(8) << i;


std::string result = oss.str();


 