Forem: Brhane

Ain't bad to say hi, after sometime.

Brhane — Mon, 18 Nov 2024 14:45:18 +0000

Just decided to be back and say hi. I am gonna drop some learning experience on security. It ain't hurt,right 👍 . If you can, just give me a follow, I would highly appreciate it.

appsec #Security #Vulnerability #OpenSource

Docker vs Kubernetes

Brhane — Fri, 24 Feb 2023 14:05:42 +0000

Docker and Kubernetes are both popular containerization technologies used for managing and deploying applications, but they serve different purposes.

Docker is a containerization platform that allows developers to package an application and its dependencies into a container, making it easier to deploy and run the application on any environment. Docker containers can run on any operating system, and they are lightweight and fast to deploy. Docker uses a client-server architecture and consists of a Docker daemon, a Docker CLI, and a Docker registry. The Docker daemon is responsible for building and running containers, while the Docker CLI allows users to interact with the daemon. The Docker registry is a centralized location where Docker images can be stored and shared.

Kubernetes, on the other hand, is a container orchestration platform that automates the deployment, scaling, and management of containerized applications. Kubernetes allows users to deploy and manage containers across a cluster of nodes, ensuring that applications are always available and scalable. Kubernetes uses a declarative API to manage resources, which allows users to define their desired state and let Kubernetes handle the rest. Kubernetes also includes features such as service discovery, load balancing, and rolling updates, which makes it easier to manage and deploy applications at scale.

To understand the difference between Docker and Kubernetes, consider the following example:

Suppose you have a web application that consists of multiple microservices, each running in its own Docker container. You want to deploy this application on a cluster of servers, and you want to ensure that the application is always available and scalable.

Using Docker, you can package each microservice into a Docker container, and then use Docker Compose to define and manage the application stack. Docker Compose allows you to specify how the containers should be linked and configured, and it can deploy the entire application stack on a single server. However, if you want to deploy the application on multiple servers and ensure that it is always available, you need to use a tool like Kubernetes.

With Kubernetes, you can create a deployment object that defines the desired state of the application. The deployment object specifies the number of replicas of each microservice, the resource requirements, and other configuration details. Kubernetes then schedules the containers across the cluster of nodes, and monitors their health to ensure that they are always available. If a container fails or becomes unresponsive, Kubernetes automatically replaces it with a new one, ensuring that the application remains available.

In summary, Docker is a containerization platform that makes it easier to package and deploy applications, while Kubernetes is a container orchestration platform that automates the deployment, scaling, and management of containerized applications. Docker is a lower-level technology that is used to create containers, while Kubernetes is a higher-level technology that is used to manage and deploy containers at scale.

Let me demonstrate using a simple code:

Let's say we have a simple Node.js application that consists of a web server that serves a "Hello, World!" message on port 3000. We want to package this application into a Docker container and deploy it on a Kubernetes cluster.

First, let's create a Dockerfile that specifies the Docker image we want to build:


# Dockerfile

FROM node:14-alpine
WORKDIR /app
COPY package*.json ./
RUN npm install
COPY . .
EXPOSE 3000
CMD [ "npm", "start" ]

This Dockerfile uses a Node.js base image and sets up the working directory, installs dependencies, copies the application files, exposes port 3000, and runs the npm start command to start the web server.

To build the Docker image, we can run the following command:

docker build -t my-app:1.0 .

This command builds the Docker image and tags it with the name my-app and version 1.0.

Kubernetes

Now, let's deploy the Docker container on a Kubernetes cluster. First, we need to create a Kubernetes deployment object that specifies the desired state of the application:

# deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 3
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - name: my-app
        image: my-app:1.0
        ports:
        - containerPort: 3000

This YAML file specifies a deployment object named my-app that creates three replicas of the application, and it uses the Docker image my-app:1.0. The YAML file also specifies that the application listens on port 3000.

To deploy the application on the Kubernetes cluster, we can run the following command:

kubectl apply -f deployment.yaml

This command creates the deployment object and schedules the containers across the cluster of nodes.

With Kubernetes, we can also use a service object to expose the application to the outside world:

# service.yaml

apiVersion: v1
kind: Service
metadata:
  name: my-app
spec:
  selector:
    app: my-app
  ports:
  - name: http
    protocol: TCP
    port: 80
    targetPort: 3000
  type: LoadBalancer

This YAML file specifies a service object named my-app that exposes the application on port 80, and it uses a load balancer to distribute traffic across the replicas.

To create the service object, we can run the following command:

kubectl apply -f service.yaml

This command creates the service object and exposes the application to the outside world.

In summary, Docker allows us to package the application into a container, and Kubernetes allows us to deploy and manage the container at scale. With Docker, we can build the container image and run it locally, and with Kubernetes, we can deploy the container on a cluster of nodes and ensure that it is always available and scalable.

PHP security highlights

Brhane — Fri, 10 Feb 2023 09:48:24 +0000

SQL Injection

Use prepared statements and parameterized queries.

These are SQL statements that are sent to and parsed by the database server separately from any parameters. This way it is impossible for an attacker to inject malicious SQL.

Basically there are two options to achieve this:

Using PDO(PHP Data Object):


$stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');

$stmt->execute([ 'name' => $name ]);

foreach ($stmt as $row) {
    // Do something with $row
}

Using MySQLi(improved MySQL):

$stmt = $dbconnection->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->bind_param('s', $name);//'s' specifies the variable type => 'string'
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
  // do sth with the rows
 }

If the connection to db is different from MySQL, there is a driver-specific second option that you can refer to( for example, pg_execute and pg_prepare() for postgres). PDO is universal.

Can prepared statements be used for dynamic queries?

While you can still use prepared statements for the query parameters, the structure of the dynamic query itself cannot be parametrized and certain query features cannot be parametrized.

For these specific scenarios, the best thing to do is use a whitelist filter that restricts the possible values.

// Value whitelist
// $dir can only be 'DESC', otherwise it will be 'ASC'
if (empty($dir) || $dir !== 'DESC') {
   $dir = 'ASC';
}

Directory Traversal & Code Injection

Directory traversal (path traversal)

Refers to an attack that affects the file system. In this type of attack, an authenticated or unauthenticated user can request and view or execute files that they should not be able to access.

Insecure code sample

In the following example, the script passes an unvalidated/unsanitized HTTP request value directly to the include() PHP function. This means that the script will try to include whatever path/filename is passed as a parameter:

$file = $_GET['file'];
include($file);

For example, if you pass /etc/passwd as the argument, this file is readable for all users. Therefore, the script returns the content of the file with information about all system users:

Secure code sample

This vulnerability may be mitigated in different ways, depending on the specific case. However, the most common and generic way to do it is by using the basename() and realpath() functions.

The basename() function returns only the filename part of a given
path/filename: basename(“../../../etc/passwd”) = passwd.

The realpath() function returns the canonicalized absolute pathname but only if the file exists and if the running script has executable permissions on all directories in the hierarchy: realpath(“../../../etc/passwd”) = /etc/passwd.

$file = basename(realpath($_GET['file']));
include($file);

Now, if we request the same file as above, we get an empty response.

Code Injection/Execution In the case of PHP code injection attacks, an attacker takes advantage of a script that contains system functions/calls to read or execute malicious code on a remote server. This is synonymous to having a backdoor shell and under certain circumstances can also enable privilege escalation.

Insecure code sample

In this example, a script uses the exec() function to execute the ping command. However, the host is dynamic (passed via an HTTP GET request):

exec("ping -c 4 " . $_GET['host'], $output);
echo "&ltpre>";
print_r($output);
echo "&lt/pre>";

Passing https://example.com/file.php?host=www.google.com// returns the output of the ping google.com command.

This snippet has a code injection vulnerability. It allows an attacker to pass multiple commands to the function using a semicolon. In Linux, this delimiter is used to execute multiple commands inline. https://example.com/file.php?host=www.google.com;whoami//

Secure code sample

There are two functions that you can use in PHP applications and that can help harden command line calls such as exec(), shell_exec(), passthru(), and system(): escapeshellcmd() and escapeshellarg(). The escapeshellcmd()function escapes any characters in a string that might be used to execute arbitrary commands. The following characters are escaped by including a backslash before them: |*?~<>^()[]{}$\, \x0A, and \xFF. Single and double quotes are escaped only if they are not paired. For example,escapeshellcmd(“ping -c 4 www.google.com;ls -lah”) = ping -c 4 www.google.com\;ls -lah.`

The escapeshellarg() function adds single quotes around a string and escapes any existing single quotes. As a result, the entire string is being passed as a single argument to a shell command.

Note: The escapeshellcmd() and escapeshellarg() functions might behave unpredictably with different operating systems, especially on Windows.

`
//#1 Restrict multiple commands//
exec(escapeshellcmd("ping -c 4 " . $_GET['host']), $output);

// #2 Restrict multiple commands and multiple arguments//

exec(escapeshellcmd("ping -c 4 " . escapeshellarg($_GET['host'])), $output);
`
Note: Version one guarantees that the user cannot run multiple commands. However, the user can still use multiple arguments of the same command. In version two, the user cannot pass multiple commands or arguments.

To avoid security issues, we recommend that you disable exec(), shell_exec(), passthru(), and system() functions in PHP configuration unless it is absolutely necessary to use them. You can also create a whitelist of accepted commands/arguments.

PHP8.2: the modern PHP

Brhane — Thu, 08 Dec 2022 22:15:26 +0000

PHP8.2 adds a lot of new features and improvements such as readonly classes, stand-alone types(null, true, false), Disjunctive Normal Form(DNF) types, new random extension, new classes, interfaces, and functions, and also deprecations some functions and classes.

Readonly Classes

PHP 8.1 added support for readonly properties. A readonly property can only be set once, and PHP actively prevents the value from being modified even from within the scope of the class.

PHP 8.2 takes readonly properties a step further with readonly classes. When a class is declared as readonly, all of its properties are automatically declared readonly. Further, it prevents dynamic properties on readonly classes, and ensures that all properties are typed.

Prevents dynamic properties on Readonly classes

readonly class Blog {
    public string $title;
}

$blog = new Blog();
$blog->subtitle = 'Hello';

The above will result in:
Error: Cannot create dynamic property Blog::$blog...

Ensures all properties are typed

readonly class Blog {
    public $title;
}

Fatal error: Readonly property Blog::$title must have type...

Example

readonly class ExampleBlog {
    public string $myTitle;
}

N.B: Abstract classes and final classes can also be readonly.

Disjunctive Normal From(DNF) Types

DNF types allow us to combine union and intersection types, following a strict rule:

when combining union and intersection types, intersection types must be grouped with brackets.

Previously, in PHP < 8.2:

class Blog {
    public function checkEntity(mixed $entity) {
        if ((($entity instanceof BlogA) && ($entity instanceof BlogB)) || ($entity === null)) {
            return $entity;
        }

        throw new Exception('Invalid entity');
    }
}

The above snippet in PHP8.2 with the introduction of DNF becomes:

class Blog {
    public function checkEntity((BlogA&BlogB)|null $entity) {
        return $entity;
    }
}

How beautiful is this( specially if you are lazy like me :))

Stand-alone types( null, false, and true)

PHP 8.0 added support for Union Types, which made it possible to declare a type as a union of two or more types. If you are familiar with Typescript, this is the same concept. It allowed false and null as possible types for a Union Type, but disallowed their use as standalone types.

Typescript exampel:

function printId(id: number | string) {
  console.log("Your ID is: " + id);
}

PHP8.0 union types example:

class Example {
    private int|float $foo;
    public function squareAndAdd(float|int $bar): int|float {
        return $bar ** 2 + $foo;
    }
}

And now in PHP8.2, we can return either null, true, or false as in:

public function isAuthenticated(): true { return true; }
The above function is a function that returns true.
we can also use, null and false as return type.

Constants in Traits

Traits helps us to overcome the multiple inheritance, and now with PHP8.2, it is possible to define constants in traits.

trait NodeFunctions
{
    public const CONSTANT = 1;
}

class BlogType
{
    use NodeFunctions;
}

var_dump(NodeFunctions::CONSTANT); // Error
var_dump(BlogType::CONSTANT); // 1

We can't access the constant through the name of the trait, but it is possible to it via the class that uses the trait.

Some of the new functions and attributes introduced are:

New mysqli_execute_query function and mysqli::execute_query method.
New #[\AllowDynamicProperties] and #[\SensitiveParameter] attributes.

This is just a tip of an iceberg, more can be found at the official PHP8.2 release notes.

Thanks so for reading this far, and you are welcome to put your comments down and I would really appreciate if you give me a follow.

Controlled vs uncontrolled inputs

Brhane — Sat, 26 Nov 2022 20:46:08 +0000

I know there are a lot of articles regarding react forms. But, it doesn't hurt if I say something again in a very short explanation about react form input types.
We all know that there two kinds of form inputs in react namely: controlled and uncontrolled inputs.

Controlled inputs

Controlled inputs accept their current value as a prop and a callback to change that value. That implies that the value of the input has to live in the React state somewhere. Typically, the component that renders the input (like a form component) saves that in its state:

const Form = () => { 
 const [value, setValue] = useState(""); 

 const handleChange = (e) => { 
   setValue(e.target.value) 
 } 

 return ( 
   <form> 
     <input 
       value={value} 
       onChange={handleChange} 
       type="text" 
     /> 
   </form> 
 ); 
};

Every time you type a new character, the handleChange function is executed. It receives the new value of the input, and then it sets it in the state. So, the Form component always has the input's current value without needing to ask for it explicitly.

As a result, your data (React state) and UI (input tags) are always in sync. Another implication is that forms can respond to input changes immediately, for example, by:

Instant validation per field
Disabling the submit button unless all fields have valid data
Enforcing a specific input format, like phone or credit card numbers

Sometimes you will find yourself not needing any of that. In that case uncontrolled could be a more straightforward choice.

Uncontrolled inputs

Unlike the controlled inputs where data is handled by the react component, in uncontrolled component, data is handled by the DOM itself.
So, if we don't have controlled over its state, how do we access its value?
To access the value of an uncontrolled input, we use the React Ref hook. For example, in the code below we use, the Ref hook to access the current value of the input

const Form = () => { 
 const inputRef = useRef(null); 

 const handleSubmit = () => { 
   const inputValue = inputRef.current.value; 
   // Do something with the value 
 } 
 return ( 
   <form onSubmit={handleSubmit}> 
     <input ref={inputRef} type="text" /> 
   </form> 
 ); 
};

Let me wrap up my little article, by mentioning that there are some specific form inputs that are always uncontrolled, like the file input tag.

In React, an is always an uncontrolled component because its value is read-only and can't be set programmatically.

const Form = () => { 
 const fileInput = useRef(null); 

 const handleSubmit = (e) => { 
   e.preventDefault(); 
   const files = fileInput.current.files; 
   // Do something with the files here 
 } 

 return ( 
   <form onSubmit={handleSubmit}> 
     <input 
       ref={fileInput} 
       type="file" 
     /> 
   </form> 
 ); 
};

React recommends using controlled inputs over uncontrolled inputs, but let me summarise in the table below.

References:
React docs
React forms by Gosha

List, dictionary and set comprehension

Brhane — Sun, 20 Nov 2022 20:48:21 +0000

List comprehension

Python list data types are one of the fundamental elements of data structure. With the list comprehension feature, we can generate a series of lists from a list.
For example, the simplest form of list comprehension is to perform a shallow copy of a list as follows:

a_list = [1, 2, 3, 4, 5]
b_list = a_list[:]

What we are saying here is that hey Python just performs copies of all the elements by value or member by member. So, a change in the new list won't change the original list. For example

In the above python shell, we see that the two variables contain equal values but refer to different objects.

By the way Python **is** operator compares two variables and returns True if they reference the same object. If the two variables reference different objects, the is operator returns False as in the above example. In other words, the **is** operator compares the identity of two variables and returns True if they reference the same object.

Here is another way to achieve the same result using for loop:

b_list = []
for i in a_list:
    b_list.append(i)

The general syntax for list comprehension is:

new_list = [value for_statement if_expression]

value aka expression: takes a value directly from the list
for_statement: one or more for statements with conditions on the member
if clauses: for evaluating some conditions
Let's see the following example:

>>>[(x, y) for x in [1,2,3] for y in [3,1,4] if x != y]
[(1, 3), (1, 4), (2, 3), (2, 1), (2, 4), (3, 1), (3, 4)]

The above code snipper two for loops to check conditions of two values in different lists which in turn produces a tuple of lists based on the if clauses.

Set comprehension

A set is an unordered collection with no duplicate elements. The same concept as list comprehension will be used except that the syntax for the set is {}. For example, let's create a set from a given list with the following set comprehension.

>>> a_list = [1, 2, -2, 1, -1, 2, 3]
>>> new_set = {i for i in a_list if i > 0}
>>> new_set
>>> {1, 2, 3}

You may have noticed already that there are no duplicate values because the elimination of duplicates happens automatically as we are creating a set via {}.

Dictionary comprehension

We are going to use a similar approach but with a little complexity. In a dictionary comprehension, it is necessary to create a loop that generates key-value pairs, using the syntax:

key:value
Assume we have a list of tuples that we'd like to be the basis for our newly generated dictionary.

>>> list_tuples = [('Netherlands', 'Amsterdam'), ('Germany', 'Berlin')]
>>> new_dict = { i[0] : i[1] for i in list_tuples }

Note the use of the colon (:) in the key-value expression. Then if we want to check, let's evaluate the following:

>>> new_dict['Netherlands']
'Amsterdam'
>>>

Let's see one more example of how to create a dictionary from two given lists.

>>> countries = ['China', 'India', 'U.S.A', 'Indonesia']
>>> population = [1_452_661_848, 1_413_052_163, 335_683_841, 280_581_836]
>>> four_largest_countries_by_population = { countries[i]: population[i] for i in range(len(keys)) }
>>> four_largest_countries_by_population
{'China': 1452661848, 'India': 1413052163, 'U.S.A': 335683841, 'Indonesia': 280581836}
>>>

Note: in the above, we assume both lists have the same length.

We can even improve the performance of the code in the above example by using the built-in zip function to merge the lists. If the passed iterators have different lengths,
the iterator with the least items decides the length of the new iterator.

Final words

Hope this sheds some light on those who begin to learn python, and a refresher to those who have solid knowledge. As usual, you are welcome to drop your comments even for some broken sentences, ideas or concepts. Thanks for reading this far.

Python script to automate the installation of several cms in Devilbox

Brhane — Sun, 20 Nov 2022 17:47:54 +0000

I won't explain in detail as the repo is simple to use but I will just write the structure of the repo, and you are welcome to try and give your suggestions or contributions.

Installation script
-
Installation steps

clone this repository: https://github.com/bashebr/cms-installation-script.git
create virtualenv: virtualenv venv --python=3.6( or any python3 version)
Follow the instruction to install python3 in devilbox written in the wiki
Your devilbox directory name should be devilbox

The instruction script has the following directories

Applicaitons
Config
Core

Finally, the script that runs the application

install_script.py

Applications

This directory consists of all applications that need to be installed, such as

Drupal
Magento
plugins
Prestashop
WordPress

Each of the above directories contains a python script that installs the application.

Config

The config directory consists of the following config files

general_config.py
- Method: grep_container returns both mysql_container && php_container
versions.py
- This file contains versions that need to be installed
- Here in this file you can see, the version you want to install
- Only set the version of the Application you want to install

Core
--

The core directory has the following files

db.py: This file creates the database

Some Extra config

Some installations may complain about the PHP memory unit limit, so we should set to all containers default as unlimited by the following.

Goto devilbox/cfg/php-ini-phpversion(eg 4.5)
then create a new file, that with ini extension, as devilbox-php.ini, then paste the following code
Then you need to restart your container once
code is

; Memory
; Note: "memory_limit" should be larger than "post_max_size"
memory_limit            = -1

Changes to script on how to install python3 in devilbox

Copy and paste( actually replace it with) the following script to the former script in devilbox, //python3.sh//


#!/usr/bin/env bash

root="/shared/httpd"

cd ${root}

apt-get update
apt-get install -y python3
apt-get install -y python3-pip
apt-get install python3-distutils

PYTHON3="/usr/bin/python3"
PIP3="/usr/bin/pip3"
if [ ! -L ${PYTHON3} ] && [ ! -L ${PIP3}]; then
  ln -s /usr/bin/python3 ${PYTHON3}
  ln -s /usr/bin/pip3 ${PIP3}
fi

NOTE REGARDING Magento 2.4.2 FATAL ERROR

During Magento 2.4.2 installation the following fatal error occurred. According to the GitHub link

https://github.com/jbboehr/php-psr/issues/78#issuecomment-722290110

Then, I create the following workaround:

In your .env file inside the devilbox, search for PHP_MODULES_DISABLE and add psr to the list and save and restart docker.
so, finally, it will be:

Note
The phalcon module is also added because it depends on psr

PHP_MODULES_DISABLE=oci8,PDO_OCI,pdo_sqlsrv,sqlsrv,rdkafka,swoole,psr,phalcon