The latest articles on DEV Community by Philippe Arteau (@h3xstream). https://dev.to/h3xstream https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F251294%2F3c61559c-5ece-41a9-958b-8591a0f30967.jpeg https://dev.to/h3xstream en Philippe Arteau Mon, 29 Jul 2024 18:25:18 +0000 https://dev.to/h3xstream/fixing-jest-import-failure-186b https://dev.to/h3xstream/fixing-jest-import-failure-186b <p>If you are reading this post, you likely encounter this error:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&gt; 4 | import someConfig from '../config/SomeConfigs.json' with { type: 'json' }; | ^ 5 | 6 | /** Add @babel/plugin-syntax-import-attributes (https://github.com/babel/babel/tree/main/packages/babel-plugin-syntax-import-attributes) to the 'plugins' section of your Babel config to enable parsing. If you already added the plugin for this syntax to your config, it's possible that your config isn't being loaded. You can re-run Babel with the BABEL_SHOW_CONFIG_FOR environment variable to show the loaded configuration: </code></pre> </div> <p>The issue in my case was to create a babel configuration file for Jest to use when transpiling the different source files.</p> <p><strong>babel.config.js (or babel.config.cjs)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="nx">api</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">isTest</span> <span class="o">=</span> <span class="nx">api</span><span class="p">.</span><span class="nf">env</span><span class="p">(</span><span class="dl">'</span><span class="s1">test</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">plugins</span><span class="p">:</span> <span class="p">[</span> <span class="dl">"</span><span class="s2">@babel/plugin-syntax-import-attributes</span><span class="dl">"</span><span class="p">,</span> <span class="p">],</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <h3> Source </h3> <p>I took inspiration from <a href="https://saptaks.blog/posts/configuring-jest-with-react-and-babel.html" rel="noopener noreferrer">this blog post which described issues with React dependencies in Jest unit tests</a>.</p> <p>This complete example uses the <a href="https://jestjs.io/docs/getting-started#using-babel" rel="noopener noreferrer">conditional configuration suggested in Jest documentation</a>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>module.exports = api =&gt; { const isTest = api.env('test'); // You can use isTest to determine what presets and plugins to use. return { // ... }; }; </code></pre> </div> jest tooling babel Philippe Arteau Wed, 23 Feb 2022 23:01:44 +0000 https://dev.to/h3xstream/solving-flashboy-error-opening-com-port-4p6n https://dev.to/h3xstream/solving-flashboy-error-opening-com-port-4p6n <p>This is a short post to help Flash Boy ^{<a href="https://www.aliexpress.com/item/4001330749681.html">1</a> <a href="https://www.ebay.com/itm/264065747210">2</a>} users find the right software and drivers. Flash Boy is a GameBoy cartridge dumper. The manufacturer does not have any product page therefore it can be time consuming to find the software needed or documentation.</p> <p>If you are reading this, you are probably unable to use the device. Here are the error messages you could get:</p> <ul> <li>"Device not found!"</li> <li>"Check COM port connection."</li> <li>"Error opening COM port."</li> </ul> <p>After a few trials and errors, I found that FlashBoy dumpers seem to have multiple versions with different firmware and required different softwares.</p> <h2> Software options </h2> <p>Here is the list of flasher program available.</p> <h3> 1) GBX Driver 2.0 </h3> <p>This UI tool is developed by Tengu Development. Tengu is also the manufacturer shown when the device is mounting the "fake" drive (GBX).</p> <p>As of 2021, this is the software to interact with the latest hardware.</p> <p><a href="https://drive.google.com/file/d/13ferDd2TQ_dg1VdFCFZpd59U9IYZM_dU/view?usp=sharing">Download GBX Driver 2.0 for Flash Boy</a></p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--E0V5pBXy--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/fgkluxsw3d31vn9zy0ev.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--E0V5pBXy--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/fgkluxsw3d31vn9zy0ev.png" alt="GBX Driver 2.0" width="490" height="515"></a></p> <h3> 2) GB Cart Flasher version 1.1 </h3> <p>Software release by Kraku and Chroost. It seems to support older version of the FlashBoy.</p> <p>This is the first software I tested because it appears in this <a href="https://www.youtube.com/watch?v=aaEEqqJB3Ws">Youtube Flash Boy review</a>.</p> <p><a href="https://sourceforge.net/projects/gbcf/">Download GB Cart Flasher version 1.1</a></p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--cxMp0zIn--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/hlmxng0e368a7gexeqtz.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--cxMp0zIn--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/hlmxng0e368a7gexeqtz.png" alt="GB Cart Flasher version 1.1" width="786" height="473"></a></p> <h3> 3) FlashBoy Cyclone </h3> <p>This software is dedictated to the Cyclone version of the FlashBoy. I don't have this specific device to validate that its validity.</p> <p><a href="https://app.box.com/s/nvme61lnm6chn3ludccto5fyy6rdvckt?spm=a2g0o.detail.1000023.1.273a12efhMNomd">Download FlashBoy Cyclone</a></p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--EcSNWmRJ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/rnblya9cgecjc89ao747.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--EcSNWmRJ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/rnblya9cgecjc89ao747.png" alt="FlashBoy Cyclone" width="794" height="536"></a></p> <h3> 4) FlashGBX </h3> <p>Last but not least, FlashGBX is the recommended software for the <a href="https://shop.insidegadgets.com/product/gbxcart-rw/">GBxCart RW from insidegadgets</a>. While GBxRW is not manufactured by Backlight ENG.LAB (the company behind Flash Boy), it is my recommendation if you haven't bought a dumper/flasher yet. It can read the ROM and RAM just like the previous, but it also to write the ROM and RAM of numerous cartridges types including cheap reproduction cartridge (~4 USD) found on Aliexpress or eBay.</p> <p><a href="https://github.com/lesserkuma/FlashGBX/releases">Download FlashGBX</a></p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--PoxT51a6--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/8scr8s9s00l4v3h0zoau.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--PoxT51a6--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/8scr8s9s00l4v3h0zoau.png" alt="FlashGBX for the GBxRW" width="593" height="372"></a></p> gameboy retro backup Philippe Arteau Tue, 01 Feb 2022 16:25:47 +0000 https://dev.to/h3xstream/advanced-scripting-for-orange-data-mining-49f0 https://dev.to/h3xstream/advanced-scripting-for-orange-data-mining-49f0 <p>Have you ever heard of <a href="https://orangedatamining.com/">Orange Data Mining</a>? It is a powerful data mining framework that includes Python API and a visual GUI.</p> <p>This blog post is for people looking to create add new attributes dynamically to your data set. It will also provide a good example of scripting in Orange.</p> <h2> The Problem </h2> <p>I have a CSV dataset with an attribute that has multi-values possible and I want to create a new attribute for every value present in the multi-values attribute.</p> <p><em>Here is a simple example that is easier to understand than my actual dataset.</em></p> <h4> Initial dataset </h4> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>country</th> <th>flag_colors</th> </tr> </thead> <tbody> <tr> <td>italy</td> <td>green,white,red</td> </tr> <tr> <td>united kingdom</td> <td>red,blue,white</td> </tr> <tr> <td>russia</td> <td>white,blue,red</td> </tr> <tr> <td>canada</td> <td>red,white</td> </tr> <tr> <td>brazil</td> <td>green,blue,yellow</td> </tr> <tr> <td>germany</td> <td>black,red,yellow</td> </tr> </tbody> </table></div> <h4> Target dataset </h4> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>country</th> <th>...</th> <th>green</th> <th>white</th> <th>red</th> <th>blue</th> <th>yellow</th> <th>black</th> </tr> </thead> <tbody> <tr> <td>italy</td> <td>...</td> <td>1</td> <td>1</td> <td>1</td> <td>0</td> <td>0</td> <td>0</td> </tr> <tr> <td>united kingdom</td> <td>...</td> <td>0</td> <td>1</td> <td>1</td> <td>1</td> <td>0</td> <td>0</td> </tr> <tr> <td>russia</td> <td>...</td> <td>0</td> <td>1</td> <td>1</td> <td>1</td> <td>0</td> <td>0</td> </tr> <tr> <td>canada</td> <td>...</td> <td>0</td> <td>1</td> <td>1</td> <td>0</td> <td>0</td> <td>0</td> </tr> <tr> <td>brazil</td> <td>...</td> <td>1</td> <td>0</td> <td>0</td> <td>1</td> <td>1</td> <td>0</td> </tr> <tr> <td>germany</td> <td>...</td> <td>0</td> <td>0</td> <td>1</td> <td>0</td> <td>1</td> <td>1</td> </tr> </tbody> </table></div> <h2> Custom Script Solution </h2> <p>I have annotated my solution.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="nn">Orange.data</span> <span class="kn">import</span> <span class="n">Table</span><span class="p">,</span> <span class="n">Domain</span><span class="p">,</span> <span class="n">ContinuousVariable</span><span class="p">,</span> <span class="n">DiscreteVariable</span> <span class="kn">import</span> <span class="nn">copy</span> <span class="n">attributes_to_expand</span> <span class="o">=</span> <span class="p">[</span><span class="s">'colors'</span><span class="p">]</span> <span class="n">separator</span> <span class="o">=</span> <span class="s">"|"</span> <span class="c1">#Separator can be changed to , ; - </span> <span class="c1"># Structure used to build the new model </span><span class="n">attributes_to_keep</span> <span class="o">=</span> <span class="p">[]</span> <span class="n">class_vars_to_keep</span> <span class="o">=</span> <span class="p">[]</span> <span class="n">metas_to_keep</span> <span class="o">=</span> <span class="p">[]</span> <span class="n">variables</span><span class="o">=</span><span class="p">[]</span> <span class="c1"># Old and new variables </span><span class="n">all_values</span> <span class="o">=</span> <span class="nb">dict</span><span class="p">()</span> <span class="c1">#values to keep for each multi-values columns </span> <span class="c1"># Building a list of all the known values for each column to expand </span><span class="k">for</span> <span class="n">data</span> <span class="ow">in</span> <span class="n">in_data</span><span class="p">:</span> <span class="k">for</span> <span class="n">att_exp</span> <span class="ow">in</span> <span class="n">attributes_to_expand</span><span class="p">:</span> <span class="n">values</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="n">att_exp</span><span class="p">].</span><span class="n">value</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="n">separator</span><span class="p">)</span> <span class="k">for</span> <span class="n">v</span> <span class="ow">in</span> <span class="n">values</span><span class="p">:</span> <span class="k">if</span><span class="p">(</span><span class="ow">not</span><span class="p">(</span><span class="n">att_exp</span> <span class="ow">in</span> <span class="n">all_values</span><span class="p">)):</span> <span class="n">all_values</span><span class="p">[</span><span class="n">att_exp</span><span class="p">]</span> <span class="o">=</span> <span class="nb">set</span><span class="p">()</span> <span class="c1">#One new attribute per value maximum </span> <span class="n">all_values</span><span class="p">[</span><span class="n">att_exp</span><span class="p">].</span><span class="n">add</span><span class="p">(</span><span class="n">v</span><span class="p">)</span> <span class="c1"># Keeping existing metadata and class variables (target) </span><span class="k">for</span> <span class="n">orig_meta</span> <span class="ow">in</span> <span class="n">in_data</span><span class="p">.</span><span class="n">domain</span><span class="p">.</span><span class="n">metas</span><span class="p">:</span> <span class="n">metas_to_keep</span><span class="p">.</span><span class="n">append</span><span class="p">(</span><span class="n">orig_meta</span><span class="p">)</span> <span class="k">for</span> <span class="n">orig_class_var</span> <span class="ow">in</span> <span class="n">in_data</span><span class="p">.</span><span class="n">domain</span><span class="p">.</span><span class="n">class_vars</span><span class="p">:</span> <span class="n">class_vars_to_keep</span><span class="p">.</span><span class="n">append</span><span class="p">(</span><span class="n">orig_class_var</span><span class="p">)</span> <span class="c1"># Keeping non-multi-values variables </span><span class="k">for</span> <span class="n">orig_var</span> <span class="ow">in</span> <span class="n">in_data</span><span class="p">.</span><span class="n">domain</span><span class="p">.</span><span class="n">variables</span><span class="p">:</span> <span class="k">if</span><span class="p">(</span><span class="n">orig_var</span><span class="p">.</span><span class="n">name</span> <span class="ow">in</span> <span class="n">attributes_to_expand</span> <span class="ow">or</span> <span class="n">orig_var</span> <span class="ow">in</span> <span class="n">class_vars_to_keep</span><span class="p">):</span> <span class="k">continue</span> <span class="n">variables</span><span class="p">.</span><span class="n">append</span><span class="p">(</span><span class="n">copy</span><span class="p">.</span><span class="n">copy</span><span class="p">(</span><span class="n">orig_var</span><span class="p">))</span> <span class="n">attributes_to_keep</span><span class="p">.</span><span class="n">append</span><span class="p">(</span><span class="n">orig_var</span><span class="p">)</span> <span class="c1"># Adding the list of all the new variables </span><span class="k">for</span> <span class="n">att_exp</span> <span class="ow">in</span> <span class="n">attributes_to_expand</span><span class="p">:</span> <span class="k">for</span> <span class="n">v</span> <span class="ow">in</span> <span class="n">all_values</span><span class="p">[</span><span class="n">att_exp</span><span class="p">]:</span> <span class="n">variables</span><span class="p">.</span><span class="n">append</span><span class="p">(</span><span class="n">ContinuousVariable</span><span class="p">(</span><span class="n">att_exp</span><span class="o">+</span><span class="s">"="</span><span class="o">+</span><span class="n">v</span><span class="p">))</span> <span class="c1"># Output Table construction </span> <span class="c1">## Domain describes the variables of our dataset </span><span class="n">domain</span> <span class="o">=</span> <span class="n">Domain</span><span class="p">(</span><span class="n">variables</span><span class="p">,</span><span class="n">class_vars</span><span class="o">=</span><span class="n">class_vars_to_keep</span><span class="p">,</span><span class="n">metas</span><span class="o">=</span><span class="n">metas_to_keep</span><span class="p">)</span> <span class="c1">## Table include both the domain definition and the data </span><span class="n">table</span> <span class="o">=</span> <span class="n">Table</span><span class="p">.</span><span class="n">from_domain</span><span class="p">(</span><span class="n">domain</span><span class="p">,</span><span class="nb">len</span><span class="p">(</span><span class="n">in_data</span><span class="p">))</span> <span class="c1">## Rebuilding the data line by line </span><span class="k">for</span> <span class="n">index</span><span class="p">,</span><span class="n">data</span> <span class="ow">in</span> <span class="nb">enumerate</span><span class="p">(</span><span class="n">in_data</span><span class="p">):</span> <span class="c1"># Variables that we keep as-is </span> <span class="k">for</span> <span class="n">att</span> <span class="ow">in</span> <span class="n">class_vars_to_keep</span><span class="p">:</span> <span class="n">table</span><span class="p">[</span><span class="n">index</span><span class="p">][</span><span class="n">att</span><span class="p">]</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="n">att</span><span class="p">].</span><span class="n">value</span> <span class="k">for</span> <span class="n">att</span> <span class="ow">in</span> <span class="n">attributes_to_keep</span><span class="p">:</span> <span class="n">table</span><span class="p">[</span><span class="n">index</span><span class="p">][</span><span class="n">att</span><span class="p">]</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="n">att</span><span class="p">].</span><span class="n">value</span> <span class="k">for</span> <span class="n">meta</span> <span class="ow">in</span> <span class="n">metas_to_keep</span><span class="p">:</span> <span class="n">table</span><span class="p">[</span><span class="n">index</span><span class="p">][</span><span class="n">meta</span><span class="p">]</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="n">meta</span><span class="p">].</span><span class="n">value</span> <span class="c1"># New variables </span> <span class="k">for</span> <span class="n">att_exp</span> <span class="ow">in</span> <span class="n">attributes_to_expand</span><span class="p">:</span> <span class="k">for</span> <span class="n">v</span> <span class="ow">in</span> <span class="n">all_values</span><span class="p">[</span><span class="n">att_exp</span><span class="p">]:</span> <span class="n">values_for_current_line</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="n">att_exp</span><span class="p">].</span><span class="n">value</span><span class="p">.</span><span class="n">split</span><span class="p">(</span><span class="n">separator</span><span class="p">)</span> <span class="n">value_is_present</span> <span class="o">=</span> <span class="n">v</span> <span class="ow">in</span> <span class="n">values_for_current_line</span> <span class="n">table</span><span class="p">[</span><span class="n">index</span><span class="p">][</span><span class="n">att_exp</span><span class="o">+</span><span class="s">"="</span><span class="o">+</span><span class="n">v</span><span class="p">]</span> <span class="o">=</span> <span class="bp">True</span> <span class="k">if</span> <span class="n">value_is_present</span> <span class="k">else</span> <span class="bp">False</span> <span class="c1"># making the new dataset available to linked widget </span><span class="n">out_data</span> <span class="o">=</span> <span class="n">table</span> </code></pre> </div> <h2> Tips for Building Scripts </h2> <ul> <li>Don't copy objects such as Domain's variable from in_data to out_data. Altering in_data can cause side effects.</li> <li>Don't forget to <em>class variables</em> and <em>metadatas</em>. The information could be helpful later in your pipeline.</li> <li> <code>print()</code> debugging is your friend. There is also an interactive console that is very helpful.</li> <li>Some shortcuts are available <code>[Ctrl]-R</code>: Run script, <code>[Ctrl]-R</code>: Save script, <code>[Ctrl]-/</code>: Comment line ... There is also a Vim mode for the purist. 😉 </li> <li>Look at existing transformations before building your own</li> </ul> <h2> Conclusion </h2> <p>Transforming multi-values columns into multiple attributes is <strong>very helpful to apply machine learning</strong> algorithm to classify and do prediction based on samples data.</p> <p>Maybe this small script will save you some time...</p> <h2> References </h2> <ul> <li> <a href="http://docs.biolab.si/orange/2/widgets/rst/data/pythonscript.html">Official Orange Documentation: Python Scripting</a> </li> </ul> datascience python orange datamining Philippe Arteau Mon, 10 Jan 2022 16:16:00 +0000 https://dev.to/h3xstream/security-puzzle-log4j-edition-465f https://dev.to/h3xstream/security-puzzle-log4j-edition-465f <p>Apache Log4J has been in the spotlight for its JNDI feature introducing a major security flaw in december.</p> <p>Here is the function for JNDI lookups modified to avoid unexpected remote class being loaded. This function was used to fix potential RCE in version 2.15.</p> <p>Can you see why the validation was <strong>insufficient</strong>?<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">private</span> <span class="kd">final</span> <span class="nc">DirContext</span> <span class="n">context</span><span class="o">;</span> <span class="c1">//javax.naming.directory.DirContext</span> <span class="o">[...]</span> <span class="nd">@SuppressWarnings</span><span class="o">(</span><span class="s">"unchecked"</span><span class="o">)</span> <span class="kd">public</span> <span class="o">&lt;</span><span class="no">T</span><span class="o">&gt;</span> <span class="no">T</span> <span class="nf">lookup</span><span class="o">(</span><span class="kd">final</span> <span class="nc">String</span> <span class="n">name</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">NamingException</span> <span class="o">{</span> <span class="kd">public</span> <span class="kd">synchronized</span> <span class="o">&lt;</span><span class="no">T</span><span class="o">&gt;</span> <span class="no">T</span> <span class="nf">lookup</span><span class="o">(</span><span class="kd">final</span> <span class="nc">String</span> <span class="n">name</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">NamingException</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="no">URI</span> <span class="n">uri</span> <span class="o">=</span> <span class="k">new</span> <span class="no">URI</span><span class="o">(</span><span class="n">name</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">uri</span><span class="o">.</span><span class="na">getScheme</span><span class="o">()</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(!</span><span class="n">allowedProtocols</span><span class="o">.</span><span class="na">contains</span><span class="o">(</span><span class="n">uri</span><span class="o">.</span><span class="na">getScheme</span><span class="o">().</span><span class="na">toLowerCase</span><span class="o">(</span><span class="nc">Locale</span><span class="o">.</span><span class="na">ROOT</span><span class="o">)))</span> <span class="o">{</span> <span class="no">LOGGER</span><span class="o">.</span><span class="na">warn</span><span class="o">(</span><span class="s">"Log4j JNDI does not allow protocol {}"</span><span class="o">,</span> <span class="n">uri</span><span class="o">.</span><span class="na">getScheme</span><span class="o">());</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span> <span class="o">}</span> <span class="k">if</span> <span class="o">(</span><span class="no">LDAP</span><span class="o">.</span><span class="na">equalsIgnoreCase</span><span class="o">(</span><span class="n">uri</span><span class="o">.</span><span class="na">getScheme</span><span class="o">())</span> <span class="o">||</span> <span class="no">LDAPS</span><span class="o">.</span><span class="na">equalsIgnoreCase</span><span class="o">(</span><span class="n">uri</span><span class="o">.</span><span class="na">getScheme</span><span class="o">()))</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(!</span><span class="n">allowedHosts</span><span class="o">.</span><span class="na">contains</span><span class="o">(</span><span class="n">uri</span><span class="o">.</span><span class="na">getHost</span><span class="o">()))</span> <span class="o">{</span> <span class="no">LOGGER</span><span class="o">.</span><span class="na">warn</span><span class="o">(</span><span class="s">"Attempt to access ldap server not in allowed list"</span><span class="o">);</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span> <span class="o">}</span> <span class="nc">Attributes</span> <span class="n">attributes</span> <span class="o">=</span> <span class="k">this</span><span class="o">.</span><span class="na">context</span><span class="o">.</span><span class="na">getAttributes</span><span class="o">(</span><span class="n">name</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">attributes</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="c1">// In testing the "key" for attributes seems to be lowercase while the attribute id is</span> <span class="c1">// camelcase, but that may just be true for the test LDAP used here. This copies the Attributes</span> <span class="c1">// to a Map ignoring the "key" and using the Attribute's id as the key in the Map so it matches</span> <span class="c1">// the Java schema.</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">Attribute</span><span class="o">&gt;</span> <span class="n">attributeMap</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">HashMap</span><span class="o">&lt;&gt;();</span> <span class="nc">NamingEnumeration</span><span class="o">&lt;?</span> <span class="kd">extends</span> <span class="nc">Attribute</span><span class="o">&gt;</span> <span class="n">enumeration</span> <span class="o">=</span> <span class="n">attributes</span><span class="o">.</span><span class="na">getAll</span><span class="o">();</span> <span class="k">while</span> <span class="o">(</span><span class="n">enumeration</span><span class="o">.</span><span class="na">hasMore</span><span class="o">())</span> <span class="o">{</span> <span class="nc">Attribute</span> <span class="n">attribute</span> <span class="o">=</span> <span class="n">enumeration</span><span class="o">.</span><span class="na">next</span><span class="o">();</span> <span class="n">attributeMap</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="n">attribute</span><span class="o">.</span><span class="na">getID</span><span class="o">(),</span> <span class="n">attribute</span><span class="o">);</span> <span class="o">}</span> <span class="nc">Attribute</span> <span class="n">classNameAttr</span> <span class="o">=</span> <span class="n">attributeMap</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="no">CLASS_NAME</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">attributeMap</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="no">SERIALIZED_DATA</span><span class="o">)</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="n">classNameAttr</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="nc">String</span> <span class="n">className</span> <span class="o">=</span> <span class="n">classNameAttr</span><span class="o">.</span><span class="na">get</span><span class="o">().</span><span class="na">toString</span><span class="o">();</span> <span class="k">if</span> <span class="o">(!</span><span class="n">allowedClasses</span><span class="o">.</span><span class="na">contains</span><span class="o">(</span><span class="n">className</span><span class="o">))</span> <span class="o">{</span> <span class="no">LOGGER</span><span class="o">.</span><span class="na">warn</span><span class="o">(</span><span class="s">"Deserialization of {} is not allowed"</span><span class="o">,</span> <span class="n">className</span><span class="o">);</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="no">LOGGER</span><span class="o">.</span><span class="na">warn</span><span class="o">(</span><span class="s">"No class name provided for {}"</span><span class="o">,</span> <span class="n">name</span><span class="o">);</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> <span class="k">else</span> <span class="k">if</span> <span class="o">(</span><span class="n">attributeMap</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="no">REFERENCE_ADDRESS</span><span class="o">)</span> <span class="o">!=</span> <span class="kc">null</span> <span class="o">||</span> <span class="n">attributeMap</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="no">OBJECT_FACTORY</span><span class="o">)</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="no">LOGGER</span><span class="o">.</span><span class="na">warn</span><span class="o">(</span><span class="s">"Referenceable class is not allowed for {}"</span><span class="o">,</span> <span class="n">name</span><span class="o">);</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">URISyntaxException</span> <span class="n">ex</span><span class="o">)</span> <span class="o">{</span> <span class="c1">// This is OK.</span> <span class="o">}</span> <span class="k">return</span> <span class="o">(</span><span class="no">T</span><span class="o">)</span> <span class="k">this</span><span class="o">.</span><span class="na">context</span><span class="o">.</span><span class="na">lookup</span><span class="o">(</span><span class="n">name</span><span class="o">);</span> <span class="o">}</span> </code></pre> </div> <p>Ref: <a href="https://github.com/apache/logging-log4j2/commit/d82b47c6fae9c15fcb183170394d5f1a01ac02d3#diff-271353c1076e53f6893261e4420de27d34588bfd782806b5c66a3465c43b7f51R209">Changeset</a></p> <h2> What is/are the weakness in the code above? </h2> <ul> <li>A) Incomplete blacklist / whitelist</li> <li>B) Improper URL parsing</li> <li>C) Unexpected Nullpointer</li> <li>D) Exception handling</li> <li>E) Time of Check, Time of Use</li> </ul> <p> Answer (SPOILER!) <blockquote> <p>It is both a <strong>TOCTOU</strong> and a <strong>URL parsing</strong> issue!</p> <ul> <li>TOCTOU explanation: <a href="https://www.gosecure.net/blog/2021/12/21/log4j-2-15-toctou-vulnerability-illustrated-by-gosecure-researchers/">https://www.gosecure.net/blog/2021/12/21/log4j-2-15-toctou-vulnerability-illustrated-by-gosecure-researchers/</a> </li> <li>DNS re-parsing issue: <a href="https://www.lunasec.io/docs/blog/log4j-zero-day-severity-of-cve-2021-45046-increased/">https://www.lunasec.io/docs/blog/log4j-zero-day-severity-of-cve-2021-45046-increased/</a> </li> </ul> <p>Did you identify either weakness?<br> </p> </blockquote> <br> <br> </p> <br> security java challenge log4j Philippe Arteau Thu, 21 Oct 2021 02:10:12 +0000 https://dev.to/h3xstream/bypassing-libinjection-waf-1jm2 https://dev.to/h3xstream/bypassing-libinjection-waf-1jm2 <p>Being able to bypass Web Application Firewall (WAF) depends on your knowledge about their behavior. Here is a cool technique that involve <strong>expressions that are ignored in MySQL SQL parser</strong> (<a href="https://bugs.mysql.com/bug.php?id=105143" rel="noopener noreferrer">MySQL &lt;= 5.7</a>). This post summarizes the impact on libinjection. The <a href="https://github.com/client9/libinjection" rel="noopener noreferrer">libinjection library</a> is used by WAF such as <a href="https://github.com/SpiderLabs/ModSecurity" rel="noopener noreferrer">ModSecurity</a> and <a href="https://docs.fastly.com/signalsciences/how-it-works/" rel="noopener noreferrer">SignalScience</a>. For more details on AWS Cloudfront impact, read the <a href="https://www.gosecure.net/blog/2021/10/19/a-scientific-notation-bug-in-mysql-left-aws-waf-clients-vulnerable-to-sql-injection/" rel="noopener noreferrer">original GoSecure article</a>.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs1bwt2caxl3q8m5d3rdc.jpg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs1bwt2caxl3q8m5d3rdc.jpg" alt="Image description"></a></p> <h1> Scientific expression in MySQL </h1> <p>When MySQL sees <code>1.e(abc)</code>, it will ignore the <code>1.e(</code> portion because the following characters do not form a valid numeric value.</p> <p>This behavior can be abused to fool libinjection tokenizer. Libinjection internally tokenizes the parameter and identifies contextual section types such as comments and strings. Libinjection sees the string “1.e” as an unknown SQL keyword and concludes that it is more likely to be an English sentence than code. When libinjection is <a href="https://github.com/libinjection/libinjection/blob/49904c42a6e68dc8f16c022c693e897e4010a06c/src/libinjection_sqli_data.h#L8686" rel="noopener noreferrer">unaware of an SQL function</a> the same behavior can be exhibited.</p> <h1> Attack in action </h1> <p>Here is a demonstration of modsecurity’s capability to block a malicious pattern for SQL injection. A forbidden page is returned which is the consequence of detection.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9ie8vtjdsmyrvge560hn.gif" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9ie8vtjdsmyrvge560hn.gif" alt="SQL injection blocked"></a></p> <center>*Blocked!*</center> <p>In the following image, you can see the original request being slightly modified to bypass modsecurity and libinjection.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F54colvp1kugv5i09mfzq.gif" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F54colvp1kugv5i09mfzq.gif" alt="SQL injection bypass WAF"></a></p> <center>*WAF Bypass!*</center> <h2> Complete payload </h2> <p>Now, how do we go beyond <code>or 1=1</code> payloads? The <code>NUMBER.e</code> expression can be inserted at plenty of locations without breaking the SQL query. The following payload demonstrated read on arbitrary SQL tables.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>' 1.e(ascii 1.e(substring(1.e(select password from users limit 1 1.e,1 1.e) 1.e,1 1.e,1 1.e)1.e)1.e) = 70 or'1'='2 </code></pre> </div> <p>The same payload was indented below for readability. <code>1.e(</code> and <code>1.e,</code> are ignored from the parser.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1.e(ascii 1.e(substring( 1.e(select password from users limit 1 1.e,1 1.e) 1.e,1 1.e,1 1.e)1.e)1.e) = 70 #(first char = 70) or'1'='2 </code></pre> </div> <h1> Conclusion </h1> <p>Most bypass techniques evolve using special encoding to obfuscate the malicious requests (URL encoding, Unicode multibytes, XML entities, etc). This technique will work if the system behind the WAF is doing an unexpected decoding. This new technique is not encoding related. For this reason, it will be a versatile trick until most system upgrade their MySQL instances.</p> <center>*Full story on [GoSecure blog](https://www.gosecure.net/blog/2021/10/19/a-scientific-notation-bug-in-mysql-left-aws-waf-clients-vulnerable-to-sql-injection/) (More details on AWS Cloudfront)*</center> security firewall libinjection mysql Philippe Arteau Thu, 18 Feb 2021 20:21:43 +0000 https://dev.to/h3xstream/how-to-solve-symbol-is-declared-in-module-x-which-does-not-export-package-y-303g https://dev.to/h3xstream/how-to-solve-symbol-is-declared-in-module-x-which-does-not-export-package-y-303g <p>If you are here, I assume that you have encounter a message like one of these.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Symbol is declared in module 'java.desktop' which does not export package 'sun.awt.image' Symbol is declared in module 'java.xml' which does not export package 'com.sun.org.apache.xerces.internal.xni.parser' Symbol is declared in module 'java.base' which does not export package 'sun.net.www.protocol.http' </code></pre> </div> <h1> What is happening? </h1> <p>You are accessing a class in a package that was not intended to be used by external library. The class is part of an <strong>internal package that is subject to change</strong>. When updating the library, it is likely that it will break your application.</p> <p>These modules restrictions were introduce in Java 9.</p> <h3> Option 1: Long-term fix </h3> <p>If you are working on a project that has long term stability in mind, you should look for an equivalent function that is public. This may required an additional library.</p> <p>Here is a simple example in Kotlin where <code>Strings.isNullOrEmpty</code> was use by accident. The function call can simply be replace by <code>CharSequence.isNullOrEmpty()</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight kotlin"><code><span class="k">import</span> <span class="nn">jdk.internal.joptsimple.internal.Strings.isNullOrEmpty</span> <span class="k">fun</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="nf">print</span><span class="p">(</span><span class="s">"Enter your name : "</span><span class="p">)</span> <span class="kd">val</span> <span class="py">userName</span> <span class="p">=</span> <span class="nf">readLine</span><span class="p">()</span><span class="o">!!</span> <span class="k">if</span> <span class="p">(</span><span class="nf">isNullOrEmpty</span><span class="p">(</span><span class="n">userName</span><span class="p">))</span> <span class="p">{</span> <span class="c1">//FIX: userName.isNullOrEmpty()</span> <span class="nf">println</span><span class="p">(</span><span class="s">"Hello, $userName"</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><em>Example taken from <a href="https://stackoverflow.com/questions/57196948/kotlin-symbol-is-declared-in-module-jdk-internal-opt-which-does-not-export-pa">stackoverflow.com</a></em></p> <h1> "I know what am doing" </h1> <p>You may still want to use internal API regardless of the recommendation from the compiler. Here are the solution for Java and Kotlin.</p> <h3> Option 2: Java fix </h3> <p>In order to still use the internal API, you will need to pass additional arguments to the compiler (<code>--add-exports ...</code>). This can be configured in your Maven or Gradle build.</p> <p>Here is an example of Maven configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;build&gt;</span> <span class="nt">&lt;plugins&gt;</span> <span class="nt">&lt;plugin&gt;</span> <span class="nt">&lt;artifactId&gt;</span>maven-compiler-plugin<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;configuration&gt;</span> <span class="nt">&lt;source&gt;</span>1.9<span class="nt">&lt;/source&gt;</span> <span class="nt">&lt;target&gt;</span>1.9<span class="nt">&lt;/target&gt;</span> <span class="nt">&lt;compilerArgs&gt;</span> <span class="c">&lt;!-- Few examples ... only pick the ones needed --&gt;</span> <span class="nt">&lt;arg&gt;</span>--add-exports<span class="nt">&lt;/arg&gt;&lt;arg&gt;</span>java.xml/com.sun.org.apache.xerces.internal.impl.dtd=ALL-UNNAMED<span class="nt">&lt;/arg&gt;</span> <span class="nt">&lt;arg&gt;</span>--add-exports<span class="nt">&lt;/arg&gt;&lt;arg&gt;</span>java.xml/com.sun.org.apache.xerces.internal.xni.parser=ALL-UNNAMED<span class="nt">&lt;/arg&gt;</span> <span class="nt">&lt;arg&gt;</span>--add-exports<span class="nt">&lt;/arg&gt;&lt;arg&gt;</span>java.base/sun.net.www.protocol.http=ALL-UNNAMED<span class="nt">&lt;/arg&gt;</span> <span class="nt">&lt;arg&gt;</span>--add-exports<span class="nt">&lt;/arg&gt;&lt;arg&gt;</span>jdk.unsupported/sun.misc=ALL-UNNAMED<span class="nt">&lt;/arg&gt;</span> <span class="nt">&lt;arg&gt;</span>--add-exports<span class="nt">&lt;/arg&gt;&lt;arg&gt;</span>java.base/sun.security.ssl=ALL-UNNAMED<span class="nt">&lt;/arg&gt;</span> <span class="nt">&lt;arg&gt;</span>--add-exports<span class="nt">&lt;/arg&gt;&lt;arg&gt;</span>java.base/sun.security.util=ALL-UNNAMED<span class="nt">&lt;/arg&gt;</span> <span class="nt">&lt;arg&gt;</span>--add-exports<span class="nt">&lt;/arg&gt;&lt;arg&gt;</span>java.base/com.sun.net.ssl.internal.ssl=ALL-UNNAMED<span class="nt">&lt;/arg&gt;</span> <span class="nt">&lt;arg&gt;</span>--add-exports<span class="nt">&lt;/arg&gt;&lt;arg&gt;</span>java.base/sun.security.jca=ALL-UNNAMED<span class="nt">&lt;/arg&gt;</span> <span class="nt">&lt;arg&gt;</span>--add-exports<span class="nt">&lt;/arg&gt;&lt;arg&gt;</span>java.base/sun.net.util=ALL-UNNAMED<span class="nt">&lt;/arg&gt;</span> <span class="nt">&lt;arg&gt;</span>--add-exports<span class="nt">&lt;/arg&gt;&lt;arg&gt;</span>java.base/jdk.internal.misc=ALL-UNNAMED<span class="nt">&lt;/arg&gt;</span> <span class="nt">&lt;arg&gt;</span>--add-exports<span class="nt">&lt;/arg&gt;&lt;arg&gt;</span>java.base/sun.security.internal.interfaces=ALL-UNNAMED<span class="nt">&lt;/arg&gt;</span> <span class="nt">&lt;arg&gt;</span>--add-exports<span class="nt">&lt;/arg&gt;&lt;arg&gt;</span>java.base/sun.security.provider.certpath=ALL-UNNAMED<span class="nt">&lt;/arg&gt;</span> <span class="nt">&lt;arg&gt;</span>--add-exports<span class="nt">&lt;/arg&gt;&lt;arg&gt;</span>java.base/sun.security.internal.spec=ALL-UNNAMED<span class="nt">&lt;/arg&gt;</span> <span class="nt">&lt;arg&gt;</span>--add-exports<span class="nt">&lt;/arg&gt;&lt;arg&gt;</span>java.base/sun.security.validator=ALL-UNNAMED<span class="nt">&lt;/arg&gt;</span> <span class="nt">&lt;arg&gt;</span>--add-exports<span class="nt">&lt;/arg&gt;&lt;arg&gt;</span>java.base/sun.security.action=ALL-UNNAMED<span class="nt">&lt;/arg&gt;</span> <span class="nt">&lt;arg&gt;</span>--add-exports<span class="nt">&lt;/arg&gt;&lt;arg&gt;</span>java.base/sun.security.x509=ALL-UNNAMED<span class="nt">&lt;/arg&gt;</span> <span class="nt">&lt;/compilerArgs&gt;</span> <span class="nt">&lt;/configuration&gt;</span> <span class="nt">&lt;/plugin&gt;</span> </code></pre> </div> <h3> Option 3: Kotlin fix </h3> <p>Kotlin does not have a compiler option to turn off specific module restrictions. You can however add an annotation at the beginning of your file to disable module restriction completely.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight kotlin"><code><span class="err">@</span><span class="n">file</span><span class="p">:</span><span class="nc">Suppress</span><span class="p">(</span><span class="s">"JAVA_MODULE_DOES_NOT_EXPORT_PACKAGE"</span><span class="p">)</span> <span class="k">import</span> <span class="nn">com.sun.org.apache.xerces.internal.util.SAXInputSource</span> <span class="k">import</span> <span class="nn">com.sun.org.apache.xerces.internal.xni.parser.XMLErrorHandler</span> <span class="k">import</span> <span class="nn">com.sun.org.apache.xerces.internal.xni.parser.XMLParseException</span> <span class="na">[...]</span> </code></pre> </div> <h1> Conclusion </h1> <p>While those new module restrictions may seems drastic, they are great safe guard that will help long term maintainability. Before adding exception, take the time to investigate if you really need the internal API.</p> java module build kotlin Philippe Arteau Tue, 04 Aug 2020 20:40:58 +0000 https://dev.to/h3xstream/weird-unicode-behaviors-lcc https://dev.to/h3xstream/weird-unicode-behaviors-lcc <p>So you know about Unicode codepoint and encoding (UTF-8, UTF-16), but are you aware that few standard conversions have surprising outcomes? In this short post, I'll list some of the most surprising behaviors.</p> <h2> Case Mapping </h2> <p>Case mapping is the behavior behind the uppercase and lowercase functions in your favorite language. Unexpected behaviors can sometimes lead to bugs, some of them affecting software security. </p> <p>While the strings <code>“go\u017Fecure”</code> and <code>“gosecure”</code> are not equal, a code that applies the uppercase transformation to both strings could mistakenly interpret both strings as being equal.</p> <p>Here is a demonstration in Python.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="o">&gt;&gt;&gt;</span> <span class="s">"GO</span><span class="se">\u017F</span><span class="s">ECURE"</span> <span class="o">==</span> <span class="s">"GOSECURE"</span> <span class="bp">False</span> <span class="o">&gt;&gt;&gt;</span> <span class="s">"GO</span><span class="se">\u017F</span><span class="s">ECURE"</span><span class="p">.</span><span class="n">upper</span><span class="p">()</span> <span class="o">==</span> <span class="s">"GOSECURE"</span> <span class="bp">True</span> </code></pre> </div> <p>The same behavior applies to Java<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="o">&gt;&gt;&gt;</span><span class="s">"ADM\u0131N"</span><span class="o">.</span><span class="na">toUpperCase</span><span class="o">().</span><span class="na">equals</span><span class="o">(</span><span class="s">"ADMIN"</span><span class="o">)</span> <span class="err">$</span><span class="mi">1</span> <span class="o">==&gt;</span> <span class="kc">true</span> </code></pre> </div> <p>This behavior occurs because the characters <code>ı (U+0131)</code> and <code>ſ (U+017F)</code> are converted to an ASCII characters as part of Unicode specification. Aside from a few exceptions, you can assume that your language apply these transformation by default.</p> <h2> Normalization </h2> <p>The purpose of normalization is to simplify expressions to allow matching equal or equivalent “meaning”.</p> <p>Here is a demonstration using normalization functions in Ruby. The five unicode characters become six unicode characters (ASCII only).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="n">irb</span><span class="p">(</span><span class="n">main</span><span class="p">):</span><span class="mo">003</span><span class="p">:</span><span class="mi">0</span><span class="o">&gt;</span> <span class="s2">"</span><span class="se">\u</span><span class="s2">216E</span><span class="se">\u</span><span class="s2">32CE</span><span class="se">\u</span><span class="s2">FF0E</span><span class="se">\u</span><span class="s2">209C</span><span class="se">\u</span><span class="s2">2134"</span><span class="p">.</span><span class="nf">unicode_normalize</span><span class="p">(</span><span class="ss">:nfkc</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="s2">"DeV.to"</span> </code></pre> </div> <p>API can sometimes hide those transformations. For example in C#, the class Uri normalize the hostname from URI entered.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="p">&gt;</span> <span class="n">Console</span><span class="p">.</span><span class="nf">Write</span><span class="p">(</span><span class="k">new</span> <span class="nf">Uri</span><span class="p">(</span><span class="s">"https://faceboo\u212A.com"</span><span class="p">).</span><span class="n">Host</span> <span class="p">==</span> <span class="s">"facebook.com"</span><span class="p">);</span> <span class="n">True</span> </code></pre> </div> <p>Here is a <a href="https://www.gosecure.net/blog/2020/08/04/unicode-for-security-professionals/">list of APIs with such behavior (see Section <strong>Auditing Source Code</strong>)</a>.</p> <h2> Testing your application </h2> <p>If you have an application that susceptible to issues related to Unicode, you can use <a href="https://gosecure.github.io/unicode-pentester-cheatsheet/">this simple cheat sheet</a>.<br> This cheat sheet can be used by developers to build regression test cases to make sure no characters are being misinterpreted.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--n8u12vQz--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/wlbocnjj5ong7hg41z2l.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--n8u12vQz--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/wlbocnjj5ong7hg41z2l.png" alt="Unicode Cheat sheet" width="880" height="618"></a></p> <p>If you are curious, you can read the <a href="https://www.gosecure.net/blog/2020/08/04/unicode-for-security-professionals/">full article</a> with a security focus.</p> unicode testing security