DEV Community: Jannis Mattheis The latest articles on DEV Community by Jannis Mattheis (@jmattheis). https://dev.to/jmattheis https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F197010%2Ff363e250-19c0-4549-ad1e-eee94c8ea26d.jpeg DEV Community: Jannis Mattheis https://dev.to/jmattheis en Review of my first Project Jannis Mattheis Sun, 19 Apr 2020 12:02:40 +0000 https://dev.to/jmattheis/review-of-my-first-project-3fam https://dev.to/jmattheis/review-of-my-first-project-3fam <p>Originally posted on my website: <a href="https://jmattheis.de">jmattheis.de</a></p> <h2> Intro </h2> <p>In 2012 I (13 years old) started learing coding. I didn't read books or anything, I mostly copied stuff from YouTube tutorials. This lead to my first bigger project. A social network clone, which should be similar to facebook.</p> <p>In this blog post, I'll review my now 8 year old code. Partly to amuse myself what kind of errors I made and to maybe learn something from it.</p> <p>The project has the following features:</p> <ul> <li>post timeline with like and comment functionality</li> <li>"real-time" updates of comments and like counts for posts</li> <li>chat between two users</li> <li>friend system</li> <li>user search</li> <li>profile page</li> <li>profile picture upload</li> <li>login and register with email confirmation</li> </ul> <p>It looks like this:</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--t9XRy86R--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/9e2tbl7vqxia4ftj8qlc.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--t9XRy86R--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/9e2tbl7vqxia4ftj8qlc.png" alt=""></a></p> <p>Yes, most of the stuff is in german, but I'll rename variables and strings in code examples to english.</p> <h2> Code Style/Quality </h2> <p>Style guides define rules on how code should look like. This is mostly done to enforce consistency, maintainability and reduce common programming errors. For PHP there are code styling guidelines defined in<br> <a href="https://www.php-fig.org/psr/psr-1/">PSR-1</a> and <a href="https://www.php-fig.org/psr/psr-12/">PSR-12</a>.</p> <p>My project didn't follow any of such guidelines and it sure looks like garbage. Bad code is the only consistency in that project :). In newer projects I use linters like eslint and formatters like prettier to ensure code quality and style.</p> <p>Example of ugly code.<br> </p> <div class="highlight"><pre class="highlight php"><code><span class="nv">$number</span> <span class="o">=</span> <span class="mi">2</span><span class="p">;</span> <span class="nv">$query</span> <span class="o">=</span> <span class="nb">mysql_query</span><span class="p">(</span><span class="s2">"SELECT * FROM post_comment WHERE post_id='"</span><span class="o">.</span><span class="nv">$post_id</span><span class="o">.</span><span class="s2">"' ORDER BY comment DESC"</span><span class="p">);</span> <span class="k">WHILE</span> <span class="p">(</span><span class="nv">$row</span> <span class="o">=</span> <span class="nb">mysql_fetch_assoc</span><span class="p">(</span><span class="nv">$query</span><span class="p">)){</span> <span class="k">if</span><span class="p">(</span><span class="nv">$zahl</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$comment</span> <span class="o">=</span> <span class="nv">$row</span><span class="p">[</span><span class="s2">"comment"</span><span class="p">];</span> <span class="nv">$name</span> <span class="o">=</span> <span class="nv">$row</span><span class="p">[</span><span class="s2">"name"</span><span class="p">];</span> <span class="nv">$date</span> <span class="o">=</span> <span class="nv">$row</span><span class="p">[</span><span class="s2">"date"</span><span class="p">];</span> <span class="k">if</span><span class="p">(</span><span class="nb">strlen</span><span class="p">(</span><span class="nv">$comment</span><span class="p">)</span><span class="o">&gt;=</span><span class="mi">47</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$comment</span> <span class="o">=</span> <span class="nb">substr</span><span class="p">(</span><span class="nv">$comment</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">47</span><span class="p">)</span><span class="o">.</span><span class="s2">"..."</span><span class="p">;</span> <span class="p">}</span> <span class="nv">$end</span> <span class="o">.=</span> <span class="s2">"&lt;hr&gt;&lt;a href='/profile/"</span><span class="o">.</span><span class="nv">$name</span><span class="o">.</span><span class="s2">"'&gt;&lt;b&gt;"</span> <span class="o">.</span><span class="nx">user_return</span><span class="p">(</span><span class="nv">$name</span><span class="p">)</span><span class="o">.</span><span class="s2">"&lt;/b&gt;&lt;/a&gt;&lt;b&gt;|&lt;/b&gt; "</span><span class="o">.</span><span class="nv">$comment</span><span class="p">;</span> <span class="nv">$number</span> <span class="o">=</span> <span class="nv">$number</span> <span class="o">-</span> <span class="mi">1</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">echo</span> <span class="nv">$end</span><span class="p">;</span> </code></pre></div> <h3> Unused Code </h3> <p>Having less code greatly increases code maintainability, code complexity, reduces potential bugs, and overall simplicity of a project. New team members not only have to understand used code but also the unused code which doesn't add any benefit and is only a waste of time.</p> <p>Without code, it is possible to write a secure and reliable application -&gt; <br> <a href="https://github.com/kelseyhightower/nocode">github.com/kelseyhightower/nocode</a></p> <p>When parts of an application will be refactored. It is likely, that code will lose its callers and be unused. That's okay as long as the code doesn't get into production. Refactorings should be done inside a branch inside version control and be reviewed for code quality before going into production.</p> <h3> Reuse Code </h3> <p>Similar code should not be copied without reasoning. Depending on the context, it maybe perfectly fine to copy things. F.ex. in tests I prefer having all the relevant test setup inside the actual test method and not extracting it to another method.</p> <p>In my project, there is alot copied code. I think the main reason was, that I really rarely used <code>return</code> in functions and rather just <code>echo</code>'ed/printed them out.</p> <p>A prime example for code that should be reused is the rendering of posts inside the timeline. In there I created two functions one for the timeline for the current user, and one for the profile page of a user. The two functions are like 80 chars each and are pretty much the same, only the SQL query for getting posts is a little different.</p> <h3> File Structure </h3> <p>Structuring a project isn't easy. While I extracted code to different files, I didn't really grouped it well. There is a file in the project called <code>action/functions.php</code>, and like the name tells, it contains nearly all business logic. Every function in that file, has a header. It looks like this:<br> </p> <div class="highlight"><pre class="highlight php"><code><span class="c1">///////////////////////////////////////////</span> <span class="c1">///////////////////////////////////////////</span> <span class="c1">///////////////See All Posts///////////////</span> <span class="c1">///////////////////////////////////////////</span> <span class="c1">///////////////////////////////////////////</span> <span class="k">function</span> <span class="nf">See_all_post</span><span class="p">(</span><span class="nv">$id</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// content</span> <span class="p">}</span> </code></pre></div> <p>I think I knew what the problem was. But I tried to fix it the wrong way, with literally only garbage comments. It also seems like, I didn't knew <code>ctrl+f</code> existed :D. Anyway, the clear solution for that problem is properly structuring the project. Each feature should get its own folder where views, business logic and routing should stay. With this, finding function should be easy.</p> <h3> Automated Tests </h3> <p>Obviously I didn't wrote tests. Why should I? Most of the YouTube tutorials only specified how to write something, not how to write good maintainable code. Tests verify that your code <em>really</em> works. Here is a good summary why writing tests rocks! <a href="https://stackoverflow.com/a/67500/4244993">stackoverflow: Is Unit Testing worth the effort?</a></p> <p>In <a href="https://github.com/gotify/server">gotify/server</a> I've written unit, integration and end to end tests from the start. It is such a nice feeling to add a feature and still <em>know</em> that the rest still works as intended, because the code is properly tested.</p> <h2> Security </h2> <h3> SQL Injection </h3> <p>Basically every SQL statement in that project is vulnerable. Example, email verification:<br> </p> <div class="highlight"><pre class="highlight php"><code><span class="nb">mysql_query</span><span class="p">(</span><span class="s2">"UPDATE user SET activated = '1' WHERE id='"</span><span class="o">.</span><span class="nv">$_GET</span><span class="p">[</span><span class="s1">'code'</span><span class="p">]</span><span class="o">.</span><span class="s2">"'"</span><span class="p">);</span> </code></pre></div> <p><code>$_GET['code']</code> comes from an query parameter.<br> The user can type anything in it. Like f.ex. malicious SQL like <code>irrelevant' OR 1 = 1 --</code>.<br> This would lead to the following query:<br> </p> <div class="highlight"><pre class="highlight sql"><code><span class="k">UPDATE</span> <span class="k">user</span> <span class="k">SET</span> <span class="n">activated</span> <span class="o">=</span> <span class="s1">'1'</span> <span class="k">WHERE</span> <span class="n">id</span><span class="o">=</span><span class="s1">'irrelevant'</span> <span class="k">OR</span> <span class="mi">1</span> <span class="o">=</span> <span class="mi">1</span> <span class="c1">-- '</span> </code></pre></div> <p>After executing this query, every email would be verified, without actually receiving the email.</p> <p>I've found one query where I used <code>mysql_real_escape_string</code>.<br> </p> <div class="highlight"><pre class="highlight php"><code><span class="nb">mysql_query</span><span class="p">(</span><span class="s2">"INSERT INTO post_comment ( post_id, name, comment, date) VALUES ('"</span> <span class="o">.</span><span class="nv">$post_id</span><span class="o">.</span><span class="s2">"','"</span><span class="o">.</span><span class="nv">$id</span><span class="o">.</span><span class="s2">"','"</span><span class="o">.</span><span class="nb">mysql_real_escape_string</span><span class="p">(</span><span class="nv">$message</span><span class="p">)</span><span class="o">.</span><span class="s2">"','"</span> <span class="o">.</span><span class="nv">$date</span><span class="o">.</span><span class="s2">"')"</span><span class="p">)</span><span class="k">or</span> <span class="k">die</span><span class="p">(</span><span class="nb">mysql_error</span><span class="p">());</span> </code></pre></div> <p>Escaping the message is good, but <code>$id</code> is also user supplied. I think I can safely say, that nearly all inputs on that website are vulnerable.</p> <p>SQL Injection is on place 1 on the <a href="https://owasp.org/www-project-top-ten/">OWASP top ten security risks</a>. Without knowledge it is pretty easy to allow SQL injection and with little knowledge it is also easy to prevent it.</p> <p>The cure are prepared statements. These statements prevent the injection of sql.</p> <p>In PHP prepared statements can be used via <a href="https://www.php.net/manual/en/book.pdo.php">PDO</a>. The above <code>mysql_query</code> can be fixed like this.<br> </p> <div class="highlight"><pre class="highlight php"><code><span class="nv">$pdo</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">PDO</span><span class="p">(</span><span class="s1">'mysql:host=myhost;dbname=social'</span><span class="p">,</span> <span class="s1">'root'</span><span class="p">,</span> <span class="s1">'password'</span><span class="p">);</span> <span class="nv">$statement</span> <span class="o">=</span> <span class="nv">$pdo</span><span class="o">-&gt;</span><span class="na">prepare</span><span class="p">(</span><span class="s2">"UPDATE user SET activated='1' WHERE id=?"</span><span class="p">);</span> <span class="nv">$statement</span><span class="o">-&gt;</span><span class="na">execute</span><span class="p">([</span><span class="nv">$_GET</span><span class="p">[</span><span class="s1">'code'</span><span class="p">]]);</span> </code></pre></div> <h3> Cross-Site Request Forgery (CSRF) </h3> <p>In a CSRF attack, the attacker tries to let the victim submit a malicious web request without knowing it. This could be to gain access to administration stuff or in my case add a new post to the timeline.</p> <p>Here a vulnerable form:<br> </p> <div class="highlight"><pre class="highlight php"><code><span class="nt">&lt;form</span> <span class="na">action=</span><span class="s">"index.php"</span> <span class="na">method=</span><span class="s">"post"</span><span class="nt">&gt;</span> <span class="nt">&lt;textarea</span> <span class="na">name=</span><span class="s">"posttext"</span><span class="nt">&gt;&lt;/textarea&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"submit"</span> <span class="na">name=</span><span class="s">"posten"</span> <span class="na">value=</span><span class="s">"Posten"</span><span class="nt">&gt;</span> <span class="nt">&lt;/form&gt;</span> <span class="cp">&lt;?php</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$_POST</span><span class="p">[</span><span class="s2">"posten"</span><span class="p">])</span> <span class="p">{</span> <span class="nv">$text</span> <span class="o">=</span> <span class="nv">$_POST</span><span class="p">[</span><span class="s2">"posttext"</span><span class="p">];</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$text</span> <span class="o">!=</span> <span class="s2">""</span><span class="p">)</span> <span class="p">{</span> <span class="nx">post_schreiben</span><span class="p">(</span><span class="nv">$text</span><span class="p">,</span> <span class="nv">$userid</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="k">echo</span> <span class="s2">"&lt;p id='falsered'&gt;Content my not be empty&lt;/p&gt;"</span><span class="p">;</span> <span class="p">}</span> <span class="cp">?&gt;</span> </code></pre></div> <p>This following website submits the malious form instantly after visiting the page, the user only have to navigate to this page, and then the message <code>INJECT MESSAGE</code> will be posted on the timeline.<br> </p> <div class="highlight"><pre class="highlight html"><code><span class="cp">&lt;!DOCTYPE html&gt;</span> <span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;form</span> <span class="na">action=</span><span class="s">"http://example.org/index.php"</span> <span class="na">method=</span><span class="s">"post"</span><span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"hidden"</span> <span class="na">name=</span><span class="s">"posttext"</span> <span class="na">value=</span><span class="s">"INJECT MESSAGE"</span><span class="nt">/&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"hidden"</span> <span class="na">name=</span><span class="s">"posten"</span> <span class="na">value=</span><span class="s">"nah"</span><span class="nt">/&gt;</span> <span class="nt">&lt;/form&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="nb">document</span><span class="p">.</span><span class="nx">forms</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">submit</span><span class="p">();</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre></div> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--P-p2vApf--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/vbq54jthplxedh56lcqr.gif" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--P-p2vApf--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/vbq54jthplxedh56lcqr.gif" alt="csrf attack"></a></p> <p>Guarding against CSRF is somewhat more complicated. One way is to add an anti forgery token to the form. This token is generated on the server thus, can't be send from the malious website because it has no knowledge of it. After receiving a from post request from a client, the server then validates the anti forgery token and only then executes the request.</p> <p>Pseudo code for a fix.<br> </p> <div class="highlight"><pre class="highlight php"><code><span class="cp">&lt;?php</span> <span class="nv">$token</span> <span class="o">=</span> <span class="nx">createNewCSRFToken</span><span class="p">()</span> <span class="cp">?&gt;</span> <span class="nt">&lt;form</span> <span class="na">action=</span><span class="s">"index.php"</span> <span class="na">method=</span><span class="s">"post"</span><span class="nt">&gt;</span> <span class="nt">&lt;textarea</span> <span class="na">name=</span><span class="s">"posttext"</span><span class="nt">&gt;&lt;/textarea&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"hidden"</span> <span class="na">name=</span><span class="s">"csrf_token"</span> <span class="na">value=</span><span class="s">"</span><span class="cp">&lt;?=</span><span class="nv">$token</span><span class="cp">?&gt;</span><span class="s">"</span> <span class="err">&lt;</span><span class="na">input</span> <span class="na">type=</span><span class="s">"submit"</span> <span class="na">name=</span><span class="s">"posten"</span> <span class="na">value=</span><span class="s">"Posten"</span><span class="nt">&gt;</span> <span class="nt">&lt;/form&gt;</span> <span class="cp">&lt;?php</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$_POST</span><span class="p">[</span><span class="s2">"posten"</span><span class="p">])</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nx">checkIfCSRFTokenIsValid</span><span class="p">(</span><span class="nv">$_POST</span><span class="p">[</span><span class="s1">'csrf_token'</span><span class="p">]))</span> <span class="p">{</span> <span class="nv">$text</span> <span class="o">=</span> <span class="nv">$_POST</span><span class="p">[</span><span class="s2">"posttext"</span><span class="p">];</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$text</span> <span class="o">!=</span> <span class="s2">""</span><span class="p">)</span> <span class="p">{</span> <span class="nx">write_post</span><span class="p">(</span><span class="nv">$text</span><span class="p">,</span> <span class="nv">$userid</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="k">echo</span> <span class="s2">"&lt;p id='falsered'&gt;Content my not be empty&lt;/p&gt;"</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="k">echo</span> <span class="s2">"&lt;p id='falsered'&gt;Something went wrong try again.&lt;/p&gt;"</span><span class="p">;</span> <span class="p">}</span> <span class="cp">?&gt;</span> </code></pre></div> <h3> Cross-Site-Scripting (XSS) </h3> <p>Cross-Site-Scripting means the attacker injects HTML/JavaScript into the website. The vulnerable part of my project is the comment section of posts.<br> The content of the actual post is secured, guess I partly knew what I was doing.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--XfyVDVYo--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/z9y50szmtu1wppnlinep.gif" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--XfyVDVYo--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/i/z9y50szmtu1wppnlinep.gif" alt="cross site scripting"></a><br> </p> <div class="highlight"><pre class="highlight php"><code><span class="k">if</span> <span class="p">(</span><span class="nv">$_GET</span><span class="p">[</span><span class="s2">"comment"</span><span class="p">]</span> <span class="o">!=</span> <span class="s2">""</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nx">comment_post</span><span class="p">(</span><span class="nv">$userid</span><span class="p">,</span> <span class="nv">$_GET</span><span class="p">[</span><span class="s2">"comment"</span><span class="p">],</span> <span class="nv">$_GET</span><span class="p">[</span><span class="s2">"post_id"</span><span class="p">]))</span> <span class="p">{</span> <span class="k">echo</span> <span class="s2">"Success"</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="k">echo</span> <span class="s2">"Something went wrong"</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="k">echo</span> <span class="s2">"Comment may not be empty"</span><span class="p">;</span> </code></pre></div> <p>To secure the script above, we need to sanitize <code>$_GET["comment"]</code>. In this case <code>htmlentities</code> can be used. This function converts all applicable characters to HTML entities.</p> <p>F.ex. <code>&lt;script&gt;</code> will be converted to <code>&amp;lt;script&amp;gt;</code>. This prevents injecting html into the content of the comment.<br> </p> <div class="highlight"><pre class="highlight php"><code><span class="k">if</span> <span class="p">(</span><span class="nv">$_GET</span><span class="p">[</span><span class="s2">"comment"</span><span class="p">]</span> <span class="o">!=</span> <span class="s2">""</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nx">comment_post</span><span class="p">(</span><span class="nv">$userid</span><span class="p">,</span> <span class="nb">htmlentities</span><span class="p">(</span><span class="nv">$_GET</span><span class="p">[</span><span class="s2">"comment"</span><span class="p">]),</span> <span class="nv">$_GET</span><span class="p">[</span><span class="s2">"post_id"</span><span class="p">]))</span> <span class="p">{</span> <span class="k">echo</span> <span class="s2">"Success"</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="k">echo</span> <span class="s2">"Something went wrong"</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="k">echo</span> <span class="s2">"Comment may not be empty"</span><span class="p">;</span> </code></pre></div> <h3> User Passwords </h3> <p>Passwords aren't easy. <a href="https://security.stackexchange.com/a/31846">This stackoverflow answer</a> summarizes why passwords need to be secured how to secure them properly.</p> <p>TL;DR: Use a cryptographic hash functions, with a salt and make it slow (:.</p> <p>My project uses md5 as hash function without any salt. This is bad because it allows the attack with <a href="https://en.wikipedia.org/wiki/Rainbow_table">Rainbow Tables</a>, this is a table with precomputed hashes, thus allowing a quick lookup of a hash.</p> <p>Adding a salt would still not be enough, because md5 is to fast and can be easily brute forced.</p> <p>PHP provides an simple api for creating and validating secure passwords hashes with good defaults.<br> </p> <div class="highlight"><pre class="highlight php"><code><span class="nv">$pw</span> <span class="o">=</span> <span class="s2">"mypw"</span> <span class="nv">$pwHash</span> <span class="o">=</span> <span class="nb">password_hash</span><span class="p">(</span><span class="nv">$mypw</span><span class="p">,</span> <span class="nx">PASSWORD_DEFAULT</span><span class="p">);</span> <span class="c1">// $pwHash = $2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a</span> <span class="c1">// this hash contains the algorithm and other parameters</span> <span class="c1">// the php default currently is BCrypt</span> <span class="k">if</span> <span class="p">(</span><span class="nb">password_verify</span><span class="p">(</span><span class="nv">$mypw</span><span class="p">,</span> <span class="nv">$pwHash</span><span class="p">))</span> <span class="p">{</span> <span class="k">echo</span> <span class="s2">"SUCCESS"</span><span class="p">;</span> <span class="p">}</span> </code></pre></div> <h3> Hardcoded Passwords </h3> <p>An application internally uses passwords, be it the database credentials or credentials for an online storage like aws.</p> <p>Passwords like this should never be inserted plainly into the code because it is pretty easy to commit them into version control like git or make them browsable via a web server. See <a href="https://feross.org/cmsploit/">1% of CMS-Powered Sites Expose Their Database Passwords</a>.</p> <p>Passwords should either be stored in environment variables or inside config files outside of the web root.</p> <p>In this project, the credentials of the mysql database was stored plainly multiple times in different source files. There had also different passwords, tho there is a lot of unused code inside the project :D.<br> </p> <div class="highlight"><pre class="highlight php"><code><span class="cp">&lt;?php</span> <span class="nb">mysql_connect</span><span class="p">(</span><span class="s1">'mysql'</span><span class="p">,</span> <span class="s1">'root'</span><span class="p">,</span> <span class="s1">'password'</span><span class="p">);</span> <span class="nb">mysql_select_db</span><span class="p">(</span><span class="s1">'dbname'</span><span class="p">);</span> <span class="cp">?&gt;</span> </code></pre></div> <h3> Serverside Authorization </h3> <p>Users should only be able to access/edit resources which they have permission for. F.ex. adding comments to a post from a user that isn't a friend should be prohibited.</p> <p>Code without authorization check:<br> </p> <div class="highlight"><pre class="highlight php"><code><span class="k">if</span> <span class="p">(</span><span class="nv">$_GET</span><span class="p">[</span><span class="s2">"comment"</span><span class="p">]</span> <span class="o">!=</span> <span class="s2">""</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nx">comment_post</span><span class="p">(</span><span class="nv">$userid</span><span class="p">,</span> <span class="nv">$_GET</span><span class="p">[</span><span class="s2">"comment"</span><span class="p">],</span> <span class="nv">$_GET</span><span class="p">[</span><span class="s2">"post_id"</span><span class="p">]))</span> <span class="p">{</span> <span class="k">echo</span> <span class="s2">"Success"</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="k">echo</span> <span class="s2">"Something went wrong"</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="k">echo</span> <span class="s2">"Comment may not be empty"</span><span class="p">;</span> </code></pre></div> <p>Code with authorization:<br> </p> <div class="highlight"><pre class="highlight php"><code><span class="k">if</span> <span class="p">(</span><span class="nv">$_GET</span><span class="p">[</span><span class="s2">"comment"</span><span class="p">]</span> <span class="o">!=</span> <span class="s2">""</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nx">postIsVisibleToUser</span><span class="p">(</span><span class="nv">$userid</span><span class="p">,</span> <span class="nv">$_GET</span><span class="p">[</span><span class="s2">"post_id"</span><span class="p">]))</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nx">comment_post</span><span class="p">(</span><span class="nv">$userid</span><span class="p">,</span> <span class="nv">$_GET</span><span class="p">[</span><span class="s2">"comment"</span><span class="p">],</span> <span class="nv">$_GET</span><span class="p">[</span><span class="s2">"post_id"</span><span class="p">]))</span> <span class="p">{</span> <span class="k">echo</span> <span class="s2">"Success"</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="k">echo</span> <span class="s2">"Something went wrong"</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="k">echo</span> <span class="s2">"Unauthorized"</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="k">echo</span> <span class="s2">"Comment may not be empty"</span><span class="p">;</span> </code></pre></div> <h3> User Input </h3> <p>User input should never be trusted, and always be validated. This includes emails, dates, numbers and so on.</p> <p>Not validating input can lead to bugs because some parts of the application may depend on valid inputs. A good example for this, is the registration. In there the user often adds an email address. If the users provides an invalid email address, intentionally or not the application should present the user an clear error message. Otherwise, password reset or similar functionality may not work.</p> <h2> WTF is this? </h2> <h3> Register </h3> <div class="highlight"><pre class="highlight php"><code><span class="k">function</span> <span class="nf">register</span><span class="p">(</span><span class="nv">$name</span><span class="p">,</span> <span class="nv">$npasswort</span><span class="p">,</span> <span class="nv">$email</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$id1</span> <span class="o">=</span> <span class="nb">rand</span><span class="p">(</span><span class="mi">1000000000</span><span class="p">,</span> <span class="mi">9999999999</span><span class="p">);</span> <span class="nv">$id2</span> <span class="o">=</span> <span class="nb">rand</span><span class="p">(</span><span class="mi">1000000000</span><span class="p">,</span> <span class="mi">9999999999</span><span class="p">);</span> <span class="nv">$id3</span> <span class="o">=</span> <span class="nb">rand</span><span class="p">(</span><span class="mi">1000000000</span><span class="p">,</span> <span class="mi">9999999999</span><span class="p">);</span> <span class="nv">$id4</span> <span class="o">=</span> <span class="nb">rand</span><span class="p">(</span><span class="mi">1000000000</span><span class="p">,</span> <span class="mi">9999999999</span><span class="p">);</span> <span class="nx">db</span><span class="p">();</span> <span class="nv">$sql</span> <span class="o">=</span> <span class="nb">mysql_query</span><span class="p">(</span><span class="s2">"SELECT * FROM user"</span><span class="p">);</span> <span class="nv">$row</span> <span class="o">=</span> <span class="nb">mysql_fetch_assoc</span><span class="p">(</span><span class="nv">$sql</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$row</span><span class="p">[</span><span class="s1">'email'</span><span class="p">]</span> <span class="o">!=</span> <span class="nv">$email</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$row</span><span class="p">[</span><span class="s1">'id'</span><span class="p">]</span> <span class="o">==</span> <span class="nv">$id1</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$row</span><span class="p">[</span><span class="s1">'id'</span><span class="p">]</span> <span class="o">==</span> <span class="nv">$id2</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$row</span><span class="p">[</span><span class="s1">'id'</span><span class="p">]</span> <span class="o">==</span> <span class="nv">$id3</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$row</span><span class="p">[</span><span class="s1">'id'</span><span class="p">]</span> <span class="o">==</span> <span class="nv">$id4</span><span class="p">)</span> <span class="p">{</span> <span class="p">}</span> <span class="k">else</span> <span class="nv">$id</span> <span class="o">=</span> <span class="nv">$id4</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="nv">$id</span> <span class="o">=</span> <span class="nv">$id3</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="nv">$id</span> <span class="o">=</span> <span class="nv">$id2</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="nv">$id</span> <span class="o">=</span> <span class="nv">$id1</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$id</span> <span class="o">!=</span> <span class="s2">""</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// insert user</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre></div> <p>Each user gets an unique id, this part tries to ensure that the id and email is unique. And well, it only checks against the first column inside the table. I say, at least one user will have a unique id. Having a duplicate email, is kinda bad, because it is used for logging in. If the ID is not unique, 4 random generated ids will be checked. If every id exists which is impossible, because only the first row will be checked, the script just does nothing.</p> <h3> Classes where they shouldn't be </h3> <div class="highlight"><pre class="highlight php"><code><span class="kd">class</span> <span class="nc">Login</span> <span class="p">{</span> <span class="k">protected</span> <span class="nv">$_email</span><span class="p">,</span> <span class="nv">$_password</span><span class="p">,</span> <span class="nv">$_result</span><span class="p">;</span> <span class="k">public</span> <span class="k">function</span> <span class="nf">__construct</span><span class="p">(</span><span class="nv">$email</span><span class="p">,</span> <span class="nv">$password</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="na">_email</span> <span class="o">=</span> <span class="nv">$email</span><span class="p">;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="na">_password</span> <span class="o">=</span> <span class="nv">$password</span><span class="p">;</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="nf">Login</span><span class="p">()</span> <span class="p">{</span> <span class="nv">$db</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">Database</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="na">_email</span> <span class="o">!=</span> <span class="s2">""</span> <span class="k">or</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="na">_password</span> <span class="o">!=</span> <span class="s2">""</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="na">_email</span> <span class="o">!=</span> <span class="s2">"E-Mail"</span> <span class="k">and</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="na">_password</span> <span class="o">!=</span> <span class="s2">"password"</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nx">login</span><span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="na">_email</span><span class="p">,</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="na">_password</span><span class="p">))</span> <span class="p">{</span> <span class="c1">// set user onto session</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="na">_result</span> <span class="o">=</span> <span class="s2">"Success"</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">else</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="na">_result</span> <span class="o">=</span> <span class="s2">"Fields may not be empty"</span><span class="p">;</span> <span class="p">}</span> <span class="k">else</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="na">_result</span> <span class="o">=</span> <span class="s2">"Fields may not be empty"</span><span class="p">;</span> <span class="nv">$db</span><span class="o">-&gt;</span><span class="na">disconnect</span><span class="p">();</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="nf">result</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="na">_result</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre></div> <p>Usage:<br> </p> <div class="highlight"><pre class="highlight php"><code><span class="nv">$Login</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">Login</span><span class="p">(</span><span class="nv">$form_email</span><span class="p">,</span> <span class="nv">$form_password</span><span class="p">);</span> <span class="nv">$Login</span><span class="o">-&gt;</span><span class="na">Login</span><span class="p">();</span> <span class="k">echo</span> <span class="nv">$Login</span><span class="o">-&gt;</span><span class="na">result</span><span class="p">();</span> </code></pre></div> <p>This is just a pretty bad example of using classes. Because it give no benefit but just bloats the code. The whole class should just be an function.<br> </p> <div class="highlight"><pre class="highlight php"><code><span class="k">echo</span> <span class="nx">loginUser</span><span class="p">(</span><span class="nv">$form_email</span><span class="p">,</span> <span class="nv">$formPassword</span><span class="p">);</span> </code></pre></div> <h2> Conclusion </h2> <p>As expected my social network delivered, many security vulnerablities, bad code quality and some WTF moments. I enjoyed looking over it. It was a fun ride through the past :D. Thank you 13 year old me, for saving this project on cloud storage and even creating a sql dump from the database. Much appreciated.</p> review security Send Notifications to Android via REST-API Jannis Mattheis Sun, 11 Aug 2019 15:49:26 +0000 https://dev.to/jmattheis/send-notifications-to-android-via-rest-api-14go https://dev.to/jmattheis/send-notifications-to-android-via-rest-api-14go <p>A while ago, I wanted to get notifications when certain events occur on my servers. This could be a SSH-Login or finishing a backup. </p> <p>Back then, I started to self-host services to be less dependent on third-parties and to gain control over my data. After some research, I couldn't find any maintained open source project which had the functionality I wanted, so I started my own named <a href="https://gotify.net/">Gotify</a>.<br> Gotify is a pretty simple service written in Go that exposes a WebSocket endpoint which can be used to subscribe to newly posted messages. Gotify does not depend on <strong>any</strong> third-party service to function, thus does not use google services to deliver push notifications to your phone.</p> <p>In this blog post, I'll show you how to set up Gotify and send some messages to it.</p> <h2> Setting Up Gotify </h2> <p>Gotify can be started via binary or Docker. In this tutorial, I'll use the provided Docker images as they are pretty easy to set up.</p> <p><a href="https://hub.docker.com/r/gotify/server">hub.docker.com/r/gotify/server</a><br> </p> <div class="highlight"><pre class="highlight shell"><code><span class="nv">$ </span>docker run <span class="nt">-p</span> 8080:80 <span class="se">\</span> <span class="nt">-v</span> /var/gotify/data:/app/data <span class="se">\</span> <span class="nt">-e</span> <span class="nv">GOTIFY_DEFAULTUSER_PASS</span><span class="o">=</span>secret <span class="se">\</span> gotify/server:2.0.6 </code></pre></div> <p>or as via docker-compose:<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3'</span> <span class="na">services</span><span class="pi">:</span> <span class="na">gotify</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">gotify/server:2.0.6</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">8080:80</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">/var/gotify/data:/app/data"</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">GOTIFY_DEFAULTUSER_PASS</span><span class="pi">:</span> <span class="s2">"</span><span class="s">secret"</span> </code></pre></div> <p>(start with <code>docker-compose up -d</code>)</p> <p>By default, Gotify uses SQLite as database. Thus, further simplifying the setup because no separate database is needed. SQLite should work well with a small user base, however if you have many concurrent users a different database may improve performance. Besides SQLite Gotify supports PostgreSQL and MySQL/MariaDB.</p> <p><code>/app/data</code> contains the database file (if SQLite is used), images for applications and other stuff. In this example the directory is mounted to <code>/var/gotify/data</code> this directory should be included in a backup.</p> <p><code>-e GOTIFY_DEFAULTUSER_PASS=secret</code> changes the password of the default user which will be created at startup.</p> <p>Have a look at <a href="https://gotify.net/docs/config">gotify.net/docs/config</a> for all configuration options (like different database settings).</p> <h2> First Login / Definitions </h2> <p>By default, the default username/password is <code>admin</code>, however in this tutorial we changed the password to <code>secret</code>. With these credentials it's now possible to login into the WebUI at <a href="http://localhost:8080/">http://localhost:8080/</a> (use the port you specified while starting the docker container).</p> <p>In the UI you can configure different things.</p> <p><strong>Clients</strong>: A client is a device or application that can manage other clients, messages and applications. However, a client is not allowed to send messages.</p> <p>In this case your browser would be a client.</p> <p><strong>Applications</strong>: An application is a device or application that only can send messages.</p> <p>An application could be a raspberry pi which notifies when it reboots.</p> <h2> Sending a message </h2> <p>You need an application to send messages to Gotify. Only the user who created the application is able to see its messages. An application can be added via:</p> <ul> <li>WebUI: click the <code>apps</code>-tab in the upper right corner when logged in and add an application</li> <li>REST-API: <code>curl -u admin:secret -X POST https://yourdomain.com/application -F "name=test" -F "description=tutorial"</code> See <a href="https://gotify.github.io/api-docs/">API-Docs</a> </li> </ul> <p>To authenticate as an application, you need the application token. The token is returned in the REST request and is viewable in the WebUI.</p> <p>After copying the token you can simply use curl, HTTPie or any other http-client to push messages.<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>$ curl -X POST "http://localhost/message?token=&lt;apptoken&gt;" -F "title=my title" -F "message=my message" -F "priority=5" $ http -f POST "http://localhost:8080/message?token=&lt;apptoken&gt;" title="my title" message="my message" priority="5" </code></pre></div> <p>Replace <code>&lt;apptoken&gt;</code> with your application token, it should look like this: <code>AKTlZf.InA3uZHK</code>.</p> <p><code>priority</code> currently only has an effect in the android app, 0 = not intrusive 10 = very intrusive.</p> <p>The UI will render the message as plain text, it is possible to render it as markdown with <a href="https://gotify.net/docs/msgextras">extras</a>.</p> <p>You can use <a href="https://github.com/gotify/cli">gotify/cli</a> to push messages. The CLI stores url and token in a config file.<br> </p> <div class="highlight"><pre class="highlight shell"><code><span class="nv">$ </span>gotify push <span class="nt">-t</span> <span class="s2">"my title"</span> <span class="nt">-p</span> 10 <span class="s2">"my message"</span> <span class="nv">$ </span><span class="nb">echo </span>my message | gotify push </code></pre></div> <p><a href="https://github.com/gotify/cli">Install gotify/cli</a>.</p> <h2> Android App </h2> <p>While the WebUI already creates notifications on new messages, Gotify also has an android app named <a href="https://github.com/gotify/android">gotify/android</a>. It is available in the <a href="https://play.google.com/store/apps/details?id=com.github.gotify">Play Store</a>, on <a href="https://f-droid.org/de/packages/com.github.gotify/">F-Droid</a> and you can download the apk <a href="https://github.com/gotify/android/releases/latest">on the releases page</a>. Setup is straight forward, enter the url to your Gotify instance and login. </p> <p>Be aware: By default Android kills long-running apps as they drain the battery. With enabled battery optimization, Gotify will be killed, and you won't receive any notifications. </p> <p>Here is one way to disable battery optimization for Gotify.</p> <ul> <li>Open "Settings"</li> <li>Search for "Battery Optimization"</li> <li>Find "Gotify" and disable battery optimization</li> </ul> <p>... and that's it! Thanks for reading my first blog post (:.</p> tutorial notifications selfhosted