DEV Community: Philipp

Qu’est-ce que tu feras après un attack cyber

Philipp — Fri, 09 Jul 2021 20:05:09 +0000

Introduction

J’ai utilisé Cockpit CMS un logiciel avec plusieurs de problèmes sécurité. Il y a deux ans j’ai pensé il est le meilleur logiciel pour moi parce que il est simple pour utiliser est il fonctionne avec plusieurs langues aussi. J’ai lis le code et j’ai connu le problème sécurité.

Il y a deux semaines j’ai reçu un émail de un spécialiste sécurité qui piraté mon installation cockpit et demande récompense. J’ai utilisé le récent logiciel encore.
Le piratage utilisé un « NoSQL injection » bug avec le champ d’entree pour mod de passe.

Qu’est-ce que j’ai fais

Bloque accès sous mod de pass avec « basic auth » dans Apache.
Change tout des jeton accès et mod de pass pour tout les utilisateurs.
Utilise sauvegarde parce que je ne sais pas si quelques informations être changé avec le piratage.
Change tout le logiciel que j’ai crée de utiliser le nouveau « basic auth » et un Access Token de Cockpit.
Crée security.txt fiches pour tout mon site de web.

Et maintenant?

Je recherché des option de change cette système avec un logiciel plus sécurité.

Memorize Keyboard shortcuts for every editor you use

Philipp — Tue, 27 Apr 2021 20:45:23 +0000

As coders we use our editors a lot. If we want to type faster wouldn’t learning the editors keyboard shortcuts help? Let’s see. We change our coding tools a lot if you’ve been programming for a few years I bet you don’t use the editor you learned coding in.

Learning your current editors shortcuts just sets you up for learning it all over again once a better editor comes around or your preferred editor doesn’t support a platform you are programming for. Sure sometimes you can import your old editors shortcuts and change the key mappings.
Wouldn’t it be great though if there were shortcuts that worked almost out of the box for all your editors — current and future?

There is, meet vim. Not vim itself. After all we want to get work done and not show off how nerdy we are.
There is a vim extension for most editors and the best news is the shortcuts you learned once work everywhere.

Granted vim looks pretty intimidating and like a tool only the uber nerd would use. At least that’s what I thought until I dug deeper into it and found it pretty helpful. You don’t have to master it for it to be useful. 15 or 20 out of hundreds of possible shortcuts will give you a boost you wouldn’t want to miss ever again.

It took me about two weeks to getting used to it and now I don’t want to miss it.

I learned it on https://vim-adventures.com sure there are books I even bought some but I would recommend against using books to learn vim. Once you know your way around vim https://vimtricks.com has nice tips for every experience level to get your game to the next level.

Links

Adding an Apple Watch App or Widget to Cordova

Philipp — Fri, 16 Apr 2021 19:31:14 +0000

Intro

If you want to add native code to Cordova you’re pretty much on your own because the framework won’t help you with it.
Trying to add an iOS 14 widget and an Apple Watch app cost me 2 weeks of digging around in Cordovas source code and figuring out the Xcode project file. This article hopes to save you those 2 weeks.

The method

So obviously the first thing you would try when doing anything that has to do with a native feature in Cordova is you wold look for a plugin that does it for you. Unfortunately the few plugins that exist don’t work anymore. So we need to get our hands dirty ourselves.

The biggest pain point when integrating native features in Cordova is that the Xcode project file is created on every build overwriting any change you did manually.

The birds eye view of what I did is:

Build the Cordova app to generate the Xcode config
Add the iOS 14 widget and the Apple Watch target
See what parts of the Xcode config step 2 changed
Write a script to make those changes on every build

Build the Cordova app to generate the Xcode config

This part is very simple. Just build your app the way you always do. After you build the app, Cordova will have regenerated the Xcode project file at platforms/ios/yourapp.xcodeproj/project.pbxproj. Store this file at a different location or check it in to git, you will compare it with a later version.

Add the iOS 14 widget and the Apple Watch target

Now add your iOS 14 or Apple Watch target. If you have both I would recommend doing them one by one.
Since there are plenty of tutorials on this part I won’t go into detail here.

See what parts of the Xcode config step 2 changed

Now that you have two Xcode config files we need to compare the contents. Since the files are sort of json (they aren’t real json and can’t be parsed as such) you could just compare them with a graphical diffing tool such as Xcode -> Open Developer Tool > FileMerge. It is helpful to have an understanding of how the Xcode config file works.
The way I found very helpful though was to convert both Xcode config files into json and then using an online tool to compare them. Apple provides a tool to convert legacy plist (which is what the Xcode config is) into json.

convert with plutil -convert json project.pbxproj
diff the json with http://jsondiff.com/

Write a script to make those changes on every build

Birds eye view:

Cordova build
Runs add watch / widget hook
Hook converts Xcode config to json
Hook adds stuf to the Xcode config as json
Hook converts the Xcode config back to the legacy plist format so Cordova is happy

Now this is the hard part. You might want to break it into steps and keep comparing the result of your script with the Xcode config you got after adding the Watch app or iOS 14 widget.

Because there are no good parsers for the Xcode config (except the one of CocaPods maybe but that’s Ruby and I don’t know Ruby yet) I opted to just convert the Xcode config in a Cordova hook to json and edit it.

Since the Xcode config is just a legacy plist file Xcode will recognize it if it is converted to json. So we just leave it as json right? Well I wish it was that easy but there is also Cordova and that has it’s own Xcode config parser that is actually quite bad cordova-node-xcode. It must have the legacy plist format and to make matters even worth it also needs the comments preserved.

What I ended up doing was converting the json back to the legacy plist format that Cordova know how to handle. Since there is no code for that already I wrote it.

Converting json Xcode config to legacy plist format

The Xcode config in legacy plist format looks like this

// !$*UTF8*$!
{
    archiveVersion = 1;
    classes = {
    };
    objectVersion = 46;
    objects = {

    // add sections here

    };
    rootObject = "...projectid..." /* Project object */;
}

The objects object holds Xcode config sections. Each object has a property named isa. For Cordova to recognize this file you need to loop through all the objects in your json and sort them by the isa. Then wrap each ISA section with the following comments.

/* Begin PBXBuildFile section */

// ...

/* End PBXBuildFile section */

Where PBXBuildFile in this example is just on ISA but you would have to do this for all the ISAs in your Xcode config.

If you’re curios why on earth we’d need to retain the comments https://github.com/apache/cordova-node-xcode/blob/master/lib/parser/pbxproj.js#L235. This is unfortunately the way the “parser” for Cordova is build.

Also see http://www.monobjc.net/xcode-project-file-format.html for information on the Xcode config file format.

Adding the script as Cordova hook

The script you just wrote needs to be run by Cordova on each build process.

In your config.xml add

    <hook src="hooks/convert.py" type="before_run" />
    <hook src="hooks/convert.py" type="before_build" />

Cordova bugs

There are plenty of bugs in Cordova making our lives harder here that we need to adress.

Cordovas ProjectFile.js has code that overwirtes the bundle id of every Xcode build target to the one defined in config.xml. This is bad because the widget and watch targets need differing bundle ids.
Some upcoming version of Cordova might include a fix but for now an easy solution is to:

Fix the file on the fly with our hook. See https://github.com/apache/cordova-ios/issues/764#issuecomment-669317730 for details on how the file needs to be patched.
If you are using the iOS 14 widget or if your Apple Watch app is written in Swift you also need to patch a line in Cordovas config that breaks Swift code.
Comment out the following line
SWIFT_OBJC_BRIDGING_HEADER = $(PROJECT_DIR)/$(PROJECT_NAME)/Bridging-Header.h in build.xcconfig. This has to do with https://issues.apache.org/jira/browse/CB-10072.
Note though that if you have a Cordova plugin that is written in swift it might break by changing that line and you’d need a different solution. Since support for most Cordova plugins was dropped long ago and are written in ObjC it wasn’t an issue for me.

There is one more bug worth mentioning although I didn’t find a way to do anything about it https://github.com/apache/cordova-ios/issues/1049 it basically prevents building the app without a real smartphone attached if you have the watch target.

And certainly not the last Cordova bug only the last I ran into. You can’t set a version lower than iOS 14 because for Cordova you need to set every target to the same minal version and the widget (at least if you wrote it with SwiftUI) requies iOS 14.

Resources

Encrypting cron emails with GPG

Philipp — Sat, 10 Apr 2021 21:12:57 +0000

Introduction

You might have your server setup in such a way that it runs a few tasks with cron so you don’t have to worry about them. Except.. you should. That is if the scheduled tasks send mission critical information over the internet. Now assume you have some kind of security audit software running like say lynis. You sure don’t want that report in the wrong hands since an attacker could really use that information to break into your server way easier than otherwise.

Assumptions

You are familiar with GPG
You have root access to your linux web server
Your server runs on a recent Ubuntu
Cron is already configured to send emails

Encrypting

There are basically two ways of encrypting emails one is GPG and the other S/MIME. We will be using GPG. Further this article assumes you are familiar with GPG.

Upload your public key (ending in .asc) to your server /home is a good place.
that the key can actually be read by the command we will be using, it has to be slightly modified. To be precise the ASCII amor has to be removed we need the key in binary form. This is archived by the following command.

gpg --dearmor < /home/YOURPUBLICKEY.asc > /home/YOURPUBLICKEY.asc.gpg

Add this line at the top of your /etc/crontab just after MAILTO=you@example.de. You need to replace the email address and the public key path.

GPG_CMD = "ifne /usr/bin/gpg --batch --armor --trust-model always --no-default-keyring --keyring /home/YOURPUBLICKEY.asc.gpg --recipient you@example.de --encrypt"

For this command to work we need the program ifne installed. Usually if a command has no output to /dev/stdout or /dev/stderr gpg would encrypt an empty string and you would receive an encrypted email that has no content once decrypted. This would be annoying ifne prevents this. To install it run.

apt-get install moreutils

Now in /etc/crontab you can simply pipe the output to gpg and enjoy encrypted emails.

* * * * * root /bin/echo "gpg test" | $GPG_CMD

I got the inspiration for this from this a site that is unfortunately offline for a few days now (checked April 2021).

Server Authentication With Client Certificate X.509

Philipp — Sat, 03 Apr 2021 03:43:07 +0000

Introduction

Basics of setting up certificate based authentication on Apache.

Assumptions

Your Server is already configured to use SSL/TLS. This is required because the browser refuses to use its certificate for authentication on an insecure connection.

Creating all the files we need

Note: The key sizes and expiration dates must be adjusted to suite your need.

Create the CA

openssl genrsa -out CA.key 2048
openssl req -x509 -new -nodes -key CA.key -days 7300 -out CA.pem

Create a signing request and signing it with the CA private key

openssl genrsa -out alice.key 2028
openssl req -new -key alice.key -out alice.csr
openssl x509 -sha256 -req -in alice.csr -out alice.crt -CA CA.pem -CAkey CA.key -CAcreateserial -days 1095

Convert the alice.crt to alice.p12 so a browser knows what to do with it. (Note: On safari the .p12 file has to have a password for the import to work)

openssl pkcs12 -export -clcerts -in alice.crt -inkey alice.key -out alice.p12

Convert the .p12 to .pam so tools like curl can use it

openssl pkcs12 -in alice.p12 -out alice.pem -clcerts

Configuring Apache

copy your CA.pem in a file readable by apache. In my case it is /home/CA.pem but this might differ for your server.

in your virtual hosts configuration file add SSLCACertificateFile and SSLVerifyClient like shown below.

<IfModule mod_ssl.c>
<VirtualHost *:443>

    SSLCACertificateFile /home/CA.pem
    SSLVerifyClient require


# ..... your additional configuration here
# .....

</VirtualHost>
</IfModule>

Finally… we can use it

To use the certificate with curl

curl -E alice.pem https://restricted.example.de

To install in Safari on a Mac just double click the .p12 file and follow the instructions

To install on iOS the file can be send by email (messengers don’t work) and installed by tapping on it and following the instructions. If the file is considered a production file it should NOT be send over the internet instead plug in a usb cord and transfer via iTunes.