How secure is devRant? <script>alert("test");</script>

I'm fixing a security exploit, and it's a goddamn mountain of fuckups.

First, some idiot (read: the legendary dev himself) decided to use a gem to do some basic fucking searching instead of writing a simple fucking query.

Second, security ... didn't just drop the ball, they shit on it and flushed it down the toilet. The gem in question allows users to search by FUCKING EVERYTHING on EVERY FUCKING TABLE IN THE DB using really nice tools, actually, that let you do fancy things like traverse all the internal associations to find the users table, then list all users whose password reset hashes begin with "a" then "ab" then "abc" ... Want to steal an account? Hell, want to automate stealing all accounts? Only takes a few hundred requests apiece! Oooh, there's CC data, too, and its encryption keys!

Third, the gem does actually allow whitelisting associations, methods, etc. but ... well, the documentation actually recommends against it for whatever fucking reason, and that whitelisting is about as fine-grained as a club. You wanna restrict it to accessing the "name" column, but it needs to access both the "site" and "user" tables? Cool, users can now access site.name AND user.name... which is PII and totally leads to hefty fines. Thanks!

Fourth. If the gem can't access something thanks to the whitelist, it doesn't catch the exception and give you a useful error message or anything, no way. It just throws NoMethodErrors because fuck you. Good luck figuring out what they mean, especially if you have no idea you're even using the fucking thing.

Fifth. Thanks to the follower mentality prevalent in this hellhole, this shit is now used in a lot of places (and all indirectly!) so there's no searching for uses. Once I banhammer everything... well, loads of shit is going to break, and I won't have a fucking clue where because very few of these brainless sheep write decent test coverage (or even fucking write view tests), so I'll be doing tons of manual fucking testing. Oh, and I only have a week to finish everything, because fucking of course.

So, in summary. The stupid and lazy (and legendary!) dev fucked up. The stupid gem's author fucked up, and kept fucking up. The stupid devs followed the first fuckup's lead and repeated his fuck up, and fucked up on their own some more. It's fuckups all the fucking way down.

So this customer wanted me to create an app using Flutter (user and admin), PHP for the backend, so I made one for him . He seems to complain he can't login to the admin account which he called me to registered for him right after the payment and weeks later.

With deeper investigation , I checked the log he drop the table where users authentication is stored and blame me about that. Which I fixed it lately by creating a table back.

Later I visit my account Shopee , he reviewed me as "THE WORST PROGRAMMER "

So I was like WHAT THE FUCK? YOU DROP THE TABLE WHICH LEAD YOU CANT LOGIN AS AN ADMIN AND BLAME FOR THAT?

'; DROP TABLE users --

"; DROP TABLE users

I just found a vulnerability in my companies software.
Anyone who can edit a specific config file could implant some SQL there, which would later be executed by another (unknowing) user from within the software.

The software in question is B2B and has a server-client model, but with the client directly connecting to the database for most operations - but what you can do should be regulated by the software. With this cute little exploit I managed to drop a table from my test environment - or worse: I could manipulate data, so when you realize it it's too late to simply restore a DB backup because there might have been small changes for who knows how long. If someone was to use this maliciously the damages could be easily several million Euros for some of our customers (think about a few hundred thousand orders per day being deleted/changed).

It could also potentially be used for data exfiltration by changing protection flags, though if we're talking industry espionage they would probably find other ways and exploit the OS or DB directly, given that this attack requires specific knowledge of the software. Also we don't promise to safely store your crabby patty recipe (or other super secret secrets).

The good thing is that an attack would only possible for someone with both write access to that file and insider knowledge (though that can be gained by user of the software fairly easily with some knowledge of SQL).

Well, so much for logging off early on Friday.

Looking through some code from a new project at my old job.

It seems they are sending off some audio files from interviews into an online transcriptions-service, and putting the result unsanitized into a string-concatenated INSERT-statement into the db.

I look forward to the demo, I’m going to yell “single quote Drop table users semicolon dash dash”

A couple of years ago, we decide to migrate our customer's data from one data center to another, this is the story of how it goes well.

The product was a Facebook canvas and mobile game with 200M users, that represent approximately 500Gibi of data to move stored in MySQL and Redis. The source was stored in Dallas, and the target was New York.

Because downtime is responsible for preventing users to spend their money on our "free" game, we decide to avoid it as much as possible.

In our MySQL main table (manually sharded 100 tables) , we had a modification TIMESTAMP column. We decide to use it to check if a user needs to be copied on the new database. The rest of the data consist of a savegame stored as gzipped JSON in a LONGBLOB column.

A program in Go has been developed to continuously track if a user's data needs to be copied again everytime progress has been made on its savegame. The process goes like this: First the JSON was unzipped to detect bot users with no progress that we simply drop, then data was exported in a custom binary file with fast compressed data to reduce the size of the file. Next, the exported file was copied using rsync to the new servers, and a second Go program do the import on the new MySQL instances.

The 1st loop takes 1 week to copy; the 2nd takes 1 day; a couple of hours for the 3rd, and so on. At the end, copying the latest versions of all the savegame takes roughly a couple of minutes.

On the Redis side, some data were cache that we knew can be dropped without impacting the user's experience. Others were big bunch of data and we simply SCAN each Redis instances and produces the same kind of custom binary files. The process was fast enough to launch it once during migration. It takes 15 minutes because we were able to parallelise across the 22 instances.

It takes 6 months of meticulous preparation. The D day, the process goes smoothly, but we shutdowns our service for one long hour because of a typo on a domain name.

closedAt: 1; DROP TABLE `users`; --

story - u get a new job, u really like the boss and work env, have been assigned a v ambitious project.. which involves v critical deploy control, data backfills and multiple level of integrations, takes 2 quarters to complete, in the mean time ur fav boss left for a better job and new boss doesn’t seems to understand the gravity of the project and thinks u r just sitting there twinkling fingers...anyways fast forward to d-day : deploys go fine everything working great... time to run some post deploy scripts for some data consistency, a single change to another piece of code done by some one else 2 days back triggers an additional logic and damn suddenly the app users loose ownership to part of the data they owned... u run history reports, do data loads to assign them back, some data errors out, u r about to manually set that up - u drop ur laptop from ur table and it refuses to restart - and all the Prep data is gone and all the scripts are gone and it’s a weekend so no IT Sypport... u r without a laptop for next 24 hours... the struggle continues... next update on Monday

I am going to set up my own mini company and I am wondering about the name I will choose. Definitely want something strange and sarcastic like "undefined" or "null"...but these two are already taken? I was thinking about "1;DROP TABLE users" but it is too long. Any ideas out there? xD

(I'm not completely sure of what I'm saying here, so don't take this too seriously)

Settling on a language to write the api for ranterix is hard.

I'm finding a lot of things about elixir to be insanely good for a stable api.

But I'm having a lot of gripes with the most important elixir web framework, phoenix.

Take a look at this piece of code from the phoenix docs:

defmodule Hello.Repo.Migrations.CreateUsers do
use Ecto.Migration
def change do
create table(:users) do
add :name, :string
add :email, :string add :bio, :string
add :number_of_pets, :integer
timestamps()
end
end
end

Jesus christ, I hate this shit.

Wtf are create, add and timestamps. Add is somehow valid inside the create, how the fuck is that considered good code? What happens if you call timestamps twice? It's all obscure "trust me, it works" code.

It appears to be written by a child.

js may have a million problems. But one thing I like about CJS (require) or ESM (import) is that there's nothing unexplained. You know where the fuck most things come from.

You default export an eatShit() function on one file and import it from another, and what do you get?
The goddamn actual eatShit function.

require is a function the same way toString is a function and it returns whatever the fuck you had exported in the target file.

Meanwhile some dynamic langs are like "oh, I'll just export only some lang construct that i expect you to specify and put that shit in fucking global of the importing file".

Js is about the fucking freedom. It won't decide for you what things will files export, you can export whatever the fuck you want, strings, functions, classes, objects or even nothing at all, thanks to module.exports object or export statement.

And in js, you can spy on anything external, for example with (...args) => debugger; fnToSpyOn(...args)

You can spoof console.log this way to see what the fuck is calling it (note: monkey patching for debugging = GOOD, for actual programming = DOGSHIT)

To be fair though, that is possible because of being a dynamic lang and elixir is kind of a hybrid typed lang, fair enough.

But here's where i drop the shit.

Phoenix takes it one step further by following the braindead ruby style of code and pretty DSLs.

I fucking hate DSLs, I fucking hate abstraction addiction.

Get this, we're not writing fucking poetry here. We're writing programs for machines for them to execute.

Machines are not humans with emotions or creativity, nor feel.

We need some level of abstraction to save time understanding source code, sure.

But there has to be a balance. Languages can be ergonomic for humans, but they also need to be ergonomic for algorithms and machines.

Some of the people that write "beautiful" "zen" code are the folks that think that everyone who doesn't push the pretty code agenda is a code elitist that doesn't want "normal" people to get into programming.

Programming is hard, man, there's no fucking way around it.

Sometimes operating system or even hardware details bleed into code.

DSLs are one easy way to make code really really easy to understand, but also make it really fucking hard to debug or to lose "programming meaning".