
The "How to use a Python variable in an external Javascript (Django)" examples are likely vulnerable to an XSS attack, when the variable contains user supplied content.

It's important to output-encode for the correct context. By default, Django encodes template variables for an HTML context, which can allow XSS when output inside a script tag or as a JavaScript file.


Thanks! I'll pass this to the author.

Out of curiosity I've started looking in the Django docs (I'm more of a flask person myself), and they seem to confirm what you're saying. More to the point, the `strings` are the main issue. The default autoescape actually encodes ' and " as HTML entities, but doesn't encode a backslash, so leaving a \ at the end of a ' or " string would escape the string ending - this would be exploitable if the attacker controls two strings of the same "type" in a row.

I guess this is the proper way to do it: https://docs.djangoproject.com/en/5.1/ref/templates/builtins...


If you're interested to explore lots of XSS edge cases, I've found this CTF to be enjoyable.

https://alf.nu/alert1


All JSON serializers worth their salt can serialize a single string to JSON, so the simplest way is to do json.dumps(the_string) and mark the string as safe so that it doesn't get escaped twice.


Simple JSON encoding alone is not sufficient if you put the output into a <script> tag.

<script>const user_input = "</script><script>alert(1)//"; ...


Thanks @GICodeWarrior for taking time commenting on the article. Shamefully, I can already imagine a scenario on how the attack could be carried out. Fortunately, the vulnerability can be corrected by introducing escapejs template filter. Big thanks to @gynvael.


Encoding for each scenario can be quite complex unfortunately. Django does have some template filters to help.

I recommend following the documentation carefully, and using a JSON API or other similarly standard mechanism if the documented options are insufficient.
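An added example, not code from the thread or from Django itself, that puts the two failure modes above side by side: the backslash trick that HTML autoescaping leaves open when an attacker controls two adjacent string literals, and the `</script>` breakout that plain `json.dumps` does nothing about. The `json_for_script` function follows the same idea as Django's `json_script` filter (JSON-encode, then `\u`-escape `<`, `>` and `&`), but is our own implementation; `strip_js_strings` is a deliberately crude scanner, assumed sufficient for the rendered templates here (no regex literals, no block comments). The attacker inputs are constructed for the demonstration.

```python
"""Added example: how a Python string leaks out of a JS string inside <script>.

  1. Django's default HTML autoescape turns ' and " into entities but leaves a
     backslash alone, so a trailing \\ in one literal eats its closing quote and
     the next attacker-controlled literal starts in code context.
  2. json.dumps() escapes quotes and backslashes, but the HTML parser ends a
     <script> element at the first </script regardless of JS string state.
"""
import html
import json
import re

SCRIPT_CLOSE = re.compile(r"</script", re.IGNORECASE)


def strip_js_strings(js):
    """Crude JS scanner: replace every ' or " string literal with an empty
    literal and drop // comments. What survives is what the engine treats as
    code rather than data. Assumes no regex literals or block comments."""
    out, i, n = [], 0, len(js)
    while i < n:
        c = js[i]
        if c in "'\"":
            quote, i = c, i + 1
            while i < n and js[i] != quote:
                i += 2 if js[i] == '\\' else 1   # a backslash escapes the next char
            if i >= n:
                raise ValueError('unterminated string literal')
            out.append(quote + quote)
            i += 1
        elif js.startswith('//', i):
            while i < n and js[i] != '\n':
                i += 1
        else:
            out.append(c)
            i += 1
    return ''.join(out)


def json_for_script(value):
    """JSON-encode, then \\u-escape the characters the HTML parser cares about.
    The result is still valid JSON and still a valid JS expression."""
    return (json.dumps(value)
            .replace('<', '\\u003c')
            .replace('>', '\\u003e')
            .replace('&', '\\u0026'))


def render_html_escaped(a, b):
    """What  var a = '{{ a }}'; var b = '{{ b }}';  renders to under default
    autoescape, modelled with html.escape (entity-encodes ' and ", leaves \\)."""
    return "var a = '%s'; var b = '%s';" % (html.escape(a), html.escape(b))


def render_json(a, b, for_script=True):
    """var a = <json>; var b = <json>;  with plain json.dumps or, by default,
    the <script>-safe variant."""
    enc = json_for_script if for_script else json.dumps
    return "var a = %s; var b = %s;" % (enc(a), enc(b))


def executes_as_code(js, marker='alert('):
    """True if `marker` ends up outside every string literal and comment."""
    return marker in strip_js_strings(js)


def breaks_out_of_script(js):
    """True if the HTML parser would terminate the <script> element early."""
    return bool(SCRIPT_CLOSE.search(js))


def roundtrips(value):
    """The escaped JSON still decodes to the original Python string."""
    return json.loads(json_for_script(value)) == value


# Constructed attacker inputs (hypothetical, for the demonstration).
A_BACKSLASH = '\\'                 # swallows the closing quote of the first literal
B_BREAKOUT = "; alert(1); //"       # now lands in code context
SCRIPT_PAYLOAD = '</script><script>alert(1)//'

if __name__ == '__main__':
    vuln = render_html_escaped(A_BACKSLASH, B_BREAKOUT)
    print(vuln, '-> alert runs:', executes_as_code(vuln))
    plain = render_json(SCRIPT_PAYLOAD, '', for_script=False)
    print(plain, '-> ends <script> early:', breaks_out_of_script(plain))
    safe = render_json(SCRIPT_PAYLOAD, A_BACKSLASH)
    print(safe, '-> alert runs:', executes_as_code(safe),
          'ends early:', breaks_out_of_script(safe))
```

Note that HTML-escaping does stop the `</script>` payload (it becomes `&lt;/script&gt;`), but at the cost of handing the script entity-encoded data, and it does nothing about the backslash; JSON encoding alone fixes the backslash and corrupts nothing, but leaves `</script>` intact. Only the combination is safe in this context, which is why the `escapejs` / `json_script` filters exist.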


Further, security of a marketing site tends to be lower priority than the product itself, and an install script should generally be secured similar to the product.


Yes. We're lamentably probably going to have to move it (the install script), even though it has a nice URL today.

When we picked that URL, the marketing site was created and run by the same people who built the rest of the product, so it didn't seem like a concern at the time.


You can achieve both. The only mistake you made was to half-bake the proxy (doing it for IPv6 only): proxy every http(s) request to tailscale.com. Vercel’s platform is valuable for a whole host of reasons, the networking side isn’t that important, your developers will greatly value the use of Vercel even if every request is being proxied through a web server hosting tailscale.com which responds to a request for /install.sh instead of passing it through to the marketing site.

(In Google Cloud you could do it entirely with load balancing rules, no need to even run a web server)


That is exactly what I want us to do :)


> it has a nice URL today

`curl -fsSL https://install.tailscale.com | sh` wouldn't be any less nice. Append /sh if having something human-friendly at the root is desirable (SEO, etc.), and you're still at the same overall length as today.


> Append /sh if having something human-friendly at the root is desirable

Even this isn't really necessary; curl includes a default user agent header identifying the traffic coming from curl. It's simple enough to direct traffic with the curl user agent header to the script and all other traffic to a static website with directions for how to quick-install.


Very nifty, but I'd argue against it due to possible confusion in various atypical scenarios, such as:

* The user wants to read the script before executing it, and their preferred reader (perhaps due to browser extension or something) is a standard browser.

* The user has `curl` aliased to `curl-impersonate` in order to avoid things like Cloudflare's bot detection (a captcha that triggers on things beyond the HTTP request, like the less fancy TLS handshake of regular curl) -- https://github.com/lwthiker/curl-impersonate

* The user doesn't have curl installed, but has wget / lynx / some headless browser / etc. and expects any of those to work the same as curl.

Not to mention, if a site encouraged users to execute an HTTP response by piping curl into sh, and the response for curl was different than the response otherwise, that just might make the top of HN for being sketchy as hell.


> The user wants to read the script before executing it, and their preferred reader (perhaps due to browser extension or something) is a standard browser.

I mean, the point of wanting to read the script before executing it is to try and protect yourself from malicious scripts that abuse the curl | sh pattern. So since it would be simple enough for a malicious actor to return something different when the user agent indicates the usage of curl, the only responsible thing to do, anyway, is to use curl to download the script to a file, read the file, then execute the file.

> `curl` aliased to `curl-impersonate`

So when the user uses a tool to impersonate a browser, they'll see exactly what they'll see in a browser... which are the quick-install instructions anyway, which can include a note about the user agent, if anyone actually hits this in the real world?

> wget / lynx / some headless browser

Which would provide the quick-install instructions to use curl :)


That's great that DevOps (or whatever their title) owns both product and marketing sites. Far too many companies (and DevOps teams) think the www site is "not important" or "not their core job" and outsource it to either a less qualified team, or out of the company altogether.

From an external perspective no one cares if www going down isn't "your fault" or of "direct impact to the product". It's a corporate black eye either way.


This hasn't been my experience. In my experience, the reason why your ops teams divest themselves from the marketing side is because marketing decides to contract some firm to design their site for them, and the firm decides to deploy to Vercel or WP-Engine or whatever. Then, Marketing comes to ops and says "hey, I need you to change this DNS thing" weeks/months into their engagement, with no understanding of the ramifications. Ops/product team pushes back, because the change would fundamentally break the application. Marketing gets defensive, "we've spent all this time and money on this, you just need to make it work", a broken halfway solution is implemented, and ops/product, in protest, divests themselves from the solution. Bingo bango, shadow IT is ratified, the kludgy hackjob lives in production forever, and no one thinks about it until the next time something breaks.

Reminds me of the time marketing decided to change the logo on the marketing site for the product team I was on without being aware that the site was scraped and redeployed on a different domain (by hand). When the logo changed, the CSS for the image element wasn't updated, truncating part of the logo, proudly displaying the word "ass" as a part of the logo in an unfortunate cropping incident.


"Far too many companies (and DevOps teams) think the www site is "not important" or "not their core job" and outsource it to either a less qualified team, or out of the company altogether"

It's impossible to know because they won't admit it publicly. You are guessing based on some anecdotal experience.

But then again... here's mine! I worked at a very successful SaaS that had (really not kidding) the most incompetent, lazy dope running the www site. He live-edited a "staging" version of the site on the fly (no, it wasn't private, you could access this thing from the internet, and he didn't know or care about that). When he was happy with his changes he'd destroy the live instances behind the load balancer and clone his staging instance without taking it down or running any extra checks. This staging instance was around for years and I don't think he ever bothered doing a system update. Since he didn't use git, I'll bet that at least once he cloned a live instance back to staging to undo a bunch of bork.

I lost count of the incidents. He never detected them himself, was never available to troubleshoot them and was generally a big "durrrr" when you'd finally get him on the call. Example: one time we had a "slow, intermittent errors" customer support ticket surfaced to us, not because it was our job, but because dopey was being an absolute ass to the helpdesk guys. He ran his crap in another AWS account we didn't have access to. About a day later the www site went down completely, so we got hold of the AWS account and dug in. All 5 of the instances behind the load balancer were "unhealthy" for various reasons. Certs expired, disks full, apache stopped. We bounced them, restarted them and sshed in. They all had different versions of the site. It was a complete mess. Turns out dopey wasn't very good at killing the old instances and cloning staging. He was probably live-editing the instances for smaller changes if that seemed easier than a bunch of AWS console work.

Unbelievably he wasn't fired and continued to mismanage the site, and we could do nothing because the head of marketing didn't listen to the head of engineering. They hated each other. The way Marketing saw it "your SRE guys couldn't fix it, they had to wait for <dopey> to get on the call". I'm not even kidding.

Just more anecdotal evidence from me. You might be right.


Alas, the part you're describing as great is written in past tense.


Orgitecture† strikes!

† A systems architecture tightly coupled to the structure of the organization in which it was created.


More widely called Conway’s law…


How can ToolJet relicense AGPL contributions to a less restrictive license?

The code is AGPL and accepts volunteer contributions under that license.

https://github.com/ToolJet/ToolJet/blob/develop/CONTRIBUTING...

However, in their AGPL announcement it says:

> We do have a commercial license that overrides the AGPL license. This commercial license allows organizations to make changes to ToolJet and provide it as a service.

https://blog.tooljet.com/changing-license-to-agpl/#what-some...

Does the hosted ToolJet service include unreleased code, leveraging this commercial license?

Every volunteer contributor would need to agree to relicensing and/or would need to have previously agreed to assign their copyright to ToolJet, right?


Contributors have to agree to a contributor license agreement (CLA) when they create their first PR.


NPTv6 is different from IPv4 NAT and doesn't really have the same issues.

A different solution I've seen proposed for networks with multiple ISPs is to advertise both public prefixes to the network and let each client endpoint figure out which egress to use. This seems like a worse idea though.

The most official approach is to get your own public IPv6 prefix and work with your ISPs to BGP route that to you on both links. However, home and small business ISPs generally don't offer this.


Have you implemented NPTv6 before? What routing product(s) have you implemented this with? Do you happen to have some documentation links handy?

In my experience, this capability is missing from most off-the-shelf solutions, and in the cases where it is available, the documentation of this feature is missing or incomplete.


Here's a list of processors supporting AVX-512:

https://ark.intel.com/content/www/us/en/ark/search/featurefi...

The author mentions it's difficult to identify which features are supported on which processor, but ark.intel.com has a quite good catalog.


If you put your webcam behind your video chat window, you can achieve better eye contact with your remote participants. I wonder how well a webcam can see through these screens and/or how much of a hole would be required in the rendered image to avoid obstructing the camera.


With the right level of integration the camera could subtract the image that is in front of it. That would require having a pretty good model of the point spread function, perfect synchronization etc.

OLEDs have a fast response... I wonder if it would be possible to put the camera shutter and the oled out of phase enough to substantially dim it.

Perhaps polarization could be used to get better isolation.

With all the engineering required to do it, it might be much less expensive to have three or four cameras at the edges of the display, then extract a depth map and resynthesize a view from the perspective of the centre of the screen. :)

Plus that would give you bonus features like being able to automatically blur out or heavily denoise the background. :)


> I wonder if it would be possible to put the camera shutter and the oled out of phase enough to substantially dim it.

That's a neat idea. It reminds me of the early fighter planes that fired bullets between the propeller blades by having the gun driven off the engine, timed so that the bullet passes through the plane of the propeller while the blades are not in the way.

https://en.wikipedia.org/wiki/Synchronization_gear


> I wonder if it would be possible to put the camera shutter and the oled out of phase enough to substantially dim it.

That is exactly the idea, to sync the camera to capture in between OLED pulses. It's not going to be perfect, but then to use computational photography to subtract whatever bleed of pixel color is left.

In theory, it should be totally workable. In practice, I'm not sure what the tradeoffs are in terms of acceptable image quality and resolution for the camera.


I would think a teleprompter style setup should work.

I remember ages ago someone created a reverse version, basically a periscope you hang over the camera on your laptop. I think the idea was you position the window with the face behind the mirror.


Last year showed a smartphone that was exactly like that: The camera was embedded behind the screen. [1]

[1] https://www.cnet.com/news/xiaomi-shows-off-camera-built-into...


When I saw "purebred" and "AKC", my mind immediately went to:

The Bizarre Truth About Purebred Dogs (and Why Mutts Are Better) - Adam Ruins Everything

https://www.youtube.com/watch?v=aCv10_WvGxo



Shelters are full of dogs that breeders surrender because the offspring weren't to their liking or were diseased or inbred. It's quite sad and we shouldn't be supporting purebred breeders anymore. They are trading other creatures' pain for their own gain and profit :-/


Shelters are full of dogs for different reasons. I fully support adopting shelter dogs, but it is a pipe dream to think that folks are going to stop buying breeds. Not only that, but there are good reasons to choose a particular breed since they do have different temperaments and so on.

Not all breeders are equal, and part of the blame is on lack of animal welfare laws, enforcement of such laws, and overly strict breed measures in some areas. Believe it or not, some of the breed regulations are different in different countries [1]. Not only that, but you can't really tell if a puppy is going to be a champion show dog. Most folks don't actually care and only want the breed. Barring physical or temperamental issues, it isn't as likely that the breeder puts them in a home.

Puppy mills are a real problem in the US - again, laws and enforcement should help. I have little hope for these laws being passed in all states since we do poorly enforcing this stuff with farm animals.

[1] Source: I've worked at the local international dog show in Norway the past couple of years. So far, worked with one judge from England and one from Canada.


Shelters are also full of dogs with severe behavioral disorders which can't be treated or managed effectively. How confident are you in selecting a shelter dog which might live with you for another 10, 12 years, versus a dog from a breeder that you know the genealogy of (and therefore the parents, grandparents behavioral traits)?

There's a difference between buying from a backyard breeder who doesn't care about the quality of dogs they're producing, and a quality breeder who vets buyers, parental lines, and has offspring contracts to prevent future unwanted litters.


> How confident are you in selecting a shelter dog which might live with you for another 10, 12 years, versus a dog from a breeder that you know the genealogy of (and therefore the parents, grandparents behavioral traits)?

Very. They put down the dogs with severe behavioral issues (e.g. biting). My local shelter is very good about providing adoption/surrender notes as well as behavioral notes. I decided against adopting a BC mix as they were clear exactly about the time/effort needed - he had been adopted out and resurrendered by a family who was exercising him 3 hours a day and they still couldn't calm his extreme (even for such herding breeds) leash reactivity. The volunteer explicitly recommended against adopting him.

Additionally, I've developed a relationship with a rescue by fostering for them over the years. They exclusively foster-to-adopt, so everyone gets several weeks (more, if they prefer) with their dog before signing papers. Most rescues at least allow you to do that, and I think people should take advantage of it.

I get what you're trying to say. I'll be the first to admit I'm a bleeding heart, and I feel awful for all the surrendered dogs in shelters - especially the ones who've endured abuse by their owners. But I place more stock in being able to live with a dog directly, instead of relying on their genetics. Sites like Petfinder mean you get a selection of dogs across the whole country. Additionally, casual pet owners aren't going to know the difference between a quality breeder and a backyard one. It's genuinely hard to tell unless you know what to look for.

My personal advice for shelters vs breeders is just "don't." People who do need to buy from breeders already know they do, and I'm not at all objecting to that. Everyone else is usually looking for a companion dog, and can find one at a local rescue/shelter.


> People who do need to buy from breeders already know they do

I'm really not a fan of this line of thinking. How do they know? What if they're just starting to get into "dogs" as a more serious hobby, e.g. IPO or rally?

Discussion around "should you buy from a breeder" isn't something that should be stamped out just because you think it's bad for informational hygiene or something. It should be thoughtful and honest.


Okay, let's suppose that suddenly nobody buys from a professional breeder. What would we have instead?

1) Less healthy dogs on average

Zero selection against genetic disorders. Zero surgical procedures by a licensed vet to fix bone problems at birth; why care if "any dog is beautiful as is"?

It is a myth that mixed breeds are free from diseases. Any health problem suffered by a pure breed can appear in a mutt. Dogs are wolves (with a hint of other canines from all around the world, but basically the same species as the gray wolf) and anything that deviates noticeably from a wild gray wolf will have huge health problems by comparison.

2) Randomization of behavioural problems

Owners would just be playing the lottery with this trait. A recipe for disaster when your dog must be trustworthy in society, especially when children or smaller pets are around. I know at least two cases of very good dogs, balanced, well fed and with loving owners, that suddenly went berserk and killed other pets on sight, in front of the owners of both pets. I also know of a case of dogs escaping, attacking and tearing off both arms of an old man.

The solution of "just adopt because any dog can be a good dog with love" is delusional, because not every dog owner is a good owner, a wrong idea of love will spoil your dog, and many breeds are notoriously difficult to manage.

It would be a big mistake to think that pure breeds "are evil by default" and therefore mixed breeds "are good by default". They can combine the best of their parents, but also the worst of both. A mixed breed is unpredictable in many senses. For example, if your mutt has akita inu blood hidden under a furry poodle facade, you must be aware of this. Akitas are solitary and monogamous, whereas gray wolves are more tolerant of the idea of a group.

So in the end it is clearly a lose-lose situation. Bad for dogs and bad for humans. Maybe we would alleviate a little the situation of irresponsible shelters taking in more animals than they can manage, but we would create several bigger and potentially serious problems in the process.


You're using the ad infinitum fallacy. At no point did anyone say that no one should use professional breeders. The point is, "most people don't know how to find a professional breeder". It's exceedingly easy to let 2 dogs of the same breed have puppies. It's a lot harder to screen for personality and physical issues. Additionally, there will always be people buying from professional breeders. So many fields need working dogs for protection, scentwork, hunting, servicework, farmwork, and I'm sure many other fields I'm missing. Additionally, there will always be a demand for show and sport dogs (agility, herding trials, schutzhund, dock jumping). This argument of "let's suppose there is never a purebred dog again" is very confusing for that reason.

Additionally, you would be shocked at the number of people who buy a cute puppy and then are surprised because they didn't realize their adolescent goldendoodle needs more exercise than a 20 minute walk every day, or that their once friendly cattledog puppy is grown up and barking and lunging at every dog that walks by. Again, that's when the onus is on good breeders to ensure that the new owners know what they're getting into. Usually the facebook/craigslist breeders are not good about explaining or requiring this - they'll give away a puppy to anyone who pays. If those same people go through a rescue, they're usually informed by the rescue of the amount of work involved, and can do things like foster-to-adopt to ensure the dog fits their lifestyle.

I love good breeders! They're absolutely fantastic about keeping their puppies healthy, and frequently have clauses about how the dogs must go back to them if the new owners want to give them up. They have careful screening processes and are good about making sure the owners will do the requisite work and training for the dog to be well-behaved and for everyone to be happy. Bad breeders do none of these things, and make the likelihood of genetic disorders higher, not lower. These breeders don't get their puppies checked for the 'bone issues that can be fixed at birth' as you say, and let the unaware owners deal with the fallout.

I'm also confused about your point about irresponsible shelters. Where do you think the animals would be if the shelters didn't take them? They'd be running around on the street, unvaccinated and untrained. Do you really think that's better?


That's totally fair, and I don't disagree. If someone's interested enough in the sport to purchase a dog specially bred for it, I don't think it's unreasonable to expect them do the right research and reference checks. They're probably already going to meets/trials to watch, and can ask handlers there for reputable breeders. That said, both of those sports have mixed breeds competing and thriving. I personally do agility with my mutt, although I recognize that I'd need a different dog and a lot more time/money to do really well. My point was, most dog owners aren't trying to compete at that level - in any dog sport.


Sorry, but no.

Breeders, even if ethical, are part of the problem. Just because they try and reduce the chance of genetic defects by avoiding direct inbreeding, it's still a minor statistical manipulation.

> (and therefore the parents, grandparents behavioral traits)?

Behavioural traits (with very few exceptions) vary more widely in between individuals within a breed than from breed to breed.

I know people can get very defensive about their best friends, but purebreds will have genetic deficiencies. That's no reason to love your current pooch any less, but do give cross-breeds some consideration for your next member of the pack.

As silly as "labradoodle" sounds, these people have the right idea.


What is this dismissive “sorry but no” nonsense I see when people just assume they’re right?

Do you have a source for there being more variation within individuals, such that breed is no longer a predictor of behavioral tendencies?

If you do, can you explain why certain breeds per-capita have such higher bite rates against humans and other dogs?


>Behavioural traits (with very few exceptions) vary more widely in between individuals within a breed than from breed to breed.

No they absolutely do not. There is nothing to suggest this, and overwhelming evidence to the contrary.

>but purebreds will have genetic deficiencies.

No, some subset of purebreds will have genetic defects. Just as some subset of mutts will.

>As silly as "labradoodle" sounds, these people have the right idea.

Why? They are doing the same thing you are complaining about, just using a specific cross of two breeds rather than a specific single breed.


> There is nothing to suggest this, and overwhelming evidence to the contrary.

I'm willing to read a good citation here if you have one, but the "overwhelming evidence" lies on the other side where docile and submissive specimens of fighting breeds and aggressive and dominant specimens of family-friendly breeds can be easily observed. There is plenty to suggest this.

> No, some subset of purebreds will have genetic defects. Just as some subset of mutts will.

These subsets are not equal. I'll clarify in a bit.

> Why? They are doing the same thing you are complaining about, just using a specific cross of two breeds rather than a specific single breed.

That's not how genetics work. Inbreeding increases the number of recessive genes floating around in the gene pool, increasing the number of carriers.

Say, for simplicity's sake, hip dysplasia is bound to a single recessive gene. If you cross a breed that is prone to hip dysplasia with one that isn't, none of the offspring will suffer from hip dysplasia, and it will halve the number of carriers of the recessive gene in the genetic lineup.

Do that a couple of generations with different breeds, and it starts becoming very unlikely that two recessive genes for dysplasia will match up.

Now understand that a lot of genetic diseases are the result of the interactions of many genes of which the exact mechanism is unclear, and it should become clear there is no solid way to prevent a disease from expressing itself through careful monitoring.

For now, the best way to guarantee a healthy dog is to mix in new genes and keep the gene pool healthy, which is very much the opposite of breeding for conformity.


> There's a difference between buying from a backyard breeder who doesn't care about the quality of dogs they're producing, and a quality breeder who vets buyers, parental lines, and has offspring contracts to prevent future unwanted litters.

https://www.telegraph.co.uk/news/uknews/12193472/Crufts-plun...

I know it's the Telegraph. And I know it says that Crufts and the Kennel Club were being criticised. But I've seen a few German Shepherds like the one in the video walking around in Sydney. It's pretty sad. Their hind quarters visibly tremble and at a walking pace you can clearly see they have difficulty walking. So I'm not sure what good 'quality breeders' are.


A single example of a poorly bred German Shepherd (one of the breeds most hit by low quality breeders flooding a market with no regard for the dogs health) is not evidence that good breeders don’t exist.

Good breeders limit or don’t line breed, they import and export stock to maintain diversity, they maintain health records on all litters and their progeny, and they have breeding contracts to prevent future unvetted litters.


And the RSPCA report mentioned at the end of the article: https://www.rspca.org.uk/webContent/staticImages/Downloads/P...


DoorDash (YC S13) | Security Engineers | Mountain View, San Francisco | ONSITE, Full-Time | https://www.doordash.com/

We're looking for multiple application and infrastructure Security Engineers. If you have experience securing webapps/apis -OR- experience securing infrastructure in AWS & Kubernetes, we want to hear from you!

Technologies: Kubernetes, AWS, Python, Django, Java, and more

Areas: Security Tools & Infrastructure, Code Review, Architecture Review, Penetration Testing, and more

Again, we're hiring multiple people; you don't need to excel in every technology and area.

I'm the Head of Security here at DoorDash (former head of Matasano Security's south bay office).

Our hiring process is three steps:

1. Introduction call with me personally (to learn more about DoorDash, not to "tech you out")

2. Application or infrastructure security qualifier

3. On-site interview

We recently closed our $535 million Series D, we are expanding from 600 to 1,600 cities this year, and hiring 250 more people as well. Join us now to help take our security to the next level as our systems evolve to meet and exceed our expansion plans.

Reach out to learn more about DoorDash, and tell me what you want to work on!

[email protected]

https://boards.greenhouse.io/doordash/jobs/802600


DoorDash (YC S13) | Security Engineer | San Francisco, Mountain View | ONSITE, Full-Time, https://www.doordash.com/

Formerly managing Matasano Security's south bay team, I've joined DoorDash as Head of Security to build our internal security team.

We are looking for application and infrastructure Security Engineers to work on a small team (<5) keeping DoorDash secure. If you have experience securing custom web applications and APIs -OR- experience securing infrastructure in Docker & AWS, we want to hear from you!

https://boards.greenhouse.io/doordash/jobs/802600

Technologies: Python, Django, Docker, AWS, and more

Interesting challenges:

* Secure the next iteration of our platform architecture

* Multiple customer types to secure (merchants, dashers, consumers)

* Many external contractors (support, menus, etc.)

* Securing customers and teams without hindering them

Reach out to learn more!

