Secure coding answers - James Long by jameslong · Pull Request #102 · erlef/elixir-secure-coding · GitHub
32 changes: 18 additions & 14 deletions modules/2-owasp.livemd
4 changes: 2 additions & 2 deletions modules/3-ssdlc.livemd
Expand Up @@ -47,10 +47,10 @@ A very easy way to prevent secrets being added to files is to access them via En

_Use `System.get_env/1` on line 2._

<!-- livebook:{"attrs":"eyJzb3VyY2UiOiIjIFNETEM6MVxuc3VwZXJfc2VjcmV0X3Bhc3N3b3JkID0gXCJwQHNzdzByZFwiIn0","chunks":null,"kind":"Elixir.GradingClient.GradedCell","livebook_object":"smart_cell"} -->
<!-- livebook:{"attrs":"eyJzb3VyY2UiOiIjIFNETEM6MVxuc3VwZXJfc2VjcmV0X3Bhc3N3b3JkID0gU3lzdGVtLmdldF9lbnYoXCJlbnZhcl9zZWNyZXRcIikifQ","chunks":null,"kind":"Elixir.GradingClient.GradedCell","livebook_object":"smart_cell"} -->

```elixir
result = super_secret_password = "p@ssw0rd"
result = super_secret_password = System.get_env("envar_secret")

case GradingClient.check_answer(SDLC, 1, result) do
:correct ->
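Review bot: `System.get_env("envar_secret")` on the replaced line returns `nil` when that variable is not exported in the Livebook runtime, so `result` silently becomes `nil` instead of a secret; where a missing secret should be a hard failure, `System.fetch_env!("envar_secret")` raises at startup instead. The exercise text explicitly asks for `System.get_env/1`, so this is acceptable for grading; a minor style point is that environment variable names are conventionally upper-case (`ENVAR_SECRET`).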
17 changes: 10 additions & 7 deletions modules/5-elixir.livemd
Expand Up @@ -50,15 +50,15 @@ Beware of functions in applications/libraries that create atoms from input value

_You should get a `true` result when you successfully fix the function._

<!-- livebook:{"attrs":"eyJzb3VyY2UiOiIjIEVMSVhJUl9TRUNVUklUWToxXG5tYWxpY2lvdXNfdXNlcl9pbnB1dCA9IFVVSUQudXVpZDQoKVxuXG50cnkgZG9cbiAgbWFsaWNpb3VzX3VzZXJfaW5wdXRcbiAgIyBPTkxZIENIQU5HRSBORVhUIExJTkVcbiAgfD4gU3RyaW5nLnRvX2F0b20oKVxucmVzY3VlXG4gIGUgLT4gZVxuZW5kIn0","chunks":null,"kind":"Elixir.GradingClient.GradedCell","livebook_object":"smart_cell"} -->
<!-- livebook:{"attrs":"eyJzb3VyY2UiOiIjIEVMSVhJUl9TRUNVUklUWToxXG5tYWxpY2lvdXNfdXNlcl9pbnB1dCA9IFVVSUQudXVpZDQoKVxuXG50cnkgZG9cbiAgbWFsaWNpb3VzX3VzZXJfaW5wdXRcbiAgIyBPTkxZIENIQU5HRSBORVhUIExJTkVcbiAgfD4gU3RyaW5nLnRvX2V4aXN0aW5nX2F0b20oKVxucmVzY3VlXG4gIGUgLT4gZVxuZW5kIn0","chunks":null,"kind":"Elixir.GradingClient.GradedCell","livebook_object":"smart_cell"} -->

```elixir
result =
(
malicious_user_input = UUID.uuid4()

try do
malicious_user_input |> String.to_atom()
malicious_user_input |> String.to_existing_atom()
rescue
e -> e
end
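Review bot: `String.to_existing_atom/1` on the replaced line is the right fix: it only resolves names already present in the atom table and raises `ArgumentError` for an unknown one, so untrusted input can no longer grow the table. Note that the `rescue e -> e` clause below returns the exception as the cell's value, which is what this graded cell expects; in application code that error path should be handled explicitly (or the input matched against an explicit allowlist before conversion) rather than passing the exception through as a result.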
Expand Down Expand Up @@ -175,13 +175,13 @@ end
password = "HASH_OF_THE_USERS_ACTUAL_PASSWORD"
# DO NOT EDIT ANY CODE ABOVE THIS LINE =====================

user_input = "HASH_OF_asdfasdf"
user_input = "HASH_OF_asdfasdflkajsdflkajsdlfkjasdlfkjaldsfkjaldskjflakdsjflaksdjflakjdsflakjsdf"

# DO NOT EDIT ANY CODE BELOW THIS LINE (you may uncomment IO.puts) =============
Benchwarmer.benchmark(fn -> Susceptible.compare(user_input, password) end)
Benchwarmer.benchmark(fn -> Constant.compare(user_input, password) end)

# IO.puts(:comparison_ran)
IO.puts(:comparison_ran)
```

## Boolean Coercion
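Review bot: the lengthened `user_input` on the replaced line changes the input's total length, not how many leading characters it shares with `password`, so it does not isolate the behaviour this exercise is about: a comparison that rejects on a length mismatch before looking at bytes would show the same timing for `Susceptible.compare` and `Constant.compare`. To make the per-byte difference observable, keep `user_input` the same length as `password` and vary only the length of the matching prefix. Uncommenting `IO.puts(:comparison_ran)` is permitted by the comment on the line above it, so that part is fine.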
Expand Down Expand Up @@ -213,7 +213,7 @@ The latter will raise a `BadBooleanError` when the function returns `:ok` or `{:

_Uncomment the if statement that uses the correct boolean comparison._

<!-- livebook:{"attrs":"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","chunks":null,"kind":"Elixir.GradingClient.GradedCell","livebook_object":"smart_cell"} -->
<!-- livebook:{"attrs":"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","chunks":null,"kind":"Elixir.GradingClient.GradedCell","livebook_object":"smart_cell"} -->

```elixir
result =
Expand All @@ -234,6 +234,9 @@ result =
:ok

try do
if SecurityCheck.validate(user_input, password) or raise(SecurityCheck) do
:you_let_a_baddie_in
end
rescue
e -> e
end
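Review bot: `or` on the added `if` line is the strict boolean operator, so a non-boolean return from `SecurityCheck.validate/2` such as `:ok` raises `BadBooleanError` instead of being treated as truthy, which is exactly the property the section text describes (`||` would have accepted it). Two things to check: `raise(SecurityCheck)` only works if `SecurityCheck` is an exception module defined with `defexception`, which is not visible in this hunk; and the `rescue e -> e` clause returns the exception value on every failure path (a `false` from `validate/2` and a non-boolean alike), which lets the grader inspect it but would mask the failure in real code, where the exception should propagate or be logged.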
Expand Down Expand Up @@ -304,12 +307,12 @@ This prevents the table from being read by other processes, such as remote shell

**We have decided that we do not want this ETS table to be read from other processes, so try making it private:**

<!-- livebook:{"attrs":"eyJzb3VyY2UiOiIjIEVMSVhJUl9TRUNVUklUWTozXG5cbiMgT05MWSBFRElUIFRISVMgTElORVxuc2VjcmV0X3RhYmxlID0gOmV0cy5uZXcoOnNlY3JldF90YWJsZSwgWzpwdWJsaWNdKVxuOmV0cy5pbmZvKHNlY3JldF90YWJsZSlbOnByb3RlY3Rpb25dIn0","chunks":null,"kind":"Elixir.GradingClient.GradedCell","livebook_object":"smart_cell"} -->
<!-- livebook:{"attrs":"eyJzb3VyY2UiOiIjIEVMSVhJUl9TRUNVUklUWTozXG5cbiMgT05MWSBFRElUIFRISVMgTElORVxuc2VjcmV0X3RhYmxlID0gOmV0cy5uZXcoOnNlY3JldF90YWJsZSwgWzpwcml2YXRlXSlcbjpldHMuaW5mbyhzZWNyZXRfdGFibGUpWzpwcm90ZWN0aW9uXSJ9","chunks":null,"kind":"Elixir.GradingClient.GradedCell","livebook_object":"smart_cell"} -->

```elixir
result =
(
secret_table = :ets.new(:secret_table, [:public])
secret_table = :ets.new(:secret_table, [:private])
:ets.info(secret_table)[:protection]
)

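Review bot: `[:private]` on the replaced line is the right choice: it restricts both reads and writes to the owner process, whereas the default `:protected` would still let any process on the node, including a remote shell, read the table, which is what the prose above asks to prevent. `:ets.info(secret_table)[:protection]` then returns `:private`. Worth documenting for learners that a private table is deleted when its owner process exits, so in real code the owner must be a long-lived process or the table needs an `:heir` option.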
10 changes: 8 additions & 2 deletions modules/6-cookies.livemd