Rack::Cors Configuration Tricks

2020-01-16

cyu’s Rack::Cors middleware is rather handy if want to control your CORS (Cross-Origin Resource Sharing) settings in a Ruby-on-Rails project. Previously, there was a fairly major issue where :credentials => true was the default (which you generally do not want), but there were also some more complicated tweaks that I wanted to make.

One problem I recently had to deal with was wanting to:

Allow CORS connections from arbitrary domains (this site functions as an API)
Do not allow CORS from http domains at all
Only allow cookies (Access-Control-Allow-Credentials) to be sent for sibling subdomains
Prevent cookies from being sent from specific sibling subdomains (that are actually run by a third party)
On development (non-production) versions of the site, allow credentials from localhost

work-on: A Quick Script for Context Switching

2019-05-07

I work on a lot of projects.

$ ls ~/Projects/ | wc -l
      29

$ ls ~/Projects/work/ | wc -l
      67

And that’s just what I have checked out at the moment. 😇

Prevent JavaScript links by parsing URLs

2019-05-02

If you have a website that allows users to submit URLs, one of the (many many) things people will try to do to break your site is to submit URLs that use the javascript: protocol (rather than the more expected http: or https:). This is almost never something that you want, since it allows users to submit essentially arbitrary code that other users will run on click in the context of your domain (same origin policy).

So how do you fix it?

First thought would be to try to check the protocol:

> safe_url = (url) => !url.match(/^javascript:/)
[Function: safe_url]

> safe_url('http://www.example.com')
true

> safe_url('javascript:alert(1)')
false

Forcing Secure Cookies Behind an ELB in Ruby/Rails

2019-04-30

As part of general security good practices, you should always (whenever possible):

use HTTPS to serve all requests
serve redirects to upgrade HTTP requests to HTTPS
set session cookies to secure and http_only
enable HTTP Strict Transport Security (HSTS)

Tiny Helper Scripts for Command Line MySQL

2019-04-27

Quite often, I’ll find myself wanting to query and manipulate MySQL data entirely on the command line. I could be building up a pipeline or working on a task that I’m going to eventually automate but haven’t quite gotten to yet. Whenver I have to do something like that, I have a small pile of scripts I’ve written over time that help out:

skiphead: Skip the first line of output, used to skip over headers in a query response
skipuntil: Skip all lines until we see one matching a pattern, used to resume partial tasks
commaify: Take a list of single values on the command line and turn them into a comma separated list (for use in IN clauses)
csv2json: a previously posted script for converting csv/tab delimited output to json
jq: not my script, but used to take the output of csv2json and query it further in ways that would be complicated to do with SQL

Admitedly, the first two of those are one liners and I could easily remember them, but the advantage of a single command that does it is tab completion. sk<tab>, arrow to select which one I want, and off we go. I could put them as an alias, but I don’t always use the same shell (mostly fish, but sometimes Bash or Zsh).

Listing and Downloading S3 Versions

2019-01-04

Today I found the need to look through all old versions of a file in S3 that had versioning turned on. You can do it through the AWS Console, but I prefer command line tools. You can do it with awscli, but the flags are long and I can never quite remember them. So let’s write up a quick script using boto3 (and as a bonus, try out click)!

AoC 2018 Day 14: Functionally Circular Elfs

2018-12-14

Source: Chocolate Charts

Part 1: Create an infinite stream of numbers, by starting with [3, 7] with two pointers: 0 and 1. To add values to the list:

Add the current values of the two pointers

If the value is less than ten, add that value to the end of the list

If the value is greater or equal to ten, add 1 and then the ones digits to the end of the list

Update each pointer by adding the value it is pointing at to its current index plus one

With that algorithm, find the ten digits after a given index.

AoC 2018 Day 13: Mine Cart Madness

2018-12-13

Source: Mine Cart Madness

Part 1: Load a minecart track that looks like this:
/->-\        
|   |  /----\
| /-+--+-\  |
| | |  | v  |
\-+-/  \-+--/
  \------/
Assuming minecarts follow the tracks and alternate turning left, going straight, and turning right on each intersection (+), where does the first collision occur?

NOTE: Update carts top to bottom, left to right. Carts can collide mid update.

AoC 2018 Day 12: Fat Cellular Automaton

2018-12-12

Source: Subterranean Sustainability

Part 1: Create an infinite 2D cellular automaton with transition rules based on two points to each side, starting with initial state at index 0 to the right.

After 20 generations, what is the sum of indexes of points turned on?

AoC 2018 Day 11: Gridlocked Fuel

2018-12-11

Source: Chronal Charge

Part 1: Define a grid as follows (x,y coordinates + a constant C):

r(x) = x + 10

G(x, y) = hundreds(r(x) * (r(x) * y + C)) - 5

Find the 3x3 area in a 300x300 grid with the highest total G(x, y) .