The earliest memory I have of ‘programming’ is in the early/mid 90s when my father brought home a computer from work. We could play games on it … so of course I took the spreadsheet program he used (LOTUS 123, did I date myself with that?) and tried to modify it to print out a helpful message for him. It … halfway worked? At least I could undo it so he could get back to work…

After that, I picked up programming for real in QBASIC (I still have a few of those programs lying around), got my own (junky) Linux desktop from my cousin, tried to learn VBasic (without a Windows machine), and eventually made it to high school… In college, I studied computer science and mathematics, mostly programming in Java/.NET, although with a bit of everything in the mix. A few of my oldest programming posts on this blog are from that time.

After that, on to grad school! Originally, I was going to study computational linguistics, but that fell through. Then programming languages (the school’s specialty). And finally I ended up studying censorship and computer security. That’s about where I am today!

But really, I still have a habit of doing a little bit of everything. Whatever seems interesting at the time!

Prevent JavaScript links by parsing URLs

If you have a website that allows users to submit URLs, one of the (many many) things people will try to do to break your site is to submit URLs that use the javascript: protocol (rather than the more expected http: or https:). This is almost never something that you want, since it allows users to submit essentially arbitrary code that other users will run on click in the context of your domain (and therefore with your site's privileges under the same-origin policy).

So how do you fix it?

First thought would be to try to check the protocol:

> safe_url = (url) => !url.match(/^javascript:/)
[Function: safe_url]

> safe_url('http://www.example.com')
true

> safe_url('javascript:alert(1)')
false
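The regex above only looks at the literal characters at the start of the string, whereas a browser first parses the URL (normalizing case and stripping surrounding whitespace) and then decides what scheme to act on. The following is an added example, not code from the original post: it keeps the naive check for comparison and puts beside it a check that parses the input with the WHATWG URL parser (the global URL class in Node.js and browsers) and accepts only an allowlist of schemes. The `base` parameter is an assumption of this example (it lets relative links like "/about" be judged by the scheme they resolve to); the sample inputs are constructed.

```javascript
// Added example (not the post's code): judge a submitted link by the scheme
// the URL parser reports, not by a pattern match on the raw string.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// The post's first-thought check, kept here only for comparison.
const naiveSafeUrl = (url) => !url.match(/^javascript:/);

// Parse-based check. `base` is an assumed option: when given, relative
// links ("/about") resolve against it and are judged by the resulting scheme.
function safeUrl(input, base) {
  if (typeof input !== 'string') return false;
  let parsed;
  try {
    parsed = base === undefined ? new URL(input) : new URL(input, base);
  } catch (err) {
    return false; // unparseable input is rejected rather than guessed at
  }
  // The parser has already lower-cased the scheme and stripped leading and
  // trailing whitespace, so `parsed.protocol` is what a browser would act on.
  // Anything outside the allowlist (javascript:, data:, vbscript:, ...) fails.
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// Constructed sample inputs: ordinary links, the post's payload, two
// spellings of it that the regex misses, a non-http scheme, a relative path.
const SAMPLES = [
  'http://www.example.com',
  'https://example.com/path?q=1',
  'javascript:alert(1)',
  'JavaScript:alert(1)',
  '  javascript:alert(1)',
  'data:text/html,hello',
  '/relative/path',
];

// Run both checks over the samples; relative paths resolve against an
// assumed site origin so they are judged as https links.
function compareChecks(samples = SAMPLES) {
  return samples.map((s) => ({
    input: s,
    naive: naiveSafeUrl(s),
    parsed: safeUrl(s, 'https://www.example.com'),
  }));
}

console.table(compareChecks());
```

The allowlist is the important design choice: a denylist of bad schemes has to be kept complete forever, while an allowlist of the two or three schemes your site actually links to only ever needs to grow when you decide to support something new.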

read more...


Forcing Secure Cookies Behind an ELB in Ruby/Rails

As part of general security good practices, you should always (whenever possible):

  • use HTTPS to serve all requests
  • serve redirects to upgrade HTTP requests to HTTPS
  • set session cookies to secure and http_only
  • enable HTTP Strict Transport Security (HSTS)

read more...


Tiny Helper Scripts for Command Line MySQL

Quite often, I’ll find myself wanting to query and manipulate MySQL data entirely on the command line. I could be building up a pipeline or working on a task that I’m going to eventually automate but haven’t quite gotten to yet. Whenever I have to do something like that, I have a small pile of scripts I’ve written over time that help out:

  • skiphead: Skip the first line of output, used to skip over headers in a query response
  • skipuntil: Skip all lines until we see one matching a pattern, used to resume partial tasks
  • commaify: Take a list of single values on the command line and turn them into a comma separated list (for use in IN clauses)
  • csv2json: a previously posted script for converting csv/tab delimited output to json
  • jq: not my script, but used to take the output of csv2json and query it further in ways that would be complicated to do with SQL

Admittedly, the first two of those are one-liners and I could easily remember them, but the advantage of a single command that does it is tab completion. sk<tab>, arrow to select which one I want, and off we go. I could put them as an alias, but I don’t always use the same shell (mostly fish, but sometimes Bash or Zsh).

read more...


Listing and Downloading S3 Versions

Today I found the need to look through all old versions of a file in S3 that had versioning turned on. You can do it through the AWS Console, but I prefer command line tools. You can do it with awscli, but the flags are long and I can never quite remember them. So let’s write up a quick script using boto3 (and as a bonus, try out click)!

read more...


AoC 2018 Day 14: Functionally Circular Elfs

Source: Chocolate Charts

Part 1: Create an infinite stream of numbers, by starting with [3, 7] with two pointers: 0 and 1. To add values to the list:

  • Add the current values of the two pointers
    • If the value is less than ten, add that value to the end of the list
    • If the value is greater than or equal to ten, add 1 and then the ones digit to the end of the list
  • Update each pointer by adding the value it is pointing at to its current index plus one

With that algorithm, find the ten digits after a given index.
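The algorithm above is small enough to write out in full, so here is an added example (not the post's solution) that models the recipe list as a lazy generator, as the "infinite stream" framing suggests, and consumes it to read off the ten digits after a given index. One assumption, taken from the "circular" in the title: when a pointer moves past the end of the list it wraps around to the beginning (modulo the current length).

```javascript
// Added example (not the post's solution): Day 14 part 1 as a lazy stream.

// Yield the starting digits, then every digit appended by the rule:
// sum the two pointed-at values; append the tens digit (always 1, since the
// sum is at most 18) when the sum reaches ten, then the ones digit; finally
// move each pointer forward by its own value plus one, wrapping around the
// current list length (assumed from the "circular" framing).
function* recipeStream(start = [3, 7]) {
  const board = start.slice();
  let p0 = 0;
  let p1 = 1;
  yield* board;
  while (true) {
    const sum = board[p0] + board[p1];
    const digits = sum >= 10 ? [1, sum % 10] : [sum];
    for (const d of digits) {
      board.push(d);
      yield d;
    }
    p0 = (p0 + 1 + board[p0]) % board.length;
    p1 = (p1 + 1 + board[p1]) % board.length;
  }
}

// Skip `count` digits of the stream and return the next ten as a string.
function tenAfter(count, start) {
  const out = [];
  let i = 0;
  for (const d of recipeStream(start)) {
    if (i >= count) out.push(d);
    if (out.length === 10) break; // stops the generator; nothing else is built
    i++;
  }
  return out.join('');
}

console.log(tenAfter(9)); // ten digits after the first nine recipes
```

Because the generator only ever holds the list it has produced so far, the consumer decides how far the "infinite" stream is actually materialized; part 1 needs `count + 10` digits and no more.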

read more...