I have repeatedly kept my confidential information in the file. But I gave the name of the file. I'm looking wrong. What will I do now? I wrote the code well but it looks wrong to me
first you have to create a file named .env,
then in this file you have to put your secret key value that you don't want to share or that is harmful to share,
then you have to call dynamically the secret key name in your main file,
and most importantly you have to add thid .env or write .env to gitignore file.
Related
Eg.: I have a file mycode.py which contains 2 secrets
myfakesecret : "ANSAJHSAKDKDMKADKAMCKSMKSMCKSCC"
MyOriginalSecret: "H%&&^DBSHDBHBBBS%^&&&DSD2343"
I want to ignore myfakesecret but not MyOriginalSecret in truffleHog scan.
If I use --exclude_paths exclude-patterns.txt where exclude-patterns.txt contains mycode.py then truffle hog scan will ignore both secrets.
Can I specify a secret hash or name or any other way to exclude secret not complete file so that it should ignore a particular secret?
Ideally, your code does not include the sensitive secret at all.
That way, truffleHog scan has nothing to ignore/exclude.
mycode.py should read that secret from a file/source outside the repository, at runtime (when you are executing the program.
I have a check.env file, in which I have some variables like
SharedAccessKey=
I want to put a value in the check.env file from my node.js code. Articles on internet are there for updating at the running time of node.js, but my requirement is to change in the file and keep the file with changes made.
How can I accomplish that.
I got this link : How to change variables in the .env file dynamically in Laravel?
but it is in some other language, how can I do in node.js.
I was unable to find out the best solution so went with another solution of mine that I took.
I am using two files now both .env extensions and I am copying main .env file to another empty .env file (like check1.env to check2.env).
Any modifications I am making is in the second file (check2.env).
And I am using string replacement in the .env file, using fs.readLine() and getting the string and the data.replace(), this worked for me.
The reason to use two .env files is that even if I change in the second file, again by copying from the first file I will get same string search and will replace with a different value.
-- Please suggest if there is an any better approach. Thanks
I've changed the workspace ID in both my env file as well as my app.js file just in case. I've installed all the necessary SDK's and have done everything according to the instructions here.
I swapped out the workspace files with my own workspace. But I made all the necessary changes including changing the workspace ID. Not quite sure why i'm still getting the error. Any help would be much appreciated!
Edited: Here are the changes I made to my code
Image
I had the same problem a few days ago. And, to solved this, you can paste the WORKSPACE_ID in this line too!
But, if you want use the .env file, make sure the are no spaces between = and the end of the line.
I will put the print of my app.js as an example to help you:
Actually, both ways work.
My example show this:
username = "<iwdiaowd-jioawjd-ioajgr-ogxgxajofa>"
password = "<xxxxxxxxxxxxxxxxxxxx>"
var workspace = "<59583409583495834590385394>"`
Try edit your .env:
WLP_SKIP_MAXPERMSIZE=true
VCAP_SERVICES={"conversation": [{"name": "conversation-service","label": "conversation","plan": "free","credentials": {"url": "https://gateway.watsonplatform.net/conversation/api","isStreaming": false,"password": "-ReplaceMe-","username": "-ReplaceMe-"}}]}
COLLECTION_NAME=workspace
WORKSPACE_ID=iwdiaowd-jioawjd-ioajgr-ogxgxajofa
LOGGING_ENABLED=false
Q1. Wanted to know how do you read the contents of a file to a variable at boot time in grub.cfg?
Q2. Could that be extended to read an .ini type file where you can read the values for various name entries?
[section]
nothisone=whatever
thisone=this is what I want to get
TIA!!
In order to do exactly what you are asking for, you would probably need to write your own GRUB module.
However, you should be able to achieve what you're after either using the configfile command, or with some clever application of the environment block feature.
Use "source" command to include another config file but unlike "configfile" which will change context.
Source is like an online macro while configfile likes a function - environment changes in configfile will not be preserved but source is expanding whatever in the source file and put in the main block, environment variable can be changed in this way.
https://www.gnu.org/software/grub/manual/grub/grub.html#source
https://www.gnu.org/software/grub/manual/grub/grub.html#configfile
I have a Java Web App running on Tomcat on which I'm supposed to exploit Path traversal vulnerability. There is a section (in the App) at which I can upload a .zip file, which gets extracted in the server's /tmp directory. The content of the .zip file is not being checked, so basically I could put anything in it. I tried putting a .jsp file in it and it extracts perfectly. My problem is that I don't know how to reach this file as a "normal" user from browser. I tried entering ../../../tmp/somepage.jsp in the address bar, but Tomcat just strips the ../ and gives me http://localhost:8080/tmp/ resource not available.
Ideal would be if I could somehow encode ../ in the path of somepage.jsp so that it gets extracted in the web riot directory of the Web App. Is this possible? Are there maybe any escape sequences that would translate to ../ after extracting?
Any ideas would be highly appreciated.
Note: This is a school project in a Security course where I'm supposed to locate vulnerabilities and correct them. Not trying to harm anyone...
Sorry about the downvotes. Security is very important, and should be taught.
Do you pass in the file name to be used?
The check that the server does is probably something something like If location starts with "/tmp" then allow it. So what you want to do is pass `/tmp/../home/webapp/"?
Another idea would be to see if you could craft a zip file that would result in the contents being moved up - like if you set "../" in the filename inside the zip, what would happen? You might need to manually modify things if your zip tools don't allow it.
To protect against this kind of vulnerability you are looking for something like this:
String somedirectory = "c:/fixed_directory/";
String file = request.getParameter("file");
if(file.indexOf(".")>-1)
{
//if it contains a ., disallow
out.print("stop trying to hack");
return;
}
else
{
//load specified file and print to screen
loadfile(somedirectory+file+".txt");
///.....
}
If you just were to pass the variable "file" to your loadfile function without checking, then someone could make a link to load any file they want. See https://www.owasp.org/index.php/Path_Traversal