I am using url rewrite controller to make custom urls. No i dont know how to secure them or if the user types some thing else then how do i show a page not found error.
Here is how i am making custom urls in my application index:
$route = new Zend_Controller_Router_Route_Regex(
'([A-Z]*(([\/][A-Z0-9\-]*([\/][A-Z]*)?)?))',
array('controller'=>'Uriprocess','action'=>'index'),
array(1 => 'URI')
);
$router->addRoute('URIPROCESS',$route);
You should check Zend_Controller_Plugin_ErrorHandler
Since the ErrorHandler plugin captures not only application errors,
but also errors in the controller chain arising from missing
controller classes and/or action methods, it can be used as a 404
handler. To do so, you will need to have your error controller check
the exception type.
Related
OpenUI5 version: 1.86
Browser/version (+device/version): Chrome Dev
Upon the authentication I validate the user session:
if (isUserSessionValid) {
const oRouter = UIComponent.getRouterFor(this);
oRouter.navTo("overview");
} else {
this.getOwnerComponent().openAuthDialog();
}
If isUserSessionValid is true, then I forward an user to the internal page, otherwise I show the login dialog.
The problem is, however, that an user can change the value of isUserSessionValid in DevTools and then getting forwarded to the UI5 app internal page. Of course, due to a lack of a valid session, no piece of the business data will be displayed, just an empty UI5 app template, but I would like to prevent even such screen.
If it would be a classical webapp, I would just send an appropriate server response with a redirect to the login page (e.g. res.redirect(403, "/login");). But, if I understand it correctly, since I'm sending am asynchronous request, a plain res.redirect won't work out and I'm required to implement a redirection logic on the UI5-client, which can be manipulated and bypassed by user.
How to prevent a manipulation of a view navigation in UI5 and ensure that unauthorized user can't get any piece of the UI5-app code?
The answer from SAP:
If you want to prevent an unauthorized user from accessing the client-side code (e.g. view/controller) you need to enforce
authorization on the server also for those static files. When bundling
the application code you also need to ensure that those files are
separate from the "public" files. One approach would be to have 2
separate components, one for the public page/auth dialog and one for
the actual application.
My nodejs application uses a basic REST communication style to allow an HTML web ui to pass commands.
For instance:
http://address/api/config/cmd1
http://address/api/config/cmd2
http://address/api/network/cmd3
...
In return, my web ui gets a JSON result of the form:
{
"success": true
}
or
{
"success": false,
"errorMsg": "Wrong parameter blabla"
}
My problem is, I now need to translate error messages on client-side (in many languages), and the english "errorMsg" is too variadic and too long to be a translation key.
So I need something like an "errorCode" (an integer, probably) and I'm searching for a strategy into my nodejs application to manage error codes. I don't really know what is usually done for that, considering I usually use throw new Error("message") to return the message directly to the web ui.
I don't know if it's better to make a list of uniq error codes for all my REST API of a contextual error list for every subset of this API.
UPDATE: finally, I opted for a string error id. For instance, "wrong argument for this command" becomes "WrongArgument" and will be used to identify the error on GUI side and thus, perform the localization process. And finally, I don't need to make the error id uniq.
Using a custom Error class in the back-end with error identifier will allow the front-end to directly use its translation module, without modifications.
From your Server, one can process the standard error by creating a custom class, throw the class, catch it in your controller and send to the front-end the response with correct http status and error id.
The reasons are:
1 - Front-end code maintanability.
2 - Keeping errors systems data on back-end logs because they might be sensitive. It should not be return to the client side.
I agree with naming identifier code instead of using a code number. This because it s hard to pre-define a range for each error type (SQL, API, Authentication...). And it s harder when the error may be found in different service.
Scope: In the front-end service, i define a scope when calling the server, so that if there is need for a global error to be more specific, it is there. The scope is just a string with the name of the page where the ressources is used, also found in JSON lang files.
If 'ld like to check this code out and give comments, it will be great:
'https://codepen.io/Aymer-El/pen/OJoRVgZ'
Also leaving place for a debug message in the response may help front-end devs. Tho, this is optional.
I know I ran across a post at some point, but I can't seem to find anything. It seems that by default, ServiceStack allows access to /auth via GET or POST. GET is not something we want in production.
I need to turn off GET access to /auth. Any ideas?
You can use the AuthenticateServices custom ValidateFn to add your own custom validation, e.g:
AuthenticateService.ValidateFn = (authService, verb, requestDto) => {
if (verb == HttpMethods.Get)
throw new NotSupportedException("GET's not allowed");
};
Otherwise you can add your own Restricting Services Attributes on services you don't own by using the fluent API for dynamically adding attributes, e.g:
typeof(Authenticate)
.AddAttributes(new RestrictAttribute(RequestAttributes.HttpPost));
The app I'm working on has a controller that issues templates to the front end (single page app). It's very basic, and simply consists of
#path = params[:path]
render template: "templates/#{#path}", layout: nil
Here my concern however is the direct use of the users input. Everything about this to me feels like it can be attacked with something as simple as path traversal. The route for this is
get "/templates/:path.html" => "templates#file", constraints: { path: /.+/ }, defaults: { format: 'html' }
I've tried multiple things to attempt a path traversal attack, such as
request /templates/path/to/../somewhere/else.html
request /templates?path=/path/to/../../something.rb
request /templates/index.html?path=/path/to/../../config/something.html
request /templates/path/../../../file.html
Fortunately, I haven't had any success with this. The requests that just start with /templates and don't specify anything after it, don't match the route thanks to the constraint so that is good.
It seems as though when that route is matched, rails doesn't allow you to override the path parameter through a url parameter, so I don't seem to be able to inject it there.
The ones that interest are the first and last examples above, where rails seems to internally be changing the requested URL before invoking the routes file. When I request /templates/path/to/../somewhere/else.html, my console output shows a request for /templates/path/somewhere/else.html. When I make a request for /templates/path/../../../file.html, the log shows a request for /file.html.
Am I missing something somewhere that will leave the app open to security issues, or is this just rails being sensible and protecting itself for me?
UPDATE
I've done some more digging, and if I try doing some URL encoding then I can cause the server to simply not respond at all. If I request /templates/%2e%2e%2f%2e%2e%2f%2e%2e%2ffresult.html then I just get an empty response with a connection: close header.
I assume that the parameter parser higher up in the rack is checking all urls for this type of attack? Regardless, my original question still stands. Am I missing something here?
I want to have a clean URL in CodeIgniter based application for User's Profile Information.
Please Take a look at URL formats below.
Actual URL : http://www.mydomain.com/index.php/users/profile/user1
I'm expecting users to have Personal URL's like
http://www.mydomain.com/user1
http://www.mydomain.com/user2
http://www.mydomain.com/user3
URL http://www.mydomain.com/user1 should process http://www.mydomain.com/index.php/users/profile/user1 in background execution.
I will be removing index.php from URL using Route library.
Thanks in advance for any sort of help.
Have a look at https://www.codeigniter.com/user_guide/general/routing.html.
$route['user(:num)'] = "users/profile/user/$1";
If you mean you want /anyusername to route to the users controller, you would have to put:
$route['(:any)'] = "users/profile/$1";
At the bottom of routes.php and every non user-URL above it. Otherwise every URL would be routed there, obviously. You will need to implement some mechanism in the users-controller to throw 404-errors, since you are routing all requests not catched in the routing rules above.
IN config/routes.php
add this line
$route['user(:num)'] = "users/profile/$1";