In this episode I answer a viewer’s question if you can use Docker Compose Watch without a Dockerfile. Actually, it’s more me checking if they are correct. Spoiler alert, they are correct and you can’t use Docker Compose Watch without a Dockerfile. You will get an error message: “can’t watch service [service-name] without a build context”.
Previous video about Docker Compose Watch:
Found this video useful? Then help others find it by liking, subscribing, and sharing.
Have question you want answered in a future video? Pair on a problem? Constructive feedback? Send an email to ask@saturdaymp.com.
May your holidays be filled with more joy then discovering a legacy project with 90% test coverage, the happiness that rivals getting a project out the door on-time and under budget, and secure from sensitive information leaks from too much Christmas cheer.
Happy holidays from SaturdayMP and all the best in 2024!
P.S. – The SaturdayMP virtual office will be closed from Dec 21st to Jan 1st. I’ll still be checking and responding to message but much slower then normal.
In this stunning conclusion to the 3 part series I finally get HTTP Basic Authentication working. Including merging my changes into the main branch in GitLab and making sure it works in staging and production in Render. The video is so long because I made dumb mistake 10 minutes in.
Spoiler: When using the Passenger Docker image it’s really important you don’t delete:
RUN rm -f /etc/service/nginx/down
Found this video useful? Then help others find it by liking, subscribing, and sharing.
Have question you want answered in a future video? Pair on a problem? Constructive feedback? Send an email to ask@saturdaymp.com.
In this episode I get the Basic Authentication NGINX configuration working using the envsubst tool to replace environment variables in the config file. Ran out of time to test the fix in actual staging. That will hopefully be done in the 3rd part of this series.
Watch the previous video in the series:
Found this video useful? Then help others find it by liking, subscribing, and sharing.
Have question you want answered in a future video? Pair on a problem? Constructive feedback? Send an email to ask@saturdaymp.com.
In this episode I explain and then start to add HTTP Basic Authentication to the Saturday MP website which is a Ruby on Rails application hosted on a Passenger Docker image. As usual I ran into some trouble and at the end of the video figured out I should use the envsubst command to dynamically set the Basic Auth, and other values, in the NGINX config.
Found this video useful? Then help others find it by liking, subscribing, and sharing.
Have question you want answered in a future video? Pair on a problem? Constructive feedback? Send an email to ask@saturdaymp.com.
In this episode I find the root flag for the Busqueda machine on Hack the Box. Took a wrong turn looking for Gitea and Git vulnerabilities but eventually found the root flag with help from the walkthrough.
Watch part 2 of me hacking the Busqueda machine:
Thanks to Hack the Box for creating a playground for myself, and others, to learn cyber security skills. Thanks to kavigihan for creating the Busqueda machine.
Found this video useful? Then help others find it by sharing it.
Have question you want answered in a future video? Pair on a problem? Constructive feedback? Send an email to ask@saturdaymp.com.
Thanks to victorajayi9056 for asking the question. Thanks to Docker for creating Docker. That sounded weird. Anyway it has been an invaluable tool for creating development environments for my clients.
Have question you want answered in a future video? A question I should ask you? Pair on a problem? Constructive feedback? Send an email to ask@saturdaymp.com.
In this episode I get a reverse shell working and make some progress on capturing the root flag. Spoiler: There is a self hosted GitHub like website.
Watch part 1 of me hacking the Busqueda machine at:
Thanks to Hack The Box for creating a playground for myself, and others, to learn cyber security skills. Thanks to kavigihan for creating the Busqueda machine:
Have question you want answered in a future video? A question I should ask you? Pair on a problem? Constructive feedback? Send an email to ask@saturdaymp.com.
One of the most common security issues I in code reviews is sensitive information, such as production credentials, API keys, etc, in the source code. The source code I just pulled from the repository. The source code all the developers before me have also pulled down to their local computers. Developers who might not work at the company anymore.
Most people are honest and won’t do anything bad with the information but there are exceptions. Even if developer is honest they might accidently expose the sensitive information such as a stolen laptop or their home network getting compromised.
Some examples of sensitive information I’ve seen:
AWS Simple Email Service (SES) key: This can be used by others to send email as if they are your company. I’ve seen it used by spammers and once AWS notices they will disable your SES account until you can prove to them the problem is fixed.
Production Database credentials: Often this is not a high priority issue because the database is usually not publicly accessible (i.e. behind a firewall) but in one case the production database was accessible on the internet.
FTP credentials to Government Services: Attackers could upload malicious files as if they where company in question.
Private SSH for Production: With this key anyone can log into to production but also pretend to be the production server.
For local development developers shouldn’t need access to the production environments. Instead they should setup the services they need access to on their local development environment such as a local development database.
For 3rd party services that can’t be installed or mimcied locally developers should be given access to a test/development copy. For example, a test S3 bucket instead of production.
Applications should read sensitive information from environment variables. Most frameworks provide a way to store environment variables in a file, usually called .env, and read this file when the application starts. This file contains key-value pairs and looks like:
The .env should never be committed to the repository and ideally added to the .gitignore or equivalent. Instead I recommended committing a .example.env file to the repository which has all the keys expected but not the values. At least not the production values, but possibly some development values. When a developer first sets up their development environment they copy the .env.example to .env and fill in the missing values that they find in the password manager:
DB_USER=devuser
DB_PASSWORD=<local db password>
DB_SERVER=localhost
DB_NAME=dev_db
AWS_S3_BUCKET=test-bucket.s3.us-east.amazonaws.com
AWS_S3_BUCKET_KEY=<get from password manager>
AWS_S3_BUCKET_SECRET=<get from password manager>
How to fix the problem?
Unfortunately you can’t just remove the sensitive information because it is still viewable in the repository history. Also, it might also exist on others that have forked the repository.
If there are multiple credentials you need to remove then pick one and do the following:
Add the sensitive information to your password or secret manager.
Setup a .env file, or something similar, if it does not exist.
Move the sensitive information to the .env file.
Do a release to test you have the sensitive information migrated correctly. You will need to add the sensitive information to the staging/production environment variables or files.
Change the sensitive information (change password, regenerate API key, etc). This should only require an update to the system and the environment variable in production.
Repeat the above steps for the next piece of sensitive information until they are all removed from the respository.
P.S. – Not related to the above post. I’m just really like the new Blink-182 album.
Do I have to die to hear you miss me Do I have to die to hear you say goodbye I don’t want to act like there’s tomorrow I don’t want to wait to do this one more time One more time, one more, one more time, one more time
Posted inSecurity|Taggedcredentials, security|Comments Off on Don’t Commit Sensitive Information to the Repository
In this episode I find the user flag for the Busqueda machine on Hack the Box. Perhaps with a little help from the walkthrough and Chat GPT to assist with my lack of Python knowledge.
Thanks to Hack the Box for creating a playground for myself, and others, to learn cyber security skills. Thanks to kavigihan for creating the Busqueda machine.
Have question you want answered in a future video? A question I should ask you? Pair on a problem? Constructive feedback? Send an email to ask@saturdaymp.com.
