Validating Xml Chef template - ruby

Google hasn't helped me with this:
We just started using Chef deployment. (And I'm embarrassingly new to it)
I have a web.config template that will have variables set by a data bag.
Using some free online tools (JSONLint), I was able to find and fix syntax problems in my data bag.
Is there a way to check the template itself?
Online Xml validation tools like this one fail once a Ruby tag <% is found... and this makes sense because it's not valid Xml. Is there a tool/way to validate the Xml in a template so that the Ruby tags are valid?
All I want to know is if syntactically speaking, the file is valid. Logic errors would be dealt with another way... if that makes sense.

You could substitute the values that are supposed to be set by your <%=...%> tags and validate that, since your final .xml file won't contain any of those tags if you did your template correctly.
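One way to do the substitute-then-validate check the answer describes, as an added Ruby example that is not from the question or from Chef itself: a small class stands in for Chef's template context (Chef exposes template variables as instance variables), the ERB is rendered with sample values shaped like the data bag, and REXML is asked whether the result is well-formed XML. The template text, the sample values and the names `TemplateScope`, `render_template`, `check_xml` and `check_template` are all constructed here.

```ruby
require "erb"
require "rexml/document"

# Constructed stand-in for a web.config.erb template (not the asker's file).
GOOD_TEMPLATE = <<~'ERB'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <connectionStrings>
    <add name="Main" connectionString="<%= @conn %>" />
  </connectionStrings>
  <appSettings>
<% @settings.each do |key, value| %>
    <add key="<%= key %>" value="<%= value %>" />
<% end %>
  </appSettings>
</configuration>
ERB

# Same template with a missing </appSettings>, to show the check catching it.
BROKEN_TEMPLATE = <<~'ERB'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
<% @settings.each do |key, value| %>
    <add key="<%= key %>" value="<%= value %>" />
<% end %>
</configuration>
ERB

# Constructed placeholders shaped like the data bag items the real run would supply.
SAMPLE_VARS = {
  conn: "Server=db;Database=app",
  settings: { "Debug" => "false", "Environment" => "staging" }
}.freeze

# Minimal stand-in for Chef's template context: each key becomes an @ivar that ERB can see.
class TemplateScope
  def initialize(vars)
    vars.each { |name, value| instance_variable_set("@#{name}", value) }
  end

  def render(template)
    ERB.new(template).result(binding)
  end
end

def render_template(template, vars)
  TemplateScope.new(vars).render(template)
end

# Well-formedness only: returns {valid:, error:} with the parser's first message line on failure.
# (Logic errors in the template are out of scope, exactly as the question says.)
def check_xml(xml)
  REXML::Document.new(xml)
  { valid: true, error: nil }
rescue REXML::ParseException => e
  { valid: false, error: e.message.lines.first.strip }
end

def check_template(template, sample_vars)
  check_xml(render_template(template, sample_vars))
end

if $PROGRAM_NAME == __FILE__
  { "good" => GOOD_TEMPLATE, "broken" => BROKEN_TEMPLATE }.each do |label, template|
    result = check_template(template, SAMPLE_VARS)
    puts "#{label}: #{result[:valid] ? 'well-formed' : "NOT well-formed (#{result[:error]})"}"
  end
end
```

Two caveats worth keeping in mind: `<%= %>` does not XML-escape what it emits, so a data-bag value containing `&` or `<` would make the rendered file ill-formed even though the template passes with tidy placeholders; either keep the placeholders representative of the real values or emit them through `ERB::Util.html_escape` in the template. And this only checks the XML side; the Ruby inside the tags can be syntax-checked separately with `erb -x -T '-' web.config.erb | ruby -c`, which prints the generated Ruby and asks the interpreter to parse it.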

Related

Proxy to validate xml with xsd

I've been searching for a while for something that can act as a proxy that I can feed it XSDs to validate xml content within the request body of HTTP traffic.
Does anyone know if such a thing exists on Windows or Linux?
I checked out ModSecurity but I am a bit lost on it - I believe SecRule XML may be able to do it, but I can't find how I would go about checking the xml against multiple xsd files to see if it passed any particular one?
validateSchema
Description: This operator requires the request body to be processed as XML.
Example:
SecDefaultAction log,deny,status:403,phase:2
SecRule REQUEST_HEADERS:Content-Type ^text/xml$ \
phase:1,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML
SecRule REQBODY_PROCESSOR "!^XML$" nolog,pass,skip:1
SecRule XML "#validateSchema /path/to/apache2/conf/xml.xsd"
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#validateSchema
I am thinking there is some way of creating Chained rule evaluation and it allows messages through IF any of the rules are met but denies the message through when none are met.
Thank you!
XML / XSD checking in ModSecurity works, but it's not used by a lot of people (unlike the core functionality of ModSec), so I would not be surprised if you found rough edges.
So use with caution and think about alternatives (-> mod_lua, use XML library, etc.).
What stops you from checking them?
SecRule XML "#validateSchema /path/to/apache2/conf/xml.xsd" "phase:2,id:1,log,deny"
SecRule XML "#validateSchema /path/to/apache2/conf/xml2.xsd" "phase:2,id:2,log,deny"
If done this way, you can also branch and skip rules depending on the context. Like Header-X, then pass via id:1, if Header-Not-X, then pass via id:2.
If you lack the ModSecurity knowledge to pull this off, then you might want to buy the ModSec Handbook or look at the tutorials at https://netnea.com.

Go Template - calling another template with multiple parameters

I'm using an application that is getting me some data, and then renders a config file based on a given Go Template. You basically pass a template you've made as a parameter, and the app does its job with it. The template is getting bigger and bigger, so I wanted to wrap some common stuff into sub-templates (I mean, {{ define x }}). The problem I'm encountering is that the sub-template should be passed several parameters, which are not a part of my 'dot', and I can't really find a way to do this in Go.
The best answer I've found is to write some 'dict' function myself, and then use it inside the template, but that would mean I basically need to fork the whole application I'm using to render the template, do like 10-15 line changes, and then use this modified version, which is nonsense.
I'm wondering if there's any real solution for my problem without having to do some crazy forking and writing custom methods on application side?
Edit:
I've already checked Calling a template with several pipeline parameters before, although it's not answering my question, since I need a way to do this using only template file.

JMeter: Script to compare response kept in an external parameterised file

I have following requirement
1. Keep responses in an external xml file.
2. Hit the API and compare the response with external response (Kept in xml file. )
3. Also while comparison, I have to ignore dynamic components like , etc.
4. Also I have to ignore sequence of parameters.
Can you please tell me if there is any such utility/program to do so in JMeter?
Thanks in advance
Regards
Vishal Pachpute
I believe it makes more sense to use XML Schema Assertion. This way you will validate your XML response syntax and structure, elements and attributes, number and order of attributes, data types, etc. but this assertion won't care in the slightest about the content.
You can ask the developers for the .xsd schema; most likely they have it. If not, the majority of IDEs can generate one, and there are even online services.
References:
XML Schema Tutorial
How to Use JMeter Assertions in Three Easy Steps

ApiBlueprints parameter that yield result like Stripe's errors "attributes"?

I'm new to Stripe and I'd like to generate a result that looks like the "Attributes" part of the Errors section: https://stripe.com/docs/api/curl#errors
It looks like a table with two columns, even though it's not a table.
I don't know how I can make this.
For information, I'm using Aglio to generate the template.
Cyril,
There is no easy way to do this in Markdown that I know of. You have two options:
1. Create your own layout template that manually adds this information, then tell aglio to use it.
2. Include some basic HTML in your API Blueprint. Here is an example. It just creates a definition list which describes the error attributes using the same CSS that already exists on the page to describe URI parameters.
You can use Markdown to create the tables of response types and codes, and if you want to use a three-column layout you can use the middle and right CSS classes.
Hope this helps!

How can I validate HTML input to prevent XSS?

For example, StackExchange whitelists a subset of HTML:
https://meta.stackexchange.com/questions/1777/what-html-tags-are-allowed-on-stack-exchange-sites
How could you do that in your controller to make sure user input is safe?
This approach is not identical to StackExchange, but I found the AntiXSS 4.x library to be a simple way to sanitize the input to allow "safe" HTML.
http://www.microsoft.com/en-us/download/details.aspx?id=28589 You can download a version here, but I linked it for the useful DOCX file. My preferred method is to use the NuGet package manager to get the latest AntiXSS package.
You can use the HtmlSanitizationLibrary assembly found in the 4.x AntiXss library. Note that GetSafeHtml() is in the HtmlSanitizationLibrary, under Microsoft.Security.Application.Sanitizer.
using Microsoft.Security.Application;
// GetSafeHtml keeps only allowlisted HTML; call it before the value is stored.
string content = Sanitizer.GetSafeHtml(userInput);
This can be done before saving to the database. The advantage is removing malicious content immediately, and not having to worry about it when you output it. The disadvantage is that it won't handle any existing database content, and you do have to apply this any time you're making database updates.
The alternate approach is to use this method every time you output content.
I'd love to hear what the preferred approach is.
You can try JSoup parser which along with sanitizing your HTML input will also provide many functionalities out of the box.
You can visit http://jsoup.org/ for more details on the JSoup and download the binary from there.
It provides DOM method to traverse through your HTML tree and get desired elements.
Although sanitizing your HTML generated code to prevent an XSS attack is a good practice, I would strongly advise against using any parser to avoid an XSS attack by sanitizing your HTML input.
If your HTML tree is very big then the response time would increase manifold. Instead of sanitizing your HTML tree you should ensure that whatever the user is entering in the FORM is proper and as per the expected value.
You can visit www.owasp.org to know more about how to avoid XSS attacks. The site provides you possible cheat sheets to ensure your HTML tree is free from any XSS attack.
ASP.NET HttpUtility.HtmlEncode() does it for you.
But if you want to block dangerous scripts, first DO NOT insert it to your database. First, clean the HTML Text before inserting to database.
I found a class that does it for you: http://eksith.wordpress.com/2012/02/13/antixss-4-2-breaks-everything/
It works fine and you can add new tags and attributes to custom whitelist of the Sanitizer.
Note: Microsoft Sanitizer and Anti-XSS Library were not useful for me. Maybe you can also try them.
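To make the allowlist approach behind GetSafeHtml and JSoup's cleaner concrete, and to set it beside the encode-everything alternative from the last answer, here is an added Ruby example that is not code from this thread or from either library. It rebuilds the markup from scratch: text is HTML-escaped, only listed tags are re-emitted, only listed attributes on them survive, and `href`/`src` are kept only when the URL is relative or its scheme is http, https or mailto after HTML entities have been decoded. The tag and attribute lists, the small regex tokenizer and the function names are assumptions made for this example; the tokenizer fails closed on markup it cannot tokenize (the tag is dropped and the remainder is escaped), but a production sanitizer should sit on a real HTML parser such as the libraries the answers recommend.

```ruby
require "cgi"

# Allowlist: tag name => attributes permitted on it. Everything else is dropped.
# (Constructed for this example; StackExchange's real list is linked in the question.)
ALLOWED_TAGS = {
  "p" => [], "br" => [], "b" => [], "i" => [], "strong" => [], "em" => [],
  "code" => [], "pre" => [], "blockquote" => [], "ul" => [], "ol" => [], "li" => [],
  "a" => ["href", "title"], "img" => ["src", "alt"]
}.freeze
URL_ATTRS = %w[href src].freeze
SAFE_SCHEMES = %w[http https mailto].freeze

# Tokenizer: split keeps the tag pieces because the pattern is a capture group.
TAG_SPLIT = /(<\/?[A-Za-z][A-Za-z0-9]*[^<>]*>)/
TAG_RE = /\A<(\/?)([A-Za-z][A-Za-z0-9]*)([^<>]*)>\z/
ATTR_RE = /([A-Za-z][A-Za-z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/

# Encode-everything, the HttpUtility.HtmlEncode approach: right when no markup is wanted at all.
def escape_everything(text)
  CGI.escapeHTML(text)
end

# A URL is acceptable when it is relative or its scheme is on the allowlist.
# Whitespace and control characters are removed before looking at the scheme
# because browsers ignore them there ("java\tscript:" still executes).
def safe_url?(value)
  cleaned = value.gsub(/[[:cntrl:]\s]/, "")
  scheme = cleaned[/\A([A-Za-z][A-Za-z0-9+.\-]*):/, 1]
  scheme.nil? || SAFE_SCHEMES.include?(scheme.downcase)
end

# Re-emit one tag from its allowlisted parts only; nil allowlist entry means drop the tag.
def rebuild_tag(closing, name, raw_attrs)
  permitted = ALLOWED_TAGS[name]
  return "" if permitted.nil?          # not allowed: the tag goes, the text around it stays
  return "</#{name}>" if closing
  attrs = raw_attrs.scan(ATTR_RE).filter_map do |attr, dq, sq, bare|
    attr = attr.downcase
    next unless permitted.include?(attr)
    # Decode entities first so "javascript&#58;alert(1)" cannot smuggle a scheme past the check.
    value = CGI.unescapeHTML(dq || sq || bare || "")
    next if URL_ATTRS.include?(attr) && !safe_url?(value)
    " #{attr}=\"#{CGI.escapeHTML(value)}\""
  end
  "<#{name}#{attrs.join}>"
end

# Allowlist sanitizer: text pieces are escaped, tag pieces are rebuilt from scratch.
def sanitize_html(html)
  html.split(TAG_SPLIT).map do |piece|
    if (m = TAG_RE.match(piece))
      rebuild_tag(m[1] == "/", m[2].downcase, m[3])
    else
      CGI.escapeHTML(piece)
    end
  end.join
end

if $PROGRAM_NAME == __FILE__
  # Constructed inputs covering the cases the allowlist has to handle.
  [
    '<a href="javascript:alert(1)">x</a>',
    '<a href="javascript&#58;alert(1)">x</a>',
    '<img src=x onerror=alert(1)>',
    '<script>alert(1)</script>',
    '<a href="https://example.com" target="_blank">link</a>',
    "1 < 2 & 3 > 2"
  ].each { |input| puts "#{input.inspect} => #{sanitize_html(input).inspect}" }
end
```

The two functions correspond to the two positions taken in the thread: `escape_everything` is the right call when the field should never contain markup, and `sanitize_html` is the shape of what an allowlist library does when some markup must survive. Whichever is chosen, the sanitized or encoded form should be produced at the boundary where it is needed (on output for encoding, on input or output for sanitizing), and the allowlist should stay short: every extra tag or attribute is more parser surface to reason about.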
