google safe browsing api url encoding (canonicalization) - google-api

In my application I am checking user-entered URLs for malware by sending them to Google.
To test getting a "malware found" reaction I used the URL http://malware.testing.google.test/testing/malware
To my surprise this URL was not marked as malware.
In fiddling about I found out that when I enter a trailing slash, it does get picked up as malware.
In the documentation it says the URLs need to be canonicalized.
Do any of you know of an implementation of this requirement? (preferably in C#)

Using the link ForguesR provided I have created this C# implementation.
It passes 26 out of the 33 tests from the google test suite found at: https://developers.google.com/safe-browsing/developers_guide_v3#Canonicalization
It has been deemed good enough for production since it doesn't catch the more obscure web pages.
Code: https://dotnetfiddle.net/xO9sWl

I am working on the same problem right now and the only thing I have found is a Java implementation in the jGoogleSafeBrowsing library. Unfortunately, it is stuck to v2 of the API.
Anyhow, you can have a look at the canonicalization code here. Be aware that:
this code is released as open-source under the Creative Commons NC-SA license;
this code may not pass the Google canonicalization test suite.
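An added Python port of the canonicalization steps listed in the v3 developer's guide (trim whitespace, drop the fragment, percent-decode until stable, normalise host and path, re-escape); it is example code written for this thread, not the dotnetfiddle C# implementation above and not Google's own code. It works on the raw bytes so non-ASCII input is escaped byte by byte, and, as the spec requires, it leaves a non-empty path alone, which is why the two test URLs from the question remain distinct after canonicalization.

```python
import re

def _unescape_all(s):
    # Percent-decode until the text stops changing, so %2525 -> %25 -> %
    prev = None
    while prev != s:
        prev, s = s, re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)
    return s

def _ip_to_dotted(host):
    # inet_aton-style host parsing: decimal, octal, hex and fewer than four components
    vals = []
    for p in host.split("."):
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", p): vals.append(int(p[2:], 16))
        elif re.fullmatch(r"0[0-7]*", p): vals.append(int(p, 8))
        elif re.fullmatch(r"[1-9][0-9]*", p): vals.append(int(p))
        else: return None
    last = vals.pop()  # the last component fills every remaining byte
    if len(vals) > 3 or any(v > 255 for v in vals) or last >= 256 ** (4 - len(vals)):
        return None
    n = last
    for i, v in enumerate(vals): n |= v << (8 * (3 - i))
    return ".".join(str((n >> sh) & 0xFF) for sh in (24, 16, 8, 0))

def _canon_path(path):
    # Resolve /./ and /../ and collapse runs of slashes; the query is never touched
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if out: out.pop()
        elif seg not in ("", "."): out.append(seg)
    keep_slash = bool(out) and path.endswith(("/", "/.", "/.."))
    return "/" + "/".join(out) + ("/" if keep_slash else "")

def canonicalize(url):
    # Accepts str or bytes and works byte-wise (latin-1 view of the UTF-8 bytes)
    raw = url if isinstance(url, bytes) else url.encode("utf-8")
    s = re.sub(r"[\t\r\n]", "", raw.decode("latin-1").strip(" \t\r\n"))  # 1: whitespace
    s = _unescape_all(s.split("#", 1)[0])             # 2: drop fragment; 3: decode until stable
    if not re.match(r"[a-zA-Z][a-zA-Z0-9+.-]*://", s):
        s = "http://" + s                             # bare host names get a scheme
    scheme, rest = s.split("://", 1)
    authority, path, query = re.match(r"([^/?]*)([^?]*)(\?.*)?$", rest).groups()
    host = re.sub(r"\.+", ".", re.sub(r":\d*$", "", authority).lower()).strip(".")  # 4
    host = _ip_to_dotted(host) or host                # 4: numeric hosts -> dotted decimal
    result = scheme.lower() + "://" + host + _canon_path(path) + (query or "")  # 5
    return "".join(c if 32 < ord(c) < 127 and c not in "#%" else "%%%02X" % ord(c)
                   for c in result)                   # 6: escape controls, non-ASCII, # and %
```

The canonical form is what goes into the lookup; the trailing-slash behaviour seen in the question is a property of the lookup, not of this step.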

Related

What do protofiles represent for googles API Linter?

Since Google did not create extensive documentation for their API Linter and I cannot find anything from other sources, I wanted to ask here.
From what exactly am I supposed to create proto files and what do they represent?
As I understood, these proto files get checked for compliance with their AIPs.
I'm interested in creating an automatic prototype (Java) to check for customized API rules and am thinking about using Protobuf for this goal. Would this be a pragmatic solution?
Thank you!
As I now understand, Google's API Linter isn't supposed to check an API or a different API specification for compliance.
It checks proto files because they are themselves the API specification and can be converted to code. But before converting them they can be checked against rules they have to comply with.
These rules are not in the proto files (as I initially thought) but in the many Go files under rules/.
Please correct me if you read this and find mistakes! Thanks!

3D Secure songbird js CSP requirements

Our site uses a content security policy with Braintree's implementation of 3D Secure.
There are multiple calls made by songbird.js (the CardinalCommerce implementation of 3D Secure used by Braintree) to third-party sites (such as kg668dbov0.execute-api.us-east-1.amazonaws.com, touchtechpayments.com, or arcot.com) which are not documented in the CSP requirements outlined by Braintree here: https://braintree.github.io/braintree-web/current/.
These calls to third-party sites don't seem to be documented anywhere on the web either, and seem to change at random. Every time there is an undocumented change it breaks our 3DS integration (the iframe doesn't load as the undocumented URL is blocked by the CSP).
The URLs seem to vary based on the card used (touchtechpayments.com seems to be the Revolut one, arcot.com seems to be HSBC), and I can see a couple of others for French banks in our CSP violation report: https://bred.wlp-acs.com for Bred, https://bnpp-3ds.wlp-acs.com for BNP Paribas.
Does anyone know where I can find an up-to-date list of the content security policy requirements for songbird.js?
I've created an issue on the braintree github page:
https://github.com/braintree/braintree-web/issues/497
My list so far:
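An added example, not from the question, Braintree or CardinalCommerce: a small Python triage script for report-uri style CSP violation reports that lists the hosts blocked under frame-src, child-src or connect-src, so a newly appearing ACS host is found from the violation report rather than from a failed checkout. The sample reports are constructed; the two hosts in them are the wlp-acs.com ones named in the question, and the shop.example document URI is a placeholder.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample reports in the report-uri JSON shape (not real traffic). The last one has the
# older shape that carries only violated-directive, with the full directive text rather than its name.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://shop.example/checkout", "effective-directive": "frame-src",'
    ' "violated-directive": "frame-src", "blocked-uri": "https://bred.wlp-acs.com/acs/v1/challenge"}}',
    '{"csp-report": {"document-uri": "https://shop.example/checkout", "effective-directive": "frame-src",'
    ' "violated-directive": "frame-src", "blocked-uri": "https://bnpp-3ds.wlp-acs.com/acs/v2/challenge"}}',
    '{"csp-report": {"document-uri": "https://shop.example/checkout", "effective-directive": "script-src",'
    ' "violated-directive": "script-src", "blocked-uri": "inline"}}',
    '{"csp-report": {"document-uri": "https://shop.example/checkout",'
    ' "violated-directive": "frame-src \'self\'", "blocked-uri": "https://bred.wlp-acs.com/acs/v1/challenge"}}',
]

def blocked_hosts(reports, directives=("frame-src", "child-src", "connect-src")):
    # Group the hosts the policy blocked, keyed by the directive that blocked them.
    # Prefer effective-directive; fall back to the first token of violated-directive.
    found = defaultdict(set)
    for raw in reports:
        body = json.loads(raw).get("csp-report", {})
        tokens = (body.get("effective-directive") or body.get("violated-directive", "")).split()
        directive = tokens[0] if tokens else ""
        host = urlsplit(body.get("blocked-uri", "")).hostname
        if directive in directives and host:      # "inline", "eval", "data" carry no host
            found[directive].add(host)
    return {d: sorted(h) for d, h in found.items()}

def suggest_directives(hosts_by_directive):
    # One line per directive with exact https origins, never a wildcard, for review before deployment
    return [f"{d} " + " ".join(f"https://{h}" for h in hosts)
            for d, hosts in sorted(hosts_by_directive.items())]

if __name__ == "__main__":
    for line in suggest_directives(blocked_hosts(SAMPLE_REPORTS)):
        print(line)
```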

how to send a request to Google Home/Assistant like IFTTT+webhooks

Please point me in the right direction. I'm stuck with a documentation issue. I'm going to code a small service with Google Home for everyone to add a new phrase and make a POST request or answer with specific "TEXT" (like IFTTT run with webhooks) (e.g. "Hey Google, switch my kitchen light" -> the service will send a POST request to my own HTTP server). I know that IFTTT works, but I would like to code the target service for tiny cases with fast response.
I tried to understand all the Google Assistant layers, but still no luck and I didn't find the clear path.
What I have learned is:
1. connect to the Google Account using OAuth 2
2. .... save the phrase and the action for it in my DB - it's OK and a simple way
3. ...??? how to send and to where? in (JSON?) a specific format
4. receive the answer from Google Home to understand the right case and make my action.... (for example: turn on/off the kitchen light)
It should not be as hard as I can imagine.... anyway, please help :).
Appreciate your time and answers and have a nice day!
To learn about extending the Google Assistant, you should look into the documentation for Actions on Google: https://developers.google.com/actions/extending-the-assistant
Although it also seems like you want to use it for Smart Home: https://developers.google.com/actions/smarthome/
You can run the Smart Home sample if you want to see how it works: https://github.com/actions-on-google/actionssdk-smart-home-nodejs

Customer email using .online tld is being rejected

I'm using DotNetKit 1.2.6.5 and SagePayIntegration.Validation() is rejecting a customer email that uses the new .online domain (e.g. foo@bar.online) with
CustomerEMail is invalid.
Is this fixed in 1.2.6.7 or is the source code for SagePay.IntegrationKit.DotNet.dll available somewhere so I can fix it?
Despite access to the source code (many thanks to @DavidG), SagePay Support have confirmed that the actual Gateway does not support all these new domains - so even if I modified the DotNetKit it would still be rejected by the Gateway.
SagePay support were very helpful but ultimately the
"... email domain foo@bar.online is not yet supported on our gateway.
We run development sprints continuously and although there are some
domains we may not yet support, we look to in future, dependent on
impact and demand..."
The SagePay Integration Kit uses this regex to validate email addresses:
[a-zA-Z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-zA-Z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?\.)+(?:[a-zA-Z]{2,4})\b
which unfortunately does not allow extra-long TLDs. Fortunately I have the source code for the kit and I've added it to my GitHub account (along with a bug fix, which is why I had to get it in the first place, as SagePay are not updating it). You can find it here:
https://github.com/WiredUK/SagePay.IntegrationKit
And the Regex you need to edit is this file:
https://github.com/WiredUK/SagePay.IntegrationKit/blob/801f61cf965c391a98a025aa632949719084cef0/ApiRegex.cs
For info, you need to edit the very last part of the expression from {2,4} (which matches 2 to 4 characters in the TLD) to allow more, for example {2,30}.
Edit: And just because I can, I opened an issue and fixed it.
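An added example that is not part of the answer or of the SagePay kit: the pattern quoted above in Python, side by side with the {2,4} to {2,30} change the answer describes, so the two verdicts on foo@bar.online can be checked directly. Using fullmatch is an assumption added here: the pattern as shipped has no ^ and $ anchors, so a plain search would also report an address that is merely embedded in other text.

```python
import re

# The pattern as quoted in the answer; the final group limits the TLD to 2..4 letters,
# which is what rejects a .online address.
ATEXT = r"[a-zA-Z0-9!#$%&'*+/=?^_`{|}~-]+"
SHIPPED = (rf"{ATEXT}(?:\.{ATEXT})*@"
           r"(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?\.)+(?:[a-zA-Z]{2,4})\b")
FIXED = SHIPPED.replace("{2,4}", "{2,30}")  # the single-token change described in the answer

def is_valid(email, pattern=FIXED):
    # Require the whole input to be an address (assumption added for this example; the kit's
    # own call site is not shown in the thread)
    return re.fullmatch(pattern, email) is not None

def appears_in(text, pattern=SHIPPED):
    # What an unanchored search reports: true even when the address is only a substring
    return re.search(pattern, text) is not None

def compare(email):
    # Shipped and corrected verdicts side by side
    return {"shipped": is_valid(email, SHIPPED), "fixed": is_valid(email, FIXED)}
```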

Chasing referrals like ldp.exe in the win32 ldap API

I've been using ldp.exe to guide development of some LDAP code for Active Directory. I'm using the win32 API (wldap32). ldp.exe has been extremely helpful in this regard, because in the right pane of the program it shows (more or less) the actual win32 API functions and arguments used to carry out the commands. I find this particularly helpful when crafting calls for ldap_search. If I can get the search to work in ldp.exe, I can directly translate the search to ldap_search.
This was all working as expected until I tried to query a trusted, linked base domain. For example, I login and authenticate to x.net. But I am trying to query the domain y.net which is trusted from x.net.
A search query like (SAMAccountName=mylogin) with BaseDN DC=x,DC=net works in ldp.exe immediately. If I change the BaseDN to DC=y,DC=net it will not work. However, if I go to Search Options in ldp.exe and check the box for 'Chase Referrals', the query will work.
Here is the problem. I don't know what checking that box does in terms of win32 API calls. When I query BaseDN DC=y,DC=net with ldap_search directly the return code is LDAP_REFERRAL.
At first, I thought fixing it would be as simple as calling ldap_set_option with LDAP_OPT_REFERRALS, but that doesn't seem to be enough. I've tried setting various other referral-related flags like LDAP_OPT_REFERRAL_HOP_LIMIT to larger numbers, hoping that is my problem, but nothing seems to work.
I suppose that one possibility is that ldp.exe is actually following those referrals manually with additional function calls (but not actually showing it on the GUI). However, I have not found any good examples of how to do that. If anyone has an example of that, it would be greatly appreciated.
Additionally, I know this query can work because I have access to C# code using DirectoryEntry and DirectorySearcher that works fine in this case.
Does anyone know what is going on in ldp.exe 'Chase Referrals' and how to translate it to the win32 API?
If you see the ldp.exe console output, the win32 API ldap_search also gets LDAP_REFERRAL. However, ldp.exe does follow referrals with additional functions which we don't see in the console, as those are not APIs.
