XACML Rule Subject - logic

I am writing a policy with ordered-permit-overrides for the rules.
Rule 1 permits access to all content for anyone with an appropriate security level.
Rule 2 permits access to some content (3 resources) to anyone with alternative credentials.
Rule 3 denies access to everything else. This is a failsafe if a user has neither the security level or the credentials.
My problem is that I can get my server to run the program and rule 1 works fine. For rule 2 the only result I get if I give the values required is "deny" and if I leave any blank it is "indeterminate." I think the policy isn't running my rule 2 despite using ordered-permit-overrides.
I have tried running the script with rule 3 commented out, and the result is only "indeterminate" or "not applicable."
In rule 1 I left the target empty. For rule 2 I defined resources, but not subjects. Do I need to specify subjects to get this rule to work? Is there something else that could be causing my first and third rules to function, but not my second.

It would be great if you could share your policy here so we could have a look. What are you using to write and test the policy.
As you might know indeterminate is due to an error inside the PDP e.g. you are requiring that an attribute be present but you're not sending it or you're using a string-one-and-only (or any *-one-and-only) function on a missing attribute.
By the way, why don't you use first applicable as a combining algorithm?
Check out the ALFA plugin for Eclipse (it's free) to be able to quickly write your policies without having to know the XACML syntax: http://www.axiomatics.com/axiomatics-alfa-plugin-for-eclipse.html

Related

How to set priority in Microsoft Luis Patterns?

I am using pattern recognition to catch entities with a variable size. Here are situation that i am trying to catch
1- {entity1} (has| had| have) [the] {entity2}
2.1- {entity1} (has| had| have) the {entity2}
2.2- {entity1} (has| had| have) {entity2}
i tried the 1 pattern or the 2.1 and 2.2 at the same time.
The problem is that when i enter: "Person have the properties"
the entity2 is marked as "the properties" instead of just "properties"
Is there a way to mark priority or work around this problem?
Sorry for english mistakes i hope that the question is clear enough.
There is no way you can set priority in LUIS patterns. However, given your situation above, where the entity is getting extracted incorrectly, you might want to make use of explicit lists. You can create an explicit list via the authoring API to allow the exceptions when:
Your pattern contains a Pattern.any
When that pattern syntax allows for the possibility of an incorrect entity extraction based on the utterance.
Also, make sure to refer to the best practices(https://learn.microsoft.com/en-us/azure/cognitive-services/luis/luis-concept-best-practices#do-and-dont) for LUIS apps to make sure your app behaves with improved accuracy.
Hope this helps.

MS Access email validation rule fails

I have used this rule ((Like "*?#?*.?*") And (Not Like "*[ ,;]*")) in MS Access for email validation it's working fine, but when I type this email#youdomain.com###hello it also accepts more # signs how to solve this? The rule is taken from here
You can't reliably validate e-mail addresses using an Access SQL statement or regex for that matter, see this for an example of a regex that still only works on prepared mail addresses, and Access SQL is substantially more limited than regex for text pattern matching.
However, fixing this specific issue is easy:
Just add Not Like "*#*#*" to your statement to disallow multiple # charactes:
((Like "*?#?*.?*") And (Not Like "*[ ,;]*")) And Not Like "*#*#*"

add only certain rules for sonar scanner instead of excluding

Instead of excluding or ignore rules in sonar's property file, I'd like to have only a few certain rules for sonar to analyse, so I don't need to exclude a large number of rules out of 344 rules for c++. How can I do that? (I'm not adding customized rules)
I imageine the syntax would be: (in .properties file)
sonar.issue.include.multicriteria=***
sonar.issue.include.multicriteria.***.ruleKey=cpp:S984
....
EDIT:
1, I need to configure this in a CLI environment.
2, It's about one project, two rule sets. one rule sets for local use and the other one for CI/CD use.
You need to craft a Quality Profile that contains only your rules of interest, and then either make it the default profile for C++, or explicitly assign your project to it.
BTW, correctly setting exclusions in properties (versus through the UI) is quite tricky. I'm not sure about the correctness of the ruleKey field name, and you're probably missing another field in there, but your syntax seems to be on the right track.

Documentation for SpamAssassin rules (HTML_30_40)

I'd like to refine the password reset mails which are sent by my web application to avoid them to be mistaken as spam; a customer forwarded a mail header to me which contains several SpamAssassin rule names.
Some of the rules I could find, e.g. BAYES_40, but others I couldn't find there; those are:
HTML_30_40
TO_NO_BRKTS_HTML_ONLY
TO_NO_BRKTS_NORDNS
TO_NO_BRKTS_NORDNS_HTML
What do these rules mean; are there documentation pages somewhere?
The SpamAssassin which reported them is version 3.3.2; the latest version as of now is 3.4.1. Do those rules still exist?
The HTML_30_40 rule is no longer included in SpamAssassin, but if I remember correctly it was some test that concluded the email consisted of 30-40% HTML codes. Why that has any relevance for spam filtering I cannot see, and probably that is why it is no longer present.. :)
Those other rules still exist in SpamAssassin version 3.4.1. There is no explicit documentation per rule, other than an occasional comment or description along the rule implementation itself:
describe TO_NO_BRKTS_HTML_ONLY To: misformatted and HTML only
describe TO_NO_BRKTS_NORDNS_HTML To: misformatted and no rDNS and HTML only
You are probably sending emails from an ip-address with no reverse-DNS name, and the To: line is poorly formatted. Things should improve significantly if you get the DNS problems fixed (or relay the emails via your ISP) and format the To: line in the email properly, e.g.
To: "J Random User" <jrnd#email>

Do you validate your URL variables?

When you're passing variables through your site using GET requests, do you validate (regular expressions, filters, etc.) them before you use them?
Say you have the URL http://www.example.com/i=45&p=custform. You know that "i" will always be an integer and "p" will always contain only letters and/or numbers. Is it worth the time to make sure that no one has attempted to manipulate the values and then resubmit the page?
Yes. Without a doubt. Never trust user input.
To improve the user experience, input fields can (and IMHO should) be validated on the client. This can pre-empt a round trip to the server that only leads to the same form and an error message.
However, input must always be validated on the server side since the user can just change the input data manually in the GET url or send crafted POST data.
In a worst case scenario you can end up with an SQL injection, or even worse, a XSS vulnerability.
Most frameworks already have some builtin way to clean the input, but even without this it's usually very easy to clean the input using a combination of regular exceptions and lookup tables.
Say you know it's an integer, use int.Parse or match it against the regex "^\d+$".
If it's a string and the choices are limited, make a dictionary and run the string through it. If you don't get a match change the string to a default.
If it's a user specified string, match it against a strict regex like "^\w+$"
As with any user input it is extremely important to check to make sure it is what you expect it is. So yes!
Yes, yes, and thrice yes.
Many web frameworks will do this for you of course, e.g., Struts 2.
One important reason is to check for sql injection.
So yes, always sanitize user input.
not just what the others are saying. Imagine a querystring variable called nc, which can be seen to have values of 10, 50 and 100 when the user selects 10, 50 and 100 results per page respectively. Now imagine someone changing this to 50000. If you are just checking that to be an integer, you will be showing 50000 results per page, affecting your pageviews, server loads, script times and so on. Plus this could be your entire database. When you have such rules (10, 50 or 100 results per page), you should additionaly check to see if the value of nr is 10, 50 or 100 only, and if not, set it to a default. This can simply be a min(nc, 100), so it will work if nc is changed to 25, 75 and so on, but will default to 100 if it sees anything above 100.
I want to stress how important this is. I know the first answer discussed SQL Injection and XSS Vulnerabilities. The latest rave in SQL Injection is passing a binary encoded SQL statement in query strings, which if it finds a SQL injection hole, it will add a http://reallybadsite.com'/> to every text field in your database.
As web developers we have to validate all input, and clean all the output.
Remember a hacker isn't going to use IE to compromise your site, so you can't rely on any validation in the web.
Yes, check them as thoroughly as you can. In PHP I always check the types (IsInt(i), IsString(p)).

Resources