Caleb Cushing's Blog

Beware of SQL injection with Spring Boot and Flyway

So this is a hard to accomplish exploit, and is really only accomplishable by first exploiting another exploit first, or by an employee with some level of trusted access, though this employee might not normally have actual database access. I do believe you should be aware of it, as it leaves open an avenue you may not be thinking of. A sample application So the first thing we need is an application that uses Flyway, let’s just use the Spring Boot Flyway Sample. Read more →

Log (CRLF) Injection with SLF4J

At my job we have a CIO installed policy of remediating issues found by a static analysis tool and what it finds are most targeted at finding security issues. Currently this tool is Veracode, and I don’t recommend it, it misses more problems than it finds, and what it finds, including this issue, are often false positives. Our most common issue, is CRLF (Carriage Return Line Feed) or other log injection, which we have mitigated in a custom log appender (which Veracode doesn’t recognize). Read more →

Continuous Integration with Wercker and Maven

I’m going to walk you through getting mvn test running in wercker, on the new docker based api. First let’s talk about what Wercker is and why you’d want to use it. Wercker a continuous integration and deployment web application. It will all you to run any language or stack. It currently is free for both private and public repositories; I am hopeful that once it comes out of beta it will maintain reasonable pricing for small personal private projects (Most CI’s are ridiculously priced for hobby projects). Read more →

Announcing Dist::Zilla::Plugin::Catalyst

So I just recently finished reading Restful Web Services and decided I wanted to go back and play with Catalyst and REST some. The original way to create a Catalyst skeleton is to run catalyst.pl. This creates a lot of nice files to get you started. dzil new basically does the same thing for a generic cpan module. Honestly, without any plugins dzil new isn’t that useful. However, once you add Git::Init , you remove several steps from the creation of a new module and repository. Read more →

cat that displays tabs at 4 spaces

So in the tabs vs spaces war I’m squarely on the side of use tabs. tabs have meaning. tabs allow people to set there editor’s to whatever space display width their eyes are comfortable with as opposed to what yours are (e.g. you like 2 spaces I like 4). However, I’ve heard the argument what about when you cat the file, etc. Well it is actually a bit annoying… so let’s fix it. Read more →