NS_ERROR_FAILURE with absent property - firefox-addon

I trying to capture pageLoad event in progressListener, in onLocationChange i check URI of fresh page, and in case URI = about:blank i got
Error: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIURI.host]
As i understand this URI don't have host at all.
How can i check that host is available without raw parsing and exception catching? Is there any conventional way to check that atribute is present?

Your best bet is to filter certain protocols (filter on scheme). It's best to use a whitelist in this case of the protocols you care about.

In general there's no way to know for sure without doing a try/catch, but currently an nsIStandardURL is the only sort of URI that will have a host.

When I faced this problem my solution was:
To indicate an observer flag aWebProgress.NOTIFY_LOCATION
aWebProgress.addProgressListener(this.listener, aWebProgress.NOTIFY_LOCATION);
Before I had aWebProgress.NOTIFY_LOCATION and there was an exception you desc

Related

Why use "?" instead of ":" in URL?

We can use
'PATCH /companies/:id' : 'CompanyController.find'
to update data.
One suggested me that I can use the alternative way:
'PATCH /companies/find?key=Value'
But I do not know what it works. Please explain me why we prefer ? mark than : mark in search path.
You can use either or. The biggest reason most people chose one or the other is just how they want to present the URL to the user.
Using a path variable (:) can symbolize you're accessing a defined resource, like a user ID, where as an argument (?) can symbolize you're are dynamically changing/searching something within a defined resource, like a token or search term.
From what I can tell that's the general practice I see:
example.com/user/:username
versus
example.com/user/?search="foo"
http://en.wikipedia.org/wiki/URL
If we are firing GET request, ? symbol is used to let the server know the url parameter variables starts from there. And this is commonly used. I didn't used : symbol instead of ?
You are probably messing the things up:
According to your example, :id indicates a variable that must me replaced by an actual value in some frameworks such as Express. See the documentation for details.
And ? indicates the beginning of the query string component according to the RFC 3986.
It's a rule to design rest api
you can find 'how to design a rest api'
Assuming below code is Sails.js
'PATCH /companies/:id' : 'CompanyController.find'
It will makes REST API that be mapped onto 'CompanyController.find' by using PathParam. Like this
www.example.com/companies/100
Second one will makes REST API by using QueryParam.
It also be mapped onto 'CompanyController.find'
/companies/find?key=Value
But the API format is different. Like this
www.example.com/companies/find?key=100
PathParam or QueryParam is fine to make REST API.
If the Key is primary for company entity,
I think PathParam is more proper than QueryParam.

External Control of System or Configuration Setting

(Sorry, if this is a dumb question....)
Veracode reports my website has a security issue which relates to use connection string from web.config.
Here is my code.
Public Function ExecuteScalar(ByVal sql As String) As Object
Dim obj As Object = Nothing
Try
Dim connStr as String = ConfigurationManager.ConnectionStrings("mydatabase").ConnectionString
Using conn As New SqlConnection(connStr) '''Veracode reports the issue come from this line
conn.Open()
If conn IsNot Nothing Then
'''execute my sql
End If
End Using
Catch ex As Exception
Throw ex
End Try
Return obj
End Function
Veracode said:
This call to
system_data_dll.System.Data.SqlClient.SqlConnection.!newinit_0_1()
allows external control of system settings. The argument to the
function is constructed using user-supplied input, which can disrupt
service or cause an application to behave in unexpected ways. The
first argument to !newinit_0_1() contains tainted data from the
variable connStr. The tainted data originated from earlier calls to
system_web_dll.system.web.httprequest.get_item,
system_data_dll.system.data.common.dbdataadapter.fill,
system_data_dll.system.data.sqlclient.sqlcommand.executescalar, and
fmmobile8_dll.virtualcontroller.vc_wcfentry.
Remediation:
Never allow user-supplied or otherwise untrusted data to control
system-level settings. Always validate user-supplied input to ensure
that it conforms to the expected format, using centralized data
validation routines when possible.
The same isuse was reported by CWE: http://cwe.mitre.org/data/definitions/15.html
OK, the suggestion from Veracode said that I should check the format of connection string before using it to create SqlConnection object.
I also asked Google professor about how to check format of connection string. But the returned results said that we should create SqlConnection object, then open it.
If the response is OK, the connection string also means a valid format. Otherwise, the connection string is invalid.
Unfortunately, Veracode does not accept this answer.
So, my question is that:
Should we check the format of connection string before creating SqlConnection object (as Veracode said)? If yes, how?
The problem is not the format of the connection string, it's that it may be controlled by somebody not intended. For instance an attacker may be able to change your web.config and have your application connect to a fake database to serve fake data. Note that such an attacker might be internal to your organization (a disgruntled IT ops employee), or an external attacker that already gained some level of access.
So the question is whether you trust your web.config file according to your threat model. Probably you do for several reasons (you have good processes to mitigate risks), in which case this would be "mitigated by design" in Veracode terms.
Basically it's just a warning to raise attention that web.config is in a sense external to your application and can be changed by more people than you would initially think of, and changing it by unintended people may lead to unwanted results.
I've had a similar issue with Veracode and they told me to make sure the Web.config file was encrypted.
You can do this via some command line prompt actions on the server where the application is deployed.
aspnet_regiis -pe "connectionStrings" -app "/" -site 1
or if you wanted to expand your security to the appSettings section
aspnet_regiis -pe "appSettings" -app "/" -site 1
You get the site number by opening IIS and going to the Advanced Settings for the site. It is the field labeled "ID"
Here is a MSDN article explaining in more detail:
https://msdn.microsoft.com/en-us/library/zhhddkxy.aspx

RtlCopyMemory and exception handling

Im reading in an address from user-space and using RtlCopyMemory() to copy data over to my output buffer and although I have it working, it lacks any safe guarding against invalid addresses being read which will throw a bug check in my face.
I know that I need to use SEH to do this but I am not sure what exceptions I need to be handling or if RtlCopyMemory even throws any exceptions. If not, how can I check that the address is valid before I pass it into RtlCopyMemory()?
Read about ProbeForRead and ProbeForWrite, additionally I suggest you the following reading:
http://download.microsoft.com/download/d/1/d/d1dd7745-426b-4cc3-a269-abbbe427c0ef/sys-t774_ddc08.pptx
and
http://www.codeproject.com/Articles/9575/Driver-Development-Part-Introduction-to-Implemen

Do dashes in a querystring pose a security risk for Ruby on Rails?

I got an exception in a web app I'm developing recently from a url something like:
http://domain.com/script.js?bcsi-ac-16E7C1CCF9EF6357=1C76413C00000002kmNHGZK2deV0Qz25TXynq3fMaPTrBAAAAgAAAD5tGgCEAwAACAAAAPUiAgA=
First of all - what in the world is that? From searching it sounds like maybe it's a cookie / session variable of some kind...
Second of all, the exception was about dynamic assignment of a constant. I tried a simpler url:
http://domain.com/script.js?bcsi-ac
And that gave an exception about the variable or method 'bcsi' not being defined, as if it were trying to evaluate it... WHAT!? I sure as hell hope people can't cause my Rails app to evaluate random code just by passing it to the querystring...
To provide more detail: I'm not doing anything unusual with the querystring data in the route or the controller. I just take the params and pass them into a partial as locals (admittedly not the cleanest way to do it, but simple - and that certainly shouldn't cause it to evaluate a parameter name as code?)
OKAY! Answering my own question again. It turns out passing params in as locals to a partial DOES cause it to evaluate the parameter name as code - obviously it can't use the variable name "bcsi-ac" so it tries to evaluate it.
But the question as to whether that poses a security risk still remains... I don't seem to be able to call methods on things, or actually assign things... but maybe I just haven't tried hard enough. It would seem to me that rails should just throw an exception when passing in a locals hash that includes an invalid variable name.
as a general rule of thumb, any time you allow strings from your url to be evaluated as code you are setting up a huge security risk in your application. you might not be able to call methods on locals as your methods exist server side and the code you are evaluating is client side, but this certainly opens your site up to XSS vulnerabilities among others...

Restlet - Access elements of the request URL

I'm unsure what the proper way is to access parts of the requested URL.
In this case, I want to get the requested path without the query variables. This is the only way I found to do it:
String path = getRequest().getResourceRef().getHostIdentifier() +
getRequest().getResourceRef().getPath();
The result would be the bold part of this url: https://stackoverflow.com/questions/ask?query=value
I also found about 6 different ways to get the server name (http://stackoverflow.com) but I'm worried that some of them would fail in certain cases that I am unaware of (why would there be 6 different ways to do one thing):
getRequest().getHostRef().getHostIdentifier();
getRequest().getHostRef().getIdentifier();
getRequest().getRootRef().getHostIdentifier();
getRequest().getRootRef().getIdentifier();
getRequest().getResourceRef().getHostIdentifier();
And this seems to get the complete URL with query parameters:
getRequest().getResourceRef().getIdentifier();
Any further explanation would be much appreciated.
If you're in a UniformResource (or subclass) I think you might be looking for the method getReference(), which returns the URI reference. There are a number of other convenience methods in that class you might be interested in so you don't have to go through the request. See UniformResource (Restlet 2.0).

Resources