In Rory Sutherland’s 2021 book Alchemy, he describes The Doorman Fallacy: The ‘doorman fallacy’, as I call it, is what happens when your strategy becomes…
Stuart 'Stevie' Leitch on Software Development, Java Technologies, Security and Testing
In Rory Sutherland’s 2021 book Alchemy, he describes The Doorman Fallacy: The ‘doorman fallacy’, as I call it, is what happens when your strategy becomes…
If you download an image from the Docker Hub library, it’s likely to be available for multiple architectures. If you pull it from an AMD / Intel 64 bit machine, you’ll get the amd64 architecture image. If you pull it from an ARM based machine (including Apple Silicon), you’ll get the arm64 based image. Typically when you build a custom image, you’ll build for your own architecture only. Docker multi-architecture builds however allow you to build for multiple target architectures.
Jackson is the standard Object to JSON mapping library for Java. It converts POJOs to JSON strings and it parses JSON strings to populate POJOs. It sits behind many JSON based REST servers in Java including Spring MVC. For basic use cases it is very simple to use. Indeed, with Spring Boot it is completely transparent – the framework leverages Jackson to do Object to JSON mapping for you. It’s feature rich and extensible so it can usually handle more complex use cases too. One such use case is returning large JSON responses with Jackson.
Many IoT devices have a UART connector somewhere on the board. It is often used to debug the device before mass production. Sometimes there will be a nice four pin header to connect to. Other devices give you just some plated through holes ready to solder. In some cases the holes exist but the traces have been disconnected in the final layout. In any case if you can connect to it you can often obtain device logs, issue commands and sometimes access the boot loader. If you’re lucky you can get full shell access over UART.
In the first part of a teardown of a D-Link DCS-932L internet enabled security camera, I looked at extracting firmware from flash memory. In this second part, I look at connecting to UART and using the root shell to have a rummage about the camera’s file system.
To analyse a device’s firmware, you’ll first need to obtain the firmware. If you’re lucky, the device manufacturer has made the firmware available for download. If it’s not available, or if you don’t trust that what’s on the website is what’s on your device, you can extract the firmware from flash memory. This post outlines how to extract firmware from flash memory on a D-Link DCS-932L internet enabled security camera.
Network File System (NFS) is a widely supported and simple protocol for accessing files over a network as if they were local. This makes it ideal for many Docker (and other container) architectures as container storage is ephemeral and limited. Attaching NFS shares in Docker allows your container to read and write files to persistent network storage.
Here’s a cautionary tale: taking shortcuts can lead to disaster! I wanted to move /home to a new partition on an SELinux protected system. I ended up locking myself out of my VM.
JPA supports eager and lazy fetch of child entities. If you’re not careful with the lazy fetch strategy it can result in excessive queries as it needs to execute a query for the parent entity and then an additional one for each child. This is the so-called n+1 problem. You’ll often want to use eager fetching so that you can pull the parent and all children with a single query.
If you use HQL/JPQL, the JPA Criteria API or queries derived from Spring Data Repository method names, JPA will convert your SQL query result set to entity objects. That’s what an Object Relational Mapping (ORM) system is for. However if you use JPA native queries (SQL), you’ll need to map the results yourself.
In this post, I’ll look at how to run eager fetches for JPQL and native queries and how to manage the results.
CVE-2023-34034 is another authorization bypass in Spring Security. Like CVE-2022-31692 it’s nasty because it allows completely unrestricted access to supposedly protected resources. Also like CVE-2022-31692 it requires very specific configuration to be vulnerable and is easily fixed.
This post demonstrates the vulnerability, the problem configuration and suggested fixes. A demonstration vulnerable application is on GitHub.
CVE-2022-31692 is a vulnerability in Spring Security that allows authorization bypass when running with specific configurations. The good news is that only very specific configurations are exploitable. However, if you’ve configured Spring Security in this way, attackers can access protected resources without authorization.