Monday, 10 October 2016

Override Overkill

I've spent a good couple of hours of time over the last few weeks trying to figure something out. This was not a huge issue that needed resolving quickly but it was something which would eventually need to be fixed.

I've been asked to copy the data from a live server in order to create a new test server. The data is pretty much a snapshot of the live server. It contains two databases, a bunch of .jar files and some NTP configurations. I take backups from both these databases and create test versions, set up all the other little bits and pieces (FTP etc.) and I'm done.

I start to create the systemd files which will be used to run daemons on startup. Most of them work perfectly fine... but one particular file (a master daemon used to kick off multiple daemons) fails.

Turns out one of the daemons connects to the first database in order to grab credentials for the second database, which it then connects to and runs some stored procedures. This was failing with an SQLException: wrong username or password.

This is strange because I have other daemons that follow this procedure and connect successfully. Both are getting their username and password from the same place... or are they...

Digging around in the code I realise there are multiple ways in which the user can obtain the username and password. By default they look in the database; the credentials found can be overridden via
  1. config file
  2. command line arguments
The credentials are not being overridden in the config file, as this would mean all daemons would have the same issue. No, it must be that someone somewhere has hard coded the credentials as arguments.

After searching around I find that within the master daemon someone has indeed done this. How massively irritating... Removing these arguments and letting the daemon get its credentials from the database solves the issue.

What grinds my gears
This seems to me to be either a lack of communication between the original developers or old code which should have been removed. Admittedly this issue wouldn't take too long to resolve for someone working on it full time, but that's not really the point here.
I can understand getting the values from the database and then also writing an override function which lets the user set their own credentials; this makes sense, but keep it in one place! In this software this is the only daemon that lets the user use command line arguments to override the credentials. Why? We have a perfectly good config file specifically for that reason...

Friday, 7 October 2016

Exploring Node

So I've been spending quite a bit of my spare time looking into Node. It's actually more interesting than I first thought, mainly because I can run it on my Raspberry Pi.

Currently I have a chat server running which uses This was incredibly easy to set up a basic chat server (when I say basic, I mean basic..). I've been customising it visually and logically for a few days now.

Visually I have decided to make it look like a Linux terminal. This is done mainly with CSS but also with a jQuery plugin called Typed.js. I've used this before for other projects and I find it easy to use and it does what it says on the tin.

Logically I have enabled it to recognise URLs using regex; this was the easy part... I wrote the sendMessage functionality so the message sent would ignore HTML and JavaScript in order to stop injection attacks. This seemed like a good idea at the time. Later on I introduced the regex to spot URLs in a string and apply the <a href> tag to them. When testing this I got the following:

Karl: This is a test <a href=""></a> end of test

So my way around this was to break up the message but keep the order: each URL found would be inserted as HTML, everything else inserted as text. I'm researching how other chat clients resolve this issue. I think my way may have some security vulnerabilities, but hey, it's a good way to learn.
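One way to implement the split-and-render approach described above, as an added example that is not the post's own code: the message is cut into ordered text and URL segments, text segments are HTML-escaped, URL segments become anchors, and only http/https schemes are turned into links (anything else stays escaped text). The regex, function names and the rel/target attributes are my own choices, not the chat server's.

```javascript
// Added example: safe "linkify" for a chat message.
// Escaping runs per segment, so the <a> tags we generate are never
// themselves escaped (the bug in the post), while user-supplied
// markup inside the message still is.

// Matches anything that looks like scheme://...; the scheme is
// checked separately so that only http/https become clickable.
const URL_RE = /\b[a-z][a-z0-9+.-]*:\/\/[^\s<>"']+/gi;

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Split the message into ordered { type: 'text' | 'url', value } segments.
function splitMessage(message) {
  const segments = [];
  let last = 0;
  for (const m of message.matchAll(URL_RE)) {
    if (m.index > last) segments.push({ type: 'text', value: message.slice(last, m.index) });
    segments.push({ type: 'url', value: m[0] });
    last = m.index + m[0].length;
  }
  if (last < message.length) segments.push({ type: 'text', value: message.slice(last) });
  return segments;
}

// Allowlist of schemes that may become a link; malformed URLs are rejected too.
function isSafeUrl(u) {
  try {
    const p = new URL(u).protocol;
    return p === 'http:' || p === 'https:';
  } catch {
    return false;
  }
}

// Render the message as an HTML string: anchors for safe URLs, escaped text otherwise.
function renderMessage(message) {
  return splitMessage(message).map((seg) => {
    if (seg.type === 'url' && isSafeUrl(seg.value)) {
      const safe = escapeHtml(seg.value);
      return `<a href="${safe}" rel="noopener noreferrer" target="_blank">${safe}</a>`;
    }
    return escapeHtml(seg.value);
  }).join('');
}
```

If you render into the page with the DOM API instead of a string, use `document.createTextNode` for text segments and set `a.href` on a created element for URL segments; the same split and scheme check apply.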

I'm also looking into file sharing and possibly enabling some kind of webcam chat. I'm currently looking at socket-signaler-client which I think has the ability to give me what I want.