Zip Slip

While looking into something else I came across the Zip Slip vulnerability. Kind of annoying since it’s nearly a year old and I’ve only heard of it now. Every now and then I keep thinking a neat tool would be something that would run over a project, track every dependancy it has and then alert you when there’s a a security issue. However it seems like one of those things people would want but not pay for.

Secrets in git repos

One issue with infrastructure sorts of repositories is what to do with sensitive data. Keys, tokens and other secrets shouldn’t be committed to git repos, but they have to go somewhere. In some cases you can put them in your CI/CD system and import them as variables. But that gets complicated quickly. One way to address it is to use git crypt. It’s not a standard git extension, but it’s been around for a fair bit of time.

The Less Scary Guide To Google Authenticator and PAM

Modifying low level authentication is a worrisome thing. If you do it wrong the fear is that you can’t log back in to fix it. So unlike some other guides out there I’ll point out the danger points here and some ideas on how to address them. This is kind of long so a high level overview is this: install client software, install server software, activate server software, generate key, done!

SRI hashes for CDN js and css files

Subresource Integrity is a nifty idea to use SRI hashes to verify external resources your web app depends on haven’t been compromised. Using content delivery networks (CDNs) for common web resources (javascript and css) makes pages load faster since chances are those things have been loaded by other sites and are cached by the browser. It also means bandwidth gets used better generally which is a good thing. But it does mean you’re trusting the CDN.

Wiping disks

I’m returning a server to a hoster. I generally trust them and have no reason to believe that they’d go snooping through my disk but it’s always nice to clean things up. There are a lot of tools for this: wipe, secure-delete and several others. But none really fit my use case. I was trying to clean up free space as I backed up and deleted personal data on the server.