
Kernel backups for Debian security updates

Two of our most important machines, both running Debian Stable, failed to boot after a routine kernel security update. In both cases, the security update itself was not the cause of the boot failure, but merely triggered latent problems (for the full story, see below under The problem with the snapshot machine).

Also in both cases, it would have been a great help if we could have booted the old kernel/initrd. But by default, Debian does not keep backups of the kernel or initrd.

In Testing and Unstable, you might get a new kernel with a new package name; the old kernel/initrd belong to a different package from the new kernel/initrd, so they will coexist until the old package is removed. In a Stable security update however, the package name remains the same. You simply get a slightly higher version of the same package, replacing all the ...


What your framework never told you about SQL injection protection

We've discovered that SQL injection is to this day not a fully solved problem, even in most popular frameworks. In this post, we'll explain how these frameworks fail at escaping parts of a query, culminating in the discovery of a critical vulnerability in the popular Laravel framework which affects a large percentage of applications.

Let's start with an innocent example, which provides the starting point of our journey. This is a typical simple use case: a filterable, sortable list.

From safe to vulnerable in one step

In FuelPHP, a (much simplified) controller action to fetch a JSON result might look like this:

<?php
// Much simplified FuelPHP controller action: products are filtered on
// "deleted = false" and, optionally, on a user-supplied minimum price.
public function get_products()
{
    $conditions = array('where' => array(array('deleted', '=', false)));
    // The "minprice" query parameter is taken straight from the request.
    $minprice = \Input::get('minprice', null);
    if (isset($minprice))
      $conditions['where'][] = array('price', '>=', $minprice);

    $result = Model_Product::find('all', $conditions);
    return $this->response($result);
}

This would return products, optionally filtered by a minimum price. It uses ...


Just some days at the office

Customer changes requirement just before the deadline

Non-standardized environment

Managers testing a new feature

Typical Monday morning

Git push --force

Fixing bugs on live production server

The aftermath of a rushed release

Thinking about targets for next year

Realizing I ran the command on the wrong server

OpenSSL::SSL::VERIFY_NONE

It is a quick change...

Pre-coffee deploy

Realizing that accidentally deleted code was already pushed


Queue

In our organization we frequently need to execute scripts that are either time consuming or very heavy on the server. Most of the time these scripts do not need to be executed synchronously, so we use a queuing system to run them at a better moment. For a long time we used an old open source PHP queuing system named fuel-queue. It was good for the basic things we did with it, but it had some major drawbacks: it had no exception management whatsoever, which meant that jobs now and then simply disappeared. Lately we have encountered more and more projects that need queuing, so we decided to create a new queuing system. We really liked the idea behind fuel-queue and have built our new system so that it keeps this idea. The best thing is that we made this new queuing ...


Rapid Cordova application development

Developing Apache Cordova (aka PhoneGap) applications tends to be rather painful: the long waits while compiling an application for Android and uploading it to the device (or emulator) lead to unacceptable round-trip times, especially for applications with lots of large content files (images, videos). In this blog post we'll explain how we develop Cordova applications directly in the desktop web browser, and announce an open source release of a RequireJS module that helps make this a little easier for us.

The main reason we've chosen Cordova over native development is portability: writing a native app for each platform you want to support is a waste of developer effort and, by extension, money. We would also like to leverage this portability to the fullest by developing applications in the browser as much as we can. In a browser, pressing "refresh" results in an instantaneous update.

Waiting for the ...


IRC channel #CodeYellow on Freenode!

Join our IRC Channel #CodeYellow on Freenode!


Passing variables from server to client using RequireJS

Introduction

It's quite common to pass variables from server to client. Common uses are bootstrapping data, syncing config settings, etc. Consider the following scenario: a single page app where a user logs in and refreshes the current page. You want the user to still be logged in. The most commonly used practice is to put it in a script tag:

<script type="text/javascript">
    var userId = 1;
</script>

This way you introduce a global variable userId. What happens if the number of variables increases? Probably you "namespace" it:

<script type="text/javascript">
    var config = {
        userId: 1,
        bootstrap: {
            product: {
                id: 1,
                title: 'Awesome product'
            }
        }
    };
</script>

Now there is only one global variable. And maybe you wrap it in an AMD module in config.js:

define(function (require) {
    return window.config ? window.config : {};
});

Module config

RequireJS supports module configs. Let's try rewriting this using module config:

1. Server generated HTML:

<!-- First define config settings. -->
<script type="text/javascript ...

FuelPHP released version 1.7

FuelPHP 1.7 has been released. A pretty late post, but it's been crazy busy the past few weeks. One important feature we used immediately: PATCH requests are now supported.


Using Trello for our Development Workflow

This is a repost of an article I wrote a couple of weeks ago, which featured another project as an example, but we received a request to change some aspects of the original story. We decided the quick fix was to pull the original site and rewrite it with other examples.


At Code Yellow we are experimenting with Trello for structuring the development process. In essence Trello is a tool developed to manage lists in any way you want. For example, you can use it for simple to-do lists, which fits nicely into a software development flow.

The biggest challenge for us was to keep track of several development tracks and feedback loops with the people involved in the development. For this post I will be using examples from one of our back-office software projects, Incenova (for a closed beta preview of the project, please contact us).


Incenova is a ...


Migration transactions

Transactions are extremely useful...except when dealing with migrations. Read about implicit commits to understand why transactions in migrations aren't that useful.


Coding style guide


Introduction

The two most used languages at Code Yellow are

  1. PHP
  2. JavaScript

PHP has PHP-FIG, which is becoming more commonly accepted. JavaScript has idiomatic.js. For all projects we apply these rules:

General

  • First check:

    1. PSR-1
    2. PSR-2
  • Use single quotes for strings where possible:

    • PHP: $stringA = 'this is a string'; $stringB = 'this is another string ' . $blah . ' test';
    • JavaScript: var stringA = 'this is a string', stringB = 'this is a string ' + blah + ' test';
  • First start with properties, then functions.

  • Prefix variables with the class type where possible. An uppercase prefix denotes a class name, a lowercase prefix an object instance. The available prefixes are

    • M, m for model
    • V, v for view
    • T for template
    • X for mixin
    <?php
    // PHP
    $mPerson = new \Model_Person();

    class SomeSpecialClass {
        private $MPerson = '\\Model_Person';
        private $mPerson = null;

        public function __construct(\Model_Person $mPerson = null) 
        {
            if ...

jQuery 1.10.1 and 2.0.2

jQuery has released not one but (oh joy!) two versions! Check out the jQuery site and specifically the changelog for more details. The 2.x branch does not support IE 6, 7 or 8 (or other IE versions running in compatibility mode). So if you're lucky enough to be able to drop support for those browsers, grab the 2.x branch. If not, grab the 1.10.x branch.


Marionette loading data


Marionette eases the use of Backbone tremendously. Using the different view types gives you more time to focus on building applications.

One key feature you will soon come across is how to load data from the server and show a loading message during this request. Backbone does have built-in events such as "request" and "sync", but more fine-grained event triggering is useful.

Backbone.sync receives a method argument that is one of four request types: "create", "read", "update" or "delete". Consider the following helper for wrapping Backbone.sync:

---More to come---


FuelPHP released version 1.6.1

Joy to the world! FuelPHP 1.6.1 has been released.

Mostly minor improvements over 1.6, with some backported functionality from the 1.7 branch.


Dependency managers

Using other people's libraries saves time and effort so that you as a developer can focus on the true task at hand. A problem that quickly becomes apparent is managing dependencies on those libraries. For example, if you use jQuery then you download jQuery and add it to your source folder (maybe public/js/jquery.js). Then jQuery UI: download, install. Then jQuery Tools: download, install, and so on.

What happens if down the road a bugfix is released for jQuery? First you have to check the changelog to see whether there are any major changes. Then you have to download, install and verify that everything still works. Same story with jQuery UI...

A dependency manager takes care of all this. You state in a file what you need and what version and the dependency manager will download and install the latest version of each library.

PHP packages (Composer)
