Kristian Jaeger's developer musings: 2015

Friday, October 16, 2015

AWS CloudFormation WaitCondition example

CloudFormation is a great tool for spinning up EC2 instances and the like.

Here is an example of using a wait condition for waiting until a Windows 2012 R2 Base service has started. Please excuse the designer JSON. I was using it to validate the JSON correctness.

{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"YourInstanceId": {
"Type": "AWS::EC2::Instance",
"Properties": {
"DisableApiTermination": "false",
"InstanceInitiatedShutdownBehavior": "stop",
"ImageId": "ami-dfccd1ef",
"KeyName": "YourKeyName",
"Monitoring": "false",
"Tags": [
{
"Key": "Name",
"Value": "NameOfYourInstance"
}
],
"NetworkInterfaces": [
{
"DeleteOnTermination": "true",
"DeviceIndex": 0,
"SubnetId": "yourSubnetId",
"GroupSet": [
"yourSecurityGroupId"
],
"AssociatePublicIpAddress": "true"
}
],
"UserData": {
"Fn::Base64": {
"Fn::Join": [
"",
[
"<powershell>\n",
"Start-Service BITS \n",
"$arrService = Get-Service BITS \n",
"$returnCode = 1 \n",
"if ($arrService.Status -eq 'running'){ $returnCode = 0 } \n",
"while($arrService.Status -ne 'running') \n",
"{ \n",
"Start-Sleep -s 5 \n",
"$arrService = Get-Service BITS \n",
"if ($arrService.Status -eq 'running'){ $returnCode = 0 } \n",
"} \n",
"cfn-signal.exe -e $returnCode ",
{
"Fn::Base64": {
"Ref": "WaitHandle"
}
},
"\n",
"</powershell> \n",
"<persist>true</persist>"
]
]
}
}
}
},
"WaitCondition": {
"Type": "AWS::CloudFormation::WaitCondition",
"DependsOn" : "instancei1c92e0da",
"Properties": {
"Handle" : { "Ref" : "WaitHandle" },
"Timeout" : "300"
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "b0f248b8-89a7-4b6b-881a-ef79dd677322"
}
}
},
"WaitHandle": {
"Type": "AWS::CloudFormation::WaitConditionHandle",
"Properties": {},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "1f0d4b0b-1971-4e5d-9b2c-5472c764dc92"
}
}
}
},
"Description": ""
}

The BITS service was used here since it's a built-in Windows service. It could be whatever service that you would like to start and verify that it started.

CloudFormation seems good overall. It would be nice to have a local validator for it and / or a way to test the templates locally first.

I'd like to explore the Vagrant AWS provider when I have time (heard that there might be bugs though regarding Windows). Please feel free to comment and share your experiences. Cheers.

Friday, October 9, 2015

WPF path data for plus and minus signs

WPF path data seems not so straight-forward when you first look at it.

There are tools out there to edit it though.

Here are some examples of plus and minus signs if you're interested in something for prototypes and the like. I didn't see a lot on the web so I thought that I'd share.

Minus (used within a canvas):
<Canvas.LayoutTransform>
<RotateTransform Angle="90"></RotateTransform>
</Canvas.LayoutTransform>
<Path Width="25" Height="25" Stretch="Uniform" Fill="DarkGray"
Data="M0,0 L8,0 L8,47 L0,47 z"

Plus (again used within a canvas):
<Path Width="25" Height="25" Stretch="Uniform" Fill="DarkGray"
Data="M3.875,0 L5.125,0 5.125,3.875 9,3.875 9,5.125 5.125,5.125 5.125,9 3.875,9 3.875,5.125 0,5.125 0,3.875 3.875,3.875 3.875,0 z"

Cheers.

Sunday, January 18, 2015

Enhance your Web API 2 project's security using the Microsoft AntiXssEncoder

It's fairly straight-forward to add anti-XSS security to your Web API 2 project. You might be wondering why you would though. Out of the box, Web API 2 does not automatically encode and decode for you.

There is a potential problem in that the web API project could be receiving untrusted input from a HTML5 and JavaScript client. If that input gets persisted, or displayed elsewhere, and then displayed later you could have persistant XSS on your hands.

The solution is fairly simple though believe it or not.

1) Nuget packages can be installed for use with the Web API project's models

2) An attribute can be added to the models for the first package above (uses the AntiXssEncoder under the covers)

Add this to models:

[AntiXss]

3) Next you need to secure data coming in via query string or posts other than models (query string data example here)

For Web.config:

==================

For WebApiConfig.cs (in Register)

RequestValidator.Create<ValidationError>()

.MapPropertyName(x => x.Property)

.FlattenErrorMessages()

.Map(x => x.Message).ToErrorMessage()

.Init(config);

==================

Then create a class that extends ActionFilterAttribute and in OnActionExecuting add the following

// Check query string data for XSS using Microsoft's AntiXssEncoder

var queryStringDataForRequest = actionContext.Request.GetQueryNameValuePairs();

if (QueryDataContainsXss(queryStringDataForRequest))

{

var response = actionContext.Request.CreateErrorResponse(HttpStatusCode.BadRequest,

new HttpResponseException(new HttpResponseMessage()));

actionContext.Response = response;

}

It's up to you to define QueryDataContainsXss(). The simplest, and perhaps safest implementation is to compare the input to encoded input using the AntiXssEncoder with default settings. If you find that they are not equal then break and return false.

Then you can add the attribute to the controllers.

Add this to controllers:

[AntiXssActionFilter]

It's a good idea to add tests for your implementation too. RestSharp is an easy way to add REST client abilities to your tests. I hope that this is helpful to others. Cheers.

Kristian