HackerTrans
TopNewTrendsCommentsPastAskShowJobs

pyjug

no profile record

Submissions

Sending Webhooks Securely

ameyalokare.com
1 points·by pyjug·5 ปีที่แล้ว·0 comments

Sending Webhooks Securely

ameyalokare.com
1 points·by pyjug·5 ปีที่แล้ว·0 comments

comments

pyjug
·4 ปีที่แล้ว·discuss
>you can just update the webhook URL

Fair enough, but often consumers that use multiple vendors receive webhooks in the same service; think about going from /v1/webhooks -> /v2/webhooks, they'd have to change the URL for every vendor. Easier to redirect first then update the URLs later. I think it's a reasonable expectation that a HTTP client would honor redirects as long as the usage isn't malicious (like loops etc)
pyjug
·4 ปีที่แล้ว·discuss
Disallowing redirects altogether is probably too big of a hammer. There are legit reasons to use redirects (like migration to new versions). A limit to the number of redirects seems ideal -- that's what Twilio does, for example.
pyjug
·4 ปีที่แล้ว·discuss
>Domains that resolve to private IPs: attacker could set up foo.com which resolves to a private IP

There's a clever extension to this attack; a naive way to mitigate it is to do a DNS resolution first to verify it's not a private IP and then do the actual request. An attacker can simply return a public IP on the first DNS resolution (with a 0 TTY) and then return a private IP on the second. This is called a "TOCTOU" (time-of-check time-of-use) vulnerability. I've written about this and other security best practices on my blog here - https://www.ameyalokare.com/technology/webhooks/2021/05/03/s...

I've also built an egress proxy that prevents such attacks here - https://github.com/juggernaut/webhook-sentry

Same caveat applies, use at your own risk :-)
pyjug
·5 ปีที่แล้ว·discuss
> In this architecture, the authorization service was properly validating user authorization to packages based on data passed in request URL paths. However, the service that performs underlying updates to the registry data determined which package to publish based on the contents of the uploaded package file

I have a similar story . At my old job, we had a web socket gateway that authenticated using JWTs , then hit an internal service to request REST resources. The issue was that it didn’t actually validate the requested REST resource URL; a malicious user could authenticate as themselves but request a resource for any other account.

I found it as I was getting up to speed on the code base, having recently switched teams. Funnily enough, nobody on the team really understood the vulnerability - the EM marked it low priority and wanted the team to work on other things. I had to essentially go directly to the security team and convince them it was a sev 1. I sometimes wonder if it’s easier to just report security issues as an outsider through the bug bounty program; internal reports don’t seem to get taken as seriously.
pyjug
·5 ปีที่แล้ว·discuss
The FAANG have a lot more leverage over their employees than people seem to think.

Very few if any outside of these companies pay a mid level engineer 700k (yes, this number is real, can we please stop debating this fact?). So, if all FAANG force their companies back to the office, the employees have effectively no leverage.

This is similar to how the top cos colluded to keep engineer wages low in the 2000s, except they don’t need to explicitly make such a pact.
pyjug
·5 ปีที่แล้ว·discuss
> I'm not really making contortions

I would politely disagree — in any case the thread is there for all to judge.

If you sincerely believe that this is a product that should exist and will positively impact everyone involved, I can only hope you’re right [0]. In the end it’s all up to your conscience, but I do wish our leaders in tech were a bit more sensitive to seeing the broader picture.

[0]: pour one out for all the naive devs that will no doubt sink 100s of hours to be on the leaderboard for little benefit to them.
pyjug
·5 ปีที่แล้ว·discuss
You didn’t address whether engineers at Netflix would put up with this.

> I'm pretty sure that is what they are going for here with the global leaderboard

Sorry, I’m confused. This seems like a change in your position? Earlier you argued the intent is for employees to be able to showcase their skill to recruiters… you also responded to someone else who said they already have recruiter attention with “you are not their intended audience”

> paid her full time salary just to compete on Deepracer

Wait, are you seriously comparing a global competition in cutting edge tech to squashing bugs … in your own codebase? Come on.. there’s no comparison. If anything, a company would be semi embarrassed that they have so many bugs in their pre existing codebase.

I’m asking you in good faith. Why the contortions to defend such a product? I see from your profile that you are an investor and advisor. I would seriously try pushing this product to your companies and see how they react. If they do adopt it, run an anonymous survey of the devs .. then I would love to see you argue with a straight face that it “benefits developers”
pyjug
·5 ปีที่แล้ว·discuss
The structure already exists. It’s called your bug tracker. By building tools to gamify this process, it’s clearly incentivizing devs to put in more hours. I have no doubt that the global leaderboard will consist of devs that would’ve clocked 100s of hours above their regular hours. For very little benefit to the employee.

Let me put it you this way - would an engineer at Netflix ever “play this game” to win ? Would employees at Netflix even put up with something like this? If not, why would you think employees at random tech co should?
pyjug
·5 ปีที่แล้ว·discuss
> the employee overvalues their skill, thinking that showing up on the leaderboard is a shoo-in. Maybe the employer is right, maybe the employee is right,

Come on, this is just being coy — you and I both know this is a terrible deal for employees — as you write earlier, there’s a very low chance that a random dev will appear on the global leaderboard. What’s more, the best devs won’t even play this game, so it’s left for juniors and people trying to “prove themselves” to trample over each other for peanuts.

Not to single you out, but I wish influential tech folks like you would speak up more about the cynical exploitation that’s going on here in plain sight.
pyjug
·5 ปีที่แล้ว·discuss
> The risk to the company is pretty low that their employee would show up on a global leaderboard.

This invalidates your other point that it benefits developers. Why would a dev sink countless hours for a “very low” chance at being on the global leaderboard and hence moving jobs.

You can’t simultaneously posit it’s good for both companies and developers.
pyjug
·5 ปีที่แล้ว·discuss
> For a lot of people at a lot of companies, a trip to re:invent is a huge prize

Only for cheapo companies. Companies should (and do) _pay_ their devs to attend re:invent. I get your point though. For naive devs, it’s like getting to go to a concert. But it’s quite cynical for AWS to exploit this
pyjug
·5 ปีที่แล้ว·discuss
> The companies that put up the contest benefits

> if you’re looking to make a job move,…

Why would companies allow their best developers to be poached? Unless of course there’s a way for companies to keep their developer scores private…
pyjug
·5 ปีที่แล้ว·discuss
LOL. Developers are so gullible. It would be cute if it weren’t so tragic. They’re giving out t shirts and jackets for 10s of thousands of $ worth of work and we’re lapping it up. Vogels openly said it helps AWS customers reduce “costs”, he’s not even trying to hide it
pyjug
·5 ปีที่แล้ว·discuss
It’s not surprising considering that employees and founders of ad funded companies hang out here. In this case, jedberg (correct me if I’m wrong) was an early employee at Reddit, which is almost entirely ad funded.

I’m not saying he’s being malicious - he probably genuinely believes he likes personalized ads. The “self” or “ego” is a very tricky thing. It can rationalize almost anything to maintain its world view. Everyone likes to think they’re doing good in the world. When faced with the fact that may not be the case, it’s natural to rationalize it away. It takes an extreme level of awareness to be objectively neutral whenever your “self” is involved.
pyjug
·5 ปีที่แล้ว·discuss
Heh, so many valley people microdose openly. It's not a fireable offence. Also, that incident happened in 2019. Why fire him now?
pyjug
·5 ปีที่แล้ว·discuss
> The ad would simply display some of the information collected about the viewer which the advertising platform uses. Facebook was not into that idea.

Genius! But it’s unclear to me if the examples in the blog were actual ads shown to users before their account was blocked, or the campaign never got off the ground at all. If it’s the latter, the blog should make it clearer otherwise it makes it look like those were real ads
pyjug
·5 ปีที่แล้ว·discuss
Sorry, I didn’t mean to come off condescending at all, it was a genuine question! At the end of the day, these are all just tools and people have their preferences. I try not to get too attached to any of them personally.

Also, if it wasn’t clear I was addressing programmers with experience in more than 1 language, not absolute beginners. If someone who is learning Go as their first language, I wholeheartedly endorse learning it! (Although Python would be better :-))
pyjug
·5 ปีที่แล้ว·discuss
I sympathize with the general sentiment of your argument, which is what initially drew me towards Go (in addition to the hype).

For better or worse, Go is where all the energy is in terms of OSS, so I do hope I see the light some day, but for now, the dev x for me is pretty underwhelming compared to Java
pyjug
·5 ปีที่แล้ว·discuss
Right, I wanted to have the “modern development experience” as much as possible. Most tutorials out there still recommend VSCode to get started with Go.
pyjug
·5 ปีที่แล้ว·discuss
As an experienced Java programmer , I decided to do a project in Golang to see for myself what the hype was all about. And it was...underwhelming. The Go plugin for VScode barely works - terribly slow, inconsistent autocomplete, hanging during debugging etc. I had to pay for Goland just to get a reasonable experience which is still worse than Java+IntelliJ community edition.

Language wise - you need for loops for everything, no maps or streams. Also where are the concurrent collections in the stdlib?

I wonder if all the Go love here is from people who never worked in earnest with Java ? Or only worked with dynamic languages before?