From 38b362dbc852891769048d1b888a8e1c488f9a77 Mon Sep 17 00:00:00 2001 
From: Correl Date: Tue, 19 Oct 2021 17:02:47 -0400 Subject: [PATCH] updates --- 20210218134000-how_i_work.org | 1 + 20211014151652-cross_site_scripting.org | 5 ++++ 20211014151808-sql_injection.org | 4 +++ 20211019164846-how_i_manage_my_projects.org | 8 +++++ aweber/20210813142844-projects.org | 16 +++++----- ..._progress_of_moving_pages_out_of_sites.org | 6 ++-- ...3161201-validating_and_sanitizing_tags.org | 6 ++-- ...019140007-cp_leads_and_product_sync_up.org | 6 ++++ aweber/20211019142241-manager_one_on_one.org | 4 +++ ...g_services_to_use_the_new_list_service.org | 4 +++ ...019163502-deploy_coreapi_to_kubernetes.org | 7 +++++ ...ng_prevention_owasp_cheat_sheet_series.org | 8 +++++ daily/2021-10-14.org | 20 +++++++++++++ daily/2021-10-19.org | 30 +++++++++++++++++++ daily/2021-10-20.org | 9 ++++++ don_t_try_to_sanitize_input_escape_output.org | 7 +++++ input_filtering_by_chris_shiflett.org | 7 +++++ sanitize_your_inputs_kevin_smith.org | 9 ++++++ ...on_prevention_owasp_cheat_sheet_series.org | 8 +++++ the_basics_of_web_application_security.org | 8 +++++ 20 files changed, 160 insertions(+), 13 deletions(-) create mode 100644 20211014151652-cross_site_scripting.org create mode 100644 20211014151808-sql_injection.org create mode 100644 20211019164846-how_i_manage_my_projects.org create mode 100644 aweber/20211019140007-cp_leads_and_product_sync_up.org create mode 100644 aweber/20211019142241-manager_one_on_one.org create mode 100644 aweber/20211019163438-migrating_services_to_use_the_new_list_service.org create mode 100644 aweber/20211019163502-deploy_coreapi_to_kubernetes.org create mode 100644 cross_site_scripting_prevention_owasp_cheat_sheet_series.org create mode 100644 daily/2021-10-14.org create mode 100644 daily/2021-10-19.org create mode 100644 daily/2021-10-20.org create mode 100644 don_t_try_to_sanitize_input_escape_output.org create mode 100644 input_filtering_by_chris_shiflett.org create mode 100644 sanitize_your_inputs_kevin_smith.org create mode 
100644 sql_injection_prevention_owasp_cheat_sheet_series.org create mode 100644 the_basics_of_web_application_security.org diff --git a/20210218134000-how_i_work.org b/20210218134000-how_i_work.org index 45c34b6..b4931cf 100644 --- a/20210218134000-how_i_work.org +++ b/20210218134000-how_i_work.org @@ -23,3 +23,4 @@ screen. * Tracking things to do - Capturing /and scheduling/ tasks - Using the [[id:4d7dffe3-4af4-41d0-85a2-270a20593c8d][Org Mode]] agenda view to plan my day +- [[id:038c58e9-2fe9-495a-8dfb-bc3c1c538ad1][Managing projects]] diff --git a/20211014151652-cross_site_scripting.org b/20211014151652-cross_site_scripting.org new file mode 100644 index 0000000..462a537 --- /dev/null +++ b/20211014151652-cross_site_scripting.org @@ -0,0 +1,5 @@ +:PROPERTIES: +:ID: 65fa9de5-afa9-406c-8576-d94380cc3bec +:ROAM_ALIASES: XSS +:END: +#+title: Cross Site Scripting diff --git a/20211014151808-sql_injection.org b/20211014151808-sql_injection.org new file mode 100644 index 0000000..288af6d --- /dev/null +++ b/20211014151808-sql_injection.org @@ -0,0 +1,4 @@ +:PROPERTIES: +:ID: e4a20390-fecb-46ff-8949-4f456abdbb09 +:END: +#+title: SQL Injection diff --git a/20211019164846-how_i_manage_my_projects.org b/20211019164846-how_i_manage_my_projects.org new file mode 100644 index 0000000..824c080 --- /dev/null +++ b/20211019164846-how_i_manage_my_projects.org @@ -0,0 +1,8 @@ +:PROPERTIES: +:ID: 038c58e9-2fe9-495a-8dfb-bc3c1c538ad1 +:END: +#+title: How I manage my projects + +I keep an [[id:0567a35c-3afb-4ed5-a9ec-47425c5d6f06][Org-roam]] file dedicated to my [[id:207560cc-7700-4d06-918d-cc01ae530146][Projects]]. Each project, once it's +fleshed out as more than just an idea, gets its own file that its heading links +to. diff --git a/aweber/20210813142844-projects.org b/aweber/20210813142844-projects.org index de06df6..fa0d76f 100644 --- a/aweber/20210813142844-projects.org +++ b/aweber/20210813142844-projects.org 
@@ -20,7 +20,7 @@ :LOGBOOK: - State "TODO" from [2021-09-01 Wed 13:42] :END: -** TODO [[id:6413d680-ee2e-43e6-b7c7-10f14e0873c2][Deploying Bulk Tagging to Kubernetes]] +** DONE [[id:6413d680-ee2e-43e6-b7c7-10f14e0873c2][Deploying Bulk Tagging to Kubernetes]] :PROPERTIES: :JIRA_ID: CCPANEL-11615 :END: @@ -41,26 +41,28 @@ :LOGBOOK: - State "TODO" from [2021-09-01 Wed 13:42] :END: -** TODO Recipient Service +** TODO Deploying Recipient Service to Kubernetes :LOGBOOK: - State "TODO" from [2021-10-13 Wed 16:26] :END: -** TODO Tagging Service +** TODO Deploying Tagging Service to Kubernetes :LOGBOOK: - State "TODO" from [2021-10-13 Wed 16:26] :END: -* Tracking live vs dead / removed code branches in Sites +* [[id:3cc8bd09-dd02-4950-8c89-a737f92809fd][Tracking progress of moving pages out of Sites]] * [[id:11edd6c9-b976-403b-a419-b5542ddedaae][Subscriber Search Service]] * [[id:c45881de-46f2-4f76-9579-063626c5956c][Analytics View Service]] -* Replace CAPI Services -** List API -*** TODO Set EOL date for awlists +* [[id:4df15f2f-d2e1-40f4-8acd-dbfb78fe304f][Deploy CoreAPI to Kubernetes]] +* Replacing CAPI Services +** [[id:619b6c78-7be9-4ee4-a0b7-9d1a4d7536e2][Migrating services to use the new List service]] +*** DONE Set EOL date for awlists - [2021-08-13 Fri 15:21] :: Discussed this. Also talked about separation of concerns about account status vs list status. Also discussed how an entitlements service might fit into our architecture and how we handle state transitions and reverals (e.g. cancellations). - [2021-08-17 Tue 16:44] :: Set a one-year time limit? Should the public list endpoints be in the new service as well, deprecating public api lists? +- [2021-10-18 Mon] :: The expectation is set to be migrated to the new list service exclusively by the end of Q2 2022 ** Subscribers API * Frontend Client Upgrades ** Upgrade Dashboard to React 
diff --git a/aweber/20211001095858-tracking_progress_of_moving_pages_out_of_sites.org b/aweber/20211001095858-tracking_progress_of_moving_pages_out_of_sites.org index 9be7242..4b0efe9 100644 --- a/aweber/20211001095858-tracking_progress_of_moving_pages_out_of_sites.org +++ b/aweber/20211001095858-tracking_progress_of_moving_pages_out_of_sites.org @@ -31,7 +31,7 @@ #+end_src #+RESULTS: -[[file:controllers-migrated-in-sites.png]] +[[file:None]] ** Controllers in Sites #+caption: Identifying the total number of public controllers in the CP @@ -51,7 +51,7 @@ #+end_src #+RESULTS: js-controller-count -: 24 +: 25 * Progress over time @@ -77,7 +77,7 @@ #+end_src #+RESULTS: -[[file:controllers-migrated-in-sites-over-time.png]] +[[file:None]] #+caption: Identifying the last tagged release each month #+name: tags diff --git a/aweber/20211013161201-validating_and_sanitizing_tags.org b/aweber/20211013161201-validating_and_sanitizing_tags.org index b8c2131..ee29c8d 100644 --- a/aweber/20211013161201-validating_and_sanitizing_tags.org +++ b/aweber/20211013161201-validating_and_sanitizing_tags.org @@ -5,7 +5,7 @@ * Sanitizing tag display -** TODO In the autocomplete of the tag input box +** DONE In the autocomplete of the tag input box Fixes [[https://jira.aweber.io/browse/CCPANEL-11654][CCPANEL-11654]]. https://gitlab.aweber.io/BoFs/FE/libraries/tagbox/-/merge_requests/29 @@ -17,5 +17,5 @@ https://gitlab.aweber.io/BoFs/FE/libraries/tagbox/-/merge_requests/29 ** TODO [[id:cd4a8a83-be53-4ec9-8cca-b6f34b59ba35][Subscriber Proxy]] ** TODO [[id:321075e7-db53-4676-b785-7c77ed9d1150][Bulk Tagging]] ** TODO [[id:7e503917-646f-4275-aab9-3a125b99cbfd][Tagging]] -*** Remove outbound sanitization -*** Add inbound validation +*** TODO Add inbound validation +*** TODO Remove outbound sanitization diff --git a/aweber/20211019140007-cp_leads_and_product_sync_up.org b/aweber/20211019140007-cp_leads_and_product_sync_up.org new file mode 100644 index 0000000..cd42370 --- /dev/null 
+++ b/aweber/20211019140007-cp_leads_and_product_sync_up.org @@ -0,0 +1,6 @@ +:PROPERTIES: +:ID: 0e5f578f-96a2-47d8-8dd9-d0d7f1e4fc35 +:END: +#+title: CP Leads and Product Sync-Up + +A weekly discussion on team priorities. diff --git a/aweber/20211019142241-manager_one_on_one.org b/aweber/20211019142241-manager_one_on_one.org new file mode 100644 index 0000000..57293ca --- /dev/null +++ b/aweber/20211019142241-manager_one_on_one.org @@ -0,0 +1,4 @@ +:PROPERTIES: +:ID: 0a1e48ec-e132-4ec4-81a1-124711330b5a +:END: +#+title: Manager one-on-one diff --git a/aweber/20211019163438-migrating_services_to_use_the_new_list_service.org b/aweber/20211019163438-migrating_services_to_use_the_new_list_service.org new file mode 100644 index 0000000..dfbe65a --- /dev/null +++ b/aweber/20211019163438-migrating_services_to_use_the_new_list_service.org @@ -0,0 +1,4 @@ +:PROPERTIES: +:ID: 619b6c78-7be9-4ee4-a0b7-9d1a4d7536e2 +:END: +#+title: Migrating services to use the new List service diff --git a/aweber/20211019163502-deploy_coreapi_to_kubernetes.org b/aweber/20211019163502-deploy_coreapi_to_kubernetes.org new file mode 100644 index 0000000..7d0c744 --- /dev/null +++ b/aweber/20211019163502-deploy_coreapi_to_kubernetes.org @@ -0,0 +1,7 @@ +:PROPERTIES: +:ID: 4df15f2f-d2e1-40f4-8acd-dbfb78fe304f +:END: +#+title: Deploy CoreAPI to Kubernetes + +- Merge the sub-projects into CAPI? +- API Suspenders replacement? diff --git a/cross_site_scripting_prevention_owasp_cheat_sheet_series.org b/cross_site_scripting_prevention_owasp_cheat_sheet_series.org new file mode 100644 index 0000000..2371923 --- /dev/null +++ b/cross_site_scripting_prevention_owasp_cheat_sheet_series.org 
@@ -0,0 +1,8 @@ +:PROPERTIES: +:ID: b4438e41-42ed-422e-a1f1-0b763da70fe6 +:ROAM_REFS: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html +:END: +#+title: Cross Site Scripting Prevention - OWASP Cheat Sheet Series + +Includes notes on performing [[id:2ba04972-f498-41c2-970e-a64c7f3f1c3b][Data sanitization]] on HTML output for the prevension +of [[id:65fa9de5-afa9-406c-8576-d94380cc3bec][Cross Site Scripting]] attacks. diff --git a/daily/2021-10-14.org b/daily/2021-10-14.org new file mode 100644 index 0000000..638f361 --- /dev/null +++ b/daily/2021-10-14.org @@ -0,0 +1,20 @@ +:PROPERTIES: +:ID: 4721a3f0-2f1b-446b-8fc4-dd3b7ca56a35 +:END: +#+title: 2021-10-14 + +* Catching up with Ryan M on tag processing +- Ryan is looking into a variety of issues around tags on CC + - CC-2720 (Tag triggered campaign does not trigger for some subscribers) + - CC-6944 (Tag Applied Did Not Trigger Active Campaign) + - Ryan's personal dashboard [[https://grafana.aweber.io/d/kLkwIXv7z/rules-engine-insights?orgId=1][Rules Engine Insights]] + - Rules engine gets slow from time to time + - Rule search endpoint can take up to 10s + - There is definitely some subscriber contention, but it doesn't appear to + be particularly severe + - Slowdowns seem to be best related to rule service slowness + - Rule service will be updated to get more insight into what's happening + - Needs more metrics + - Move into k8s? +- Currently, we still don't know what's going on. Ryan will be spending time in + the coming sprint to continue investigating the rule service. diff --git a/daily/2021-10-19.org b/daily/2021-10-19.org new file mode 100644 index 0000000..84327f3 --- /dev/null +++ b/daily/2021-10-19.org 
@@ -0,0 +1,30 @@ +:PROPERTIES: +:ID: 0a10f78a-1ac5-480c-ba18-ba4b02d99c14 +:END: +#+title: 2021-10-19 + +* [[id:0e5f578f-96a2-47d8-8dd9-d0d7f1e4fc35][CP Leads and Product Sync-Up]] +- Finding a more cohesive strategy for FE work + - Different work between David G and David R + - Need a better understanding of dependencies between projects + - Can I get more involved with the planning around frontend projects? ([[file:~/Nextcloud/org/aweber.org::*Can I get more involved with the planning around frontend projects?][TODO]] +) +- Defining deadlines for BE service work + - Set team goals on when we want to have things done + - Define dates for [[id:c45881de-46f2-4f76-9579-063626c5956c][Analytics View Service]] and [[id:11edd6c9-b976-403b-a419-b5542ddedaae][Subscriber Search Service]] ([[file:~/Nextcloud/org/aweber.org::*Define dates for analytics view and search + service][TODO]]) +- Plan an order of attack on larger KTLO [[id:207560cc-7700-4d06-918d-cc01ae530146][Projects]] (goals for end of this year + and next year) + - [[id:e4d00c11-da8a-4c91-8f38-ce939846e5cb][CAPI]] + - [[id:619b6c78-7be9-4ee4-a0b7-9d1a4d7536e2][Migrating services to use the new List service]] + - [[id:4df15f2f-d2e1-40f4-8acd-dbfb78fe304f][Deploy CoreAPI to Kubernetes]] + - API Suspenders replacement + - Remaining services in Chef + - Migrating notification bar + - Remove requirement of LDAP for notification creation? +- Moving services out of AWS + - [[id:6413d680-ee2e-43e6-b7c7-10f14e0873c2][Bulk Tagging]] + - Tagging + - Recipient + - Mapping +- List settings mockup into React diff --git a/daily/2021-10-20.org b/daily/2021-10-20.org new file mode 100644 index 0000000..986a1e2 --- /dev/null +++ b/daily/2021-10-20.org 
@@ -0,0 +1,9 @@ +:PROPERTIES: +:ID: 29e51b04-ce89-4934-b17f-1f64bffc2069 +:END: +#+title: 2021-10-20 +* [[id:0a1e48ec-e132-4ec4-81a1-124711330b5a][Manager one-on-one]] +- Discuss better ways of: + - Capturing new projects + - Transforming old projects as priorities shift + - Keeping the project list and priorities at the forefront diff --git a/don_t_try_to_sanitize_input_escape_output.org b/don_t_try_to_sanitize_input_escape_output.org new file mode 100644 index 0000000..18ac75c --- /dev/null +++ b/don_t_try_to_sanitize_input_escape_output.org @@ -0,0 +1,7 @@ +:PROPERTIES: +:ID: 5ca2142d-35b2-4230-9268-7c693cb392a5 +:ROAM_REFS: https://benhoyt.com/writings/dont-sanitize-do-escape/ +:END: +#+title: Don’t try to sanitize input. Escape output. +Promotes the use of [[id:9914d09e-99fe-46a6-95be-676c5b78ed90][Input validation]] over [[id:2ba04972-f498-41c2-970e-a64c7f3f1c3b][Data sanitization]] on input data, +advocating that data be sanitized on output only ([[id:05698e38-65b2-496c-b02b-1db376ae734c][Validation vs Sanitization]]). diff --git a/input_filtering_by_chris_shiflett.org b/input_filtering_by_chris_shiflett.org new file mode 100644 index 0000000..4ad0bef --- /dev/null +++ b/input_filtering_by_chris_shiflett.org @@ -0,0 +1,7 @@ +:PROPERTIES: +:ID: e1e28807-b3fe-4de8-b2e4-443ac604827c +:ROAM_REFS: https://shiflett.org/articles/input-filtering +:END: +#+title: Input Filtering, by Chris Shiflett + +Chris defines what he means by "Input Filtering" ([[id:9914d09e-99fe-46a6-95be-676c5b78ed90][Input validation]]) diff --git a/sanitize_your_inputs_kevin_smith.org b/sanitize_your_inputs_kevin_smith.org new file mode 100644 index 0000000..8c1b533 --- /dev/null +++ b/sanitize_your_inputs_kevin_smith.org 
@@ -0,0 +1,9 @@ +:PROPERTIES: +:ID: 1383ec6f-39bb-40c5-8316-6b77d1a25232 +:ROAM_REFS: https://kevinsmith.io/sanitize-your-inputs/ +:END: +#+title: Sanitize Your Inputs? | Kevin Smith + +An article on the viability of using [[id:2ba04972-f498-41c2-970e-a64c7f3f1c3b][Data sanitization]] on input data versus +[[id:9914d09e-99fe-46a6-95be-676c5b78ed90][Input validation]] ([[id:05698e38-65b2-496c-b02b-1db376ae734c][Validation vs Sanitization]]). References [[id:4a7f50e1-2f2b-4bf5-b684-151a48af0281][The Basics of Web +Application Security]] and [[id:e1e28807-b3fe-4de8-b2e4-443ac604827c][Input Filtering, by Chris Shiflett]]. diff --git a/sql_injection_prevention_owasp_cheat_sheet_series.org b/sql_injection_prevention_owasp_cheat_sheet_series.org new file mode 100644 index 0000000..bd8e54d --- /dev/null +++ b/sql_injection_prevention_owasp_cheat_sheet_series.org @@ -0,0 +1,8 @@ +:PROPERTIES: +:ID: 2bcfcaa9-2d38-41c4-994d-98f38547b943 +:ROAM_REFS: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html +:END: +#+title: SQL Injection Prevention - OWASP Cheat Sheet Series + +Includes notes on performing [[id:2ba04972-f498-41c2-970e-a64c7f3f1c3b][Data sanitization]] on SQL queries to prevent [[id:e4a20390-fecb-46ff-8949-4f456abdbb09][SQL +Injection]] attacks. diff --git a/the_basics_of_web_application_security.org b/the_basics_of_web_application_security.org new file mode 100644 index 0000000..f3a358a --- /dev/null +++ b/the_basics_of_web_application_security.org @@ -0,0 +1,8 @@ +:PROPERTIES: +:ID: 4a7f50e1-2f2b-4bf5-b684-151a48af0281 +:ROAM_REFS: https://martinfowler.com/articles/web-security-basics.html +:END: +#+title: The Basics of Web Application Security + +Martin Fowler discusses what he considers to be the basics of web application +security, including [[id:9914d09e-99fe-46a6-95be-676c5b78ed90][Input validation]] and [[id:2ba04972-f498-41c2-970e-a64c7f3f1c3b][Data sanitization]].
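Review bot: in the `aweber/20210813142844-projects.org` hunk at `@@ -20,7 +20,7 @@`, the "Deploying Bulk Tagging to Kubernetes" heading flips from TODO to DONE with no accompanying `- State "DONE" from "TODO"` LOGBOOK entry, although the neighbouring headings each record their `- State "TODO" from [...]` transitions; add the matching entry (or let org-todo log it) so the completion date is recoverable later.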
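Review bot: in the `aweber/20210813142844-projects.org` hunk at `@@ -41,26 +41,28 @@`, "Set EOL date for awlists" is marked DONE, but the added `[2021-10-18 Mon]` note only records a migration target ("migrated to the new list service exclusively by the end of Q2 2022"), which is a deadline for the callers, not an end-of-life date for awlists itself; state explicitly whether awlists is switched off at that point, so the item is actually done. The new timestamp also omits the time of day, unlike the two entries above it.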
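Review bot: the two `#+RESULTS:` hunks in `aweber/20211001095858-tracking_progress_of_moving_pages_out_of_sites.org` replace `[[file:controllers-migrated-in-sites.png]]` and `[[file:controllers-migrated-in-sites-over-time.png]]` with `[[file:None]]`, which is not a valid link target and drops both figures from the note; this looks like the output of a source-block evaluation that produced no filename. Revert those two lines or re-run the blocks once they return the image path again, and keep only the `js-controller-count` change (`: 24` to `: 25`) from this file.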
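Review bot: in the `aweber/20211013161201-validating_and_sanitizing_tags.org` hunk at `@@ -17,5 +17,5 @@`, swapping the order so that "Add inbound validation" precedes "Remove outbound sanitization" captures the right dependency (until inbound validation is in place, the outbound sanitization is the only control on what gets rendered), but the dependency is only implied by list order; make it explicit with `:ORDERED: t` on the parent heading or a short note, so the removal is not picked up first. Also worth a line: tags stored before validation lands are still unvalidated, so removing outbound sanitization also needs a pass over existing tag data.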
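Review bot: in the `daily/2021-10-19.org` hunk, the two `file:~/Nextcloud/org/aweber.org::*...` links have been hard-wrapped: the first has its closing `)` pushed onto its own line, and the second has a line break inside the search string (`...analytics view and search` / `service][TODO]]`), so Org will not resolve it. Keep each link on a single line, and prefer `id:` links (as used everywhere else in this repo) over a home-directory path, which breaks on any other checkout of the notes.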
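Review bot: in the `cross_site_scripting_prevention_owasp_cheat_sheet_series.org` hunk, "prevension" should be "prevention", and describing the cheat sheet as "performing Data sanitization on HTML output" understates its main point: its primary recommendation is context-aware output encoding, with HTML sanitization reserved for the case where user-supplied markup must be rendered. Suggest "notes on output encoding (and HTML sanitization where markup must be allowed) for the prevention of Cross Site Scripting".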
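Review bot: in the `don_t_try_to_sanitize_input_escape_output.org` hunk, the summary says the article advocates "that data be sanitized on output only", while its own title (kept on the `#+title:` line) says "Escape output"; the distinction is the article's thesis, since escaping is context-specific encoding that preserves the data and sanitizing alters or strips it. Change "sanitized on output" to "escaped on output" so the note does not invert what it summarises.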
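Review bot: in the `sql_injection_prevention_owasp_cheat_sheet_series.org` hunk, "performing Data sanitization on SQL queries" misrepresents the linked cheat sheet, whose primary defence is parameterized queries (prepared statements), with escaping of user-supplied input listed only as a last resort. Suggest "Includes notes on parameterized queries and, as a fallback, escaping user input to prevent SQL Injection attacks".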