#off-topic
2023-11-19
DrLjótsson07:11:06

Hey! Anyone have a suggestion for a malware/virus scanning application that can be easily integrated with a clojure app. It will be used to scan user uploaded files.

p-himik08:11:49

I think you'd be better off not with an application but with a service, e.g. https://developers.virustotal.com/v3.0/reference

DrLjótsson08:11:52

The files that need to be analyzed are protected by EU privacy laws so if it is possible to have something local that would be preferable.

DrLjótsson09:11:26

Or an external service that guarantees that data is only stored within the EU and will sign a DPA. I can’t find such information on VirusTotal’s website.

Nundrum15:11:34

@UGDTSFM4M I actually worked at a place that used Clojure + VT for this purpose. You can submit the file's hash instead of the file. That might go a long way towards what you need to achieve.

DrLjótsson07:11:10

Hey again! I have an app that should serve requests for the same user from different domains. The requests are backed by the same session though. We have domain a that is the main domain where users login and perform their main work. Then we have domain b where users view potentially dangerous dynamically generated content, so it's on another domain to prevent it from making malicious requests to domain a. My question is how to make the transition to domain b easy and secure. My idea is the following.

1. User logs into a.
2. They want to view potentially malicious content and click a link that opens the content viewer in domain b in a separate browser tab.
3. There is no session cookie for domain b, so it automatically redirects back to a with a request for a uid.
4. Domain a recognizes the user and creates a uid, and redirects back to b.
5. Domain b checks what session-id the uid corresponds to, and creates a session cookie for that session.
6. User is directed to the content viewer on domain b.

Now the user has a session cookie on b that is backed by the same session as a. When the user logs out from a, the b session also becomes invalid.

DrLjótsson08:11:21

One could create a secondary session id, which is used by domain b. So that knowledge about that session id will not give access to the session within domain a.

DrLjótsson08:11:07

The uid is backed by an atom that maps the uid to the (secondary) session id. The uid is created in step 4 and consumed in step 5.

DrLjótsson08:11:07

The request in step 4 includes what domain (`b`) and path to redirect back to. Domain a checks that the redirect domain is valid before redirecting, so that the uid is not sent to some other domain.

DrLjótsson08:11:11

All requests are GET requests. So they are not protected by CSRF tokens or similar.

DenisMc21:11:12

Hi, I’m using Datadog for log analysis and alerting, works great. One problem though - datadog automated browser synthetic tests are pricey. I’m using this service to run browser tests every 5 minutes on various flows that I have recorded within Datadog, and it alerts me if it breaks for whatever reason. I would be perfectly happy to rewrite these in etaoin or playwright, but I’m not sure if there’s a free/cheap service i could use to trigger these tests - anyone have any recommendations in this space?

Luke Zeitlin12:11:52

I use gitlab jobs on a schedule with UI tests written with nbb / playwright. The free tier gives you 400 compute minutes a month, so not enough for your every-5-minutes schedule. "premium" (30 bucks a month) gives you 10,000, so maybe enough depending on how long your tests take.

DenisMc22:11:17

Thanks, might go that route. I’m already using GitHub actions and I suspect using them in this way would be more cost effective than DD’s synthetic tests.

jumar05:11:28

We use github actions for that