Open Redirection Attack prevention

If you've had a look at the MVC3 preview generated code you will notice the  Url.IsLocalUrl method getting called from the LogOn action.

[code:c#]

[HttpPost]
public ActionResult LogOn(LogOnModel model, string returnUrl)
{
    if (ModelState.IsValid)
    {
        if (MembershipService.ValidateUser(model.UserName, model.Password))
        {
            FormsService.SignIn(model.UserName, model.RememberMe);
            if (Url.IsLocalUrl(returnUrl))
            {
                return Redirect(returnUrl);
            }
            else
            {
                return RedirectToAction("Index", "Home");
            }
        }
        else
        {
            ModelState.AddModelError("",
            "The user name or password provided is incorrect.");
        }
    }
 
    // If we got this far, something failed, redisplay form
    return View(model);
}

[/code]

This prevents philishing attacks by ensuring that after a successful log on the user only gets directed to the local site and not another site.

Take for example I send you a email with a link to /Account/LogOn?returnUrl=http://brainkeating.net/Account/LogOn
After you successfully enter your log on detail @ briankeating.net you would get redirected to www.brAInkeating.net if you are not quick enough to notice you could now be presented with an identical logon page at this different url, oh darn i typed my password wrong...., BrAIn Keating is a nasty piece of work, he will log your login details to his database and then use it to access briankeating.net with our credentials, not after you login @ brAInkeating.net you will get redirected back here to briankeating.net (where you've already authenticated and be none the wiser).

So what if you are still on MVC2 (most of my web apps these days are...) what can you do to avoid this attack...

That;s an easy one to answer, I've been a lazy bugger and lifted this code from www.asp.net

[code:c#]

public bool IsLocalUrl(string url) {
    return System.Web.WebPages.RequestExtensions.IsUrlLocalToHost(
        RequestContext.HttpContext.Request, url);
}

[/code]

The IsUrlLocalToHost method contains the actual validation logic below

[code:c#]

public static bool IsUrlLocalToHost(this HttpRequestBase request, string url) {
    if (url.IsEmpty()) {
        return false;
    }
 
    Uri absoluteUri;
    if (Uri.TryCreate(url, UriKind.Absolute, out absoluteUri)) {
        return String.Equals(request.Url.Host, absoluteUri.Host,
            StringComparison.OrdinalIgnoreCase);
    }
    else {
        bool isLocal = !url.StartsWith("http:", StringComparison.OrdinalIgnoreCase)
            && !url.StartsWith("https:", StringComparison.OrdinalIgnoreCase)
            && Uri.IsWellFormedUriString(url, UriKind.Relative);
        return isLocal;
    }
}

[/code]

 

Oracle Database Restore

How to create an oracle user/schema and resore an existing database to this new schema.

 

drop tablespace xxx_demo_data including contents and datafiles;


CREATE TABLESPACE xxx_demo_data
       DATAFILE 'd:\oradata\abci\xxx_demo.DBF '
       SIZE 10M
       AUTOEXTEND ON NEXT 10M
       MAXSIZE UNLIMITED;

drop user xxx_demo cascade;
 
   CREATE USER xxx_demo
       IDENTIFIED BY xxx_demo
       DEFAULT TABLESPACE xxx_demo_data
       TEMPORARY TABLESPACE temp;


GRANT CREATE SESSION TO xxx_demo;  

GRANT CREATE TABLE TO xxx_demo;
GRANT CREATE VIEW TO xxx_demo;
GRANT CREATE SEQUENCE TO xxx_demo;
GRANT CREATE TRIGGER TO xxx_demo;
GRANT RESOURCE TO xxx_demo;

ALTER USER xxx_demo QUOTA unlimited ON xxx_demo_data;

// change the passworkd.
//drop to command line

impdp xxx_demo/{passwd} DIRECTORY=expdp_dir DUMPFILE=20101220-DEMO.DMP REMAP_SCHEMA=xxx:xxx_demo  REMAP_tablespace=xxx:xxx_demo

Asyncronous WF4 activities

Anyone that's ever written UX/GUI code will know that while it once was acceptable (unavoidable) to block the UX thread with long running operations, it's now almost always done in a background thread/task etc.

Well with WF4 it's pretty much the same story, it's not the best idea to block the workflow thread while preforming longing running operations.

Take the following example, where I make a webservice call to a server for some information, webservices can take quite some time depending on network load latency etc.

public sealed class GetCurveTenor : AsyncCodeActivity

    {

        public InArgument<string> CurveUri { get; set; }

        public OutArgument<Dictionary<DateTime, double>> CurveDetail { get; set; }

 

        protected override IAsyncResult BeginExecute(

            AsyncCodeActivityContext context, AsyncCallback callback,

            object state)

        {

            Func<string, Dictionary<DateTime, double>> asyncWork =

                curveUri => RetrieveCurveDetail(curveUri);

            context.UserState = asyncWork;

            return asyncWork.BeginInvoke(

                CurveUri.Get(context), callback, state);

        }

        protected override void EndExecute(

            AsyncCodeActivityContext context, IAsyncResult result)

        {

            Dictionary<DateTime, double> curveDetail =

                ((Func<Int32, Dictionary<DateTime, double>>)

                    context.UserState).EndInvoke(result);

            if (curveDetail != null)

            {

                CurveDetail.Set(context, curveDetail);

            }

        }

 

        private Dictionary<DateTime, double> RetrieveCurveDetail(string curveUri)

        {

            Dictionary<DateTime, double> result = new Dictionary<DateTime, double>();

            // Do server stuff ...

            return result;

        }

    }

Most of the code above should be self explanatory.
If you've not seen the "Func" syntax before it's basically just a delegate defined like this (in .NET 4)

public delegate TResult Func<in T, out TResult>(T arg);  (Note the .NET 4 in modifier to indicate contravariance)

I've used lambdas to point to delegate towards the RetrieveCurveDetails function, it's this function that gets executed on the background thread.

Hope this has been of some assistance.

 

 

 

ReHosting the workflow designer

If you've attempted to host the workflow designer in .net <= 3.5 you'll remember it's not such an easy achievement.

However doing so in wpf .net 4.0 is quite trivial.

Have a look at the Visual Studio 2010 .NET 4 training kit and you'll see for your self.

Here's my first appempt this evening that took all of 10 minutes.

 Make sure to download the training kit even if you are an experienced developer, it's got some gems in it.

SQL Server Check Constraints

Here's an easy one to get caught out on.

Say you remove a constraint on a table to do some maintainance ect.

e.g.

ALTER TABLE BANDWIDTH NOCHECK CONSTRAINT FKUserLimits;

When you wish to bring the constraint back on stream you may be surprised to find the following does not quite work...

 

ALTER TABLE BANDWIDTH CHECK CONSTRAINT FKUserLimits;

You may be be able to see this in the execution plan on SSMS if the constraint was used in query optimization.

but you can check for sure by executing the following

select name, is_not_trusted FROM sys.foreign_keys where name = 'FKUserLimits';

you'll find that is_not_trusted is 1, indicating that the constraint is not trusted, this is because someone could have modified the table while the constaint was turned off, the sql to reenable the constraint needs to be told to check it while doing so..

here's how

 

ALTER TABLE BANDWIDTH
WITH CHECK
CHECK CONSTRAINT FKUserLimits;

This option tells SQL server to verify that all rows in the table comply with the constraint prior to turning it back on. If any rows do not comply with the constraint, an error message is returned and the alter table statement is rolled back.

 

WF4 WriteLine testing using extensions

If you wish to test specific writelines on a console application: you can do so by adding a StringWriter object to the workflow extensions.
The writeline activity will use the textwriter if it exists as opposed to the console.

[TestMethod]
public void CheckWorkflowWriteLine()
{   
 var wi = new WorkflowInvoker(new HelloWorld());

        //Add string writer to extensions  
 var writer = new StringWriter();    
 wi.Extensions.Add(writer);    
 wi.Invoke();    
 Assert.AreEqual("Hello Workflow", writer.ToString());
}

HowTo: Consume WCF From WF4

Hi all.

I've discovered this is not as simple as it would appear to be.
Infact it's worse; in "order" to do this you will need to jump through a few hoops...; in a particular order!

 

1. Add an activity library project
2. Add a reference to this new project from your WF4 app (any app with workflows.. silverlight/mvc etc)
    ENSURE: this is done before step 3 or visual studio 2010 will give you a circular reference error!
3. In the activity library add the service reference to your webservice
4. Modify your webconfig file to contain the abc information for the connection (servicemodel stuff)
5. Now use the activities (from the toolbox)

I gather from crawling through google that the above sequence is already well defined as a workaround for the vs2010 bug.

 

 

It's my football and I'm going home

We've all created API libraries, and libraries by their nature encourage resuse.
However what happens if you want to be selective in who else uses your assembly?
One simplistic approach would be to ensure that the calling assembly has the same public key


private void CheckCallerAllowed()
{
var myPubKeyToken = Assembly.GetExecutingAssembly().GetName().GetPublicKeyToken();
var entryPubKeyToken = Assembly.GetEntryAssembly().GetName().GetPublicKeyToken();

if (myPubKeyToken.Length != entryPubKeyToken.Length)
    throw new ApplicationException("Assembly not licensed");

for (int idx = 0; idx < myPubKeyToken.Count(); ++idx)
   
if (myPubKeyToken[idx] != entryPubKeyToken[idx])
       
throw new ApplicationException("Assembly not licensed");
}

 

Place a call to the function above in your public interface.

Xaml gotya

Here's one I'm ashamed to admit caught me as I was finishing up work this evening, it's been a good few weeks since I've gone near wpf/silverlight given I was on holidays and spend my time playing with WF4 and MVC2.

Anyway in screenshot below.. vs2010 .net 3.5 sp1 I was binding some data to a datagrid.

 I omitted to remove the offending closing xml comment you can see in the xaml "-->"

And low and behold the binding breaks down without any prior warning,,,, infact my object collection is totally ignored and the "-->" is passed to the binding, I know this because I removed the binding paths in the columns and was presented with "-->" in my grid...

Just an interesting one to keep in mind.. If you're like me, u couldn't switch off the computer this evening until this peculiar behaviour was explained..

 

Maybe it will save you some time if you come accross it.