Public API
tobozo opened this issue ยท 19 comments
tobozo commented
Hi and thanks for that awesome platform ๐
I've been developing an HVSC-based SID Player for ESP32, it acts as the C64 and is designed to drive any type of SID Chip (preferably clones).
esp32-SID+hat.mp4
Now that everything appears to work fine with the filesystem, I would like to test with an online database, and the deepsid site appears to provide an excellent API although it seems some measures are in place.
I know this can be easily prevented by sending the extra headers, but before doing that I'd like to ask if using the site in such a way is acceptable.
Also I found that not all queries using $_GET are prepared in hvsc.php, this smells like SQL Injection waiting to happen.
Chordian commented
Hi tobozo,
Sure, you are welcome to grab the sources from GitHub and do with it as you
wish for your device.
All SQL queries should be using prepared PDO wherever issued parameters are
concerned. I've only skipped it where the SQL parameter is acquired within
the PHP itself. At least, that was the plan. I'll make a note of skimming
through hvsc.php and double-check everything.
Good luck making it work. =)
/Jens
โฆOn Wed, 28 Dec 2022 at 15:33, tobozo ***@***.***> wrote:
Hi and thanks for that awesome platform ๐
I've been developing an HVSC-based SID Player for ESP32, it acts as the
C64 and is designed to drive any type of SID Chip (preferably clones).
https://user-images.githubusercontent.com/1893754/209825781-439af650-c761-4b45-a1e5-51b0f21cb1d8.mp4
Now that everything appears to work fine with the filesystem, I would like
to test with an online database, and the deepsid site appears to provide an
excellent API although it appears some measures
<https://github.com/Chordian/deepsid/blob/master/php/hvsc.php#L20> are in
place.
I know this can be easily prevented by sending the extra headers, but
before doing that I'd like to ask if using the site in such a way is
acceptable.
Also I found that not all queries using $_GET are prepared in hvsc.php,
this smells like SQL Injection waiting to happen.
โ
Reply to this email directly, view it on GitHub
<#20>, or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AD6SPEPA6LIKVSWCZOR4NLDWPRFSXANCNFSM6AAAAAATLJ7SBY>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
tobozo commented
Hi Jens, thanks for your quick reply
Actually I'm not planning to host/deploy, the idea is to access directly this URL by mocking XHR from my ESP32.
I figured out this isn't really a public API and no auth token is required, but since I found some limitating measures in the code I'm asking for a permission before starting to implement the client logic on my ESP32 and send queries to the actual deepsid.chordian.net website.
re: SQLI
$compoName = $isCSDbCompo && strlen($_GET['folder']) > 25 ? explode('/', $_GET['folder'])[2] : '';this $compoName variable isn't filtered and is used with unprepared query() statements.
Chordian commented
Yikes, you're right. There's a $_GET involved. I'll make a note of getting
it fixed. Thanks for pointing it out.
/Jens
โฆOn Thu, 29 Dec 2022 at 11:33, tobozo ***@***.***> wrote:
Hi Jens, thanks for your quick reply
Actually I'm not planning to host/deploy, the idea is to access directly this
URL <https://deepsid.chordian.net/php/hvsc.php> by mocking XHR from my
ESP32.
I figured out this isn't really a public API and no auth token is
required, but since I found some limitating measures in the code I'm asking
for a permission before starting to implement the client logic on my ESP32
and send queries to the actual deepsid.chordian.net website.
re: SQLI
php/hvsc.php:81
<https://github.com/Chordian/deepsid/blob/master/php/hvsc.php#L81>
$compoName = $isCSDbCompo && strlen($_GET['folder']) > 25 ? explode('/', $_GET['folder'])[2] : '';
this $compoName variable isn't filtered and is used with unprepared
query() statements.
โ
Reply to this email directly, view it on GitHub
<#20 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AD6SPENYRTHVJEPMK4SCVVLWPVSHRANCNFSM6AAAAAATLJ7SBY>
.
You are receiving this because you commented.Message ID:
***@***.***>
Chordian commented
It should now be plugged.
/Jens
โฆOn Fri, 30 Dec 2022 at 08:52, Chordian ***@***.***> wrote:
Yikes, you're right. There's a $_GET involved. I'll make a note of getting
it fixed. Thanks for pointing it out.
/Jens
On Thu, 29 Dec 2022 at 11:33, tobozo ***@***.***> wrote:
> Hi Jens, thanks for your quick reply
>
> Actually I'm not planning to host/deploy, the idea is to access directly this
> URL <https://deepsid.chordian.net/php/hvsc.php> by mocking XHR from my
> ESP32.
>
> I figured out this isn't really a public API and no auth token is
> required, but since I found some limitating measures in the code I'm asking
> for a permission before starting to implement the client logic on my ESP32
> and send queries to the actual deepsid.chordian.net website.
>
> re: SQLI
>
> php/hvsc.php:81
> <https://github.com/Chordian/deepsid/blob/master/php/hvsc.php#L81>
>
> $compoName = $isCSDbCompo && strlen($_GET['folder']) > 25 ? explode('/', $_GET['folder'])[2] : '';
>
> this $compoName variable isn't filtered and is used with unprepared
> query() statements.
>
> โ
> Reply to this email directly, view it on GitHub
> <#20 (comment)>,
> or unsubscribe
> <https://github.com/notifications/unsubscribe-auth/AD6SPENYRTHVJEPMK4SCVVLWPVSHRANCNFSM6AAAAAATLJ7SBY>
> .
> You are receiving this because you commented.Message ID:
> ***@***.***>
>
tobozo commented
whoops I was merely providing this info as a hint after quick-reading the code in just one file, but a slower read of hvsc.php brought up some other points of interest:
- possible resource exposure here
- possible stored XSS here
- these code blocks: [1] [2] [3] look suspicious and may contain more SQL Injections
I was too lazy to read the other files so I ran an audit tool (phpvuln) which found 346 potential vulns (sql injections, remote file inclusions, XSS, and a rand key).
There's no reason to panic about these numbers as many detected vulns are either false positives or impossible to reach, but reducing them would provide a better view on the true positives.
Chordian commented
Thanks, I'll check it out.
/Jens
โฆOn Fri, 30 Dec 2022 at 12:27, tobozo ***@***.***> wrote:
whoops I was merely providing this info as a hint after quick-reading the
code in just one file, but a slower read of hvsc.php brought up some other
points of interest:
- possible resource exposure here
<https://github.com/Chordian/deepsid/blob/master/php/hvsc.php#L686>
- possible stored XSS here
<https://github.com/Chordian/deepsid/blob/master/php/hvsc.php#L1109>
- these code blocks: [1
<https://github.com/Chordian/deepsid/blob/master/php/hvsc.php#L226-L258>]
[2
<https://github.com/Chordian/deepsid/blob/master/php/hvsc.php#L463-L486>]
[3
<https://github.com/Chordian/deepsid/blob/master/php/hvsc.php#L768-L779>]
look suspicious and may contain more SQL Injections
I was too lazy to read the other files so I ran an audit tool (phpvuln
<https://github.com/ecriminal/phpvuln>) which found 346 potential vulns
(sql injections, remote file inclusions, XSS, and a rand key).
There's no reason to panic about these numbers as many detected vulns are
either false positives or impossible to reach, but reducing them would
provide a better view on the true positives.
โ
Reply to this email directly, view it on GitHub
<#20 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AD6SPEPSGI2FSQA5EFC3S23WP3BJ7ANCNFSM6AAAAAATLJ7SBY>
.
You are receiving this because you commented.Message ID:
***@***.***>
Chordian commented
Hi tobozo,
Regarding those vulnerabilities, do you know of a PHP function or library
that can do the same thing that PDO can do to a $_GET value?
I'm thinking it would make fixing all this a whole lot easier if I could
just wrap all $_GET in a function call.
/Jens
โฆOn Fri, 30 Dec 2022 at 12:47, Chordian ***@***.***> wrote:
Thanks, I'll check it out.
/Jens
On Fri, 30 Dec 2022 at 12:27, tobozo ***@***.***> wrote:
> whoops I was merely providing this info as a hint after quick-reading the
> code in just one file, but a slower read of hvsc.php brought up some other
> points of interest:
>
> - possible resource exposure here
> <https://github.com/Chordian/deepsid/blob/master/php/hvsc.php#L686>
> - possible stored XSS here
> <https://github.com/Chordian/deepsid/blob/master/php/hvsc.php#L1109>
> - these code blocks: [1
> <https://github.com/Chordian/deepsid/blob/master/php/hvsc.php#L226-L258>]
> [2
> <https://github.com/Chordian/deepsid/blob/master/php/hvsc.php#L463-L486>]
> [3
> <https://github.com/Chordian/deepsid/blob/master/php/hvsc.php#L768-L779>]
> look suspicious and may contain more SQL Injections
>
> I was too lazy to read the other files so I ran an audit tool (phpvuln
> <https://github.com/ecriminal/phpvuln>) which found 346 potential vulns
> (sql injections, remote file inclusions, XSS, and a rand key).
>
> There's no reason to panic about these numbers as many detected vulns are
> either false positives or impossible to reach, but reducing them would
> provide a better view on the true positives.
>
> โ
> Reply to this email directly, view it on GitHub
> <#20 (comment)>,
> or unsubscribe
> <https://github.com/notifications/unsubscribe-auth/AD6SPEPSGI2FSQA5EFC3S23WP3BJ7ANCNFSM6AAAAAATLJ7SBY>
> .
> You are receiving this because you commented.Message ID:
> ***@***.***>
>
tobozo commented
Hi Jens,
I'm assuming you have already enabled Varnish WAF Core Rule Set so I'll skip the server part and focus on the code part.
You're probably looking for validation and sanitizing filters.
Doing something like this is tempting, but it is wrong for several reasons:
$clean_get = array_filter($_GET, function($k, $v) {
return filter_var( $v, FILTER_VALIDATE_REGEXP, $regexp_filter_opt );
}, ARRAY_FILTER_USE_BOTH);- a higher security level can't achieved by just factorizing, it needs deconstructing first
- not all _GET variables need filtering, some can be just matched with known clean values e.g.
in_array() - a single _GET variable may have several escaping strategies depending on the output contexts
Sanitizing example:
$search_html = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_SPECIAL_CHARS);
$search_url = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_ENCODED);
echo "You have searched for $search_html.\n";
echo "<a href='?search=$search_url'>Search again.</a>";
// will print:
// You have searched for Me & son.
// <a href='?search=Me%20%26%20son'>Search again.</a>Validating (and halting if validation fails):
$my_regexp = "/^[a-z0-9-_]{3,}$/"; // only-accept_words and numbers, no spaces, no special chars, strlen>=3
$regexp_filter_opt = ["options" => ["regexp"=> $my_regexp ] ];
$my_var = filter_var( $_GET['blah'], FILTER_VALIDATE_REGEXP, $regexp_filter_opt ) or die("Bad input, halting");Depending on the situation you should either match, validate, sanitize, or validate+sanitize.
Phpvuln can help you establish an inventory of those variables and create a table where you check boxes depending of what the variable does, if it needs validation, and what to do if the validation fails.
| file | var name | html | database | filesystem | sanitize | validate | on fail |
|---|---|---|---|---|---|---|---|
| blah.php | $_GET['blah'] |
โ | โ | โ | โ | โ | ๐ |
| index.php | $_GET['foo'] |
โ | โ | โ | โ | โ | ๐ |
| includes/something.php | $_GET['bar'] |
โ | โ | โ | โ | โ | ๐คท |
| vars.php | $folderPath |
โ | โ | โ | โ | โ | ๐ |
Building such a list produces many virtuous effects:
- it can be used to produce enforced WAF rules
- it helps you abstract away validation/sanitizing (e.g. using either php native filters or Laravel Validation class)
- items can be sorted/grouped by concerns to help define each security perimeter and reduce the logic overhead
- just add a "progress" column and you have a roadmap
Chordian commented
Wow, that was quite a response. =) Thanks a lot, I'll chew through it
soon.
/Jens
โฆOn Sat, 31 Dec 2022 at 14:22, tobozo ***@***.***> wrote:
Hi Jens,
I'm assuming you have already enabled Varnish WAF Core Rule Set
<https://docs.varnish-software.com/varnish-waf/owasp-crs/> so I'll skip
the server part and focus on the code part.
You're probably looking for validation and sanitizing filters
<https://www.php.net/manual/en/filter.filters.php>.
Doing something like this is tempting, but it is wrong for several reasons:
$clean_get = array_filter($_GET, function($k, $v) {
return filter_var( $v, FILTER_VALIDATE_REGEXP, $regexp_filter_opt );
}, ARRAY_FILTER_USE_BOTH);
- a higher security level can't achieved by just factorizing, it needs
deconstructing first
- not all _GET variables need filtering, some can be just matched with
known clean values e.g. in_array()
- a single _GET variable may have several escaping strategies
depending on the output contexts
Sanitizing <https://www.php.net/manual/en/function.filter-input.php>
example:
$search_html = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_SPECIAL_CHARS);
$search_url = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_ENCODED);
echo "You have searched for $search_html.\n";
echo "<a href='?search=$search_url'>Search again.</a>";
// will print:
// You have searched for Me & son.
// <a href='?search=Me%20%26%20son'>Search again.</a>
Validating <https://stackoverflow.com/a/10993817> (and halting if
validation fails):
$my_regexp = "/^[a-z0-9-_]{3,}$/"; // only-accept_words and numbers, no spaces, no special chars, strlen>=3
$regexp_filter_opt = ["options" => ["regexp"=> $my_regexp ] ];
$my_var = filter_var( $_GET['blah'], FILTER_VALIDATE_REGEXP, $regexp_filter_opt ) or die("Bad input, halting");
Depending on the situation you should either match, validate, sanitize, or
validate+sanitize.
Phpvuln can help you establish an inventory of those variables and create
a table where you check boxes depending of what the variable does, if it
needs validation, and what to do if the validation fails.
file var name html database filesystem sanitize validate on fail
blah.php $_GET['blah'] โ โ โ โ โ ๐
index.php $_GET['foo'] โ โ โ โ โ ๐
includes/something.php $_GET['bar'] โ โ โ โ โ ๐คท
vars.php $folderPath โ โ โ โ โ ๐
Building such a list produces many virtuous effects:
- it can be used to produce enforced WAF rules
- it helps you abstract away validation/sanitizing (e.g. using either
php native filters or Laravel Validation class)
- items can be sorted/grouped by concerns to help define each security
perimeter and reduce the logic overhead
- just add a "progress" column and you have a roadmap
โ
Reply to this email directly, view it on GitHub
<#20 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AD6SPEKNZ6MMRRLTZX3RVI3WQAXSNANCNFSM6AAAAAATLJ7SBY>
.
You are receiving this because you commented.Message ID:
***@***.***>
tobozo commented
welp I initially came here to ask permission to access the hvsc.php "API" from my ESP32-SIDPlayer's http client so it can retrieve playlists and SID files ๐คฃ
the fact that my ESP32 can do it probably means the access level to hvsc.php is "public" so I'll assume it's okay, but I'm currently coding a full client without knowing if this access level is going to change in the future, and knowing so would considerably reduce my own tech debt.
happy end of year!
Chordian commented
It's fine, go ahead. And happy new year too. =)
/Jens
โฆOn Sat, 31 Dec 2022 at 15:35, tobozo ***@***.***> wrote:
welp I initially came here to ask permission to access the hvsc.php "API"
from my ESP32-SIDPlayer's http client so it can retrieve playlists and SID
files ๐คฃ
the fact that my ESP32 can do it probably means the access level to
hvsc.php is "public" so I'll assume it's okay, but I'm currently coding a
full client without knowing if this access level is going to change in the
future, and knowing so would considerably reduce my own tech debt.
happy end of year!
โ
Reply to this email directly, view it on GitHub
<#20 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AD6SPEIJLKEDL3SIX6G3WHDWQBAB3ANCNFSM6AAAAAATLJ7SBY>
.
You are receiving this because you commented.Message ID:
***@***.***>
tobozo commented
happy $7e7 ๐ฅณ
here's some progress on my deepsid client for esp32:
๐ฑ https://youtube.com/shorts/maYoC9-8GKM
๐ป https://youtu.be/maYoC9-8GKM
Chordian commented
Wonderful stuff! Weird seeing the DeepSID folders in an environment like
that. =)
/Jens
โฆOn Fri, 20 Jan 2023 at 00:30, tobozo ***@***.***> wrote:
happy $7e7 ๐ฅณ
here's some progress on my deepsid client for esp32:
๐ฑ https://youtube.com/shorts/maYoC9-8GKM
๐ป https://youtu.be/maYoC9-8GKM
โ
Reply to this email directly, view it on GitHub
<#20 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AD6SPELTB7XBOZIJVG6KGKDWTHFBXANCNFSM6AAAAAATLJ7SBY>
.
You are receiving this because you commented.Message ID:
***@***.***>
tobozo commented
btw I noticed an issue with the player selector: when WebSid emulator is selected but WASM is disabled in the browser: a javascript error prevents the player selector to be rendered, and the whole deepsid app becomes unusable.
The problem is that the default player WebSid emulator is a WASM app; as a consequence any new visitor with WASM disabled will end up on a broken Deepsid site.
Detecting WASM support and using the JavaScript player as a fallback when detection fails is probably the best strategy to prevent this broken state.
Some context: recent news about possible usage of WASM by malware writers have increased an already existing awareness.
Chordian commented
Thanks for the info.
I wonder how often people disable WASM?
/Jens
On Fri, 20 Jan 2023 at 15.30, tobozo ***@***.***> wrote:
btw I noticed an issue with the player selector: when WebSid emulator is
selected but WASM is disabled in the browser: a javascript error prevents
the player selector to be rendered, and the whole deepsid app becomes
unusable.
[image: image]
<https://user-images.githubusercontent.com/1893754/213716373-b4db06ee-45cf-4ed5-a8c8-f8f014b92fa7.png>
The problem is that the default player WebSid emulator is a WASM app; as
a consequence any new visitor with WASM disabled will end up on a broken
Deepsid site.
[image: image]
<https://user-images.githubusercontent.com/1893754/213713393-ba8e1f5d-4904-4866-bc40-5b0d9d8aa7c8.png>
Detecting WASM support
<https://stackoverflow.com/questions/47879864/how-can-i-check-if-a-browser-supports-webassembly>
and use the JavaScript player as a fallback when detection fails is
probably the best strategy to prevent this broken state.
[image: image]
<https://user-images.githubusercontent.com/1893754/213713880-b1d341cf-c6da-4387-8bb4-8a7cd5139ad9.png>
Some context: recent news about possible usage of WASM by malware writers
<https://twitter.com/justinetunney/status/1613895681038770182> have
increased an already existing
<https://news.ycombinator.com/item?id=21984146> awareness.
โ
Reply to this email directly, view it on GitHub
<#20 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AD6SPENA25BWGKKICULGKMLWTKOPJANCNFSM6AAAAAATLJ7SBY>
.
You are receiving this because you commented.Message ID:
***@***.***>
--
/Jens
tobozo commented
I guess people do that when they don't like the idea that a full linux system could run in their browser.
Kroc commented
May be disabled by default with certain ad-blocking or privacy extensions. You should at least fail gracefully so that users know to allow permissions
Chordian commented
That's good to know, thanks.
/Jens
โฆOn Sun, 12 Feb 2023 at 00:17, Kroc Camen ***@***.***> wrote:
May be disabled by default with certain ad-blocking or privacy extensions.
You should at least fail gracefully so that users know to allow permissions
โ
Reply to this email directly, view it on GitHub
<#20 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AD6SPEIIII2SLH7HRHJ7VEDWXAM2HANCNFSM6AAAAAATLJ7SBY>
.
You are receiving this because you commented.Message ID:
***@***.***>
Chordian commented
DeepSID now shows a message if WASM is disabled.