Docker === Love

Docker Can Do Everything!*

Improve your process for:

  1. Testing dev tools & servers with VIRTUALLY ZERO risk of messing up dependencies on your PC
  2. Testing your software
  3. Writing more idempotent, modular code… (I’ll write about how to actually realize this in a follow-up)

It may seem like there’s a huge volume of new stuff to learn; don’t let that stop you from getting started.

Notes

  • If you see a docker run command with either the -d or the -it option:
    • -it (or -i -t) runs the configured command interactively, attached to your terminal
    • -d starts the container as a ‘daemon’, aka a background service

EXAMPLES

nginx

    # Note: using host-based, shared folders (bind mounts).
    # Shared host folders are not possible with the VOLUME Dockerfile cmd;
    # NGINX_DIR is a shell variable pointing at your local config/log/www tree.
    sudo docker run --name web01 -d -p 8181:80 \
        -v "${NGINX_DIR}/etc:/etc/nginx" \
        -v "${NGINX_DIR}/log:/var/log/nginx" \
        -v "${NGINX_DIR}/www:/var/www/html" \
        nginx:latest

    # Alternative: local data, isolated within the instance
    # (same --name as above, so stop and remove web01 first)
    sudo docker run --name web01 -d -p 8181:80 nginx:latest

    # nodejs, exposing two ports (container port -> host port)
    sudo docker run --name nodejs01 -d -p 3300:3300 -p 4433:4433 nodejs:latest

Credits: https://dockerfile.github.io/#/nginx

Docker will make your life easier throughout the entire SDLC.

* Pretty close

Security Notes: RegEx

Denial-of-Service Regex Vulnerability

One of the most common, yet hardest-to-spot, vulnerabilities I encounter relates to regular expressions that are either poorly written or poorly implemented.

Warning Signs

  1. You have multiple capture groups
  2. Global matching
  3. The expression is used on unchecked user input

Mitigation / Resolution

  1. RegEx is hard
    1. For example, here is how the really smart folks at OWASP recommend handling IPv4 validation: ^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$
    2. That’s longer than a tweet, for a 4-byte IP address!!!
  2. Make sure user input isn’t unduly long. When I know input data is reliably less than 40 chars, I’ll make sure I reject anything over 64; otherwise, an attacker could overwhelm my system with a flood of 4Kb requests.
  3. This affects almost every language and platform: .NET/Node/Python/Perl/Java
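Putting the two mitigations together in Node, as an added example that is not part of the original post: a length cap is checked before the regex engine ever runs, the OWASP IPv4 pattern quoted above is anchored and used without the stateful g flag, and a small helper shows why a global regex is a warning sign in a validator. The function names (boundedTest, isValidIPv4, globalFlagResults) and the 15-character cap are my own choices, not from the post.

```javascript
'use strict';

// OWASP IPv4 pattern quoted on the page: anchored, no 'g' flag.
const IPV4_RE = /^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/;

// Longest legal dotted quad is "255.255.255.255": 15 characters.
// (Assumed cap for this example; pick the bound that fits your own field.)
const IPV4_MAX_LEN = 15;

// Generic guard: refuse over-long input with a cheap O(1) check before
// the regex engine sees it, so backtracking cost is bounded by maxLen.
function boundedTest(re, input, maxLen) {
  if (typeof input !== 'string') return false;
  if (input.length > maxLen) return false;
  if (re.global || re.sticky) {
    // 'g' and 'y' make test() stateful via lastIndex; a validator
    // must give the same answer every time, so reject such patterns.
    throw new Error('validator regex must not use the g or y flags');
  }
  return re.test(input);
}

function isValidIPv4(input) {
  return boundedTest(IPV4_RE, input, IPV4_MAX_LEN);
}

// Illustrates the "global matching" warning sign: the same RegExp object
// answers differently on two identical consecutive calls, because the
// second test() starts scanning at lastIndex instead of position 0.
function globalFlagResults(input) {
  const re = /^\d+$/g;                     // constructed example; 'g' is the bug
  return [re.test(input), re.test(input)]; // e.g. "123" -> [true, false]
}

// Stand-alone demo
console.log(isValidIPv4('192.168.0.1'));            // true
console.log(isValidIPv4('256.1.1.1'));              // false
console.log(isValidIPv4('1'.repeat(4096)));         // false, never reaches the regex
console.log(globalFlagResults('123'));              // [ true, false ]
```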

Reference

Regular Expression DoS and Node.js