We Keep Coding

How to identify that uploaded image is malicious (using SailsJS and Skipper)?

I faced an interesting question about uploading images at the SailsJS application. I want to upload images from the frontend side to the backend side (NodeJs, SailsJS), validate the image (images), to be sure that images are doesn't include malicious data (like hidden scripts inside image content), and then send this images to AWS storage (S3 bucket)).
On the front end side, everything is done in accordance with SailsJS requirements (text fields are on the top of the form, file on the bottom).
Tools for upload:
For images upload, I use skipper (skipper-better-S3) which is a built-in module in SailsJS. Skipper extends the HTTP body parser used in Sails and Express.
To implement this, I use the code mentioned below:
Vault.read((err, result) => {
if (err) {
console.log('Vault S3 Error', err);
} else {
request.file('logo').upload({
adapter: require('skipper-better-s3'),
key: result.access_key,
secret: result.secret_key,
bucket: sails.config.s3.bucket,
maxBytes: sails.config.globals.multipleMaxLogoSize,
dirname: `some-directory/${client.id}/logo`,
s3config: {
signatureVersion: 'v4',
sslEnabled: true,
sessionToken: result.security_token
},
s3params: {
ACL: 'private',
SSEKMSKeyId: process.env.AWS_S3_KMS_KEY_ARN,
ServerSideEncryption: 'aws:kms',
}
}, (error, uploadedFiles) => {
if (uploadedFiles.length === 0 ? true : Utility.isValidImage(uploadedFiles[0].filename)) {
if (error) {
sails.log.error(error);
return response.serverError();
}
if (uploadedFiles.length > 0) {
uploadedFiles.forEach(uploadedFile => { client.logo = `/logo/${client.id}/${uploadedFile[0].fd.split('/').pop()}`;
client.displayName = request.body.displayName ? request.body.displayName : client.displayName;
client.save().then(() => {
return response.ok({});
}, (error) => {
sails.log.error(error);
return response.serverError(error);
}
)})
} else if (conditionForBadRequest) {
return response.badRequest();
}
} else {
sails.log.error('Invalid Image Type');
return response.badRequest('Invalid Image Type');
}
});
}
})
This code snippet can check if the image has the correct extension (ending), but it doesn't allow us to check if the image includes malicious scripts (Cross-Site Scripting, Persistent XSS).
Based on the mentioned above I have two questions:
How it is possible to check if the uploaded image (it content) includes malicious scripts as we know that image content can be intercepted with the help of some tools (Burp Suite)?
What is the best place for the validation of the image? Maybe it's better to do at saveAs property of request.file('logo').upload() function?
Any help appreciated.

How to detect Google places AutoComplete load issues?

I'm using the API successfully but encountered an error this morning with "OOPS! Something went wrong" sitting in the textbox and the user cannot type into it. I found the issue to be key related and fixed, however, this brought to light that some issue may arise and the user cannot complete because of this blocking. I'd like to be able to detect in javascript if there is some issue with the google.maps.places.Autocomplete object and not bind it to the textbox.

For anyone else wanting to do this.
Thanks to the folks for the idea over at:
Capturing javascript console.log?
// error filter to capture the google error
(function () {
var oldError = console.error;
console.error = function (message) {
if (message.toLowerCase().includes("google maps api error")) {
document.getElementById('<%=hdnGoogleSelected.ClientID %>').value = "DISABLE";
triggerUpdatePanel();
//alert(message);
}
oldError.apply(console, arguments);
};
})();
Mine is in an update panel so I triggered the update which sets the onfocus back to this.select(); for the textbox which effectively disables the autocomplete attempts.
tbAddress1.Attributes["onfocus"] = "javascript:this.select();";

Another option:
Google will return an error after about 5 seconds from loading.
"gm-err-autocomplete" class indicates any error with the autocomplete component.
You can periodically check for the error class google returns. I do it for 10 seconds after loading:
function checkForGoogleApiErrors() {
var secCounter = 0;
var googleErrorCheckinterval = setInterval(function () {
if (document.getElementById("AddressAutocomplete").classList.contains("gm-err-autocomplete")) {
console.log("error detected");
clearInterval(googleErrorCheckinterval);
}
secCounter++;
if (secCounter === 10){
clearInterval(googleErrorCheckinterval);
}
}, 1000);
}

Ionic - one signal push notifications sent twice

I am sending push notifications with One Signal to all users from the backend that uses Laravel like this:
OneSignal::sendNotificationToAll($notification->message);
I have set it up on the frontend side like this:
angular.module('coop.services')
.service('PushService', function(
AppSettings,
$rootScope,
$q
) {
var service = {
init: function() {
if (!window.plugins || !window.plugins.OneSignal) {
return;
}
window.plugins.OneSignal
.startInit( AppSettings.oneSignalAppId)
.endInit();
},
receivePush: function(data) {
$rootScope.$broadcast('push:received', data);
},
getDeviceId: function() {
var deferred = $q.defer();
if (window.plugins) {
window.plugins.OneSignal.getIds(function(ids) {
deferred.resolve(ids.userId);
});
}
else {
deferred.reject();
}
return deferred.promise;
}
};
return service;
});
I have tested both from the backend and from the One signal dashboard and when I am sending notification I get two notifications for each I send. One with alarm icon and one without any, what I am doing wrong?

you might have enabled mozila and Chrome with wrong settings, had similar problem I couldn't disactivate the browser though, I just made a new onesignal app and solved.

Soundcloud API sc.stream (track not loading on mobile sometime) - working on desktop

We are currently using the soundcloud API SDK for streaming and it does work on desktop but not 100% on mobile. (using responsive html. same api of course)
Sometime track is not lauch ? sometime it is.
I do not have specific error but on chrome network this line is show in red ??
http://api.soundcloud.com/tracks/146926142/stream?client_id=XXXXX
Redirect
We use a function to stream the track.
function streamTrack(id) {
var defer = $q.defer();
// Stream the track
SC.stream('/tracks/' + id, {
useHTML5Audio: false,
waitForWindowLoad: true,
onfinish: _scope.next,
whileplaying: function () {
var _this = this;
// Since we are in a callback, we need to tell angularJS to apply the change
if (timeout1) $timeout.cancel(timeout1);
timeout1 = $timeout(function () {
// Update the progress bar
_scope.progress = (_this.position / currentTrackDuration * 100) + '%';
_scope.timer = moment(_this.position).format('mm:ss');
$rootScope.$broadcast('trackRunning', { timerunning: _scope.timer });
});
}
}, function (sound) {
if (sound) {
defer.resolve(sound);
} else {
defer.reject();
}
});
return defer.promise;
}
If somebody has an idea pls.
Best Regards
Xavier

How to use chrome.sockets.tcp.connect via https? if not, any other way?

When I use this method in chrome 38,it output:
Unchecked runtime.lastError while running sockets.tcp.secure: net::ERR_INVALID_ARGUMENT
at Object.callback (chrome-extension://dljefdleijndedodoomhhlajcjddenpf/main.js:66:32)
This is my code:
chrome.sockets.tcp.create({}, function (createInfo) {
var socketId = createInfo.socketId;
chrome.sockets.tcp.connect(socketId, 'www.alipay.com', 443, function (connectResult) {
if (connectResult !== 0) {
return;
}
chrome.sockets.tcp.secure(socketId,{tlsVersion:{min:"ssl3",max:"tls1.2"}},function(secureResult) {
console.log("secureResult",secureResult);
});
});
});

You might want to follow https://code.google.com/p/chromium/issues/detail?id=403076 ("Unable to use new chrome.sockets.tcp.secure API due to setPause not taking immediate effect"), which sounds similar to your issue. If it is, then please star the bug and wait for a resolution.