How can I encrypt my django code? - django

I have to upload my django project to a shared hosting provider.
How can I encrypt my code?
I want to hide my code on the server.
Thanks :)

You can't. You could upload .pyc files I suppose, but they are completely and utterly trivial to decompile.

Who are you trying to conceal it from? If it's other users on the shared system, then make sure you have directory permissions properly restricted to your user. If it's the shared hosting provider itself, then there's not much you can do since obfuscation won't buy you all that much; spend some time to find a reputable hosting provider you can trust.

If you really want to hide your code, you have to build a custom Python interpreter that uses different opcodes (in Python bytecode). Then the server only has your hacked binary and .pyc files that are not trivial to decode. You can add encryption on top of that, or at least sign your code so that your binary is not that easy to investigate.
Another possibility is to never have your code on disk, only keep it in RAM. You could start your server process via e.g. execnet.
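To make the first answer's point concrete, here is an added example (not code from the original thread) that compiles a constructed "secret" module to a .pyc the way a deployment would, then reads the names, string constants and bytecode straight back out of the file with the standard library. Nothing is executed; the .pyc header length (16 bytes) is an assumption that holds for Python 3.7 and later.

```python
import dis
import marshal
import py_compile
import tempfile
from pathlib import Path

# Constructed stand-in for application code a developer might hope to keep private.
SAMPLE_SOURCE = '''
API_KEY = "sk-constructed-example-key"

def charge(card, amount):
    return post("https://billing.example/charge", card, amount, API_KEY)
'''


def compile_to_pyc(source: str) -> bytes:
    """Compile source text the way a deployment would and return the raw .pyc bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "secrets.py"
        src.write_text(source)
        out = py_compile.compile(str(src), cfile=str(Path(tmp) / "secrets.pyc"), doraise=True)
        return Path(out).read_bytes()


def recover_from_pyc(pyc_bytes: bytes) -> dict:
    """Pull names, string constants and a disassembly out of a .pyc without running it.

    Assumes the 16-byte .pyc header used since Python 3.7 (magic, flags, source
    size/hash or mtime); everything after it is a marshalled code object.
    """
    code = marshal.loads(pyc_bytes[16:])
    names, strings = set(), set()

    def walk(c):
        names.update(c.co_names)
        for const in c.co_consts:
            if isinstance(const, str):
                strings.add(const)
            elif hasattr(const, "co_code"):  # nested function and class bodies
                walk(const)

    walk(code)
    return {"names": names, "strings": strings, "disassembly": dis.Bytecode(code).dis()}


if __name__ == "__main__":
    found = recover_from_pyc(compile_to_pyc(SAMPLE_SOURCE))
    print("names:", sorted(found["names"]))
    print("strings:", sorted(found["strings"]))
    print(found["disassembly"])
```

The API key, the billing URL and every function and global name survive intact in the .pyc, which is why the practical answer is file permissions and a trustworthy host rather than hiding the code.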

Related

Hide folders in online compiler

I have developed a PHP application which serves as an online code compiler (in C, Java and Python) and hosted it on AWS Elastic Beanstalk. The user can type his code and submit to execute it. Then the server will return the output of the execution of his code.
When the user types my_app_url/some_dir, the website will raise a 403 error. However, the user can still list all the files and directories from /var/www/html by writing some appropriate code. I know I can process the output of the code to hide them, but is there any better way to do it?
All directories and files are owned by root:root. The permission mode is 755 for directory and 644 for file. The PHP application is running as webapp.
Let me start by saying that it's not a good idea to allow people to run arbitrary code on your server instance. Depending on who has access to your service, and how well it is controlled or monitored, you may run into all kinds of trouble (e.g. people sending spam, doing DoS attacks or hosting illegal stuff on your server), as they can run any kind of code on your machine.
Coming back to your question, you need to somehow make sure the code that is uploaded only does stuff that you allow. In Java you could use a custom security policy (see http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html), for example in order to disallow file access from the code. Additionally you'd need to set some limits on memory usage and run time, and kill any program that exceeds them. I'm not that familiar with C and Python, possibly there are similar mechanisms there to control what a process is doing. Platforms like TopCoder allow running your own code on their machines, implementing such a mechanism securely is however most certainly a very complex task.
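The memory and run-time limits the answer above describes can be applied on Linux with resource limits on the child process plus a wall-clock timeout. The following is an added example, not code from the question's application, that runs a submitted Python snippet in a separate interpreter with a CPU-second limit, an address-space limit, an output-file size cap and a wall-clock backstop, and reports how it ended. The limit values are assumptions chosen for illustration; this is one layer of a sandbox and belongs alongside a separate unprivileged user, a filesystem and network jail, and monitoring.

```python
import resource
import subprocess
import sys


def _apply_limits(cpu_seconds: int, memory_bytes: int) -> None:
    """Runs in the child between fork and exec; hard limits cannot be raised again."""
    resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))   # SIGXCPU when exceeded
    resource.setrlimit(resource.RLIMIT_AS, (memory_bytes, memory_bytes))  # allocations beyond this fail
    resource.setrlimit(resource.RLIMIT_FSIZE, (1 << 20, 1 << 20))         # cap any file it writes to 1 MiB
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))                      # no core dumps left behind


def run_untrusted(source: str, cpu_seconds: int = 1,
                  memory_bytes: int = 256 * 1024 * 1024, wall_seconds: float = 5.0) -> dict:
    """Execute untrusted Python source in a limited child and classify the outcome.

    outcome is one of: "ok", "error" (non-zero exit, e.g. MemoryError),
    "killed" (terminated by a signal such as SIGXCPU) or "timeout" (wall clock).
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", source],   # -I: isolated mode, ignores env and cwd
            stdin=subprocess.DEVNULL,
            capture_output=True,
            text=True,
            timeout=wall_seconds,                    # backstop if the child sleeps instead of spinning
            preexec_fn=lambda: _apply_limits(cpu_seconds, memory_bytes),
        )
    except subprocess.TimeoutExpired:
        return {"outcome": "timeout", "signal": None, "stdout": "", "stderr": ""}
    if proc.returncode < 0:
        return {"outcome": "killed", "signal": -proc.returncode,
                "stdout": proc.stdout, "stderr": proc.stderr}
    return {"outcome": "ok" if proc.returncode == 0 else "error", "signal": None,
            "stdout": proc.stdout, "stderr": proc.stderr}


if __name__ == "__main__":
    print(run_untrusted("print(2 + 2)"))
    print(run_untrusted("while True:\n    pass"))          # burns CPU until RLIMIT_CPU fires
    print(run_untrusted("x = bytearray(1024 ** 3)"))       # 1 GiB request fails under RLIMIT_AS
```

The CPU limit is what stops a busy loop; the wall-clock timeout covers a program that blocks instead of computing, which RLIMIT_CPU alone would never catch.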

Virus scan for files being uploaded to Sitecore

Are there any best practices on virus scanning all files being uploaded to the Sitecore media library (and ultimately stored in Sitecore's DB)?
I searched all over the web but there is too much noise caused by the word virus since many people seem to have performance issues on servers that have anti-virus software installed.
I don't know if it is an established best practice, but I would probably add a processor for the uiUpload pipeline that used an API or command line process for a commercial antivirus product. Other than the fact that it is in a pipeline processor, it shouldn't really be much different from how you would do it in any other ASP.NET application. Performance will definitely be a concern, but you could create a dialog with a pseudo progress bar to give some feedback to the user.
Take a look at this post by Mike Reynolds. It may help you out:
http://sitecorejunkie.com/2013/11/09/perform-a-virus-scan-on-files-uploaded-into-sitecore/
I am not aware of any published best practices, but if you are able to add a step in the upload process, you might want to take a look at Metascan, which provides API level integration to multiple antivirus engines. Using this, you could build a workflow for those uploaded files to scan them prior to them hitting your Sitecore media library by establishing rules based on the results of the antivirus engines used in your Metascan deployment. There's also a hosted version at metascan-online(dot)com
Disclaimer /// I am an employee of OPSWAT, who produces Metascan, but it appears to be a potential solution to your issue
In one of our recent projects, we were faced with a requirement to scan incoming files for viruses. The problem in the project was that the files, after being uploaded, were made publicly available on the website.
The way we solved the problem was by implementing https://www.virustotal.com/. It's a free online virus scanner that has a public API. You can send files via SSL.
We implemented the solution by adding newly uploaded files to a Sitecore workflow. The workflow would handle the scanning of files, and move the files to the final stage of the workflow if the files weren't infected. If a file was infected, the file would be deleted.
A Scheduler is running every 5 minutes to check for new incoming files with the workflow.
This also means that the files aren't available straight away, as the scheduler has to check the file, but you should be able to implement the functionality directly when the user has uploaded the file, by adding your custom code to the upload pipeline.
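The quarantine-then-publish workflow the last answer describes (upload lands in a holding area, a scheduled job scans it, clean files move to the public area, infected files are deleted) is shown below as an added example in plain Python, not Sitecore code from the thread. The scanner is a stand-in that matches file hashes against a constructed blocklist; in a real deployment that function would call the AV engine or API of your choice, and the directory layout and hash value are assumptions.

```python
import hashlib
import shutil
from pathlib import Path

# Constructed blocklist: SHA-256 of a sample standing in for a known-bad file.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed malicious sample").hexdigest()}


def hash_blocklist_scanner(path: Path) -> bool:
    """Return True when the file is infected. Stand-in for a real engine (hash match only)."""
    return hashlib.sha256(path.read_bytes()).hexdigest() in KNOWN_BAD_SHA256


class UploadWorkflow:
    """Uploads land in quarantine; only the scheduler moves clean files to the public area."""

    def __init__(self, root: Path, scanner=hash_blocklist_scanner):
        self.quarantine = root / "quarantine"
        self.public = root / "public"
        self.quarantine.mkdir(parents=True, exist_ok=True)
        self.public.mkdir(parents=True, exist_ok=True)
        self.scanner = scanner
        self.audit = []  # (filename, sha256, verdict) for every scheduler decision

    def submit(self, filename: str, data: bytes) -> Path:
        """Upload handler: store the file in quarantine under a sanitised name, never in public."""
        safe_name = Path(filename).name  # drop directory components from the client-supplied name
        if not safe_name or safe_name in (".", ".."):
            raise ValueError("invalid filename")
        target = self.quarantine / safe_name
        target.write_bytes(data)
        return target

    def run_scheduler(self) -> dict:
        """The periodic job: scan every pending file, publish clean ones, delete infected ones."""
        published, deleted = [], []
        for pending in sorted(self.quarantine.iterdir()):
            digest = hashlib.sha256(pending.read_bytes()).hexdigest()
            if self.scanner(pending):
                pending.unlink()
                deleted.append(pending.name)
                self.audit.append((pending.name, digest, "infected"))
            else:
                shutil.move(str(pending), str(self.public / pending.name))
                published.append(pending.name)
                self.audit.append((pending.name, digest, "clean"))
        return {"published": published, "deleted": deleted}

    def is_public(self, filename: str) -> bool:
        """What the web tier should consult: only files that passed the scan are served."""
        return (self.public / Path(filename).name).is_file()
```

The web server is pointed only at the public directory, so the delay the answer mentions is the price of never serving an unscanned file; the audit list keeps the hash and verdict of each decision so an infected upload can be traced even after the file itself is gone.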

Can I access the filesystem with Google NaCl?

Since Google NaCl is C++, will I be able to access the file system somehow? That's pretty much needed if I am to create a game or a desktop app.
Due to security restrictions, NaCl doesn't allow you to just open up any folder on the disk.
It does, however, grant the ability to access a sandboxed, obfuscated filesystem.
You can check out the PONG example in the latest SDK for examples of how to use the FileSystemAPI.
In addition, this page is a good starting point to understanding how the file system works:
https://developers.google.com/native-client/beta-docs/fileIO
~Main
Yes, but this access is supposedly secure and only able to access a sandboxed file system. Apparently you'll be able to do mmap calls, even. What could go wrong? :-)
Beyond any data files that come with the download, additional disk quota is an "app privilege" you have to "approve" when you install something. It can range from 0 to unlimited.

How to use binary executables in cron tab on web hosting

I use a web hosting (leadhoster.com) for my website and I use cron tab to run my PHP script on regular basis. But I need my script work much faster, as it processes images, so I want to write it in C++.
But how is it possible to create a binary executable on a web hosting? I did not find a CC or gcc compiler on the hosting. Should I install the same version of Linux on my home computer and build my code there to prepare the binary executable? How is this kind of thing usually done?
They won't appreciate it, if it's even possible. Most shared hosting providers disable all this access, since it's a major security risk.
You could install the same Linux they're using and compile it there. You will probably need to build a fat statically linked binary, since you probably can't install libraries either.
The only people who can help you with this is leadhoster's support group. They will most likely tell you that you can't do it on a shared server.

Installing Root CA Cert via code on Win32

We've just set up a new remote access solution using Microsoft's TS Gateway, which requires a couple of somewhat fiddly steps on the end users' behalf in order to get it working (installing our root CA cert, requirement of RDP 6.1 client etc).
In order to make this setup process as easy as possible (a lot of these users aren't technically minded), I'm looking to create a program to perform all these tasks automatically. I have most of it working, however I'm not entirely sure how to go about importing the Root CA cert into the Windows certificate store.
Because this can potentially be run on a wide range of computers with varying levels of patches and updates, I'm steering well clear of .NET and anything that isn't native - the tool should 'just run' without the user having to install anything extra (well, I will say Windows XP, no service packs, is the bare minimum required version of Windows). In saying that, I don't mind using something third party if it can be bundled in with the tool, as long as it's not huge, and doesn't introduce any interactive steps. Ideally something in the Windows API would be best, however I can't seem to track down anything relevant.
Currently the tool is a C++ application, so I don't mind if it's quite low level stuff.
First you need to open the root certificate store...
HCERTSTORE hRootCertStore = CertOpenSystemStore(NULL,"ROOT");
Then add the certificate using one of the CertAdd functions, such as CertAddEncodedCertificateToStore.
CertAddEncodedCertificateToStore(hRootCertStore,X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,pCertData,cbCertData,CERT_STORE_ADD_USE_EXISTING,NULL);
pCertData and cbCertData would likely point to the certificate data that you read from a file (not sure if the certificate will be in a file, or how you will include it in your application).
Then close the store with...
CertCloseStore(hRootCertStore,0);
NOTE: This code, if run as the user, installs the certificate to the user's root store, not the computer's. It also results in a warning dialog that the user must understand and select "Yes" to authorize the import. If your setup program can run this code in a system account, the import will affect the computer's root store and no warning dialog will be shown.
Have you looked at CertAddEncodedCertificateToStore ?
you could also check out CertAddEncodedCertificateToSystemStore