Content Security Policy

I’ve recently been developing a WordPress replacement for https://found-art.roguelj.co.uk. WordPress is overkill for the needs of that site, and the additional functionality I required would have had to be provided by third-party plug-ins. Or I could have created the plug-ins myself, but it’s been a while since I coded any PHP.

In addition to this, I have also been wanting to test out some web app vulnerability scanners. Development of the new site for Found Art presented a perfect opportunity to test out ZAP – Zed Attack Proxy.

https://www.zaproxy.org


Now, I’ve never used ZAP before, so I just dived in and ran it using ‘Attack’ mode against the locally-running dev-site. It flagged several issues, all related to missing Content Security Policy headers.

Zed Attack Proxy Results

A quick internet search on how to fix this for an ASP.NET Core website led me to the following page https://the-runtime.dev/articles/content-security-policy-headers. Implementing the policies was easy, with the pertinent code being as follows:

app.Use(async (context, next) =>
{
    var nonce = Convert.ToBase64String(RandomNumberGenerator.GetBytes(16));
    context.Items["CspNonce"] = nonce;

    context.Response.Headers.Append(
        "Content-Security-Policy",
        $"default-src 'self'; script-src 'self' 'nonce-{nonce}'");

    await next();
});

The code above was specifically related to using a nonce for inline scripts. All well and good, and things worked as required once I had set the nonce in the appropriate scripts, as follows:

@{
    ViewData["Title"] = "Home Page";
    var nonce = Context.Items["CspNonce"]?.ToString();
}


I did have to tweak the code a little, because by default it didn’t include the other policies created by the CspBuilder (details on the page, go check it out):

context.Response.Headers.Append(
    Constants.Headers.CONTENT_SECURITY_POLICY_HEADER,
    $"{csp}; script-src 'nonce-{nonce}' 'self'; style-src 'nonce-{nonce}' 'self';");

A line in the middleware for the request (app.Use) caught my eye:

Convert.ToBase64String(RandomNumberGenerator.GetBytes(16))

This middleware runs for every request and therefore it should be as fast as possible. I wondered if there was a faster way to get 16 random characters, and it appears that there is:

var nonce = Random.Shared.GetString("abcdef0123456789", 16);

The documentation for GetString can be found here.

This will basically return a hex string; however, because we’re limiting the characters the function can draw from, the available entropy is not as high as it could be. Increasing the pool of characters to draw from does come with a little quirk; stick around for part 2 for the details.
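As an added example (not code from this post or from the linked article), here is the same middleware with the nonce still drawn from the operating system's cryptographic generator: Random.Shared is a fast general-purpose PRNG that is not designed to be unpredictable, and a CSP nonce only stops injected inline scripts if an attacker cannot guess it. It assumes .NET 9 or later for RandomNumberGenerator.GetHexString, and that the base policy string comes from whatever builder the site already uses.

```csharp
using System.Security.Cryptography;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Added example: per-request CSP nonce middleware. The nonce comes from
// RandomNumberGenerator (the OS CSPRNG) rather than Random.Shared, because
// the browser only blocks injected inline scripts if the nonce is unguessable.
public static class CspNonceMiddleware
{
    public const string NonceItemKey = "CspNonce";

    // 32 hex characters = 128 bits of entropy, with no Base64 allocation.
    // GetHexString needs .NET 9+; on older runtimes use
    // Convert.ToHexString(RandomNumberGenerator.GetBytes(16)) instead.
    public static string NewNonce() =>
        RandomNumberGenerator.GetHexString(32, lowercase: true);

    // Combines a base policy (assumed to be built once at startup, e.g. by the
    // CspBuilder from the linked article) with the nonce-bearing directives.
    public static string BuildHeader(string basePolicy, string nonce) =>
        $"{basePolicy}; script-src 'self' 'nonce-{nonce}'; style-src 'self' 'nonce-{nonce}'";

    public static IApplicationBuilder UseCspNonce(this IApplicationBuilder app, string basePolicy)
    {
        return app.Use(async (context, next) =>
        {
            var nonce = NewNonce();
            // Read in Razor via Context.Items["CspNonce"], as in the view above.
            context.Items[NonceItemKey] = nonce;
            context.Response.Headers.Append("Content-Security-Policy",
                                            BuildHeader(basePolicy, nonce));
            await next();
        });
    }
}

// Program.cs:  app.UseCspNonce("default-src 'self'");
// Razor view:  <script nonce="@Context.Items["CspNonce"]"> ... </script>
```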


Crystal Report extra characters when exporting to PDF

Crystal Report Extra Characters

Crystal Report extra characters: This is a problem I have had several times. It happens on multiple workstations, and it has a habit of returning. After some investigation, it would appear that it returns after a Crystal upgrade.

The symptom:

Exporting a Crystal Report that uses the Calibri font to a Portable Document Format file (PDF) will add an extra ‘ti’ after any letter ‘t’. Oddly, if you copy & paste the word into notepad or another text editor, it is correct.

The cause:

In my previous experience the problem has been caused by a missing USP10.dll file (Uniscribe Unicode Script Processor) in the following path:

C:\Program Files (x86)\Business Objects\BusinessObjects Enterprise 12.0\win32_x86

Either that, or it’s a different version. On my machine, the USP10.DLL file can be found in the following places, and I’ve included the MD5 of each for later reference:

d529d8f23f9c686a293203eb837b61ec

“C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\usp10.dll”

9255da3e4662edf10170e30e8b97c194

“C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win64_x64\usp10.dll”

85cea5cd92c4766ac54823011f6de43b

“C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\USP10.DLL”

1602a45f76281381dcfc88e25d889027

“C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\Packages\vwd\usp10.dll”

9870191d0f26bdaaf6d4550eee3a96ec

“C:\Program Files (x86)\Business Objects\BusinessObjects Enterprise 12.0\win32_x86\usp10.dll”

I had to use Process Explorer (a fantastic tool) to find out exactly which one was in use – in this instance it was at the following path:

C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\usp10.dll

It is version 1.626.7601.23259, which can be found in the details screen of the file:

USP10.DLL d529d8f23f9c686a293203eb837b61ec

So I copied over the USP10.DLL from “C:\Program Files (x86)\Business Objects\BusinessObjects Enterprise 12.0\win32_x86\usp10.dll” to “C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\usp10.dll”, and the problem was resolved. For reference, the MD5 of the one that works is 9870191d0f26bdaaf6d4550eee3a96ec, and the details are as follows (file version 1.422.3790.1830):

USP10.DLL: 9870191d0f26bdaaf6d4550eee3a96ec

I found the following page helpful during my investigations of this issue:

https://archive.sap.com/discussions/thread/1272660

Check out my other Crystal Report annoyances here:

https://roguelj.co.uk/tag/crystal-reports/

Processing – Preliminary Experiments

Processing

I’ve recently been playing with Processing. Here are the results. I did experiment with triggering some MIDI notes at the center threshold but it didn’t sound as good as I wanted. I’ll expand on that once I get a bit more time.

The Output

The Source

import themidibus.*; // Import the MIDI library
MidiBus myBus;       // The MidiBus
float b = 20;        // Phase, advanced a little every frame
float d = 0;         // Advanced every frame but not used by the drawing yet

void setup () {
  size(1280, 720);
  frameRate(30);
  MidiBus.list();
  myBus = new MidiBus(this, "Bus 1", "Bus 1");
}

void draw() {

  int icCount = 20;
  double number = Math.PI * 2 / icCount;
  background(0);

  for (int n=1; n<= icCount; n++) {
    double x = 300 + ((Math.sin(number * (17-(n/ Math.PI)) * b)) * 120);
    double y = (n * 60) + 20;
    double s = 50 * (Math.sin(b*n) +1);
    //if(n % 4 ==0) {
      // Colour the circle blue while it passes the centre threshold
      double check = Math.sin(number * (17-(n/ Math.PI)) * b);
      if (check >=0.1 && check <=0.2) {
        //myBus.sendNoteOn(1, n + 60, 12);
        fill(#0000ff);
      } else {
        //myBus.sendNoteOff(1, n + 60, 12);
        fill(#ffffff);
      }
    //}

    ellipse((float)y,(float)x,(float)s,(float)s);
  }

  b += 0.02;
  d += 0.04;

}

Check out the software here: https://processing.org/
Check out other sine programming examples here (JavaScript): https://roguelj.co.uk/toybox/