Projects

Cushion Treemap npm module

npm module for cushion treemap visualization. A treemap uses nested rectangles to display the structure of hierarchical data. The size of each rectangle is proportional to the value associated with a particular node (for example, the file or directory size in the case of a file system).


Folder Stats App

Folder Stats App lets you visualize a folder structure and file sizes as a treemap. It is useful for finding out which files and folders take up the most space on your disk.


Waveform Generator

Waveform Generator is a tool for generating waveforms for audio files.


Lottie Toolbox

Lottie Toolbox lets you analyze Lottie animations and preview them in different libraries.


Print-Friendly GTD

Lets you print forms for time tracking and for the theXProject GTD method.

Writing

Server-Side Applications Sandboxing

Many server-side applications invoke command-line utilities for various tasks. One attack vector against such an application is abusing vulnerabilities in those utilities. For example, the <a target="_new" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3714">CVE-2016-3714</a> vulnerability makes it possible to craft a malicious image file that executes arbitrary code when it is passed to ImageMagick. ImageMagick supports dozens of file formats, and the specifications for some of them run to hundreds of pages, so it is very likely that new vulnerabilities will be found in the future. Such vulnerabilities do not depend on the language or framework used by the application. ImageMagick is usually invoked not directly but through an intermediate library (the minimagick gem in Ruby, the imagemagick module in Node, or the Imagick class in PHP). CVE-2016-3714 alone simultaneously compromised plenty of applications: CMSes, forums, blogs, e-commerce sites, i.e. every site that needs to process user-submitted images. If we could implement sandboxing in the major libraries used to wrap ImageMagick, we could mitigate similar vulnerabilities in the future.

Sandboxing gained momentum in browsers: Chrome, and later other browsers, switched to a model where each page is processed in a sandboxed process. <a target="_new" href="https://github.com/remoteinterview/compilebox">Sometimes</a> containers are used to isolate unsafe code, but that is considered <a target="_new" href="https://github.com/remoteinterview/compilebox/issues/10">wrong</a>. Let's take another approach. There are Linux utilities for sandboxing: <a target="_new" href="https://github.com/projectatomic/bubblewrap" >bubblewrap</a> and <a target="_new" href="https://github.com/google/nsjail" >nsjail</a>. Both are very easy to build and can be used by a non-privileged user (they rely on Linux user namespaces, so the kernel must allow unprivileged user namespaces). I will use nsjail as the example.
You will need a C compiler and the make utility for the build (newer versions of nsjail also need a C++ compiler and the protobuf and libnl3 development packages; check the README in the repository for the current list):

```bash
sudo apt-get install gcc make
```

And we will need the imagemagick package:

```bash
sudo apt-get install imagemagick
```

Let's clone the nsjail sources and build them:

```bash
git clone https://github.com/google/nsjail.git
pushd nsjail && make && popd
```

Now run ImageMagick inside the jail:

```bash
nsjail/nsjail -Mo -R /bin/ -R /lib -R /lib64/ -R /usr/ -R /sbin/ -R /etc/alternatives/ -T /dev -B /home/andrew/out/ -R /home/andrew/in/ --keep_caps -- /usr/bin/convert /home/andrew/in/sample-large.jpg -resize 512x512 /home/andrew/out/thumbnail.jpg
```

In this case we resize the picture */home/andrew/in/sample-large.jpg* into */home/andrew/out/thumbnail.jpg*. Here `-Mo` runs the jailed command once and exits, `-R` bind-mounts a host path into the jail read-only, `-B` bind-mounts it read-write, `-T` mounts an empty tmpfs at the given path, and everything after `--` is the command executed inside the jail. Nothing outside the listed mounts is visible to convert, and by default nsjail also runs the command in fresh PID, mount, network and IPC namespaces, so a compromised convert has no network and no access to the rest of the file system; only the output directory is writable. `--keep_caps` keeps the process's capabilities inside the jail, so try omitting it if your conversion works without it, since every flag that loosens the jail enlarges what an exploit can do. In this article I used ImageMagick as an example, but a similar approach can be used to mitigate vulnerabilities in other applications that process user-supplied data such as media files, archives or documents.
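The article leaves the last step, calling the jailed convert from the application instead of from a terminal, to the reader. As an added example (not code from the original article or from nsjail), here is a Python wrapper a server-side application could use for that; Python stands in for the Ruby, Node or PHP wrapper libraries mentioned above. It assumes the nsjail binary was installed to `/usr/local/bin/nsjail` and that the application drops uploads into `/srv/app/sandbox/in` and collects thumbnails from `/srv/app/sandbox/out` (both paths are assumptions, as are the `--time_limit` value and the file-name rules). The point it adds to the one-liner is that the file names and geometry reaching convert must be validated, because ImageMagick treats an argument that starts with `-` as an option and a `prefix:` as a coder selection, and the jail does not protect against that.

```python
import re
import subprocess
from pathlib import Path

# Assumed locations (not from the article): the installed nsjail binary and the
# two directories that are the only application paths visible inside the jail.
NSJAIL = "/usr/local/bin/nsjail"
IN_DIR = Path("/srv/app/sandbox/in")    # bind-mounted read-only  (-R)
OUT_DIR = Path("/srv/app/sandbox/out")  # bind-mounted read-write (-B)

# A plain base name: no '/', so the file cannot escape IN_DIR/OUT_DIR, no ':',
# so ImageMagick cannot read it as a coder prefix such as "label:" or
# "ephemeral:", and no leading '-' or '.', so it is never parsed as an option.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*$")
# Geometry for -resize; anything else (e.g. "-write /tmp/x") is rejected.
SAFE_SIZE = re.compile(r"^[0-9]{1,5}x[0-9]{1,5}$")


def _check_name(name: str) -> str:
    """Return `name` unchanged if it is a simple file name, else raise."""
    if not SAFE_NAME.match(name):
        raise ValueError(f"unsafe file name: {name!r}")
    return name


def build_convert_argv(in_name: str, out_name: str, size: str = "512x512",
                       time_limit: int = 30) -> list:
    """Build the nsjail command line equivalent to the one-liner in the article.

    System directories are read-only, /dev is an empty tmpfs, IN_DIR is
    read-only and OUT_DIR is the only writable path. --time_limit (nsjail's
    wall-clock limit, in seconds) kills the jail if a crafted image makes
    convert spin forever.
    """
    if not SAFE_SIZE.match(size):
        raise ValueError(f"unsafe geometry: {size!r}")
    src = IN_DIR / _check_name(in_name)
    dst = OUT_DIR / _check_name(out_name)
    return [
        NSJAIL, "-Mo",
        "--time_limit", str(time_limit),
        "-R", "/bin/", "-R", "/lib", "-R", "/lib64/", "-R", "/usr/",
        "-R", "/sbin/", "-R", "/etc/alternatives/",
        "-T", "/dev",
        "-B", str(OUT_DIR), "-R", str(IN_DIR),
        "--keep_caps",
        "--", "/usr/bin/convert", str(src), "-resize", size, str(dst),
    ]


def sandboxed_convert(in_name: str, out_name: str, size: str = "512x512",
                      runner=subprocess.run):
    """Run the jailed conversion and return whatever `runner` returns.

    The argv is passed as a list, never through a shell, so file names cannot
    inject shell syntax either. `runner` defaults to subprocess.run and is
    injectable so the argument construction can be exercised on a machine
    without nsjail; check=True raises CalledProcessError on a non-zero exit.
    """
    argv = build_convert_argv(in_name, out_name, size)
    return runner(argv, check=True, capture_output=True, timeout=60)


if __name__ == "__main__":
    # Print the command line for the article's sample file instead of running it.
    print(" ".join(build_convert_argv("sample-large.jpg", "thumbnail.jpg")))
```

A wrapper like this is where the sandboxing belongs in a real deployment: the application never calls convert directly, and every caller gets the same read-only mounts, time limit and argument checks.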

© Andrey Yatsyk
