Wednesday, May 23, 2018

CI Tip: block insecure changes to your source code

As a dev or devops person, it's pretty easy to accidentally expose AWS or other secrets by putting them into "temporary" code or environment files. Once a secret appears in version control, it should no longer be trusted, go ahead and rotate the key.

Here's how to write a checker, so that secrets won't make it into source code!  This is perfect for a Git commit hook. The important feature to use is Perl-style regular expressions, which allow you to say "match this exactly N number of times". Also, the "-w" flag to Ack lets us match word boundaries. Thus, if something is a word, and exactly some number of characters long, we flag it.


$ echo 'I love gin' | ack -w '[a-z]{3}'
I love gin

This example finds words of exactly three letters. The word "gin" is found, as it's exactly three characters. The second word "love" is not flagged, even though it has 3 characters included in it, because we added the "-w" flag to only find words. "Gin" has a non-letter on either side, so it's a word, so we match it.

To catch AWS keys, search for "words" of exactly 20 characters, uppercase letters and numbers only:

$ ack -lw '[0-9A-Z]{20}'

Ah: two local environment files have AWS keys, which is okay. These are not checked in to Git. However, a key snuck in to another file, in source code!  Now that Ack alerted me to a mislaid key, I can go fix it and make our system more secure. Win!

Monday, May 21, 2018

Sublime tips and tricks

Things I learned:

- ⌘-SHIFT-J = select everything that's similarly indented

- CTRL-⌘-UP = move selection up (vs dragging the region with the mouse)

- CTRL-SHIFT-K = delete entire current line. I used to do ⌘-L, Delete dozens of times a day. Now there's another way!

TIP: you can exclude file types when searching for stuff in Git!

Git isn't just a database, it's a comprehensive searching system XX. You can exclude file types when searching for stuff in Git!

Example: the Development branch broke some time between two Git commits. I want to find the error but don't want to look at huge piles of changes. I don’t think the front end Vue files broke the build, so let's find changes excluding those files, so I can find the error.

First, I list the files between the two commits, to see if it’s roughly what I want:

git diff --stat c7b5d2d^..2de4986 -- ':(exclude)*.vue'

Looks good. Next, I list the actual content by zapping the "--stat" argument:


Or: git diff c7b5d2d^..2de4986 -- ':(exclude)*.ts'

I found the problem! Yay, Git!

More info:
Git pathspec
- Bash "Event Designators" (the upcaret to search and replace previous line)

Friday, May 18, 2018

console.log macro in Sublime Text

Here's how to make a selection macro in Sublime Text. 

Type the word "beer", select it, then press a key to turn it into a console.log statement!

Here's how to do it:

1. Create the console.log template:

Click Tools > Developer > New Snippet...

Paste the following:


Save the above as log.sublime-snippet

2. Create a keybinding to the snippet:

Click Sublime Text > Preferences > Key Bindings

Paste this bit into the middle of the keymap:

  "keys": ["ctrl+shift+l"], 
  "command": "insert_snippet", 
  "args": { "name": "Packages/User/log.sublime-snippet" } },

Save it.

To use, type beer in your program. Double-click to select it, then hit your "log this message" keyboard command ctrl+shift+l.