|
Jabor posted:I think ivantod is mainly talking about the unnecessary inheritance you're being asked to implement. Using inheritance like this is an approach that is often tantalizingly easy to begin with, but ultimately makes programs very inflexible and difficult to maintain, and has fallen out of favour in many professional circles for that reason. Correct. Sorry for not being 100% clear, but I was upset with the fact that the people who are supposed to be teaching the OP are telling them that is a good way to do things (e.g. by inheriting from ArrayList and stuff). The criticism was not intended against the OP, who I assume is doing their best to try to pass this class as is not at all to blame here for the stupid assignment they were given. OP, I'm sorry, I absolutely was not indending to criticise you, sorry that it came across that way! I'm just angry at your teachers! ivantod fucked around with this message at 15:23 on Dec 1, 2021 |
# ? Dec 1, 2021 15:20 |
|
|
# ? May 13, 2024 04:30 |
|
Jabor posted:It sounds like you need to make CarLot extend ArrayList<Car>, delete the inventory field, and then just refer to this anywhere you were previously referring to inventory. If it sounds dumb as hell then you're right, it is, because the assignment is dumb as hell. Ok, here is the changed CarLot: code:
|
# ? Dec 1, 2021 15:27 |
|
ivantod posted:Correct. NP, didn't think you were insulting me.
|
# ? Dec 1, 2021 15:27 |
|
Mycroft Holmes posted:Getting only two errors, one in SetInventory and one in loadfromDisk. Both refer to my use of "this" and say "The left hand side of an assignment must be a variable" "This" is like a pointer to your current instance, so you can't assign a new value to "this" from within a class instance itself, because that would mean that you lose the reference to that current instance whose method is just now executing. But ArrayList has methods like clear and addAll which you can use to update the contents of "yourself". Possibly look into using one of both those in the places where you are trying to assign something to "this", which are giving you errors.
|
# ? Dec 1, 2021 15:39 |
|
Thanks for all the help, guys.
|
# ? Dec 1, 2021 16:04 |
|
Mycroft Holmes posted:Ok, here is the changed CarLot: You should know that this does not create a copy of the array. After doing this, the variable inventoryCopy is still pointing at the same array, not a copy of it. As it's written currently, this method is functionally identical to just code:
code:
chippy fucked around with this message at 18:43 on Dec 1, 2021 |
# ? Dec 1, 2021 18:33 |
|
Paul MaudDib posted:I can't figure out a way to programmatically configure a class as ControllerAdvice, only via the annotation.
|
# ? Dec 1, 2021 21:42 |
|
Any reason why you're using Double and Boolean instead of double and boolean in your loadFromDisk function?
|
# ? Dec 2, 2021 01:56 |
|
Is there an efficient way to parse large amounts of CSV data from an InputStream coming from AWS S3? I want to open a series of files, validate each line for formatting, and then merge them into a single file. Converting the stream into a BufferedReader and then performing evaluations the traditional way appears to be incredibly slow with a "small" file (~100MB) and the intent is for this to potentially run on 1+GB files. At this point all I'm doing is converting the data to lines and passing them to a multipart file upload and just the act of building the string to write is taking ages (like 10+ minutes without finishing). Obviously S3 is going to be slower than a local filesystem, but unless I'm making a very big mistake (which is very possible!) this seems slow to me. In other jobs I have streamed 100+GB files, unzipped them in memory, and written the zip contents using raw bytearray streams and that only takes 45 mins or so which is much more in-line with what I was expecting. Example: partSize is a final long of 100MB. csvLines is a class StringBuilder variable so it can continue building between files before exceeding the filepart size limit. A final call of uploadStringStream() is made after all files have been parsed to complete any remaining lines as the final filepart. Java code:
|
# ? Dec 2, 2021 17:01 |
|
Maybe experiment with a larger buffer size on your Reader? Default is 8kb which might be triggering a lot of new HTTP connections.
|
# ? Dec 2, 2021 17:26 |
|
PierreTheMime posted:
IIRC calling this repeatedly like this in a loop is very slow as it's converting the StringBuilder to a string, then to a byte array for every line you're processing in the input file. It'd be faster to get the size in bytes of each input line and increment a temp variable indicating how many bytes have been processed and then check to see if you're going to exceed your buffer size before adding more to the output. Though the most likely culprit is the S3 transfer being slow. You might temporarily change the code so it loads that data into memory before any processing is done so you can separate the download from processing while trying to figure out why it's slow.
|
# ? Dec 2, 2021 17:46 |
|
RandomBlue posted:IIRC calling this repeatedly like this in a loop is very slow as it's converting the StringBuilder to a string, then to a byte array for every line you're processing in the input file. It'd be faster to get the size in bytes of each input line and increment a temp variable indicating how many bytes have been processed and then check to see if you're going to exceed your buffer size before adding more to the output. quote:Though the most likely culprit is the S3 transfer being slow. You might temporarily change the code so it loads that data into memory before any processing is done so you can separate the download from processing while trying to figure out why it's slow. Edit: That absolutely was the issue. "calling this repeatedly like this in a loop is very slow" is an understatement of the century, the process runtime for 170MB of text is 43 seconds now. PierreTheMime fucked around with this message at 18:04 on Dec 2, 2021 |
# ? Dec 2, 2021 17:53 |
|
PierreTheMime posted:Edit: That absolutely was the issue. "calling this repeatedly like this in a loop is very slow" is an understatement of the century, the process runtime for 170MB of text is 43 seconds now. Yup, I've had to solve this exact problem before (without S3 being involved) and that was our core issue originally as well.
|
# ? Dec 2, 2021 18:53 |
Profiling the problematic code should reveal that sort of performance issue
|
|
# ? Dec 2, 2021 21:31 |
|
Uh, so this isn't great. https://twitter.com/dzikoysk/status/1469091718867951618 https://www.lunasec.io/docs/blog/log4j-zero-day/ If you don't disable the feature, log4j allows log statements like logger.info("some text") to contain placeholders which log4j will interpret. One of the placeholders allows you to invoke JNDI, which means you can get the logging system to try loading code from remote servers. This means attackers just have to get you to log some string they provide, and they can load code into your process.
|
# ? Dec 10, 2021 21:05 |
|
Thanks! I was having some trouble parsing how exactly someone would use this to breach my system. So, basically like SQL injection, but they inject a templating string instead? I guess there's no shortage of code that will log a string the user has submitted. I guess there was a reason they were ordering people at the office to stay late on a Friday to bump library versions...
|
# ? Dec 10, 2021 22:35 |
|
Hippie Hedgehog posted:I guess there's no shortage of code that will log a string the user has submitted.
|
# ? Dec 10, 2021 22:44 |
|
"Relieved" to see that the various web applications we have that need to be rewritten because they're too old to upgrade are also too old to have the vulnerability. Never mind about whatever other vulnerabilities that suggests!
|
# ? Dec 10, 2021 22:48 |
|
CPColin posted:"Relieved" to see that the various web applications we have that need to be rewritten because they're too old to upgrade are also too old to have the vulnerability. Never mind about whatever other vulnerabilities that suggests! Yeah, at my workplace, they officially consider "any version below 2.15.0" to be vulnerable. This particular jndi/ldap exploit I think only applies above .. .2.0.9-beta2? Or something. But apparently there are numerous other unpatched vulnerabilities in log4j 1.X, so...
|
# ? Dec 11, 2021 22:58 |
|
Hippie Hedgehog posted:Yeah, at my workplace, they officially consider "any version below 2.15.0" to be vulnerable. This particular jndi/ldap exploit I think only applies above .. .2.0.9-beta2? Or something. But apparently there are numerous other unpatched vulnerabilities in log4j 1.X, so... Oh, like what? We may need to upgrade at some point then. Of course I’m sure our struts version is terribly vulnerable as well, they are so afraid of change they’ll never update.
|
# ? Dec 11, 2021 23:10 |
|
Hippie Hedgehog posted:Yeah, at my workplace, they officially consider "any version below 2.15.0" to be vulnerable. This particular jndi/ldap exploit I think only applies above .. .2.0.9-beta2? Or something. But apparently there are numerous other unpatched vulnerabilities in log4j 1.X, so... The JNDI part was introduced in 2.0-beta9 (https://issues.apache.org/jira/browse/LOG4J2-313), so pretty much every 2.x version is vulnerable. 1.x is not vulnerable according to https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126, at least not in the same way, but see the discussion at https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301. Regarding other vulnerabilities in 1.x, I'm only aware of these two https://snyk.io/vuln/maven%3Alog4j%3Alog4j.
|
# ? Dec 12, 2021 00:14 |
|
Esran posted:If you don't disable the feature, log4j allows log statements like logger.info("some text") to contain placeholders which log4j will interpret. One of the placeholders allows you to invoke JNDI, which means you can get the logging system to try loading code from remote servers. code:
code:
|
# ? Dec 13, 2021 16:44 |
|
This seems like a colossal gently caress up by somebody. We have a bunch of legacy java web apps and I'm really really glad I moved out of that group.
|
# ? Dec 13, 2021 17:44 |
|
It's probably a good thing I don't work in Security because every time one of these vulnerabilities comes to light I'm always like "so what?"
|
# ? Dec 13, 2021 17:48 |
|
ExcessBLarg! posted:That isn't exactly the problem. Like, this is always bad: That's true, but I don't think that's a very important distinction. As I understand it, only one component in Log4j (PatternAppender) even supports using lookups inside code:
code:
Even if the format-string form didn't do property interpretation, it is still a gaping security hole in practice if a developer doing code:
code:
code:
I think from discussion on the mailing list, they are coming to the (IMO right) decision that allowing interpolation in logger input strings is too risky and does not provide much value, so they're removing that feature. Placeholders will only work in formats you specify in the logging config, which is much harder for an attacker to replace. Esran fucked around with this message at 20:00 on Dec 13, 2021 |
# ? Dec 13, 2021 19:57 |
|
I haven't touched Java since 1.6 (2012-ish?) and need to relearn it for my job, I have prior dev experience but need a recommendation for a book, I would prefer one that has exercises at the end of chapters to work through. Does anyone have a plug for one they like? I usually do no-starch but theirs doesn't seem super great for what I'm trying to do since its just walking you through projects.
|
# ? Dec 13, 2021 20:31 |
|
Esran posted:I think from discussion on the mailing list, they are coming to the (IMO right) decision that allowing interpolation in logger input strings is too risky and does not provide much value, so they're removing that feature. Placeholders will only work in formats you specify in the logging config, which is much harder for an attacker to replace. yeah this is my interpretation too, it should have been fine to allow runtime-configured convenience features (although loading arbitrary class loading is a step too far imo) via the config files but they’re actually scanning the string for those tokens after the log input string is generated, which obviously opens up logging injection attacks. Even from a performance sense, you really want to follow the model where the logger is built once at startup and allowing runtime log strings to load additional things after logger initialization is kind of baffling and potentially opens up resource leaks/etc.
|
# ? Dec 13, 2021 20:42 |
|
Yes, agreed about loading arbitrary classes. The problem is that JNDI is a really powerful tool with an innocent-looking interface. The code in log4j2 basically just looks like this: code:
|
# ? Dec 13, 2021 21:43 |
|
Esran posted:That's true, but I don't think that's a very important distinction. As I understand it, only one component in Log4j (PatternAppender) even supports using lookups inside
|
# ? Dec 13, 2021 22:49 |
|
I think it came as a surprise to everyone (including some of the log4j devs lol ) that there would even be a security reason to use the interpolation form, since I don't think many people were aware that you could do placeholders in log messages in the first place.
|
# ? Dec 14, 2021 00:06 |
|
https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/ log4j2 electric boogaloo: i warned u about jndi bro! also guess what’s apparently a giant Java legacy monolith? SMS backend systems, lol. Makes sense, SIM cards are all Javacard - and the easiest way to interop with that is probably more Java. It all runs Java! https://mobile.twitter.com/infosecatom/status/1469774771634249740?s=21 Paul MaudDib fucked around with this message at 10:49 on Dec 15, 2021 |
# ? Dec 15, 2021 10:17 |
|
Thought I was being overly cautious when I wrote "upgrade to 2.15.0 (or higher, if available)" in my recommendations, but I guess not, lol.
|
# ? Dec 15, 2021 13:28 |
|
Is there a notional problem with serving an api of {serviceName, apiVersion, gitCommitShortHash, gitCommitTime}? serviceName and apiVersion are practically public info. gitCommit tells you when it was built and what the short hash was. Like, I dunno if I'd make the commit info public willingly, but it's kinda important internally for tracking builds/changes. Short commit does give you a unique handle into some git tree presumably, but there's also likely many strings that could uniquely identify your code...
|
# ? Dec 16, 2021 09:33 |
|
oh gently caress, how many android things use log4j2? AT&T just cut off both my parents Samsung J7s. Can't talk to the network anymore, cut off, "please call us we're giving you a free S9!", my iphone on the plan is fine. I wonder if that was a log4j thing. What if Android can be pwned by SMS or some other basic vuln? 7 billion devices run java. (tm) Especially a lot of Javacard infra and baseband infra, apparently. Paul MaudDib fucked around with this message at 14:08 on Dec 16, 2021 |
# ? Dec 16, 2021 14:02 |
|
Paul MaudDib posted:Is there a notional problem with serving an api of {serviceName, apiVersion, gitCommitShortHash, gitCommitTime}? A git short hash might as well be a random identifier. It is not enough to do anything with outside of identify the version. If they could use that git sha it means they have your repo and exposing that sha doesn’t matter at that point.
|
# ? Dec 16, 2021 14:29 |
|
necrotic posted:A git short hash might as well be a random identifier. It is not enough to do anything with outside of identify the version. If they could use that git sha it means they have your repo and exposing that sha doesn’t matter at that point. the idea I don't like is giving a publicly servable hash that could be used to trivially aim and target the git repo on the network. Yes, if they can find it, they could target other strings, and it's not supposed to be available at all, but a commit hash (short or full) is more or less an arrow back to git and potentially any credentials that are stored there/etc. yes, if they have the hash and access they win, but, at least it's not literally "scan for hash files in .git with this substring".
|
# ? Dec 16, 2021 14:40 |
|
Paul MaudDib posted:the idea I don't like is giving a publicly servable hash that could be used to trivially aim and target the git repo on the network. Yes, if they can find it, they could target other strings, and it's not supposed to be available at all, but a commit hash (short or full) is more or less an arrow back to git and potentially any credentials that are stored there/etc. If they have your git repo they will find what they want in it, regardless of having the short hash exposed in some public identifier or not. Also, don’t store credentials in the repo. They should exist outside the repo so if the repo is popped they don’t get credentials.
|
# ? Dec 16, 2021 14:49 |
|
Paul MaudDib posted:oh gently caress, how many android things use log4j2? Yes everything runs Java, but not everything runs Log4j2, fortunately. I bet the J7s do, just like you guess. I wouldn't want them on my network, either.
|
# ? Dec 16, 2021 15:13 |
|
I'm relatively new to JAVA so I hope this isn't too silly of a question but I'm having an issue with my project that I feel like is simple but my google searches haven't helped. I'm using Spring Tool Suite and I'm making a review website where things can be rated 0-5 stars. This is stored in my model attribute for the review as the Rating property, that is 0 - 5. I'm trying to create a for loop in my jsp that takes the value of that model attribute (0 - 5) and loops that many times, each time populating a Star on the html. I have the star from fontawesome, my model attribute works fine and the data is passing fine, but I don't know how to make the loop... create html on the jsp. Am I overthinking this and is there a simple way to do this? I'm not very familiar with JSP's and i'm kinda flying the seat of my pants on this one.
|
# ? Dec 19, 2021 01:30 |
|
|
# ? May 13, 2024 04:30 |
|
I'm pretty new as well, but I'd use thymeleaf, pretty simple to add the dependency in spring and it makes it very easy to do exactly what you're wanting to do with the th:each tag. https://www.baeldung.com/thymeleaf-iteration
|
# ? Jan 5, 2022 01:10 |