0:00:25
hey ho hey hello what's going on welcome
0:00:29
back to another session of buildbreaking
0:00:32
brought to you by if you said the
0:00:34
recorders you were right you just owned
0:00:37
yourself a clap ping
0:00:44
first thing is first
0:00:45
let's do the acknowledgement to our
0:00:47
country and pay our respects to the
0:00:50
elders of the past present and future so
0:00:57
i begin today by acknowledging the
0:00:59
traditional custodians of the land on
0:01:01
which we gather today and pay my
0:01:03
respects to the elders past present and
0:01:06
future i extend their respect to
0:01:08
aboriginal and torres strait islander
0:01:13
all right that was smoothly done
0:01:17
i'm pretty sure you guys are wondering
0:01:19
where is the the raw coder who is tory
0:01:23
um he was having technical problems with
0:01:31
the idea was to basically restart and
0:01:41
99 of the time works brilliantly so
0:01:46
if that works this time as well
0:01:55
so today what we're gonna be doing is um
0:02:06
jira to track everything so let's go
0:02:11
didn't want it to open in the same
0:02:14
otherwise i would be gone
0:02:17
so i would share my screen and
0:02:21
we can take it from there but first
0:02:23
let's play some tunes
0:02:27
right i'll play probably dance
0:02:40
all right let's share the screen
0:02:54
let's go into jira and see what we have
0:03:11
no that's the wrong one
0:03:17
am i forgetting it
0:03:28
you'll be here anytime soon
0:03:34
so we can basically
0:03:37
i think a little websocket connection
0:03:40
until the end um let's move on to the
0:04:06
new nose created by concurrent users are
0:04:11
right yeah we can probably jump on this
0:04:13
one because this would be a critical one
0:04:16
in order to be released reproduce
0:04:22
that is fine so we will jump on that
0:04:30
just so that he's in the loop too
0:04:33
all right new notes
0:04:35
created by concurrent users are not
0:04:39
so what we would probably do is um
0:04:49
hey conrad 64 welcome
0:04:52
good to have you as
0:05:02
actually i've just heard her entering
0:05:05
noise so well oh here you go tori is
0:05:16
wow it's just it's just you and me zayn
0:05:24
well first of all it makes me the last t
0:05:27
yeah i was gonna say that and then
0:05:32
the last t yeah yeah
0:05:34
it actually makes a lot of sense to be
0:05:41
sorry you're frozen
0:05:57
you probably want to jump off and come
0:06:01
sorry internet oh here we go
0:06:07
even though it's you and me i still
0:06:09
don't have the login for stream yard
0:06:15
good pig would pick that would be
0:06:19
then being a bad boy i still haven't
0:06:24
what's going on you did a long time ago
0:06:27
by zayn's old age coming into play oh no
0:06:30
no before it was you and finesse because
0:06:34
i think we only get two
0:06:38
now i'm not happy anymore
0:06:40
i'll actually first thing is first i'll
0:06:44
send it to you now he can't
0:06:52
i'll bother i'll bother you
0:06:54
about it like tomorrow or something
0:06:57
i know you're gonna
0:06:59
you're gonna spam me i know that sure
0:07:02
sure i can do that
0:07:07
okay you might not be in this spot but i
0:07:11
will get to the bottom of that one and
0:07:13
send it to you yeah i'll be up to the
0:07:21
no i'll do it after the stream uh i
0:07:23
don't want to take and stream time
0:07:26
yeah all right so lastly standing
0:07:32
i'm gonna actually call you now the last
0:07:38
yeah so what i was thinking that
0:07:42
the i don't really want to test
0:07:49
as in putting it on line because um
0:07:53
what happened the last time
0:07:55
what happened again
0:07:57
so what i'm gonna basically do is jump
0:08:05
it will happen again
0:08:09
so yeah what i'm thinking there
0:08:16
choose another error there doesn't
0:08:19
require us putting it online
0:08:26
fix the errors that are not for life
0:08:31
if we don't need to
0:08:34
fix them only when going live
0:08:38
let's fix those errors first
0:08:41
how does that sound
0:08:49
all right cool so i'm gonna share my
0:08:56
let's see what do we have here
0:09:04
looking at this one
0:09:10
created by concurrent users are not
0:09:14
i guess this would
0:09:25
would we need to put this on
0:09:28
line then test this functionality again
0:09:32
i think so isn't it
0:09:38
are you there tori
0:09:44
just i was i'm sorry i was distracted
0:09:49
when multiple users enter into a new
0:09:51
board now notes admin should be able to
0:09:52
save all the notes on forward
0:09:55
for multiple users
0:10:03
i think um as long as this to do with
0:10:08
func we might be able to
0:10:11
test this one without putting the app on
0:10:16
i'm just going to check it if we can
0:10:19
what do you mean when you put the app
0:10:21
online you mean like
0:10:31
oh so api gateway is still up
0:10:35
yeah it must be up because all we did
0:10:38
disable the static hosting from
0:10:50
api gateway needs to
0:10:53
be up unless there's a way to emulate it
0:11:01
then all they uh then even if we're
0:11:04
using a local development server
0:11:10
we can still get attacked
0:11:14
why don't you just put online under
0:11:18
so you have a test website that then
0:11:23
you don't have to bring it down okay so
0:11:25
in um so i think corn
0:11:28
we probably have to tell convoy 64 the
0:11:40
it all started like
0:11:42
maybe last week or two weeks ago when
0:11:48
working on some part of the
0:11:52
client i can't remember and then
0:11:55
all of a sudden there was a massive
0:11:57
eruption of farting sounds
0:12:00
and that's when we discovered there's a
0:12:02
vulnerability in the app because we were
0:12:08
the back end of the websockets
0:12:11
or any of or any of the back end and so
0:12:17
some some bad actor who
0:12:20
uh watches the show regularly was
0:12:26
and then playing those fart noises
0:12:32
on all of our browsers
0:12:35
while we were live streaming
0:12:38
you know what's funny
0:12:39
to zayn is even paul text me today and
0:12:43
he's like i heard you fart a lot
0:12:52
i do have i do have
0:12:55
a medical condition
0:13:04
okay i'm gonna start putting the
0:13:06
branches according to
0:13:14
other things as well so this one could
0:13:33
actually don't worry about that
0:13:53
and let me open this one now
0:13:59
so um what do you what do you want to do
0:14:04
what i'm trying to do is test it
0:14:07
without putting in on the s3 bucket we
0:14:18
this thing if it is then work on this
0:14:25
yeah khanvar there is more than just the
0:14:27
websocket vulnerability that is correct
0:14:37
yeah but you know it wouldn't it
0:14:38
wouldn't be fun if there weren't some
0:14:46
be careful though there may be a
0:14:51
are you planning for one yeah we're
0:14:53
gonna put a honey pot and then we're
0:14:54
gonna take control of their computers oh
0:15:18
to run local server
0:15:28
uh i actually don't know because i think
0:15:30
i run it a different way
0:15:35
well i have i i use the debugger which
0:15:43
do you have the extension
0:15:48
well there is yeah there is an extension
0:15:50
too you can just click
0:15:54
i can't believe i forgot this honestly
0:15:57
oh it's a python command
0:16:02
node local web server http server web
0:16:08
was it in the package.json
0:16:13
it's a really simple command that i'm
0:16:18
maybe it's in your terminal just try up
0:16:29
it's been a while now good use locations
0:16:33
uh grab what is it grab command
0:16:36
to look through your history
0:16:40
i forget how to do it now
0:16:58
okay there you got the answer so just
0:17:02
and then whatever huh
0:17:06
yeah i think even local it should find
0:17:11
that's interesting
0:17:16
it's still loading it shouldn't take
0:17:23
oh he says you do need to pipe history
0:17:28
i thought that was like
0:17:51
oh no no no the character pipe is in
0:18:06
yeah yes i was right it's a local server
0:18:11
why don't you say that to the
0:18:13
package.json that way you don't ever
0:18:15
have to remember it
0:18:18
um how do we do that
0:18:21
uh you can put it in you can put the
0:18:23
command in package.json
0:18:34
okay i don't know how to do that now
0:18:38
there are no scripts
0:18:46
why are there two package.json because
0:18:49
one is in this cdl
0:18:53
folder and the other one is the main one
0:18:57
what does the main one do
0:19:04
it just works so i'm not touching it
0:19:08
oh that looks like it's the back end
0:19:10
async compression express
0:19:22
directories lib engines node yeah that
0:19:24
looks like the back end
0:19:26
it is the background running node
0:19:30
express and that's the
0:19:32
dependency dot env
0:19:36
well i'm going to focus on just this one
0:19:39
and why does it not want to work
0:20:04
today we're learning
0:20:36
okay here we go that is done and now
0:20:38
open this bad boy up
0:20:47
it just say that it did add it
0:20:51
let me put one fold up and then do it
0:20:58
this way this is the come on
0:21:06
change free packages
0:21:17
let me know when you get it
0:21:24
i thought you said something simple
0:21:30
guess what my friend this is so for tech
0:21:33
mode anything can happen
0:21:37
hello welcome to the tech mode
0:21:41
i've probably seen you enter the command
0:21:43
like plenty of times and i have i do not
0:21:48
it's saying that come on is not even
0:22:08
is that the package is it a it's a
0:22:14
so it's an npm module
0:22:20
local local server local web server
0:22:36
local server didn't really give me any
0:23:00
converts suggesting you look in your in
0:23:02
your node modules
0:23:05
and see if it's there
0:23:08
or he's suggesting to use that to run it
0:23:12
yeah i'm pretty sure he won't be there
0:23:14
because it's not finding it
0:23:18
it's not in the node modules
0:23:29
is it is it this package thing
0:23:32
i'm gonna send you a link
0:23:36
is it this package
0:23:39
give me for a sec i'm on the sky
0:23:48
which one will you say
0:24:03
or is it or is it this one because
0:24:05
there's yeah it is
0:24:09
sure it's not very popular
0:24:13
using it all this time
0:24:17
i'll try what convoy i said
0:24:20
as in in the bin folder ah okay
0:24:27
hidden directory apparently
0:24:31
was was that the case
0:24:33
no interesting i don't even have a bin
0:24:42
what happened to my
0:24:47
is it the workspace settings did you
0:24:49
hide the node modules
0:24:51
no i didn't go to vs code the click vs
0:25:02
you don't you have nothing in vs no no
0:25:04
no sorry the folder vs code under
0:25:06
scrumbler enhancement oh
0:25:14
next to github below github
0:25:17
uh no not that one
0:25:25
uh oh your node modules are down below
0:25:31
below left i know but
0:25:38
yes which is this one here
0:25:42
goodness there's nothing in there
0:25:45
oh there is these two as in dot env and
0:25:50
but that's not the one we're after
0:25:54
this is really interesting to be honest
0:25:59
it's been uh he's saying ls yeah like
0:26:03
use the command to show your
0:26:14
that's only packaged
0:26:17
got locked that's it
0:26:21
wow i wasn't expecting hang on a minute
0:26:29
ah so is in the wrong one
0:26:34
if you go to client and one folder up it
0:26:37
would be here we're going to node
0:27:00
it's not there apparently
0:27:02
okay well i'm gonna basically do is try
0:27:06
install it again maybe something
0:27:10
might have happened
0:27:34
interesting still not coming up
0:27:46
this is getting interesting
0:27:56
we need we need to get the client up man
0:28:04
uh well there there's an extension zane
0:28:07
you can just use live server and just
0:28:09
forget about all this
0:28:15
like it's a it's a um extension a vs
0:28:18
code extension live server
0:28:21
is that what it's called live server and
0:28:24
then you don't have to worry about the
0:28:25
commands anymore just
0:28:30
yeah this one yeah i think so
0:28:36
yeah that's it yeah 21 million
0:28:41
let's install that it'll give you a
0:28:43
little play button in the
0:28:46
um looks like you need to reload maybe
0:28:52
you're good oh you don't need to okay
0:28:54
cool and then on the bottom you see
0:28:57
where it says go live
0:29:03
yeah you just click that and it should
0:29:07
i think it will probably start the
0:29:10
without any configuration
0:29:20
okay it's it's dependent without without
0:29:23
configuration it just tries to start
0:29:28
current directory you are in
0:29:32
like well current folder i should say
0:29:36
yeah current directory so if you open vs
0:29:39
code inside of the client folder it
0:29:50
but you can configure it too
0:29:59
i think so which may not work
0:30:12
click to close the server
0:30:22
however if i do now
0:30:38
yeah of course because it's the
0:30:45
and it's not wanting to go there
0:31:16
i'm pretty sure he was this quran but
0:31:19
but you're not finding it
0:31:40
oh that's looking promising now
0:32:16
what would it do then
0:32:21
should install it to the package.json
0:32:26
has apparently done it added free
0:32:35
server oh come on dude
0:32:40
just just use the just use the extension
0:32:45
yeah but that's not working for us
0:32:49
okay then just quick and dirty wait for
0:32:52
now for tonight is just without
0:32:54
configuration just open up the client
0:32:57
folder in vs code and then just click go
0:32:59
live and it should launch it
0:33:03
like i think you actually have to open
0:33:06
the client folder with vs code
0:33:09
like not in the terminal
0:33:11
and wait a minute um
0:33:26
um so that there is index.html
0:33:35
let's try it that way
0:33:39
yeah you can do cd client and then hit
0:33:51
okay now we are here
0:33:55
oh it might be because of the applying
0:33:57
the latest updates
0:34:01
hang on i'm gonna try and do that
0:34:04
and see what it does
0:34:27
it was the update thing
0:34:30
okay that was stopping it
0:34:43
left it's an empty
0:34:46
one we can reproduce the issue and be on
0:34:49
the way to fixing it as well
0:35:02
okay cool just one board and
0:35:07
t1 right so if i get to one
0:35:11
one two three four
0:35:16
just to think about like it in in like a
0:35:20
retrospective like it's good if we
0:35:23
add any commands we need to the
0:35:26
package.json file under like the scripts
0:35:29
and that way they're always available
0:35:31
like we we can never forget them
0:35:38
true yeah that'll be a really good
0:35:42
then we can just npm start it launches
0:35:49
the client and that that way it just
0:35:52
just never happens
0:35:55
absolutely i think that would be the way
0:36:05
i actually realized we can't even test
0:36:14
are you needing multiple users
0:36:17
yeah we need concurrent users
0:36:23
only happens when there's concurrent
0:36:28
so what i'm going to basically do is
0:36:35
enable this setting called simple rule
0:36:39
we it but you i mean you can be your own
0:36:42
concurrent user you can just
0:36:49
window like another tab and
0:36:56
i don't think that would work because i
0:36:58
already tried it once before as in just
0:37:06
it didn't work who's who's tick who who
0:37:09
made that ticket who made that issue
0:37:15
and where did he get it from
0:37:18
apparently he was testing it
0:37:20
huh as in he must have observed it
0:37:26
when we are doing it on the show
0:37:28
and then because i'm i asked
0:37:33
log all the issues that we're
0:37:35
experiencing into jira
0:37:38
so he might have done that
0:37:41
where's my phone hang on i need to get
0:37:43
my phone for the mfa code is in there
0:37:49
you sure the nation's sending us on a
0:37:58
let me uh throw him off their game for
0:38:01
four weeks while i leave
0:38:05
that would be cruel
0:38:13
too maybe maybe that was his game man
0:38:16
maybe the whole time he's he's being so
0:38:22
and i'm sure you would never suspect him
0:38:25
i've watched a lot of movies it's
0:38:27
usually not the person you suspect
0:38:45
hang on hang on have you been hanging
0:38:46
around with your devil
0:38:49
no why are you sure
0:38:56
because you talking like him now i don't
0:39:07
and it's just two different users
0:39:13
maybe there is no tory
0:39:18
you're scaring me now who am i talking
0:39:24
that'd be funny though
0:39:32
that's all positives made positives
0:39:36
because this project is almost there we
0:39:38
just need a little bit more of a push
0:39:42
yeah i was just thinking thinking about
0:39:44
that bug i was just wondering if it
0:39:49
with concurrent users or if it just
0:39:51
happens to be the other issue which is
0:39:56
race condition issue or whatever in
0:40:03
yeah you might be right it could be
0:40:08
we would probably have to
0:40:12
and see what's actually
0:40:35
okay so if i give you this url
0:40:42
or you put the server up
0:40:51
get the test on and then we can
0:40:55
okay yeah sure send it to me
0:41:03
what would you like me to do
0:41:08
create a card and um just
0:41:15
there's already script tags
0:41:21
this is already scripted
0:41:23
what's going on right now
0:41:25
i'm scared yeah you really did it you
0:41:27
deleted that that was me though i'm
0:41:29
creating that card
0:42:05
save successfully so let's go
0:42:10
in that one and check how many notes are
0:42:16
two notes are saved with your high zane
0:42:22
that's interesting
0:42:23
okay um so it did work
0:42:26
yes it's working apparently
0:42:32
create one now again
0:42:53
now i'm gonna save that
0:43:24
do it it will encourage the
0:43:27
others as well okay
0:44:13
no i mean when we were on the show and
0:44:20
yeah yeah that was pretty i don't know
0:44:23
if you were hearing everything i was
0:44:26
hearing but it was
0:44:30
i wasn't hearing it was like i thought
0:44:33
was you actually doing it reality and
0:44:36
i'm like um okay i wish i had that kind
0:44:45
create an other note and this time i'm
0:44:48
not going to touch you or not i'll just
0:45:01
no free new note call i'm just gonna
0:45:12
notes free new note
0:45:19
ah so that's the problem
0:45:30
bug you there tori
0:45:38
so see there is a bug because we can't
0:45:50
okay let me try one more time
0:45:57
who's sending script tags
0:46:19
actually i know how to check
0:46:21
we don't even need to test this
0:46:32
it doesn't work so if the admin who
0:46:35
actually creates the account
0:46:47
because like i'm i'm looking if you if
0:46:50
you open the console
0:46:55
the and then you type in note what is it
0:47:01
uh note map or something board notes map
0:47:07
this is like a variable
0:47:12
just like like you're going to enter
0:47:17
yeah it should auto complete for you
0:47:22
yeah and if you end and if you click
0:47:27
what do you have inside there what cars
0:47:38
or the note 4 is not there
0:47:43
so i think it's only go until
0:47:56
okay so i think what's happening then
0:48:07
someone sends a websocket i mean a mess
0:48:10
like a message with a new card
0:48:14
and you don't touch it
0:48:16
right if you touch it it gets added to
0:48:19
the map let's try that right
0:48:22
try touching a card and then just
0:48:24
opening up the new board notes map again
0:48:32
yeah so now it's there okay so
0:48:35
i think there's just it's just missing a
0:48:38
piece of functionality on the front end
0:48:40
it like when it gets a card
0:48:43
a new card on the front on the
0:48:47
when it receives a card from via the
0:48:50
then you should add
0:48:56
the notes map that like map
0:48:59
yeah that map yeah yeah that'll solve
0:49:04
yeah so i think that would be basically
0:49:06
the fix for this one
0:49:09
good catches smash
0:49:19
let's bring this one down
0:49:27
wait can i just play one last round i'm
0:49:30
just kidding no no
0:49:38
it is fun though but at the wrong time
0:49:42
to be honest it's just pretty cool to
0:49:49
and then like having a people like that
0:49:51
javascript is injected
0:49:54
like onto your web page it's pretty cool
0:49:57
yeah yeah for sure
0:50:00
uh okay so this one is there um we need
0:50:03
to create another error
0:50:10
the note if it's called any as in don't
0:50:20
you mean sanitize them
0:50:37
okay so this one will come right at the
0:50:43
hash being corbin okay so we can
0:50:46
basically focus on this one
0:50:49
and take it from there
0:50:52
so uh since since we have a few minutes
0:50:55
yeah i just i just sent you um the
0:50:59
in the chat a link to the other
0:51:05
and on github and there you can see how
0:51:11
the websocket in the back end
0:51:14
using they just use they're not using
0:51:17
dom purify they're using another package
0:51:20
which i think is actually which i think
0:51:23
is actually a little bit outdated
0:51:25
but i could be wrong about that but you
0:51:28
can see the implementation um
0:51:31
in in the code and it would be very
0:51:35
to what we would be doing
0:51:37
yeah yeah that makes sense though
0:51:40
made sure that nothing
0:51:44
code is at least easily
0:51:48
injected onto the page
0:51:51
yeah i'm gonna actually save it into
0:51:58
actually i'll just comment to here
0:52:02
it's funny to me too because um i'm so
0:52:05
used to working with the modern
0:52:08
like framework like react
0:52:10
um and so it must mean
0:52:13
and i could be wrong about this but it
0:52:15
must mean that jquery
0:52:18
has its own vulnerabilities
0:52:23
the code is not sanitized
0:52:28
jquery is actually creating the note and
0:52:31
putting the text on the note
0:52:39
yeah once it's added it's it's it's
0:52:44
um yeah he has javascript code because
0:52:47
it's just like injecting a script tag
0:52:53
so i'm used to like react um
0:52:58
handled for you mostly i don't i
0:53:01
yeah so i was surprised
0:53:04
by that actually i was like oh okay
0:53:07
then jquery just doesn't handle it for
0:53:12
yeah and that's pretty much
0:53:15
yeah the bottom line yes okay
0:53:22
looking to fix that part now base adding
0:53:25
the webs is not adding the on notes
0:53:28
through the websocket in the array eval
0:53:51
what was it called again
0:54:08
this is coming from here
0:54:10
and this is coming from notes
0:54:15
right and where is it
0:54:25
in the cards into scoot.js
0:54:31
any cards in this crypto
0:54:41
in it initial users
0:54:44
requested the board
0:54:53
whereby did you add the websocket
0:55:00
you mean receiving a message
0:55:05
i'm just connecting to the web socket
0:55:14
make sure that the notes we are
0:55:19
through the websockets they're actually
0:55:21
added to that array
0:55:24
so you mean like receiving a message
0:55:32
um i think that's on still front then
0:55:39
on message or something
0:55:44
toast message no on opening that it
0:55:46
would be on on messages
0:55:51
yeah this is the one received message
0:55:54
yeah and then it sends it to that get
0:55:56
data function which is that or get
0:55:59
message that get message function is
0:56:08
go to definition get message ah cases
0:56:13
doing a hair message
0:56:18
ah we've got any cards
0:56:28
yeah i like to come back to my
0:56:32
brain is half fried because of that
0:56:37
it's a websocket one so eval when the
0:56:40
text comes across the websocket is
0:56:42
definitely xss though
0:56:47
so the eval like um
0:56:52
is that something convar that's used in
0:56:55
jquery because i'm not that familiar
0:57:04
the example i put above is the one you
0:57:06
should be more concerned about
0:57:13
because you can persist anything you
0:57:15
want yeah yeah right if it's
0:57:17
if it's saved um to the back end
0:57:21
i think dynamo i don't know i don't know
0:57:24
what dynamodb does but i think it
0:57:29
when i was when i was saying to refuse i
0:57:31
made the board flash like a disco
0:57:41
yeah i didn't get that part um
0:57:47
yeah we're gonna change it
0:57:50
i think i think dynamo db
0:58:04
but we shouldn't rely on that anyways
0:58:23
we'll probably have to come back to the
0:58:26
new notes while web socket tomorrow
0:58:33
and see how we go hopefully we can get
0:58:36
the fix for that one
0:58:39
at the same day which is
0:58:41
tomorrow which which would be great
0:58:44
but if not then we will
0:58:47
keep keep continuing until it's fixed
0:58:50
that should be good
0:58:53
um do you want to do that honestly
0:59:03
like looked at a particular bug that we
0:59:15
not the admin but the or the person that
0:59:18
created the board the client that
0:59:19
created the board but a different client
0:59:23
they created a note
0:59:26
that note wasn't being saved
0:59:29
to this global map that we're using
0:59:32
inside of the client-side code
0:59:36
so when the admin saved the board that
0:59:42
to the dynamodb backend
0:59:45
so that was a bug and should be a pretty
0:59:53
we'll come back to it tomorrow so if you
0:59:56
want to see how we
0:59:58
fixed this bug hopefully
1:00:01
tomorrow which should be like tour
1:00:04
emphasizes it's a pretty simple fix
1:00:11
yeah join us tomorrow's same place
1:00:16
a different task or the same task
1:00:25
thanks for joining guys cheers