The Phoenix Framework vulnerability scanner - Source

Updates include minor bug fixes, and checks for some types of command injection.

https://hex.pm/packages/retort/2.0.0

Changelog

https://github.com/C-S-D/retort/compare/v1.3.2…v2.0.0

Enhancements

• Document Retort.Resources
• Update to alembic 3.3.0
  • Drop the need for changeset_render by using JaSerializer.Formatter.Utils.format_key directly to make it the same as calcinator.
• Update to calcinator 3.0.0
  • Retort.Response.Error.to_calcinator_error(Retort.Response.t, Ecto.Changeset.t) will convert Retort.Response.t data Alembic.Document.t errors to a Calcinator error. If the Alembic.Error.t format is unrecognized, it is assumed to be convertable to Ecto.Changeset.t errors using Retort.Response.Error.Ecto.Changeset.add_alembic_errors(changeset, errors)

Bug Fixes

• A missed rename left the application name used for Application.get_env as the original :interpreter_server_rpc instead of :retort in Retort.Resources.timeout/2.
• Fix (Map -> map) typo in Retort.Client.Generic.start_link options.
• Retort.Resources.client_start_link should not have been 0-arity, but 1-arity, so it can take in the client_start_link_options as an argument instead of depending on lookup by module to retrieve some hidden state.
• Retort.Meta.valid!/2 checked if the Ecto.Repo was sandboxed with Application.get_env(:retort, Retort.Repo), which is a faithful translation of the original in :interpreter_server_rpc, but has the problem that it only works in retort itself. To allow the repo to be check to be configured, Retort.Meta.valid!/2 now takes an :ecto_repo_module option, which is check if its sandboxed if any of the :ecto_schema_modules are database-backed (have a non-blank __schema__(:source)).
• Retort.Server.Generic.Resources.handle_method/2 converts {:error, :sandbox_token_missing} into RPC response errors instead of a CaseClauseError exception.

Incompatible Changes

• Retort.Resources.client_start_link callback changes arity from 0 to 1 and now should take in options instead of calling Retort.Resources.client_start_link_options/0.
• Retort.Client.Generic.start_link calls where the ecto_schema_module_by_type ecto_schema_modules are database-backed will now require :ecto_repo_module to check if the Ecto.Repo.t is sandboxed.
• Require alembic ~> 3.3
  • changeset_render is no longer needed for Retort.Server.Generic.Resources, so Retort.Server.Generic.Resources.t has been removed and a Calcinator.t should be used as the state instead.
• Require to calcinator ~> 3.0
  • Retort.Response.Error.Ecto.Changeset.add_alembic_errors(changeset, [Alembic.Error.t]) will convert the Alembic.Error.ts to validation errors added to the changeset. It’s a way to reverse the conversion done by Alembic.Document.from_ecto_changeset in alembic 3.3.0.
  • Retort.Response.Error.to_calcinator_error(Retort.Response.t, Ecto.Changeset.t) will convert Retort.Response.t data Alembic.Document.t errors to a Calcinator error. If the Alembic.Error.t format is unrecognized, it is assumed to be convertable to Ecto.Changeset.t errors using Retort.Response.Error.Ecto.Changeset.add_alembic_errors(changeset, errors)
  • Retort.Server.Generic.Resoruces.handle_method/2 is simplified using put_rendered_or_error/2, so that the large, duplicate cases are eliminated and error handling remains consistent across actions. For error, put_calcinator_error is called.
  • use Retort.Resources generates delete(changeset, query_options) to match the updated Calcinator.Resources.delete/2.
  • Retort.Resources.client_start_link_options now takes (module, query_options), so that if :meta exists in query_options and “beam” is set, then the pre-existing “beam” will be reused.
  • All action callbacks in Retort.Resources catch {:exit, {:timeout, _}} from the Retort.Client.Generic calls, log them, and then return {:error, :timeout}, so that Calcinator.Controller can turn it into a 504 Gateway Timeout instead of crashing the calling process.
  • All action callbacks in Retort.Resources can transform {:error, %Retort.Response.Error{}} to Calcinator errors using Retort.Client.Generic.error_to_calcinator_error.
  • meta in query_options is put back into the mergable params passed to Retort.Client.Generic calls in Retort.Resources

In this second part of my “GraphQL Authentication” series, I dive into the front-end and wire up a simple authentication system using React and Apollo client.

https://www.dailydrip.com/topics/elixir/drips/phoenix-and-the-frontend

https://hex.pm/packages/calcinator/3.0.0

Bug fixes for error handling and testing support led to incompatible changes in behaviours, but use generated code is updated as well, so no changes if you only use Calcinator.Resources.Ecto.Repo.

Enhancements

• Can now return (and is preferred to return instead of a timeout exit) {:error, :timeout} from all Calcinator.Resources action @callbacks.
• When structs are deleted directly instead of changesets, there’s no way to add constraints, such as no_assoc_constraint or assoc_constraint that would transform DB errors into validation errors, so Calcinator.delete/3 generate a changeset from Calcinator.Resources.changeset(struct, %{})
• Make the Alembic.Document.t and Alembic.Error.t that Calcinator.Controller.Error uses internally available in Calcinator.Alembic.Document and Calcinator.Alembic.Error, respectively, so they can be reused in overrides and retort.
• Pass :meta through Calcinator.Retort.query_options, which allows pass through of meta like from Calcinator.Meta.Beam, which is necessary for indirect callbacks through RPC calls for retort.
• Move Calcinator.Meta.Beam key to module attribute to prevent typos.
• Calcinator.Meta.beam.put_new_lazy allows beam information to only be set in meta if its not already there to allow for loops between Calcinator servers.

Bug Fixes

• The Calcinator actions @spec and @doc include (hopefully) all the errors they can return now
  • {:error, :sandbox_access_disallowed}
  • {:error, :sandbox_token_missing}
  • {:error, :timeout}
• Ensure Calcinator.Controller actions have case clauses for all the declared return types from Calcinator calls.
• get_related_resources could not handle has_many related resources, specifically
  • Calcinator.JaSerializer.PhoenixView.get_related_resource/3 would not allow data to be a list.
  • Calcinator.RelatedView.render with data assumes the data was singular and “links” could be added to that “data” map.
  • Calcinator.authorized did not allow the unfiltered data to be list.
• Fix source assigns for get_related_resource example: example still used pre-open-sourcing association and id_key.
• Fix show_relationship example that was just wrong. The same assigns as get_related_resource should be used. Since at first I couldn’t figure out why showing a relationship would need a view module and I wrote the code, I added a note explaining its for the view_module.type/0 callback since relationships are resource identifiers with id and type.
• Calcinator.RelationshipView.data/1 assumed that [:related][:resource] was nil or a map, which didn’t handle the list for has_many relationships.

Incompatible Changes

• Calcinator.Resources.allow_sandbox_access/1 must now return :ok | {:error, :sandbox_access_disallowed}. The previous {:already, :allowed | :owner} maps to :ok while :not_found maps to {:error, :sandbox_access_disallowed}.
• If you previously had total coverage for all return types from Calcinator actions, they now also return {:error, :sandbox_access_disallowed} and {:error, :timeout}. Previously, instead of {:error, :sandbox_access_disallowed}, :not_found may been returned, but that was a bug that leaked an implementation detail from how DBConnection.Ownership works, so it was removed.
• Calcinator.delete deletes a changeset instead of a resource struct
  • Calcinator.Resources.delete/1 must expect an Ecto.Changeset.tinstead of a resource struct
  • use Calcinator.Resources.Ecto.Repo generates delete/1 that expects an Ecto.Changeset.t and calls Calcinator.Resources.Ecto.Repo.delete/2, which now expects a changeset instead of resource struct as the second argument.
• :meta is now a required key in Calcinator.Resources.query_options.
• Calcinator.Resources.delete/2 must now accept both the Ecto.Changeset.t with any constraints and the Calcinator.Resources.query_options, so that the new meta key can be used to continue propagating the Calcinator.Meta.Beam from the original caller in a chain of calls.

Install: https://hex.pm/packages/calcinator/3.0.0

Version 0.1.3 of WebSockex was just released!

The ChangeLog for this release includes:

• WebSockex.start_link will no longer cause the calling process to exit on connection failure and will return a proper error tuple instead.
• Change WebSockex.Conn.RequestError to WebSockex.RequestError.
• Add handle_connect_failure to be invoked after initiating a connection fails. Fixes #5

Checkout the v0.1.2..v0.1.3 diff for more info.

Hi there!

I just published Veritaserum, a simple sentiment analisys library for Elixir.

It’s based on the AFINN-165 word list, and it also supports:

• emojis (❤️, 😱…)
• boosters (very, really…)
• negators (don’t, not…)

You can check the repo on github.

New blog post on metaprogramming without writing macros, just using quote and unquote, and functions from Code and Macro.

Announcing the release of Commanded v0.10 with support for using Greg Young’s Event Store.

Commanded is an open-source library you can use to build Elixir applications following the Command Query Responsibility Segregation and event sourcing (CQRS/ES) pattern.

This article describes how an Elixir behaviour and adapter approach was used to support multiple event stores.

I released a new version of my GPIO_RPI library today. It started as a fork of elixir_ale, but focuses on the Raspberry Pi only.

This new version allows setting pullup register on initialisation of a pin, allows changing of the input/output direction and mode.

New Elixir library supports the collection and publication of GenServer and GenStage runtime metrics. Metrics data are generated by an introspection agent. No instrumentation is required within the GenServer or GenStage library or within your application source code.

Built-in support for pushing metrics data to statsd agents and Datadog too.

Find out more on the GitHub repo, read the HexDocs, or sit back and enjoy a GitPitch presentation.

The difference between data modeling and database modeling: https://blog.digitalnatives.hu/take-ownership-of-your-data-part-1/

Security-focused static analysis for the Phoenix Framework: Github.

Sobelow automatically detects some types of the following security issues:

• Insecure configuration
• Cross-Site Scripting
• SQL injection
• Directory traversal
• Unsafe serialization

Changelog

v3.3.0

Enhancements

• #44 - @KronicDeth
  • Alembic.Document.from_ecto_changeset/2 converts the errors in ecto_changeset to Alembic.Error.t in a single Alembic.Document.t. Bypasses a bug in JaSerializer where it assumes all fields that don’t end in _id are attribute names, which leads to association names (as opposed to their foreign key) being put under /data/attributes. Alembic.Document.from_ecto_changeset reflects on the Ecto.Changeset.t data struct module to get the __schema__/1 information from the Ecto.Schema.t. It also assumes that if the field maps to no known attribute, association or foreign key, then the error should not have an Alembic.Source.t instead of defaulting to /data/attributes.
  • Update circle.yml
    • Erlang 19.3
    • Elixir 1.4.1

Bug Fixes

• #43 - @KronicDeth
  • Allow Alembic.Error.t source to be nil
  • Lower minimum coverage because coverage number varies from run to run.

Changelog

Bug Fixes

• Allow Alembic.Error.t source to be nil

– https://hex.pm/packages/alembic/3.2.1

A basic tutorial to setup ExVCR and how to filter sensitive data in the tests

https://dev.mikamai.com/2017/05/16/testing-http-in-elixir-with-exvcr/

Just released Zuck, a Facebook API client for Elixir. Messenger and other cool features coming soon! https://github.com/boudra/zuck

Matryoshka, an image transformation reverse proxy written in elixir. Still in development, feel free to send PR’s :)

https://github.com/pilu/matryoshka

A build utility that allows you to to use mix packages in an elixir script. https://github.com/minhajuddin/mix_script

Elixir With Love is a proactive conference about introducing developers to this exciting new language and building a diverse Elixir community.

http://www.elixir-with-love.com/