L1[17:11:27] ⇨ Joins: Neo (~neo@vps-9c69ad6a.vps.ovh.ca)
L2[17:11:37] *** Server sets mode: +ntz
L3[17:13:19] ⇨ Joins: Neo (~neo@vps-9c69ad6a.vps.ovh.ca)
L4[17:13:29] *** Server sets mode: +ntz
L5[17:13:39] <Michiyo> ffs
L6[17:37:48] <gruetzkopf> shall i throw a sql query against my quasselcores postgresql?
L7[17:41:23] <Forec​aster> Invert the polarity of the positron shield!
L8[17:47:08] <techt​astic> @walksanator also, make sure any input text is sanitized so there's no opening for an SQL Injection Attack
L9[17:48:45] <Forec​aster> That's no fun
L10[17:52:17] <techt​astic> this is meant to interact with a playerbase who is playing a programming magic mod and is meant to be a cross-world/server storage system for their stuff
L11[17:52:18] <techt​astic> there's bound to be a few apples bad enough and knowledgeable enough
L12[17:56:31] <walks​anator> >techtastic: <@596098777941540883> also, make sure any input text is sanitized so theres no…
L13[17:56:31] <walks​anator> I am using a library
L14[17:56:34] <walks​anator> I trust it to sanitize
L15[17:56:53] <walks​anator> hooked up a random iota generator
L16[17:57:01] <walks​anator> (and made a sanitizer for iotas)
L17[17:57:06] <walks​anator> https://imgur.com/qLH2erz.png
L18[17:58:02] <walks​anator> so now all that is left is to hook up the Flatbuffer transport
L19[17:58:13] <walks​anator> which I also revamped that since last time
L20[18:00:11] <walks​anator> here is my """well designed""" sanitizer
L21[18:00:11] <walks​anator> https://github.com/walksanatora/HexOvermindServer/blob/main/src/bin/main.rs#L81-L158
L22[18:00:25] <walks​anator> (all the sanitizer does is punt entity iotas
L23[18:00:36] <walks​anator> cross-server item transfer is not coming in this update
L24[18:00:39] <walks​anator> duh
L25[18:09:39] <techt​astic> >walksanator: I trust it to sanitize
L26[18:09:39] <techt​astic> never just trust it, verify
L27[18:12:35] <walks​anator> > In SQL, queries can be separated into prepared (parameterized) or unprepared (simple). Prepared queries have their query plan cached, use a binary mode of communication (lower bandwidth and faster decoding), and utilize parameters to avoid SQL injection. Unprepared queries are simple and intended only for use case where a prepared statement will not work, such as various database commands (e.g., PRAGMA or SET or BEGIN).
L28[18:12:38] <walks​anator> it protects
L29[18:12:59] <walks​anator> and after all if `6,131,690` downloads
L30[18:13:05] <walks​anator> it has to be decently secure
L31[18:14:30] <S​ky> >walksanator: cross-server item transfer is not coming in this update
L32[18:14:30] <S​ky> what do you mean I cant move items from my creative singleplayer world to my survival multiplayer server?
L33[18:14:37] <walks​anator> >Sky: what do you mean I cant move items from my creative singleplayer world to my s…
L34[18:14:38] <walks​anator> not yet
L35[18:14:43] <walks​anator> also it will be *very* expensive
L36[18:14:44] <walks​anator> and checked
L37[18:15:38] <walks​anator> like not only do you already have to build the multiblock (using some hard to make/expensive amethyst buds and slipways)
L38[18:15:59] <S​ky> ok lets say it costs like 10 nether stars per item stack
L39[18:16:00] <S​ky> i can go build a wicked efficient nether star farm, and then I can start moving lots of items from singleplayer to multiplayer?
L40[18:16:20] <walks​anator> I am considering something like `(nbt_size/16)*stack size`
L41[18:16:32] <walks​anator> >Sky: ok lets say it costs like 10 nether stars per item stack
L42[18:16:32] <walks​anator> i can go build a wick…
L43[18:16:33] <walks​anator> more items are less effective
L44[18:16:38] <walks​anator> after 1k it becomes 90%
L45[18:16:45] <walks​anator> and every other 0 reduces that by another 5%
L46[18:16:47] <S​ky> build a new item machine
L47[18:16:52] <walks​anator> so 10k 85%
L48[18:17:01] <walks​anator> >Sky: build a new item machine
L49[18:17:01] <walks​anator> correct you have to diversify
L50[18:17:03] <S​ky> and what is the % here? % of items moved?
L51[18:17:13] <walks​anator> >Sky: and what is the % here? % of items moved?
L52[18:17:13] <walks​anator> points cost
L53[18:17:19] <S​ky> how do you make points?
L54[18:17:21] <walks​anator> yet that's right I am making an EMC system
L55[18:17:29] <walks​anator> >Sky: how do you make points?
L56[18:17:29] <walks​anator> having items in your mote nexus
L57[18:17:34] <walks​anator> more "complex" items = more points
L58[18:17:40] <S​ky> that would be nice if I knew what a mote nexus is
L59[18:17:40] <walks​anator> it pulls randomly
L60[18:17:43] <walks​anator> like risk of rain 2
L61[18:18:02] <S​ky> I can have my M/E system autocraft hundreds of super complex items, can't I?
L62[18:18:03] <walks​anator> >Sky: that would be nice if I knew what a mote nexus is
L63[18:18:03] <walks​anator> "infinite" storage of 1023 items
L64[18:18:11] <S​ky> ah
L65[18:18:12] <walks​anator> that can only be accessed by hexcasting
L66[18:18:34] <walks​anator> so if you figure out how to ME export into it 👏 although *tbh*
L67[18:18:34] <walks​anator> if you have done that
L68[18:18:41] <walks​anator> *what would you even need to import anymore*
L69[18:18:56] <S​ky> creative mode only items :P
L70[18:19:07] <S​ky> like wouldnt i be able to send over a creative energy cube from mekanism?
L71[18:19:12] <walks​anator> banned
L72[18:19:12] <S​ky> creative mana pools?
L73[18:19:14] <walks​anator> by default
L74[18:19:17] <S​ky> oh, theres a banlist
L75[18:19:19] <walks​anator> get deleted when received
L76[18:19:20] <walks​anator> yep
L77[18:19:30] <S​ky> time to make my own mod that implements these, and make it closed source :)
L78[18:19:31] <walks​anator> tag and itemid bans are available for config
L79[18:19:42] <walks​anator> >Sky: time to make my own mod that implements these, and make it closed source :)
L80[18:19:42] <walks​anator> then it wont show up
L81[18:19:45] <walks​anator> since to import an item
L82[18:19:51] <walks​anator> it has to be on the receiving server
L83[18:19:59] <walks​anator> otherwise it becomes "generic media mass"
L84[18:20:03] <S​ky> hm
L85[18:20:08] <walks​anator> and also this is handled *mc* server side
L86[18:20:09] <S​ky> theres definitely a way to abuse this
L87[18:20:23] <walks​anator> the only thing the rust server does rn is filter out truename iotas
L88[18:20:32] <walks​anator> oh yeah thats a given
L89[18:21:04] <walks​anator> anyways heres the db schema
L90[18:21:04] <walks​anator> ```
L91[18:21:05] <walks​anator> CREATE TABLE IF NOT EXISTS `HexDataStorage` … (Code Block pastebined null)
L92[18:21:24] <techt​astic> I'd still verify, just because it has 6mil downloads doesn't mean it's not broken, just that it was used 6 mil times
L93[18:21:56] <walks​anator> I will check github for open issues
L94[18:22:01] <walks​anator> actually wait this would be a vuln
L95[18:22:05] <walks​anator> and only disclosed to the devs
L96[18:22:09] <techt​astic> Optifine has possible millions of downloads despite breaking every other mod
L97[18:22:28] <walks​anator> yes but that wont exploit your DB
L98[18:22:33] <walks​anator> also optifine isn't open source
L99[18:23:00] <techt​astic> still, verify, try to attack your own DB within the game using your system
L100[18:23:36] <walks​anator> the only attack vector I can see are Pattern or Data
L101[18:23:50] <walks​anator> Pattern is out since it is filtered to only be `qweasd` any others are filtered
L102[18:23:54] <walks​anator> for Data I will check if it is valid NBT
L103[18:24:28] <techt​astic> just because you can't see it, doesn't mean an attack vector doesn't exist outside your field of view
L104[18:24:35] <walks​anator> give me a sql attack
L105[18:24:39] <walks​anator> just a string
L106[18:24:59] <techt​astic> idk, I'm not a habitual attacker, I don't have such info lying around
L107[18:25:33] <techt​astic> I'd likely just google it
L108[18:26:36] <walks​anator> is this one?
L109[18:26:36] <walks​anator> Code Block pastebined null
L110[18:26:52] <kristo​pher38> >walksanator: give me a sql attack
L111[18:26:52] <kristo​pher38> then give me your query
L112[18:27:14] <walks​anator> Code Block pastebined null
L113[18:27:21] <walks​anator> this is the RS command and the query
L114[18:27:44] <walks​anator> signature is *only* `qweasd` so cannot be attacked for obvious reasons (try to exploit qweasd)
L115[18:27:50] <walks​anator> the only vector I can see is `bytes`
L116[18:27:53] <walks​anator> since that is NBT data
L117[18:27:59] <kristo​pher38> yeah that caught my attention too
L118[18:28:01] <walks​anator> (password is not user controlled)
L119[18:29:13] <kristo​pher38> you should sanitize `bytes` for size and being a valid NBT
L120[18:29:17] <walks​anator> because bytes is the only one that goes in with *no* sanitization (by me)
L121[18:29:29] <walks​anator> that is currently the plan
L122[18:29:55] <walks​anator> (gonna try and load it uncompressed, and if it fails, send an error message back to the client "invalid nbt")
L123[18:32:37] <Hawk777> Should probably make sure there isn’t any way to construct a blob of bytes that’s both valid NBT data and also something else you don’t want (or, you know, just make sure that the “something else” can’t actually do anything, which would be the ideal solution).
L124[18:33:19] <walks​anator> yeah that is what I am thinking
L125[18:33:29] <walks​anator> because nbt does contain valid string
L126[18:34:06] <walks​anator> so what's stopping a string within nbt being like `sqli "; DROP TABLE HexDataStorage;`
L127[18:34:29] <walks​anator> because right subsequent executions may fail
L128[18:34:34] <walks​anator> but the table was dropped
L129[18:36:24] <walks​anator> well this didn't do it https://tinyurl.com/2ek2p5w8
L130[18:37:00] <fingercomp> of course, since you're using prepared statements
L131[18:37:39] <walks​anator> yep
L132[18:37:40] <walks​anator> https://tinyurl.com/2l4xnfwb
L133[18:37:51] <walks​anator> so it is gonna take something *a little more*
L134[18:37:57] <walks​anator> but I dont really do any selecting
L135[18:38:22] <walks​anator> (and what selecting will be done by the aforementioned pattern which is only `qweasd` and max length of 256 chars)
L136[18:38:26] <walks​anator> post-filtering
L137[18:52:58] <Amanda> If you're using prepared statements you should be totally safe, AIUI those are usually handled by the SQL db's wire protocol to be substituted server-side safely
L138[19:08:11] ⇦ Quits: Hawk777 (~Hawk777@2607:c000:829b:6400:3285:a9ff:fe40:a36) (Ping timeout: 190 seconds)
L139[19:22:32] <thereds​tonewolf> i use opencomputers to control Immersive Railroading trains. how does getpos() work? What is the result?
L140[19:24:24] <ar2​000> Use the `lua` interpreter to experiment with it
L141[19:24:32] <thereds​tonewolf> thx
L142[19:48:49] ⇨ Joins: Hawk777 (~Hawk777@2607:c000:829b:6400:ef85:1468:64ea:8929)
L143[20:01:35] ⇦ Quits: paperluigis (~Thunderbi@176.118.114.87) (Ping timeout: 195 seconds)
L144[20:41:48] <S​3> Amanda: update 8 is the way to go
L145[20:41:58] <S​3> I just wish the map was randomly generated
L146[20:42:09] <S​3> It would make the replay value so much better for me
L147[20:52:03] <Forec​aster> Just invert your controls, bam, brand new experience
L148[21:03:22] <Izzy> S3: you can page through the vtys with alt-, and alt-. :3
L149[21:03:59] <Izzy> https://social.shadowkat.net/media/7d58b6ff1253e5548ee6434776e56c800e5cef33ed97b64c2a82759e919474a1.webm
L150[21:04:06] <Mic​hiyo> ffs... I need to be able to hairpin my connection over my VPN... OR I need to tell my local webserver that any access to hosted domains should connect over the LAN ._.
L151[21:07:22] <techt​astic> Ponders are easier to make than I thought https://tinyurl.com/2eym6m72
L152[21:16:20] <Amanda> @S3 it's a bit laggy sometimes, but I'm generally liking it so far. Bit disconcerting that I'm decapitated in the game though
L153[21:18:24] <Mic​hiyo> ok got iptables to let the hairpin work
L154[21:22:29] <S​3> Lol what
L155[21:22:37] <S​3> Yeah there's some weird bugs for sure
L156[21:22:49] <S​3> My friend and I were breaking it the other day with debug on lol
L157[21:23:08] <Forec​aster> Having a head is overrated anyway
L158[21:23:44] <Forec​aster> It just means you have the potential to get ahead later
L159[21:24:06] <Amanda> @S3 :
L160[21:24:13] <Amanda> https://matrix.camnet.site/_matrix/media/r0/download/camnet.site/qBDtXAJfvqVRWIxIPeSnNlvf/PXL_20230626_212349409.jpg
L161[21:24:39] <S​3> LOL
L162[21:24:52] <Amanda> I've gotta fix my steam deck syncing of screenshots
L163[21:25:02] <S​3> Also that's cool,a steamdeck
L164[21:45:55] <Amanda> That's actually a screenshot in steam, I've broken my syncing to my laptop though, so I decided to just take a photo of the steamdeck with it up
L165[21:47:00] <Izzy> hoping the steam deck encourages more devs to do their UIs properly
L166[21:47:24] <Izzy> letterboxing or broken UI placement on non-16:9 displays is very disappointing
L167[21:47:29] * Izzy stares at capcom
L168[22:03:23] <Amanda> Izzy: honestly I expect the seemingly growing prevalence of stupid-wide screens is more likely to drive adaptive UIs
L169[22:04:02] <Izzy> so far that seems to just make them have a menu option to select between 16:9, 21:9 and 32:9
L170[22:04:27] <Amanda> Ah
L171[22:05:51] <Izzy> see MHW and MHRise
L172[22:08:45] <Amanda> I'll have to ask my sister how monster hunter stories 2 is doing, shes been playing it on her deck
L173[22:09:50] <Izzy> Code Vein was funny
L174[22:09:58] <Izzy> it was rendering in full res then adding black bars over the top
L175[22:10:21] <Izzy> which is obnoxious because you're rendering geometry you can't see ... but also removing them means hex editing 4 bytes
L176[22:44:17] ⇦ Quits: Vexatos (~Vexatos@p200300eaef20b35228868c0a9c938aad.dip0.t-ipconnect.de) (Quit: Insert quantum chemistry joke here)
L177[22:53:02] ⇦ Quits: Teris (sid315557@id-315557.helmsley.irccloud.com) (Ping timeout: 183 seconds)
L178[22:53:09] ⇨ Joins: Teris (sid315557@id-315557.helmsley.irccloud.com)
L179[23:07:18] <Amanda> Izzy: apparently she's playing it in 16:9 because the default was making the menus not work, so I guess Capcom haven't learned yet
L180[23:09:29] <Izzy> of course .-.