this post was submitted on 09 Apr 2024
39 points (89.8% liked)

Programming

17110 readers
264 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev

founded 1 year ago
MODERATORS
snowe@programming.dev
Ategon@programming.dev
MaungaHikoi@lemmy.nz
39
Datadog has a security footgun (sheriffcranky.substack.com)
submitted 5 months ago by tyteen4a03@lemmy.zip to c/programming@programming.dev
9 comments fedilink hide all child comments
top 9 comments
sorted by: hot top controversial new old
[–] FizzyOrange@programming.dev 14 points 5 months ago

Saving this for when people try to claim that naming things isn't important!

Also that is clearly a security issue. Anyone who tries to claim otherwise is forgetting that humans exist. Though I suspect they were just trying to avoid admitting fault and doing work. Disappointing either way.

[–] ericjmorey@programming.dev 7 points 5 months ago (1 children)

My takeaway from this is to use CSP to minimize your reliance on others doing things intelligently. And that Datadog is not doing things intelligently at the inconvenience of their consumers.

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

[–] BodilessGaze@sh.itjust.works 4 points 5 months ago (1 children)

Unfortunately, retrofitting CSP on an existing site can be nightmare, especially if you have external dependencies. At my job, we spent months trying to enable CSP on one our oldest sites, but ultimately gave up because one of our dependencies won't work unless we added "unsafe-inline" everywhere, which kinda defeats the whole point of CSP.

[–] tyteen4a03@lemmy.zip 2 points 5 months ago

Having something is better than nothing! In our case, having connect-src enabled would have avoided the incident.

[–] onlinepersona@programming.dev 4 points 5 months ago

I can't find the adjective to use for datadog's documentation, but I wouldn't call it good. It seems like it's written by different teams but every team writes everybody's documentation. There's no section just for a single team and nothing feels coordinated.

Anti Commercial AI thingyCC BY-NC-SA 4.0

[–] bigredgiraffe@lemmy.world 2 points 5 months ago* (last edited 5 months ago) (1 children)

I mean sure but that’s a lot of words to say “I didn’t read the directions and no one caught it in a merge request review because no one else read the directions either.”

Their documentation and examples are pretty easy to read and the site parameter is explained in the getting started guide and even linked from the readme for the JavaScript sdk, and in lots of sample configurations so I’m not sure how this made it into a release and then no one noticed the missing metrics for eleven days, sounds like lots of issues in that shop.

The behavior of the sdk isn’t great but the proposed solution wouldn’t work because you can use custom endpoints for all of the components using endpoints on domains you own anyway.

[–] tyteen4a03@lemmy.zip 2 points 5 months ago* (last edited 5 months ago) (1 children)

Not sure what you're referring to by "custom endpoints" - if you are a normal Datadog RUM user you can only ever send data to one of the several "sites". There's nothing customizable.

[–] bigredgiraffe@lemmy.world 1 points 5 months ago (1 children)

That is what I’m saying, that SDK covers more than just normal users.

[–] tyteen4a03@lemmy.zip 3 points 5 months ago

So what part of the proposed solutions "wouldn't work"?