Thursday, July 2, 2026

Github Action to build an artefact - Java application (.war file generation)

 

# This workflow will build a package using Maven and then publish it to GitHub packages when a release is created
# For more information see: https://github.com/actions/setup-java/blob/main/docs/advanced-usage.md#apache-maven-with-a-settings-path
name: AscentOne Portal Backend - Maven
permissions:
actions: read
contents: read
on:
workflow_dispatch:
inputs:
command:
description: 'Which environment to build'
required: true
default: 'test'
type: choice
options:
- test
- production
jobs:
# build-frontend:
# uses: ./.github/workflows/AscentOne.yml
build:
runs-on: ubuntu-latest
environment: AscentOne.${{ github.event.inputs.command || 'test' }}
steps:
- uses: actions/checkout@v4
- name: Set up JDK 11
uses: actions/setup-java@v4
with:
java-version: '11'
distribution: 'temurin'
# Determine which branch to use in config repo
- name: Resolve config repo branch
id: config_branch
env:
BRANCH_NAME: ${{ github.ref_name }}
TOKEN: ${{ secrets.ACCESSTOKEN }}
run: |
if git ls-remote --exit-code --heads \
https://x-access-token:${TOKEN}@github.com/AscentOne-Ltd/AscentOne-cicd-templates.git \
"${BRANCH_NAME}" >/dev/null 2>&1; then
echo "ref=${BRANCH_NAME}" >> $GITHUB_OUTPUT
echo "Using branch ${BRANCH_NAME}"
else
echo "ref=main" >> $GITHUB_OUTPUT
echo "Branch ${BRANCH_NAME} not found. Using main."
fi
# ✅ Pull config repo
- name: Checkout config repo
uses: actions/checkout@v4
with:
repository: AscentOne-Ltd/AscentOne-cicd-templates
token: ${{ secrets.CICDACCESSTOKEN }}
path: config-repo
ref: ${{ steps.config_branch.outputs.ref }}
# ✅ Copy configs
- name: Copy config files
working-directory: AscentOneBackend
run: |
ENV=${{ github.event.inputs.command || 'test' }}
cp ../config-repo/templates/applications/AscentOne//$ENV/application.yml src/main/resources/application.yml
cp ../config-repo/templates/applications/AscentOne/$ENV/application-prod.yml src/main/resources/application-prod.yml
cp ../config-repo/templates/applications/AscentOne/$ENV/application-int.yml src/main/resources/application-int.yml
cp ../config-repo/templates/applications/AscentOne/$ENV/application-dev.yml src/main/resources/application-dev.yml
cp ../config-repo/templates/applications/AscentOne/$ENV/logback.xml src/main/resources/logback.xml
- name: Download frontend artifact
uses: dawidd6/action-download-artifact@v3
with:
workflow: ascentOneAngularfrontend.yml
name: application-ascentOneAngularfrontend-${{ github.event.inputs.command }}
path: ascentOneAngularfrontend-new

- name: Copy malfunction new frontend into backend resource folder
run: |
rm -rf AscentOneBackend/src/main/webapp/resources/html*
mkdir -p AscentOneBackend/src/main/webapp/resources/html
cp -r ascentOneAngularfrontend-new/malfunction/. AscentOneBackend/src/main/webapp/resources/html
- name: Build with Maven
working-directory: AscentOneBackend
run: mvn clean package -DskipTests
- name: Upload AscentOneBackend WAR artifact
uses: actions/upload-artifact@v4
with:
name: AscentOneBackend.war
path: AscentOneBackend/target/*.war

Monday, April 27, 2026

Security Vulnerability - Regular Expression Denial of Service (ReDoS)

NVD - CVE-2025-69873

 1. Backtracking (in the context of regular expressions and algorithms) is a trial‑and‑error process where the engine tries one possible path, and if that path fails, it goes back (“backtracks”) and tries another.

Think of backtracking like this:

“Try option A.
If it doesn’t work, rewind and try option B.
If that doesn’t work, rewind further and try option C…”

This is fine when there are only a few options.
It becomes dangerous when the number of options grows exponentially.


What is catastrophic backtracking?

Catastrophic backtracking happens when:

  • A regex has nested repetition or ambiguity
  • The engine must try an enormous number of paths
  • Matching time becomes extremely slow

Example :

^(a+)+$


Why it’s bad:

  • a+ already repeats
  • Wrapping it in ()+ creates nested repetition
  • The engine keeps retrying the same matches in different groupings

Just adding one more character to the input can double execution time.


What is ReDoS

A ReDoS vulnerability stands for Regular Expression Denial of Service. It is a type of Denial‑of‑Service (DoS) attack that exploits how some regular expressions are evaluated.

ReDoS happens when a specially crafted input causes a regular expression to take an extremely long time to evaluate, consuming CPU and making an application unresponsive.


Why backtracking causes ReDoS

Backtracking itself is normal.
It becomes a vulnerability when attackers can control the input.

Attack flow:

  1. Attacker sends specially crafted input
  2. Regex engine enters massive backtracking
  3. CPU usage spikes
  4. Application becomes unresponsive

In Node.js or single‑threaded environments:

  • One slow regex = entire server blocked

What makes it a vulnerability?

ReDoS becomes a security vulnerability when:

  1. A regex is evaluated on untrusted input
  2. The regex or the input can be influenced by an attacker
  3. The regex runs on a shared or single-threaded resource (e.g. Node.js event loop)

An attacker can then:

  • Send a single request
  • Tie up CPU
  • Block all other users

Getting access token from Microsoft using Powershell

 


$tenantId   = "<your-tenant-id>"

$clientId   = "<yourclient-id>"

$client_secret= "<client-secret>"

$scope      = "api://<your-client-id>/.default"

$grant_type = "client_credentials"


$tokenUrl = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"


$body = @{

    client_id      = "$clientId"

    client_secret  = "$client_secret"

    scope          =  "$scope"

    grant_type     = "client_credentials"

}


$graphToken = Invoke-RestMethod `

    -Method POST `

    -Uri $tokenUrl `

    -ContentType "application/x-www-form-urlencoded" `

    -Body $body



$token =  $graphToken.access_token