Allow arbitrary URLs, expect arbitrary code execution
This team found and reported 1-click code execution vulnerabilities in popular software including Telegram, Nextcloud, VLC, Libre-/OpenOffice, Bitcoin/Dogecoin wallets, Wireshark and Mumble. Read on to learn more about this attack vector, so that we can secure our own software when writing code and handle URLs securely.
curl those funny ipv4 addresses
Did you know 192.168.0.1 can be written in octal as 0300.0250.0.01 or in hexadecimal as 0xc0.0xa8.0x00.0x01? And as a bonus point, 188.8.131.52 so you can do
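The spellings above are the ones a C-library style inet_aton() accepts, and a URL or host filter that compares strings never sees the canonical form. The following is an added example, not code from the linked post: it implements those legacy parsing rules (octal, hexadecimal, fewer than four parts and, going beyond the two spellings the item lists, a single 32-bit integer), normalizes the host to canonical dotted-decimal, and only then decides whether a destination is internal. The function names and the rule set are assumptions of this example; it deliberately does not resolve DNS names.

```python
"""Normalize non-canonical IPv4 spellings before an allow/deny decision.

Added illustration for this newsletter item, not the linked article's code.
The parsing rules mirror the classic BSD inet_aton() behaviour and are
assumed here; Python's ipaddress module itself accepts only canonical
dotted-decimal, which is exactly why a naive filter misses these forms.
"""
import ipaddress
import re

_HEX = re.compile(r"0[xX][0-9a-fA-F]+")
_OCT = re.compile(r"0[0-7]*")          # leading 0 means octal; "0" alone is 0
_DEC = re.compile(r"[1-9][0-9]*")


def _part_value(part: str) -> int:
    """Interpret one dot-separated part the way strtoul(..., base 0) does."""
    if _HEX.fullmatch(part):
        return int(part[2:], 16)
    if _OCT.fullmatch(part):
        return int(part, 8)
    if _DEC.fullmatch(part):
        return int(part, 10)
    raise ValueError(f"not a numeric address part: {part!r}")


def parse_legacy_ipv4(text: str) -> ipaddress.IPv4Address:
    """Parse any inet_aton-style spelling into a canonical IPv4Address.

    With fewer than four parts the last part fills all remaining bytes,
    so "127.1" is 127.0.0.1 and the bare integer 3232235521 is 192.168.0.1.
    """
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"wrong number of parts in {text!r}")
    values = [_part_value(p) for p in parts]
    *leading, last = values
    for v in leading:
        if v > 0xFF:
            raise ValueError(f"byte out of range in {text!r}")
    remaining_bytes = 4 - len(leading)
    if last >= 1 << (8 * remaining_bytes):
        raise ValueError(f"trailing value out of range in {text!r}")
    packed = 0
    for v in leading:
        packed = (packed << 8) | v
    packed = (packed << (8 * remaining_bytes)) | last
    return ipaddress.IPv4Address(packed)


def canonical_ipv4(text: str) -> str:
    """Canonical dotted-decimal form of any accepted spelling."""
    return str(parse_legacy_ipv4(text))


def naive_is_internal(host: str) -> bool:
    """The string-prefix check this item warns about: it only recognises
    the canonical spelling and is blind to "0xc0.0xa8.0x00.0x01"."""
    return host.startswith(("10.", "192.168.", "127."))


def is_internal(host: str) -> bool:
    """Normalize first, then ask the address object.

    Simplification (assumed for this example): anything that is not a
    numeric IPv4 address, such as a DNS name, is reported as not internal;
    a real filter would resolve the name and check every returned address.
    """
    try:
        addr = parse_legacy_ipv4(host)
    except ValueError:
        return False
    return addr.is_private or addr.is_loopback or addr.is_link_local


if __name__ == "__main__":
    for spelling in ("192.168.0.1", "0300.0250.0.01", "0xc0.0xa8.0x00.0x01",
                     "192.168.1", "3232235521", "127.1"):
        print(f"{spelling:>22} -> {canonical_ipv4(spelling):>12}"
              f"  naive={naive_is_internal(spelling)!s:<5}"
              f" normalized={is_internal(spelling)}")
```

The point of the two checks side by side is that the same destination passes the prefix check under every alternative spelling and is caught only once the host has been reduced to a single canonical value; the same normalization step belongs in front of any allow list that is keyed on address strings.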
actually you are rolling your own crypto
The mantra “don’t roll your own crypto” is widely known and accepted amongst programmers, but what does it actually mean? It turns out that such a simple statement is not so simple to follow.
Slow and Steady: Converting Sentry’s Entire Frontend to TypeScript
Managing Transaction ID Exhaustion (Wraparound) in PostgreSQL
In Postgres, transaction IDs (XIDs) are compared to decide what each transaction may see: a row version with an insertion XID greater than the current transaction's XID is "in the future" and should not be visible to the current transaction. But the XID is only 32 bits, so it eventually wraps around. This blog post covers an easy way to monitor for it and what can be done to prevent it from ever being a problem.
Accurate, low-overhead per process bandwidth monitoring on Linux in 40 lines of bpftrace
Searching for "per process network usage linux" is disappointing. Most of the recommended tools, like iftop, nload, bmon and iptraf, report per-interface or per-socket traffic rather than per-process. In this post, the author explains line by line how to write a bpftrace program that measures per-process network traffic. The code is C, but once you learn eBPF it's easy to find bindings for Ruby/Python/Go etc.
Code to read
Radically simplified static file serving for Python web apps
UPnP is a router feature that lets a client on the LAN get a port forwarded from the internet without manually configuring the router: the client advertises its service, the router picks it up and configures itself. It's interesting to learn about these small protocols. Another similar project, with a slightly more complex implementation, is playfull, so check it out too.
The zero-dependency Node.js module for tailing a file. Similar to tail -f but in Node.js.
A shell parser, formatter, and interpreter with bash support; includes shfmt
The Go backend framework with superpowers: distributed tracing, no boilerplate, secret management, API docs.
Simple embedded database modeled off SQLite in Rust
Scan git repos (or files) for secrets using regex and entropy 🔑
Feature Store for Machine Learning
A static analysis tool for shell scripts. Seriously, run your shell scripts through it.
The Language Server Protocol (LSP) defines the protocol used between an editor or IDE and a language server that provides language features like autocomplete, go to definition, find all references etc. This is an LSP implementation for bash, so you can use it in any text editor that speaks LSP, such as vim, vscode, atom, emacs or Sublime Text.
The open-source Calendly alternative
Divide full port scan results and use them for targeted Nmap runs
That's it for this round, have a great day! If you like this newsletter, please tell the world, or tweet about this.