BetterDev #196 - Allow arbitrary URLs, expect arbitrary code execution and curl those funny ipv4 addresses
Better Dev #196 Apr 19, 2021
Hi all, this week's issue is about network knowledge, tips and tricks: the fundamentals of how computers talk to each other :-). If you enjoy this newsletter, make a small contribution to help me keep working on it.
This team found and reported 1-click code execution vulnerabilities in popular software including Telegram, Nextcloud, VLC, Libre-/OpenOffice, Bitcoin/Dogecoin Wallets, Wireshark and Mumble. Read on to learn more about these attack vectors so we can better secure our software and handle URLs securely when writing code.
Did you know 192.168.0.1 can be written in octal as 0300.0250.0.01 or in hexadecimal as 0xc0.0xa8.0x00.0x01? And a bonus point: 16843009 is 1.1.1.1, so you can do ping 16843009.
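Because a string comparison against "192.168." or "127." misses these spellings, a URL or host filter should normalize the address before checking it. The following is an added example, not code from the linked article: it parses IPv4 text using the classic inet_aton() rules (1 to 4 parts, each decimal, octal or hex) and then tests the canonical address. The names `parse_inet_aton` and `is_internal` are hypothetical, and it assumes the client that later connects uses those same rules.

```python
import ipaddress

def _num(part):
    """Parse one component: 0x.. is hex, a leading 0 is octal, else decimal."""
    p = part.lower()
    if p.startswith("0x"):
        digits, base = p[2:], 16
    elif p.startswith("0") and len(p) > 1:
        digits, base = p[1:], 8
    else:
        digits, base = p, 10
    allowed = "0123456789abcdef"[:base]
    # Strict character check: int() alone would accept "+1", " 1" or "1_0".
    if not digits or any(c not in allowed for c in digits):
        return None
    return int(digits, base)

def parse_inet_aton(text):
    """Return the IPv4Address that inet_aton-style parsing yields, or None."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = [_num(p) for p in parts]
    if any(n is None for n in nums):
        return None
    *head, last = nums
    # Leading parts are single bytes; the last part fills all remaining bytes.
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return ipaddress.IPv4Address(value)

def is_internal(host):
    """True if host is an IPv4 literal, in any accepted form, outside public space."""
    addr = parse_inet_aton(host)
    return addr is not None and not addr.is_global

if __name__ == "__main__":
    # The first three samples are the spellings given in the text above.
    for sample in ["0300.0250.0.01", "0xc0.0xa8.0x00.0x01", "16843009", "example.com"]:
        print(sample, "->", parse_inet_aton(sample), "internal:", is_internal(sample))
```

A hostname returns None here, so it still needs its own check on the addresses it resolves to.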
HTTP supports the accept-ranges: bytes header and Range: bytes=start-end to signal that a client only needs part of a file. It's usually used in streaming so we can seek to any part of a video/audio file. In this post we made use of it to fetch only a particular file in a zip bundle.
The mantra “don’t roll your own crypto” is widely known and accepted amongst programmers, but what does it actually mean? It turns out that such a simple statement is not so simple to follow.
Given a project with years of development that is actively used in production, how would you go about switching to a different language? Especially in a space that moves as incredibly fast as frontend? Sentry.com shares their strategy for JavaScript to TypeScript migration to learn from. If you don't have much time this week, then only read this article.
In Postgres, transaction IDs (XIDs) are compared to control isolated data access. A row version with an insertion XID greater than the current transaction's XID is "in the future" and should not be visible to the current transaction. But the XID is only 32 bits. This blog post covers an easy way to monitor for it and what can be done to prevent it from ever being a problem.
Storing BLOBs in a database is an open-ended discussion. When working on my email forwarding project, I did that and it isn't that bad. If you are in the "pro BLOB" camp, we want to share some insights into how binary data can be handled in PostgreSQL with maximum efficiency.
Searching for "per process network usage linux" is disappointing. Most of the recommended tools, like iftop, nload, bmon, and iptraf, mostly report per-interface or per-socket traffic. In this post, OP is going to explain line-by-line how to write a bpftrace program that measures per-process network traffic. The code is C, but once you learn eBPF, it's easy to find bindings for Ruby/Python/Go etc.
Content-aware image resizer based on Seam Carving algorithm. Here is the result code repository
Code to read
uPnP is a router feature that allows you to port forward a client on the LAN to the internet without manually configuring the router. The client advertises its service, the router picks it up and auto-configures. It's interesting to learn about these small protocols. Another similar project, but with a bit more complex implementation, is playfull, so check it out too.
Ruby
The zero dependency Node.js module for tailing a file. Similar to tail -f but in NodeJS.
The Go backend framework with superpowers: distributed tracing, no boilerplate, secret management, api doc
Go
Tools
The Language Server Protocol (LSP) defines the protocol used between an editor or IDE and a language server that provides language features like auto complete, go to definition, find all references etc. This is an LSP implementation for bash, so you can use it in any text editor that speaks LSP, such as vim, vscode, atom, emacs, Sublime Text.
If you have any suggestion/feedback, do tell me by replying to this email. I read them all.