Alexandre ZANNI noraj

Ruby: The future of frozen string literals

What is a literal?

In programming languages, literals are textual representations of values in the source code. This is a syntactical concept.

Some examples:

7 # integer literal

Unicode XSS via Combining Characters

Most application security practitioners are familiar with Unicode XSS, which typically arises from the Unicode character fullwidth-less-than-sign. It’s not a common vulnerability but does occasionally appear in applications that otherwise have good XSS protection. In this blog I describe another variant of Unicode XSS that I have identified, using combining characters. I’ve not observed this in the wild, so it’s primarily of theoretical concern. But the scenario is not entirely implausible and I’ve not otherwise seen this technique discussed, so I hope this is useful.

Recap of Unicode XSS

Lab: https://4t64ubva.xssy.uk/

A quick investigation of the lab shows that it is echoing the name parameter, and performing HTML escaping:

Moving gulpfile from CommonJS (CJS) to ECMAScript Modules (ESM)

Context

del v7.0.0 moved to pure ESM (no dual support), which forced me to move my gulpfile to ESM to be able to continue to use del.

The author sindresorhus maintains a lot of npm packages and does not want to provides an upgrade guide for each package so he provided a generic guide. But this guide is a bit vague because it's generic and not helping for gulp, hence this guide.

Guide

How to use Bundler and RubyGems on WebAssembly

# Download prebuilt ruby
curl -LO https://github.com/ruby/ruby.wasm/releases/download/2022-08-09-a/ruby-head-wasm32-unknown-wasi-full.tar.gz
tar xfz ruby-head-wasm32-unknown-wasi-full.tar.gz

# Install the same version of native ruby to avoid bundler version mismatch in "BUNDLED WITH" of Gemfile.lock
rbenv install 3.2.0-dev
rbenv local 3.2.0-dev

Get Pull Requests using GH's GraphQL API

How to get Pull Requests data using Github in the browser, or using the API to allow for automating reporting or building in values into a website.

Resources

GitHub GQL API: https://developer.github.com/v4/
Explorer: https://developer.github.com/v4/explorer/
Github community topics - these were used to understand the syntax needed.

Lexicon

BA: BlackArch
AL: ArchLinux
SO: StackOverflow

PKGBUILD

AL PKGBUILD guide: https://wiki.archlinux.org/index.php/PKGBUILD
BA PKGBUILD templates: https://github.com/BlackArch/blackarch-pkgbuilds

Configure systemd-resolved to use a specific DNS nameserver for a given domain

Use case

Given

I use a VPN to connect to my work network
I'm on a Linux computer that uses systemd-resolved
I have a work domain called example.com
example.com is hosted by both public and private DNS nameservers

MP3 Direct Link Hosting

A list of tutorials on how to upload & get direct mp3 link on some websites.

JukeHost
~~Kiwi6~~ (service is no longer accessible)
OpenDrive

JukeHost

How to change your commit messages in Git?

At some point you’ll find yourself in a situation where you need edit a commit message. That commit might already be pushed or not, be the most recent or burried below 10 other commits, but fear not, git has your back 🙂.

Not pushed + most recent commit:

git commit --amend

This will open your $EDITOR and let you change the message. Continue with your usual git push origin master.

	#!/usr/bin/env ruby
	require 'csv'

	installed_tools = %x(pacman -Sl blackarch).split("\n").grep(/\[installed\]/)

	tools_list = []

	installed_tools.each do \|line\|
	_repo, tool, _version, _status = line.split(' ', 4)
	description = %x(pacman -Qs #{tool}).split("\n")[1].strip