Search results for "includes javascript array of objects": 1 - 40 of 94

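  • [2020] Summary of Attack Techniques in CTF Web Challenges - こんとろーるしーこんとろーるぶい

    Introduction Covered events How to read and use this Remote Code Execution (RCE) Bypassing open_basedir by specifying a parent directory Bypassing open_basedir and disable_functions via a TCP socket connection to PHP-FPM Running a shell with Java's Runtime.exec Cross-Site Scripting (XSS) Disabling the CSP header in an nginx environment when the HTTP status code can be controlled XSS vulnerability in Google's Closure Library sanitizer Registering a Service Worker through a web proxy feature XSS without parentheses Specifying the destination URL without using the / character Running document.write sequentially using SOME (Same Origin Method Execution) SQL Injection MySQ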

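    • Why Is Wasm Secure?

      Why Is Wasm Secure? Last time I read through a Wasm binary, and I became curious about how it is executed securely at runtime, so I looked into it. As before, I will organize things while reading the official documentation, and where the actual code can be followed without too much trouble, I will refer to the wasmer implementation. The Security Wasm Aims For For now, I will simply read through the official text without overthinking it. The security model of WebAssembly has two important goals: (1) protect users from buggy or malicious modules, and (2) provide developers with useful primitives and mitigations for developing safe applications, within the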

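      • Reading the Ruby 3.1 NEWS with the Pros - Cookpad Developer Blog

        We are Sasada (ko1) and Endoh (mame) of the Technology Department. At Cookpad we develop Ruby (MRI: Matz Ruby Implementation, i.e. the ruby command). We are paid to develop Ruby, so we are professional Ruby committers. Today, 12/25, Ruby 3.1.0 was finally released (Ruby 3.1.0 Released). This year as well, we will walk through the NEWS.md file of Ruby 3.1. For what the NEWS file is, please see our earlier articles. Reading the Ruby 2.6 NEWS File with the Pros - Cookpad Developer Blog Reading the Ruby 2.7 NEWS with the Pros - Cookpad Developer Blog Reading the Ruby 3.0 NEWS with the Pros - Cookpad Developer Blog This article explains the new features, but also the background behind the changes and the struggles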

        • New WebKit Features in Safari 15.4

          Contents: HTML; CSS; Web APIs; JavaScript; Web Apps; Media; Privacy; Security; WKWebView; Safari Web Extensions; Web Inspector; Feedback; And More. With over 70 additions to WebKit, Safari 15.4 is packed with new web technologies, updates, and fixes. We’ve assembled a huge release as part of our commitment to web developers, and the people who use the web. This is the first big WebKit release of 2022, and we’re just getting

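          • Reading the Ruby 3.2 NEWS with the Pros - Cookpad Developer Blog

            We are Sasada (ko1) and Endoh (mame) of the Technology Department. At Cookpad we develop Ruby (MRI: Matz Ruby Implementation, i.e. the ruby command). We are paid to develop Ruby, so we are professional Ruby committers. Yesterday, 12/25, Ruby 3.2.0 was released as the customary Christmas release (Ruby 3.2.0 Released). This year as well, we will walk through the NEWS.md file of Ruby 3.2. For what the NEWS file is, please see our earlier articles. Reading the Ruby 2.6 NEWS File with the Pros - Cookpad Developer Blog Reading the Ruby 2.7 NEWS with the Pros - Cookpad Developer Blog Reading the Ruby 3.0 NEWS with the Pros - Cookpad Developer Blog Reading the Ruby 3.1 NEWS with the Pros -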

            • REST API Design Best Practices Handbook – How to Build a REST API with JavaScript, Node.js, and Express.js

              By Jean-Marc Möckel I've created and consumed many API's over the past few years. During that time, I've come across good and bad practices and have experienced nasty situations when consuming and building API's. But there also have been great moments. There are helpful articles online which present many best practices, but many of them lack some practicality in my opinion. Knowing the theory with

              • Optimizing Javascript for fun and for profit

                I often feel like javascript code in general runs much slower than it could, simply because it’s not optimized properly. Here is a summary of common optimization techniques I’ve found useful. Note that the tradeoff for performance is often readability, so the question of when to go for performance versus readability is a question left to the reader. I’ll also note that talking about optimization n

                • The Prompt Engineering Playbook for Programmers

                  Developers are increasingly relying on AI coding assistants to accelerate our daily workflows. These tools can autocomplete functions, suggest bug fixes, and even generate entire modules or MVPs. Yet, as many of us have learned, the quality of the AI’s output depends largely on the quality of the prompt you provide. In other words, prompt engineering has become an essential skill. A poorly phrased

                  • Announcing TypeScript 6.0 - TypeScript

                    Today we are excited to announce the availability of TypeScript 6.0! If you are not familiar with TypeScript, it’s a language that builds on JavaScript by adding syntax for types, which enables type-checking to catch errors, and provide rich editor tooling. You can learn more about TypeScript and how to get started on the TypeScript website. But if you’re already familiar with the language, you ca

                    • GitHub - modelcontextprotocol/servers: Model Context Protocol Servers

                      Official integrations are maintained by companies building production ready MCP servers for their platforms. 21st.dev Magic - Create crafted UI components inspired by the best 21st.dev design engineers. 2slides - An MCP server that provides tools to convert content into slides/PPT/presentation or generate slides/PPT/presentation with user intention. ActionKit by Paragon - Connect to 130+ SaaS inte

                      • WebKit Features in Safari 16.4

                        Mar 27, 2023 by Patrick Angle, Marcos Caceres, Razvan Caliman, Jon Davis, Brady Eidson, Timothy Hatcher, Ryosuke Niwa, and Jen Simmons. Contents: Web Push on iOS and iPadOS; Improvements for Web Apps; Web Components; CSS; HTML; JavaScript and WebAssembly; Web API; Images, Video, and Audio; WKWebView; Developer Tooling; Web Inspector; Safari Web Extensions; Safari Content Blockers; New Restrictions in Lockdown Mode; More Improve

                        • JavaScript Best Practices | The WebStorm Blog

                          • Introducing Ezno

                            Ezno is an experimental compiler I have been working on and off for a while. In short, it is a JavaScript compiler featuring checking, correctness and performance for building full-stack (rendering on the client and server) websites. This post is just an overview of some of the features I have been working on which I think are quite cool as well an overview on the project philosophy ;) It is still

                            • Wasm 3.0 Completed - WebAssembly

                              Wasm 3.0 Completed Published on September 17, 2025 by Andreas Rossberg. Three years ago, version 2.0 of the Wasm standard was (essentially) finished, which brought a number of new features, such as vector instructions, bulk memory operations, multiple return values, and simple reference types. In the meantime, the Wasm W3C Community Group and Working Group have not been lazy. Today, we are happy t

                              • Cloudflare Workers + Hono Workshop - ServerlessDays Tokyo 2023

                                Cloudflare Workers + Hono Workshop Materials are here => workshops.yusuke.run #serverlessdays Yusuke Wada 2023-09-24 ServerlessDays Tokyo 2023 workshops.yusuke.run Agenda About the workshop Introduction to Workers Introduction to Hono Basics Proxy Web API Full stack AI Getting to know Hono in more depth Other 1. About the workshop 1.1 Audience Intended audience People interested in building applications on Cloudflare People who want to try Hono Frontend or backend, either is fine Prerequisites Have an environment where Wrangler runs npx wrangler works Some knowledge of JavaScript is helpful

                                • Extreme Explorations of TypeScript's Type System | Learning TypeScript

                                  TypeScript's type system is Turing Complete: meaning it has conditional branching (conditional types) and works with an arbitrary huge amount of memory. As a result, you can use the type system as its own programming language complete with variables, functions, and recursion. Developers have pushed the bounds of type operations possible in the type system to write some pretty incredible things! Th

                                  • Announcing .NET 10 - .NET Blog

                                    Today, we are excited to announce the launch of .NET 10, the most productive, modern, secure, intelligent, and performant release of .NET yet. It’s the result of another year of effort from thousands of developers around the world. This release includes thousands of performance, security, and functional improvements across the entire .NET stack-from languages and developer tools to workloads-enabl

                                    • Functional programming is finally going mainstream

                                      Functional programming is finally going mainstream Object-oriented and imperative programming aren’t going away, but functional programming is finding its way into more codebases. Klint Finley // July 12, 2022 Paul Louth had a great development team at Meddbase, the healthcare software company he founded in 2005. But as the company grew, so did their bug count. That’s expected, up to a point. More

                                      • Sublime Text 4

                                        The first stable release of Sublime Text 4 has finally arrived! We've worked hard on providing improvements without losing focus on what makes Sublime Text great. There are some new major features that we hope will significantly improve your workflow and a countless number of minor improvements across the board. A huge thanks goes out to all the beta testers on discord and all the contributors to

                                        • CVE-2024-4367 - Arbitrary JavaScript execution in PDF.js - Codean Labs

                                          This post details CVE-2024-4367, a vulnerability in PDF.js found by Codean Labs. PDF.js is a JavaScript-based PDF viewer maintained by Mozilla. This bug allows an attacker to execute arbitrary JavaScript code as soon as a malicious PDF file is opened. This affects all Firefox users (<126) because PDF.js is used by Firefox to show PDF files, but also seriously impacts many web- and Electron-based a

                                          • Announcing TypeScript 4.7 - TypeScript

                                            Today we’re excited to announce the availability of TypeScript 4.7! If you’re not yet familiar with TypeScript, it’s a language that builds on JavaScript and adds syntax for types. Types help describe what kinds of values you’re working with and what kinds of functions you’re calling. TypeScript can use this information to help you avoid mistakes like typos, missing arguments, or forgetting

                                            • Claude Mythos Preview \ red.anthropic.com

                                              Assessing Claude Mythos Preview’s cybersecurity capabilities April 7, 2026 Nicholas Carlini, Newton Cheng, Keane Lucas, Michael Moore, Milad Nasr, Vinay Prabhushankar, Winnie Xiao Hakeem Angulu, Evyatar Ben Asher, Jackie Bow, Keir Bradwell, Ben Buchanan, David Forsythe, Daniel Freeman, Alex Gaynor, Xinyang Ge, Logan Graham, Kyla Guru, Hasnain Lakhani, Matt McNiece, Mojtaba Mehrara, Renee Nichol, A

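                                              • Path Traversal in Signed URLs, Which Existed Even in the Official AWS SDK - GMO Flatt Security Blog

                                                Introduction Hello. We are Matsui (@ryotaromosao) and Chung (Eui Chul Chung), security engineers at GMO Flatt Security. Are you familiar with the "path traversal in signed URLs" vulnerability? When implementing signed URLs in a web application, the official AWS SDK is often used. In the past, there was a case where a path traversal vulnerability was found in that official SDK itself. On the other hand, there are also cases where the official SDK has the correct countermeasures in place, but an implementation mistake by the application developer causes path traversal. In this article, we take a code-level deep dive into the path traversal vulnerability in signed URLs, drawing on examples of vulnerabilities actually found in the AWS SDK. Also, in the second half, applications that use the SDK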

                                                • A virtual DOM in 200 lines of JavaScript

                                                  In this post I’ll walk through the full implementation of a Virtual DOM in a bit over 200 lines of JavaScript. The result is a full-featured and sufficiently performant virtual DOM library (demos). It’s available on NPM as the smvc package. The main goal is to illustrate the fundamental technique behind tools like React. React, Vue and the Elm language all simplify the creation of interactive web

                                                  • Announcing TypeScript 5.2 - TypeScript

                                                    Today we’re excited to announce the release of TypeScript 5.2! If you’re not familiar with TypeScript, it’s a language that builds on top of JavaScript by making it possible to declare and describe types. Writing types in our code allows us to explain intent and have other tools check our code to catch mistakes like typos, issues with null and undefined, and more. Types also power TypeScript’s edi

                                                    • Announcing TypeScript 6.0 Beta - TypeScript

                                                      Today we are announcing the beta release of TypeScript 6.0! To get started using the beta, you can get it through npm with the following command: npm install -D typescript@beta TypeScript 6.0 is a unique release in that we intend for it to be the last release based on the current JavaScript codebase. As announced last year (with recent updates here), we are working on a new codebase for the TypeSc

                                                      • jQuery 4.0.0 | Official jQuery Blog

                                                        On January 14, 2006, John Resig introduced a JavaScript library called jQuery at BarCamp in New York City. Now, 20 years later, the jQuery team is happy to announce the final release of jQuery 4.0.0. After a long development cycle and several pre-releases, jQuery 4.0.0 brings many improvements and modernizations. It is the first major version release in almost 10 years and includes some breaking c

                                                        • Low-Level Software Security for Compiler Developers

                                                          1 Introduction Compilers, assemblers and similar tools generate all the binary code that processors execute. It is no surprise then that these tools play a major role in security analysis and hardening of relevant binary code. Often the only practical way to protect all binaries with a particular security hardening method is to have the compiler do it. And, with software security becoming more and

                                                          • AST vs. Bytecode: Interpreters in the Age of Meta-Compilation

                                                            233 AST vs. Bytecode: Interpreters in the Age of Meta-Compilation OCTAVE LAROSE, University of Kent, UK SOPHIE KALEBA, University of Kent, UK HUMPHREY BURCHELL, University of Kent, UK STEFAN MARR, University of Kent, UK Thanks to partial evaluation and meta-tracing, it became practical to build language implementations that reach state-of-the-art peak performance by implementing only an interprete

                                                            • Mastodon: Ruby on Rails Open Source Web App

                                                              The product https://joinmastodon.org Mastodon is a free, open-source social network server based on ActivityPub where users can follow friends and discover new ones. On Mastodon, users can publish anything they want: links, pictures, text, and video. All Mastodon servers are interoperable as a federated network. Open source The project is open source at https://github.com/mastodon/mastodon License

                                                              • Private Browsing 2.0

                                                                Jul 16, 2024 by John Wilander, Charlie Wolfe, Matthew Finkel, Wenson Hsieh, and Keith Holleman When we invented Private Browsing back in 2005, our aim was to provide users with an easy way to keep their browsing private from anyone who shared the same device. We created a mode where users do not leave any local, persistent traces of their browsing. Eventually all other browsers shipped the same fe

                                                                • WebKit Features in Safari 18.0

                                                                  Contents: New in Safari 18; Web apps for Mac; CSS; Spatial Web; HTML; JavaScript; Web API; Canvas; Managed Media Source; WebRTC; HTTPS; WebGL; Web Inspector; Passkeys; Safari Extensions; Apple Pay; Deprecations; Bug Fixes and more; Updating to Safari 18.0; Feedback. Safari 18.0 is here. Along with iOS 18, iPadOS 18, macOS Sequoia and visionOS 2, today is the day another 53 web platform features, as well as 25 deprecations and 209 resolve

                                                                  • Parsing SQL - Strumenta

                                                                    The code for this tutorial is on GitHub: parsing-sql SQL is a language to handle data in a relational database. If you worked with data you have probably worked with SQL. In this article we will talk about parsing SQL. It is in the same league of HTML: maybe you never learned it formally but you kind of know how to use it. That is great because if you know SQL, you know how to handle data. However

                                                                    • Announcing TypeScript 4.7 RC - TypeScript

                                                                      Today we’re excited to announce our Release Candidate (RC) of TypeScript 4.7! Between now and the stable release of TypeScript 4.7, we expect no further changes apart from critical bug fixes. To get started using the RC, you can get it through NuGet, or use npm with the following command: npm install typescript@rc You can also get editor support by Downloading for Visual Studio 2022/2019 Following

                                                                      • Announcing TypeScript 5.5 - TypeScript

                                                                        Today we’re excited to announce the release of TypeScript 5.5! If you’re not familiar with TypeScript, it’s a language that builds on top of JavaScript by making it possible to declare and describe types. Writing types in our code allows us to explain intent and have other tools check our code to catch mistakes like typos, issues with null and undefined, and more. Types also power TypeScript’s edi

                                                                        • A new way to bring garbage collected programming languages efficiently to WebAssembly · V8

                                                                          A recent article on WebAssembly Garbage Collection (WasmGC) explains at a high level how the Garbage Collection (GC) proposal aims to better support GC languages in Wasm, which is very important given their popularity. In this article, we will get into the technical details of how GC languages such as Java, Kotlin, Dart, Python, and C# can be ported to Wasm. There are in fact two m

                                                                          • HTML: The Programming Language

                                                                            Introduction HTML, the programming language, is a practical, turing-complete[1], stack-based programming language based on HTML, the markup language. It uses elements defined in HTML, the markup language, in order to do computations. To give you a sense of what HTML, the programming language, looks like, below is a sample program that prints the values from 1 to 10 to standard out (console.log) A

                                                                            • Node.js — Node.js 24.0.0 (Current)

                                                                              2025-05-06, Version 24.0.0 (Current), @RafaelGSS and @juanarbol We’re excited to announce the release of Node.js 24! This release brings several significant updates, including the upgrade of the V8 JavaScript engine to version 13.6 and npm to version 11. Starting with Node.js 24, support for MSVC has been removed, and ClangCL is now required to compile Node.js on Windows. The AsyncLocalStorage API

                                                                              • Node.js 16.x runtime now available in AWS Lambda | Amazon Web Services

                                                                                AWS Compute Blog Node.js 16.x runtime now available in AWS Lambda This post is written by Dan Fox, Principal Specialist Solutions Architect, Serverless. You can now develop AWS Lambda functions using the Node.js 16 runtime. This version is in active LTS status and considered ready for general use. To use this new version, specify a runtime parameter value of nodejs16.x when creating or updating fu

                                                                                • ESLint v10.0.0 released - ESLint - Pluggable JavaScript Linter

                                                                                  Highlights ESLint v10.0.0 is a major release that includes several new features and breaking changes. Here are some of the most notable updates. Installing Because this is a major release, you may not automatically be upgraded by npm. To ensure you are using this version, run: npm i eslint@10.0.0 --save-dev Node.js < v20.19.0, v21.x, v23.x no longer supported As of this po
