はじめに 対象イベント 読み方、使い方 Remote Code Execution(RCE) 親ディレクトリ指定によるopen_basedirのバイパス PHP-FPMのTCPソケット接続によるopen_basedirとdisable_functionsのバイパス JavaのRuntime.execでシェルを実行 Cross-Site Scripting(XSS) nginx環境でHTTPステータスコードが操作できる場合にCSPヘッダーを無効化 GoogleのClosureLibraryサニタイザーのXSS脆弱性 WebのProxy機能を介したService Workerの登録 括弧を使わないXSS /記号を使用せずに遷移先URLを指定 SOME(Same Origin Method Execution)を利用してdocument.writeを順次実行 SQL Injection MySQ
はじめに サーバーサイドエンジニアの mokuo です。普段はカード決済やあとばらいチャージに関連する機能の開発や運用を行っております。 本記事でお話すること 日本の住所を都道府県、市区町村、丁目番地、それ以降などに分割する方法の検討から技術選定、実際に動いているコード(ほぼそのまま)をお見せします。 想定読者 サーバーサイドエンジニアを主な読者として想定しています。 日本の住所を分割する機能の実装方法を知りたい方 Deno*1や Hono*2 の採用事例、実装例を知りたい方 はじめに 本記事でお話すること 想定読者 🤔 背景と課題 🎯 住所分割の方針検討 ✂️ 住所分割方法: normalize-japanese-addresses に決定 🧩 npm ライブラリの組み込み: Hono + Deno に決定 🏠️ インフラ構成: ECS + EFS に決定 💪 2日で実装する
Another year passes. I was hoping to write more articles instead of just these end-of-the-year screeds, but I almost died in the spring semester, and it sucked up my time. Nevertheless, I will go through what I think are the major trends and happenings in databases over the last year. There were many exciting and unprecedented developments in the world of databases. Vibe coding entered the vernacu
REST API Design Best Practices Handbook – How to Build a REST API with JavaScript, Node.js, and Express.js
By Jean-Marc Möckel I've created and consumed many API's over the past few years. During that time, I've come across good and bad practices and have experienced nasty situations when consuming and building API's. But there also have been great moments. There are helpful articles online which present many best practices, but many of them lack some practicality in my opinion. Knowing the theory with
GitHub - modelcontextprotocol/servers: Model Context Protocol Servers
Official integrations are maintained by companies building production ready MCP servers for their platforms. 21st.dev Magic - Create crafted UI components inspired by the best 21st.dev design engineers. 2slides - An MCP server that provides tools to convert content into slides/PPT/presentation or generate slides/PPT/presentation with user intention. ActionKit by Paragon - Connect to 130+ SaaS inte
dodaの技術負債を解消するコンテナ環境で動くAPIサーバー - techtekt(テックテクト) | パーソルキャリアのエンジニアブログ
こんにちは。dodaサイト開発グループの齋藤です。 doda トップページリビルドプロジェクトにて、コンテナ環境で動くAPIサーバー(hydrogenと社内では読んでいます)を作成しました。 そのAPIサーバーの開発が活発化してきたため、社外向けへの知見の共有と、社内のチーム向けのドキュメントとして、プロジェクトにおいて工夫した点などをこの記事にて公開することにします。 なぜAPIサーバー(hydrogen)を作成したのか これまでdodaではJava側でHTMLまで返すMPA(Multiple Page Application)で作られていました。 しかし今回のdodaトップページリビルドプロジェクトではSPA(Single Page Application)で作っており、APIが必要になりました。 参考:フロントエンドに関する記事はこちらです。 APIの作成は既存のシステムでも可能です
How modern browsers work
Note: For those eager to dive deep into how browsers work, an excellent resource is Browser Engineering by Pavel Panchekha and Chris Harrelson (available at browser.engineering). Please do check it out. This article is an overview of how browsers work. Web developers often treat the browser as a black box that magically transforms HTML, CSS, and JavaScript into interactive web applications. In tru
How we built the Grafbase local development experience in Rust
How we built the Grafbase local development experience in Rust Grafbase provides an edge-native GraphQL platform that combines multiple data-sources into a single API and includes a serverless database, search, edge caching, preview environments and much more. Around May 2022 we started working on a local development experience, written in Rust, to mirror this functionality locally and allow you t
この記事は、Scala Advent Calendar 2023の5日目の記事です。 qiita.com 大遅刻してしまいましたが、Scalaは遅延評価できるのでモーマンタイですね。 この記事では、Scalaをクラウドネイティブな環境で使う例の紹介として、ScalaをJavaScriptコードにトランスパイルしてAWS Lambdaで動作させる方法を紹介します。 愉快な遠足の始まりだ!!! Scalaプラットフォームの発展 Scalaはクラウドネイティブ時代に乗り遅れている?(いえいえ) 想定環境 Scala.jsで快適にLambda関数を書いてみよう 最低限のScala.jsを実装する 設定 トランスパイル Scala.jsコードをLambda関数の呼び出し規約に合わせる 規約を実装する Lambda関数を作成する イベントなどの入力 ここまでのまとめ Scala.jsでライブラリを利用
Weird Lexical Syntax
I just learned 42 programming languages this month to build a new syntax highlighter for llamafile. I feel like I'm up to my eyeballs in programming languages right now. Now that it's halloween, I thought I'd share some of the spookiest most surprising syntax I've seen. The languages I decided to support are Ada, Assembly, BASIC, C, C#, C++, COBOL, CSS, D, FORTH, FORTRAN, Go, Haskell, HTML, Java,
AST vs. Bytecode: Interpreters in the Age of Meta-Compilation
233 AST vs. Bytecode: Interpreters in the Age of Meta-Compilation OCTAVE LAROSE, University of Kent, UK SOPHIE KALEBA, University of Kent, UK HUMPHREY BURCHELL, University of Kent, UK STEFAN MARR, University of Kent, UK Thanks to partial evaluation and meta-tracing, it became practical to build language implementations that reach state-of-the-art peak performance by implementing only an interprete
Parsing SQL - Strumenta
The code for this tutorial is on GitHub: parsing-sql SQL is a language to handle data in a relational database. If you worked with data you have probably worked with SQL. In this article we will talk about parsing SQL. It is in the same league of HTML: maybe you never learned it formally but you kind of know how to use it. That is great because if you know SQL, you know how to handle data. However
KDL is a small, pleasant document language with XML-like node semantics that looks like you're invoking a bunch of CLI commands! It's meant to be used both as a serialization format and a configuration language, much like JSON, YAML, or XML. It looks like this: package { name my-pkg version "1.2.3" dependencies { // Nodes can have standalone values as well as // key/value pairs. lodash "^3.2.1" op
In this blog post we benchmark many Ruby versions and the latest Ruby Just-in-Time compilers (JITs) on the newest Ruby benchmark suite, yjit-bench. As a teaser, the geometric mean speedups compared to CRuby 3.1 on these 14 benchmarks are: MJIT 1.26x, YJIT 1.39x, JRuby 1.86x and TruffleRuby 6.23x. Read on to find more about the benchmarks and gain insights on these speedups. This blog post is also
A new JavaScript backend was merged into GHC on November 30th, 2022! This means that the next release of GHC will be able to emit code that runs in web browsers without requiring any extra tools, enabling Haskell for both front-end and back-end web applications. In this post, we, the GHC DevX team at IOG, describe the challenges we faced bringing GHCJS to GHC, how we overcame those challenges, and
The Grug Brained Developer
The Grug Brained Developer A layman's guide to thinking like the self-aware smol brained Introduction this collection of thoughts on software development gathered by grug brain developer grug brain developer not so smart, but grug brain developer program many long year and learn some things although mostly still confused grug brain developer try collect learns into small, easily digestible and fun
By Jun He, Natallia Dzenisenka, Praneeth Yenugutala, Yingyi Zhang, and Anjali Norwood TL;DRWe are thrilled to announce that the Maestro source code is now open to the public! Please visit the Maestro GitHub repository to get started. If you find it useful, please give us a star. What is MaestroMaestro is a horizontally scalable workflow orchestrator designed to manage large-scale Data/ML workflows
Update 1.86.2: The update addresses these issues. Update 1.86.1: The update addresses these issues. Downloads: Windows: x64 Arm64 | Mac: Universal Intel silicon | Linux: deb rpm tarball Arm snap Welcome to the January 2024 release of Visual Studio Code. There are many updates in this version that we hope you'll like, some of the key highlights include: Per-window zoom levels - Adjust the zoom leve
Introduction to Go 1.19 The latest Go release, version 1.19, arrives five months after Go 1.18. Most of its changes are in the implementation of the toolchain, runtime, and libraries. As always, the release maintains the Go 1 promise of compatibility. We expect almost all Go programs to continue to compile and run as before. Changes to the language There is only one small change to the language, a
Tier 4 Support § Support for these targets is entirely experimental. If this target is provided by LLVM, LLVM may have the target as an experimental target, which means that you need to use Zig-provided binaries for the target to be available, or build LLVM from source with special configure flags. zig targets will display the target if it is available. This target may be considered deprecated by
research!rsc: Floating-Point Printing and Parsing Can Be Simple And Fast (Floating Point Formatting, Part 3)
Introduction A floating point number f has the form f=m·2e where m is called the mantissa and e is a signed integer exponent. We like to read numbers scaled by powers of ten, not two, so computers need algorithms to convert binary floating-point to and from decimal text. My 2011 post “Floating Point to Decimal Conversion is Easy” argued that these conversions can be simple as long as you don’t car
Proto Best Practices
Clients and servers are never updated at exactly the same time - even when you try to update them at the same time. One or the other may get rolled back. Don’t assume that you can make a breaking change and it’ll be okay because the client and server are in sync. Don’t Re-use a Tag NumberNever re-use a tag number. It messes up deserialization. Even if you think no one is using the field, don’t re-
Introduction to Go 1.19 The latest Go release, version 1.19, arrives five months after Go 1.18. Most of its changes are in the implementation of the toolchain, runtime, and libraries. As always, the release maintains the Go 1 promise of compatibility. We expect almost all Go programs to continue to compile and run as before. Changes to the language There is only one small change to the language, a
How we built a VS Code extension with Rust, WebAssembly, and TypeScript
How we built a VS Code extension with Rust, WebAssembly, and TypeScript We build Oso, a batteries-included framework for building authorization in your application. At the core of Oso is Polar, a declarative language for writing authorization policies. While someday we’ll release a feature that lets a fully-sentient Oso write your authorization policy for you, in the interim we thought it would be
This isn’t another AI-generated blog post about generic security practices. It contains detailed instructions on protecting Node.js applications from supply-chain attacks and describes best practices for security in any programming language. According to the GitHub report, The state of open source and rise of AI in 2023, JavaScript and TypeScript are the #1 and #3 most popular languages hosted on
Why DuckDB
There are many database management systems (DBMS) out there. But there is no one-size-fits-all database system. All take different trade-offs to better adjust to specific use cases. DuckDB is no different. Here, we try to explain what goals DuckDB has and why and how we try to achieve those goals through technical means. To start with, DuckDB is a relational (table-oriented) DBMS that supports the
Introduction: These Aren’t the JSONs You’re Looking For JSON (JavaScript Object Notation) was designed as a simple, lightweight, and human-readable data interchange format, often positioned as a more accessible alternative to XML. It has become the de facto standard for web APIs and system integration. However, while the specification itself is straightforward, different programming languages and
From XML to JSON to CBOR - The CBOR, dCBOR, and Gordian Envelope Book
Press ← or → to navigate between chapters Press S or / to search in the book Press ? to show this help Press Esc to hide this help From XML to JSON to CBOR A Lingua Franca for Data? In modern computing, data exchange is foundational to everything from web browsing to microservices and IoT devices. The ability for different systems to represent, share, and interpret structured information drives ou
Developer Preview: Ruby SDK code generation using Smithy | Amazon Web Services
AWS Developer Tools Blog Developer Preview: Ruby SDK code generation using Smithy What is this? The AWS SDK For Ruby team is happy to announce the developer preview of smithy-ruby, a toolchain that can be used to code generate a “white label” Ruby SDK for your service API using Smithy modeling. An upcoming future version of the AWS SDK For Ruby will use Smithy code generation. What is Smithy? Smit
Update 1.64.1: The update addresses these security issues. Update 1.64.2: The update addresses these issues. Downloads: Windows: x64 Arm64 | Mac: Universal Intel silicon | Linux: deb rpm tarball Arm snap Welcome to the January 2022 release of Visual Studio Code. There are many updates in this version that we hope you will like, some of the key highlights include: New Side Panel - Display more view
Sketch of a Post-ORM
I’ve been writing a lot of database access code as of late. It’s frustrating that in 2023, my choices are still to either write all of the boilerplate by hand, or hand all database access over to some inscrutable “agile” ORM that will become a crippling liability in the 2-3y timescale. This post is about how I want to use databases, from the perspective of an application server developer—not a DBA
Parsing in GoLet’s examine how Go parses JSON, XML, and YAML. Go’s standard library provides JSON and XML parsers but not a YAML parser, for which there are several third-party alternatives. For our analysis, we’ll focus on: encoding/json version go1.24.1encoding/xml version go1.24.1yaml.v3 version 3.0.1 (the most popular third-party Go YAML library)We’ll use JSON in our following examples, but al
j次のブックマーク
k前のブックマーク
lあとで読む
eコメント一覧を開く
oページを開く
【2020年】CTF Web問題の攻撃手法まとめ - こんとろーるしーこんとろーるぶい
Hono + Deno で住所分割APIサーバーを2日で爆速実装する - inSmartBank
Databases in 2025: A Year in Review
AWS Lambda FunctionをScala.jsで書いて爆速Scalaを満喫しよう - Lambdaカクテル
The KDL Document Language
Benchmarking CRuby, MJIT, YJIT, JRuby and TruffleRuby
JavaScript backend merged into GHC | IOG Engineering
Maestro: Netflix’s Workflow Orchestrator
January 2024 (version 1.86)
Go 1.19 Release Notes - The Go Programming Language
0.10.0 Release Notes ⚡ The Zig Programming Language
Go 1.19 Release Notes - The Go Programming Language
Secure Node.js Applications from Supply Chain Attacks
JSON is not JSON Across Languages | Dochia CLI Blog
January 2022 (version 1.64)
Unexpected security footguns in Go's parsers