はじめに 対象イベント 読み方、使い方 Remote Code Execution(RCE) 親ディレクトリ指定によるopen_basedirのバイパス PHP-FPMのTCPソケット接続によるopen_basedirとdisable_functionsのバイパス JavaのRuntime.execでシェルを実行 Cross-Site Scripting(XSS) nginx環境でHTTPステータスコードが操作できる場合にCSPヘッダーを無効化 GoogleのClosureLibraryサニタイザーのXSS脆弱性 WebのProxy機能を介したService Workerの登録 括弧を使わないXSS /記号を使用せずに遷移先URLを指定 SOME(Same Origin Method Execution)を利用してdocument.writeを順次実行 SQL Injection MySQ
January 2016 boasted a Powerball jackpot of 1.5 billion dollars. This generated a lot of interest in the lottery and the Los Angeles Times released a simulator where you start with 100 dollars and play until that is gone. I had seen previous work for predicting Java’s Math.random() and thought it would be a fun project to replicate for the browser. The first step is to find the algorithm used in t
AI関連、競合は現れども、性能的にやはりOpenAI一強なのかなぁというところに現れたAnthropic Claude 3は、確かに明らかに性能がいい、GPT-4を凌駕している……!というわけで大いに気に入った(ついでに最近のOpenAIのムーブが気に入らない)ので、C#で使い倒していきたい!そこで、まずはSDKがないので非公式SDKを作りました。こないだまでプレビュー版を流していたのですが、今回v1.0.0として出します。ライブラリ名は、Claudeだから、Claudiaです!.NET全般で使えるのと、Unity(Runtime/Editor双方)でも動作確認をしているので、アイディア次第で色々活用できると思います。 GitHub - Cysharp/Claudia 今回のSDKを作るにあたっての設計指針の一番目は、公式のPython SDKやTypeScript SDKと限りなく似せる
Incident Metrics in SRE
Štěpán Davidovič Incident Metrics in SRE Critically Evaluating MTTR and Friends Boston Farnham Sebastopol Tokyo Beijing Boston Farnham Sebastopol Tokyo Beijing 978-1-098-10313-2 [LSI] Incident Metrics in SRE by Štěpán Davidovič Copyright © 2021 O’Reilly Media, Inc. All rights reserved. Printed in the United States of America. Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebas
こんにちは、MLデータ部データ基盤ブロックの奥山(@pokoyakazan)です。趣味の範疇ですが、「ぽこやかざん」という名前でラジオ投稿や大喜利の大会に出たり、「下町モルモット」というコンビで週末に漫才をしたりしています。私は普段、全社データ基盤の開発・運用を担当しており、このデータ基盤はGCPのBigQuery上に構築されています。そして、データ基盤内の各テーブルは、大きく分けて以下の2種類に分類されます。 システムDBのデータやログデータなどが、特に加工されることなく連携されている一次テーブル 一次テーブルから必要なデータを使いやすい形に集計したデータマート 本記事では、後者のデータマートを集計するジョブを制御するワークフローエンジンを、DigdagからCloud Composerに移行した事例について紹介します。Cloud Composerとは、GCPにてApache Airflo
TL;DR; We are changing std::sort in LLVM’s libcxx. That’s a long story of what it took us to get there and all possible consequences, bugs you might encounter with examples from open source. We provide some benchmarks, perspective, why we did this in the first place and what it cost us with exciting ideas from Hyrum’s Law to reinforcement learning. All changes went into open source and thus I can
Introduction Data preprocessing is a necessary step in any machine learning workflow, affecting both the model’s effectiveness and the ease of maintenance. While scikit-learn is commonly used for preprocessing due to its integration with the broader Python ecosystem, DuckDB offers a practical alternative by enabling SQL-based data transformations within Python. Its declarative syntax supports modu
4 Pandas Anti-Patterns to Avoid and How to Fix Them
pandas is a powerful data analysis library with a rich API that offers multiple ways to perform any given data manipulation task. Some of these approaches are better than others, and pandas users often learn suboptimal coding practices that become their default workflows. This post highlights four common pandas anti-patterns and outlines a complementary set of techniques that you should use instea
Gamedev in Lisp. Part 1: ECS and Metalinguistic Abstraction - cl-fast-ecs by Andrew
Gamedev in Lisp. Part 1: ECS and Metalinguistic Abstraction In this series of tutorials, we will delve into creating simple 2D games in Common Lisp. The result of the first part will be a development environment setup and a basic simulation displaying a 2D scene with a large number of physical objects. It is assumed that the reader is familiar with some high-level programming language, has a gener
Agents
Intelligent agents are considered by many to be the ultimate goal of AI. The classic book by Stuart Russell and Peter Norvig, Artificial Intelligence: A Modern Approach (Prentice Hall, 1995), defines the field of AI research as “the study and design of rational agents.” The unprecedented capabilities of foundation models have opened the door to agentic applications that were previously unimaginabl
Golang Mini Reference 2022: A Quick Guide to the Modern Go Programming Language (REVIEW COPY)
Golang Mini Reference 2022 A Quick Guide to the Modern Go Programming Language (REVIEW COPY) Harry Yoon Version 0.9.0, 2022-08-24 REVIEW COPY This is review copy, not to be shared or distributed to others. Please forward any feedback or comments to the author. • feedback@codingbookspress.com The book is tentatively scheduled to be published on September 14th, 2022. We hope that when the release da
AST vs. Bytecode: Interpreters in the Age of Meta-Compilation
233 AST vs. Bytecode: Interpreters in the Age of Meta-Compilation OCTAVE LAROSE, University of Kent, UK SOPHIE KALEBA, University of Kent, UK HUMPHREY BURCHELL, University of Kent, UK STEFAN MARR, University of Kent, UK Thanks to partial evaluation and meta-tracing, it became practical to build language implementations that reach state-of-the-art peak performance by implementing only an interprete
syntaxdesign
One of the most recognizable features of a languages is its syntax. What are some of the things about syntax that matter? What questions might you ask if you were creating a syntax for your own language? Motivation A programming language gives us a way structure our thoughts. Each program, has a kind of internal structure, for example: How can we capture this structure? One way is directly, via pi
Note: I received a lot of great feedback from the discussions at Mastodon and Hacker News, so I've updated the post with some improvements to the font! I've also added some further examples and acknowledgements at the end. Syntax Highlighting in Hand-Coded Websites The problem I have been trying to identify practical reasons why hand-coding websites with HTML and CSS is so hard (by hand-coding, I
The Ultimate Interactive JQ Guide Learn how to search, query, and modify JSON data with 25 interactive jq examples and explanations Cover Photo by Pixabay Has this ever happened to you? You’ve just received a massive JSON file that looks like it was designed to confuse you. Or maybe you entered a command, and you got so much JSON that it looks incomprehensible. Important: Level up your jq skills w
Agentic GraphRAG for Commercial Contracts | Towards Data Science
In every business, legal contracts are foundational documents that define the relationships, obligations, and responsibilities between parties. Whether it’s a partnership agreement, an NDA, or a supplier contract, these documents often contain critical information that drives decision-making, risk management, and compliance. However, navigating and extracting insights from these contracts can be a
The joy of building a ray tracer, for fun, in Rust. // flurries of latent creativity
TLDR? You can find the code and a bunch of examples on GitHub at dps/rust-raytracer. Over the holiday break, I decided to learn Rust. Rust is a modern systems programming language which has a really interesting type system. The type system can catch broad classes of common programming mistakes - e.g. ensuring memory is accessed safely - at compile time while generating tight, performant machine co
以下の記事が面白かったので、簡単にまとめました。 ・Introducing Structured Outputs in the API 1. Structured Outputs昨年のDevDayで、「JSONモード」を導入しました。これは、OpenAIのモデルを使用して信頼性の高いアプリを構築しようとしている開発者にとって便利な構成要素です。「JSONモード」は、有効なJSON出力を生成するためのモデルの信頼性を向上させますが、モデルの応答が特定のスキーマに準拠することを保証するものではありません。本日、APIに「Structured Outputs」を導入します。これは、モデルによって生成された出力が、開発者が提供するJSONスキーマと完全に一致するように設計された新機能です。 複雑なJSONスキーマのフォローの評価では、「Structured Outputs」を備えた新しいモデル「g
Tier 4 Support § Support for these targets is entirely experimental. If this target is provided by LLVM, LLVM may have the target as an experimental target, which means that you need to use Zig-provided binaries for the target to be available, or build LLVM from source with special configure flags. zig targets will display the target if it is available. This target may be considered deprecated by
This paper reflects work done in late 2022 and 2023 to audit for vulnerabilities in terminal emulators, with a focus on open source software. The results of this work were 10 CVEs against terminal emulators that could result in Remote Code Execution (RCE), in addition various other bugs and hardening opportunities were found. The exact context and severity of these vulnerabilities varied, but some
The Architecture of a Modern Startup | by Dmitry Kruglov | Nov, 2022 | Better Programming
workflow — all images by authorThe Tech side of startups can sometimes be very fluid and contain a lot of unknowns. What tech stack to use? Which components might be overkill for now but worth keeping an eye on in the future? How to balance the pace of business features development while keeping the quality bar high enough to have a maintainable codebase? Here I want to share our experience buildi
Tier 4 Support § Support for these targets is entirely experimental. If this target is provided by LLVM, LLVM may have the target as an experimental target, which means that you need to use Zig-provided binaries for the target to be available, or build LLVM from source with special configure flags. zig targets will display the target if it is available. This target may be considered deprecated by
This article was discussed on Hacker News. This is a continuation of my last post on how to write a tree-sitter grammar in an afternoon. Building on the grammar we wrote, now we’re going to write a linter for Imp, and it’s even easier! The final result clocks in less than 60 SLOC and can be found here. Recall that tree-sitter is an incremental parser generator. That is, you give it a description o
In 2006 Microsoft conducted a customer survey to find what new features users want in new versions of Microsoft Office. To their surprise, more than 90% of what users asked for already existed, they just didn't know about it. To address the "discoverability" issue, they came up with the "Ribbon UI" that we know from Microsoft Office products today. Office is not unique in this sense. Most of us ar
No Longer Just Theory: Black Lotus Labs Uncovers Linux Executables Deployed as Stealth Windows Loaders Executive Summary In April 2016, Microsoft shocked the PC world when it announced the Windows Subsystem for Linux (WSL). WSL is a supplemental feature that runs a Linux image in a near-native environment on Windows, allowing for functionality like command line tools from Linux without the over-he
Announcing DuckDB 1.3.0
To install the new version, please visit the installation guide. Note that it can take a few hours to days to release some client libraries (e.g., Go, R, Java) and extensions (e.g., the UI) due to the extra changes and review rounds required. We are proud to release DuckDB 1.3.0. This release of DuckDB is named “Ossivalis” after Bucephala Ossivalis, an ancestor of the Goldeneye duck that lived mil
I did this in 2020 and then again in 2021, but I’m in the mood to look around again. Let’s look through Are We GUI Yet? and see what’s up these days. The task today is to have a text label and an input field that can change the text in the label. In React, for example, this is basically free: const Demo = () => { let [state, setState] = useState("Hello, world!"); return ( <div> <p>{state}</p> <inp
Try Mastering Emacs for free! Are you struggling with the basics? Have you mastered movement and editing yet? When you have read Mastering Emacs you will understand Emacs. It’s that time again: there’s a new major version of Emacs and, with it, a treasure trove of new features and changes. Notable features include the formal inclusion of native compilation, a technique that will greatly speed up y
Node.js
Notable changes Add support for externally shared js builtins By default Node.js is built so that all dependencies are bundled into the Node.js binary itself. Some Node.js distributions prefer to manage dependencies externally. There are existing build options that allow dependencies with native code to be externalized. This commit adds additional options so that dependencies with JavaScript code
Or if the package is only meant to be run on Node.js and wants to fallback to CJS on older versions that don't have require(esm): { "type": "module", "exports": { // On new version of Node.js, both require() and import get the ESM version "module-sync": "./index.js", // On older version of Node.js, where "module-sync" and require(esm) are // not supported, use the CJS version to avoid dual-package
Renato Athaydes
Revenge of Lisp (Part 1⁄2) Background vector created by upklyak - www.freepik.com This may surprise you if you know me, but I’ve been learning Common Lisp for a few weeks now. It all started when I was reading, funnily enough, a blog post about another, much more hyped, language called Julia. The post was titled Julia and the reincarnation of Lisp, and in it the author lamented that despite his lo
A professional programmer delivers value through the authoring and maintaining of software that solves problems. (There are other important ways for professional programmers to deliver value but this post is about programming.) Programmers rely on various tools to author software. Arguably the most important and consequential choice of tool is the programming language. In this post, I will articul
2024-10-16, Version 23.0.0 (Current), @RafaelGSS We’re excited to announce the release of Node.js 23! Key highlights include: Enabling require(esm) by default for Node.js applications Removing support for Windows 32-bit systems Stabilizing the node --run command Enhancements to the test runner, including glob pattern support for coverage files Node.js 23 will replace Node.js 22 as the ‘Current’ re
As Elixir's Machine Learning (ML) ecosystem grows, many Elixir enthusiasts who wish to adopt the new machine learning libraries in their projects are stuck at a crossroads of wanting to move away from their existing ML stack (typically Python) while not having a clear path of how to do so. I would like to take some time to talk to WHY I believe now is a good time to start porting over Machine Lear
Noble Numbat Release Notes Table of Contents Introduction New features in 24.04 LTS Known Issues Official flavours More information Introduction These release notes for Ubuntu 24.04 LTS (Noble Numbat) provide an overview of the release and document the known issues with Ubuntu and its flavours. For details of the changes applied since 24.04, please see the 24.04.2 change summary. Support lifespan
Cognitive load is what matters
The logo image was taken from Reddit. It is a living document, last update: May 2025. Your contributions are welcome! Introduction There are so many buzzwords and best practices out there, but most of them have failed. We need something more fundamental, something that can't be wrong. Sometimes we feel confusion going through the code. Confusion costs time and money. Confusion is caused by high co
I find blockchain fascinating because it extends open source software development to open source + state. This seems to be a genuine/exciting innovation in computing paradigms; We don’t just get to share code, we get to share a running computer, and anyone anywhere can use it in an open and permissionless manner. The seeds of this revolution arguably began with Bitcoin, so I became curious to dril
The logo image was taken from Reddit. It is a living document, last update: May 2025. Your contributions are welcome! Introduction There are so many buzzwords and best practices out there, but most of them have failed. We need something more fundamental, something that can't be wrong. Sometimes we feel confusion going through the code. Confusion costs time and money. Confusion is caused by high co
Implement tcl in tcl
Maybe someone has already done this. But the question in my mind is how much of Tcl can be implimented in Tcl itself. Obviously you can't implement system calls in Tcl, but you could implement just about everthing else. What commands/parts of Tcl would be in the minimal set? Earl Johnson Minimal set"set" both scalar and array modes."eval" command"unknown" "string index" command"string length" comm
The Watermelon Operator
The Watermelon Operator Sep 24, 2024 In these two most excellent articles, https://without.boats/blog/let-futures-be-futures and https://without.boats/blog/futures-unordered, withoutboats introduces the concepts of “multi-task” and “intra-task” concurrency. I want to revisit this distinction — while I agree that there are different classes of patterns of concurrency here, I am not quite satisfied
j次のブックマーク
k前のブックマーク
lあとで読む
eコメント一覧を開く
oページを開く
【2020年】CTF Web問題の攻撃手法まとめ - こんとろーるしーこんとろーるぶい
Hacking the JavaScript Lottery
neue cc - Claudia - Anthropic ClaudeのC# SDKと現代的なC#によるウェブAPIクライアントの作り方
Cloud Composerにデータマート集計基盤を移行しました - ZOZO TECH BLOG
Changing std::sort at Google’s Scale and Beyond
Basic Feature Engineering with DuckDB
Font with Built-In Syntax Highlighting
The Ultimate Interactive JQ Guide
OpenAI API の Structured Outputs の使い方|npaka
0.8.0 Release Notes ⚡ The Zig Programming Language
"�[31m"?! ANSI Terminal security in 2023 and finding 10 CVEs
0.10.0 Release Notes ⚡ The Zig Programming Language
How to write a linter using tree-sitter in an hour
Lesser Known PostgreSQL Features
Linux Executables Deployed as Stealth Windows Loaders
A 2025 Survey of Rust GUI Libraries
What's New in Emacs 28.1?
Node.js — Node.js v22.10.0 (Current)
Gregory Szorc's Digital Home | Rust is for Professionals
Node.js — Node.js v23.0.0 (Current)
From Python to Elixir Machine Learning
Ubuntu 24.04 LTS (Noble Numbat) Release Notes
A from-scratch tour of Bitcoin in Python
Cognitive load is what matters