Search results for "python parse json into object": 1 - 40 of 81

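  • [2020] Summary of Attack Techniques in CTF Web Challenges - こんとろーるしーこんとろーるぶい

    Introduction; Target events; How to read and use this article; Remote Code Execution (RCE); Bypassing open_basedir by specifying a parent directory; Bypassing open_basedir and disable_functions via a TCP socket connection to PHP-FPM; Running a shell with Java's Runtime.exec; Cross-Site Scripting (XSS); Disabling the CSP header when the HTTP status code can be controlled in an nginx environment; XSS vulnerability in Google's Closure Library sanitizer; Registering a Service Worker through a web proxy feature; XSS without parentheses; Specifying the destination URL without using the / character; Executing document.write sequentially using SOME (Same Origin Method Execution); SQL Injection; MySQ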

    • Why, after 6 years, I’m over GraphQL

      GraphQL is an incredible piece of technology that has captured a lot of mindshare since I first started slinging it in production in 2018. You won’t have to look far back on this (rather inactive) blog to see I have previously championed this technology. After building many a React SPA on top of a hodge podge of untyped JSON REST APIs, I found GraphQL a breath of fresh air. I was truly a GraphQL h

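      • Reading the Ruby 3.1 NEWS with the Pros - Cookpad Developer Blog

        We are Sasada (ko1) and Endo (mame) from the Technology Department. We develop Ruby (MRI: Matz Ruby Implementation, i.e. the ruby command) at Cookpad. We get paid to develop Ruby, so we are professional Ruby committers. Today, 12/25, Ruby 3.1.0 was finally released (Ruby 3.1.0 Released). This year, too, we will walk through the Ruby 3.1 NEWS.md file. For what a NEWS file is, see our earlier articles. Reading the Ruby 2.6 NEWS File with the Pros - Cookpad Developer Blog Reading the Ruby 2.7 NEWS with the Pros - Cookpad Developer Blog Reading the Ruby 3.0 NEWS with the Pros - Cookpad Developer Blog While this article certainly explains the new features, the background behind the changes and the struggles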

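        • Introducing tomllib, the Standard Package Added in Python 3.11 | IIJ Engineers Blog

          Joined the company as a new graduate in 2018 and was in charge of infrastructure management at the SOC. Subsequently worked on malware analysis and verification tasks. Since fiscal 2022, has concurrently served on the internal SRE team. Main certifications held include CISSP, OSCP, GREM, GXPN, RISS, CKA and CKS. Enjoys reading binaries; favorite instruction is x86's 0x90 (the NOP instruction). Introduction I do reverse engineering such as malware analysis for work, and I sometimes build my own tools to make that work more efficient. What file format do you use for the configuration files of your own tools? These days my impression is that YAML, used by Kubernetes, Ansible and the like, and JSON, frequently used in the front-end world, are the most common. Against that backdrop, this time I will introduce a file format called TOML. Used in the package management files of the Rust programming language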

          • Introducing Amazon S3 Vectors: First cloud storage with native vector support at scale (preview) | Amazon Web Services

            AWS News Blog Introducing Amazon S3 Vectors: First cloud storage with native vector support at scale (preview) Today, we’re announcing the preview of Amazon S3 Vectors, a purpose-built durable vector storage solution that can reduce the total cost of uploading, storing, and querying vectors by up to 90 percent. Amazon S3 Vectors is the first cloud object store with native support to store large ve

            • REST API Design Best Practices Handbook – How to Build a REST API with JavaScript, Node.js, and Express.js

              By Jean-Marc Möckel I've created and consumed many API's over the past few years. During that time, I've come across good and bad practices and have experienced nasty situations when consuming and building API's. But there also have been great moments. There are helpful articles online which present many best practices, but many of them lack some practicality in my opinion. Knowing the theory with

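              • Reading the Ruby 3.4 NEWS with the Pros - STORES Product Blog

                Reading the Ruby 3.4 NEWS with the Pros We are Sasada (ko1) and Endo (mame) from the Technology Infrastructure Group of the Technology Division. We develop Ruby (MRI: Matz Ruby Implementation, i.e. the ruby command). We get paid to develop Ruby, so we are professional Ruby committers. Today, 12/25, Ruby 3.4.0 was released as the customary Christmas release (Ruby 3.4.0 Released). This year, too, we will walk through the Ruby 3.4 NEWS.md file, on the STORES Product Blog (incidentally, this is an article for the STORES Advent Calendar 2024. Please read the others too). For what a NEWS file is, see our earlier articles. Reading the Ruby 2.6 NEWS File with the Pros - Cookpad Developer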

                • The Prompt Engineering Playbook for Programmers

                  Developers are increasingly relying on AI coding assistants to accelerate our daily workflows. These tools can autocomplete functions, suggest bug fixes, and even generate entire modules or MVPs. Yet, as many of us have learned, the quality of the AI’s output depends largely on the quality of the prompt you provide. In other words, prompt engineering has become an essential skill. A poorly phrased

                  • OOP: the worst thing that happened to programming

                    OOP: the worst thing that happened to programming [2/24/2025] In this article, we will try to understand why OOP is the worst thing that happened to prog

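                    • How to Use OpenAI's Realtime API|npaka

                      I found the following article interesting, so here is a brief summary. ・Realtime API 1. Realtime API The "Realtime API" is an API for building low-latency multimodal conversational experiences. Currently, text and audio are supported for both input and output, and Function Calling can also be used. Its features are as follows. ・Native speech synthesis: produces low-latency, nuanced output ・Natural, steerable voices: have natural intonation and can laugh, whisper, and follow tone instructions ・Simultaneous multimodal output: text is useful for moderation, and audio ensures stable playback 2. Quickstart The "Realtime API" is a stateful, event-based API that communicates over "WebSocket". A demo app that showcases its features, "openai-real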

                      • Your URL Is Your State

                        Couple of weeks ago when I was publishing The Hidden Cost of URL Design I needed to add SQL syntax highlighting. I headed to PrismJS website trying to remember if it should be added as a plugin or what. I was overwhelmed with the amount of options in the download page so I headed back to my code. I checked the file for PrismJS and at the top of the file, I found a comment containing a URL: /* http

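                        • Functional Domain-Driven Design You Can Also Learn with Rust - Book Report on Domain Modeling Made Functional - じゃあ、おうちで学べる

                          Introduction Why reread, in 2026, a book published in 2018? To be honest, it is because DDD concepts came up constantly in my translation work on "Architecture Modernization", and I could no longer translate with an understanding that only felt like understanding. Seven years since my first reading. This time I wanted to truly internalize this book, which explains DDD from a functional perspective. Motivation for reading "Domain Modeling Made Functional" is a book that explains an approach combining DDD and functional programming. Domain Modeling Made Functional: Tackle Software Complexity with Domain-Driven Design and F# (English Edition) Author: Wlaschin, Scott Pragmatic Bookshelf Amazon The author's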

                          • Ruby Concurrency: What Actually Happens

                            Since I wrote about async Ruby and patched Solid Queue to support fibers, people keep asking the same questions. What happens when a fiber blocks? Don’t you still need threads? What about database transactions? What about Ractors? This post answers all of it. From the ground up. The four primitives Ruby gives you four concurrency primitives: processes, threads, fibers, and Ractors. They nest. Ever

                            • What We Learned from a Year of Building with LLMs (Part I)

                              It’s an exciting time to build with large language models (LLMs). Over the past year, LLMs have become “good enough” for real-world applications. The pace of improvements in LLMs, coupled with a parade of demos on social media, will fuel an estimated $200B investment in AI by 2025. LLMs are also broadly accessible, allowing everyone, not just ML engineers and scientists, to build intelligence into

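                              • The Can Crusher and Software Migration Techniques - Book Report on Refactoring to Rust - じゃあ、おうちで学べる

                                Introduction: or, the gap between "knowing" and "understanding" I knew about Rust. I had studied it. I was using it at work. But I only thought I knew it. 知ってるつもり 無知の科学 (Hayakawa Bunko NF) Authors: Steven Sloman, Philip Fernbach Hayakawa Publishing Amazon I develop in Rust every day, choosing among Box, Rc and Arc, spawning tasks with tokio::spawn, and writing the ? operator as a matter of course. FFI? Just use PyO3. WebAssembly? There's wasm-bindgen. Technically, I was certainly at the level of being "able to use" it. But somewhere in my heart I felt something was off. A person who can disassemble a motorcycle engine is different from a person who understands the principles by which the engine runs. Code that works is also different from understanding why it should be written that way. I was the former. I was a mechanic, to be sure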

                                • Announcing TypeScript 4.8 - TypeScript

                                  Today we’re excited to announce the release of TypeScript 4.8! If you’re not yet familiar with TypeScript, it’s a language that builds on JavaScript and adds syntax for types. These types let you put your expectations and assumptions into your code, and those assumptions can then be checked by the TypeScript type-checker. This checking can help avoid typos, calling uninitialized values, mixing up

                                  • Node.js — Node.js 20.6.0 (Current)

                                    Notable changes built-in .env file support Starting from Node.js 20.6.0, Node.js supports .env files for configuring environment variables. Your configuration file should follow the INI file format, with each line containing a key-value pair for an environment variable. To initialize your Node.js application with predefined configurations, use the following CLI command: node --env-file=config.env

                                    • krish's blog • Parsing JSON in 500 lines of Rust

                                      Last semester at university, I took a course called "Syntax-Based Tools and Compilers". It focused on building a scanner, parser, compiler, and so on for a language called PL0. We used Python in the course, but I was really interested in learning Rust at the time. So, I decided to embark on a side project (yes, another one!). This time, I wanted to build a JSON parser in Rust. My goal was to test

                                      • May 2025 (version 1.101)

                                        Version 1.108 is now available! Read about the new features and fixes from December. Release date: June 12, 2025 Security update: The following extension has security updates: ms-python.python. Update 1.101.1: The update addresses these issues. Update 1.101.2: The update addresses these issues. Downloads: Windows: x64 Arm64 | Mac: Universal Intel silicon | Linux: deb rpm tarball Arm snap Welcome t

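                                        • Let's Build an Agent That Supports Agent Skills|はち

                                          1. Introduction At the end of 2025, Anthropic made a feature called Agent Skills an open standard, and I think it has been a frequent topic on X and elsewhere. As with MCP, I am impressed by how good Anthropic is at this kind of standardization. I think there has been a lot of discussion, but as someone who develops agents, I see the following two benefits of Agent Skills. Reusability: a Skill created once is easy to use in other agents. Progressive disclosure: the agent can load a Skill's details and scripts only when that Skill is needed. (This leads to prompt compression.) Perhaps because, for Anthropic, the open standardization is ultimately about expanding what Claude Code and the Claude API can do, self-built Agent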

                                          • Why I use attrs instead of pydantic

                                            This post is an account of why I prefer using the attrs library over Pydantic. I'm writing it since I am often asked this question and I want to have something concrete to link to. This is not meant to be an objective comparison of attrs and Pydantic; I'm not interested in comparing bullet points of features, nor can I be unbiased since I'm a major contributor to attrs (at time of writing, second

                                            • The joy of building a ray tracer, for fun, in Rust. // flurries of latent creativity

                                              TLDR? You can find the code and a bunch of examples on GitHub at dps/rust-raytracer. Over the holiday break, I decided to learn Rust. Rust is a modern systems programming language which has a really interesting type system. The type system can catch broad classes of common programming mistakes - e.g. ensuring memory is accessed safely - at compile time while generating tight, performant machine co

                                              • Building a recommendation engine inside Postgres with Python and Pandas | Crunchy Data Blog

                                                Building a recommendation engine inside Postgres with Python and Pandas I'm a big fan of data in general. Data can tell you a lot about what users are doing and can help you gain all sorts of insights. One such aspect is in making recommendations based on past history or others that have made similar choices. In fact, years ago I wrote a small app to see if I could recommend wines based on how oth

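                                                • How to Use Structured Outputs in the OpenAI API|npaka

                                                  I found the following article interesting, so here is a brief summary. ・Introducing Structured Outputs in the API 1. Structured Outputs At last year's DevDay, we introduced "JSON mode". It is a useful building block for developers looking to build reliable apps with OpenAI's models. "JSON mode" improves the model's reliability in generating valid JSON output, but it does not guarantee that the model's response will conform to a particular schema. Today, we are introducing "Structured Outputs" in the API. This is a new feature designed so that the output generated by the model exactly matches the JSON schema provided by the developer. In evaluations of complex JSON schema following, the new model with "Structured Outputs", "g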

                                                  • 0.8.0 Release Notes ⚡ The Zig Programming Language

                                                    Tier 4 Support § Support for these targets is entirely experimental. If this target is provided by LLVM, LLVM may have the target as an experimental target, which means that you need to use Zig-provided binaries for the target to be available, or build LLVM from source with special configure flags. zig targets will display the target if it is available. This target may be considered deprecated by

                                                    • Node.js — Node.js 21.0.0 (Current)

                                                      2023-10-17, Version 21.0.0 (Current), @RafaelGSS and @targos We're excited to announce the release of Node.js 21! Highlights include updates of the V8 JavaScript engine to 11.8, stable fetch and WebStreams, a new experimental flag to change the interpretation of ambiguous code from CommonJS to ES modules (--experimental-default-type), many updates to our test runner, and more! Node.js 21 will repl

                                                      • Announcing TypeScript 4.8 RC - TypeScript

                                                        Today we’re excited to announce our Release Candidate (RC) of TypeScript 4.8. Between now and the stable release of TypeScript 4.8, we expect no further changes apart from critical bug fixes. To get started using the RC, you can get it through NuGet, or use npm with the following command: npm install -D typescript@rc You can also get editor support by Downloading for Visual Studio 2022/2019 Follow

                                                        • PowerShell: the object-oriented shell you didn’t know you needed | Chris Warrick

                                                          PowerShell is an interactive shell and scripting language from Microsoft. It’s object-oriented — and that’s not just a buzzword, that’s a big difference to how the standard Unix shells work. And it is actually usable as an interactive shell. Getting Started PowerShell is so nice, Microsoft made it twice. Specifically, there concurrently exist two products named PowerShell: Windows PowerShell (5.1)

                                                          • 0.10.0 Release Notes ⚡ The Zig Programming Language

                                                            Tier 4 Support § Support for these targets is entirely experimental. If this target is provided by LLVM, LLVM may have the target as an experimental target, which means that you need to use Zig-provided binaries for the target to be available, or build LLVM from source with special configure flags. zig targets will display the target if it is available. This target may be considered deprecated by

                                                            • How to write a linter using tree-sitter in an hour

                                                              This article was discussed on Hacker News. This is a continuation of my last post on how to write a tree-sitter grammar in an afternoon. Building on the grammar we wrote, now we’re going to write a linter for Imp, and it’s even easier! The final result clocks in less than 60 SLOC and can be found here. Recall that tree-sitter is an incremental parser generator. That is, you give it a description o

                                                              • Blogged Answers: My Experience Modernizing Packages to ESM

                                                                Random musings on React, Redux, and more, by Redux maintainer Mark "acemarke" Erikson This is a post in the Blogged Answers series. Details on the painful experiences and hard-earned lessons I've learned migrating the Redux packages to ESM Table of Contents 🔗︎ Introduction Redux Packages Background Packages and Configurations Issue History Early Attempts Migrating to Vitest Initial Alpha Testing

                                                                • Shai Hulud Strikes Again (v2) - Socket

                                                                  Shai Hulud Strikes Again (v2)Another wave of Shai-Hulud campaign has hit npm with more than 500 packages and 700+ versions affected. Update: November 26, 2025 PostHog has published a detailed post mortem describing how one of its GitHub Actions workflows was abused as an initial access vector for Shai Hulud v2. An attacker briefly opened a pull request that modified a script executed via pull_requ

                                                                  • What’s The Deal With Ractors?

                                                                    I want to write a post about Pitchfork, explaining where it comes from, why it is like it is, and how I see its future. But before I can get to that, I think I need to share my mental model on a few things, in this case, Ractors. When Ractors were announced 4 or 5 years ago, many people expected we’d quickly see a Ractor-based web server, some sort of Puma but with Ractors instead of threads. Yet

                                                                    • Lesser Known PostgreSQL Features

                                                                      In 2006 Microsoft conducted a customer survey to find what new features users want in new versions of Microsoft Office. To their surprise, more than 90% of what users asked for already existed, they just didn't know about it. To address the "discoverability" issue, they came up with the "Ribbon UI" that we know from Microsoft Office products today. Office is not unique in this sense. Most of us ar

                                                                      • Migrating from Go to Rust | corrode Rust Consulting

                                                                        Out of all the migrations I help teams with, Go to Rust is a bit of an outlier. It’s not a question of “is Rust faster?” or “does Rust have types?”, Go already gets you most of the way there. The discussion is mostly about correctness guarantees, runtime tradeoffs, and developer ergonomics. A quick disclaimer before we start: this guide is heavily backend-focused. Backend services are where Go is

                                                                        • Frozen String Literals: Past, Present, Future?

                                                                          If you are a Rubyist, you’ve likely been writing # frozen_string_literal: true at the top of most of your Ruby source code files, or at the very least, that you’ve seen it in some other projects. Based on informal discussions at conferences and online, it seems that what this magic comment really is about is not always well understood, so I figured it would be worth talking about why it’s there, w

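                                                                          • How to Preserve Last-Modified Timestamps When Restoring Amazon S3 Objects with AWS Backup | Amazon Web Services

                                                                            Amazon Web Services Blog How to Preserve Last-Modified Timestamps When Restoring Amazon S3 Objects with AWS Backup This blog post is a Japanese translation of content written on April 12, 2023 by Luca Licheri (Senior Technical Account Manager) and Sergio Simone (Solutions Architect). See here for the original. Typically, customers in heavily regulated industries follow rules that require them to maintain data integrity and keep data available throughout its lifetime. To meet integrity requirements, data must be restorable together with any associated audit trail and metadata such as object creation date and time, last-modified date and time, and tags. Captured with AWS Backup, Ama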

                                                                            • Monitoring is a Pain

                                                                              And we're all doing it wrong (including me) I have a confession. Despite having been hired multiple times in part due to my experience with monitoring platforms, I have come to hate monitoring. Monitoring and observability tools commit the cardinal sin of tricking people into thinking this is an easy problem. It is very simple to monitor a small application or service. Almost none of those approac

                                                                              • ChatGPT Containers can now run bash, pip/npm install packages, and download files

                                                                                ChatGPT Containers can now run bash, pip/npm install packages, and download files 26th January 2026 One of my favourite features of ChatGPT is its ability to write and execute code in a container. This feature launched as ChatGPT Code Interpreter nearly three years ago, was half-heartedly rebranded to “Advance

                                                                                • prompts.chat - AI Prompts Community

                                                                                  --- name: skill-creator description: Guide for creating effective skills. This skill should be used when users want to create a new skill (or update an existing skill) that extends Claude's capabilities with specialized knowledge, workflows, or tool integrations. license: Complete terms in LICENSE.txt --- # Skill Creator This skill provides guidance for creating effective skills. ## About Skills S
