jub0bs
@jub0bs.com
infosec enthusiast • Go dev & trainer • minor contributor to the Go project • minimalist • atheist • chaotic good • trying to make sense of the Web • he/him
Blog: https://jub0bs.com
Free Go course: https://github.com/jub0bs/go-course-beginner
Free 🇵🇸!
Pinned
jub0bs
@jub0bs.com
· Aug 30
Sponsor @jub0bs on GitHub Sponsors
infosec enthusiast • Go developer & trainer • minimalist • chaotic good • trying to make sense of the Web • he/him
github.com
⚡ I've been contributing micro-optimisations to Go's standard library in my spare time: github.com/golang/go/co...
💸 I don't intend to stop any time soon, but if you benefit from my work and would like to support it, consider sponsoring me on GitHub: github.com/sponsors/jub...
#golang #OpenSource
"A good API should be, not only easy to use, but also hard to misuse." (Josh Bloch)
github.com/rs/cors/issu...
#golang #CORS
Near-arbitrary origins can still be allowed with credentials · Issue #197 · rs/cors
Problem PR #56 implemented a restriction regarding the wildcard; middleware created as follows don't reflect arbitrary origins (good): cors.New(cors.Options{ AllowedOrigins: []string{"*"}, AllowCre...
github.com
November 9, 2025 at 12:11 PM
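As an added example (not rs/cors code, and not the issue's reproduction, which is truncated above), here is the shape of the problem the quote is about and the check a practitioner would want. A constructed middleware treats a trailing "*" in an allowed-origin pattern as "any suffix"; combined with credentials, a pattern such as "https://*" reflects every https origin. A stricter constructor refuses that combination at build time, and a probe can be pointed at any http.Handler to detect credentialed origin reflection. The pattern syntax, names and limits are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// looseCORS is a constructed middleware (not rs/cors). A trailing "*" in a
// pattern is treated as "any suffix", so "https://*" matches every https
// origin, and credentials are still granted: the easy-to-misuse design.
func looseCORS(patterns []string, credentials bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin == "" {
			next.ServeHTTP(w, r)
			return
		}
		for _, p := range patterns {
			prefix, wildcard := strings.CutSuffix(p, "*")
			if origin == p || (wildcard && strings.HasPrefix(origin, prefix)) {
				w.Header().Set("Access-Control-Allow-Origin", origin)
				if credentials {
					w.Header().Set("Access-Control-Allow-Credentials", "true")
				}
				break
			}
		}
		next.ServeHTTP(w, r)
	})
}

var errWildcardWithCredentials = errors.New("cors: wildcard origin cannot be combined with credentials")

// strictCORS is hard to misuse: with credentials enabled it accepts only an
// exact allowlist and rejects any pattern containing "*" when constructed.
func strictCORS(allowed []string, credentials bool, next http.Handler) (http.Handler, error) {
	set := make(map[string]struct{}, len(allowed))
	for _, a := range allowed {
		if credentials && strings.Contains(a, "*") {
			return nil, fmt.Errorf("%w: %q", errWildcardWithCredentials, a)
		}
		set[a] = struct{}{}
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Add("Vary", "Origin") // the response depends on the Origin header
		origin := r.Header.Get("Origin")
		if _, ok := set[origin]; ok && origin != "" {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			if credentials {
				w.Header().Set("Access-Control-Allow-Credentials", "true")
			}
		}
		next.ServeHTTP(w, r)
	}), nil
}

// ReflectsCredentialedOrigin sends one request carrying an Origin the deployer
// never intended to allow and reports whether the handler both echoes it back
// and allows credentials, i.e. whether a page on that origin could read
// authenticated responses. It works against any http.Handler.
func ReflectsCredentialedOrigin(h http.Handler, origin string) bool {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin") == origin &&
		rec.Header().Get("Access-Control-Allow-Credentials") == "true"
}

func main() {
	attacker := "https://attacker.example" // constructed origin
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })

	loose := looseCORS([]string{"https://*"}, true, ok)
	fmt.Println("loose reflects attacker origin with credentials:", ReflectsCredentialedOrigin(loose, attacker))

	if _, err := strictCORS([]string{"https://*"}, true, ok); err != nil {
		fmt.Println("strict refuses to build:", err)
	}
	strict, _ := strictCORS([]string{"https://app.example"}, true, ok)
	fmt.Println("strict reflects attacker origin with credentials:", ReflectsCredentialedOrigin(strict, attacker))
	fmt.Println("strict allows app.example:", ReflectsCredentialedOrigin(strict, "https://app.example"))
}
```

The probe is the part worth keeping around: run it against your real middleware with an origin you know is not on the allowlist, and treat a true result as a finding regardless of which library produced it.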
Productivity tip: don't have kids; don't have cats. 😬
November 4, 2025 at 10:52 AM
Reposted by jub0bs
🥳 Go 1.25.2 and 1.24.8 are released!
📢 Announcement: https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI/m/qZN5nc-mBgAJ
📦 Download: https://go.dev/dl/#go1.25.2
#golang
October 7, 2025 at 6:51 PM
"Hello. I'm Nicolas Sarkozy, and it is my great pleasure to read 'Le temps des oranges' for Audible." 😂
September 25, 2025 at 1:59 PM
CVE-2025-10630: ReDoS in Zabbix plugin for Grafana dashboard (fixed in v6.0.2)
To anybody relying on some PCRE engine (such as github.com/dlclark/regexp2): either forbid users to submit arbitrary patterns or enforce some reasonable timeout on matching.
#websecurity #golang
youtu.be/Z_mYyBYP4ZI
CVE-2025-10630: ReDoS in Zabbix plugin for Grafana dashboard (fixed in v6.0.2)
YouTube video by jub0bs
youtu.be
September 24, 2025 at 3:00 PM
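An added example, not taken from the video or from Grafana's code: the "forbid arbitrary patterns" half of the advice as it applies in Go. Go's standard regexp package is an RE2-style engine with a linear-time guarantee, so the textbook catastrophic-backtracking pattern cannot blow up on it; what remains is to bound pattern and subject sizes, and to notice that features RE2 deliberately omits (backreferences, lookaround) are rejected at compile time, which is usually the moment a project reaches for a PCRE engine. The limits and names are assumptions. If you really do need github.com/dlclark/regexp2, the corresponding control is its per-match timeout (the MatchTimeout field on its Regexp type); it is not used here so that the example runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Limits an endpoint accepting user-supplied patterns should enforce
// (values are assumptions for illustration).
const (
	maxPatternLen = 256
	maxSubjectLen = 1 << 16
)

var (
	errPatternTooLong = errors.New("pattern exceeds size limit")
	errSubjectTooLong = errors.New("subject exceeds size limit")
)

// MatchUserPattern compiles an untrusted pattern with Go's regexp package,
// whose RE2-derived engine runs in time linear in the subject for any pattern,
// so there is no catastrophic backtracking to time out. Size limits still
// matter: compile cost and memory scale with pattern size, and linear time on
// a huge subject is still time a single request can burn.
func MatchUserPattern(pattern, subject string) (bool, error) {
	if len(pattern) > maxPatternLen {
		return false, errPatternTooLong
	}
	if len(subject) > maxSubjectLen {
		return false, errSubjectTooLong
	}
	// Compile also rejects syntax RE2 cannot express, e.g. the backreference \1.
	re, err := regexp.Compile(pattern)
	if err != nil {
		return false, fmt.Errorf("invalid pattern: %w", err)
	}
	return re.MatchString(subject), nil
}

// TimeEvilPattern runs the classic ReDoS pattern ^(a+)+$ against a
// non-matching subject of n characters and returns the result and elapsed
// time. On a backtracking engine this is exponential in n; here it is linear.
func TimeEvilPattern(n int) (matched bool, elapsed time.Duration, err error) {
	subject := strings.Repeat("a", n) + "!" // constructed subject
	start := time.Now()
	matched, err = MatchUserPattern(`^(a+)+$`, subject)
	return matched, time.Since(start), err
}

func main() {
	for _, n := range []int{20, 30, 10000} {
		m, d, err := TimeEvilPattern(n)
		fmt.Printf("n=%d matched=%v elapsed=%v err=%v\n", n, m, d, err)
	}
	_, err := MatchUserPattern(`(a)\1`, "aa")
	fmt.Println("backreference rejected:", err)
}
```

The compile error on the backreference is the signal to watch for in code review: a switch from regexp to a backtracking engine to make such a pattern work is also the point where a matching timeout becomes mandatory.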
🤦 #AIslop in action! Grafana's fix to CVE-2025-10630 in v6.0.0 of their Zabbix plugin happened to be way off base, but this AI tool fails to figure it out and happily lulls Grafana users into a false sense of security. www.miggo.io/vulnerabilit...
CVE-2025-10630: Grafana-Zabbix ReDoS vulnerability | Miggo
Grafana is an open-source platform for monitoring and observability. Grafana-Zabbix is a plugin for Grafana allowing to visualize monitoring data from Zabbix and create dashboards for analyzing metric...
www.miggo.io
September 24, 2025 at 2:41 PM
💡 Judiciously ponder the design of a function that operates on user input and returns a slice or a map, lest it constitute a denial-of-service vector. If you're not careful, a single malicious request may cause a huge spike in allocations. cwe.mitre.org/data/definit...
#golang #websecurity
CWE-405: Asymmetric Resource Consumption (Amplification) (4.18)
Common Weakness Enumeration (CWE) is a list of software weaknesses.
cwe.mitre.org
September 23, 2025 at 1:36 PM
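An added example of the amplification the post describes (constructed code, not from the post or from CWE): a comma-separated header value of 100 KB is turned into 50,000 strings by the obvious implementation, each costing a 16-byte string header in the result slice plus the slice's growth along the way; a bounded variant refuses once a cap is exceeded, and an iterator-shaped variant lets the consumer stop after the few fields it actually needs. The header value, the cap and the function names are assumptions; the byte counts are measured with the runtime's own allocation counter.

```go
package main

import (
	"errors"
	"fmt"
	"runtime"
	"strings"
)

// Constructed input: a 100 KB comma-separated header value made of 50,000
// one-letter fields, the sort of thing a single request can carry.
var evilHeader = strings.Repeat("a,", 50_000)

// ParseListEager is the obvious implementation: it materialises every field.
// Each field costs a 16-byte string header in the result slice, so 2 bytes of
// input become at least 16 bytes of heap before append growth is counted.
func ParseListEager(header string) []string {
	var out []string
	for _, f := range strings.Split(header, ",") {
		if f = strings.TrimSpace(f); f != "" {
			out = append(out, f)
		}
	}
	return out
}

var ErrTooManyFields = errors.New("too many fields")

// ParseListBounded returns the same result but caps the number of fields and
// stops scanning (and allocating) as soon as the cap is exceeded.
func ParseListBounded(header string, maxFields int) ([]string, error) {
	var out []string
	for rest := header; rest != ""; {
		var f string
		f, rest, _ = strings.Cut(rest, ",")
		if f = strings.TrimSpace(f); f == "" {
			continue
		}
		if len(out) == maxFields {
			return nil, ErrTooManyFields
		}
		out = append(out, f)
	}
	return out, nil
}

// WalkList is the iterator-shaped alternative (the same signature as the body
// of an iter.Seq[string]): nothing is accumulated, and the consumer stops the
// walk by returning false, so the work done is bounded by what it needs.
func WalkList(header string, yield func(string) bool) {
	for rest := header; rest != ""; {
		var f string
		f, rest, _ = strings.Cut(rest, ",")
		if f = strings.TrimSpace(f); f != "" && !yield(f) {
			return
		}
	}
}

// BytesAllocated reports how many heap bytes f allocates, using the
// monotonically increasing TotalAlloc counter maintained by the runtime.
func BytesAllocated(f func()) uint64 {
	var before, after runtime.MemStats
	runtime.ReadMemStats(&before)
	f()
	runtime.ReadMemStats(&after)
	return after.TotalAlloc - before.TotalAlloc
}

func main() {
	var eager []string
	b := BytesAllocated(func() { eager = ParseListEager(evilHeader) })
	fmt.Printf("eager: %d fields from %d input bytes, %d bytes allocated (x%.1f)\n",
		len(eager), len(evilHeader), b, float64(b)/float64(len(evilHeader)))

	b = BytesAllocated(func() { _, _ = ParseListBounded(evilHeader, 64) })
	fmt.Printf("bounded: rejected after at most 64 fields, %d bytes allocated\n", b)

	n := 0
	WalkList(evilHeader, func(string) bool { n++; return n < 3 }) // the consumer only needs three
	fmt.Println("walk: stopped after", n, "fields")
}
```

The ratio printed for the eager version is the amplification factor CWE-405 is about; multiply it by the request body or header size your server accepts and by the number of concurrent requests one client can open, and you have the memory a single peer can make you allocate.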
Reposted by jub0bs
I did a talk at the UK GopherCon last month about what my team does, and I only let my laptop fall asleep twice! www.youtube.com/watch?v=oLtq...
Go Security – Past, Present, and Future - Roland Shoemaker
YouTube video by GopherCon UK
www.youtube.com
September 19, 2025 at 5:26 PM
Reposted by jub0bs
And now it looks like #GopherConUK started publishing videos!
September 18, 2025 at 12:02 PM
Reposted by jub0bs
My talk from #gopherconuk is up on YouTube!
My take on how map is implemented in Go, and what changed from Go 1.23 to 1.24 and 1.25.
youtu.be/M05t7Q6LbFs
* Talk contains no AI, but does contain pictures of cats.
Swiss Maps in Go - Bryan Boreham
YouTube video by GopherCon UK
youtu.be
September 18, 2025 at 1:13 PM
Reposted by jub0bs
The recording for my latest research has been released! If you prefer to listen rather than read, now is your chance.
P.S. It may be worth listening to it at a slower speed due to my tendency to talk at the speed of light...
The Single-Packet Shovel: Digging For Desync-Powered Request Tunnelling - Thomas Stacey
YouTube video by Bsides Exeter
www.youtube.com
September 11, 2025 at 3:19 PM
When the stars align, a one-character change can have a surprisingly significant impact on performance. 🤩
In this case, omitting a superfluous index in a slice expression was enough to make the enclosing function inlineable. ⚡
github.com/golang/go/pu...
#golang
path: make Base inlineable by jub0bs · Pull Request #75269 · golang/go
This change adds benchmarks for Base and simplifies it ever so slightly to the point of making it inlineable, thereby unlocking a nice speedup. Here are some benchmark results (no change to allocat...
github.com
September 4, 2025 at 9:14 PM
⚡ If you find yourself implementing an iterator on some recursive data structure, do check out the doc comment of golang.org/x/tools/gopls/internal/analysis/recursiveiter. Very useful performance tip by @adonovan.bsky.social! #golang
The Go Programming Language
golang.org
September 4, 2025 at 7:16 PM
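An added example (not the analyzer's own documentation or code) of the pitfall the recursiveiter analyzer targets, written without range-over-func so it builds on older toolchains. An iterator over a tree that recursively invokes its children's iterators forwards every value through one extra closure per level of depth: on a linked chain of n nodes a value at depth d is forwarded d+1 times, and a full walk costs O(n²) calls. Threading the consumer's yield function through a plain recursive helper makes it exactly one call per value. The tree, the hop counter and the names are assumptions added for illustration.

```go
package main

import "fmt"

// Node is a tree with integer payloads (constructed for the example).
type Node struct {
	Val      int
	Children []*Node
}

// Seq has the same shape as iter.Seq[int]; spelled out here so the example
// does not depend on Go 1.23's range-over-func.
type Seq func(yield func(int) bool)

// hops counts every invocation of a yield-style callback during a walk. It is
// instrumentation for this example, not something a real iterator carries.
var hops int

// AllNaive is the tempting recursive formulation: for each child it obtains
// the child's iterator and forwards each value through a fresh closure to the
// caller's yield. A value at depth d therefore passes through d+1 callbacks.
func (n *Node) AllNaive() Seq {
	return func(yield func(int) bool) {
		if !yield(n.Val) {
			return
		}
		for _, c := range n.Children {
			stopped := false
			c.AllNaive()(func(v int) bool {
				hops++
				if !yield(v) {
					stopped = true
					return false
				}
				return true
			})
			if stopped {
				return
			}
		}
	}
}

// All threads the consumer's yield through a plain recursive helper, so each
// value is delivered with exactly one callback regardless of its depth.
func (n *Node) All() Seq {
	return func(yield func(int) bool) { n.walk(yield) }
}

// walk reports false as soon as the consumer asks to stop.
func (n *Node) walk(yield func(int) bool) bool {
	if !yield(n.Val) {
		return false
	}
	for _, c := range n.Children {
		if !c.walk(yield) {
			return false
		}
	}
	return true
}

// Chain builds the worst case for the naive version: a linked list of n nodes
// valued 0..n-1, so depth grows with every node.
func Chain(n int) *Node {
	root := &Node{Val: 0}
	cur := root
	for i := 1; i < n; i++ {
		next := &Node{Val: i}
		cur.Children = []*Node{next}
		cur = next
	}
	return root
}

// Collect drains seq (stopping after limit values if limit > 0) and reports
// the values seen and how many callback hops the walk cost in total.
func Collect(seq Seq, limit int) (values []int, cost int) {
	hops = 0
	seq(func(v int) bool {
		hops++
		values = append(values, v)
		return limit <= 0 || len(values) < limit
	})
	return values, hops
}

func main() {
	root := Chain(100)
	_, naive := Collect(root.AllNaive(), 0)
	_, threaded := Collect(root.All(), 0)
	fmt.Printf("100-node chain: naive=%d hops, threaded=%d hops\n", naive, threaded)
	first, _ := Collect(root.All(), 3)
	fmt.Println("early stop:", first)
}
```

Both versions produce the same values and both honour early termination; the difference is purely in cost, which is why the analyzer rather than a test is what catches the naive form.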
Reposted by jub0bs
The GopherCon EU videos are online. I really enjoyed @misago.org’s about testing/synctest. But there were so many good talks, maybe watch them all?
youtu.be/oIC3zhTAOsY
#gopherconeu #golang
Testing Time (and other asynchronous code) - Damien Neil | GopherCon EU 2025
YouTube video by GopherCon Europe
youtu.be
September 1, 2025 at 2:49 PM
Reposted by jub0bs
Faster Go Maps With Swiss Tables - Michael Pratt | GopherCon EU 2025
YouTube video by GopherCon Europe
youtu.be
September 1, 2025 at 1:39 PM
⚡ I've been contributing micro-optimisations to Go's standard library in my spare time: github.com/golang/go/co...
💸 I don't intend to stop any time soon, but if you benefit from my work and would like to support it, consider sponsoring me on GitHub: github.com/sponsors/jub...
#golang #OpenSource
August 30, 2025 at 7:58 PM
Reposted by jub0bs
I discovered how to use CSS to steal attribute data without selectors and stylesheet imports! This means you can now exploit CSS injection via style attributes! Learn how below:
portswigger.net/research/inl...
August 26, 2025 at 12:54 PM
Reposted by jub0bs
I enabled sponsorships on GitHub for cspbypass.com.
The main goal is to cover hosting fees etc. So if you want to support my work, I would highly appreciate it if you could become a sponsor.
github.com/sponsors/ren...
Thanks!
CSP Bypass Search
A tool designed to help ethical hackers bypass restrictive Content Security Policies
cspbypass.com
August 24, 2025 at 5:41 PM
Reposted by jub0bs
new blog after who knows how long - a deep dive into how a bunch of web protections fit together and also an example of how you can mess that up so bad you find CSRF in a GraphQL API
notateamserver.xyz/blog/cors-xs...
Client-Side Alphabet Soup: SOP, CORS, CSRF, XSS, CSP
When James Kettle says HTTP/1.1 must die, he has a good reason. When I say HTTP must die, I just don't want to deal with it.
notateamserver.xyz
August 17, 2025 at 1:31 AM
We may still get a generified version of errors.As in #golang's standard library! 🤞
github.com/golang/go/is...
proposal: errors: As with type parameters · Issue #51945 · golang/go
Currently in 1.18 and before, when using the errors.As method, an error type you would like to write into must be predeclared before calling the function. For example: var myErr *MyCustomError if e...
github.com
August 21, 2025 at 10:36 AM
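An added example, not from the proposal thread (whose eventual API may differ): the predeclared-target shape that errors.As requires today, beside a generic wrapper built on top of it that returns the matched value directly. The error type, the wrapper's name and its signature are my own.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// NotFoundError is a constructed error type with a field callers want to read.
type NotFoundError struct{ Key string }

func (e *NotFoundError) Error() string { return "not found: " + e.Key }

// As is a generic wrapper over errors.As: it returns the first error in err's
// chain whose type is T, without the caller predeclaring a target variable.
// As with errors.As, T is the pointer type for pointer-receiver errors, or an
// interface type.
func As[T error](err error) (T, bool) {
	var target T
	ok := errors.As(err, &target)
	return target, ok
}

// lookup simulates a failing lookup whose original error is wrapped twice.
func lookup(key string) error {
	return fmt.Errorf("service: %w", fmt.Errorf("store: %w", &NotFoundError{Key: key}))
}

// KeyFromError is the current shape: declare the target, pass its address,
// then read it.
func KeyFromError(err error) (string, bool) {
	var nf *NotFoundError
	if errors.As(err, &nf) {
		return nf.Key, true
	}
	return "", false
}

// KeyFromErrorGeneric is the same check through the generic wrapper.
func KeyFromErrorGeneric(err error) (string, bool) {
	if nf, ok := As[*NotFoundError](err); ok {
		return nf.Key, true
	}
	return "", false
}

func main() {
	err := lookup("user:42")
	fmt.Println(KeyFromError(err))
	fmt.Println(KeyFromErrorGeneric(err))

	// Unrelated types are not matched; the chain is walked through Unwrap.
	_, ok := As[*os.PathError](err)
	fmt.Println("path error present:", ok)
}
```

The wrapper panics in the same situations errors.As does (a T that is neither an interface nor a pointer to a type implementing error), so the constraint documents rather than replaces that rule.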
Reposted by jub0bs
What's coming in Go 1.25
What's coming in Go 1.25 GopherCon UK, 2025 - Daniel Martí @mvdan.cc
docs.google.com
August 14, 2025 at 10:52 AM
I'm generally skeptical of tools labelled as "AI", but the podcasts that pi.dev can generate from changes to a repo are quite impressive. Here is an example: pi.dev/shows/github...
pi.dev: AI-generated podcasts for the repos you love
Paste the URL of any GitHub repository, and we will automatically generate a podcast using AI to keep you up to date with the latest changes!
pi.dev
August 13, 2025 at 4:35 AM