jQuery: Always use dataType for $.ajax

February 4, 2024

I recently investigated an XSS vulnerability reported via Bugcrowd. I could reproduce the issue; I just didn’t understand it. The vulnerability looked like this:

  1. Attacker uploads a JavaScript file onto Confluence as an attachment.

  2. Manipulate a Confluence macro via REST API to have invalid parameters.

  3. Now, when the macro is edited/used, the code in the uploaded JavaScript is executed.

  4. The code snippet looked something like this:

// AJS is the Atlassian JavaScript library entry point. AJS.$ refers to the included jQuery library
AJS.$.ajax({
    url: 'url-manipulated-by-attacker-to-downloads-the-attachment-file',
    type: 'GET',
    success: function (response) {
        // some basic processing
    }
})

One Billion Row Challenge: Learned So Far

January 12, 2024

Last Update 2024-02-04, see below

I participate in the One Billion Row Challenge by Gunnar Morling: Parse one billion rows of CSV, in plain Java, and be fast at it. It is a friendly competition and learning experience.

I had three goals:

Figure 1. Run Duke, Run!

Copy, Paste and Edit Java to C# after 20 years

December 2, 2023

This post is part of C# Advent Calendar 2023. Visit it for all the awesome upcoming posts!

C# and .NET have an awesome ecosystem, with tons of libraries and code snippets out there.

But sometimes you get that rare snippet of code in another language. In this blog post, we copy, paste, and edit some example snippets from Java to C#. When C# started back in 2001, Java and C# were similar languages. But in the last 20 years, C# has quickly evolved in its unique way. So, let’s see if that similarity still helps you:

Figure 1. Old Pals

Java: Native Memory Handling is Getting Easier

May 15, 2023

JDK 19, 20 and 21 have a new preview API called the 'Foreign Function & Memory API' that makes interacting with native memory and native libraries way easier. Before, you had to use JNI, JNA or JNR to interact with native libraries.

Further, interacting with 'native' memory was clunky. You either used ByteBuffers, which have a clunky, dated API, a maximum addressable size of 2 GByte, and 'freeing' that relies on the GC unless you do ugly reflection hacks. Or you went down the Unsafe route.

Anyway, if your project allows, I would heavily recommend the new APIs. If it is a project you deploy in your backend, you can control the JDK. If it is a new library, I would still consider starting with the new APIs, so that the library can be kick-ass by the time it is mature.

Figure 1. Memory Hunger

Mysterious Hanging Java Process

April 15, 2023

I recently had a Java (Bamboo Dev Instance) app just hanging when it started up. Since it was a dev setup, which sometimes has other issues, I did the usual things, like:

  • Turn it on and off again, aka restart it.

  • Clean up the working directory, like a mvn clean, make clean or whatever.

  • Check out a stable branch.

  • Run against different sets of dependency versions.

The app kept on being stuck. So, I was forced to debug it =).

Figure 1. Hanging Process