Skip to content

Instantly share code, notes, and snippets.

View 12joan's full-sized avatar

Joe Anderson 12joan

26 followers · 8 following
View GitHub Profile
@12joan
12joan / user-keys-considered-harmful.md
Created December 5, 2025 12:35
User-controlled Keys Considered Harmful - Two Important Takeaways from CVE-2025-55182

User-controlled Keys Considered Harmful

Two important takeaways from CVE-2025-55182

We now have a public POC for CVE-2025-55182, the React Server vulnerability that allows remote code execution on affected servers. The details of how the exploit works are fascinating, and they highlight a couple of important but obscure facts about JavaScript itself that all JS developers should be aware of so that we hopefully don't make the same mistakes in our own code.

1. Promises are overloaded

You may have heard that promises are not monads. This is because the then function is overloaded to act as both map and bind. For anyone without a functional programming background, here's a quick summary of what that means.

@12joan
12joan / Mitigating XSS in Slate.md
Last active October 1, 2024 11:24
A guide to mitigating XSS for link and embed components in Slate

Just a reminder for anyone using Slate:

⚠️ Your app's link and embed components are vulnerable to XSS unless you explicitly check the URL protocol in the component. Attackers can use this to hijack your users' accounts.

// ❌ Vulnerable code
return <iframe src={element.url} />

// ❌ Vulnerable code
return (
@12joan
12joan / fix-extension.rb
Created June 30, 2024 21:10
A Ruby script that uses the `file` command to add or change file extensions for a list of files
#!/usr/bin/ruby
require 'fileutils'
Entry = Struct.new(:path, :extension) do
def self.parse line
columns = line.chomp.split(/:\s*/)
return nil unless columns.length == 2
path, extensions = columns
return nil if extensions == '???'
extension = extensions.split('/').first
@12joan
12joan / pop-pixie-cla.md
Created September 10, 2023 18:31
Pop Pixie CLA

By contributing to Pop Pixie, you agree to the following:

  1. You retain the copyright to any discrete assets that you contribute. (This does not include changes to existing code files or assets.)
  2. You agree to license your contributions under the Creative Commons Attribution-NonCommercial 4.0 International License, credited as "Copyright © Anderbell Studios".
  3. For certain types of asset listed under Pop Pixie's LICENSE.md file (code, Unity files, etc.), you agree to license your contributions under the MIT License, credited as "Copyright © Anderbell Studios".
  4. For significant contributions, you may request for your name or a pseudonym to be added to the in-game credits.
@12joan
12joan / debian-boot-text.txt
Last active November 3, 2023 23:11
Debian boot text
/* The following text was produced by taking a screen recording of a Debian
* virtual machine during startup, processing select frames using OCR and
* merging the resulting texts together with some manual cleanup.
*
* Some lines from the original boot text may have been lost due to the
* framerate of the screen recording. An effort was made to correct errors
* introduced by OCR, but some errors remain. Forks to correct such errors are
* welcome.
*
* Text copyright belongs to various contributors to Debian and other included
@12joan
12joan / loops.rb
Created March 1, 2022 14:54
# Version 1: Using a loop counter to emulate a C-style for loop.
numbers = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12]
product = 1
i = 0
while i < numbers.size
product *= numbers[i]
i += 1
end
# Version 2: Avoiding the use of a loop counter using `each`.