jub0bs

@jub0bs@infosec.exchange

#infosec enthusiast • #golang dev & trainer • minor contributor to the Go project • minimalist • atheist • chaotic good • trying to make sense of the Web • he/him
Free Go course: https://github.com/jub0bs/go-course-beginner

Free 🇵🇸!

Website: https://jub0bs.com
Bluesky: https://bsky.app/profile/jub0bs.com
GitHub: https://github.com/jub0bs
X: https://x.com/login?redirect_after_login=https%3A%2F%2Fx.com%2Flogout%3Fredirect_after_logout%3Dhttps%253A%252F%252Fjub0bs.com

☝️Unpopular opinion: most Gophers should (re-)read @joshbloch's Effective Java book. Much (though not all) of the wisdom it contains is transferable to #golang.

Difficult to disagree with this post by Efron Licht: Gin, #golang's arguably most popular Web framework, is pretty bad and should be avoided at all costs. 🙅

https://eblog.fly.dev/ginbad.html


Your weekly reminder to migrate from rs/cors to jub0bs/cors. 😇

https://github.com/rs/cors/issues/198

With some CORS configurations, some handlers can introduce synchronisation bugs and cause data races · Issue #198 · rs/cors


Monotonic Collections: a middle ground between immutable and fully mutable

This post covers several topics around collections (sets, lists, maps/dictionaries, queues, etc) that I’d like to see someone explore more fully. To my knowledge, there are many alternative collection libraries for Java and for many other languages, but I’m not aware of any that provide support for monotonic collections. What is a monotonic collection, I hear you ask? Well, I’m about to answer that.

http://neilmadden.blog/2025/11/11/monotonic-collections-a-middle-ground-between-immutable-and-fully-mutable/


"A good API should be, not only easy to use, but also hard to misuse." (Josh Bloch)

https://github.com/rs/cors/issues/197

#golang #CORS

Productivity tip: don't have kids; don't have cats. 😬

The recording of "HTTP/1.1 must die: the desync endgame" has now landed on YouTube. Enjoy! https://www.youtube.com/watch?v=zr5y6Bapbnw&list=PLoX0sUafNGbEkK0ai5P_DB2HDnljRAJyZ&index=1

RomHack 2025 - James “albinowax” Kettle - HTTP/1.1 Must Die! The Desync Endgame


"Bonjour. Je suis Nicolas Sarkozy, et j'ai le grand plaisir de lire 'Le temps des oranges' pour Audible." 😂

CVE-2025-10630: REDoS in Zabbix plugin for Grafana dashboard (fixed in v6.0.2)

To anybody relying on some PCRE engine (such as github.com/dlclark/regexp2): either forbid users from submitting arbitrary patterns or enforce some reasonable timeout on matching.

#websecurity #golang

https://youtu.be/Z_mYyBYP4ZI

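An added example (not from the post above, nor from jub0bs or regexp2) of the second defence, a wall-clock budget around a backtracking matcher, using only the Go standard library. regexp2 already exposes a MatchTimeout field on its Regexp type, which is the better option when that engine is in use; the wrapper below shows the fallback for engines that lack one and why it is weaker. The Matcher type and the slow stand-in in main are hypothetical constructions for the demonstration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// ErrMatchTimeout is returned when the matcher does not finish within the budget.
var ErrMatchTimeout = errors.New("regex match exceeded time budget")

// ErrInputTooLong is returned when the input exceeds the configured cap.
var ErrInputTooLong = errors.New("input exceeds maximum length")

// Matcher is a hypothetical stand-in for a backtracking engine's match call.
type Matcher func(input string) bool

// BoundedMatcher wraps a Matcher with a time budget and an input-length cap.
type BoundedMatcher struct {
	Match    Matcher
	Timeout  time.Duration
	MaxInput int // 0 disables the length check
}

// MatchString runs the wrapped matcher and gives up after Timeout.
func (b BoundedMatcher) MatchString(input string) (bool, error) {
	if b.MaxInput > 0 && len(input) > b.MaxInput {
		return false, ErrInputTooLong
	}
	ctx, cancel := context.WithTimeout(context.Background(), b.Timeout)
	defer cancel()
	done := make(chan bool, 1) // buffered: the goroutine never blocks on send
	go func() { done <- b.Match(input) }()
	select {
	case ok := <-done:
		return ok, nil
	case <-ctx.Done():
		// Caveat: the goroutine keeps burning CPU until the engine returns on
		// its own; only an engine-level deadline (such as regexp2's
		// MatchTimeout) actually stops the backtracking. That is why the
		// input cap matters: it bounds how long that orphaned work can last.
		return false, ErrMatchTimeout
	}
}

func main() {
	// Constructed stand-in for a pathological pattern: pretends to backtrack.
	slow := func(string) bool { time.Sleep(2 * time.Second); return true }
	bm := BoundedMatcher{Match: slow, Timeout: 100 * time.Millisecond, MaxInput: 1024}
	_, err := bm.MatchString("aaaaaaaaaaaaaaaaaaaaaaaaaaaa!")
	fmt.Println(err) // regex match exceeded time budget
}
```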

🤦 #AIslop in action! Grafana's fix to CVE-2025-10630 in v6.0.0 of their Zabbix plugin happened to be way off base, but this AI tool fails to figure it out and happily lulls Grafana users into a false sense of security.

https://www.miggo.io/vulnerability-database/cve/CVE-2025-10630

CVE-2025-10630: Grafana-Zabbix ReDoS vulnerability | Miggo

Grafana is an open-source platform for monitoring and observability. Grafana-Zabbix is a plugin for Grafana allowing to visualize monitoring data from Zabbix and create dashboards for analyzing metrics and real-time monitoring. Versions 5.2.1 and below contained a ReDoS vulnerability via user-supplied regex query which could cause CPU usage to max out. This vulnerability is fixed in version 6.0.0.