#infosec enthusiast • #golang dev & trainer • contributor to the Go project • minimalist • chaotic good • trying to make sense of the Web • he/him
Free Go course: https://github.com/jub0bs/go-course-beginner

Free 🇵🇸! Leave 🇱🇧 alone!

Website: https://jub0bs.com
Bluesky: https://bsky.app/profile/jub0bs.com
GitHub: https://github.com/jub0bs
X: https://x.com/login?redirect_after_login=https%3A%2F%2Fx.com%2Flogout%3Fredirect_after_logout%3Dhttps%253A%252F%252Fjub0bs.com

🎉 I've just released v0.11.0 of jub0bs/cors, my CORS middleware library for #golang!

Barring any surprises, this will be the last minor release before v1.

https://github.com/jub0bs/cors

💣 This release brings a couple of simplifying but potentially breaking changes. None of them is very likely to affect you.
😇 The library's API is now simpler.
⚡ Middleware execution during preflight is now faster and incurs fewer heap allocations.

💸 As always, sponsors are welcome!

https://pkg.go.dev/github.com/jub0bs/cors#pkg-index
https://github.com/jub0bs/cors/blob/v0.11.0/CHANGELOG.md
https://github.com/jub0bs/cors-benchmarks/blob/main/README.md#results
https://github.com/sponsors/jub0bs

💡 Did you know that you can craft URLs that bypass X/Twitter's URL shortener (t[.]co) and domain deny list?

For instance, try sharing https://x.com/login?redirect_after_login=https%3A%2F%2Fx.com%2Flogout%3Fredirect_after_logout%3Dhttps%253A%252F%252Fddosecrets%2525E3%252580%252582com in a tweet and clicking the link; you will ultimately be redirected to https://ddosecrets.com (which is banned by X) without ever traversing t[.]co!

This is the kind of stuff that "optics" conjures up in my mind when I chance upon it in a news article. Nothing else. 🤷

Initialising a #CORS middleware has been steadily getting faster and less memory-hungry in recent versions of github.com/jub0bs/cors, as shown by this chart (lower is better). 😇 #golang

#golang's logo may strike you as uninspired and unremarkable. I'm guessing that the manga-style speed lines are meant to convey that the language is intended for "programming at scale". Right?

The vast majority of TV journalists in France...

It turns out that rs/cors (Go's most popular CORS middleware library) allocates a lot of memory in response to some malicious unauthenticated requests.

This behaviour could be abused to crash servers that run on limited memory, thereby causing a denial of service.

No such problem in my own library: https://github.com/jub0bs/cors 😇

Issue: https://github.com/rs/cors/issues/170
PR (not merged yet): https://github.com/rs/cors/pull/171

Unfortunately, I made a mistake while writing benchmarks for jub0bs/fcors. A mistake that ultimately fooled me into thinking that invocations of the CORS middleware it provides (almost) never incur heap allocations... but they do. Not a prohibitive amount, but still. 😞

I was reusing the same http.ResponseRecorder across iterations of the benchmark loop, but making sure to clear its Header field during each iteration (because my middleware adds HTTP headers to the response). Of course, however, the new clear builtin leaves the capacity of the http.Header unchanged.

The call to ServeHTTP in the first iteration of the benchmark loop would grow the map as needed and, therefore, calls to ServeHTTP in subsequent iterations wouldn't incur any allocations.

I was deceived by the benchmark results, in which the allocations (only incurred during the first iteration) would get averaged out to zero. 😬

I only realised my mistake after running the benchmark with -benchtime 1x.

Unfortunately, unless there is progress on https://github.com/golang/go/issues/56182, I don't think I can get rid of those heap allocations.

#golang
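The benchmark pitfall described in the post above, as an added example that is not the author's code: a hypothetical stand-in for the middleware's header-setting work (not jub0bs/fcors itself, with constructed header values) is measured with testing.AllocsPerRun, once with a single reused recorder whose Header map is cleared between iterations, and once with a fresh recorder per iteration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"testing"
)

// Hypothetical stand-in for a CORS middleware's response-header work.
// The values are preallocated so that the only thing that can allocate
// per call is growth of the http.Header map itself.
var (
	allowOrigin  = []string{"https://example.com"} // constructed sample values
	allowCreds   = []string{"true"}
	allowMethods = []string{"GET, POST"}
	allowHeaders = []string{"Authorization"}
	vary         = []string{"Origin"}
)

func addCORSHeaders(h http.Header) {
	h["Access-Control-Allow-Origin"] = allowOrigin
	h["Access-Control-Allow-Credentials"] = allowCreds
	h["Access-Control-Allow-Methods"] = allowMethods
	h["Access-Control-Allow-Headers"] = allowHeaders
	h["Vary"] = vary
}

// allocsReusedRecorder reproduces the flawed benchmark: one recorder is
// reused and its Header map is cleared between iterations. clear keeps
// the map's capacity, so only the warm-up call grows the map, and the
// averaged result comes out as 0 allocations per run.
func allocsReusedRecorder(runs int) float64 {
	rec := httptest.NewRecorder()
	return testing.AllocsPerRun(runs, func() {
		clear(rec.Header())
		addCORSHeaders(rec.Header())
	})
}

// allocsFreshRecorder uses a new recorder per iteration, as a server has
// a new ResponseWriter per request, so the map growth is counted every
// time (the recorder struct and its empty map are counted as well).
func allocsFreshRecorder(runs int) float64 {
	return testing.AllocsPerRun(runs, func() {
		addCORSHeaders(httptest.NewRecorder().Header())
	})
}

func main() {
	fmt.Printf("reused recorder, Header cleared: %.0f allocs/run\n", allocsReusedRecorder(1000))
	fmt.Printf("fresh recorder per run:          %.0f allocs/run\n", allocsFreshRecorder(1000))
}
```

The reused-recorder figure is the misleading zero the post describes; the fresh-recorder figure is what a request actually costs.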

Here is a #golang challenge for you! 🤓
Without modifying my package named "puzzler", can you create, in the main function, a variable of (non-exported) type puzzler.config? Playground: https://go.dev/play/p/hSSRfbZbjKK
I'll post a solution tomorrow. 😉

NaNs and maps don't mix well, but #golang 1.21's upcoming 'clear' builtin function will allow us to properly delete all keys from a map (including keys that are not reflexive for equality). This is likely to prove particularly useful in generic code.
https://go.dev/play/p/eoiTQq3YgJ4?v=gotip