Benny Siegert (bsiegert), @google Switzerland GmbH, Switzerland, http://www.mirbsd.org

bsiegert/BulkTracker 7

Track bulk build status in pkgsrc

bsiegert/gourl2pkg 3

Add Go packages to pkgsrc easily

bsiegert/goutils 1

A collection of simple system utilities

bsiegert/perl-mirbsd 1

Ongoing integration of perl-5.14 into the MirBSD src tree

bsiegert/9wm 0

X11 Window Manager inspired by Plan 9's rio

bsiegert/anita 0

Automated NetBSD Installation and Test Application

bsiegert/bmon 0

bandwidth monitor and rate estimator

Pull request review comment google/go-safeweb

Implemented the Commit phase in the CSP and XSRF plugins

+// Copyright 2020 Google LLC+//+// Licensed under the Apache License, Version 2.0 (the "License");+// you may not use this file except in compliance with the License.+// You may obtain a copy of the License at+//+// 	https://www.apache.org/licenses/LICENSE-2.0+//+// Unless required by applicable law or agreed to in writing, software+// distributed under the License is distributed on an "AS IS" BASIS,+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.+// See the License for the specific language governing permissions and+// limitations under the License.++package csp_test++import (+	"github.com/google/go-safeweb/safehttp"+	"github.com/google/go-safeweb/safehttp/plugins/csp"+	"github.com/google/go-safeweb/safehttp/safehttptest"+	safetemplate "github.com/google/safehtml/template"+	"net/http/httptest"+	"strings"+	"testing"+)++func TestServeMuxInstallCsp(t *testing.T) {
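Review bot: the import block in the new csp_test file mixes the github.com/google/... packages with standard-library packages (`net/http/httptest`, `strings`, `testing`) in one group; the goimports convention used elsewhere in Go code is a standard-library group first, a blank line, then third-party imports, so split the block that way before merging.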

nit: TestServeMuxInstallCSP

maramihali

comment created time in 6 days


Pull request review comment google/go-safeweb

Implemented the Commit phase in the CSP and XSRF plugins

+// Copyright 2020 Google LLC+//+// Licensed under the Apache License, Version 2.0 (the "License");+// you may not use this file except in compliance with the License.+// You may obtain a copy of the License at+//+// 	https://www.apache.org/licenses/LICENSE-2.0+//+// Unless required by applicable law or agreed to in writing, software+// distributed under the License is distributed on an "AS IS" BASIS,+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.+// See the License for the specific language governing permissions and+// limitations under the License.++package xsrf_test++import (+	"github.com/google/go-safeweb/safehttp"+	"github.com/google/go-safeweb/safehttp/plugins/xsrf"+	"github.com/google/go-safeweb/safehttp/safehttptest"+	safetemplate "github.com/google/safehtml/template"+	"net/http/httptest"+	"strings"+	"testing"+)++func TestServeMuxInstallXsrf(t *testing.T) {

nit: s/Xsrf/XSRF/

maramihali

comment created time in 6 days

Pull request review comment google/go-safeweb

Implemented the Commit phase in the CSP and XSRF plugins

 func addCookieID(w *safehttp.ResponseWriter) (*safehttp.Cookie, error) { // In case of state changing requests (all except GET, HEAD and OPTIONS), the // interceptor checks for the presence of the XSRF token in the request body // (expected to have been injected) and validates it.-func (i *Interceptor) Before(w *safehttp.ResponseWriter, r *safehttp.IncomingRequest, cfg interface{}) safehttp.Result {+func (it *Interceptor) Before(w *safehttp.ResponseWriter, r *safehttp.IncomingRequest, cfg interface{}) safehttp.Result {

nit: Why it instead of i? Single-letter receiver names are the recommended style.

maramihali

comment created time in 6 days


issue opened cdr/code-server

`--wait` command-line option

If you are working in the terminal, the suggested way of using VS Code itself as your editor for commit messages and such is to set

export EDITOR="code --wait"

This does not work within code-server obviously. You can set EDITOR to code-server but it does not have a --wait option, so git (or whatever) will not wait for you to close the window.

The --wait option, together with one or more files, should make the code-server binary only exit when these files are closed.

created time in 6 days


push event bsiegert/blog

Benny Siegert

commit sha 0669eb4bb0df69e27a136d7c577dc8c82a72390f

New blog post!


push time in 16 days

Pull request review comment google/go-safeweb

Added pre-login XSRF protection to the XSRF plugin

 func Token(r *safehttp.IncomingRequest) (string, error) { 	return tok.(string), nil } +func addCookieID(w *safehttp.ResponseWriter) (*safehttp.Cookie, error) {+	buf := make([]byte, 20)+	_, err := rand.Read(buf)+	if err != nil {+		panic(fmt.Errorf("crypto/rand.Read: %v", err))
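Review bot: addCookieID already has an error return value (`(*safehttp.Cookie, error)`), so the `panic(fmt.Errorf("crypto/rand.Read: %v", err))` on the `rand.Read` failure path should become `return nil, fmt.Errorf("crypto/rand.Read: %w", err)`. A panic in the request path aborts the whole request inside the net/http handler goroutine instead of letting the interceptor answer with a server error, and an unreadable CSPRNG is exactly the failure you want surfaced to the caller rather than left to the server's panic recovery.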

I am nervous about this panic in the request path. Can this return the error instead?

maramihali

comment created time in 17 days


Pull request review comment google/go-safeweb

Per handler interceptor configurations

+// Copyright 2020 Google LLC+//+// Licensed under the Apache License, Version 2.0 (the "License");+// you may not use this file except in compliance with the License.+// You may obtain a copy of the License at+//+// 	https://www.apache.org/licenses/LICENSE-2.0+//+// Unless required by applicable law or agreed to in writing, software+// distributed under the License is distributed on an "AS IS" BASIS,+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.+// See the License for the specific language governing permissions and+// limitations under the License.++package safehttp++// Config provide additional configurations to Interceptors when needed.+type Config interface {
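Review bot: the doc comment on the new exported type reads "Config provide additional configurations to Interceptors when needed"; Go doc comments are full sentences starting with the identifier, so make it "Config provides additional configuration to Interceptors when needed." and, since this is an interface, state in the same comment what a value has to implement to satisfy it so that plugin authors know what the mux expects.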

Maybe Option would be a better name?

mihalimara22

comment created time in a month


issue comment google/go-safeweb

Make sure ServeMux is used in the right order

In Goa, we have state variables that we set and check with atomics and return an error if in the wrong phase. For instance, if you want to add a module to a running server, it will be rejected this way.

empijei

comment created time in a month

issue comment golang/go

x/build: add builder for netbsd/arm64

@cagedmantis I am excited to hear about the non-reverse arm64 builder! There does not need to be any waiting involved; we can have both builders for the time being, and I'll happily decommission the reverse builder.

@dmitshur provided a key, and I have the builder running right now. I will send a CL to add it to the coordinator.

bcmills

comment created time in a month

push event bsiegert/BulkTracker

Benny Siegert

commit sha 26ec654e661b6c3c7f9e10470b54c3087d42b1bd

We are now a Go module!


push time in a month

Pull request review comment google/go-safeweb

Add a plugin to automatically nonce templates.

+// Package htmlinject provides utilities to pre-process HTML templates and inject additional parts to them before parsing.+package htmlinject++import (+	"errors"+	"fmt"+	"io"+	"strings"++	"golang.org/x/net/html"+)++// Rule is a directive to instruct Transform on how to rewrite the given template.+type Rule struct {+	// Name is used for debug purposes in case rewriting fails.+	Name string+	// OnTag is the tag to be used to trigger the rule.+	OnTag string+	// WithAttributes is a filter applied on tags to decide whether to run the Rule:+	// only tags with the given attributes key:value will be matched.+	WithAttributes map[string]string+	// AddAttributes is a list of strings to add to the HTML in place of attributes.+	// All the given strings will be appended verbatim after the matched tag so they+	// should be prefixed with a space.+	AddAttributes []string+	// AddNodes is a list of nodes to append immediately after the openin tag that matched.+	// This means that for elements that have a matching closing tag the added node will be+	// a child node, for self-closing tags it will be a sibling.+	AddNodes []string+}++func (r Rule) String() string { return r.Name }++// Config is a slice of Rules that are somehow related to each other.+type Config []Rule++// CSPNoncesDefault is the default config for CSP Nonces. The rewritten template+// expects the CSPNonce Func to be available in the template to provide nonces.+var CSPNoncesDefault = CSPNonces(`nonce="{{CSPNonce}}"`)++// CSPNonces constructs a Config to add CSP nonces to a template. 
The given nonce+// attribute will be automatically prefixed with the required empty space.+func CSPNonces(nonceAttr string) Config {+	nonceAttr = " " + nonceAttr+	return Config{+		Rule{+			Name:          "Nonces for scripts",+			OnTag:         "script",+			AddAttributes: []string{nonceAttr},+		},+		Rule{+			Name:           "Nonces for link as=script rel=preload",+			OnTag:          "link",+			WithAttributes: map[string]string{"rel": "preload", "as": "script"},+			AddAttributes:  []string{nonceAttr},+		},+	}+}++// XSRFTokensDefault is the default config to add hidden inputs to forms to provide+// an anti-XSRF token. The rewritten template expects the XSRFToken Func to be available+// in the template to provide tokens and sets the name for the sent value to be "xsrftoken".+var XSRFTokensDefault = XSRFTokens(`<input type="hidden" name="xsrf-token" value="{{XSRFToken}}">`)++// XSRFTokens constructs a Config to add the given string as a child node to forms.+func XSRFTokens(inputTag string) Config {+	return Config{Rule{+		Name:     "XSRFTokens on forms",+		OnTag:    "form",+		AddNodes: []string{inputTag}}}+}++// Transform rewrites the given template according to the given configs.+// If the passed io.Rewriter has a `Size() int64` method it will be used to pre-allocate buffers.+func Transform(src io.Reader, cfg ...Config) (tpl string, _ error) {+	rw := rewriter{+		rules:     map[string][]Rule{},+		tokenizer: html.NewTokenizer(src),+		out:       &strings.Builder{},+	}+	if sizer, ok := src.(interface{ Size() int64 }); ok {+		rw.out.Grow(int(sizer.Size()))+	}+	for _, c := range cfg {+		for _, r := range c {+			rw.rules[r.OnTag] = append(rw.rules[r.OnTag], r)+		}+	}+	if err := rw.rewrite(); err != nil {+		return "", fmt.Errorf("transforming template: %v", err)+	}+	return rw.out.String(), nil+}++type rewriter struct {+	// tag -> rules for that tag+	rules     map[string][]Rule+	tokenizer *html.Tokenizer+	out       *strings.Builder+}++// emitRaw copies the current raw token to 
the output.+func (r rewriter) emitRaw() error {+	_, err := r.out.Write(r.tokenizer.Raw())+	return err+}++// rewrite runs the rewriter.+func (r rewriter) rewrite() error {+	for {+		switch tkn := r.tokenizer.Next(); tkn {+		case html.ErrorToken:+			if err := r.tokenizer.Err(); !errors.Is(err, io.EOF) {+				return err+			}+			// We got EOF, let's just emit the last token and exit.+			return r.emitRaw()+		case html.StartTagToken, html.SelfClosingTagToken:+			if err := r.processTag(); err != nil {+				return err+			}+		default:+			if err := r.emitRaw(); err != nil {+				return err+			}+		}+	}+}++func (r rewriter) processTag() error {+	// Copy raw tokens to better formats+	var (+		tagname    string+		attributes = map[string]string{}+		raw        = make([]byte, len(r.tokenizer.Raw()))+	)+	{+		copy(raw, r.tokenizer.Raw())+		tag, hasAttr := r.tokenizer.TagName()+		tagname = string(tag)+		for hasAttr {+			key, val, more := r.tokenizer.TagAttr()+			hasAttr = more+			attributes[string(key)] = string(val)+		}+	}++	// Filter rules by attributes+	var triggeredRules []Rule+	{+		rules := r.rules[tagname]+		for _, r := range rules {+			match := true+			for k, v := range r.WithAttributes {+				if attributes[k] != v {+					match = false+				}+			}+			if match {+				triggeredRules = append(triggeredRules, r)+			}+		}+	}++	// Emit the rewritten HTML+	{+		// Write the "<" symbol and the tag name, e.g. "<script"
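Review bot: in processTag the loop `for _, r := range rules` shadows the method receiver `r` (the rewriter) with a Rule for the body of that loop; it compiles today only because the body never touches the receiver, and it will break silently the first time someone adds `r.out` or `r.tokenizer` there. Rename the loop variable, e.g. `for _, rule := range rules`. In the same block, the inner `for k, v := range r.WithAttributes` sets `match = false` but keeps iterating, so add a `break` after it, and the Rule doc comment has a typo ("openin tag" for "opening tag").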

I am slightly concerned about the possibility that this may go wrong, e.g. if the input string has whitespace between the < and the tag name (is that allowed?). Maybe use len(tagname) + bytes.Index(raw, tagname)?

empijei

comment created time in a month

Pull request review comment google/go-safeweb

Add a plugin to automatically nonce templates.

+// Package htmlinject provides utilities to pre-process HTML templates and inject additional parts to them before parsing.+package htmlinject++import (+	"errors"+	"fmt"+	"io"+	"strings"++	"golang.org/x/net/html"+)++// Rule is a directive to instruct Transform on how to rewrite the given template.+type Rule struct {+	// Name is used for debug purposes in case rewriting fails.+	Name string+	// OnTag is the tag to be used to trigger the rule.+	OnTag string+	// WithAttributes is a filter applied on tags to decide whether to run the Rule:+	// only tags with the given attributes key:value will be matched.+	WithAttributes map[string]string+	// AddAttributes is a list of strings to add to the HTML in place of attributes.+	// All the given strings will be appended verbatim after the matched tag so they+	// should be prefixed with a space.+	AddAttributes []string+	// AddNodes is a list of nodes to append immediately after the openin tag that matched.+	// This means that for elements that have a matching closing tag the added node will be+	// a child node, for self-closing tags it will be a sibling.+	AddNodes []string+}++func (r Rule) String() string { return r.Name }++// Config is a slice of Rules that are somehow related to each other.+type Config []Rule++// CSPNoncesDefault is the default config for CSP Nonces. The rewritten template+// expects the CSPNonce Func to be available in the template to provide nonces.+var CSPNoncesDefault = CSPNonces(`nonce="{{CSPNonce}}"`)++// CSPNonces constructs a Config to add CSP nonces to a template. 
The given nonce+// attribute will be automatically prefixed with the required empty space.+func CSPNonces(nonceAttr string) Config {+	nonceAttr = " " + nonceAttr+	return Config{+		Rule{+			Name:          "Nonces for scripts",+			OnTag:         "script",+			AddAttributes: []string{nonceAttr},+		},+		Rule{+			Name:           "Nonces for link as=script rel=preload",+			OnTag:          "link",+			WithAttributes: map[string]string{"rel": "preload", "as": "script"},+			AddAttributes:  []string{nonceAttr},+		},+	}+}++// XSRFTokensDefault is the default config to add hidden inputs to forms to provide+// an anti-XSRF token. The rewritten template expects the XSRFToken Func to be available+// in the template to provide tokens and sets the name for the sent value to be "xsrftoken".+var XSRFTokensDefault = XSRFTokens(`<input type="hidden" name="xsrf-token" value="{{XSRFToken}}">`)++// XSRFTokens constructs a Config to add the given string as a child node to forms.+func XSRFTokens(inputTag string) Config {+	return Config{Rule{+		Name:     "XSRFTokens on forms",+		OnTag:    "form",+		AddNodes: []string{inputTag}}}+}++// Transform rewrites the given template according to the given configs.+// If the passed io.Rewriter has a `Size() int64` method it will be used to pre-allocate buffers.+func Transform(src io.Reader, cfg ...Config) (tpl string, _ error) {+	rw := rewriter{+		rules:     map[string][]Rule{},+		tokenizer: html.NewTokenizer(src),+		out:       &strings.Builder{},+	}+	if sizer, ok := src.(interface{ Size() int64 }); ok {+		rw.out.Grow(int(sizer.Size()))+	}+	for _, c := range cfg {+		for _, r := range c {+			rw.rules[r.OnTag] = append(rw.rules[r.OnTag], r)+		}+	}+	if err := rw.rewrite(); err != nil {+		return "", fmt.Errorf("transforming template: %v", err)+	}+	return rw.out.String(), nil+}++type rewriter struct {+	// tag -> rules for that tag+	rules     map[string][]Rule+	tokenizer *html.Tokenizer+	out       *strings.Builder+}++// emitRaw copies the current raw token to 
the output.+func (r rewriter) emitRaw() error {+	_, err := r.out.Write(r.tokenizer.Raw())+	return err+}++// rewrite runs the rewriter.+func (r rewriter) rewrite() error {+	for {+		switch tkn := r.tokenizer.Next(); tkn {+		case html.ErrorToken:+			if err := r.tokenizer.Err(); !errors.Is(err, io.EOF) {+				return err+			}+			// We got EOF, let's just emit the last token and exit.+			return r.emitRaw()+		case html.StartTagToken, html.SelfClosingTagToken:+			if err := r.processTag(); err != nil {+				return err+			}+		default:+			if err := r.emitRaw(); err != nil {+				return err+			}+		}+	}+}++func (r rewriter) processTag() error {+	// Copy raw tokens to better formats+	var (+		tagname    string+		attributes = map[string]string{}+		raw        = make([]byte, len(r.tokenizer.Raw()))+	)+	{+		copy(raw, r.tokenizer.Raw())+		tag, hasAttr := r.tokenizer.TagName()+		tagname = string(tag)+		for hasAttr {+			key, val, more := r.tokenizer.TagAttr()+			hasAttr = more+			attributes[string(key)] = string(val)+		}+	}++	// Filter rules by attributes+	var triggeredRules []Rule+	{+		rules := r.rules[tagname]+		for _, r := range rules {+			match := true+			for k, v := range r.WithAttributes {+				if attributes[k] != v {+					match = false+				}+			}+			if match {+				triggeredRules = append(triggeredRules, r)+			}+		}+	}++	// Emit the rewritten HTML+	{+		// Write the "<" symbol and the tag name, e.g. "<script"+		if _, err := r.out.Write(raw[:len(tagname)+1]); err != nil {
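Review bot: the doc comment on XSRFTokensDefault says it "sets the name for the sent value to be "xsrftoken"", but the default tag it is built from is `<input type="hidden" name="xsrf-token" value="{{XSRFToken}}">`, so the submitted field is actually named "xsrf-token". Make the comment and the tag agree; whatever validates the token on the server has to read the form field under exactly this name, and a mismatch between the documented and the injected name is the kind of thing that makes every form submission fail the check.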

nit: save the subexpression into a variable.

n := len(tagname)+1

empijei

comment created time in a month

Pull request review comment google/go-safeweb

Add a plugin to automatically nonce templates.

+// Package htmlinject provides utilities to pre-process HTML templates and inject additional parts to them before parsing.

nit: into them

empijei

comment created time in a month

Pull request review comment google/go-safeweb

Add a plugin to automatically nonce templates.

+// Package htmlinject provides utilities to pre-process HTML templates and inject additional parts to them before parsing.+package htmlinject++import (+	"errors"+	"fmt"+	"io"+	"strings"++	"golang.org/x/net/html"+)++// Rule is a directive to instruct Transform on how to rewrite the given template.+type Rule struct {+	// Name is used for debug purposes in case rewriting fails.+	Name string+	// OnTag is the tag to be used to trigger the rule.+	OnTag string+	// WithAttributes is a filter applied on tags to decide whether to run the Rule:+	// only tags with the given attributes key:value will be matched.+	WithAttributes map[string]string+	// AddAttributes is a list of strings to add to the HTML in place of attributes.+	// All the given strings will be appended verbatim after the matched tag so they+	// should be prefixed with a space.+	AddAttributes []string+	// AddNodes is a list of nodes to append immediately after the openin tag that matched.+	// This means that for elements that have a matching closing tag the added node will be+	// a child node, for self-closing tags it will be a sibling.+	AddNodes []string+}++func (r Rule) String() string { return r.Name }++// Config is a slice of Rules that are somehow related to each other.+type Config []Rule++// CSPNoncesDefault is the default config for CSP Nonces. The rewritten template+// expects the CSPNonce Func to be available in the template to provide nonces.+var CSPNoncesDefault = CSPNonces(`nonce="{{CSPNonce}}"`)++// CSPNonces constructs a Config to add CSP nonces to a template. 
The given nonce+// attribute will be automatically prefixed with the required empty space.+func CSPNonces(nonceAttr string) Config {+	nonceAttr = " " + nonceAttr+	return Config{+		Rule{+			Name:          "Nonces for scripts",+			OnTag:         "script",+			AddAttributes: []string{nonceAttr},+		},+		Rule{+			Name:           "Nonces for link as=script rel=preload",+			OnTag:          "link",+			WithAttributes: map[string]string{"rel": "preload", "as": "script"},+			AddAttributes:  []string{nonceAttr},+		},+	}+}++// XSRFTokensDefault is the default config to add hidden inputs to forms to provide+// an anti-XSRF token. The rewritten template expects the XSRFToken Func to be available+// in the template to provide tokens and sets the name for the sent value to be "xsrftoken".+var XSRFTokensDefault = XSRFTokens(`<input type="hidden" name="xsrf-token" value="{{XSRFToken}}">`)++// XSRFTokens constructs a Config to add the given string as a child node to forms.+func XSRFTokens(inputTag string) Config {+	return Config{Rule{+		Name:     "XSRFTokens on forms",+		OnTag:    "form",+		AddNodes: []string{inputTag}}}+}++// Transform rewrites the given template according to the given configs.+// If the passed io.Rewriter has a `Size() int64` method it will be used to pre-allocate buffers.
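Review bot: the Transform doc comment says "If the passed io.Rewriter has a `Size() int64` method", but the parameter is `src io.Reader` and there is no io.Rewriter in the standard library; fix the comment to say io.Reader. The `Size() int64` check is only a pre-allocation hint (`rw.out.Grow`), so the comment should also make clear that the method is optional and affects only buffer sizing, not correctness.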

Would it make sense to give the Size method interface a name and a doc comment?

empijei

comment created time in a month

Pull request review comment google/go-safeweb

Introduced the safehttptest to aid end-to-end testing

+// Copyright 2020 Google LLC+//+// Licensed under the Apache License, Version 2.0 (the "License");+// you may not use this file except in compliance with the License.+// You may obtain a copy of the License at+//+// 	https://www.apache.org/licenses/LICENSE-2.0+//+// Unless required by applicable law or agreed to in writing, software+// distributed under the License is distributed on an "AS IS" BASIS,+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.+// See the License for the specific language governing permissions and+// limitations under the License.++package safehttptest++import (+	"html/template"+	"io"+	"net/http"+	"strings"++	"github.com/google/go-safeweb/safehttp"+	"github.com/google/safehtml"+)++type testDispatcher struct{}++func (testDispatcher) Write(rw http.ResponseWriter, resp safehttp.Response) error {+	switch x := resp.(type) {+	case safehtml.HTML:+		_, err := rw.Write([]byte(x.String()))+		return err+	default:+		panic("not a safe response type")+	}+}++func (testDispatcher) ExecuteTemplate(rw http.ResponseWriter, t safehttp.Template, data interface{}) error {+	switch x := t.(type) {+	case *template.Template:+		return x.Execute(rw, data)+	default:+		panic("not a safe response type")+	}+}++// ResponseRecorder encapsulates a safehttp.ResponseWriter that records+// mutations for later inspection in tests. The safehttp.ResponseWriter+// should be passed as part of the handler function in tests.+type ResponseRecorder struct {+	safehttp.ResponseWriter+	rw *responseRecorder
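Review bot: the default branch of testDispatcher.ExecuteTemplate panics with "not a safe response type", which is the message copied from Write; it should say something like "not a safe template type" so that a failing test points at the right method. testDispatcher itself has no doc comment, and since Write accepts only safehtml.HTML and ExecuteTemplate only *html/template.Template, it is worth stating that these are the only types the test dispatcher supports.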

May I ask why there is both a ResponseRecorder and a lowercase responseRecorder? Can't you just merge the latter into the former?

mattiasgrenfeldt

comment created time in a month

Pull request review comment google/go-safeweb

Introduced the safehttptest to aid end-to-end testing

 type ResponseWriter struct { 	header Header } -func newResponseWriter(d Dispatcher, rw http.ResponseWriter) ResponseWriter {+// NewResponseWriter creates a safehttp.ResponseWriter from+// a safehttp.Dispatcher and a http.ResponseWriter.

nit: same as above

mattiasgrenfeldt

comment created time in a month

Pull request review comment google/go-safeweb

Introduced the safehttptest to aid end-to-end testing

 type IncomingRequest struct { 	URL       *url.URL } -func newIncomingRequest(req *http.Request) *IncomingRequest {+// NewIncomingRequest creates an safehttp.IncomingRequest

nit: creates an IncomingRequest

Don't prefix with the package name if the symbol is in the same package.

mattiasgrenfeldt

comment created time in a month

pull request comment NetBSD/pkgsrc

devel/gearmand: update to 1.1.19.1

This fails to build for me (on NetBSD/aarch64) with the following error:

  CXXLD    bin/gearman
  CXXLD    t/unittest
ld: libtest/t_unittest-unittest.o: in function `lookup_false_TEST(void*)':
/usr/pkgsrc/devel/gearmand/work/gearmand-1.1.19.1/libtest/unittest.cc:973: warning: Warning: reference to the libc supplied alloca(3); this most likely will not work. Please use the compiler provided version of alloca(3), by supplying the appropriate compiler flags (e.g. not -std=c89).
ld: /usr/pkgsrc/devel/gearmand/work/gearmand-1.1.19.1/libtest/unittest.cc:973: undefined reference to `alloca'
ld: libtest/.libs/libtest.a(libtest_libtest_la-gearmand.o): in function `Gearmand::ping()':
/usr/pkgsrc/devel/gearmand/work/gearmand-1.1.19.1/libtest/gearmand.cc:86: undefined reference to `alloca'
gmake[2]: *** [Makefile:4842: t/unittest] Error 1
gmake[2]: Leaving directory '/usr/pkgsrc/devel/gearmand/work/gearmand-1.1.19.1'

Any ideas?

mmoll

comment created time in 2 months

pull request comment NetBSD/pkgsrc

textproc/icu: Require GCC 4.9+

Requiring GCC 4.9 is probably the wrong thing to do. (In fact, I would argue that the GCC_REQD line should not be there at all.)

Instead, since this is a C++11 feature, the USE_LANGUAGES line should read

USE_LANGUAGES= c99 c++11

mmoll

comment created time in 2 months

Pull request review comment google/go-safeweb

Safe header type

+// Copyright 2020 Google LLC+//+// Licensed under the Apache License, Version 2.0 (the "License");+// you may not use this file except in compliance with the License.+// You may obtain a copy of the License at+//+// 	https://www.apache.org/licenses/LICENSE-2.0+//+// Unless required by applicable law or agreed to in writing, software+// distributed under the License is distributed on an "AS IS" BASIS,+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.+// See the License for the specific language governing permissions and+// limitations under the License.++package safehttp++import (+	"net/http"+	"net/textproto"+)++var disallowedHeaders = map[string]bool{"Set-Cookie": true}++// Header represents the key-value pairs in an HTTP header.+// The keys will be in canonical form, as returned by+// textproto.CanonicalMIMEHeaderKey.+type Header struct {+	wrappedHeader http.Header

Makes sense. Thanks.

mattiasgrenfeldt

comment created time in 2 months

Pull request review comment google/go-safeweb

Safe header type

+// Copyright 2020 Google LLC+//+// Licensed under the Apache License, Version 2.0 (the "License");+// you may not use this file except in compliance with the License.+// You may obtain a copy of the License at+//+// 	https://www.apache.org/licenses/LICENSE-2.0+//+// Unless required by applicable law or agreed to in writing, software+// distributed under the License is distributed on an "AS IS" BASIS,+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.+// See the License for the specific language governing permissions and+// limitations under the License.++package safehttp++import (+	"net/http"+	"net/textproto"+)++var disallowedHeaders = map[string]bool{"Set-Cookie": true}++// Header represents the key-value pairs in an HTTP header.+// The keys will be in canonical form, as returned by+// textproto.CanonicalMIMEHeaderKey.+type Header struct {+	wrappedHeader http.Header

Maybe this can be an anonymous struct member. This means that all methods of http.Header would be available in this Header type, unless you overwrite them.

mattiasgrenfeldt

comment created time in 2 months

Pull request review comment google/go-safeweb

Safe header type

+// Copyright 2020 Google LLC+//+// Licensed under the Apache License, Version 2.0 (the "License");+// you may not use this file except in compliance with the License.+// You may obtain a copy of the License at+//+// 	https://www.apache.org/licenses/LICENSE-2.0+//+// Unless required by applicable law or agreed to in writing, software+// distributed under the License is distributed on an "AS IS" BASIS,+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.+// See the License for the specific language governing permissions and+// limitations under the License.++package safehttp++import (+	"net/http"+	"net/textproto"+)++var disallowedHeaders = map[string]bool{"Set-Cookie": true}++// Header represents the key-value pairs in an HTTP header.+// The keys will be in canonical form, as returned by+// textproto.CanonicalMIMEHeaderKey.+type Header struct {+	wrappedHeader http.Header+	immutable     map[string]bool+}++func newHeader(h http.Header) Header {+	return Header{wrappedHeader: h, immutable: map[string]bool{}}+}++// MarkImmutable marks the header with the name `name` as immutable.+// This header is now read-only. `name` is canonicalized using+// textproto.CanonicalMIMEHeaderKey first.+func (h Header) MarkImmutable(name string) {+	name = textproto.CanonicalMIMEHeaderKey(name)+	if disallowedHeaders[name] {+		return+	}+	h.immutable[name] = true+}++// Set sets the header with the name `name` to the value of `value`.
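Review bot: MarkImmutable silently returns when the canonicalized name is in disallowedHeaders (currently only Set-Cookie), so a caller that tries to mark Set-Cookie immutable gets no indication that nothing happened; either document that disallowed headers are ignored or report it (return an error, or panic on what is a programming mistake), because a silent no-op on a security-relevant header is easy to miss in review. The value receiver is fine as written since `immutable` is a map, but a doc note that copying a Header shares the underlying map and wrapped http.Header would save readers a second look.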

Style note: Doc comments in Go do not typically use backticks and other formatting things. Instead, try to make the names of the params flow in the text.

Set sets the header with the given name to the given value

or something.

You can see how the text is formatted by looking at https://pkg.go.dev/github.com/google/go-safeweb.

mattiasgrenfeldt

comment created time in 2 months

pull request comment NetBSD/pkgsrc

devel/gearmand: update to 1.1.19

Can you provide a commit message? That is, a changelog between the current version in pkgsrc and the new version. It can be copied verbatim from the source.

mmoll

comment created time in 2 months

PR opened hills/xosview

On NetBSD, turn cpu speed error into a warning

Different architectures use different values for this sysctl; this is why it is marked as "machdep". Not having the CPU frequency available should not be a fatal error.

Question for you: does it make sense to return a single value for the CPU speed? I noticed that the FreeBSD code averages the speed over all cores. NetBSD/evbarm, where I ran into this issue, can set the CPU speed independently for "big" and "little" cores, depending on CPU. I feel like it makes sense to have the frequency be a per-CPU property.

Where is the CPU speed even shown in the UI?

+1 -1

0 comment

1 changed file

pr created time in 2 months

create branch bsiegert/xosview

branch : tscfreq

created branch time in 2 months

create branch bsiegert/xosview

branch : evbarmbattery

created branch time in 2 months

push event bsiegert/xosview

Gleb Smirnoff

commit sha f6dae73c04a5a4d06e1262d243653b775feb5a69

Use BSD libc API getifaddrs(3) instead of using kvm(3) to obtain interface byte counters relying on unstable kernel ABI, which differs a lot in different BSD operating systems and is very likely to change in the future. Actually this commit was driven by the fact that xosview doesn't compile on FreeBSD 11. The change also simplifies code a lot. The change was tested on FreeBSD 11, but should work on all *BSD versions, according to documentation on getifaddrs(3).


Gleb Smirnoff

commit sha 62124668f091182c21c495dbcd510ac18419bc49

In modern (all supported) FreeBSD versions, the vmmeter went to per-CPU private regions, and can no longer be easily read via kvm(3). Thus, utilize the sysctl(3) API to fetch vmmeter data.


Gleb Smirnoff

commit sha 0724f2bc69154943357c29bfd9f63eca47edf6ab

Strip empty fields from the nlist.


Kartik Mistry

commit sha dc281d4fcc605c3cadfba45dcc0ac1ad5403a9f3

arm64 doesn't have sys/io.h and sys/perm.h like many other Linux architectures

Author: Steve McIntyre <93sam@debian.org>


Mark Hills

commit sha f652c05e905b7d81a06ba2d3dd4bdc401315bdbb

Do not parse error when 64-bit kernel is used with 32-bit userland

$ ./xosview
/proc/meminfo: parse error, ' 34359738367 kB ' is out of range
$ cat /proc/meminfo | grep 34359738367
VmallocTotal: 34359738367 kB

This value is a fixed value, it originates from the kernel in fs/proc/meminfo.c:

(unsigned long)VMALLOC_TOTAL >> 10,

Reported-by: Stephan Böttcher <stephan@psjt.org>


Kyle Terrien

commit sha cfa32c350470c97000e17018d41bda709da71cef

Fix typo that was blocking compilation on gcc 6


Tomi Tapper

commit sha 6da3ea5c4892ed04b9e534de5777a5c5a892fa10

Support coretemp on linux 3.15

Sysfs node for platform device sensors has changed in kernel version 3.15.


Tomi Tapper

commit sha 90d95380a7e0d219281d00a23d8308afc16e407d

Fix coretemp for AMD K10 CPUs on kernel >= 3.17.

The k10temp 'name' attribute file was moved in kernel 3.17 (k8temp still uses the old path). Try both paths.


Tomi Tapper

commit sha f81dc416fbbe70248f2e03429caa02e154753259

OpenBSD build fix.

OpenBSD 5.7 no longer has sys/dkstat.h.


Tomi Tapper

commit sha 3cea857bf22e90d51d154917bac0ac713871e1dd

Use the right variable in the error message.

Output the filename, not the stream we just failed to open (exposed by gcc 6).


Samuel Thibault

commit sha 0b50d51873630ed704b17933be1771186f416e70

gnu: >2G getting negative

Now that GNU/Hurd supports >2G memory, xosview needs to be fixed :)

This patch turns the page count into a double before multiplying by the page size, to avoid being truncated by the 32-bit size of the page count.


Alex D

commit sha 63b87e847589c67a1fa593f763cc49bbc92236bb

Fix /sys/class/net traversal on recent Linux systems

When xosview is doing readdir on /sys/class/net, it doesn't check whether it sees a symlink or a directory and tries to open /sys/class/net/bonding_masters/statistics/rx_bytes, which of course fails. This patch simply checks whether the entry under /sys/class/net is a symlink.


Mark Hills

commit sha c6b9b5a0ac0fc8bcee85c6032ad07d0fe526cbde

Merge remote-tracking branch 'klipperkyle/master'

* klipperkyle/master:
  Fix typo that was blocking compilation on gcc 6


Mark Hills

commit sha 4c7bda7eab17432763bd55bc60c99cddf3d9cb95

Merge remote-tracking branch 'kartikm/aarch64'

* kartikm/aarch64:
  arm64 doesn't have sys/io.h and sys/perm.h like many other Linux architectures


Mark Hills

commit sha 7ed5978d198fb691091db67520e31a68e078178b

Merge remote-tracking branch 'glebius/master'

* glebius/master:
  Strip empty fields from the nlist.
  In modern (all supported) FreeBSD versions, the vmmeter went into per-CPU private regions and can no longer easily be read via kvm(3). Thus, utilize the sysctl(3) API to fetch vmmeter data.
  Use BSD libc API getifaddrs(3) instead of using kvm(3) to obtain interface byte counters relying on unstable kernel ABI, which differs a lot in different BSD operating systems and is very likely to change in the future. Actually this commit was driven by the fact that xosview doesn't compile on FreeBSD 11. The change also simplifies code a lot.


Pino Toscano

commit sha c2b5ddb4f9bd062cfc4805ce157987ed8a1315a1

Create a PNG version of the icon

Use the convert utility of ImageMagick to create a PNG version of the xosview icon, so it can be used in XDG menus. The exact invocation used is:

    $ convert xosview.xpm -gravity center -background transparent \
        -extent 32x32 xosview.png


Pino Toscano

commit sha 2aecc051f54fd3525e69deffcd0fbc39366f41d5

Make xosview.desktop valid

- remove the extension from the 'Icon' key, since it will soon use the xosview icon from the XDG icon theme
- remove the 'Application' category, since it is deprecated (there is Type=Application already)

In addition, add the 'Monitor' category, as it represents what xosview does.


Pino Toscano

commit sha f7ecc7dc35bed3b10fe2ed752f9835543d799ae9

Install desktop file and its icon

Install the desktop file and the PNG icon in the right directory, so xosview is integrated in the XDG menu by default (i.e. with no need to manually install files).


Mark Hills

commit sha acef3cde0b53e46e00cc53c170602d7ee04788ba

Do not crash sometimes when parsing /sys for network throughput

Two examples of the bugs seen are below which cause the program to exit. Handle them by moving to regular C file handling, which I preferred over wrapping in exceptions as the error cases and releasing of resources is clearer; elsewhere in the project we have considered them better for parsing /sys and /proc information.

It looks like there is code here that parses /proc, and is most likely redundant because users are unlikely to be on an old enough kernel to require this; I imagine everyone has /sys mounted and the codebase probably won't build on the old compilers that would be required on such systems.

    $ xosview
    Can not open file : /sys/class/net/tap0/statistics/rx_bytes

    $ xosview
    terminate called after throwing an instance of 'std::ios_base::failure'
      what():  basic_filebuf::underflow error reading the file
    Abort (core dumped)

    (gdb) bt
    #0  0x000000320a0325e5 in raise () from /lib64/libc.so.6
    #1  0x000000320a033dc5 in abort () from /lib64/libc.so.6
    #2  0x000000320f8bea7d in __gnu_cxx::__verbose_terminate_handler() () from /usr/lib64/libstdc++.so.6
    #3  0x000000320f8bcbd6 in ?? () from /usr/lib64/libstdc++.so.6
    #4  0x000000320f8bcc03 in std::terminate() () from /usr/lib64/libstdc++.so.6
    #5  0x000000320f8bcd22 in __cxa_throw () from /usr/lib64/libstdc++.so.6
    #6  0x000000320f8619da in std::__throw_ios_failure(char const*) () from /usr/lib64/libstdc++.so.6
    #7  0x000000320f87172a in std::basic_filebuf<char, std::char_traits<char> >::underflow() () from /usr/lib64/libstdc++.so.6
    #8  0x000000320f87809b in std::basic_istream<char, std::char_traits<char> >::sentry::sentry(std::basic_istream<char, std::char_traits<char> >&, bool) () from /usr/lib64/libstdc++.so.6
    #9  0x000000320f87860b in std::basic_istream<char, std::char_traits<char> >& std::basic_istream<char, std::char_traits<char> >::_M_extract<unsigned long long>(unsigned long long&) () from /usr/lib64/libstdc++.so.6
    #10 0x00000000004215a7 in NetMeter::getSysStats(unsigned long long&, unsigned long long&) ()
    #11 0x000000000042197a in NetMeter::checkevent() ()
    #12 0x000000000040c390 in XOSView::run() ()
    #13 0x000000000040b5a1 in main ()


fernape

commit sha 0b4861c9fed2dc8450edf2dff7988ebd784a520b

Fix build in FreeBSD 12

vm.stats.vm.* is not paired with the fields in struct vmmeter anymore. Since we are not using all the fields in vmmeter, define our own structure with the fields we are interested in.

Testing:
* Builds for {10.4,11.1}{amd64,i386}, 11.2amd64, 12i386 OK
* Run test in 11.2 OK


push time in 2 months

Pull request review commentgoogle/go-safeweb

Header parsing tests

+package requestparsing++import (+	"bytes"+	"context"+	"net/http"+	"testing"++	"github.com/google/go-cmp/cmp"++	"github.com/google/go-safeweb/testing/requesttesting"+)++func TestBasicAuth(t *testing.T) {+	type testWant struct {+		headers  map[string][]string+		ok       bool+		username string+		password string+	}++	var tests = []struct {+		name    string+		request []byte+		want    testWant+	}{+		{+			name: "Basic",+			request: []byte("GET / HTTP/1.1\r\n" ++				"Host: localhost:8080\r\n" ++				// Base64 encoding of "Pelle:Password".+				"Authorization: Basic UGVsbGU6UGFzc3dvcmQ=\r\n" ++				"\r\n"),+			want: testWant{+				// Same Base64 as above.+				headers:  map[string][]string{"Authorization": []string{"Basic UGVsbGU6UGFzc3dvcmQ="}},+				ok:       true,+				username: "Pelle",+				password: "Password",+			},+		},+		{+			name: "NoTrailingEquals",+			request: []byte("GET / HTTP/1.1\r\n" ++				"Host: localhost:8080\r\n" ++				// Base64 encoding of "Pelle:Password" without trailing equals.+				"Authorization: Basic UGVsbGU6UGFzc3dvcmQ\r\n" ++				"\r\n"),+			want: testWant{+				// Same Base64 as above.+				headers:  map[string][]string{"Authorization": []string{"Basic UGVsbGU6UGFzc3dvcmQ"}},+				ok:       false,+				username: "",+				password: "",+			},+		},+		{+			name: "DoubleColon",+			request: []byte("GET / HTTP/1.1\r\n" ++				"Host: localhost:8080\r\n" ++				// Base64 encoding of "Pelle:Password:Password".+				"Authorization: Basic UGVsbGU6UGFzc3dvcmQ6UGFzc3dvcmQ=\r\n" ++				"\r\n"),+			want: testWant{+				// Same Base64 as above.+				headers:  map[string][]string{"Authorization": []string{"Basic UGVsbGU6UGFzc3dvcmQ6UGFzc3dvcmQ="}},+				ok:       true,+				username: "Pelle",+				password: "Password:Password",+			},+		},+		{+			name: "NotBasic",+			request: []byte("GET / HTTP/1.1\r\n" ++				"Host: localhost:8080\r\n" ++				// Base64 encoding of "Pelle:Password:Password".+				"Authorization: xasic UGVsbGU6UGFzc3dvcmQ6UGFzc3dvcmQ=\r\n" ++				"\r\n"),+			want: 
testWant{+				// Same Base64 as above.+				headers:  map[string][]string{"Authorization": []string{"xasic UGVsbGU6UGFzc3dvcmQ6UGFzc3dvcmQ="}},+				ok:       false,+				username: "",+				password: "",+			},+		},+		{+			name: "Ordering",+			request: []byte("GET / HTTP/1.1\r\n" ++				"Host: localhost:8080\r\n" ++				// Base64 encoding of "AAA:aaa".+				"Authorization: basic QUFBOmFhYQ==\r\n" ++				// Base64 encoding of "BBB:bbb".+				"Authorization: basic QkJCOmJiYg==\r\n" ++				"\r\n"),+			want: testWant{+				// Base64 encoding of "AAA:aaa" and then of "BBB:bbb" in that order.+				headers:  map[string][]string{"Authorization": []string{"basic QUFBOmFhYQ==", "basic QkJCOmJiYg=="}},+				ok:       true,+				username: "AAA",+				password: "aaa",+			},+		},+		{+			name: "CasingOrdering1",+			request: []byte("GET / HTTP/1.1\r\n" ++				"Host: localhost:8080\r\n" ++				// Base64 encoding of "AAA:aaa".+				"Authorization: basic QUFBOmFhYQ==\r\n" ++				// Base64 encoding of "BBB:bbb".+				"authorization: basic QkJCOmJiYg==\r\n" ++				"\r\n"),+			want: testWant{+				// Base64 encoding of "AAA:aaa" and then of "BBB:bbb" in that order.+				headers:  map[string][]string{"Authorization": []string{"basic QUFBOmFhYQ==", "basic QkJCOmJiYg=="}},+				ok:       true,+				username: "AAA",+				password: "aaa",+			},+		},+		{+			name: "CasingOrdering2",+			request: []byte("GET / HTTP/1.1\r\n" ++				"Host: localhost:8080\r\n" ++				// Base64 encoding of "AAA:aaa".+				"authorization: basic QUFBOmFhYQ==\r\n" ++				// Base64 encoding of "BBB:bbb".+				"Authorization: basic QkJCOmJiYg==\r\n" ++				"\r\n"),+			want: testWant{+				// Base64 encoding of "AAA:aaa" and then of "BBB:bbb" in that order.+				headers:  map[string][]string{"Authorization": []string{"basic QUFBOmFhYQ==", "basic QkJCOmJiYg=="}},+				ok:       true,+				username: "AAA",+				password: "aaa",+			},+		},+	}++	for _, tt := range tests {+		t.Run(tt.name, func(t *testing.T) {+			resp, err := 
requesttesting.MakeRequest(context.Background(), tt.request, func(r *http.Request) {+				if diff := cmp.Diff(tt.want.headers, map[string][]string(r.Header)); diff != "" {+					t.Errorf("r.Header mismatch (-want +got):\n%s", diff)+				}++				username, password, ok := r.BasicAuth()+				if ok != tt.want.ok {+					t.Errorf("_, _, ok := r.BasicAuth() got: %v want: %v", ok, tt.want.ok)+				}++				if username != tt.want.username {+					t.Errorf("username, _, _ := r.BasicAuth() got: %q want: %q", username, tt.want.username)+				}++				if password != tt.want.password {+					t.Errorf("_, password, _ := r.BasicAuth() got: %q want: %q", password, tt.want.password)+				}+			})+			if err != nil {+				t.Fatalf("MakeRequest() got err: %v", err)+			}++			if !bytes.HasPrefix(resp, []byte(statusOK)) {+				got := string(resp[:bytes.IndexByte(resp, '\n')+1])
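Review bot: the Ordering, CasingOrdering1 and CasingOrdering2 cases pin down that r.BasicAuth() uses only the first Authorization value (AAA:aaa) and that a lowercase `authorization` header is canonicalized into the same slice in arrival order. Which duplicate header wins is exactly the parser-differential question these tests exist to document, so state that in the case comments rather than only "Base64 encoding of "AAA:aaa" and then of "BBB:bbb" in that order"; otherwise a later reader cannot tell whether first-wins is asserted behaviour or incidental. In the failure branch, `bytes.IndexByte(resp, '\n')` returns -1 when the response contains no newline, and `resp[:0]` then makes the "got" string empty; guard for -1 when extracting the status line.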

Ah right, %q escapes the newline characters.

I proposed in another comment to have a helper that extracts just the first line, without the \r\n.

mattiasgrenfeldt

comment created time in 3 months

Pull request review commentgoogle/go-safeweb

Header parsing tests

+package requestparsing++import (+	"bytes"+	"context"+	"io/ioutil"+	"net/http"+	"testing"++	"github.com/google/go-safeweb/testing/requesttesting"++	"github.com/google/go-cmp/cmp"+)++func TestContentLengthTransferEncoding(t *testing.T) {+	type testWant struct {+		headers          map[string][]string+		contentLength    int64+		transferEncoding []string+		body             string+	}++	var tests = []struct {+		name    string+		request []byte+		want    testWant+	}{+		{+			name: "ContentLength",+			request: []byte("GET / HTTP/1.1\r\n" ++				"Host: localhost:8080\r\n" ++				"Content-Length: 5\r\n" ++				"\r\n" ++				"ABCDE\r\n" ++				"\r\n"),+			want: testWant{+				headers:          map[string][]string{"Content-Length": []string{"5"}},+				contentLength:    5,+				transferEncoding: nil,+				body:             "ABCDE",+			},+		},+		{+			name: "ContentButNoContentLength",
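Review bot: in the ContentLength case the request ends with "ABCDE\r\n\r\n" under a Content-Length: 5 header, so the four bytes after the body are not part of this request; the server leaves them on the connection and will parse them as the start of a second, malformed request. If leaving them there is intentional (to observe what the server does with trailing bytes), say so in a comment and assert on the outcome; otherwise drop the trailing "\r\n\r\n" so the case tests only what its name says.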

General comment: these names do not have to be camel case. I usually see regular strings with spaces.

mattiasgrenfeldt

comment created time in 3 months

Pull request review commentgoogle/go-safeweb

Header parsing tests

+package requestparsing++import (+	"bytes"+	"context"+	"net/http"+	"testing"++	"github.com/google/go-cmp/cmp"++	"github.com/google/go-safeweb/testing/requesttesting"+)++func TestBasicAuth(t *testing.T) {+	type testWant struct {+		headers  map[string][]string+		ok       bool+		username string+		password string+	}++	var tests = []struct {+		name    string+		request []byte+		want    testWant+	}{+		{+			name: "Basic",+			request: []byte("GET / HTTP/1.1\r\n" ++				"Host: localhost:8080\r\n" ++				// Base64 encoding of "Pelle:Password".+				"Authorization: Basic UGVsbGU6UGFzc3dvcmQ=\r\n" ++				"\r\n"),+			want: testWant{+				// Same Base64 as above.+				headers:  map[string][]string{"Authorization": []string{"Basic UGVsbGU6UGFzc3dvcmQ="}},+				ok:       true,+				username: "Pelle",+				password: "Password",+			},+		},+		{+			name: "NoTrailingEquals",+			request: []byte("GET / HTTP/1.1\r\n" ++				"Host: localhost:8080\r\n" ++				// Base64 encoding of "Pelle:Password" without trailing equals.+				"Authorization: Basic UGVsbGU6UGFzc3dvcmQ\r\n" ++				"\r\n"),+			want: testWant{+				// Same Base64 as above.+				headers:  map[string][]string{"Authorization": []string{"Basic UGVsbGU6UGFzc3dvcmQ"}},+				ok:       false,+				username: "",+				password: "",+			},+		},+		{+			name: "DoubleColon",+			request: []byte("GET / HTTP/1.1\r\n" ++				"Host: localhost:8080\r\n" ++				// Base64 encoding of "Pelle:Password:Password".+				"Authorization: Basic UGVsbGU6UGFzc3dvcmQ6UGFzc3dvcmQ=\r\n" ++				"\r\n"),+			want: testWant{+				// Same Base64 as above.+				headers:  map[string][]string{"Authorization": []string{"Basic UGVsbGU6UGFzc3dvcmQ6UGFzc3dvcmQ="}},+				ok:       true,+				username: "Pelle",+				password: "Password:Password",+			},+		},+		{+			name: "NotBasic",+			request: []byte("GET / HTTP/1.1\r\n" ++				"Host: localhost:8080\r\n" ++				// Base64 encoding of "Pelle:Password:Password".+				"Authorization: xasic UGVsbGU6UGFzc3dvcmQ6UGFzc3dvcmQ=\r\n" ++				"\r\n"),+			want: 
testWant{+				// Same Base64 as above.+				headers:  map[string][]string{"Authorization": []string{"xasic UGVsbGU6UGFzc3dvcmQ6UGFzc3dvcmQ="}},+				ok:       false,+				username: "",+				password: "",+			},+		},+		{+			name: "Ordering",+			request: []byte("GET / HTTP/1.1\r\n" ++				"Host: localhost:8080\r\n" ++				// Base64 encoding of "AAA:aaa".+				"Authorization: basic QUFBOmFhYQ==\r\n" ++				// Base64 encoding of "BBB:bbb".+				"Authorization: basic QkJCOmJiYg==\r\n" ++				"\r\n"),+			want: testWant{+				// Base64 encoding of "AAA:aaa" and then of "BBB:bbb" in that order.+				headers:  map[string][]string{"Authorization": []string{"basic QUFBOmFhYQ==", "basic QkJCOmJiYg=="}},+				ok:       true,+				username: "AAA",+				password: "aaa",+			},+		},+		{+			name: "CasingOrdering1",+			request: []byte("GET / HTTP/1.1\r\n" ++				"Host: localhost:8080\r\n" ++				// Base64 encoding of "AAA:aaa".+				"Authorization: basic QUFBOmFhYQ==\r\n" ++				// Base64 encoding of "BBB:bbb".+				"authorization: basic QkJCOmJiYg==\r\n" ++				"\r\n"),+			want: testWant{+				// Base64 encoding of "AAA:aaa" and then of "BBB:bbb" in that order.+				headers:  map[string][]string{"Authorization": []string{"basic QUFBOmFhYQ==", "basic QkJCOmJiYg=="}},+				ok:       true,+				username: "AAA",+				password: "aaa",+			},+		},+		{+			name: "CasingOrdering2",+			request: []byte("GET / HTTP/1.1\r\n" ++				"Host: localhost:8080\r\n" ++				// Base64 encoding of "AAA:aaa".+				"authorization: basic QUFBOmFhYQ==\r\n" ++				// Base64 encoding of "BBB:bbb".+				"Authorization: basic QkJCOmJiYg==\r\n" ++				"\r\n"),+			want: testWant{+				// Base64 encoding of "AAA:aaa" and then of "BBB:bbb" in that order.+				headers:  map[string][]string{"Authorization": []string{"basic QUFBOmFhYQ==", "basic QkJCOmJiYg=="}},+				ok:       true,+				username: "AAA",+				password: "aaa",+			},+		},+	}++	for _, tt := range tests {+		t.Run(tt.name, func(t *testing.T) {+			resp, err := 
requesttesting.MakeRequest(context.Background(), tt.request, func(r *http.Request) {+				if diff := cmp.Diff(tt.want.headers, map[string][]string(r.Header)); diff != "" {+					t.Errorf("r.Header mismatch (-want +got):\n%s", diff)+				}++				username, password, ok := r.BasicAuth()+				if ok != tt.want.ok {+					t.Errorf("_, _, ok := r.BasicAuth() got: %v want: %v", ok, tt.want.ok)+				}++				if username != tt.want.username {+					t.Errorf("username, _, _ := r.BasicAuth() got: %q want: %q", username, tt.want.username)+				}++				if password != tt.want.password {+					t.Errorf("_, password, _ := r.BasicAuth() got: %q want: %q", password, tt.want.password)+				}+			})+			if err != nil {+				t.Fatalf("MakeRequest() got err: %v", err)+			}++			if !bytes.HasPrefix(resp, []byte(statusOK)) {+				got := string(resp[:bytes.IndexByte(resp, '\n')+1])
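Review bot: style, gofmt -s: inside a map[string][]string composite literal the element type can be elided, so `map[string][]string{"Authorization": []string{"Basic UGVsbGU6UGFzc3dvcmQ="}}` becomes `map[string][]string{"Authorization": {"Basic UGVsbGU6UGFzc3dvcmQ="}}` throughout the table. The callback passed to MakeRequest runs inside the server's handler, not on the test goroutine; t.Errorf is safe there but t.Fatalf is not, so keep the in-handler checks on t.Errorf as they are and add a comment on the closure saying why.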

Won't this give you the trailing newline as well? That will make the error message look weird, with a linebreak in between.

mattiasgrenfeldt

comment created time in 3 months

Pull request review commentgoogle/go-safeweb

Header parsing tests

+

nit: remove this empty line

mattiasgrenfeldt

comment created time in 3 months

Pull request review commentgoogle/go-safeweb

Header parsing tests

+package requestparsing++import (+	"bytes"+	"context"+	"net/http"+	"testing"++	"github.com/google/go-cmp/cmp"++	"github.com/google/go-safeweb/testing/requesttesting"+)++type basicAuthWant struct {+	headers  map[string][]string+	ok       bool+	username string+	password string+}++var basicAuthTests = []struct {+	name    string+	request []byte+	want    basicAuthWant+}{+	{+		name: "Basic",+		request: []byte("GET / HTTP/1.1\r\n" ++			"Host: localhost:8080\r\n" ++			"Authorization: Basic UGVsbGU6UGFzc3dvcmQ=\r\n" ++			"\r\n"),+		want: basicAuthWant{+			headers:  map[string][]string{"Authorization": []string{"Basic UGVsbGU6UGFzc3dvcmQ="}},+			ok:       true,+			username: "Pelle",+			password: "Password",+		},+	},+	{+		name: "NoTrailingEquals",+		request: []byte("GET / HTTP/1.1\r\n" ++			"Host: localhost:8080\r\n" ++			"Authorization: Basic UGVsbGU6UGFzc3dvcmQ\r\n" ++			"\r\n"),+		want: basicAuthWant{+			headers:  map[string][]string{"Authorization": []string{"Basic UGVsbGU6UGFzc3dvcmQ"}},+			ok:       false,+			username: "",+			password: "",+		},+	},+	{+		name: "DoubleColon",+		request: []byte("GET / HTTP/1.1\r\n" ++			"Host: localhost:8080\r\n" ++			"Authorization: Basic UGVsbGU6UGFzc3dvcmQ6UGFzc3dvcmQ=\r\n" ++			"\r\n"),+		want: basicAuthWant{+			headers:  map[string][]string{"Authorization": []string{"Basic UGVsbGU6UGFzc3dvcmQ6UGFzc3dvcmQ="}},+			ok:       true,+			username: "Pelle",+			password: "Password:Password",+		},+	},+	{+		name: "NotBasic",+		request: []byte("GET / HTTP/1.1\r\n" ++			"Host: localhost:8080\r\n" ++			"Authorization: xasic UGVsbGU6UGFzc3dvcmQ6UGFzc3dvcmQ=\r\n" ++			"\r\n"),+		want: basicAuthWant{+			headers:  map[string][]string{"Authorization": []string{"xasic UGVsbGU6UGFzc3dvcmQ6UGFzc3dvcmQ="}},+			ok:       false,+			username: "",+			password: "",+		},+	},+	{+		name: "Ordering",+		request: []byte("GET / HTTP/1.1\r\n" ++			"Host: localhost:8080\r\n" ++			"Authorization: basic QUFBOmFhYQ==\r\n" ++			"Authorization: basic QkJCOmJiYg==\r\n" ++			
"\r\n"),+		want: basicAuthWant{+			headers:  map[string][]string{"Authorization": []string{"basic QUFBOmFhYQ==", "basic QkJCOmJiYg=="}},+			ok:       true,+			username: "AAA",+			password: "aaa",+		},+	},+}++func TestBasicAuth(t *testing.T) {+	for _, tt := range basicAuthTests {+		t.Run(tt.name, func(t *testing.T) {+			resp, err := requesttesting.MakeRequest(context.Background(), tt.request, func(r *http.Request) {+				if diff := cmp.Diff(tt.want.headers, map[string][]string(r.Header)); diff != "" {+					t.Errorf("r.Header mismatch (-want +got):\n%s", diff)+				}++				username, password, ok := r.BasicAuth()+				if ok != tt.want.ok || username != tt.want.username || password != tt.want.password {+					t.Errorf("username, password, ok := r.BasicAuth() got: %q, %q, %v want: %q, %q, %v", username, password, ok, tt.want.username, tt.want.password, tt.want.ok)+				}+			})+			if err != nil {+				t.Errorf("MakeRequest() got: %v want: nil", err)+			}++			if !bytes.HasPrefix(resp, []byte(statusOK)) {

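Review bot: `if err != nil { t.Errorf("MakeRequest() got: %v want: nil", err) }` no longer stops the subtest, so when MakeRequest fails the following `bytes.HasPrefix(resp, []byte(statusOK))` runs on a nil or partial resp and reports a second, misleading status failure. Use t.Fatalf here, since nothing meaningful can be said about the response after a transport error, and keep t.Errorf for the assertions inside the callback only.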
I would make it a helper that just extracts the status from the response and compare that string.

if got, want := extractStatus(resp), statusOK; got != want {
  t.Errorf(...)
}
mattiasgrenfeldt

comment created time in 3 months


Pull request review commentgoogle/go-safeweb

Testing harness for HTTP request parsing

+package requestparsing++import (+	"context"+	"errors"+	"io"+	"net"+	"net/http"+	"sync"+)++type mockHandler struct {+	// called in the ServeHTTP function with the received request.+	callback func(*http.Request)+}++func (h *mockHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {+	h.callback(r)+	io.WriteString(w, "Hello world!")+}++type mockListener struct {+	closeOnce      sync.Once+	connChannel    chan net.Conn+	serverEndpoint io.Closer+	clientEndpoint net.Conn+}++// Creates a mock listener that passes requests to the HTTP server as part of+// the test harness+func newMockListener() *mockListener {+	s2c, c2s := net.Pipe()+	c := make(chan net.Conn, 1)+	c <- s2c+	return &mockListener{+		connChannel:    c,+		serverEndpoint: s2c,+		clientEndpoint: c2s,+	}+}++// Passes an endpoint to the server to enable communication to client+func (l *mockListener) Accept() (net.Conn, error) {+	ch, ok := <-l.connChannel+	if !ok {+		return nil, errors.New("Listener closed")+	}+	return ch, nil+}++func (l *mockListener) Close() (err error) {+	l.closeOnce.Do(func() {+		err = l.serverEndpoint.Close()+		if err != nil {+			return+		}+		err = l.clientEndpoint.Close()+		if err != nil {+			return+		}+		close(l.connChannel)+	})+	return err+}++func (l *mockListener) Addr() net.Addr {+	return l.clientEndpoint.LocalAddr()+}++// SendRequest writes 'request' to the clientEndpoint connection which will //send the request to the server listening on this listener.
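Review bot: Close() returns early if serverEndpoint.Close() fails, so clientEndpoint stays open and connChannel is never closed; a goroutine blocked in Accept() then waits forever and the test deadlocks instead of failing. Close all three unconditionally inside the closeOnce.Do body, remember the first non-nil error and return it. Minor: Go error strings are lowercase and unpunctuated, so `errors.New("Listener closed")` should read "listener closed".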

nit: linebreak in comment

mattiasgrenfeldt

comment created time in 3 months

Pull request review commentgoogle/go-safeweb

Testing harness for HTTP request parsing

+package requestparsing++import (+	"context"+	"errors"+	"io"+	"net"+	"net/http"+	"sync"+)++type mockHandler struct {+	// called in the ServeHTTP function with the received request.+	callback func(*http.Request)+}++func (h *mockHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {+	h.callback(r)+	io.WriteString(w, "Hello world!")+}++type mockListener struct {+	closeOnce      sync.Once+	connChannel    chan net.Conn+	serverEndpoint io.Closer+	clientEndpoint net.Conn+}++// Creates a mock listener that passes requests to the HTTP server as part of+// the test harness+func newMockListener() *mockListener {+	s2c, c2s := net.Pipe()+	c := make(chan net.Conn, 1)+	c <- s2c+	return &mockListener{+		connChannel:    c,+		serverEndpoint: s2c,+		clientEndpoint: c2s,+	}+}++// Passes an endpoint to the server to enable communication to client+func (l *mockListener) Accept() (net.Conn, error) {+	ch, ok := <-l.connChannel+	if !ok {+		return nil, errors.New("Listener closed")+	}+	return ch, nil+}++func (l *mockListener) Close() (err error) {+	l.closeOnce.Do(func() {+		err = l.serverEndpoint.Close()+		if err != nil {+			return+		}+		err = l.clientEndpoint.Close()+		if err != nil {+			return+		}+		close(l.connChannel)+	})+	return err+}++func (l *mockListener) Addr() net.Addr {+	return l.clientEndpoint.LocalAddr()+}++// SendRequest writes 'request' to the clientEndpoint connection which will //send the request to the server listening on this listener.+// Blocks until the server has read the message.+func (l *mockListener) SendRequest(request []byte) error {+	wrote, err := l.clientEndpoint.Write(request)+	if requestLen := len(request); wrote != requestLen {+		return errors.New("client connection failed to write the entire request")+	}+	return err+}++// ReadResponse reads the response from the clientEndpoint connection which is+// sent by the listening server. 
Blocks until the server has sent its response+// or times out.+func (l *mockListener) ReadResponse() ([]byte, error) {+	// TODO(maramihali@, grenfeldt@): refactor this+	bytes := make([]byte, 4096)+	n, err := l.clientEndpoint.Read(bytes)+	if n == 4096 {+		return nil, errors.New("response larger than 4096 bytes")+	}+	return bytes[:n], err+}++func makeRequest(ctx context.Context, req []byte, callbackFun func(*http.Request)) ([]byte, error) {+
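Review bot: ReadResponse does a single Read into a 4096-byte buffer and treats n == 4096 as an error. A net.Pipe delivers data write by write, so if the server emits the status line and headers in one Write and the body in another only the first chunk is returned, and a response of exactly 4096 bytes is rejected although it fit. Read in a loop (for example `ioutil.ReadAll(io.LimitReader(l.clientEndpoint, 4097))`, failing only when more than 4096 bytes arrive) and set a read deadline on clientEndpoint so that "or times out" in the doc comment is actually true. In SendRequest, check err before comparing wrote against len(request) and wrap the original error instead of replacing it: a net.Conn Write only returns a short count together with a non-nil error, so the current order hides the cause.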

nit: no empty line at the start of the function.

mattiasgrenfeldt

comment created time in 3 months

Pull request review commentgoogle/go-safeweb

Testing harness for HTTP request parsing

+package requestparsing++import (+	"context"+	"errors"+	"io"+	"net"+	"net/http"+	"sync"+)++type mockHandler struct {+	// called in the ServeHTTP function with the received request.+	callback func(*http.Request)+}++func (h *mockHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {+	h.callback(r)+	io.WriteString(w, "Hello world!")+}++type mockListener struct {+	closeOnce      sync.Once+	connChannel    chan net.Conn+	serverEndpoint io.Closer+	clientEndpoint net.Conn+}++// Creates a mock listener that passes requests to the HTTP server as part of

Function docstrings should begin with the name of the function and end with punctuation.

// newMockListener creates a ... as part of the test harness.

Also: are these fakes instead of mocks?

mattiasgrenfeldt

comment created time in 3 months

push eventbsiegert/blog

Benny Siegert

commit sha 4cd2302d165e8db21672af1d04189687281fc3ac

New blog post on using psrset on the Pinebook Pro.


push time in 3 months

issue commentgolang/go

x/image/tiff: Missing raw stream read/write

/cc @nigeltao

A priori, I am open to such a thing. It might be a useful addition. What should the API look like? Similar to archive/tar maybe?

kpym

comment created time in 3 months

push eventbsiegert/blog

Benny Siegert

commit sha 00739573802d8dba88b190e29bfad40b348a3c1c

Bump theme


push time in 3 months

PR merged bsiegert/purehugo

[Security] Bump minimist from 1.2.0 to 1.2.5 dependencies security

Bumps minimist from 1.2.0 to 1.2.5. This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database (https://github.com/advisories/GHSA-vh95-rmgr-6w4m):

  High severity vulnerability that affects minimist
  minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
  Affected versions: >= 1.0.0 < 1.2.3

Sourced from The GitHub Security Advisory Database (https://github.com/advisories/GHSA-7fhm-mqm4-2wp7):

  Moderate severity vulnerability that affects acorn and minimist
  minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
  Affected versions: < 1.2.2

Sourced from The GitHub Security Advisory Database (https://github.com/advisories/GHSA-7fhm-mqm4-2wp7):

  Moderate severity vulnerability that affects acorn, minimist, and svjsl
  There are high severity security vulnerabilities in two of ESLint's dependencies:
    • acorn (https://app.snyk.io/vuln/SNYK-JS-ACORN-559469)
    • minimist (https://app.snyk.io/vuln/SNYK-JS-MINIMIST-559764)
  The releases 1.8.3 and lower of svjsl (JSLib-npm) are vulnerable, but only if installed in a developer environment. A patch has been released (v1.8.4) which fixes these vulnerabilities.
  Identifiers:
    • CVE-2020-7598 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7598)
    • SNYK-JS-ACORN-559469 (doesn't have a CVE identifier)
  Affected versions: < 1.2.2

Commits

  • aeb3e27 1.2.5 (https://github.com/substack/minimist/commit/aeb3e27dae0412de5c0494e9563a5f10c82cc7a9)
  • 278677b 1.2.4 (https://github.com/substack/minimist/commit/278677b171d956b46613a158c6c486c3ef979b20)
  • 4cf1354 security notice (https://github.com/substack/minimist/commit/4cf1354839cb972e38496d35e12f806eea92c11f)
  • 1043d21 additional test for constructor prototype pollution (https://github.com/substack/minimist/commit/1043d212c3caaf871966e710f52cfdf02f9eea4b)
  • 6457d74 1.2.3 (https://github.com/substack/minimist/commit/6457d7440a47f329c12c4a5abfbce211c4235b93)
  • 38a4d1c even more aggressive checks for protocol pollution (https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab)
  • 13c01a5 more failing proto pollution tests (https://github.com/substack/minimist/commit/13c01a5327736903704984b7f65616b8476850cc)
  • f34df07 1.2.2 (https://github.com/substack/minimist/commit/f34df077a6b2bee1344188849a95e66777109e89)
  • 67d3722 cleanup (https://github.com/substack/minimist/commit/67d3722413448d00a62963d2d30c34656a92d7e2)
  • 63e7ed0 don't assign onto __proto__ (https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94)
  • Additional commits viewable in compare view (https://github.com/substack/minimist/compare/1.2.0...1.2.5)


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

+3 -3

0 comment

1 changed file

dependabot-preview[bot]

pr closed time in 3 months

push event bsiegert/purehugo

dependabot-preview[bot]

commit sha 65f227edf7feb54a76e6cb194ac066d2074164a0

[Security] Bump minimist from 1.2.0 to 1.2.5 Bumps [minimist](https://github.com/substack/minimist) from 1.2.0 to 1.2.5. **This update includes security fixes.** - [Release notes](https://github.com/substack/minimist/releases) - [Commits](https://github.com/substack/minimist/compare/1.2.0...1.2.5) Signed-off-by: dependabot-preview[bot] <support@dependabot.com>


Benny Siegert

commit sha 81d0427bfe7801e8b577bb1facd3aaf51043938a

Merge remote-tracking branch 'origin/dependabot/npm_and_yarn/minimist-1.2.5' Fixes #4


push time in 3 months

PR closed bsiegert/purehugo

[Security] Bump minimist from 1.2.0 to 1.2.5 dependencies security

Bumps minimist from 1.2.0 to 1.2.5. This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database (https://github.com/advisories/GHSA-vh95-rmgr-6w4m):

  High severity vulnerability that affects minimist. minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload. Affected versions: >= 1.0.0 < 1.2.3

Sourced from The GitHub Security Advisory Database (https://github.com/advisories/GHSA-7fhm-mqm4-2wp7):

  Moderate severity vulnerability that affects acorn and minimist. minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload. Affected versions: < 1.2.2

Sourced from The GitHub Security Advisory Database (https://github.com/advisories/GHSA-7fhm-mqm4-2wp7):

  Moderate severity vulnerability that affects acorn, minimist, and svjsl. There are high severity security vulnerabilities in two of ESLint's dependencies:

  • acorn (https://app.snyk.io/vuln/SNYK-JS-ACORN-559469)
  • minimist (https://app.snyk.io/vuln/SNYK-JS-MINIMIST-559764)

  The releases 1.8.3 and lower of svjsl (JSLib-npm) are vulnerable, but only if installed in a developer environment. A patch has been released (v1.8.4) which fixes these vulnerabilities.

  Identifiers:

  • CVE-2020-7598 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7598)
  • SNYK-JS-ACORN-559469 (doesn't have a CVE identifier)

  Affected versions: < 1.2.2

Commits

  • aeb3e27 1.2.5 (https://github.com/substack/minimist/commit/aeb3e27dae0412de5c0494e9563a5f10c82cc7a9)
  • 278677b 1.2.4 (https://github.com/substack/minimist/commit/278677b171d956b46613a158c6c486c3ef979b20)
  • 4cf1354 security notice (https://github.com/substack/minimist/commit/4cf1354839cb972e38496d35e12f806eea92c11f)
  • 1043d21 additional test for constructor prototype pollution (https://github.com/substack/minimist/commit/1043d212c3caaf871966e710f52cfdf02f9eea4b)
  • 6457d74 1.2.3 (https://github.com/substack/minimist/commit/6457d7440a47f329c12c4a5abfbce211c4235b93)
  • 38a4d1c even more aggressive checks for protocol pollution (https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab)
  • 13c01a5 more failing proto pollution tests (https://github.com/substack/minimist/commit/13c01a5327736903704984b7f65616b8476850cc)
  • f34df07 1.2.2 (https://github.com/substack/minimist/commit/f34df077a6b2bee1344188849a95e66777109e89)
  • 67d3722 cleanup (https://github.com/substack/minimist/commit/67d3722413448d00a62963d2d30c34656a92d7e2)
  • 63e7ed0 don't assign onto __proto__ (https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94)
  • Additional commits viewable in compare view (https://github.com/substack/minimist/compare/1.2.0...1.2.5)


+3 -3

0 comment

1 changed file

dependabot-preview[bot]

pr closed time in 3 months
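The advisory quoted in the PR above names the bug class (a "constructor" or "__proto__" key reaching Object.prototype) but not the mechanism. The following is an added example and not minimist's own code: a toy argv parser in the same style, where `--a.b=c` is handled by walking the dotted key path and creating intermediate objects, shown first without and then with a guard on the special keys. The payload strings, the `polluted` property name, `FORBIDDEN_KEYS` and the helper names are all constructed for this illustration; the guard here is one reasonable fix, not a copy of the one minimist 1.2.3 shipped.

```javascript
// Keys that, when walked as a path segment on an ordinary object, land on a shared
// prototype instead of on the result object. (This list is the example's own.)
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walks `path` from `obj`, creating intermediate containers, and assigns `value` at the end.
// With guard=false this mirrors the vulnerable behaviour: on a plain object `obj['__proto__']`
// evaluates to Object.prototype, so `--__proto__.polluted=yes` writes onto every object in
// the process, and `obj.constructor.prototype` reaches the same place.
function setPath(obj, path, value, guard) {
  let cur = obj;
  for (let i = 0; i < path.length; i++) {
    const key = path[i];
    if (guard && FORBIDDEN_KEYS.has(key)) return false; // hardened: refuse the whole option
    if (i === path.length - 1) {
      cur[key] = value;
      return true;
    }
    if (cur[key] === undefined) {
      // Null-prototype containers have no inherited `__proto__` accessor or `constructor`,
      // so even a lookup that slipped past the deny-list could not reach Object.prototype.
      cur[key] = guard ? Object.create(null) : {};
    }
    cur = cur[key];
  }
  return false; // only reached for an empty path
}

// Toy parser: handles only `--dotted.key=value`; every other argument is ignored.
function parseArgs(argv, guard) {
  const out = guard ? Object.create(null) : {};
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (m) setPath(out, m[1].split('.'), m[2], guard);
  }
  return out;
}

// Constructed attacker input: both key shapes the advisory names, plus one benign option.
const PAYLOADS = [
  '--__proto__.polluted=yes',
  '--constructor.prototype.polluted=yes',
  '--name=alice',
];

// Runs the payload through the unguarded parser and checks whether a fresh, unrelated
// object inherited the attacker's property. Deletes it from Object.prototype afterwards so
// nothing else in the process stays polluted.
function demonstratePollution(argv) {
  const before = ({}).polluted;
  parseArgs(argv, false);
  const victim = {};                  // created after parsing, never touched directly
  const after = victim.polluted;
  delete Object.prototype.polluted;   // cleanup
  return { before, after };
}

// Same payload through the guarded parser: nothing leaks and only the benign key survives.
function demonstrateHardened(argv) {
  const result = parseArgs(argv, true);
  return { leaked: ({}).polluted, ownKeys: Object.keys(result), name: result.name };
}

console.log('vulnerable:', demonstratePollution(PAYLOADS)); // { before: undefined, after: 'yes' }
console.log('hardened:  ', demonstrateHardened(PAYLOADS));  // { leaked: undefined, ownKeys: [ 'name' ], name: 'alice' }
```

The deny-list alone is enough to stop the two payloads above; the null-prototype containers are belt-and-braces so that a future key shape nobody thought to list still cannot walk onto a shared prototype.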

push event bsiegert/purehugo

dependabot-preview[bot]

commit sha 118af0ef633e312eaa5f4d48e4879c371f832ba5

[Security] Bump concat-with-sourcemaps from 1.0.5 to 1.1.0 Bumps [concat-with-sourcemaps](https://github.com/floridoo/concat-with-sourcemaps) from 1.0.5 to 1.1.0. **This update includes a security fix.** - [Release notes](https://github.com/floridoo/concat-with-sourcemaps/releases) - [Commits](https://github.com/floridoo/concat-with-sourcemaps/commits) Signed-off-by: dependabot-preview[bot] <support@dependabot.com>


Benny Siegert

commit sha 974d2c6e80a012dffe83a056f22ba779b7bc4f81

Merge remote-tracking branch 'origin/dependabot/npm_and_yarn/concat-with-sourcemaps-1.1.0' Fixes #3.


push time in 3 months

PR merged bsiegert/purehugo

[Security] Bump concat-with-sourcemaps from 1.0.5 to 1.1.0 dependencies security

Bumps concat-with-sourcemaps from 1.0.5 to 1.1.0. This update includes a security fix.

Vulnerabilities fixed

Sourced from The Node Security Working Group (https://github.com/nodejs/security-wg/blob/master/vuln/npm/416.json):

  Out-of-bounds Read. concat-with-sourcemaps allocates uninitialized Buffers when a number is passed as a separator. Affected versions: <=1.0.5

Commits

  • See full diff in compare view (https://github.com/floridoo/concat-with-sourcemaps/commits)

Maintainer changes

  This version was pushed to npm by floridoo (https://www.npmjs.com/~floridoo), a new releaser for concat-with-sourcemaps since your current version.


+3 -3

0 comment

1 changed file

dependabot-preview[bot]

pr closed time in 3 months
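The advisory quoted in the PR above says the package allocated uninitialized Buffers when a number was passed as a separator. The following added example is not concat-with-sourcemaps' own code; it reconstructs the bug class with a small join helper. `legacyBuffer` stands in for the pre-Node 8 `Buffer(arg)` constructor, where a number meant "allocate this many bytes" and a string meant "encode this"; current Node zero-fills `Buffer(number)`, so `Buffer.allocUnsafe` is used to keep the old semantics. The chunk values, `CHUNKS`, `compare` and the function names are constructed for this illustration.

```javascript
// Stand-in for the legacy Buffer(arg) constructor as it behaved before Node 8: a number is a
// *size* and yields memory that was never cleared, anything else is *content*.
function legacyBuffer(arg) {
  return typeof arg === 'number' ? Buffer.allocUnsafe(arg) : Buffer.from(String(arg));
}

function concatWith(chunks, sepBuf) {
  const parts = [];
  chunks.forEach((c, i) => {
    if (i > 0) parts.push(sepBuf);
    parts.push(Buffer.from(c));
  });
  return Buffer.concat(parts);
}

// Vulnerable join: whatever the caller passes as `sep` goes straight to the constructor, so a
// numeric separator inserts `sep` bytes of stale heap between the chunks instead of the digits
// the caller presumably meant. The output length is attacker-controlled and, on old Node, the
// bytes are whatever that memory last held.
function joinVulnerable(chunks, sep) {
  return concatWith(chunks, legacyBuffer(sep));
}

// Hardened join: only strings and Buffers are acceptable separator content. Everything else
// is rejected before any allocation, so a number can never be reinterpreted as a size.
function joinHardened(chunks, sep) {
  if (typeof sep !== 'string' && !Buffer.isBuffer(sep)) {
    throw new TypeError('separator must be a string or Buffer, got ' + typeof sep);
  }
  return concatWith(chunks, Buffer.isBuffer(sep) ? sep : Buffer.from(sep));
}

// Constructed sample input.
const CHUNKS = ['alpha', 'beta'];

// Reports how each variant interprets the given separator.
function compare(sep) {
  const vuln = joinVulnerable(CHUNKS, sep);
  let hardened;
  try {
    hardened = joinHardened(CHUNKS, sep).toString();
  } catch (e) {
    hardened = e.constructor.name;
  }
  return {
    vulnerableLength: vuln.length,                                   // chunks + sep bytes
    vulnerableMatchesJoin: vuln.toString() === CHUNKS.join(String(sep)),
    hardened,
  };
}

console.log(compare(4));    // { vulnerableLength: 13, vulnerableMatchesJoin: false, hardened: 'TypeError' }
console.log(compare(', ')); // { vulnerableLength: 11, vulnerableMatchesJoin: true, hardened: 'alpha, beta' }
```

With the numeric separator the vulnerable join returns 5 + 4 + 4 bytes, four of which the caller never wrote; the hardened join refuses the call instead of guessing what the number meant.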

push event bsiegert/blog

Benny Siegert

commit sha 980d69e6faa41a6938cacc2802cf47ce12f73be7

Bump theme version.


push time in 3 months

push event bsiegert/purehugo

Benny Siegert

commit sha b4123d6ac40b217e91f622005b3bf690ddfa0479

Fix workflow name for GH Actions.


push time in 3 months

push event bsiegert/purehugo

dependabot-preview[bot]

commit sha 2381fea5918c2f1601feb32cb0c63e0874751de9

Bump gulp from 3.9.1 to 4.0.2 Bumps [gulp](https://github.com/gulpjs/gulp) from 3.9.1 to 4.0.2. - [Release notes](https://github.com/gulpjs/gulp/releases) - [Changelog](https://github.com/gulpjs/gulp/blob/master/CHANGELOG.md) - [Commits](https://github.com/gulpjs/gulp/compare/v3.9.1...v4.0.2) Signed-off-by: dependabot-preview[bot] <support@dependabot.com>


dependabot-preview[bot]

commit sha a5ac1ed0d5d8a24e0f3c4747e2c14cee9d9200f6

Bump gulp-uglify from 1.5.4 to 3.0.2 Bumps [gulp-uglify](https://github.com/terinjokes/gulp-uglify) from 1.5.4 to 3.0.2. - [Release notes](https://github.com/terinjokes/gulp-uglify/releases) - [Changelog](https://github.com/terinjokes/gulp-uglify/blob/master/CHANGELOG.md) - [Commits](https://github.com/terinjokes/gulp-uglify/compare/v1.5.4...v3.0.2) Signed-off-by: dependabot-preview[bot] <support@dependabot.com>


Benny Siegert

commit sha 3fcf14f3edaa1a6e6b0067770ebeb9f61ae1b4b9

Updating to Gulp v4: rewrite gulpfile.


Benny Siegert

commit sha 6c0ff725610d45846f45b13f4fc58428fd621462

regen


push time in 3 months
