
Martin Dickopp mdickopp

  • Berlin, Germany
@mdickopp
mdickopp / Sandboxing-npm.md
Last active November 30, 2025 12:45
Sandboxing npm


The script wrapper.sh runs npm in a sandboxed environment on Linux systems. It is based on the bwrap command, which is provided by the bubblewrap package. Its purpose is to mitigate some kinds of supply chain attacks.

To install it, store it in a directory under the name npm and make it executable. Create a symlink npx to the script in the same directory – likewise for other commands you want to sandbox. Add the directory to your PATH environment variable instead of or before the directory where the

use bevy_ecs::component::Component;
#[derive(Component)]
struct C0000;
#[derive(Component)]
struct C0001;
#[derive(Component)]
struct C0002;
@mdickopp
mdickopp / CVE-2024-22893.md
Created September 25, 2024 12:59
CVE-2024-22893


Password validation vulnerable to timing attacks in OpenSlides 4.0.15

OpenSlides 4.0.15 verifies passwords by comparing password hashes using a function with content-dependent runtime. This can allow attackers to obtain information about the password hash using a timing attack.

This vulnerability has been fixed in OpenSlides 4.0.16.

@mdickopp
mdickopp / CVE-2024-22892.md
Created September 25, 2024 12:51
CVE-2024-22892


Weak password hashing in OpenSlides 4.0.15

OpenSlides 4.0.15 hashes passwords by applying a single round of SHA-512 to the cleartext password and the salt. Attackers who have obtained the hashed passwords can therefore calculate the cleartext passwords within a very short amount of time, using massively-parallel computing (such as cloud computing) and GPU, ASIC, or FPGA hardware.