Mike Samuel mikesamuel

## gist:1885435

      
              1 file
            
          
              867 forks
            
          
              188 comments
            
          
              2992 stars
            
          
                CristinaSolana
                / gist:1885435
            
            
              Created
              February 22, 2012 14:56
            
              
                Keeping a fork up to date
              
          
    1. Clone your fork:

git clone git@github.com:YOUR-USERNAME/YOUR-FORKED-REPO.git

2. Add remote from original repository in your forked repository:

cd into/cloned/fork-repo
git remote add upstream git://github.com/ORIGINAL-DEV-USERNAME/REPO-YOU-FORKED-FROM.git
git fetch upstream


## escape-vm.js
"use strict";
const vm = require("vm");

const sandbox = { anObject: {} };
const whatIsThis = vm.runInNewContext(`
    const ForeignObject = anObject.constructor;
    const ForeignFunction = ForeignObject.constructor;
    const process = ForeignFunction("return process")();
    const require = process.mainModule.require;
    require("fs");

## .gitlab-ci.yml
image: java:8-jdk

stages:
  - build
  - test
  - deploy

before_script:
#  - echo `pwd` # debug
#  - echo "$CI_BUILD_NAME, $CI_BUILD_REF_NAME $CI_BUILD_STAGE" # debug

## header-safe-defaults.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              3 stars
            
          
                mikesamuel
                / header-safe-defaults.md
            
            
              Last active
              June 19, 2021 04:08
            
              
                Golang header safe defaults library proposal
              
          
    Secure Header Set

_{^{tinyurl.com/sec-header-sets}}
A proposed library that provides safe defaults (with opt-out) for security-relevant HTTP response headers.


Secure Header Set
Background


## api.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              1 star
            
          
                mikesamuel
                / api.md
            
            
              Last active
              October 30, 2017 16:20
            
              
                API for building URL classifiers
              
          
    URL Classifier Builder

This is now implemented: https://github.com/OWASP/url-classifier
Problem

Matching URLs with regular expressions is hard.
Even experienced programmers who are familiar with the URL spec produce code like /http:\/\/example.com/
which spuriously matches unintended URLs like

  
## frenemies.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              1 star
            
          
                mikesamuel
                / frenemies.md
            
            
              Last active
              February 28, 2018 16:29
            
              
                Frenemies: Mutual suspicion in Node.js
              
          
    Node Frenemies

Lets project teams trust code they know with more than code they don't.

Goal
Non-goals
Use Case Summary
Solution: Node module loader acts as trusted intermediary to enable mutual suspicion

Reliable Channel Example


Example Code


## hashable-json.js
"use strict";

// Prompted by https://esdiscuss.org/topic/json-canonicalize

// Given a string of JSON produces a string of JSON without unnecessary
// degrees of freedom like whitespace, optional escape sequences, and
// unnecessary variance in number representation.
function hashable(json) {
  const strs = []  // Side table to collect string bodies
  return reorderProperties(

## README.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              2 stars
            
          
                mikesamuel
                / README.md
            
            
              Last active
              June 23, 2018 01:18
            
              
                Options for Hardening React &| JSX
              
          
    Options for Hardening React &| JSX


Background
Problem
Options

Before Desugar
After Desugar
Mutate CreateElement
Mutate Reconciler


Hybrid of Before Desugar and Mutate Reconciler
	"use strict";
	const vm = require("vm");

	const sandbox = { anObject: {} };
	const whatIsThis = vm.runInNewContext(`
	const ForeignObject = anObject.constructor;
	const ForeignFunction = ForeignObject.constructor;
	const process = ForeignFunction("return process")();
	const require = process.mainModule.require;
	require("fs");
	image: java:8-jdk

	stages:
	- build
	- test
	- deploy

	before_script:
	# - echo `pwd` # debug
	# - echo "$CI_BUILD_NAME, $CI_BUILD_REF_NAME $CI_BUILD_STAGE" # debug
	"use strict";

	// Prompted by https://esdiscuss.org/topic/json-canonicalize

	// Given a string of JSON produces a string of JSON without unnecessary
	// degrees of freedom like whitespace, optional escape sequences, and
	// unnecessary variance in number representation.
	function hashable(json) {
	const strs = [] // Side table to collect string bodies
	return reorderProperties(