This is a living document. Everything in this document is made in good faith of being accurate, but like I just said; we don't yet know everything about what's going on.
On March 29th, 2024, a backdoor was discovered in xz-utils, a suite of software that
This Gist aims to centralise the most relevant public sources of information related to the HTTP/2 Rapid Reset vulnerability. This vulnerability has been disclosed jointly by Google, Amazon AWS, and Cloudflare on 10 October 2023 at 12:00 UTC.
Please help us make this page as comprehensive as possible by contributing relevant references, vendor advisories and statements, mitigations, etc.
| #!/bin/bash | |
| # | |
| # dump.sh | |
| # | |
| # Dumps messages and attachments for selected 1-1 direct messages, and selected named | |
| # channels and group PMs, from the authenticated Slack workspace. Subsequent runs will | |
| # fetch only the new content since the previous run. | |
| # | |
| # NOTE: This will cache the user and channel listing, so if new users or channels are | |
| # expected it is best to delete these files so they are re-acquired. |
It happens that there are many standards for storing cryptography materials (key, certificate, ...) and it isn't always obvious to know which standard is used by just looking at file name extension or file content. There are bunch of questions on stackoverflow asking about how to convert from PEM to PKCS#8 or PKCS#12, while many tried to answer the questions, those answers may not help because the correct answer depends on the content inside the PEM file. That is, a PEM file can contain many different things, such as an X509 certificate, a PKCS#1 or PKCS#8 private key. The worst-case scenario is that someone just store a non-PEM content in "something.pem" file.
| ''' | |
| Script to archive Slack messages from a channel list. | |
| You have to create a Slack Bot and invite him to private channels. | |
| View https://github.com/docmarionum1/slack-archive-bot for how to configure your account. | |
| Then provide the bot token to this script with the list of channels. | |
| ''' | |
| TOKEN='xoxb-xxxxx-xxxxxx-xxxxxxxxxxx' | |
| channels = { |
| { | |
| "_type":"export", | |
| "__export_format":4, | |
| "__export_date":"2020-02-03T22:17:29.587Z", | |
| "__export_source":"insomnia.desktop.app:v7.0.6", | |
| "resources":[ | |
| { | |
| "_id":"req_1a56b9b120a94264b79018d1ecee95f3", | |
| "authentication":{ | |
| "accessTokenUrl":"https://identity.xero.com/connect/token", |
| Here is a workaround for the lack of a client credentials flow in Xero's OAuth 2.0 / OpenID Connect implementation. | |
| From Xero's FAQ: https://developer.xero.com/faq/all/oauth-private | |
| "Is there an equivalent of two-legged private apps in OAuth 2.0? | |
| No, all users will follow the same OAuth 2.0 code flow. | |
| Once you have an access token and refresh token you can refresh indefinitely or until the token is revoked by the user." | |
| Workaround: | |
| 1. Login to Xero as the Xero user to use for the machine-to-machine flow workaround. |
Use your service account's key JSON file to get an access token to call Google APIs.
Good for seeing how things work, including the creation of JWT token.
To create a JWT token, you can replace create-jwt-token.sh script with tools like step.
If you just want to get an access token for a service account,
| # === EDITOR === | |
| Pry.editor = 'vi' | |
| # === PROMPT === | |
| Pry.prompt = [ ->(obj, nest_level, _) { "✎ " }, ->(obj, nest_level, _) { "#{' ' * nest_level} " } ] | |
| # === COLORS === | |
| unless ENV['PRY_BW'] | |
| Pry.color = true | |
| Pry.config.theme = "railscasts" |
