week 16, 2022

Find what JavaScript variables are leaking

Detecting variables that are mistakenly or unknowingly added to the global scope can be helpful to debug your apps and avoid naming collisions. The more a web app and its dependencies grow, the more having a good understanding of what’s happening in the global scope becomes important (e.g., to ensure multiple libraries — or even multiple apps! — can coexist on the page without global name collisions).

Source: Find what JavaScript variables are leaking into the global scope, an article by Matteo Mazzarolo.

The temptation of writing shell scripts, illustrated

It's an article of faith in many quarters that you shouldn't write anything much as a shell script and should instead use a proper programming language. I generally agree with this in theory, but recently I went through a great experience of why this doesn't necessarily work out for me in practice, as I wrote (and then rewrote) a shell script that really should be a program in, say, Python.

Source: The temptation of writing shell scripts, illustrated, an article by Chris Siebenmann.

Extracting WhatsApp messages from an iOS backup

I was recently exploring how to get a local backup of WhatsApp messages from my iPhone. I switched from Android to iOS in the past and lost all of my WhatsApp messages. I wanted to make sure that if I switched again from iOS to Android I don’t lose any messages. I don’t really care if I can import the messages in WhatsApp. I just don’t want to lose all of the important information I have in my chats. I don’t have any immediate plans for switching (if ever) but it seemed like a fun challenge and so I started surveying the available tools and how they work.

This was mostly a learning exercise for me regarding how Apple stores iOS backups and how I can selectively extract information and data from one. My target was to have a local copy of WhatsApp messages that I can read and search through locally. It would be doubly awesome if I can move the messages to an Android device but, as I mentioned before, that wasn’t my main aim.

Source: Extracting WhatsApp messages from an iOS backup, an article by Yasoob Khalid.

Rust traits and dependency injection

Dependency injection is one of my favorite design patterns to develop highly-testable and modular code. To apply this pattern, all you have to do is follow two simple guidelines:

  1. Separate object construction from usage. In practical terms: stop creating objects inside constructors and take those objects as input arguments.
  2. Use interfaces instead of concrete types as constructor parameters. In this way, the receiver remains agnostic to the implementation of those types and thus it becomes possible to supply different implementations.

Source: Rust traits and dependency injection, an article by Julio Merino.
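The two guidelines above, as an added example that is not from Julio Merino's article and is written in Python rather than Rust so that the examples on this page share one language. The names (Clock, SystemClock, FakeClock, LoginThrottle, demo) are mine. LoginThrottle receives its clock as a constructor argument instead of calling time.time() itself (guideline 1), and the argument is typed as a Protocol rather than a concrete class (guideline 2), which is what lets a test drive the lockout window deterministically with a fake clock.

```python
# Added example, not from the linked article: dependency injection following
# the two guidelines. LoginThrottle takes a Clock at construction time instead
# of calling time.time() itself (1), and the parameter is typed as a Protocol,
# not as a concrete class (2), so tests can substitute a controllable clock.
import time
from collections import defaultdict, deque
from typing import Protocol


class Clock(Protocol):
    """Interface the throttle depends on; any object with now() -> float fits."""

    def now(self) -> float: ...


class SystemClock:
    """Production implementation backed by the wall clock."""

    def now(self) -> float:
        return time.time()


class FakeClock:
    """Test implementation whose time only moves when the test says so."""

    def __init__(self, start: float = 0.0) -> None:
        self._t = start

    def now(self) -> float:
        return self._t

    def advance(self, seconds: float) -> None:
        self._t += seconds


class LoginThrottle:
    """Locks an account after max_failures failed logins within window seconds."""

    def __init__(self, clock: Clock, max_failures: int = 5, window: float = 300.0) -> None:
        self._clock = clock  # injected by the caller, never constructed here
        self._max_failures = max_failures
        self._window = window
        self._failures: dict[str, deque[float]] = defaultdict(deque)

    def _prune(self, user: str) -> deque[float]:
        """Drop failure timestamps that have aged out of the window."""
        q = self._failures[user]
        cutoff = self._clock.now() - self._window
        while q and q[0] <= cutoff:
            q.popleft()
        return q

    def record_failure(self, user: str) -> None:
        self._prune(user).append(self._clock.now())

    def is_locked(self, user: str) -> bool:
        return len(self._prune(user)) >= self._max_failures


def demo() -> tuple[bool, bool]:
    """Drive the throttle with a FakeClock; returns (locked, locked_after_window)."""
    clock = FakeClock()
    throttle = LoginThrottle(clock, max_failures=3, window=60.0)
    for _ in range(3):
        throttle.record_failure("alice")
    locked = throttle.is_locked("alice")
    clock.advance(61.0)  # step past the window without sleeping
    return locked, throttle.is_locked("alice")


if __name__ == "__main__":
    print(demo())  # production code would pass SystemClock() instead
```

Because the throttle only ever sees the Clock interface, the test never sleeps and never depends on the machine's real time; swapping in SystemClock() at the composition root is the only change needed for production.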

Dune (2021)

A noble family becomes embroiled in a war for control over the galaxy's most valuable asset while its heir becomes troubled by visions of a dark future.

In the evening we watched Dune. Alice and Adam got tired and fell asleep. I liked the movie a lot; 8 out of 10.

Beyond Skyline (2017)

A tough-as-nails detective embarks on a relentless pursuit to free his son from a nightmarish alien warship.

In the evening we watched Beyond Skyline, an SF movie so bad that it was actually OKish to watch. So I give it a 6 out of 10.

Memray

Memray is a memory profiler for Python. It can track memory allocations in Python code, in native extension modules, and in the Python interpreter itself. It can generate several different types of reports to help you analyze the captured memory usage data. While commonly used as a CLI tool, it can also be used as a library to perform more fine-grained profiling tasks.

Source: Memray is a memory profiler for Python.

Introduction to Doctests in Haskell

Documenting software can be challenging, but it doesn’t always need to be so.

In this article, we’ll introduce doctests: a concept that makes the documentation process pleasant and effective.

By putting tests inside module docs, doctests allow functions to speak for themselves and help you get the most out of your testing efforts.

Source: Introduction to Doctests in Haskell, an article by Nurlan Alkuatov.

CVE-2022-21449: Psychic Signatures in Java

It turns out that some recent releases of Java were vulnerable to a similar kind of trick, in the implementation of widely-used ECDSA signatures. If you are running one of the vulnerable versions then an attacker can easily forge some types of SSL certificates and handshakes (allowing interception and modification of communications), signed JWTs, SAML assertions or OIDC id tokens, and even WebAuthn authentication messages. All using the digital equivalent of a blank piece of paper.

Source: CVE-2022-21449: Psychic Signatures in Java, an article by Neil Madden.
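As an added illustration (my own code, not from Neil Madden's article): ECDSA only defines a signature for components r and s in the range [1, n-1], where n is the curve's group order, and a verifier has to reject anything outside that range before it does any curve arithmetic. The "blank piece of paper" the article refers to is a signature whose components are zero, which a verifier that skips the range check accepts. The code below decodes a signature in either DER form (SEQUENCE of two INTEGERs) or the fixed-width r || s form used by JWS ES256, and applies the range check for P-256. The function names are mine, and the sample signatures are constructed for the demonstration, not real ones.

```python
# Added example, not code from the linked article. It shows the range check
# an ECDSA verifier must apply before any curve arithmetic: a signature is
# only defined for components 1 <= r <= n-1 and 1 <= s <= n-1, where n is
# the curve's group order. A verifier that omits the check accepts an
# all-zero signature, which is what makes CVE-2022-21449 a "blank piece of
# paper".

# Group order n of NIST P-256 (secp256r1); a public curve constant.
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def parse_der_ecdsa_signature(sig: bytes) -> tuple[int, int]:
    """Decode ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER } (strict DER).

    Only short-form lengths (<= 127 bytes) are handled, which covers every
    curve up to P-521. Anything malformed raises ValueError.
    """
    if len(sig) < 8 or sig[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if sig[1] > 0x7F or sig[1] != len(sig) - 2:
        raise ValueError("bad SEQUENCE length")
    pos = 2
    values = []
    for _ in range(2):
        if pos + 2 > len(sig):
            raise ValueError("truncated INTEGER header")
        if sig[pos] != 0x02:
            raise ValueError("expected INTEGER")
        length = sig[pos + 1]
        if length == 0 or length > 0x7F:
            raise ValueError("bad INTEGER length")
        body = sig[pos + 2 : pos + 2 + length]
        if len(body) != length:
            raise ValueError("truncated INTEGER")
        if body[0] & 0x80:
            raise ValueError("negative INTEGER not allowed")
        # DER requires the shortest encoding: a leading 0x00 is only allowed
        # when it is needed to keep the sign bit clear.
        if length > 1 and body[0] == 0x00 and not (body[1] & 0x80):
            raise ValueError("non-minimal INTEGER")
        values.append(int.from_bytes(body, "big"))
        pos += 2 + length
    if pos != len(sig):
        raise ValueError("trailing data after signature")
    return values[0], values[1]


def parse_p1363_ecdsa_signature(sig: bytes, order: int = P256_ORDER) -> tuple[int, int]:
    """Decode the fixed-width r || s encoding (IEEE P1363), used by JWS ES256."""
    width = (order.bit_length() + 7) // 8
    if len(sig) != 2 * width:
        raise ValueError(f"expected {2 * width} bytes, got {len(sig)}")
    return int.from_bytes(sig[:width], "big"), int.from_bytes(sig[width:], "big")


def components_in_range(r: int, s: int, order: int = P256_ORDER) -> bool:
    """The check itself: both components must lie in [1, n-1]."""
    return 1 <= r <= order - 1 and 1 <= s <= order - 1


def signature_passes_precheck(sig: bytes, encoding: str, order: int = P256_ORDER) -> bool:
    """True only if sig decodes and its (r, s) are in range.

    This is the pre-check a verifier runs before the curve arithmetic; it does
    not by itself verify the signature against a key and message.
    """
    try:
        if encoding == "der":
            r, s = parse_der_ecdsa_signature(sig)
        elif encoding == "p1363":
            r, s = parse_p1363_ecdsa_signature(sig, order)
        else:
            raise ValueError(f"unknown encoding {encoding!r}")
    except ValueError:
        return False
    return components_in_range(r, s, order)


# Constructed sample inputs for the demonstration (not real signatures).
ALL_ZERO_DER = bytes.fromhex("3006020100020100")          # r = 0, s = 0
ALL_ZERO_P1363 = bytes(64)                                 # r = 0, s = 0 for P-256
IN_RANGE_DER = bytes.fromhex("30080202010202020304")       # r = 258, s = 772
OUT_OF_RANGE_P1363 = P256_ORDER.to_bytes(32, "big") * 2    # r = s = n

if __name__ == "__main__":
    for label, sig, enc in [
        ("all-zero DER", ALL_ZERO_DER, "der"),
        ("all-zero P1363", ALL_ZERO_P1363, "p1363"),
        ("in-range DER", IN_RANGE_DER, "der"),
        ("r = s = n P1363", OUT_OF_RANGE_P1363, "p1363"),
    ]:
        print(f"{label:18s} passes precheck = {signature_passes_precheck(sig, enc)}")
```

The two decoders exist because both encodings reach real verifiers: TLS and X.509 carry DER, while JWS and WebAuthn-style APIs commonly carry the fixed-width form, and the range check has to sit behind every entry point. When auditing a verifier, the question to ask is whether this check runs unconditionally before the curve computation, not whether the arithmetic itself is right.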

Smart SSH bastion that works with any SSH client

Warpgate is a smart SSH bastion host for Linux that can be used with any SSH client.

  • Set it up in your DMZ, add user accounts and easily assign them to specific hosts within the network.
  • Warpgate will record every session for you to replay and review later through a built-in admin web UI.
  • Not a jump host - forwards your connections straight to the target instead.
  • Single-file statically linked binary with no dependencies.
  • Written in 100% safe Rust.

Source: Warpgate.

Analyzing iMessage with SQL

iMessage is one of the most popular messaging platforms today, largely because it is built into iOS and Mac devices. Since its release, it has evolved significantly. But, at its core, it is simply an instant messaging platform. iMessage uses SQLite in the background to store relational data about messages, conversations, and their participants.

Source: Analyzing iMessage with SQL, an article by Daniel Lifflander.