Mum: Nikaangalia umri wa huyu mwanamke, kweli nilichoka. Na vile nilichoka na nikaona Kijana yangu anampenda nikaona sitaingilia.
Son: Gari huoni body unaangalia engine. ππππ
Just shipped my first open source security contribution π.
I ran a Trivy SAST scan on @formbricks, found a CRITICAL stored XSS vulnerability (CVE-2026-44990, CVSS 9.3), reproduced it locally, and opened a PR with the fix.
Here's the full breakdown:
What I did:
β Reproduced the vulnerability locally against [email protected]
β Confirmed the upstream fix ships in 2.17.4
β Identified the exact call site in the Formbricks codebase
β Verified allowedTags whitelist alone does NOT block the bypass
β Applied a hardening fix
In @formbricks specifically, the affected file is:
apps/web/modules/survey/follow-ups/lib/email.ts
A malicious survey respondent could inject a payload that executes JS in an admin's HTML email client.
The allowedTags whitelist? Doesn't help β xmp leaks BEFORE tag evaluation.
The bug lives in sanitize-html node package in versions <=2.17.3.
<xmp> is a raw-text element β htmlparser2 parses its contents as plain text on input. But sanitize-html's context handler appends it to output WITHOUT escaping.
It is dangerously easy to build a neural network today without actually understanding how it works.
We live in an era of 'import torch'. You can train a model in three lines of code, but the moment you need to debug a collapsing loss function or a vanishing gradient, syntax won't save you. You need first principles.
I recently went through this notebook collection by Simon J.D. Prince, and it is the antidote to tutorial hell.
Instead of just showing you the code, it forces you to visualize the mechanics:
1./ The Math => It builds the intuition for shallow networks and regions before adding complexity.
2./ The Optimization => It doesn't just use an optimizer; it compares Line Search, SGD, and Adam so you see why they behave differently.
3./ The Modern Stack => It connects the dots from basic backpropagation all the way to Self-Attention and Graph Neural Networks.
Move from running code to engineering systems => this is a goldmine.
someone asked Beej how sockets work in C. he got tired of explaining it. so in 1995 he put it all online.
it's been the definitive socket programming guide for 30 years.
it covers everything: TCP, UDP, IPv4, IPv6, non-blocking I/O, select(), poll().
graduate OS courses worldwide assign it. it's funnier than any technical book has a right to be.
it's free and always will be.
think OSI
everyone memorizes Please Do Not Throw Sausage Pizza Away for interviews, then immediately forgets it after getting the offer
honestly, that's a mistake
a lot of weird prod networking bugs are just which layer am I actually debugging? problems
layers 5 and 6 are mostly academic in day-to-day infra work. TCP/IP kind of folded that stuff into the application layer, and forcing juniors to reason about presentation/session usually creates more confusion than clarity
what matters more:
- Connection refused? Probably L4
- Connection reset halfway through? Also L4-ish, but now you're asking who killed the socket. App? LB? firewall? idle timeout?
- TLS cert error? Don't call it layer 6 in real life. Just say TLS
- DNS resolves but curl hangs? Now you're checking routing, firewall, IPv6, MTU/PMTUD, proxy config, etc
the useful skill is not reciting the model
it's debugging top-down:
- Can the app resolve the name?
- Can it open a socket?
- Does the packet leave the box?
- Does it get a SYN-ACK back?
- Does ARP/NDP work?
- Is some firewall silently dropping it?
most of the time you stop around L3/L4 and the answer is still: something in the network path said no
also, tcpdump is not scary
it's basically ls for packets. Once you get comfortable with it, networking bugs become way less mystical
btw, good drill list for interviews / real pager pain:
https://t.co/xMcUSW9O8W
also, I'm available for b2b remote work from Armenia. Let's chat
#linux #devops #sre #networking #sysadmin #tcpip #homelab