WTF Bites
-
@zerosquare the former is easier than you think.
-
@dcoder If it says "prior to version 8", it implies they corrected this in V8. So, they did learn and apply the lesson, if a bit late.
-
@Gąska : If you allow byte-granularity access to the buffer, then you need byte-granularity initializations checks. Otherwise you could just write one byte to mark the buffer as initialized, and siphon the rest of the data.
And on top of that, making sure there's no way data can leak is a hard problem. Even CPU manufacturers, who literally are at the lowest abstraction level and employ highly skilled people, don't get it right every time (think Spectre, among others).
Expecting a NodeJS developer to implement that flawlessly is not what I'd call "sane".
-
@Medinoc Fair point.
Logic is a barrier to shitposting though.
-
@zerosquare said in WTF Bites:
If you allow byte-granularity access to the buffer, then you need byte-granularity initializations checks. Otherwise you could just write one byte to mark the buffer as initialized, and siphon the rest of the data.
No, the initialization check just means that it has to zero out all of the memory when you actually try to use it.
However, NodeJS is a server-side programming language; no way should it be running untrusted code. If I'm not mistaken, both C and C++ will let you
malloc
some memory and then read its contents as a char type without first initializing it; this isn't even undefined behavior unless you're using a non-char type.
-
This means you simply delay the cost of zero-initializing, but you still have to pay it. Why not, but it doesn't make much difference (unless you create buffers and never use them?).
-
Here's some Indian outsourcer code to darken your day.
-
@anotherusername said in WTF Bites:
However, NodeJS is a server-side programming language; no way should it be running untrusted code.
It is not just a server-side runtime. It is also used for sandboxing untrusted code in various places, because, being derived from the browser JS VM, it is actually one of the better runtimes for that purpose.
@anotherusername said in WTF Bites:
If I'm not mistaken, both C and C++ will let you
malloc
some memory and then read its contents as a char type without first initializing it; this isn't even undefined behavior unless you're using a non-char type.However, you can only get at garbage your own process left from earlier operations, not possibly sensitive garbage from other process, because the operating system (or at least Linux) does actually zero pages when mapping new ones into your address space.
But because NodeJS does consider use case with several instances in the same process that are supposed to be isolated, it needs to do its own scrubbing.
-
@scarlet_manuka said in WTF Bites:
my workplace, in which my seat is probably at about tries.tries.purely
Not bad, speaking as someone with an office at fats.churn.noses. Which probably says far too much without looking it up…
-
@anotherusername said in WTF Bites:
@zerosquare said in WTF Bites:
@cvi: now you understand how Europeans feel when they see stuff like "Paris, Texas", "Berlin, Wisconsin" or "London, Kentucky" ;)
I knew a girl in college who was from Mexico, Missouri. She was also somewhat dark-skinned, and for kicks she sometimes just told people she was from Mexico. There's also a Lebanon, Missouri. The largest county by area in Missouri is Texas County, with Houston as the county seat. And I have to finish this list with Peru, Nebraska.
Filed Under: Amusing geographic facts that nobody here really cares about
There's also a Versailles, Missouri. It might be named after the Versailles in France, but if you pronounce it like those snobs in France do then you're pronouncing it wrong.
There is a Milan, Tennessee and the hicks there pronounce it My-Len.
-
@cartman82 what
-
@anotherusername said in WTF Bites:
However, NodeJS is a server-side programming language; no way should it be running untrusted code.
It is not just a server-side runtime. It is also used for sandboxing untrusted code in various places, because, being derived from the browser JS VM, it is actually one of the better runtimes for that purpose.
@anotherusername said in WTF Bites:
If I'm not mistaken, both C and C++ will let you
malloc
some memory and then read its contents as a char type without first initializing it; this isn't even undefined behavior unless you're using a non-char type.However, you can only get at garbage your own process left from earlier operations, not possibly sensitive garbage from other process, because the operating system (or at least Linux) does actually zero pages when mapping new ones into your address space.
But because NodeJS does consider use case with several instances in the same process that are supposed to be isolated, it needs to do its own scrubbing.
From a quick Google, any time you run untrusted code in NodeJS you should be running it in a sandbox, which puts it in its own separate process. This will ensure that misbehaving code can't lock up your parent process, but it'll also isolate its memory space.
-
@codejunkie said in WTF Bites:
@anotherusername said in WTF Bites:
@zerosquare said in WTF Bites:
@cvi: now you understand how Europeans feel when they see stuff like "Paris, Texas", "Berlin, Wisconsin" or "London, Kentucky" ;)
I knew a girl in college who was from Mexico, Missouri. She was also somewhat dark-skinned, and for kicks she sometimes just told people she was from Mexico. There's also a Lebanon, Missouri. The largest county by area in Missouri is Texas County, with Houston as the county seat. And I have to finish this list with Peru, Nebraska.
Filed Under: Amusing geographic facts that nobody here really cares about
There's also a Versailles, Missouri. It might be named after the Versailles in France, but if you pronounce it like those snobs in France do then you're pronouncing it wrong.
There is a Milan, Tennessee and the hicks there pronounce it My-Len.
https://www.reddit.com/r/MapPorn/comments/2enuqr/missouri_places_named_after_other_places/
First comment:
https://www.reddit.com/r/MapPorn/comments/2enuqr/missouri_places_named_after_other_places/ck1am29/
-
@zerosquare said in WTF Bites:
This means you simply delay the cost of zero-initializing, but you still have to pay it. Why not, but it doesn't make much difference (unless you create buffers and never use them?).
First thing I'm thinking of is keeping an 'initialized up to' marker. Working on the assumption that the buffer is populated in order, rather than random.
Writes beyond the marker require zero-filling the intermediate bit, then updating the marker to just past the write. Reads past the marker return zero (and don't require updating the marker).
-
@codejunkie said in WTF Bites:
@anotherusername said in WTF Bites:
There's also a Versailles, Missouri. It might be named after the Versailles in France, but if you pronounce it like those snobs in France do then you're pronouncing it wrong.
There is a Milan, Tennessee and the hicks there pronounce it My-Len.
Indiana has Milan (also pronounced (MY-lən), Versailles (Vər-SAY-əls), Kosciusko (Kah-zee-AH-skoh) County, Galveston (Gal–VESS-tən)...
-
@anotherusername said in WTF Bites:
However, NodeJS is a server-side programming language; no way should it be running untrusted code.
It is not just a server-side runtime. It is also used for sandboxing untrusted code in various places, because, being derived from the browser JS VM, it is actually one of the better runtimes for that purpose.
Damn, forgot about untrusted code. Yes, in that case, zeroing on allocation makes perfect sense.
I've just realized how spoiled I've become by only working with low-level fully privileged code.
@zerosquare said in WTF Bites:
This means you simply delay the cost of zero-initializing, but you still have to pay it. Why not, but it doesn't make much difference (unless you create buffers and never use them?).
If you initialize buffer with real values prior to any read, then you don't need any zero initialization at all. And not reading prior to writing is like Data Structures 101 and is how every single library container works.
-
is how every single library container works
Which is why we have to have kernel-level mitigation against things like this, natch.
-
@gąska So you have an overloaded constructor function which takes a default "true" bool of "zerofill" which you can set to false if you have performance problems due to said zerofill.
Problem solved.
-
@rhywden wasn't the problem that an option to not zero fill exists at all?
-
@rhywden wasn't the problem that an option to not zero fill exists at all?
No, the problem was that "not zerofilling" was the default and you always had to manually initialize.
-
@tsaukpaetra said in WTF Bites:
is how every single library container works
Which is why we have to have kernel-level mitigation against things like this, natch.
As I said, I've become quite careless with security after working in environment where all code is in-house and fully trusted and security is provided by other means.
-
@rhywden wasn't the problem that an option to not zero fill exists at all?
No, the problem was that "not zerofilling" was the default and you always had to manually initialize.
Except you didn't, because as the docstring helpfully points out,
new Buffer()
is deprecated andBuffer.alloc()
should be used instead - andBuffer.alloc()
does zero fill.
-
@gąska You realize that I used the past tense? Pray tell, what does the term "deprecate" tell you?
-
-
@gąska You realize that I used the past tense?
I didn't. But now that you pointed out you actually meant 2015 Node.JS, I can only say that it's no surprise it was absolute shit. Everything JS was absolute shit back in 2015.
-
-
@tsaukpaetra believe me, it was MUCH worse than now.
-
-
-
@gąska You realize that I used the past tense? Pray tell, what does the term "deprecate" tell you?
That I forgot to turn off/suppress warnings?
-
@tsaukpaetra said in WTF Bites:
Polish a turd
Hey, don't shit-talk @Gąska like that!
Wait, what??? Fucking English Language...
-
Pray tell, what does the term "deprecate" tell you?
Not a lot, but the phrase "pray tell" tells one a lot about the person saying it
-
Not a lot, but the phrase "pray tell" tells one a lot about the person saying it
Not as much as "whilst".
-
@blakeyrat said in WTF Bites:
Not a lot, but the phrase "pray tell" tells one a lot about the person saying it
Not as much as "whilst".
Forsooth they could not have known how language would devolve.
-
@tsaukpaetra Wherefore arest weith on this annoyingesteth tangent?
-
@mott555 People who say "whilst" are a WTF. I stand by my post.
EDIT: also I just came across this on StackOverflow:
Luke Sawczak's comment is what I was thinking, haha.
-
@tsaukpaetra Wherefore arest weith on this annoyingesteth tangent?
In truth, because I have desire to slacken in the off direction. It behooves me to continue working but I desire more to lollygag and pretend I am a nincompoop. 'Tis more amusing (to me) in any case.
-
@blakeyrat said in WTF Bites:
Not a lot, but the phrase "pray tell" tells one a lot about the person saying it
Not as much as "whilst".
-
@sloosecannon said in WTF Bites:
@pie_flavor said in WTF Bites:
https://i.imgur.com/zM7kxVt.png
The fuck do I need to log out of free wifi for? And what's the point of a hyperlink to the page I'm already on?
And more importantly, why on Earth are they borrowing a non-internal IP address for their login
Whatever device does that, one of the contractor sites I work on uses the same one (same IP too).
-
@blakeyrat said in WTF Bites:
@mott555 People who say "whilst" are a WTF. I stand by my post.
EDIT: also I just came across this on StackOverflow:
Luke Sawczak's comment is what I was thinking, haha.
-
@hardwaregeek said in WTF Bites:
Conclusion: you guys sucked at inventing original names for geographical things
Settlers wanted to be reminded of places they came from.
-
@anonymous234 said in WTF Bites:
I actually initially assumed A10 was the worst one because it says "great value" (it's the best one).
My family actually prefers most of the "Great Value" branded items from Walmart (it's the generic store brand).
-
@djls45 for many non fresh products, the store brand is usually indistinguishable to the more expensive ones
-
-
Pray tell, what does the term "deprecate" tell you?
That it will continue to exist in legacy code for decades.
-
@hardwaregeek said in WTF Bites:
That it will continue to exist in legacy code for decades.
And that it's probably really useful and that there isn't an equivalent replacement.
-
Jupiter, Florida
Well, I know Florida has a lot of aliens, but I thought they're mostly Cuban. I didn't realize any were quite that alien.
-
it get's used exactly once a year by my coworker's kids at the internal chrismas party.
Not much choice if I want to write down something "live" (as opposed to just peppering people to death with powerpoint slides). I mean ... I guess I could try writing on the walls, but that might have other repercussions. It's tempting, though.
The university I went to painted a wall in a couple of the CS labs with special whiteboard paint. It did make it easy to write stuff, but the markers often dried out because a lot of people would use them and/or someone would leave them out and they'd dry up. They were also a bit of a pain to clean. A cloth would usually erase fine if the drawing was cleared right away. A bit of water helped if it was within a few hours. If it was allowed to dry fully, then it took a LOT of elbow grease to get the ghost lines out.
-
The
train1c1550ef-6ee7-4934-bd33-4738e7a30d1b to 5C85D171-E30C-418A-A20F-DC8065914CC2 will be departing fromplatform3c487383-cbf6-4aca-8437-7d13bd7b21455480F8BD2-CA54-47FD-A3CD-34B16FCD44C8.FTFY
FTFTFYFY
Edit: FTFTFTFYFYFM
-
The university I went to painted a wall in a couple of the CS labs with special whiteboard paint. It did make it easy to write stuff, but the markers often dried out because a lot of people would use them and/or someone would leave them out and they'd dry up. They were also a bit of a pain to clean. A cloth would usually erase fine if the drawing was cleared right away. A bit of water helped if it was within a few hours. If it was allowed to dry fully, then it took a LOT of elbow grease to get the ghost lines out.
My dad wanted to paint a wall in his office with whiteboard paint when he moved into his new house and found it's surprisingly expensive. So ghost lines or other damage to those walls must really piss the facilities people off. :x