Representing Function Properties in TypeScript

We’ve been using TypeScript on an Electron project. It’s been a huge win already—a little additional upfront investment gives us more confidence that our code is correct and reduces the chance that it will pass unexpectedly-shaped objects around, a source of many bugs in my past Node applications. But sometimes, it’s not immediately clear how […]

The Security Spectrum of curl | sh

A growing number of organizations are delivering software, generally for macOS, with a very Unix-y but also controversial pattern: using curl(1) to download a script and piping the output directly to sh (a.k.a. Bash(1)). There’s even a blog tracking the phenomenon, with the pointed description, “People telling people to execute arbitrary code over the network.”

Easy Secure Web Serving with OpenBSD’s acme-client and Let’s Encrypt

As recently as just a few years ago, I hosted my personal website, VPN, and personal email on a computer running OpenBSD in my basement. I respected OpenBSD for providing a well-engineered, no-nonsense, and secure operating system. But when I finally packed up that basement computer, I moved my website to an inexpensive cloud server […]

[Video] Command Injection: How the Shell Makes You Vulnerable

Most web developers are familiar with SQL injection, an all-too-common web vulnerability. The problem typically arises from assembling SQL queries by concatenating strings, without considering that this allows whoever supplies the parameters (typically, a consumer of a web API) to write their own SQL code. But SQL isn’t the only place you can get code injected. […]

Date Math Across Time Zones with Moment.js

Time zones—two words that strike fear deep in the heart of every developer. And rightly so. Humans started keeping time over a century ago, pegging their concept of “noon” to the point in the day when the sun is directly overhead. Since then, the world has steadily been moving to where we are now, with […]