@Juanito99
Juanito99 / Get-SharesWithShareAndNTFSPermissions
Last active January 16, 2025 13:51
List File-Shares with Share and NTFS Permissions in PowerShell
<#
License terms
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.
#>
#get all Shares
@joepie91
joepie91 / random.md
Last active January 16, 2025 13:49
Secure random values (in Node.js)

Not all random values are created equal - for security-related code, you need a specific kind of random value.

A summary of this article, if you don't want to read the entire thing:

  • Don't use Math.random(). There are extremely few cases where Math.random() is the right answer. Don't use it, unless you've read this entire article, and determined that it's necessary for your case.
  • Don't use crypto.getRandomBytes directly. While it's a CSPRNG, it's easy to bias the result when 'transforming' it, such that the output becomes more predictable.
  • If you want to generate random tokens or API keys: Use uuid, specifically the uuid.v4() method. Avoid node-uuid - it's not the same package, and doesn't produce reliably secure random values.
  • If you want to generate random numbers in a range: Use random-number-csprng.

You should seriously consider reading the entire article, though - it's

@jherax
jherax / configure.md
Last active January 16, 2025 13:46
VS Code: Debugging with Jest

VS Code: Debugging Jest

Sometimes, debugging with console.log is not enough to find out what is happening in the code, as console.log prints only plain objects but neither functions nor objects with circular references. Besides, it's possible you may need to know the context and flow of the code.

Read more about debugging with VS Code in VS Code: Debugging.

@n1nj4sec
n1nj4sec / FreeMarker_SSTI_tricks.md
Created December 18, 2024 20:10
FreeMarker SSTI tricks

What is this cheat sheet?

I recently stumbled on a blind SSTI injection on a bug bounty program (no output nor stack trace, only a 500 status code on invalid syntax).

The version was up to date and it was not possible to RCE because the conf was following best practices and there is no public sandbox bypass on the latest version. So was it possible to do stuff anyway? Yes, I found some nice gadgets to enumerate all accessible variables from the engine, read data blindly or perform some DoS.

This is not meant to be complete; you will find classic payloads for FreeMarker on other cheat sheets. This is only the new stuff from my research, which is not public anywhere else.

get versions

@rclaumann-picpay
rclaumann-picpay / mirrord.json
Last active January 16, 2025 13:43
mirrord configuration for ms-card-dispute
{
"feature": {
"network": {
"incoming": {
"mode": "mirror"
},
"outgoing": true
},
"fs": "write",
"env": true
@davidfowl
davidfowl / dotnetlayout.md
Last active January 16, 2025 13:43
.NET project structure
$/
  artifacts/
  build/
  docs/
  lib/
  packages/
  samples/
  src/
  tests/
@willzjc
willzjc / .block
Created February 27, 2018 09:02
Employees Hierarchy Chart using d3.js
license: mit
@yvesf
yvesf / fhsenv.nix
Created September 4, 2020 21:31
Running mediatek SP Flash Tool in nixos
let
pkgs = import <nixpkgs> {};
in pkgs.buildFHSUserEnv {
name = "fhs";
targetPkgs = pkgs: [
pkgs.nextcloud-client
pkgs.fontconfig
pkgs.freetype
pkgs.zlib
pkgs.wine
@irazasyed
irazasyed / outbound-email-with-cloudflare.md
Last active January 16, 2025 13:34
Using Gmail SMTP with Cloudflare Email Routing: A Step-by-Step Guide

Using Gmail SMTP with Cloudflare Email Routing: Step-by-Step Guide

Learn how to send emails through Gmail SMTP with Cloudflare Email Routing in this comprehensive guide.

Step 1: Enable 2-Factor Authentication

To proceed with this method, ensure that you have enabled two-factor authentication for your Google account. If you haven't done so already, you can follow the link to set it up → Enable 2FA in your Google account.

Step 2: Create an App Password for Mail