Seems like Microsoft has just announced Visual Studio 2022. And it already came out! For us at PVS-Studio, this meant only one thing — we must support this IDE in the next PVS-Studio release. Almost everything went smoothly. However, there were some hitches that we're going to discuss today.
Vulnerabilities due to XML files processing: XXE in C# applications in theory and in practice
How can simple XML file processing turn into a security weakness? How can a blog deployed on your machine cause a data leak? Today we'll find answers to these questions, learn what XXE is and what it looks like.
Music on the Commodore PET and the Faulty Robots
After completion of the System Beeps, I wasn’t planning to make another stand-alone album release with the pseudo-polyphonic music, as I felt the topic had been explored enough. This, however, wouldn’t mean I couldn’t apply the experience and skills gained to make more utilitarian stuff, like an actual retro game OST or an old-school demoscene project. Such an opportunity arose in Autumn 2020, as David Murray of The 8-bit Guy YouTube channel fame announced his new game to be in development, the Attack of The PETSCII Robots for Commodore PET and some other Commodore 8-bitters. As I had previously worked with David on his previous big release, the Planet X3 game for MS-DOS, and this was a perfect opportunity to satisfy my interest towards the pre-graphics era PCs as well as apply my vast experience both in minimalistic computer music and 6502 assembly programming, I offered my services, which were accepted. Besides the sound code I also had hopes to participate as a music composer this time.
Unfortunately, this time the project didn’t go well on my side, and lots of issues of all kinds eventually turned it into a small-scale development hell (you can learn more from a series of posts at my Patreon blog). The end result was that my code and sound effects were only used in the VIC-20 port, and music for other versions was created by other people. However, I was left with the full working code of the sound system for PET, and a number of music sketches. It would be a pity to file it into the archive; PET projects aren’t a frequent thing these days, so another chance to use the stuff wouldn’t come any time soon. So I got the idea to develop my music sketches into full songs and release them as an alternative OST, and having David’s approval, it was done and released in the Winter of 2021 as Faulty Robots, a small music album for PET that is available as a digital audio release and a runnable program for the actual PET computer.
How to Build a Cryptocurrency Exchange App in 2022
Do you plan to start a cryptocurrency exchange business? If so, now is the perfect time. The easiest and safest way to make money from cryptocurrencies is to create a crypto-exchange application. Regardless of whether traders and investors make or lose money, the cryptocurrency exchange will remain a winner in any case.
But how do you open a cryptocurrency exchange app? Let’s look at the main stages of the process.
“FPGA InsideOut” – animation about CRC and parallel CRC calculation
Link to the Russian version
FPGA InsideOut is an attempt to make a set of educational FPGA videos presented in the “human-in-the-loop” style. In these videos we will not only show how we interface with an actual FPGA board but will also provide synchronous real-time visualisation of the FPGA's internal logic.
For our first video we have picked a CRC circuit (cyclic redundancy check) which is based on a linear feedback shift register. This circuit goes through several transformations during the course of the video. Intrigued? Let’s watch the video.
What memory release strategy does the PVS-Studio C and C++ core use?
In various discussions, we have already commented on how the PVS-Studio C and C++ module works with memory. Now it's time to make a small article from this comment.
Playing with null: Checking MonoGame with the PVS-Studio analyzer
The PVS-Studio analyzer often checks code of libraries, frameworks, and engines for game development. Today we check another project — MonoGame, a low-level gamedev framework written in C#.
Queries in PostgreSQL. Query execution stages
Hello! I'm kicking off another article series about the internals of PostgreSQL. This one will focus on query planning and execution mechanics.
In the first article we will split the query execution process into stages and discuss what exactly happens at each stage.
Stop losing clients! Or how a developer can test a website, by the example of PVS-Studio. Part 1
A website with bugs can be a real pain in the neck for a business. Just one 404 or 500 error could end up costing the company an obscene amount of money and hurting a good reputation. But there is a way to avoid this issue: website testing. That's sort of what this article is about. After reading this article, you will learn how to test code in Django, create your "own website tester" and much more. Welcome to the article.
MuditaOS: Will your alarm clock go off? Part I
Operating systems are a kind of software where code quality is critical. This time the PVS-Studio analyzer checked MuditaOS. So let's take a look at what the static analyzer found in this open-source OS.
Introduction to Engineering
This is a set of chapters for young engineers. We give practical advice and discuss goals, challenges and approaches used in modern software engineering.
Along with classical foundations, this article contains original ideas on conceptualizing an engineer's work, with emphasis on bringing order to the situation and finding an insight. Engineering is approached as work in uncertainty with other people, which requires special skills. Non-obvious complications regarding modern production in big companies are discussed.
This article is based on 15 years of experience in engineering and management in high-tech industries.
PVS-Studio for Visual Studio 2022
The PVS-Studio team writes articles on various topics. But we rarely write articles on how to interact with the analyzer. Let's fix that with an article about the PVS-Studio plugin for the Visual Studio 2022 environment.
IT risk management
When you have an IT function that supports all aspects of your organization's automated operations, and you are firmly confident that IT performs well, there is still always a chance that something could go wrong in the technology or in related IT processes. Depending on the complexity of the IT environment, a variety of risk scenarios could arise. This article, a summary of different trustworthy sources, aims to help you gain a high-level understanding of what could go wrong and how you can anticipate it in a more conscious way.
My name is Maxim Tornov and I have been working in various IT areas for a long period of time. For over 14 years I have been working in the area of IT/IS risk management with a focus on IT/IS audits, internal control implementation and assessment.
I am sure that at present the topic of Information Technology risk management has become more vital. An organization’s efficiency in IT risk management directly affects the achievement of various organizational goals that depend on IT; those goals may include reliability and efficiency of business processes, the organization's compliance with regulatory requirements, the integrity of financial reporting, and many others.
I sincerely hope that this material will be useful to you and may give you some new ideas that you can contribute to the benefit of your personal development and the development of your organization's risk management culture.
Q4 2021 DDoS attacks and BGP incidents
2021 was an action-packed year for Qrator Labs.
It started with the official celebration of our tenth anniversary, continued with massive routing incidents, and ended with the infamous Meris botnet we reported back in September.
Now it is time to look at the events of the last quarter of 2021. There are interesting details in the BGP section, like the new records in route leaks and hijacking ASes, but first things first, as we start with the DDoS attacks statistics.
Re-checking PascalABC.NET
Welcome, all fans of clean code! Today we analyze the PascalABC.NET project. In 2017, we already found errors in this project. We used two static analysis tools (more precisely, plugins for SonarQube): SonarC# and PVS-Studio. Today, we analyze this project with the latest version of the PVS-Studio analyzer for C#. Let's see what errors we can find today, especially now that our analyzer has become more advanced and got new features: it can find more subtle errors and potential vulnerabilities.
ACME-client for Tarantool
Link to GitHub. More details about the operation of the algorithm and the module can be found here.
An ACME protocol client is used to automatically obtain a security certificate for your site. Basically everyone uses Let's Encrypt to get a free certificate with auto-renewal. But there are other services, such as Zero SSL, which also supports the ACME protocol.
I relied on two articles from Habr (this and this), as well as RFC 8555. But the information in them was not enough to implement my own version of the module. At least several times higher than several implementations of the module [at another level]. The tests were conducted on a live service, so there are no autotests yet. You can write them and open a pull request.
The module is written under Linux. Only the second version of the protocol is considered.
Let’s deal with WeChat — the second most popular messenger in the world
- A short excursion into WeChat;
- About the platform, the version of the application, the utilities used and the decryption of the executable file;
- About two protocols (old one and new one);
- About serialization of objects;
- Used cryptography and key exchange;
- About headers and hash-functions;
- About the exposures found.
Comparing PHP-FPM, NGINX Unit, and Laravel Octane
Comparing PHP-FPM, NGINX Unit, and Laravel Octane - what to choose for developing microservices.
How PVS-Studio prevents rash code changes, example N2
When developers do make mistakes, it's often accidental or because the developers are in a hurry. These errors often make their way into small edits to the code. Let's review one of these cases: a developer fixes an error and introduces a new one simultaneously.
Kernel Queue: The Complete Guide On The Most Essential Technology For High-Performance I/O
When talking about high-performance software we probably think of server software (such as nginx) which processes millions of requests from thousands of clients in parallel. Surely, what makes server software work so fast is a high-end CPU with a huge amount of memory and a very fast network link. But even then, the software must utilize these hardware resources at maximum efficiency, otherwise it will end up wasting most of the valuable CPU power on unnecessary kernel-user context switching or on waiting for slow I/O operations to complete.
Thankfully, operating systems have a solution to this problem, and it's called the kernel event queue. Server software and the OS kernel use this mechanism together to achieve minimum latency and maximum scalability (when serving a very large number of clients in parallel). In this article we are going to talk about FreeBSD, macOS and kqueue, Linux and epoll, Windows and I/O Completion Ports. They all have their similarities and differences which we're going to discuss here. The goal of this article is for you to understand the whole mechanism behind kernel queues and how to work with each API.