🌊 Avoid HTTP/2 floods, 🤐 don't log your secrets, and 🗣️ upcoming conferences

The show is supported by you, the listener. Stick around till after the news to hear more. This is Cup of Go for April 5, 2024. Keep up to date with the important happenings in the Go community in about 15 minutes per week. I'm Jonathan Hall.

And I'm Shay Nehmad .

Hi, Shay.

Hello. I've sent you a link. Have you read it? No, you haven't because it's a members only story.

Yes. Medium. I hate Medium.

We found a really cool link we wanted to share with you, but someone posted it on Medium. And since we saw it, made a a member only story, which I'm fine with. If that's a good way for you to make money, go ahead and do that. But Medium has been bad for creators and bad for consumers and messes up SEO.

And it means we won't talk about your story on the show except vaguely in, like, anonymous terms Yeah. Like this.

When, I did, Medium before in a company, I also just published it on my own, like, static site free blog. And then if someone wants to support, they can sign up to Medium, unsubscribe from their emails, and keep

reading your blog. And just so just by the way, to so nobody thinks we're picking on Medium per se. If you post a really great news story about Go behind any paywall, we're not gonna talk about it on the show.

Unless there's, you know, a free

Unless there's a free version as well that we can share with the audio.

Yeah. Alright. So luckily, the Go forum, you know, the Go Google group is still not behind the paywall. That's right. So what have you seen there?

So we had a new, security release this week. Go 1.22.2 and 121.9 were both released with a security release that I I really don't know anything about. Have you looked into it, Shay?

Yeah. So I actually read the blog post by Bartek Nowotardsky. I hope that's how, that name is pronounced. 2 blog posts. 1, it just gives an overview. So the overview is there is a vulnerability in HTTP 2 called continuation flood. And then on that, you know, blog, by the way, talking about it, a static blog, super simple theme published for free. Bartek just gives the technical details, which I find super interesting. What do you know about HTTP 2?

Not a whole lot. It allows for, like, by default, a single TCP handshake with but with multiple requests over that open connection. Some prefetching is is capabilities are in there. I I don't know a lot about it.

I think a lot of people are in your position where they know it's, like, better ish than h t p one. But, you know, if I ask you what do you know about h t p one, you could probably whip up an implementation in, like, a few days that's passable.

I could probably whip up something that looked kind of like h t three one from memory.

Yeah. That it's just been around so long. It's so ubiquitous. We've been dealing with it so much. Oh, yeah. Of course. So the first line is a text line, and then whatever. And then boom, h u p 2 is binary. It's not even text lines. It replay it sends frames from one side to another.

Sounds like my 3 year old talking to me now.

Yeah. But the interesting one for this vulnerability is a combo of headers and continuation. So just to get Partik's a look on things, he's like, if you wanna learn more, you can just read the RFC. Which I respect. I respect. Reading an RFC once a month or so is what's keeping my mind sharp. And it also improves my technical writing. So I highly recommend it.

I see you're choosing RFCs better than I am.

Yeah. But but I definitely haven't read the HTTP to RFC. I'm not that hardcore anymore. Maybe when I was 18, I would have, sat down and and read it. But not now. Because now I have a beautiful podcast that just streaming the information directly into my ears, which is what's gonna happen right now. So what do you think happens in the headers frame?

I would imagine that, you send some headers, some key value pairs of sort of some sort.

Exactly. So you send the headers, they're stole they're packed using HPAK, and you just send them and you can send them with some flags. Every frame has a flag, like a bunch of flags you can send it. One of them is end headers, which means, alright, I'm done sending all the headers. I think you're by this is a audio medium. So this doesn't carry very well. But John has this, like, suspicious thin eyes

where

he's like, oh, wait. I think I know where this is going. The other type of frame is a continuation frame. It's very similar to the headers frame, but they just have one flag which is end headers. So, you know, you know when I finish setting you all the headers.

Because the server loads all the headers into memory before deciding whether or not to accept or reject the connection and and process it otherwise. Right? So you could just generate random headers and send it without consuming memory on your side to the server. Right? So you're still using network bandwidth, but you're not using local memory. You're only using server memory. Is that is that the idea?

Yes. And also, there's nothing, this is the most boring case. Actually, in Go, and we won't go into the code here because it's a little complicated to understand why it happens, which is, by the way, always where vulnerabilities hide in these, like, oh, wait, what? It actually behaves like this? In Go, it causes CPU exhaustion and not a like a memory problem.

Well, I would have I I was gonna say something about that. If you're not explicitly disabling HTTP 2, you probably have it enabled without realizing it if you're running in an HTTP service. Now whether it's being used or not, is another question. Although, I think it's used far more than we realize because

For human traffic, it's 62%. Yeah. If you exclude bots, which I don't know if you should for this matter, but that's what the, data Cloudflare gives. 62.2% of, HTTP traffic, it's a is HTTP 2. And, you know, that's this basically means that Bartek founded a found and fixed a large part of the Internet, which is not something a lot of people do.

You should update.

And if you're listening to this podcast, you probably have an HTTP server running in production written in Probably so. So, perhaps doubly fast. So, yeah, HGP had a vulnerability. In other news, dog bites man.

Well, we are halfway through our our program, and we've covered essentially one story, but a good one. Let's talk a little bit. Let's change gears a bit and talk about some conferences.

So there's a call for papers for Go West. Right? Yay. Isn't that a song? I think about it for a sec.

So Go West conference is happening in October TBD. The date isn't determined yet. I suppose I'm looking for a venue. But even so, it's happening in October in Lehi, Utah. So if you're in that part of the world or want to be, here's your chance to submit this, a paper. It's not a paper. It's a presentation. Call for presentations. That's what the p stands for. Right?

I think it's still call for papers because you the submission is a paper. Okay. But in reality, obviously, it's a call for PDF because the submission is a PDF.

Exactly. Call for HTTP form data. Anyway, you can submit a proposal to speak at, Go West Conference in October. Link is in the show notes, or you could probably Google it. We also have a bunch of other conferences coming up. We're not gonna mention them all because there's too many to mention in one episode, but the ones coming up very soon. We have 42 coming up. This is an online conference, April 25th. So that was that's one for all of our listeners you could attend, virtually.

Yeah. Just 20 days from now. I would, recommend just putting, you know, in your works calendar. Alright. Let's, you know, put it on, even in the background. The one, talk I'm interested about from, Con 42 is effectively onboarding and integrating new devs. This is not something people usually talk about but, so I'm just, curious how did they, like, there's a whole, track for culture, which is interesting, I think. So that's in 20 days. Right? 20 days from now. April 25th.

One other one that I wanna mention today, well, I think we'll save the rest for another week. GopherCon Brazil is coming up May 9 10. It looks like this is a at least a dual language conference because they have a website in both Portuguese and one in English. But if you're gonna be in Florianopolis, I hope that's how you say it, in Brazil, Check that out. GopherCon Brazil, May 9 10.

Yeah. And if you like to plan out your year, slightly more than advanced, we'll keep mentioning these conferences as they come up. But there are a lot more. Right? Taiwan, Japan, Berlin, Russia, London, Italy, all throughout the year. So we'll put the link to the Go wiki, which is where we have this information, and you should have it as well.

No proposals to talk about this week. We'll have some for next week. We are gonna mention a couple bits from the community. 1 is a blog post of continuing the theme of security. Chai, how would you prevent a password from being logged to your server logs?

So, you know, I just type out all my logs.

Mhmm.

You know, I I just type up them out manually into Datadog or Kibana as they come in from request. So I I just wouldn't write it.

Yeah. So you see that oh, there's a password. I'm gonna skip over this part.

Don't you hear the typewriter in the background?

Computer says no. Totally.

It happened to me in the past. So egg on my face. I Oh, yeah. Implemented the logging thing in my previous place, and it logged every single field and I felt very smart about it. And then someone found their password in the logs and we had to do a whole thing. Even though I I was aware of this problem, I just didn't think about it at that context.

Mhmm.

How would you prevent it? Or how have you prevented it in the past? I guess, is a better question.

Yeah. There's a few different ways I've done it. I mean, the first thing most people do is they have their logging provider Datadog or Sentry or whatever just, like, filter out sensitive looking key names, which is, I suppose, better than nothing, but I don't trust that to to do a good job. So I try to be a little more proactive. And, some approaches I've taken are to encrypt everything that's not in a an acceptable list.

Oh, that's cool.

Like, I don't usually wanna log a password even encrypted, but there are data I do want it to log, but I don't want it to be clear text, you know, maybe, the response to an HTTP request or something like that that might contain a credit card number or or whatever. Yeah. But I I can't know that I'll prior it. So I'll encrypt that sometimes. But there's some other approaches. What what does this blog post tell us to do?

So, first of all, I wanna shout out the blog itself. It's william.dev. We already mentioned William's blogs once in the past. It's like beautifully designed and has a really nice, like, panache to it, I think. I think we talked about it when we talked about, URL parameters or something.

I'll call out one other problem and that would be if you need to use a JSON marshaler, for example, in other use cases. Like, maybe you have a struct that you actually send to the end user or logged or to a database that you need that that sensitive data persisted, then you have to have 22 versions of the struct. You have to be careful which one you send to the log and which one you use elsewhere. So that there could be some complications in in that level of things. But still, I agree.

So the only thing I'll say is if you need to send the password or whatever sensitive data exposed for these, like, three cases, for the first time you get it from the user and for the, like, the path it travels to your application all the way to the database or the third party, whatever. It's a good thing that this code will look will be the exception and will look exceptional. You know what I mean? Mhmm. I think it's okay to say in this case, I'll cast it to the sensitive data exposed data struct whatever whatever.

So yeah. I saw this post, I think I saw it yesterday on Reddit. It was also mentioned on our our Slack channel.

Yeah. Thanks, Peter.

But, I mean, this is worth mentioning because it's just it's just a a a play out of the last year's cup of go playbook. The question is, if you could redesign Go from scratch, what would you change? And it's just it's it's basically a repeat of our stumper questions from last year's interviews. Yeah.

We should probably do a supercut at some point of all the answers from all the guests and see how much should they line up with this blog post.

The questions we asked our our guests were if you could take something out of Go, if you could ask them to Go, what would it be? And there's some good answers in this. The top voted one at the moment is there's too many ways to create a variable and that they show 5. They aren't all identical functionally, but they're they're subtly different in some cases. But, yeah, there's still 5 ways to create a variable and knowing the difference between them and which ones are identical, which ones aren't is a little bit tricky.

And I just wanna shout out the 2nd top voted one, which is not having to use a magic date for time formatting in the standard library.

Somebody should create a proposal about that.

Yeah. So I actually wrote that, while I agree the Go team won't, relitigate. If you're wondering why we're laughing, you need to listen to the previous episodes, and also welcome new listener. But we've been talking about this time formatting thing every episode even though I haven't done a custom time formatting, function once since we've started talking about it. So I guess we should stop.

Like,

don't use, 0 values. Use option types instead. I'm like, a lot of the utilitarian nature of Go, which is I just wanna be useful and simple and to the point, is based on 0 values. Right? And if you just take 0 values of the language, you have to change so many things.

I don't know. So I I responded, and the things I had mentioned were things that will not be they would all be backward breaking changes so they wouldn't be implemented.

Are you sure? Because I think, there is a proposal to create pointer to a simple type.

Oh, so so yeah. So that one, in fact, Rob Pike has even weighed in in favor of that.

And also Seeb's?

Yeah. Many people have. I I don't know why it's not done. But so for for clarity, what I proposed adding was the ability to encode, create a pointer to a concrete type. So the example I gave is at quote, foo, end quote. And that's not legal right now because quote, foo, quote is not addressable. My proposal is that it would just create a variable of type string that has that value and then evaluate to a pointer to that string.

The problem with this sort of, proposals is that it's obvious, I think, really, it's obvious that it should be part of the language. But since it wasn't and since since it still isn't, people can be like, it doesn't warrant a language change. Because it really it it's okay for you to write a one liner function that does just that. Right? It's not like a complex fill with edge cases function. It's super simple to write one.

Now that we have generics, it is super simple. It is a like a a 3 line function.

And it's really uncomfortable. You would you wouldn't import it from some place else. Right? You wouldn't write a package called pointer creator and then from pointer creator import. You wouldn't do that because it's just a one liner, but you would write this.

I have done it within a package. I wouldn't import a third party package for that. But, like, within a project, I would create a package. Usually called PTR, and it has a single function called 2. Mhmm. Sometimes I have a reverse that it it does the opposite, you know, a dereferences a pointer or returns a zero value.

I think as as you go along, you collect more and more of these helper functions that you like. They're awkward to put in the language, because they're too small to warrant the language change and updating the documentation and adding a new way to do things, which is the going back to this, Reddit thread, is the first, suggestion. Right? There are 5 ways to create a new variable. Theoretically, this is the 6th one.

Yeah. I I think the the strongest argument in favor of a either a a built in or a standard library change for that is just so there's fewer ways to spell pointer dot 2 because each project you work on is gonna have their own way to do that and, that's just unnecessary, but we'll see.

Yeah. So there's an open proposal, you can go take a look at it. But actually, out of the most, know, compared to most stuff I find on Reddit, this was an interesting, thread. And it really did remind me of the questions we asked at the end of the episode. One thing that's, by the way, very much missing compared to early, you know, early last year when we started this podcast and we asked people what to remove is generics. Nobody's talking about it. It's like, okay, it's fine.

I did see an a very early comment was remove generics, but it got down voted pretty quickly.

Yeah. I think people are happy with it.

And even I like, I would've upvoted that a year ago, but no no. I've I've decided I like generics.

And there's one thing, it's the most downvoted, comment on this thread, but I actually agree with it. I should probably not say this out loud, but bring back semicolons. Yeah. All listeners just threw their phones away. Yeah. Yeah. I I think it's something

in this program. We were we've gone off the rails. Yeah.

Get out of you. Get out of my office. No daughter of mine will write code with semicolons. Some of my some of my best friends write with semicolons. I just wouldn't want my daughter. Alright. Thanks a lot for listening, everyone. Stick around for the ad break to hear some more, fun stuff that happened.

And some of the stuff I forgot last week when I did the ad break by myself. Yeah. That's I don't even know what it was yet. I'll find out. Alright.

Has this ever happened to you? You've been trying to use Go, but you don't know what to do. Cut to a, you know, like a fifties kitchen and, like, the sort of person trying to clean their laptop with, dish soap. Yeah. Yeah.

How was that for That was that that was classy.

Yeah. Like, 4 AM, you wake up, you turn on the television on, like, the sales channel. I don't know what it's called in the in the US. Some people

trying to sell you The shop at home network, I think.

Yeah. Exactly. But wait, there's more. Yeah. But wait, there is more. We wanted to shout out Software You Can Love, which is a conference that's gonna happen in Milan, Italy. We didn't mention it during the episode because it's not strictly a Go thing. It's mostly focused on Zig, which I don't know if you've, had ever played with. But, you know, we're super excited mostly because it's from one of our listeners, and we really wanted to shout them out. They're excited about it.

I've done a bit of reading about it, but that's it. Yeah.

So if, you know, if you're looking for that kick into Zig, and you're around, Milan in late May, so feel free to join the software you can love meetup. We'll put the link in the show notes. This is not sponsored by the way. It's just something one of our listeners is doing, and we just wanna support them doing it. They're not they're not, like, paying us or or anything.

Fancy.

Yeah. It looks, well planned. We want to say thanks to all our Patreons for supporting this show. This is a hobby. Jonathan and I are doing this for fun and for the community in some way, but it is an expensive hobby.

Oh. Yeah. Totally.

Not saying it's racist but also not saying it's not racist. It's just the training data. Anyways, if we don't know, if this is useful for you because we obviously know what the episode what we said in the episode, we we said it.

Maybe you know what you said in the episode.

But if, this is useful for you or you want us to keep doing it, just tell us in the channel.

Or you want a higher quality transcription.

Yeah. That's also.

Is is the AI is bad for you for some reason?

Yeah. We're we're fixing the obvious, like, we're rolling through it, but we're not, doing a deep, like, every it's not a manual work. Not yet, at least. If you say it's useful, then we might, think about it. So the episodes have transcripts now.

Speaking of of swag, you did forget something. So now we're even. We had somebody buy our first wireless charger this last week, and they posted an image of it on our Slack channel. I'm a little disappointed though. It came with a wire. I thought it was supposed to be wireless, but this is Claudio Beatriz also who, just, told us about the the upcoming conference you just mentioned. So Yep. Yep. Yep. A double shout out to Claudio.

to It does. Give it a shot. I mean, it's cute a f. I'll I'll say that. If you just use it as a coaster, not even as a charger, that would be good.

We should we should totally make, Brewster Coasters. We should check and see if that's even possible. That would be great.

Brewster Coasters. Alright. Adding to the to do. And before I get even more tasks, and the AI transcription has to transcribe even more of this nonsense, we'll wish you a happy, and calm weekend. We'll see you next well, we won't see you. This is an audio program, but we'll catch you next week. This, week we don't have an interview for you, but next week we actually have 2. And 2 of them are very interesting. A 100% hit rate. So I'm excited to talk to these interesting people.