Forem: Vaclav Mlejnsky

Nicely asking our users to update the app through an XSS attack

Vaclav Mlejnsky — Mon, 22 Mar 2021 16:47:31 +0000

Devbook is a desktop app that allows developers to search Stack Overflow, official documentation, and code on GitHub. It's the first step in building a search engine for developers.

We shared a crude first version of Devbook on Hacker News in December. HN folks seemed to like it. Devbook was on the front page and eventually got to the #5 spot. We were excited! People might actually like what we built!

Feedback and suggestions started coming in. It was time to work on an update. With this momentum, working on the next version was easy. We shipped a new update in the next few days and were ready to hear what people think.

Here came the horrible realization though - we forgot to ship the auto-update functionality in the first version. How will people already using Devbook update to the new version? This isn't a website or a mobile app. Devbook is a desktop app distributed outside of any app store. People don't just receive notifications about a new version.

About 500 users from HN were stuck on the first version, unable to update and we had no way to reach out to them. In the grand scheme of things, 500 users are not that many. For us though, it was crucial to get them to update to the new version and learn what they think. Those 500 users were everything. We had to come up with some way to inform them about a new version.

Time to get creative. We started thinking. The app is communicating with our server every time a user searches. So there might be a way to get our message across. Maybe every time when a user searches in Devbook we could change the content of the first result so it tells the user to update?

Then it hit us. What we were actually sending as a search response from our server was the actual Stack Overflow HTML. In Devbook, we just (dangerously and with great ignorance) injected the HTML into the app's frontend. That's great (if you ignore the security implications of course)! It means we can change the HTML to whatever we want!

Yeah, but how do we know which users should actually receive the custom HTML? We had people using two versions of the app - one without the auto-updater and one with the auto-updater. Well, here comes the ugliness of all this. As I said above, we were injecting the HTML code directly into the app's frontend. This means the HTML code isn't sanitized. With this, we can theoretically run any code we want. We could use Electron's API to find out the version of the app and show the update prompt based on that.

That's exactly what we ended up doing. We injected our custom script to the onerror event listener on the <img/> tag

<img style="display:none" onerror="update_code" src="#"/>

Here's the actual code prompting user to update

// Cleanup the old download reminder
clearTimeout(window.devbookUpdateHandle);
if (!window.isDevbookNewVersionCheckDisabled) {
  const remote = window.require("electron").remote;
  const appVersion = remote.app.getVersion();
  if (appVersion === "0.0.1") {
    function askForNewVersionDownload() {
      window.isDevbookNewUpdateSilenced = true;
      const shouldDownload = confirm("New Devbook version is available \\n\\n Click OK to download. \\n\\n You must install the new version manually!");
      if (shouldDownload) {
        remote.shell.openExternal("<new_version_url>");
      } else {
        clearTimeout(window.devbookNewUpdateHandle);
        const updateHandle = setTimeout(() => {
          askForNewVersionDownload();
        }, 8 * 60 * 60 * 1000);
        window.devbookNewUpdateHandle = updateHandle;
      }
    }
    if (!window.isDevbookNewUpdateSilenced) {
      setTimeout(() => {
        askForNewVersionDownload();
      }, 4000);
    }
  }
}
window.isDevbookNewVersionCheckDisabled = true;

This is the actual model that a user sees

Eventually, about 150 users updated through this hack to a Devbook version that has an auto-updater.

Search Stack Overflow, docs, and code on GitHub from a single app

Vaclav Mlejnsky — Sat, 13 Mar 2021 19:38:13 +0000

Hey all!

My friend and I are both developers and working on the app called Devbook. I thought this community might find it especially useful. It's basically a search engine made just for developers.

It's a desktop app available for Windows, Linux, macOS. It works similar to Spotlight on macOS. You hit a global shortcut and Devbook appears as an overlay on top of any app you might be using. Then you just start typing and we search Stack Overflow, code on GitHub and docs. No ads, content marketing, personalization, slow websites, etc. Plus it's all controllable using just a keyboard. This way you almost don't need to leave your coding editor.

The goal was to keep you as a programmer productive as much as possible and minimize the annoying context switching.

We made this based on our own needs. We realized how much time we spent on Google searching for stuff when coding. Looking for information should be a better experience than that. A place where developers first-class citizens.

Here's a short video of me using Devbook

Would love to learn what you folks think. Give it a try and let me know!

What productivity tools are you using?

Vaclav Mlejnsky — Mon, 18 Jan 2021 17:55:44 +0000

Hey folks!

I think most of the developers like to explore different tooling to make them more productive. Tools like Vim or Emacs seems like proof of this (not commenting on their learning curve though).

One of the things developers spend most of their is search. We read different studies concluding that devs spend about 15% of their time just typing queries into Google. My co-founder and I care about developers' productivity a lot and we think there should be a better solution.
We started building Devbook. Devbook is a search engine for developers. We are starting with a crude initial version that allows you to search in docs, Stack Overflow, and public GitHub code using a single input (more resources coming soon!). It's a desktop app that works similar to spotlight we the focus on being able to control using just a keyboard and not getting in your way.
We have all kinds of developers using Devbook. There beginners, students, or skilled senior devs from companies like Amazon.

You can download Devbook here. For now, it's completely free.

Would love to know what do you think about Devbook!

Also, I'd be interested to know what tools and services are you using to make you more productive? Share your stack!

I am building an app that makes your terminal collaborative and team-friendly. Would you use it?

Vaclav Mlejnsky — Tue, 18 Aug 2020 13:52:44 +0000

Hi folks!

Like any developer, I use my terminal a lot during the day. Recently, I switched from VSCode to Vim so the usage went even up. But when working with my team I often felt like the experience is somewhat broken. Often I found myself copying and sending short command snippets on Slack and then searching for them a few days later, taking a screenshot of my terminal output and sending it to my coworkers, or asking my teammates what version of a CLI tool they are using. This got me inspired to work on this project - a terminal that is more team-centric and collaborative.

The app is called Sidekick, here is the landing page - https://getsidekick.app. Sidekick isn't a new terminal emulator. Instead, it's an app that runs alongside your existing terminal emulator. This way you don't have to switch to a new terminal app from your favorite one. Sidekick is something like a command center for your dev team.
Some of the features are:

Hassle-free terminal session sharing with your team. It's done through WebRTC and it's collaborative for both sides.
Share & pin commands with your team so you don't have to send it to each other on Slack and then search for it 5 days later.
See what projects are your teammates working on in the realtime.
See what tools have your teammates installed and their versions.
Be able to search in your team's shell history.

I would love to know your feedback on this and learn more about the problems you have when using terminals in your team.

Happy to answer any questions! Thanks!