Public code

This page contains links to some open-source projects I’ve created or had a significant hand in. Feel free to judge my hacky code.


In early 2021, I wrote a tool for pentesting web applications built on Firebase on behalf of iosiro, my employer. Firebase allows you to skip writing a traditional backend for your web application by just having the JavaScript interact directly with a NoSQL database, which introduces exactly the kinds of security risks you would think it does. In a Firebase app, all authorisation logic has to be implemented as database rules, and things you don’t write rules for tend to fall open. For more details, check out the release blog post.

Baserunner lets you load up the configuration of a Firebase app and log in as a regular user. It is intended to help test for areas where rules need to be changed or added. It can be thought of as a generic client for any application that uses Firebase.



Over the second half of 2019, I made minor contributions to F-Secure Labs’s awspx, a tool for visualising resource relationships and effective access in AWS environments. The tool’s name is a mash-up of AWS and auspex, which was the name given to interpreters of omens in ancient Rome. Similarly, the tool interprets AWS policies to show what effective access rights may portend.

I contributed some code to the command-line interface and service ingestors, which try to infer what resources each service has by inspecting the classes generated by boto3 Resources.

For an in-depth look into the tool’s workings, check out the accompanying blog post.

Old theme

Most of the styling this website used from August 2015 through May 2019 is available as a Hugo theme under the MIT licence (i.e. you can do whatever you want with it but don’t hold me responsible or expect support). There’s a demo site here.

Features include random taglines on every page, a shortcode for captions and yellow aside boxes. Due to breaking changes since I switched themes, it is unlikely to work in versions of Hugo newer than 0.55.

The current site theme will be made available in a similar manner when I get tired of it and redo everything again. And speaking of getting tired of things…

Code mausoleum

Here are a bunch of projects that didn’t make it very far for various reasons. Some of the code or ideas may be salvageable.

Ruby Lua Table Parser is the result of my needing to write a parser for Lua tables, because they’re just different enough from JSON objects that you can’t convert them with regex. It’s not fully robust, but I didn’t need it to be.

Open4Comment was to be this site’s public commenting system, but then I implemented webmentions instead.

Templater is a weird project to overengineer filling in textual templates, Madlibs-style. A custom parser and web interface for something that would be better done with sed. It seemed like a good idea at the time.

GameLibrarian was going to be a Steam-style slick interface for my extensive freeware game collection, but I made the mistake of starting it as a Windows Metro app, which ended up being a pretty awful platform for something that needs file access. It may be worth resurrecting one day in a different form. Until then, there’s

Ghostly Kerning is a typesetting plugin for a very early version of the Ghost blogging platform. I no longer use Ghost, and Ghost no longer seems to take plugins (or “apps”, as it once called them). Also, GitHub says this uses a vulnerable version of lodash, so tread with care.

Corporate Synergy Simulator is a training value-add to foster growth and dynamism in your company’s organisational culture. It not only encompasses big-picture thinking by incorporating market-driven coffee-drinking mechanics into the holistic system, but also shifts these goalposts by providing a variety of miniature training add-ons. Written with a friend in GameMaker Studio 1.4 for the Global Game Jam in January 2016.