Don't Panic!

JPA Entity Graph

Published on April 4, 2026

A common criticism of JPA is that it generates inefficient SQL, often resulting in several queries where one would do. In particular, it’s prone to the n+1 problem where it loads an entity with one query and then runs an additional query for each item in an owned collection. JPA Entity Graph is one way to avoid this. It allows the application developer to closely control how related entities are fetched. You can use JPA Entity Graph to tell JPA to load a complex web of entities with a single query and significantly improve performance of your application.

Exploiting deserialization vulnerabilities

Published on January 1, 2026

Object deserialization is the cause of some of the most serious vulnerabilities in Java. Object deserialization is baked into the language and has been available since version 1. Many libraries and frameworks use it to copy state and other data across JVMs. As a result, it’s unlikely ever to be removed from Java. Most ‘fixes’ to known vulnerabilities are little more than simple allow / block listing and new bypasses for previous fixes are discovered all the time.

Many techniques for exploiting deserialization vulnerabilities rely on code present in third party libraries and do not require any specific first party application code.

JUnit and static fields

Published on December 18, 2025

I’m sure you’ve seen this pattern of using static fields to maintain application state:

public class AppState {

    static MovieRepository movieRepository;
    static StarRepository starRepository;

    static {
        AppState.movieRepository = new MovieRepository();
        AppState.starRepository = new StarRepository();
    }
}

One reason this is a bad idea is it can cause inconsistent test results. If one test modifies the application state and then a second test runs, the second test will use the first test’s state.

Coding is the easy bit

Published on June 11, 2025

In Rory Sutherland’s 2021 book Alchemy, he describes The Doorman Fallacy:

The ‘doorman fallacy’, as I call it, is what happens when your strategy becomes synonymous with cost-saving and efficiency; first you define a hotel doorman’s role as ‘opening the door’, then you replace his role with an automatic door-opening mechanism.

The problem arises because opening the door is only the notional role of a doorman; his other, less definable sources of value lie in a multiplicity of other functions: taxi-hailing, security, vagrant deterrence, customer recognition, as well as in signalling the status of the hotel.
Rory Sutherland

Continue readingCoding is the easy bit

Docker multi-architecture builds

Published on May 24, 2025

If you download an image from the Docker Hub library, it’s likely to be available for multiple architectures. If you pull it from an AMD / Intel 64 bit machine, you’ll get the amd64 architecture image. If you pull it from an ARM based machine (including Apple Silicon), you’ll get the arm64 based image. Typically when you build a custom image, you’ll build for your own architecture only. Docker multi-architecture builds however allow you to build for multiple target architectures.

Large JSON responses with Jackson

Published on February 1, 2025

Jackson is the standard Object to JSON mapping library for Java. It converts POJOs to JSON strings and it parses JSON strings to populate POJOs. It sits behind many JSON based REST servers in Java including Spring MVC. For basic use cases it is very simple to use. Indeed, with Spring Boot it is completely transparent – the framework leverages Jackson to do Object to JSON mapping for you. It’s feature rich and extensible so it can usually handle more complex use cases too. One such use case is returning large JSON responses with Jackson.

Shell access over UART

Published on January 3, 2025

Many IoT devices have a UART connector somewhere on the board. It is often used to debug the device before mass production. Sometimes there will be a nice four pin header to connect to. Other devices give you just some plated through holes ready to solder. In some cases the holes exist but the traces have been disconnected in the final layout. In any case if you can connect to it you can often obtain device logs, issue commands and sometimes access the boot loader. If you’re lucky you can get full shell access over UART.

In the first part of a teardown of a D-Link DCS-932L internet enabled security camera, I looked at extracting firmware from flash memory. In this second part, I look at connecting to UART and using the root shell to have a rummage about the camera’s file system.

Extract firmware from flash memory

Published on January 2, 2025

To analyse a device’s firmware, you’ll first need to obtain the firmware. If you’re lucky, the device manufacturer has made the firmware available for download. If it’s not available, or if you don’t trust that what’s on the website is what’s on your device, you can extract the firmware from flash memory. This post outlines how to extract firmware from flash memory on a D-Link DCS-932L internet enabled security camera.

NFS shares in Docker

Published on December 20, 2024

Network File System (NFS) is a widely supported and simple protocol for accessing files over a network as if they were local. This makes it ideal for many Docker (and other container) architectures as container storage is ephemeral and limited. Attaching NFS shares in Docker allows your container to read and write files to persistent network storage.

Move /home on SELinux systems

Published on April 30, 2024

Here’s a cautionary tale: taking shortcuts can lead to disaster! I wanted to move /home to a new partition on an SELinux protected system. I ended up locking myself out of my VM.

Don't Panic! Posts