DEV Community: Shamit

Python, Browsers, and Ubuntu

Shamit — Thu, 24 Apr 2025 07:49:35 +0000

During my role at Summa Linguae Technologies, I was working on a Python tool that tracked test statuses and included a feature to open a webpage in the browser automatically. The issue was that this functionality worked fine on some systems but wasn’t working on Ubuntu.

To debug, I systematically went through possible causes:
Checked if the browser was installed—ensured that a default browser was set.
Verified user permissions—confirmed that the script had the necessary permissions to launch applications.
Tested different commands separately—ran xdg-open, gio open, and sensible-browser manually to see which worked.

After testing, I found that the usual Python method (webbrowser.open()) wasn’t reliable on Ubuntu because it didn’t always respect the default browser settings. Instead, using xdg-open directly resolved the issue. I updated the script to detect the OS and use the appropriate command dynamically.

API Key Exposure & Insecure Supabase Access: a Bug Hunt

Shamit — Tue, 22 Apr 2025 05:56:19 +0000

Like other developers I regularly lurk dev space subreddits, and came across a post by a business dev at a startup who had developed a lead generation micro-SaaS.

User’s need to make an account and can use the site to find sales leads, do targeted outreach, etc using various paid subscription options.

Observing the Signup Flow:
The developer asked other redditors to test the site and provide feedback, so as a first validation step I tried to sign up with an invalid email to test it and took a closer look at the sign up POST request.
Given it’s an invalid email, I did not actually sign up or login, I was still on the sign up page with an error saying the email was invalid.
From the POST request info I saw that the site used a Supabase, and I could also see the API key and Authorization in the headers.

Generally, if this is an anon key and the backend has RLS (Row Level Security) enabled this is not a problem. The frontend uses this token to make calls to Supabase, and RLS + policies determine what the user is allowed to see/do. Supabase's client libraries often expose an anon API key for public access, but it must be protected with Row Level Security (RLS).

Investigating the API Key & Triaging the Bug:
To test that theory, I made a GET request to an endpoint I guessed https://.supabase.co/rest/v1/leads - the SaaS provides marketing leads, so I figured /v1/leads is as good as a guess as any) and added the exposed API keys as part of the request header - I got back hundreds of leads data.

This confirmed that the table was publicly accessible, likely without any RLS or access restrictions, thanks to the exposed API key.
I tested further by exploring if other tables were exposed. I had read access to pretty much everything as long as I could guess a valid endpoint - leads, users, marketing data, etc. For obvious reasons I did not test any write access.

Disclosure:
I reached out to the site owner, shared the issue privately and explained how the API key was exposed. They acknowledged the issue and said they would investigate and patch the exposure.

Client-side keys must be used with backend-enforced access controls like RLS. Whether you're a frontend dev, tester, or backend engineer, this was a great reminder of how small oversights can lead to critical data leaks.

So if you’re working with Supabase, make sure your tables are protected with RLS, and don't assume API key obfuscation is a substitute for access control.

U-Net Image Analysis - Getting back into it

Shamit — Mon, 03 Mar 2025 08:30:58 +0000

My job involving fullstack dev, testing and validation kept me busy, but I did get to dabble into data analysis to optimize our client's limited server resource allocation.

Getting back into PyTorch, and inspired by the AI in Medicine Lab (https://aimlab.ca/) at UBC, I wanted to get back to my undergraduate roots of machine learning algorithms and review what I had learned.

So, back to image analysis...the underlying technique behind much of the work done by DALL-E, Midjourney and Stable Diffusion is an architecture called U-Net.

The U-Net architecture was originally proposed to tackle medical image segmentation, and in general it works as you would expect:
1) The model gets an input image
2) It makes a guess at segmenting the different aspects of the image
3) We compare the loss and use the error to adjust our model's parameters to improve the output
4) Repeat

Not only U-Net models segment the objects on the image, it is very good at creating near pixel perfect masks around the objects - so it's a bit like a variation of classification as each pixel gets a class it belongs to.
So what makes this convolutional model different and so much better?

The architecture contains two parts. The 'Encoders' on the left, and the 'Decoders' on the right.

The encoders condenses the information on an image on each layer, reducing the size of the image. At every stage as we go down the layers, the size of the image halves but the number of channels double.
'Channel' here refers to the number of feature maps and they double as each convolutional layer applies multiple filters to the input, capturing different aspects of the image.

In the early layers filters are used to capture basic edges, basic textures, etc, and in lower layers the model learns high level features such as object shapes, spatial information, etc.

Before I get into the decoding part, the arrows you going from the left to the right? They signify the feature mapping information that we got from the encoding steps being fed into the corresponding decoders.

These skip connections help restore lost spatial information by combining high-level semantic features from the encoder with the finer details, helping the decoder layers to locate features accurately.

Overall, decoders use transposed convolutions (or upsampling layers with convolutions) to reconstruct the image back to its original size.
These fine details are what helps the models to identify exactly where the objects are after they are classified by the encoders.

If encoders identify the 'what's of the image, decoders identify the 'where's. Encoders extract what is in the image, focusing on feature representation, while decoders reconstruct where objects are, ensuring precise localization.