undefined | Better HN

0 pointsthayne3y ago0 comments

Well for one it's written in c++, which means it is more likely to have memory safety bugs, which could potentially be security vulnerabilities.

0 comments

nasretdinov3y ago

While generally true, I would argue that for the use cases where full-text search is mostly used (e.g. either search through a public database, or, quite the opposite, an internal system that does search through logs collected from various sources), in practice security vulnerabilities are less of a concern because usually even if you can expose some data stored in the full text index using that vulnerability, it would still only expose data you could already find in that search engine and that's already accessible to you :).

thayneOP3y ago

That might be true in some cases.

But for the public data case, you probably still need to worry about DoS or data corruption.

In the logs case, a malicious actor can probably control at least part of the logs, so if a bug leads to arbitrary code execution, a bad actor could possibly get all kinds of valuable data.

Also, just to be clear, the language doesn't necessarily mean there are significant security bugs. A well written c++ app is probably better than a poorly written java app. It's just harder to avoid memory bugs in c++ than java.

j / k navigate · click thread line to collapse