undefined | Better HN

0 pointsTheDong3y ago0 comments

Most vulnerabilities in boring web apps are not memory safety issues.

I've decided to pick an arbitrary list of security issues where the fixes will be visible to gain some small anecdotal evidence. The top result for "gitlab CVEs" is this august release announcement, let's look at the first three vulns on it: https://about.gitlab.com/releases/2022/08/30/critical-securi...

1. Remote Command Execution via GitHub import

This one was a typeing issue where an object with special keys resulted in dynamic code execution. That could not happen in rust. See the hn discussion here - https://news.ycombinator.com/item?id=33155527

2. Stored XSS via labels color

This can be made into a type-system issue with a good enough type system, text and html should be different types. Arguably this could happen with rust, but honestly, probably would not.

3. Content injection via Incidents Timeline description

This one is also arguably a typing issue for the same reason as above.

----

Hey, look, 3 errors that type systems would help with and which had security implications.

> it's much less clear that stronger type systems reduce vulnerabilities; in fact, the evidence mostly cuts the other way.

What do you mean by that? In what case is a worse type-system (like java or go) going to make it harder to write vulnerabilities than a stronger type system (like haskell or rust)

0 comments

tptacek3y ago

I'm simply going to say this again: Rust's type system doesn't meaningfully mitigate XSS, RCE, or metacharacter injection. You are equally likely to write an SQLI or an SSRF in Rust as you are in Java.

There are exactly two types of vulnerabilities Rust (and some other modern memory-safe languages) mitigate beyond memory corruption:

1. Java, Python, and Ruby have deserialization libraries that can easily be misused to create RCE vulnerabilities.

2. Python, Ruby, and Javascript have eval and eval-equivalents (which is essentially what your first example is).

You can pretend anything is a type system issue, but neither of these two vulnerabilities are properly understood as type safety errors. Java has a sharply more prescriptive and policed type system than Ruby does, but both have deserialization issues; it's just a generational thing.

Deserialization in new Java code is unlikely; deserialization is much less common than SSRF, which plagues Rust code just like everything else. In 2022, there is no meaningful security benefit to Rust over Java.

There are other reasons to use Rust! People should just stop making up fake security reasons to do it.

j / k navigate · click thread line to collapse