Comment by Smaug123

Comment by Smaug123 10 days ago

18 replies

View on Hacker News

I'll gesture at it. It's not an open source tool, so I can't point at the code (and in fact I just checked and I don't have perms to see the Jira ticket I caused to be raised!), and I am wary of describing security bugs in company-internal code. But in general terms it was a service that attempted to check whether a request was allowed, and it ignored errors from that check. (I just searched history for a bit to find the error in the absence of any actual details about it, but it was a while ago and I failed.) Sorry this is not a very satisfying answer.

[removed] 10 days ago
[deleted]
Reply View 0 replies
foldr 9 days ago

Any language where errors are returned as values will allow you to ignore errors (if you don’t have proper linting set up, and unless it has something fancy like linear types). I’ve even seen a similar error in Haskell code, where someone called an isLoggedIn function inside a monad with the expectation that it would short-circuit evaluation, whereas in fact it just retuned a Bool.

Reply View 13 replies
  • thinkharderdev 9 days ago

    Very true, but I do think there is an issue in the margin about how easy it is to ignore errors. For example, in Java you might have something like

    ``` void checkPermissions() throws AuthException ```

    so you have to actively ignore errors by catching the exception. Likewise in Rust you can do

    ``` fn check_permissions() -> Result<(),AuthError> ```

    In that case you can just use the `?` operator to short-circuit (and clippy will warn you if your forget to do that).

    In other words, while language design can't fully prevent you from ignoring precondition checks, it can make it harder to forget or even force you to actively ignore precondition failures

    Reply View 12 replies
    • randomdata 9 days ago

      But isn't the idiomatic Go solution something like this?

          func checkPermissions(success func())
      Like anything, you can still screw it up if you try hard enough, but it should nudge most in the right direction. The talk of error handling seems like a distraction or a case of someone confusingly trying to write code in another language using Go syntax.

      Obviously you are not forced to think of the user when designing an API, but you don't have to be mindful of the user in any language. Not even Haskell can save a developer who doesn't care, as noted in an earlier comment.

      Reply View 0 replies
    • foldr 9 days ago

      Go linters do a pretty good job of spotting where error return values have been ignored, so I'd suggest that the kind of bug the OP is referring to is pretty unlikely to happen in a Go project that's properly configured.

      Reply View 10 replies
      • Smaug123 9 days ago

        Sure - my question is "why do you need to set up the third party linters when they're so critical to the correctness of your program" really. It's the general "yeah we'll give you these footguns which are the first thing every developer will learn about during their first incident; good luck, and I hope you know you need to do things this way!" attitude I object to.

        Reply View 9 replies
[removed] 10 days ago
[deleted]
Reply View 0 replies
goodlinks 9 days ago

Isnt this the same as any language though.. check if have permission then ignore the result seems like something that the language cannot protect you from?

Reply View 1 reply
  • Smaug123 9 days ago

    I mean, Golang has an unused variables compile error, which presumably is trying to do precisely this. It's like they got so close to forcing the user to acknowledge the possibility of errors, and then stopped just before the end!

    Reply View 0 replies