Comment by tptacek

Comment by tptacek 10 days ago

3 replies

View on Hacker News

Given the total lack of empirical evidence (that is: language-specific vulnerabilities in the myriad large high-profile Go projects run all over the Internet; instances of bug classes not found in other mainstream memory-safe languages --- "memory-safe" here just to factor C/C++ out of that set) for those security concerns, why do you prioritize them?

We of course continue to find SQLI, authz, SSRF, metacharacter parsing and cryptography vulnerabilities in Go codebases, the same way we do in literally every general-purpose programming language; what the the vulnerabilities we actually see, over 15 years of explosive growth in use, that are distinctive to Go? It's been 4 years since I was a full-time software security person, but I keep up, and did a lot of work in Go before then, and I'm not aware of anything beyond "if you skip the ,ok on a type conversion you might panic something".

ngrilly 9 days ago

I must say that I really appreciate your patience in addressing these comments. If the possibility of race conditions leading to UB and the lack of sum types in Go are so bad for security, then it shouldn't be difficult to observe exploitable vulnerabilities in real-world Go code bases.

Reply View 2 replies
  • dfawcus 9 days ago

    In a specific scenario, I have made use of interface values, and type switches as a form of "tagged union" / "sum type".

    All it requires is that the module defining the interface, and structs implementing it, are in the same package, and the interface requires a private method.

    I used that to have a message type, passing instances of it over a channel of that interface, and demuxing based on a type switch of the message.

    One could use a similar scheme for return values from functions, just that for the simple error / no-error case it would not be idiomatic, however that should not prevent one from doing so if desired.

    Reply View 1 reply
    • ngrilly 9 days ago

      Yes, that’s a possible pattern to emulate a sum type in Go.

      Reply View 0 replies