Property-Based Testing Caught a Security Bug I Never Would Have Found

https://kiro.dev/blog/property-based-testing-fixed-security-bug/

62•nslog•1mo ago

Comments

mananaysiempre•1mo ago

TL;DR: obj[key] with user-controlled key == "__proto__" is a gift that keeps on giving; buy our AI tool that will write subtle vulnerabilities like that which you yourself won’t catch in review but then it will also write some property-based tests that maybe will

fireflash38•1mo ago

Don't forget you can use AI to turn a 50 word blog post into a 2,000 word one!

mirthturtle•1mo ago

For real. The bullet-point summary at the beginning with a "Why this matters for..." immediately followed by, "This isn't just a theoretical exercise—it's a real example of..." Dead giveaways.

raphting•1mo ago

Exactly this! AI fluff all over in that article.

latentsea•1mo ago

You're absolutely right!

nslog•1mo ago

Didn't react just have basically the same vuln

mananaysiempre•1mo ago

The code in TFA is, by a hair’s breadth, not actually vulnerable, as long as the type signature of the function is obeyed. React spinned the same gun in the game of Russian roulette but was less lucky.

toobulkeh•1mo ago

It also talks about using PBT and Randomness for some reason. This is clearly just a test value of a non-AI library written by a human.

My take away is “don’t write your own input tests, use a library”. The rest is AI-slip

mananaysiempre•1mo ago

Theoretically a good fuzzer could discover this value by itself, but I don’t believe anything like that exists that could run JS code and explore VM-level branches, at least not for JS code that’s even this complex. Otherwise, yes, PBT is less trivial than it seems, though I’m guessing a simple `strings jsc` coupled with general knowledge of special values of other types[1,2] could get you quite far.

[1] https://www.exploringbinary.com/php-hangs-on-numeric-value-2...

[2] https://www.exploringbinary.com/java-hangs-when-converting-2...

mhitza•1mo ago

Technically a property based test caught the issue.

What I've found surprising is that the __proto__ string is a fixed set from the strings sampling set. Whereas I'd have expected the function to return random strings in the range given.

But maybe that's my biased expectation being introduced to property-based testing with random values. It also feels like a stretch to call this a property-based test, because what is the property "setters and getters that work"? Cause I expect that from all my classes.

arnsholt•1mo ago

Good PBT code doesn't simply generate values at random, they skew the distributions so that known problematic values are more likely to appear. In JS "__proto__" is a good candidate for strings as shown here, for floating point numbers you'll probably want skew towards generating stuff like infinities, nans, denormals, negative zero and so on. It'll depend on your exact domain.

sublinear•1mo ago

> Is this exploitable? No. ... JSON.stringify knows to skip the __proto__ field. ... However, refactors to the code could ... [cause] subtle incorrectness and sharp edge cases in your code base.

So what? This line of what-if reasoning is so annoying especially when it's analysis for a language like javascript. There's no vulnerability found here and most web developers are well aware of the risky parts of the language. This is almost as bad as all the insane false positives SAST scans dump on you.

Oh I'm just waiting to get dogpiled by people who want to tell me web devs are dumber than them and couldn't possibly be competent at anything.

yakshaving_jgt•1mo ago

> most web developers are well aware of the risky parts of the language

I don't think this is true, and I think that's supported by the success of JavaScript: The Good Parts.

It would be unfair to characterise a lack of comprehensive knowledge of JavaScript foot-guns as general incompetence.

oncallthrow•1mo ago

> most web developers are well aware of the risky parts of the language

In my experience this really isn’t true. Most web developers I know are not familiar (enough) with prototype pollution.

By the way, this isn’t because they are “dumb”. It’s the tool’s fault, not the craftsman’s, in this case. Prototype pollution is complicated and surprising

jgalt212•1mo ago

> insane false positives SAST scans dump on you

Great LLM use case: Please explain to the box ticking person why these "insane false positives SAST" are false and / or of no consequence.

philipwhiuk•1mo ago

> We write unit tests for the happy path, maybe a few edge cases we can imagine, but what about the inputs we'd never consider? Many times we assume that LLMs are handling these scenarios by default,

Do we?

RGamma•1mo ago

I've seen companies advertise with LLM generated claims (~Best company for X according to ChatGPT), I've seen (political) discussions being held with LLM opinions as "evidence".

So it's pretty safe to say some (many?) attribute inappropriate credence to LLM outputs. It's eating our minds.

sevensor•1mo ago

What’s interesting to me about this, reckless as it is, is that the conversation has begun to shift toward balancing LLMs with rigorous methods. These people seem to be selling some kind of AI hype product backed by shoddy engineering, and even they are picking up on the vibe. I think this is a really promising sign for the future.

bpt3•1mo ago

When "we" = "developers we imagined when using LLMs to generate this marketing slop based on a contrived scenario", then sure!

bluGill•1mo ago

The original claim for TDD is your write tests for all your edge cases. It doesn't matter about inputs you didn't consider because they are covered in the edge. If you can only accept inputs from 2-7 (inclusive) you check 1,2,7,8 - if those pass you assume the rest work.

Cpoll•1mo ago

You forgot 0, -1, null, "1".

bluGill•1mo ago

Since I work in a strongly typed languages the last two will fail to compile and are thus not worth the bother - those who don't have that luxury of course need to test the edge cases that apply to them. The first are maybe, in my experience they are rarely a problem, but we need to go from the abstract to the particular algorithm before we can have a discussion on if they are potentially a problem or not.

OptionOfT•1mo ago

If you're using Rust you can push it one level further: use a NonZeroU*.

More than that and you'll need nightly for now: https://docs.rs/ranged_integers/latest/ranged_integers/

Piraty•1mo ago

It's always good to write tests with the "The Enterprise Developer from Hell" in mind: https://fsharpforfunandprofit.com/posts/property-based-testi...

nslog•1mo ago

This is a great talk. More technical videos should be done from the basics like this.

koakuma-chan•1mo ago

This kind of bug would never have happened if you used a proper programming language like Rust.

kittoes•1mo ago

This just can't be your answer to everything... the article clearly stated that they're developing a client application for browsers. Rust advocates like yourself are really doing more harm than good by ignoring real world constraints.

koakuma-chan•1mo ago

You can use Rust to develop client application for browsers. Check out dioxus.

regular_trash•1mo ago

Rust is an unergonomic language that slows development in the general case (because it has lots of arcane syntax and rules, and people generally don't know it). Suggesting it as the "obvious" choice ignores the tradeoffs that come with adopting it for a project.

koakuma-chan•1mo ago

You can just hire people who know Rust. One Rust developer would likely end up more productive than ten Cursor baby sitters in the long run, and you would actually get a high quality app.

wredcoll•1mo ago

This is like some kind of psy-op to get people to hate rust.

koakuma-chan•1mo ago

Sure. Then good companies will be able to filter out people by only hiring those who know Rust.

yakshaving_jgt•1mo ago

I don’t think this kind of sanctimoniousness has much of a success rate as a marketing approach.

koakuma-chan•1mo ago

No marketing can save humanity from its inevitable demise.

yakshaving_jgt•1mo ago

Yeah but Rust can’t either.

hansvm•1mo ago

To be fair, this particular issue wouldn't have happened in C, Python, Forth, Zig, or a host of other languages. String-based weirdness is something of a JS issue.

cogman10•1mo ago

This particular issue looks to be pretty uniquely a javascript problem. I don't even think hyper flexible languages like Ruby would ultimately experience this sort of problem.

mananaysiempre•1mo ago

Ruby can experience a similar problem[1], but that’s largely because its metaobject protocol draws no distinction between a read-only field and a zero-argument method. Python’s model does not have that issue (at the cost of significant complexity) and it is about as flexible as Ruby’s ultimately. (Python’s more rigid syntax is not relevant either way.)

[1] https://news.ycombinator.com/item?id=33155527

Show HN: We had 20 Claude terminals open, so we built Orcha

Your Best Thinking Is Wasted on the Wrong Decisions

Warcraftcn/UI – UI component library inspired by classic Warcraft III aesthetics

Trump Vodka Becomes Available for Pre-Orders

Velocity of Money

Stop building automations. Start running your business

You can't QA your way to the frontier

Show HN: PalettePoint – AI color palette generator from text or images

Robust and Interactable World Models in Computer Vision [video]

Nestlé couldn't crack Japan's coffee market.Then they hired a child psychologist

Notes for February 2-7

Study confirms experience beats youthful enthusiasm

The Big Hunger by Walter J Miller, Jr. (1952)

The Genus Amanita

We have broken SHA-1 in practice

Ask HN: Was my first management job bad, or is this what management is like?

Ask HN: How to Reduce Time Spent Crimping?

KV Cache Transform Coding for Compact Storage in LLM Inference

A quantitative, multimodal wearable bioelectronic device for stress assessment

Why Big Tech Is Throwing Cash into India in Quest for AI Supremacy

How to shoot yourself in the foot – 2026 edition

Eight More Months of Agents

From Human Thought to Machine Coordination

The new X API pricing must be a joke

Show HN: RMA Dashboard fast SAST results for monorepos (SARIF and triage)

Show HN: Source code graphRAG for Java/Kotlin development based on jQAssistant

Python Only Has One Real Competitor

Tmux to Zellij (and Back)

Ask HN: How are you using specialized agents to accelerate your work?

Passing user_id through 6 services? OTel Baggage fixes this

Show HN: We had 20 Claude terminals open, so we built Orcha

Your Best Thinking Is Wasted on the Wrong Decisions

Warcraftcn/UI – UI component library inspired by classic Warcraft III aesthetics

Trump Vodka Becomes Available for Pre-Orders

Velocity of Money

Stop building automations. Start running your business

You can't QA your way to the frontier

Show HN: PalettePoint – AI color palette generator from text or images

Robust and Interactable World Models in Computer Vision [video]

Nestlé couldn't crack Japan's coffee market.Then they hired a child psychologist

Notes for February 2-7

Study confirms experience beats youthful enthusiasm

The Big Hunger by Walter J Miller, Jr. (1952)

The Genus Amanita

We have broken SHA-1 in practice

Ask HN: Was my first management job bad, or is this what management is like?

Ask HN: How to Reduce Time Spent Crimping?

KV Cache Transform Coding for Compact Storage in LLM Inference

A quantitative, multimodal wearable bioelectronic device for stress assessment

Why Big Tech Is Throwing Cash into India in Quest for AI Supremacy

How to shoot yourself in the foot – 2026 edition

Eight More Months of Agents

From Human Thought to Machine Coordination

The new X API pricing must be a joke

Show HN: RMA Dashboard fast SAST results for monorepos (SARIF and triage)

Show HN: Source code graphRAG for Java/Kotlin development based on jQAssistant

Python Only Has One Real Competitor

Tmux to Zellij (and Back)

Ask HN: How are you using specialized agents to accelerate your work?

Passing user_id through 6 services? OTel Baggage fixes this

Property-Based Testing Caught a Security Bug I Never Would Have Found

Comments