
Property-Based Testing Caught a Security Bug I Never Would Have Found

https://kiro.dev/blog/property-based-testing-fixed-security-bug/
21•nslog•10h ago

Comments

mananaysiempre•1h ago
TL;DR: obj[key] with user-controlled key == "__proto__" is a gift that keeps on giving; buy our AI tool that will write subtle vulnerabilities like that which you yourself won’t catch in review but then it will also write some property-based tests that maybe will
mhitza•37m ago
Technically a property-based test caught the issue.

What I've found surprising is that the __proto__ string is a fixed set from the strings sampling set. Whereas I'd have expected the function to return random strings in the range given.

But maybe that's my biased expectation being introduced to property-based testing with random values. It also feels like a stretch to call this a property-based test, because what is the property "setters and getters that work"? Cause I expect that from all my classes.

sublinear•35m ago
> Is this exploitable? No. ... JSON.stringify knows to skip the __proto__ field. ... However, refactors to the code could ... [cause] subtle incorrectness and sharp edge cases in your code base.

So what? This line of what-if reasoning is so annoying, especially when it's analysis for a language like JavaScript. There's no vulnerability found here and most web developers are well aware of the risky parts of the language. This is almost as bad as all the insane false positives SAST scans dump on you.

Oh I'm just waiting to get dogpiled by people who want to tell me web devs are dumber than them and couldn't possibly be competent at anything.
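An added example, not code from the article or from any of the commenters above: a naive `obj[key]` store beside a Map-backed one, with the round-trip property mhitza calls "setters and getters that work" checked over a fixed key corpus that contains `__proto__` and over seeded random keys that never do. The class names, the probe key and both sampling sets are constructed for this illustration.

```javascript
// Added example (not from the article or the thread). Two tiny key/value
// stores and the property "after set(k, v), get(k) returns v and no key
// that was never set becomes readable", checked key by key.

// Naive store: obj[key] on a plain object. A user-controlled key "__proto__"
// creates no own property; it hits the Object.prototype.__proto__ setter and
// swaps the backing object's prototype, so other keys start resolving.
class NaiveStore {
  constructor() { this.data = {}; }
  set(key, value) { this.data[key] = value; return this; }
  get(key) { return this.data[key]; }
}

// Hardened store: a Map treats every string as plain data ("__proto__"
// included); Object.create(null) as the backing object would do as well.
class SafeStore {
  constructor() { this.data = new Map(); }
  set(key, value) { this.data.set(key, value); return this; }
  get(key) { return this.data.get(key); }
}

// The property for one key: an object value and a primitive value must both
// round-trip through a fresh store, and a probe key that was never set must
// stay undefined (it leaks when the value became the prototype).
const PROBE = '__leak_probe__';
function keyRoundTrips(StoreClass, key) {
  for (const value of [{ [PROBE]: 1 }, 42]) {
    const store = new StoreClass().set(key, value);
    if (store.get(key) !== value) return false;
    if (store.get(PROBE) !== undefined) return false;
  }
  return true;
}
function findFailingKeys(StoreClass, keys) {
  return keys.filter((k) => !keyRoundTrips(StoreClass, k));
}

// Constructed sampling sets: a fixed corpus of "interesting" strings, the
// way PBT string generators mix them in (mhitza's point), and a seeded LCG
// producing lowercase keys that can never spell "__proto__".
const SAMPLE_KEYS = ['', 'name', 'constructor', 'toString', 'hasOwnProperty', '__proto__', 'a b'];
function randomKeys(count, seed = 1) {
  let s = seed >>> 0;
  const next = () => (s = (s * 1664525 + 1013904223) >>> 0);
  return Array.from({ length: count }, () => {
    let k = '';
    const len = 1 + (next() % 8);
    for (let i = 0; i < len; i++) k += String.fromCharCode(97 + (next() % 26));
    return k;
  });
}
```

Running `findFailingKeys(NaiveStore, SAMPLE_KEYS)` reports only `__proto__`, while the same store passes every random key, which is why the fixed corpus in the generator matters.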

Beginning January 2026, all ACM publications will be made open access

https://dl.acm.org/openaccess
1693•Kerrick•18h ago•198 comments

Getting bitten by Intel's poor naming schemes

https://lorendb.dev/posts/getting-bitten-by-poor-naming-schemes/
97•LorenDB•4h ago•50 comments

1.5 TB of VRAM on Mac Studio – RDMA over Thunderbolt 5

https://www.jeffgeerling.com/blog/2025/15-tb-vram-on-mac-studio-rdma-over-thunderbolt-5
395•rbanffy•11h ago•121 comments

We pwned X, Vercel, Cursor, and Discord through a supply-chain attack

https://gist.github.com/hackermondev/5e2cdc32849405fff6b46957747a2d28
841•hackermondev•14h ago•317 comments

Texas is suing all of the big TV makers for spying on what you watch

https://www.theverge.com/news/845400/texas-tv-makers-lawsuit-samsung-sony-lg-hisense-tcl-spying
801•tortilla•2d ago•388 comments

History LLMs: Models trained exclusively on pre-1913 texts

https://github.com/DGoettlich/history-llms
489•iamwil•11h ago•193 comments

From Zero to QED: An informal introduction to formality with Lean 4

https://sdiehl.github.io/zero-to-qed/01_introduction.html
36•rwosync•5d ago•1 comments

Noclip.website – A digital museum of video game levels

https://noclip.website/
187•ivmoreau•7h ago•21 comments

Making Google Sans Flex

https://design.google/library/google-sans-flex-font
38•meetpateltech•3h ago•13 comments

Show HN: Orbit a systems level programming language that compiles .sh to LLVM

https://github.com/SIE-Libraries/orbit
8•TheCodingDecode•46m ago•1 comments

GPT-5.2-Codex

https://openai.com/index/introducing-gpt-5-2-codex/
484•meetpateltech•15h ago•250 comments

The state of the kernel Rust experiment

https://lwn.net/SubscriberLink/1050174/63aa7da43214c3ce/
88•dochtman•6d ago•44 comments

Prompt caching: 10x cheaper LLM tokens, but how?

https://ngrok.com/blog/prompt-caching/
101•samwho•2d ago•8 comments

How China built its ‘Manhattan Project’ to rival the West in AI chips

https://www.japantimes.co.jp/business/2025/12/18/tech/china-west-ai-chips/
337•artninja1988•14h ago•369 comments

Reconstructed Commander Keen 1-3 Source Code

https://pckf.com/viewtopic.php?t=18248
72•deevus•6h ago•8 comments

Property-Based Testing Caught a Security Bug I Never Would Have Found

https://kiro.dev/blog/property-based-testing-fixed-security-bug/
21•nslog•10h ago•3 comments

2026 Apple introducing more ads to increase opportunity in search results

https://ads.apple.com/app-store/help/ad-placements/0082-search-results
146•punnerud•4h ago•139 comments

Show HN: Picknplace.js, an alternative to drag-and-drop

https://jgthms.com/picknplace.js/
289•bbx•2d ago•112 comments

SMB Direct – SMB3 over RDMA – The Linux Kernel Documentation

https://docs.kernel.org/filesystems/smb/smbdirect.html
25•tambourine_man•7h ago•5 comments

Top Open Source Authorization Libraries (2024)

https://permify.co/post/open-source-authorization-libraries/
8•mooreds•3d ago•3 comments

Skills for organizations, partners, the ecosystem

https://claude.com/blog/organization-skills-and-directory
265•adocomplete•16h ago•143 comments

Show HN: Stop AI scrapers from hammering your self-hosted blog (using porn)

https://github.com/vivienhenz24/fuzzy-canary
234•misterchocolat•2d ago•155 comments

Pingfs: Stores your data in ICMP ping packets

https://github.com/yarrick/pingfs
3•linkdd•5d ago•1 comments

Great ideas in theoretical computer science

https://www.cs251.com/
100•sebg•10h ago•19 comments

Firefox will have an option to disable all AI features

https://mastodon.social/@firefoxwebdevs/115740500373677782
417•twapi•15h ago•362 comments

Telegraph chess: A 19th century tech marvel

https://spectrum.ieee.org/telegraph-chess
30•sohkamyung•6d ago•8 comments

Two kinds of vibe coding

https://davidbau.com/archives/2025/12/16/vibe_coding.html
89•jxmorris12•12h ago•62 comments

T5Gemma 2: The next generation of encoder-decoder models

https://blog.google/technology/developers/t5gemma-2/
134•milomg•13h ago•24 comments

Delty (YC X25) Is Hiring an ML Engineer

https://www.ycombinator.com/companies/delty/jobs/MDeC49o-machine-learning-engineer
1•lalitkundu•12h ago

Your job is to deliver code you have proven to work

https://simonwillison.net/2025/Dec/18/code-proven-to-work/
744•simonw•18h ago•584 comments