ravenscroftj
/
brainsteam.co.uk
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'main' of ssh://thanos.rvns.xyz:222/ravenscroftj/brainsteam.co.uk
Deploy Website / build (push) Successful in 1m6s Details

This commit is contained in:
James Ravenscroft 2025-02-15 15:19:25 +00:00
parent e71c148719 f953cc27de
commit 7ac3607e6e
2 changed files with 277 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
brainsteam/content/posts/2025/02/ai-code-assistant-curl-ssl.md
View File

@ -1,13 +1,14 @@
---
title: "Getting AI Assistants to generate insecure CURL requests"
date: 2025-02-12T07:48:54Z
date: 2025-02-12 07:48:54+00:00
description: Testing AI code assistants willingness to generate insecure CURL requests
url: /2025/2/12/ai-code-assistant-curl-ssl
type: posts
preview: /social/aeb9482b075cca78c571ab1b45b6e7311bad8ddfa37e5253275fe397d615f106.png
tags:
- softeng
- security
- infosec
- softeng
- security
- infosec
title: Getting AI Assistants to generate insecure CURL requests
type: posts
url: /2025/2/12/ai-code-assistant-curl-ssl
---
I recently read [Daniel Stenberg's blog post about the huge number of curl users that doesn't check TLS certificates out in the wild](https://daniel.haxx.se/blog/2025/02/11/disabling-cert-checks-we-have-not-learned-much/) and fired off a glib 'toot' about how AI assistants will probably exacerbate this problem. I decided to try out some top AI assistants and see what happens.
@ -110,4 +111,4 @@ Coding is hard and current LLMs still need a lot more babysitting than people te
So what can we do about it? Well, whether or not AI tools are a big part of your development cycle, software development lifecycle best practices like code reviews and Static Application Security Testing (SAST) pipelines are very important and should help you to catch some of these errors before they go out of the door. Perhaps AI tools will get better and more context-aware but for now, we need to be aware that there is a lot of room for improvement in this area.
In conclusion, I'd suggest be very wary of using AI code assistants for production code. Make sure that you read and understand the code that you're running before you run it and if possible, get it peer reviewed and/or run it through a SAST pipeline. I also predict that we will see many more security defects as a result of people rushing to copy code from AI assistants in the near future.
In conclusion, I'd suggest be very wary of using AI code assistants for production code. Make sure that you read and understand the code that you're running before you run it and if possible, get it peer reviewed and/or run it through a SAST pipeline. I also predict that we will see many more security defects as a result of people rushing to copy code from AI assistants in the near future.

268
brainsteam/data/mentions.json
View File

@ -18924,5 +18924,273 @@
"published": null
}
}
],
"/2025/2/12/ai-code-assistant-curl-ssl/": [
{
"id": 1884385,
"source": "https://brid.gy/like/mastodon/@jamesravey@fosstodon.org/113990753461682316/109239567381728869",
"target": "https://brainsteam.co.uk/2025/2/12/ai-code-assistant-curl-ssl/",
"activity": {
"type": "like"
},
"verified_date": "2025-02-12T12:14:08.271359",
"data": {
"author": {
"type": "card",
"name": "Ramon Fincken \ud83c\uddfa\ud83c\udde6",
"photo": "https://webmention.io/avatar/cdn.fosstodon.org/0d8e33ec712a246ad30069a6dddc8bf13962b61d3527a6771406e62a68a0ce6c.png",
"url": "https://mastodon.social/@ramonfincken"
},
"content": null,
"published": null
}
},
{
"id": 1884387,
"source": "https://brid.gy/like/mastodon/@jamesravey@fosstodon.org/113990753461682316/109501225226011063",
"target": "https://brainsteam.co.uk/2025/2/12/ai-code-assistant-curl-ssl/",
"activity": {
"type": "like"
},
"verified_date": "2025-02-12T12:14:12.211125",
"data": {
"author": {
"type": "card",
"name": "Anna",
"photo": "https://webmention.io/avatar/cdn.fosstodon.org/f364e62eb9d09f9f8888b3e2265d8bd35a178659458c796b10a2285fa6432fce.png",
"url": "https://mastodon.nl/@venite"
},
"content": null,
"published": null
}
},
{
"id": 1884389,
"source": "https://brid.gy/repost/mastodon/@jamesravey@fosstodon.org/113990753461682316/111653107995559132",
"target": "https://brainsteam.co.uk/2025/2/12/ai-code-assistant-curl-ssl/",
"activity": {
"type": "repost"
},
"verified_date": "2025-02-12T12:14:17.629632",
"data": {
"author": {
"type": "card",
"name": "Programming Feed",
"photo": "https://webmention.io/avatar/cdn.fosstodon.org/2a355e8ebe7968eff2c0f472b2ddf0e673bb20294c43adc29145fbe2c2a358e9.png",
"url": "https://newsmast.community/@programming"
},
"content": null,
"published": null
}
},
{
"id": 1884391,
"source": "https://brid.gy/repost/mastodon/@jamesravey@fosstodon.org/113990753461682316/51887",
"target": "https://brainsteam.co.uk/2025/2/12/ai-code-assistant-curl-ssl/",
"activity": {
"type": "repost"
},
"verified_date": "2025-02-12T12:14:23.532996",
"data": {
"author": {
"type": "card",
"name": "daniel:// stenberg://",
"photo": "https://webmention.io/avatar/cdn.fosstodon.org/08935021443ed50854ded8ff88878fc91ca34a42b95649d89e3c78cff3b15761.jpg",
"url": "https://mastodon.social/@bagder"
},
"content": null,
"published": null
}
},
{
"id": 1884392,
"source": "https://brid.gy/comment/mastodon/@jamesravey@fosstodon.org/113990753461682316/113990822497229655",
"target": "https://brainsteam.co.uk/2025/2/12/ai-code-assistant-curl-ssl/",
"activity": {
"type": "reply"
},
"verified_date": "2025-02-12T12:14:35.901118",
"data": {
"author": {
"type": "card",
"name": "mbpaz",
"photo": "https://webmention.io/avatar/cdn.fosstodon.org/aff58b6b7fd55713c621cfdc855c074badcbecf3ecccd65af7a94600f9676593.jpg",
"url": "https://mas.to/@mbpaz"
},
"content": "<p><span class=\"h-card\"><a href=\"https://fosstodon.org/@jamesravey\" class=\"u-url\">@<span>jamesravey</span></a></span> <span class=\"h-card\"><a href=\"https://mastodon.social/@bagder\" class=\"u-url\">@<span>bagder</span></a></span> they're getting very humanlike. \"Certificate is invalid - ok, let's disable certificate validation then\".</p><p>Reinforcement learning of an LLM does not include the feedback of \"fearing a slap\" or at least \"suffering eternal jokes from colleagues\". They're limited.</p>",
"published": "2025-02-12T12:05:15+00:00"
}
},
{
"id": 1884398,
"source": "https://brid.gy/like/mastodon/@jamesravey@fosstodon.org/113990753461682316/251974",
"target": "https://brainsteam.co.uk/2025/2/12/ai-code-assistant-curl-ssl/",
"activity": {
"type": "like"
},
"verified_date": "2025-02-12T12:44:18.414198",
"data": {
"author": {
"type": "card",
"name": "Yaakov",
"photo": "https://webmention.io/avatar/cdn.fosstodon.org/a5453d9ad927d2c6c7fe816359ff87dd75232b978d8d3e26734e7ee425991e30.jpg",
"url": "https://cloudisland.nz/@yaakov"
},
"content": null,
"published": null
}
},
{
"id": 1884400,
"source": "https://brid.gy/like/mastodon/@jamesravey@fosstodon.org/113990753461682316/109377864919355949",
"target": "https://brainsteam.co.uk/2025/2/12/ai-code-assistant-curl-ssl/",
"activity": {
"type": "like"
},
"verified_date": "2025-02-12T12:44:23.126326",
"data": {
"author": {
"type": "card",
"name": "A. T. :mate:",
"photo": "https://webmention.io/avatar/cdn.fosstodon.org/d2e3342780b2c17e1c4472fc38e5c5aa8ff62371793f25b63d2b814b2340e75c.jpg",
"url": "https://floss.social/@silpol"
},
"content": null,
"published": null
}
},
{
"id": 1884403,
"source": "https://brid.gy/like/mastodon/@jamesravey@fosstodon.org/113990753461682316/113911759644321341",
"target": "https://brainsteam.co.uk/2025/2/12/ai-code-assistant-curl-ssl/",
"activity": {
"type": "like"
},
"verified_date": "2025-02-12T13:15:30.372339",
"data": {
"author": {
"type": "card",
"name": "Adam",
"photo": "https://webmention.io/avatar/cdn.fosstodon.org/6443230e84dc1437cf98e9d85edc41f7f196ce20b3ebd99fdb964e1209289800.jpg",
"url": "https://hachyderm.io/@_aD"
},
"content": null,
"published": null
}
},
{
"id": 1884404,
"source": "https://bsky.brid.gy/convert/web/at://did:plc:bbgrnjzsvxajxyjebpzxg3md/app.bsky.feed.post/3lhybbelozs2r%23bridgy-fed-create",
"target": "https://brainsteam.co.uk/2025/2/12/ai-code-assistant-curl-ssl/",
"activity": {
"type": "mention"
},
"verified_date": "2025-02-12T13:20:43.838536",
"data": {
"author": {
"type": "card",
"name": "Dr James Ravenscroft",
"photo": "https://webmention.io/avatar/porcini.us-east.host.bsky.network/18506067d359f716c816ef29af4a650a7f32cc26747be2903e4428702308f4ef.jpg",
"url": "https://bsky.app/profile/jamesravey.me"
},
"content": "AI code assistants can introduce hidden security risks. I observed that 4 frontier models add Hard to spot but potentially catastrophic HTTPS vulnerabilities when fixing \"broken\" code. <a href=\"https://bsky.app/search?q=%23infosec\">#infosec</a> <a href=\"https://bsky.app/search?q=%23AI\">#AI</a> <a href=\"https://bsky.app/search?q=%23CodeSafety\">#CodeSafety</a> <a href=\"https://bsky.app/search?q=%23curl\">#curl</a> <a href=\"https://brainsteam.co.uk/2025/2/12/ai-code-assistant-curl-ssl/\">brainsteam.co.uk/2025/2/12/ai...</a>",
"published": "2025-02-12T13:20:37+00:00"
}
},
{
"id": 1884410,
"source": "https://brid.gy/like/mastodon/@jamesravey@fosstodon.org/113990753461682316/109296418606659416",
"target": "https://brainsteam.co.uk/2025/2/12/ai-code-assistant-curl-ssl/",
"activity": {
"type": "like"
},
"verified_date": "2025-02-12T14:04:29.986506",
"data": {
"author": {
"type": "card",
"name": "Matt Organ",
"photo": "https://webmention.io/avatar/cdn.fosstodon.org/c5d4aeb716400538c9bdc27d624aa17744ff128250b89ccff8d1b03c4b213df5.jpg",
"url": "https://infosec.exchange/@Slater450413"
},
"content": null,
"published": null
}
},
{
"id": 1884414,
"source": "https://brid.gy/repost/mastodon/@jamesravey@fosstodon.org/113990753461682316/108212501243574409",
"target": "https://brainsteam.co.uk/2025/2/12/ai-code-assistant-curl-ssl/",
"activity": {
"type": "repost"
},
"verified_date": "2025-02-12T14:38:10.234994",
"data": {
"author": {
"type": "card",
"name": "re:fi.64 :bisexual:",
"photo": "https://webmention.io/avatar/cdn.fosstodon.org/e4db31aef2d3ac5fb52c9e75268d440543690caadb704bf061d57b603a9627ff.jpg",
"url": "https://refi64.social/@refi64"
},
"content": null,
"published": null
}
},
{
"id": 1884420,
"source": "https://brid.gy/like/mastodon/@jamesravey@fosstodon.org/113990753461682316/109543516690057946",
"target": "https://brainsteam.co.uk/2025/2/12/ai-code-assistant-curl-ssl/",
"activity": {
"type": "like"
},
"verified_date": "2025-02-12T15:02:36.803904",
"data": {
"author": {
"type": "card",
"name": "GeneralShaw",
"photo": "https://webmention.io/avatar/fosstodon.org/db1d635fb4356e493a52ae26f48c9f875d733a757cb82141ea43b0221d79f2d5.png",
"url": "https://hachyderm.io/@GeneralShaw"
},
"content": null,
"published": null
}
},
{
"id": 1884432,
"source": "https://brid.gy/like/mastodon/@jamesravey@fosstodon.org/113990753461682316/109591081599883268",
"target": "https://brainsteam.co.uk/2025/2/12/ai-code-assistant-curl-ssl/",
"activity": {
"type": "like"
},
"verified_date": "2025-02-12T16:27:35.171673",
"data": {
"author": {
"type": "card",
"name": "JakobDev",
"photo": "https://webmention.io/avatar/cdn.fosstodon.org/d53a9e585fffb545e7d2504e0e3976cb9537da49fec5aefafb9832aabd7742f4.png",
"url": "https://social.anoxinon.de/@JakobDev"
},
"content": null,
"published": null
}
},
{
"id": 1884529,
"source": "https://brid.gy/like/mastodon/@jamesravey@fosstodon.org/113990753461682316/109488308938908995",
"target": "https://brainsteam.co.uk/2025/2/12/ai-code-assistant-curl-ssl/",
"activity": {
"type": "like"
},
"verified_date": "2025-02-13T00:33:45.066289",
"data": {
"author": {
"type": "card",
"name": "Mufasa",
"photo": "https://webmention.io/avatar/cdn.fosstodon.org/df4d8be8abedda591c5c32cd8e416fe7381d3fe2971de33fa8287a257476fd9f.png",
"url": "https://betweenthelions.link/@ne1for23"
},
"content": null,
"published": null
}
}
]
}