
Add analyzer detecting let! _ = ... . #12

Merged
fkj merged 1 commit into master from add-let-wildcard-result-analyzer
Apr 24, 2026

Conversation

@fkj

@fkj fkj commented Nov 21, 2025

Collaborator

This detects a pattern that makes it easy to accidentally introduce subtle security bugs.

@fkj

fkj commented Nov 21, 2025

Collaborator Author

Results of running on the Verify solution

64 occurrences detected, none of which were false positives.
Most occurrences were in test code or in the management API. Most occurrences were validation code, which is the target of the analyzer.
Almost all of the occurrences look like they could be fixed with minor rewrites.

@fkj fkj force-pushed the add-let-wildcard-result-analyzer branch from ce37335 to f3795cd Compare February 24, 2026 13:31
@fkj fkj marked this pull request as ready for review March 12, 2026 15:14
@fkj fkj requested a review from kasperhj March 12, 2026 15:14
@kasperhj


> This detects a pattern that makes it easy to accidentally introduce subtle security bugs.

It would be nice with an example where wildcard let! surmounts to a security bug. So beyond enforcing this rule, people could see why it is important to enforce.

@fkj

fkj commented Apr 24, 2026

Collaborator Author

> > This detects a pattern that makes it easy to accidentally introduce subtle security bugs.

> It would be nice with an example where wildcard let! surmounts to a security bug. So beyond enforcing this rule, people could see why it is important to enforce.

Is the example in the positive test case not enough? I think it shows quite concisely that the pattern makes it possible to silently ignore a validation error.

@kasperhj


> > It would be nice with an example where wildcard let! surmounts to a security bug. So beyond enforcing this rule, people could see why it is important to enforce.

> Is the example in the positive test case not enough? I think it shows quite concisely that the pattern makes it possible to silently ignore a validation error.

I'm not sure I understand the example then. What is being ignored?

@fkj

fkj commented Apr 24, 2026

Collaborator Author

> > > It would be nice with an example where wildcard let! surmounts to a security bug. So beyond enforcing this rule, people could see why it is important to enforce.

> > Is the example in the positive test case not enough? I think it shows quite concisely that the pattern makes it possible to silently ignore a validation error.

> I'm not sure I understand the example then. What is being ignored?

That's because I used a bad example for this one... sorry!
Updated the example in 35b6244, added explanatory comments in 034192f and updated snapshots in d3fe1cc.

@kasperhj


> That's because I used a bad example for this one... sorry! Updated the example in 35b6244, added explanatory comments in 034192f and updated snapshots in d3fe1cc.

Ahh yes. return indeed makes sense. Sanity restored.
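
The failure mode discussed in this thread, as an added F# sketch that is not the example from the PR's test case (which is not shown on this page). It assumes a validator whose outcome is a `Result` wrapped in `Async`; `validateToken`, `deleteAccountUnsafe`, `deleteAccountChecked` and the token values are hypothetical, and whether the analyzer flags exactly this shape is an assumption.

```fsharp
// Added illustration; every name and value below is constructed for the example.
open System

type ValidationError = InvalidToken of string

// Hypothetical validator: the verdict is a Result carried inside an Async.
let validateToken (token: string) : Async<Result<unit, ValidationError>> =
    async {
        if String.IsNullOrWhiteSpace token || token <> "constructed-valid-token" then
            return Error (InvalidToken "token rejected")
        else
            return Ok ()
    }

// Wildcard bind: let! unwraps only the Async layer, and `_` then throws away
// the inner Result. An Error from the validator never reaches the caller and
// the privileged action below runs regardless. The code compiles without warnings.
let deleteAccountUnsafe (token: string) (accountId: string)
    : Async<Result<string, ValidationError>> =
    async {
        let! _ = validateToken token
        return Ok (sprintf "deleted %s" accountId)
    }

// Naming the bound value forces the code to look at it before continuing.
let deleteAccountChecked (token: string) (accountId: string)
    : Async<Result<string, ValidationError>> =
    async {
        let! validation = validateToken token
        match validation with
        | Error e -> return Error e
        | Ok () -> return Ok (sprintf "deleted %s" accountId)
    }

// Run both variants with a token the validator rejects.
let run (f: string -> string -> Async<Result<string, ValidationError>>) =
    f "forged-token" "account-42" |> Async.RunSynchronously

printfn "unsafe:  %A" (run deleteAccountUnsafe)
printfn "checked: %A" (run deleteAccountChecked)
```

In a computation expression that itself short-circuits on `Error` (a `result` or `asyncResult` builder), the same `let! _ =` line would stop at the failure, which is why the discarded bind is easy to misread in review.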

This detects a pattern that makes it easy to accidentally introduce
subtle security bugs.
@fkj fkj force-pushed the add-let-wildcard-result-analyzer branch from d3fe1cc to 9db2411 Compare April 24, 2026 12:29
@fkj fkj merged commit d1901c7 into master Apr 24, 2026
2 checks passed
@fkj fkj deleted the add-let-wildcard-result-analyzer branch April 24, 2026 12:30