Comment by efitz

3 months ago

I will think of LLMs as not being a toy when they start to challenge me when I tell them to do stupid things.

“Remove that bounds check”

“The bounds check is on a variable that is read from a message we received over the network from an untrusted source. It would be unsafe to remove it, possibly leading to an exploitable security vulnerability. Why do you want to remove it? Perhaps we can find a better way to address your underlying concern.”

I dealt with this exact situation yesterday using o3.

For context, we use a PR bot that analyzes diffs for vulnerabilities.

I gave the PR bot's response to o3, and it gave a code patch and even suggested a comment for the "security reviewer":

> “The two regexes are linear-time, so they cannot exhibit catastrophic backtracking. We added hard length caps, compile-once regex literals, and sticky matching to eliminate any possibility of ReDoS or accidental O(n²) scans. No further action required.”

Of course the security review bot wasn't satisfied with the new diff, so I passed its updated feedback to o3.

By the 4th round of corrections, I started to wonder if we'd ever see the end of the tunnel!

As long as it delivers the message with "I can't let you do that, dymk", I'll be happy