Larson: Are insecure code completions a vulnerability? (lwn.net)
<p>Seth Larson, the Python Software Foundation's <a
href="https://pyfound.blogspot.com/2023/06/announcing-our-new-security-developer.html">security
developer-in-residence</a>, has <a
href="https://sethmlarson.dev/are-insecure-code-completions-a-vulnerability">written
about</a> the difficulty in classifying insecure code completion in
the <a href="https://www.jetbrains.com/pycharm/">PyCharm IDE</a> using
its <a
href="https://www.jetbrains.com/help/pycharm/full-line-code-completion.html">Full
Line code completion</a> plugin. Larson discovered that the plugin,
which uses a local "deep learning module" to offer code completions,
suggests code that would lead to severe vulnerabilities. He was unsure
whether it warranted a CVE or not, however:</p>
<blockquote class="bq">
<p>I reported this behavior to JetBrains for "Full Line Code Completion" v253.29346.142
and clearly their support staff weren't certain whether this defect
was a security vulnerability or not either. When I asked to
publish a blog post about this behavior after they confirmed
this report wasn't a "direct security vulnerability" (which
I agree with), I was then asked not to publicize my report and was referred to
PyCharm's <a href="https://www.jetbrains.com/legal/docs/terms/coordinated-disclosure/">Coordinated Disclosure Policy</a>,
so... which is it? Security vulnerability or not?</p>
<p>I ended up waiting the 90 days anyway and I didn't hear back with
any substantive update from the development team. I double-checked
again today using "Full Line Code Completion" v261.24374.152 and the
behavior is identical, suggesting the same insecure code for both
contexts.</p>
<p>This isn't meant to be a specific dig at PyCharm or JetBrains; I
have no doubt that examples like this exist in every code generation
model available.</p>
</blockquote>