Notably, Starlette powers FastAPI, an extremely popular Python framework for building HTTP services.
replyIs this still true?
replyYou may be thinking of Litestar (previously named Starlite) that was based on Starlette akin to FastAPI but then went their own direction implementing a framework rather than relying on an upstream for their core product.
replyYes, it's literally the first bullet point on the project's website.
reply[dead]
replyIronically typing ‘make sure my server is secure’ into an LLM either wasn’t done, or missed it until now.
replyThe posted page has an entire section titled "Why didn't Mythos find this?"
replytl;dr: the bug spans three components in different code bases that when looked at in isolation each do reasonable things. The bug is in the interaction, in the assumed properties of the value that eventually gets exposed as request.url.path. That was apparently too subtle for current Anthropic models to spot
So an LLM was unable to reason about a codebase to find cross-library vulnerabilities.
replyYour response was a weak excuse, it’s a clear demonstration of the shortcomings of LLMs which will inevitably cause headlines in the future.
If you point an LLM at a middleware and ask it to find vulnerabilities, then not finding this is a shortcoming.
replyWhether "LLM failed to spot vulnerability that took humans 8 years to find" is a great headline about shortcomings of LLMs is questionable, but it is a good example of a category of bug that is particularly hard to spot for humans and LLMs alike
When the past month has been full of headlines claiming that Mythos et al. will be the end of secure software as well know it, it's fair game to emphasize the places we know already are not going to be covered by them.
reply