This looks kinda scary to me considering that Zig isn't a safe language and it's being used here to parse untrusted data from the internet. Would the ReleaseSafe mode that Zig provides prevent any attempts to exploit memory safety bugs?
That's a valid concern.
First of all, I'm not trying to reinvent the wheel here. For XML parsing, I'm using libexpat, one of the most widely used C XML parsers.
For networking, I'm using libcurl, the industry standard.
I have some limits in place, too. The feed size is capped at 200 KB, and there are timeouts for hanging connections. There's also a sanitization step that strips control characters that could mess with the terminal emulator, mitigating escape sequences.
That said, I'm no security expert, and the source code is public. If anyone more knowledgeable spots a security hole, I'd be happy to merge a fix.
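To make the two mitigations above concrete, here is an added C example (not the project's code, and not a claim about how it implements them). It shows a size cap enforced inside a libcurl `CURLOPT_WRITEFUNCTION` callback, which is the place the cap has to live because `CURLOPT_MAXFILESIZE` only helps when the server announces a Content-Length, and a terminal sanitizer that drops whole ESC-introduced sequences rather than single bytes and also drops the C1 controls U+0080..U+009F (encoded in UTF-8 as `0xC2 0x80..0x9F`), since U+009B alone acts as a CSI introducer on many terminals. The `feed_buf` struct and the `feed_cap_triggered` / `sanitized_equals` helpers are hypothetical names for this example; the libcurl callback signature is the real one.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Upper bound on accepted feed bytes (the 200 KB figure from the comment). */
#define FEED_CAP (200u * 1024u)

/* Hypothetical accumulator filled by the libcurl write callback. */
typedef struct {
    char   *buf;      /* caller-owned storage of at least FEED_CAP bytes */
    size_t  len;      /* bytes stored so far */
    int     overflow; /* set once a chunk would push len past FEED_CAP */
} feed_buf;

/* CURLOPT_WRITEFUNCTION-shaped callback. Returning fewer bytes than size*nmemb
 * makes libcurl abort the transfer with CURLE_WRITE_ERROR, which is exactly what
 * we want for an oversized (or chunked, length-unknown) response. */
size_t feed_write_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
{
    feed_buf *fb = (feed_buf *)userdata;
    if (size != 0 && nmemb > SIZE_MAX / size) { fb->overflow = 1; return 0; }
    size_t n = size * nmemb;
    if (n > FEED_CAP - fb->len) { fb->overflow = 1; return 0; }
    memcpy(fb->buf + fb->len, ptr, n);
    fb->len += n;
    return n;
}

/* Test helper: deliver `total` bytes in `chunk`-sized pieces (libcurl always
 * calls with size == 1). Returns 1 if the cap aborted the transfer, else 0. */
int feed_cap_triggered(size_t total, size_t chunk)
{
    static char storage[FEED_CAP];
    static char piece[4096];
    feed_buf fb = { storage, 0, 0 };
    memset(piece, 'x', sizeof piece);
    if (chunk > sizeof piece) chunk = sizeof piece;
    while (total > 0 && !fb.overflow) {
        size_t n = total < chunk ? total : chunk;
        feed_write_cb(piece, 1, n, &fb);
        total -= n;
    }
    return fb.overflow;
}

/* Strip terminal control sequences from UTF-8 text before printing it.
 * Keeps '\n' and '\t'; drops other C0 controls and DEL; drops complete
 * ESC-introduced sequences: CSI (ESC '[' params 0x20..0x3F, final 0x40..0x7E),
 * string sequences OSC/DCS/PM/APC (ESC ']' 'P' '^' '_' up to BEL or ESC '\'),
 * and other ESC I* F forms; drops C1 controls encoded as 0xC2 0x80..0x9F.
 * Other multi-byte UTF-8 passes through untouched. `out` may alias `in`
 * (output never runs ahead of input). Returns the output length. */
size_t sanitize_for_terminal(const char *in, size_t len, char *out)
{
    const unsigned char *s = (const unsigned char *)in;
    size_t i = 0, o = 0;
    while (i < len) {
        unsigned char c = s[i];
        if (c == 0x1B) {
            i++;
            if (i >= len) break;                 /* truncated ESC at end of input */
            unsigned char k = s[i++];
            if (k == '[') {                      /* CSI */
                while (i < len && s[i] >= 0x20 && s[i] <= 0x3F) i++;
                if (i < len) i++;                /* final byte */
            } else if (k == ']' || k == 'P' || k == '^' || k == '_') {
                while (i < len) {                /* string sequence: until BEL or ST */
                    if (s[i] == 0x07) { i++; break; }
                    if (s[i] == 0x1B && i + 1 < len && s[i + 1] == '\\') { i += 2; break; }
                    i++;
                }
            } else if (k >= 0x20 && k <= 0x2F) { /* ESC I* F, e.g. ESC ( B */
                while (i < len && s[i] >= 0x20 && s[i] <= 0x2F) i++;
                if (i < len) i++;
            }                                    /* else: two-byte ESC x, already dropped */
            continue;
        }
        if (c == 0xC2 && i + 1 < len && s[i + 1] >= 0x80 && s[i + 1] <= 0x9F) {
            i += 2;                              /* C1 control in UTF-8 */
            continue;
        }
        if ((c < 0x20 && c != '\n' && c != '\t') || c == 0x7F) { i++; continue; }
        out[o++] = (char)c;
        i++;
    }
    return o;
}

/* Test helper: sanitize a NUL-terminated string and compare with `expect`. */
int sanitized_equals(const char *in, const char *expect)
{
    char out[512];
    size_t n = strlen(in);
    if (n > sizeof out) return 0;
    size_t o = sanitize_for_terminal(in, n, out);
    return o == strlen(expect) && memcmp(out, expect, o) == 0;
}
```

Dropping whole sequences instead of just the ESC byte matters for readability rather than safety: once ESC is gone the remaining `[31m` is harmless but noisy. The C1 case is the one that is easy to miss, because a filter that only rejects bytes below 0x20 lets a UTF-8 encoded U+009B through, and that byte is a complete CSI introducer by itself.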
There's active work towards that (which could run as part of CI) and it looks very promising: https://github.com/ityonemo/clr