[Daniel's week] December 13, 2025

Daniel Stenberg daniel at haxx.se
Sat Dec 13 00:06:43 CET 2025


Hi friends!

Be nice to each other.

## Security

We received six security reports on Hackerone[1] this week, two of them
clearly just AI slop[2], but one of them turned out to be a real problem that
we are now working on. It will become the third pending CVE waiting to be
published in sync with the curl 8.18.0 release in January.

I spent *many* hours this week looking into possible security issues.

## AI

All three pending CVEs were discovered with AI-powered tools. We keep getting
more reports and issues discovered by such tools.

I have started toying and experimenting with letting two different AI
solutions do reviews on pull requests I do against curl. I typically ask both
GitHub's Copilot [4] and Augment Code [3] for feedback on the same PR. They
are both decent reviewers and quite surprisingly they rarely provide the same
feedback.

I find AI reviews to be pretty helpful. They can provide some early comments
and feedback, typically much faster than any humans. Also, they tend to find
things and details to highlight that maybe humans are not so good at. Also, I
think we are all used to the fact that reviews are often suggestions or even
somewhat opinionated and not necessarily clear black and white truths. I mean,
human reviews often also contain comments and remarks that I as an author
disagree with and disregard. Exactly the same as with AI reviews.

The jury is still out on the question of whether Copilot or Augment is the better
choice. They both add value, so using both is actually better than any single
one of them on their own.

An important detail here is of course that I don't pay for either of these
services. It makes it easier to use them like this since every contribution
they bring is then just added value - minus the noise of their potential false
positives of course. If I had to pay, I would have had to weigh the cost into
the equation in a way I don't now.

## FOSDEM

I was asked and accepted to do the closing keynote at FOSDEM 2026 [5] with my
talk "Open Source Security in spite of AI". That starts at 17:00 on the
Sunday, which in some regards is awful because everyone is tired and a lot of
people have already gone home or are beginning to do so, but it is still an
honor to be asked and since by that point all other tracks have closed at
least I am likely to get the audience that is still awake. In addition to
that, I never did one of the keynotes at FOSDEM before. I look forward to this!

This should become my 16th FOSDEM talk, 16 years after my first FOSDEM.

## 40K stars

I happened to notice that the curl repository on GitHub [6] now has surpassed
40,000 stars. Yes, just another number without significance but you know I'm a
sucker for those.

## rc1 regressions

We shipped curl 8.18.0 release candidate one [7] on Saturday. We got two minor
build regressions reported, but otherwise it seems to be smooth sailing. It
might of course be because no one is actually testing it. Who knows? ;-)

## URL checks

We have had a CI job for checking all outgoing URLs we link to in markdown
documentation for a while, and last week I made it also find and check all
"raw" links. That is basically every URL mentioned that isn't an example one.
This helps us make sure that we don't keep sending people to dead places.

However, as we sometimes push a lot of commits in pull requests etc., it became
clear that doing the URL checks for every push was way overkill. Checking all
those URLs several hundred times per day is not making anyone happy.

This week we have instead rewritten the job to check the links daily, and then
as an addition we made it scan even more files and also check URLs mentioned
in source code and elsewhere.

The link checker [8] also has a fairly extensive whitelist for URLs we *know*
work that we don't have to check. Right now, the script finds and checks 474
different URLs using 203 different host names.

## No AIxCC flaws

Remember the AIxCC competition? After lots of research and triaging, the
conclusion has landed: not a single *real* problem was found in #curl.

My previous write-up on the not so impressive injected problems they found is
here [9].

## chasing down mallocs

In my ongoing mission to fix problems in curl that ignore an OOM error and
then do another allocation call anyway, I happened to glance over our
alt-svc handling code when I realized that we made three separate allocations
for each new entry, which just seemed a little inefficient.

So I rewrote the logic to instead accomplish the same with a single alloc,
while also fixing the flow to return an error on the first OOM.

Since our HSTS code shares a lot of the same spirit as the alt-svc code, I
then took a dive in there to see if I could do a similar cleanup there. Yeah,
I could easily combine two allocs to instead become one. Nice.

Inspired by those wins, I then thought maybe I could fix up some cookie logic
as well and *bam*, did I fall down a really deep rabbit hole!

I realized that a lot of the curl cookie parser logic actually allocates
memory for pieces of cookie metadata while parsing, which makes it have to
free the memory again if something in the cookie formatting isn't right, or
even if the cookie is discarded for other reasons.

I ended up spending a few hours to avoid all allocations before the cookie is
found to be okay and fit for saving and I could even remove a superfluous data
field we previously allocated per cookie: we would save both the actual
path and a cleaned up version of the path when in reality everything could be
made to work fine with just using the clean one.

In the end, my measurements showed my PR [10] removed up to 38% of the
allocations done in cookie-using tests! Of course the results show more savings
when we receive many cookies that aren't fine in some ways and that is not a
typical real-world scenario, but I think I managed to accomplish this saving
without making any sacrifices. On the contrary, I think I also cleaned up and
made the code easier to read and follow as a result.
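The alt-svc and cookie rewrites described above share one pattern: parse the
input into non-owning views first, validate it, and only once it has been
accepted do a single allocation that holds the entry and all of its strings.
The following is an added example illustrating that pattern. It is not curl's
code; the cookie-line grammar it accepts, `struct entry`, `entry_new` and the
other names are assumptions made for the illustration. A rejected line costs
no allocation and leaves nothing to free, and the only OOM check on the path
is the one after `malloc`.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not curl's code. Parse a cookie-style line
   ("name=value; path=/x; Secure") into non-owning views, validate it, and
   only then make ONE allocation holding the entry and all three strings.
   The grammar and all names here are hypothetical. */

struct view { const char *p; size_t len; };

struct entry {
  char *name;
  char *value;
  char *path;
  char storage[];          /* name, value and path live in this one block */
};

enum { ENTRY_OK = 0, ENTRY_REJECTED = 1, ENTRY_OOM = 2 };

static int alloc_calls;    /* counts malloc calls, to show one per entry */

static int bad_bytes(const char *p, size_t len, int reject_space)
{
  size_t i;
  for(i = 0; i < len; i++) {
    unsigned char c = (unsigned char)p[i];
    if(c < 0x20 || c == 0x7f || (reject_space && c == ' '))
      return 1;
  }
  return 0;
}

/* Fill views without allocating. Returns 0 if the line is acceptable. */
static int parse_views(const char *line, struct view *name,
                       struct view *value, struct view *path)
{
  const char *eq = strchr(line, '=');
  const char *semi;
  if(!eq || eq == line)
    return -1;                            /* no '=' or empty name */
  name->p = line;
  name->len = (size_t)(eq - line);
  value->p = eq + 1;
  semi = strchr(value->p, ';');
  value->len = semi ? (size_t)(semi - value->p) : strlen(value->p);
  if(bad_bytes(name->p, name->len, 1) || bad_bytes(value->p, value->len, 0))
    return -1;                            /* control bytes or spaced name */
  path->p = "/";                          /* default path */
  path->len = 1;
  while(semi) {                           /* walk the "; attr" list */
    const char *attr = semi + 1;
    const char *next;
    size_t alen;
    while(*attr == ' ')
      attr++;
    next = strchr(attr, ';');
    alen = next ? (size_t)(next - attr) : strlen(attr);
    /* path= must be absolute; otherwise keep the default, as RFC 6265 does */
    if(alen > 5 && !strncmp(attr, "path=", 5) && attr[5] == '/') {
      path->p = attr + 5;
      path->len = alen - 5;
    }
    semi = next;
  }
  return 0;
}

/* Build an entry. Nothing is allocated unless the line was accepted, so a
   reject leaves nothing to free, and there is exactly one OOM check. */
int entry_new(const char *line, struct entry **out)
{
  struct view n, v, p;
  struct entry *e;
  char *dst;
  *out = NULL;
  if(parse_views(line, &n, &v, &p))
    return ENTRY_REJECTED;
  alloc_calls++;
  e = malloc(sizeof(*e) + n.len + 1 + v.len + 1 + p.len + 1);
  if(!e)
    return ENTRY_OOM;
  dst = e->storage;
  e->name = memcpy(dst, n.p, n.len);  dst[n.len] = 0;  dst += n.len + 1;
  e->value = memcpy(dst, v.p, v.len); dst[v.len] = 0;  dst += v.len + 1;
  e->path = memcpy(dst, p.p, p.len);  dst[p.len] = 0;
  *out = e;
  return ENTRY_OK;                        /* caller releases with free(e) */
}

int entry_alloc_calls(void) { return alloc_calls; }

/* Helpers: status code for a line; whether a line yields the given fields. */
int entry_status(const char *line)
{
  struct entry *e;
  int rc = entry_new(line, &e);
  free(e);                                /* e is NULL on reject/OOM */
  return rc;
}

int entry_matches(const char *line, const char *name,
                  const char *value, const char *path)
{
  struct entry *e;
  int ok = 0;
  if(entry_new(line, &e) == ENTRY_OK) {
    ok = !strcmp(e->name, name) && !strcmp(e->value, value) &&
         !strcmp(e->path, path);
    free(e);
  }
  return ok;
}
```

Compared with three `strdup()` calls per entry, this also removes the error
path where a second allocation fails after the first succeeded and the
partially built entry has to be unwound by hand; a single `free(e)` releases
everything, and the allocation counter makes the one-alloc-per-accepted-entry
property easy to assert in a test.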

## Coming up

- Monday: curl-8.18.0 rc2 ships
- undoubtedly more Hackerone reports to deal with

## Links

[1] = https://hackerone.com/curl
[2] = https://gist.github.com/bagder/07f7581f6e3d78ef37dfbfc81fd1d1cd
[3] = https://www.augmentcode.com/
[4] = https://github.com/copilot
[5] = https://fosdem.org/2026/
[6] = https://github.com/curl/curl/
[7] = https://curl.se/rc/
[8] = https://github.com/curl/curl/blob/master/scripts/mdlinkcheck
[9] = https://daniel.haxx.se/blog/2025/10/22/aixcc-curl-details/
[10] = https://github.com/curl/curl/pull/19864

-- 

  / daniel.haxx.se

