You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hi, thanks for the great project! I noticed that networkit does not check for out of bound array access for many operations in the C++ code, and this problem persists in the Python API. For example:
In [1]: importnetworkitasnkIn [2]: g=nk.Graph(n=10)
In [3]: g.degree(14)
Out[3]: 17734729476854972094In [4]: g.degree(10000000000000)
[1] 83923segmentationfaultipython
If networkit is used in an environment that accepts user inputs and the calling code does not check for the validity of the input either, this could lead to security vulnerabilities.
Is this behaviour intentional? I don't think it should be, since out-of-bound access in C++ is UB, and even if there is a strong reason, I think it should be much better documented, with scary warnings for the casual user. If no, is there any plan to fix it? Simply replacing calls like v[i] with v.at(i) will transform these UB into runtime exceptions, which I think is sufficient. On modern CPUs bound checking is almost free, so omitting them usually does not make code run faster.
The text was updated successfully, but these errors were encountered:
Hi, thanks for the great project! I noticed that networkit does not check for out of bound array access for many operations in the C++ code, and this problem persists in the Python API. For example:
If networkit is used in an environment that accepts user inputs and the calling code does not check for the validity of the input either, this could lead to security vulnerabilities.
Is this behaviour intentional? I don't think it should be, since out-of-bound access in C++ is UB, and even if there is a strong reason, I think it should be much better documented, with scary warnings for the casual user. If no, is there any plan to fix it? Simply replacing calls like
v[i]
withv.at(i)
will transform these UB into runtime exceptions, which I think is sufficient. On modern CPUs bound checking is almost free, so omitting them usually does not make code run faster.The text was updated successfully, but these errors were encountered: