Alus Restor

celebrating 5 followers #arlecchino

tetsuo still has me blocked and his team says that kind of bs.. alright then, i just looked at the repo that he published, and took the time to review the code again: found 12+ critical security vulnerabilities. executable stack enabled via setjmp/longjmp with comments claiming "modern kernels enforce nx regardless". that's completely false. cmakelists.txt line 15-19 literally enables code injection vulnerabilities while telling users it's "safe" arena allocator has textbook toctou race conditions (arena.c:117-134), integer overflows in allocation checks (156-166), missing bounds validation in aligned allocs (283-300). memory is never freed back to os in most paths, just accumulates until oom. "arena-based memory management" is broken claims "complete dns resolver with dnssec".. grep -r "DNSSEC" returns nothing. no dnssec validation exists. dns has no source port randomization, vulnerable to cache poisoning. no rebinding protection, no rate limiting compiler flags are INSANE: -wno-return-type, -wno-error=return-type, -fno-strict-aliasing, -wno-implicit-int. literally suppressing critical warnings to hide undefined behavior. no stack protector, no fortify source, no relro, no pie. basically zero security hardening websocket mask keys use weak prng (socketws-frame.c:38), violates rfc 6455. http/2 has no hpack bomb protection, unbounded header decompression is classic dos. no stream id exhaustion handling, no flow control validation, priority tree manipulation unchecked tls implementation skips ocsp stapling verification, missing hostname verification in multiple paths, no downgrade protection. ssl_secure_clear_buf gets optimized away by compiler. thread-local exception stack has zero synchronization, thats literal undefined behavior in c11 io_uring uses sqpoll without capability checks (socketpoll_uring.c:149), buffer registration has no bounds checking, submission queue overflow unhandled, multishot poll races everywhere claims "zero dependencies except openssl" but requires liburing, zlib, brotli, pthread. claims "all custom. no libcurl. no libuv" while using multiple external libs readme says "http/3 + quic (in progress)".. it's just string constants, no implementation. "simple api layer" mentioned but doesn't exist. "fuzz harnesses" claimed - zero fuzz files in repo. "examples folder (30+ demo programs)" but no examples directory exists. "unit/integration test suite" but no tests found lack of input validation: no url validation, header injection vulns, integer overflows in size calcs, no bounds checking on user inputs. curl_main.c:249-260 header validation incomplete this isn't "hand-rolled from scratch", it's false advertising. executable stack alone makes it unsuitable for any use. 8 critical vulns, 4 high severity, multiple memory corruption bugs, broken protocol implementations, and straight up lies about features the readme claims "the code shown is battle-tested" while having zero tests. "passes full test suite" that doesn't exist. "fuzzed (not full coverage)" with no fuzz harnesses i would also like to add that @tetsuoai and @dreamworks2050 claim that me and laurie were acting in bad faith with "unreleased code": the code was public when both of us posted the tweet. shortly after the gist got deleted along all the other tweets he posted arguing with us about this. don't twist the situation. before you tell me to just submit issues and PRs instead of posting this: i took the time to make this review because i am sincerely upset and do not accept getting slandered like this for just criticizing false claims. i will not spend more time fixing a vibe-coded codebase that is falsely advertised. i don't care/mind that this is vibecoded, my problem is that this is falsely advertised to a following base of over 200k people who will not take their time to do their due dilligence like i did. i do not feel okay with you and your team claiming that i posted that code review "for engagement" thank you, if you truly care about making this good then look at the issues i mentioned and fix them, if you're just doing this for engagement then so be it finally, before you claim that you don't have me blocked, you keep blocking me and unblocking me, conveniently you blocked me again right after you released that repo, i wonder why