Project ideas from Hacker News discussions.

No strcpy either

📝 Discussion Summary

1. Flaws of Legacy C String Functions

Critics highlight issues with strcpy (no bounds check at all), strncpy (poor API, no guarantee of NUL-termination, originally meant for fixed-width fields), and the surprising truncation behaviour of the bounded variants.
"Removing strcpy from your code does not make it memory safe." (saagarjha)
"strncpy was initially introduced... to deal with fixed-length name fields... Such fields are not used in the same way as strings." (tourist2d, quoting rationale)

2. AI-Generated "Slop" Vulnerability Reports

Maintainers face harassment from bogus AI-generated reports that flag strcpy, often without reproduction steps or any payout; the mere presence of strcpy in source acts as a honeypot for such claims.
"It has been proven... that strcpy in source code is like a honey pot for generating hallucinated vulnerability claims." (Scubabear68, quoting article)
"It's a symptom of complete failure... to stave off harassment over false security impact from bots." (easterncalculus)

3. Need for Safer, Modern String Handling

Calls for length-aware APIs, new stdlib functions, or libraries like bstrlib/slices to replace null-terminated strings.
"strcpy has the best interface... if you know this then you can just use memcpy instead." (jandrese)
"Is it really too late for the C committee... to develop a modern string library?" (jandrese)


🚀 Project Ideas

AI Slop Report Filter

Summary

  • A web service or GitHub Action that scans incoming vulnerability reports (e.g., HackerOne, GitHub issues) for hallmarks of AI-generated "slop" like hallucinated strcpy CVEs, lacking repro steps, or generic explanations without context.
  • Core value: Saves maintainers time by auto-filtering/tagging bogus reports, reducing harassment from bounty farmers.

Details

Target Audience: OSS maintainers, SaaS security teams receiving bug bounties
Core Feature: NLP-based classifier trained on slop examples (e.g., no repro steps, strcpy flagged without any bounds-check analysis); integrates with email/GitHub webhooks
Tech Stack: Python (spaCy/Transformers for NLP), FastAPI, GitHub API; host on Vercel/AWS Lambda
Difficulty: Medium
Monetization: Revenue-ready: Freemium (free for OSS, $10/mo pro for teams)

Notes

  • "I dread the idea of starting to get notifications from them in my own projects." (snvzz); "maintainers are even remotely thinking about... changes... to stave off harassment over false security impact from bots." (easterncalculus).
  • HN would love the irony of fighting AI slop with AI; high utility for curl-like projects.

SafeSlice Strings

Summary

  • A lightweight C library providing length-prefixed "slices" (ptr + len) with safe copy/append/concat functions, zero-copy views, and drop-in macros for legacy code migration.
  • Core value: Eliminates NUL-termination footguns, truncation surprises, and undefined behaviour when source and destination overlap; mimics Rust slices for modern C.

Details

Target Audience: C/C++ developers tired of strncpy/strlcpy quirks, embedded/systems programmers
Core Feature: a struct {char *ptr; size_t len;} slice type; functions such as slice_copy(dst_slice, src_slice) and slice_append_fmt; automatic NUL-termination when converting back to C strings for interop
Tech Stack: Pure C99, no deps; optional fuzzing with AFL++; publish to GitHub/vcpkg
Difficulty: Low
Monetization: Hobby
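A minimal sketch of the slice design above, together with the strncpy pitfall from section 1 of the discussion summary, written here as an added example and not code from any existing SafeSlice library: a ptr + len struct, a bounded slice_copy and slice_append that report truncation instead of hiding it, and a slice_to_cstr that always writes the terminator. Only slice_copy is named on the page; its third parameter and the helpers slice_from_buf, slice_from_cstr, slice_append, slice_to_cstr and strncpy_terminated are this example's own, and the inputs in main are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length-prefixed slice: pointer + length, no reliance on a NUL byte.
 * Added example; the names below other than slice_copy are this sketch's own. */
typedef struct { char *ptr; size_t len; } slice;

/* Writable slice over a caller-owned buffer of `cap` bytes. */
static slice slice_from_buf(char *buf, size_t cap) {
    slice s = { buf, cap };
    return s;
}

/* Read-only view of a C string, excluding its terminator. */
static slice slice_from_cstr(const char *s) {
    slice v = { (char *)s, strlen(s) };
    return v;
}

/* Copy src into dst, never writing past dst.len. Returns bytes copied;
 * `truncated` (a third parameter added in this sketch) reports whether src
 * did not fit. memmove keeps overlapping views well-defined, memcpy would not. */
static size_t slice_copy(slice dst, slice src, bool *truncated) {
    size_t n = src.len < dst.len ? src.len : dst.len;
    memmove(dst.ptr, src.ptr, n);
    if (truncated) *truncated = src.len > dst.len;
    return n;
}

/* Append src after `used` bytes already in dst. Returns the new used count
 * and never exceeds dst.len; truncation is again reported, not hidden. */
static size_t slice_append(slice dst, size_t used, slice src, bool *truncated) {
    if (used > dst.len) used = dst.len;
    size_t room = dst.len - used;
    size_t n = src.len < room ? src.len : room;
    memmove(dst.ptr + used, src.ptr, n);
    if (truncated) *truncated = src.len > room;
    return used + n;
}

/* C interop: copy into a `cap`-byte buffer and ALWAYS write the NUL.
 * Returns true when the whole slice fit. */
static bool slice_to_cstr(slice src, char *out, size_t cap) {
    if (cap == 0) return false;
    size_t n = src.len < cap - 1 ? src.len : cap - 1;
    memmove(out, src.ptr, n);
    out[n] = '\0';
    return n == src.len;
}

/* The legacy pitfall from the discussion: strncpy pads with NULs but writes
 * no terminator at all when src fills the destination. Returns whether dst
 * is NUL-terminated somewhere inside its `cap` bytes afterwards. */
static bool strncpy_terminated(char *dst, size_t cap, const char *src) {
    strncpy(dst, src, cap);
    return memchr(dst, '\0', cap) != NULL;
}

int main(void) {
    /* Constructed inputs: an 11-byte string and deliberately small buffers. */
    const char *msg = "hello world";
    char raw[4];
    printf("strncpy left a terminator: %s\n",
           strncpy_terminated(raw, sizeof raw, msg) ? "yes" : "no");

    char buf[8];
    bool trunc = false;
    size_t n = slice_copy(slice_from_buf(buf, sizeof buf), slice_from_cstr(msg), &trunc);
    printf("slice_copy: %zu bytes, truncated=%d\n", n, (int)trunc);

    char out[6];
    bool fit = slice_to_cstr(slice_from_cstr(msg), out, sizeof out);
    printf("slice_to_cstr: \"%s\" (fit=%d)\n", out, (int)fit);
    return 0;
}
```

The design choice worth noting is that every function takes the destination capacity from the slice itself and returns the truncation state, so a caller cannot forget the bound the way a raw strncpy call can, and the only place a NUL is ever written is the explicit interop conversion.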

Notes

  • "I've always wondered at the motivations of the various string routines in C - every one of them seems to have some huge caveat which makes them useless." (t43562); calls for "modern string library that ships with base C26" (jandrese).
  • HN loves practical C fixes (bstrlib mentions); sparks debates on std adoption, easy to prototype/test.

StrAudit Linter

Summary

  • A Clang plugin/standalone static analyzer that audits string ops (strcpy/strncpy/etc.), distinguishes safe usage (pre-checked bounds) from unsafe, and suggests bounded replacements or proves safety.
  • Core value: Reduces false AI flags by generating "safe" badges/reports; catches real bugs missed by generic tools.

Details

Target Audience: C projects with security audits (curl, OSS repos), CI pipelines
Core Feature: Dataflow analysis for bounds checks before copies; reports with repro PoCs; integrates with GitHub Actions/SonarQube
Tech Stack: LLVM/Clang plugin, Rust/WASM for analyzer core; YAML config for custom rules
Difficulty: High
Monetization: Revenue-ready: Open core, $20/mo enterprise scans

Notes

  • "Removing strcpy from your code does not make it memory safe." (saagarjha) but "strcpy in source code is like a honey pot for generating hallucinated vulnerability claims" (article quote); "stupid report may give you invites" (skirge).
  • HN debates analyzers (ZeroPath praise); practical for "long and arduous process" (pama), boosts FOSS security.
