Skip to main content
The Sharp Edges plugin identifies error-prone APIs, dangerous configurations, and footgun designs that enable security mistakes through developer confusion, laziness, or malice.

Overview

Sharp Edges analyzes code and designs through the lens of three adversaries:
  1. The Scoundrel - Can a malicious developer or attacker disable security via configuration?
  2. The Lazy Developer - Will copy-pasting the first example lead to insecure code?
  3. The Confused Developer - Can parameters be swapped without type errors?
Core Principle: The Pit of SuccessSecure usage should be the path of least resistance. If developers must read documentation carefully or remember special rules to avoid vulnerabilities, the API has failed.

Installation

/plugin install trailofbits/skills/plugins/sharp-edges

When to Use

Use this plugin when:
  • Reviewing API designs for security-relevant interfaces
  • Auditing configuration schemas that expose security choices
  • Evaluating cryptographic library ergonomics
  • Assessing authentication/authorization APIs
  • Any code review where developers make security-critical decisions

Sharp Edge Categories

The skill identifies six categories of misuse-prone designs:
APIs that let developers choose algorithms invite choosing wrong ones.The JWT Pattern (canonical example):
  • Header specifies algorithm: attacker can set "alg": "none" to bypass signatures
  • Algorithm confusion: RSA public key used as HMAC secret when switching RS256→HS256
  • Root cause: Letting untrusted input control security-critical decisions
Example - PHP password_hash:
// DANGEROUS: allows crc32, md5, sha1
password_hash($password, PASSWORD_DEFAULT); // Good - no choice
hash($algorithm, $password); // BAD: accepts "crc32"
Defaults that are insecure, or zero/empty values that disable security.Detection patterns:
  • Timeouts/lifetimes that accept 0 (infinite? immediate expiry?)
  • Empty strings that bypass checks
  • Null values that skip validation
  • Boolean defaults that disable security features
Questions to ask:
  • What happens with timeout=0? max_attempts=0? key=""?
  • Is the default the most secure option?
  • Can any default value disable security entirely?
APIs that expose raw bytes instead of meaningful types invite type confusion.The Libsodium vs. Halite Pattern:
// Libsodium (primitives): bytes are bytes
sodium_crypto_box($message, $nonce, $keypair);
// Easy to: swap nonce/keypair, reuse nonces, use wrong key type

// Halite (semantic): types enforce correct usage
Crypto::seal($message, new EncryptionPublicKey($key));
// Wrong key type = type error, not silent failure
One wrong setting creates catastrophic failure, with no warning.Examples:
# One typo = disaster
verify_ssl: fasle  # Typo silently accepted as truthy?

# Magic values
session_timeout: -1  # Does this mean "never expire"?

# Dangerous combinations accepted silently
auth_required: true
bypass_auth_for_health_checks: true
health_check_path: "/"  # Oops
Errors that don’t surface, or success that masks failure.Detection patterns:
  • Functions returning booleans instead of throwing on security failures
  • Empty catch blocks around security operations
  • Default values substituted on parse errors
  • Verification functions that “succeed” on malformed input
Example:
# Silent bypass
def verify_signature(sig, data, key):
    if not key:
        return True  # No key = skip verification?!
Security-critical values as plain strings enable injection and confusion.Detection patterns:
  • SQL/commands built from string concatenation
  • Permissions as comma-separated strings
  • Roles/scopes as arbitrary strings instead of enums
  • URLs constructed by joining strings
The permission accumulation footgun:
permissions = "read,write"
permissions += ",admin"  # Too easy to escalate

# vs. type-safe
permissions = {Permission.READ, Permission.WRITE}
permissions.add(Permission.ADMIN)  # At least it's explicit

Analysis Workflow

Phase 1: Surface Identification

  1. Map security-relevant APIs: authentication, authorization, cryptography, session management, input validation
  2. Identify developer choice points: Where can developers select algorithms, configure timeouts, choose modes?
  3. Find configuration schemas: Environment variables, config files, constructor parameters

Phase 2: Edge Case Probing

For each choice point, ask:

Zero/Empty/Null

What happens with 0, "", null, []?

Negative Values

What does -1 mean? Infinite? Error?

Type Confusion

Can different security concepts be swapped?

Default Values

Is the default secure? Is it documented?

Phase 3: Threat Modeling

Consider three adversaries:
AdversaryThreat Model
The ScoundrelActively malicious developer or attacker controlling config. Can they disable security via configuration? Can they downgrade algorithms? Can they inject malicious values?
The Lazy DeveloperCopy-pastes examples, skips documentation. Will the first example they find be secure? Is the path of least resistance secure? Do error messages guide toward secure usage?
The Confused DeveloperMisunderstands the API. Can they swap parameters without type errors? Can they use the wrong key/algorithm/mode by accident? Are failure modes obvious or silent?

Phase 4: Validate Findings

For each identified sharp edge:
  1. Reproduce the misuse: Write minimal code demonstrating the footgun
  2. Verify exploitability: Does the misuse create a real vulnerability?
  3. Check documentation: Is the danger documented?
  4. Test mitigations: Can the API be used safely with reasonable effort?

Severity Classification

SeverityCriteriaExamples
CriticalDefault or obvious usage is insecureverify: false default; empty password allowed
HighEasy misconfiguration breaks securityAlgorithm parameter accepts “none”
MediumUnusual but possible misconfigurationNegative timeout has unexpected meaning
LowRequires deliberate misuseObscure parameter combination

Rationalizations to Reject

These shortcuts lead to missed findings. Do not accept them:
RationalizationWhy It’s WrongRequired Action
”It’s documented”Developers don’t read docs under deadline pressureMake the secure choice the default or only option
”Advanced users need flexibility”Flexibility creates footguns; most “advanced” usage is copy-pasteProvide safe high-level APIs; hide primitives
”It’s the developer’s responsibility”Blame-shifting; you designed the footgunRemove the footgun or make it impossible to misuse
”Nobody would actually do that”Developers do everything imaginable under pressureAssume maximum developer confusion
”It’s just a configuration option”Config is code; wrong configs ship to productionValidate configs; reject dangerous combinations

Language-Specific Guides

The plugin includes detailed language-specific footgun catalogs:

C/C++

Memory safety, integer overflow, format strings

Go

Error handling, crypto API misuse

Rust

Unsafe blocks, FFI boundaries

Java/Kotlin

Serialization, crypto defaults

C#

XML parsing, crypto modes

PHP

Type juggling, hash algorithms

JavaScript/TypeScript

eval(), prototype pollution

Python

pickle, YAML deserialize

Ruby

Marshal.load, symbol DoS

Constant-Time Analysis

Detect timing side-channels in cryptographic code

Differential Review

Security-focused code change review

Quality Checklist

Before concluding analysis:
  • Probed all zero/empty/null edge cases
  • Verified defaults are secure
  • Checked for algorithm/mode selection footguns
  • Tested type confusion between security concepts
  • Considered all three adversary types
  • Verified error paths don’t bypass security
  • Checked configuration validation
  • Constructor params validated (not just defaulted)