CodeSOD: Authorized Logger
Gretchen's company recently got purchased by Initech. Specifically, they were bought for their dev team, of all things. They had a few software products that were high performers, and Initech wanted that secret sauce. They bought the company, and then split the dev team up and migrated the developers to new products.
That actually worked out okay for Gretchen, most of the time. For a few projects, the dev team was given some requirements and a free hand to figure out how to deliver them. They were free to reuse code that existed or rewrite entirely, based on their own judgement. They were free to pick the tools they wanted to use, and the results worked out well.
But there were some projects that… were a different story. After those successes, Gretchen got moved onto a project that was 90% firefighting. The app had code like this:
```javascript
req.body.externalId = !!req.body.externalId ? req.body.externalId + "" : "";
```

How's that for some null handling.
The whole thing can't run on a version of NodeJS newer than 14: a version that last got an update in 2023.
"The code follows no conventions," Gretchen writes, "there's no logging."
```javascript
exports.create = (req, res) => {
  logger.debug('creating new staffClient');
  logger.debug(req.body)
  // let staffClient = new StaffClient({});
  //
  // run through and create all fields on the model
  // for(var k in req.body) {
  //   if(req.body.hasOwnProperty(k)) {
  //     staffClient[k] = req.body[k];
  //   }
  // }
  StaffClient.query().insert(req.body)
    .returning('*')
    .then(staffClient => {
      if(staffClient) {
        res.send({success: true, staffClient})
      } else {
        res.send({ success: false, message: "Could not save StaffClient"})
      }
    });
}
```

Now, you may say to yourself, "What do you mean there's no logging? I see it right there!" There is a logger utility class, and do you know what it prints when you call logger.debug("some message")? It prints DEBUG.
This code handles an HTTP request, and stuffs the body of the request into the database; here's hoping that it's a well-formed request. Somebody's got a lot of faith in their front end. What's interesting about this one is they've tried two different ways of copying the request object into the database, the first one focusing on making sure they only copied non-inherited properties, and the second just YOLOing the data into the database.
Now, this particular segment goes through their ORM to write data into the database. But not all the code does that. Many places write data through direct SQL, and guess what happens there: SQL injection vulnerabilities.
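As an added example (not code from the article or from the codebase it describes), here is what the two problems above look like when fixed in one handler: the request body is reduced to an allow-list of columns before it goes anywhere near the model, and the INSERT is built with bind parameters instead of string concatenation. The column list, the table name and the `db.query(text, values)` interface are assumptions chosen for illustration; the unsafe builder is included only to make the contrast visible.

```javascript
// Added example, not the project's code. Assumes a hypothetical `db.query(text, values)`
// that executes a parameterised SQL statement; the column list below is constructed.

// Only these request fields are ever copied to the model. Anything else in the body
// (e.g. "id", "isAdmin", or anything that would surprise the ORM) is dropped.
const STAFF_CLIENT_FIELDS = ["firstName", "lastName", "email", "externalId"];

// Copy an allow-listed subset of the body instead of the whole object.
function pickAllowed(body, allowed) {
  const out = {};
  if (body === null || typeof body !== "object") return out;
  for (const key of allowed) {
    if (Object.prototype.hasOwnProperty.call(body, key) && body[key] !== undefined) {
      out[key] = body[key];
    }
  }
  return out;
}

// Parameterised INSERT: column names come from the allow-list (never from user
// input) and every value is sent as a bind parameter ($1, $2, ...).
function buildInsert(table, row) {
  const columns = Object.keys(row);
  if (columns.length === 0) throw new Error("no insertable fields");
  const placeholders = columns.map((_, i) => `$${i + 1}`);
  const text =
    `INSERT INTO ${table} (${columns.join(", ")}) ` +
    `VALUES (${placeholders.join(", ")}) RETURNING *`;
  return { text, values: columns.map((c) => row[c]) };
}

// Contrast: the string-concatenation style the article says other parts of the
// codebase use. A single apostrophe in a value is enough to break this statement.
function buildInsertUnsafe(table, row) {
  const columns = Object.keys(row);
  const values = columns.map((c) => `'${row[c]}'`).join(", ");
  return `INSERT INTO ${table} (${columns.join(", ")}) VALUES (${values})`;
}

// Express-style create handler (only the req/res shape is assumed; express itself
// is not required to run this file).
async function createStaffClient(db, req, res) {
  const row = pickAllowed(req.body, STAFF_CLIENT_FIELDS);
  if (!("email" in row)) {
    return res.status(400).send({ success: false, message: "email is required" });
  }
  const { text, values } = buildInsert("staff_client", row);
  try {
    const result = await db.query(text, values);
    return res.status(201).send({ success: true, staffClient: result.rows[0] });
  } catch (err) {
    // An actual log line with the actual error, not the word "DEBUG".
    console.error("staffClient insert failed", err);
    return res.status(500).send({ success: false, message: "Could not save StaffClient" });
  }
}

module.exports = { STAFF_CLIENT_FIELDS, pickAllowed, buildInsert, buildInsertUnsafe, createStaffClient };
```

The allow-list replaces both of the article's copying strategies: `hasOwnProperty` only filtered inherited properties, and the ORM insert filtered nothing, while neither stopped a client from setting columns it should not control. Keeping the column names in code and the values in `values` is what lets the database driver treat user input as data regardless of what characters it contains.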
You may also notice that this function doesn't do any authorization checks, which is fine, that should be configured in the middleware. Should be, but isn't. Most endpoints have no authorization checks at all. Even the endpoints that do, like their admin API, have copies of the same endpoint with no authentication configured.
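The "unprotected copy of the admin endpoint" problem is exactly the kind of thing a route audit catches. Below is an added example (not the project's code) of a default-deny role middleware in the Express `(req, res, next)` shape, plus a check that walks a route table and reports every route that carries no authorization middleware and is not on an explicit public list. The roles, route paths and the `req.user` shape are assumptions; the route table is constructed to mirror the situation in the article.

```javascript
// Added example, not the project's code. Assumes Express-style (req, res, next)
// middleware and that an earlier authentication step populates req.user.roles.

// Authorisation middleware: deny unless the user holds one of the required roles.
function requireRole(...roles) {
  const mw = (req, res, next) => {
    const user = req.user;
    if (!user || !Array.isArray(user.roles)) {
      return res.status(401).send({ success: false, message: "authentication required" });
    }
    if (!roles.some((r) => user.roles.includes(r))) {
      return res.status(403).send({ success: false, message: "forbidden" });
    }
    return next();
  };
  mw.isAuthz = true; // marker so a route audit can recognise it
  return mw;
}

// Audit a route table: every route must carry at least one authz middleware unless
// it is explicitly listed as public. Returns "METHOD /path" for each offender, so
// this can run as a startup check or a unit test and fail the build.
function findUnprotectedRoutes(routes, publicPaths = new Set()) {
  return routes
    .filter((r) => !publicPaths.has(`${r.method} ${r.path}`))
    .filter((r) => !r.middlewares.some((m) => m.isAuthz === true))
    .map((r) => `${r.method} ${r.path}`);
}

// Constructed route table: a protected admin endpoint and a duplicate of it
// registered without any authorisation middleware, as the article describes.
const adminOnly = requireRole("admin");
const routes = [
  { method: "POST", path: "/login", middlewares: [] },
  { method: "POST", path: "/admin/staffClient", middlewares: [adminOnly] },
  { method: "POST", path: "/staffClient", middlewares: [] }, // the unprotected copy
];
const PUBLIC_ROUTES = new Set(["POST /login"]);

// Minimal stand-in for an Express response so the middleware can be exercised offline.
function fakeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.send = (body) => { res.body = body; return res; };
  return res;
}

module.exports = { requireRole, findUnprotectedRoutes, adminOnly, routes, PUBLIC_ROUTES, fakeRes };
```

Run the audit at application start (or in CI) with the real router's route list and refuse to boot when it returns anything; that turns "somebody forgot the middleware on the copy" from a silent authorization bypass into a failed deployment.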