• NULLPTR (unregistered)


  • P (unregistered)

    TRWTF is Remy again, missing the most obvious things:

    1. The regex is constructed directly without escaping the special characters, so you can bet that they only allow alphanumeric characters in the role names. Anything else would likely cause the regex to be malformed or does other stuff instead.
    2. Given that, doing a ReDoS is trivial...
  • doesntMatter (unregistered)

    Maybe you miss the point ... aka the round brackets around Role_4?

  • (nodebb)

    If I had a penny for every time I'd seen if (boolexpr) { return true; } else { return false; } (or occasionally return boolexpr ? true; false) I'd be a very rich man

  • (nodebb) in reply to P

    P: Your point 1 is invalid, since the code passes in a constant string to build the regex.

    This is just inefficient code. Since when is that a WTF?

  • Shannon (unregistered) in reply to thosrtanner

    I assume people do that because the expanded form is easier to debug. I know there are conditional breakpoints in modern debuggers, but they were a pain in the past.

  • DB (unregistered) in reply to Auction_God

    Point 1 is very valid: assume you supply the constant string "admin[GUI]" (when you go a bit more offroad you can also supply stuff like ".*")...

  • (nodebb)

    if (boolexpr) { return true; } else { return false; }

    can actually be useful for setting simple breakpoints.

  • (nodebb)

    I'm into role playing, too. #SaveTheFurries

  • Code Refactorer (unregistered)

    And if I had a penny for every time I'd seen these copy-and-paste code duplications, like "role.trim()", I'd be a very rich man, too! Falsehood programmers believe that these duplications always can be optimized away by the compiler, and that this unnecessary code clutter is easier and faster to read.

  • PenguinF (unregistered) in reply to Code Refactorer

    Like with music, repetition makes code more beautiful. (Except that it doesn't.)

  • Jaime (unregistered)

    I'm pretty sure the WTF here is that they rolled their own role system and it's insane. Why have generic names like ROLE_4_STRING when the fourth role is obviously treated special, while the other three are all treated the same? Why only allow one role, with hard-coded precedence?

    Also, the insistence of single-exit style turned five lines of code into eleven.

  • I dunno LOL ¯\(°_o)/¯ (unregistered)

    This is what you get when you use strings instead of enums, and maybe a table with columns that indicate what each role can do.

    The no brackets thing is also really bothering me

    if (error)
    goto fail;
    goto fail;

  • tbo (unregistered) in reply to P

    I don't know the language, but seems like Pattern.compile might do that, no?

  • I dunno LOL ¯\(°_o)/¯ (unregistered) in reply to TheCPUWizard

    It's useful for setting breakpoints? So is "volatile int x; x=0;" and it's a lot shorter.

  • BIG BOBBEH TABLES (unregistered)

    trtrtrtrtrwtf is not using some kind of identity management library/system which exists for like, every imaginable language and framework in the year of our dark lady two thousand nineteen

  • Paul Nickerson (google)

    The compiled regex is not quite right. It would actually be ^.(role_4).$ , as there's a toLowerCase in there.

    Addendum 2019-11-25 11:04: I mean ^.*(ROLE_4).*$

    I guess comments here use markup. Or markdown.

    Addendum 2019-11-25 11:04: Make that ^.*(role_4).*$

  • (nodebb)

    When asked, the original coder replied, "Hey, that's just the way I role."

  • Wyrm (unregistered)

    Speaking of "personal roles", I've been in a company where authorizations were granted by roles. Sounds good, except when you start reading the user "John Doe" is assigned the role "John Doe".

  • (nodebb) in reply to Wyrm

    That's the mechanism PostgreSQL uses. The only difference between CREATE USER and CREATE ROLE is that the former defaults to granting login privileges while the latter doesn't. John Doe does what John Doe does.

  • Olivier (unregistered) in reply to DB

    admin[GUI] would match adminG, adminU or adminI. Since we are not being told what role4 looks like, only that it is very mysterious, I would not dismiss the possibility that it is really the expected behaviour.

  • löchlein deluxe (unregistered) in reply to BIG BOBBEH TABLES

    xkcd 927 applies in its corollary: just as with passworm damagers, the field is so large by now that it's easier to write your own than make a qualified product decision about existing products. (Plus, brownfield permissions management is 🤮💩)

  • (nodebb)

    It seems Nohemi's coworker is not exactly a role model…

  • K (unregistered)

    Is role management that complicated? After the whole leftpad debacle (and the security implications of large projects depending on thousands of such small libraries, some of which may suddenly contain malicious code if the wrong GitHub account gets compromised) I'm careful with the whole "should have used a library" thing. But then, I am working with Fortran, where the built-in way of using strings is fixed-size character arrays padded with spaces and a LOT of trim() calls. (The varying_string module would solve this. Sadly, while it is standardized, it isn't required by the standard.)

  • Little Bobby Tables (unregistered)

    Nobody's commented yet on the repetition of role.trim() rather than set up a variable at the start and set it to that. And then directly return if empty.

  • WTFguy (unregistered)

    @LBT: Other than Jaime you're correct. ;)

  • WTFguy (unregistered)

    Depending on which human languages are involved here, another subtle glitch is that roles 1-3 are compared using IgnoreCase, while the regex/contains comparison is done using toLowerCase.

    Those two transforms are not always equivalent.
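The divergence WTFguy describes, as an added example that is not part of the thread: the same two strings compared with equalsIgnoreCase() and with toLowerCase().contains(), first under an English and then under a Turkish default locale. The role names are constructed for the demo, not taken from the article.

```java
import java.util.Locale;

// Added example (not from the article): equalsIgnoreCase() folds character by
// character without a locale, while toLowerCase() with no argument uses the
// JVM default locale, so the two comparisons can disagree.
public class CaseFoldDemo {

    // Roles 1-3 style: per-character, locale-independent case folding.
    static boolean viaEqualsIgnoreCase(String input, String expected) {
        return input.equalsIgnoreCase(expected);
    }

    // Role 4 style: lower-case the input with the default locale, then search it.
    static boolean viaToLowerCase(String input, String expected) {
        return input.toLowerCase().contains(expected.toLowerCase());
    }

    // Hardened variant: fold both sides with a fixed, locale-independent rule.
    static boolean viaRootLocale(String input, String expected) {
        return input.toLowerCase(Locale.ROOT)
                    .contains(expected.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        String input = "ADMIN";   // constructed sample role name
        String expected = "admin";

        Locale.setDefault(Locale.ENGLISH);
        report("en", input, expected);

        // Turkish: uppercase 'I' lowercases to dotless 'ı' (U+0131), so the
        // folded input becomes "admın" and no longer contains "admin".
        Locale.setDefault(Locale.forLanguageTag("tr-TR"));
        report("tr", input, expected);
    }

    static void report(String tag, String input, String expected) {
        System.out.printf("[%s] equalsIgnoreCase=%b toLowerCase/contains=%b ROOT=%b%n",
                tag, viaEqualsIgnoreCase(input, expected),
                viaToLowerCase(input, expected),
                viaRootLocale(input, expected));
    }
}
```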

  • owlstead (unregistered)

    And in case you do want to find a pattern within a string then Matcher#find(): boolean is your friend. It is often forgotten as it has no direct convenience method in String assigned to it. So there is absolutely no reason to use Matcher#matches() for this.

    Of course, in case that you do want to directly use specific characters in your regexp you can use "\Q" and "\E" or, in case you want to include a string from a variable then Pattern.quote(String) is the method to look at.
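An added example (not code from the article or from any commenter) putting DB's and Olivier's admin[GUI] case beside owlstead's Pattern.quote()/find() suggestion: the article's ".*(ROLE).*" plus matches() shape on one side, a quoted literal with find() on the other. The role names used are constructed.

```java
import java.util.regex.Pattern;

// Added example (not the article's code): how an unescaped role name changes
// the meaning of the pattern, and what quoting it does instead.
public class RoleMatchDemo {

    // Article-style: role name spliced into the pattern unescaped, and the
    // whole lower-cased input must match the ".*(...).*" pattern.
    static boolean unescapedMatches(String input, String roleName) {
        Pattern p = Pattern.compile(".*(" + roleName.toLowerCase() + ").*");
        return p.matcher(input.toLowerCase()).matches();
    }

    // Hardened: Pattern.quote() makes metacharacters such as '[' ']' '.' '*'
    // literal, and find() does the substring search without the ".*" wrappers.
    static boolean quotedFind(String input, String roleName) {
        Pattern p = Pattern.compile(Pattern.quote(roleName), Pattern.CASE_INSENSITIVE);
        return p.matcher(input).find();
    }

    public static void main(String[] args) {
        // Constructed sample inputs; "admin[GUI]" is the case DB and Olivier discuss.
        // Unescaped, "[GUI]" is a character class, so "adminG" matches but
        // "admin[GUI]" itself does not; quoted, only the literal text matches.
        String role = "admin[GUI]";
        String[] inputs = { "admin[GUI]", "adminG", "admin", "superadmin[GUI]x" };
        for (String in : inputs) {
            System.out.printf("%-18s unescaped/matches=%-5b quoted/find=%b%n",
                    in, unescapedMatches(in, role), quotedFind(in, role));
        }

        // A role name such as ".*" turns the unescaped pattern into match-anything,
        // while the quoted form only looks for the two literal characters.
        String wildcardRole = ".*";
        System.out.printf("%-18s unescaped/matches=%-5b quoted/find=%b%n",
                "\"anything\"", unescapedMatches("anything at all", wildcardRole),
                quotedFind("anything at all", wildcardRole));
    }
}
```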

  • (nodebb)

    TRWTF is this phrase: "This isn't even the right way to do this is regular expressions..."
