Admin
/frist/ User-supplied regex and eval of user input. What could possibly go wrong.
Admin
I would suggest that they should "hache" it out. Er. "hache" (fr) == "axe" (en), so I'm suggesting they should use an axe to cut off all eleven of the contractor's fingers so as to stop him producing more code.
Eleven? Sure, five on each hand (counting thumbs as fingers) plus the weird lumpy one that sticks up from between his shoulders. Some people call it a "head"...
Admin
TRWTF: "For legacy reasons, ..."
Admin
Looks like they just copied one of the solutions from StackOverflow here (https://stackoverflow.com/questions/17250815/how-to-check-if-the-input-string-is-a-valid-regular-expression), including the variable names and line breaks; it's an exact copy.
Admin
Time to update Ambrose Bierce's Devil's Dictionary:
contractor (n; -s): Person who looks up problems on stackoverflow and copies a low scoring solution.
Admin
"Here, we use string interpolation to generate some JavaScript code."
Yea, I'm gonna stop ya right there. Not only should it have been kicked back to the contractor, the contractor should have re-done it properly for free.
Admin
The contractor's response is TRWTF. If you can get away with pretending to work, that's one thing, but when you're caught pretending to work it's best not to tell the client that you've been charging them for nothing.
Admin
Strictly speaking, it's not nothing. ("It's not even wrong.") TRWTF is the way contractors are traditionally handled by management.
The obvious way to deal with a redevelopment at this granular level is to produce a set of tests and ensure that the solution passes them. I think you only need three tests here: a correct regexp without the slashes, a correct regexp without the slashes, and an incorrect regexp with the slashes.
Now, you could get internal staff to write up the tests (usually best, since they're the domain experts), or you could get the contractor to write them up. But without tests, you've effectively handed the contractor a blank check. (The check in the OP is particularly blank ...)
Nobody ever does this, of course. Even the guys to whom I contract don't do it. But then, in my case, the contract is fairly long-term, and they're fine with 90% of my work being correct first time and the other 10% needing rework -- so it all balances out. OTOH if you reverse the percentages and 90% of the work is incorrect ... time to terminate the contract.
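The comment above proposes testing a regex-validity check with three cases rather than trusting the contractor's eval-based version. As an added example that is not from the article, the thread, or the StackOverflow answer being discussed, here is a validator that compiles the user-supplied pattern with `new RegExp()` inside a try/catch (the pattern is parsed as data, so nothing is evaluated as code), together with the three proposed test cases. Function names, the length limit, and the sample inputs are my own assumptions; the repeated "without the slashes" case is read as the "with the slashes" case.

```javascript
// Added example, not code from the original page. Validates a user-supplied
// regular expression without eval(), then runs the three tests the comment
// proposes. Names and limits below are assumptions for this illustration.

const MAX_PATTERN_LENGTH = 1000; // assumed cap; long patterns are a ReDoS / CPU risk

// Split an optional /pattern/flags wrapper into its parts. Input without a
// leading and trailing slash is treated as a bare pattern with no flags.
function splitRegexLiteral(input) {
  const m = /^\/(.*)\/([a-z]*)$/s.exec(input);
  return m ? { source: m[1], flags: m[2] } : { source: input, flags: "" };
}

// Returns true if `input` compiles as a JavaScript regular expression.
// new RegExp() parses the string as a pattern; unlike eval("/" + input + "/"),
// no part of the user's input can ever run as code.
function isValidRegex(input, { allowSlashes = false } = {}) {
  if (typeof input !== "string" || input.length === 0) return false;
  if (input.length > MAX_PATTERN_LENGTH) return false;

  const { source, flags } = allowSlashes
    ? splitRegexLiteral(input)
    : { source: input, flags: "" };

  try {
    new RegExp(source, flags);
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false; // bad pattern or bad flags
    throw err; // anything else is a bug in this code, not a bad pattern
  }
}

// Constructed inputs for the three tests proposed in the comment above.
const PROPOSED_TESTS = [
  { input: "^[a-z]+$",    allowSlashes: false, expect: true  }, // correct, no slashes
  { input: "/^[a-z]+$/i", allowSlashes: true,  expect: true  }, // correct, with slashes
  { input: "/([a-z]+/",   allowSlashes: true,  expect: false }, // incorrect, with slashes
];

// Runs each proposed test and reports whether the validator agreed.
function runProposedTests() {
  return PROPOSED_TESTS.map((t) => ({
    input: t.input,
    pass: isValidRegex(t.input, { allowSlashes: t.allowSlashes }) === t.expect,
  }));
}

for (const r of runProposedTests()) {
  console.log(r.pass ? "PASS" : "FAIL", JSON.stringify(r.input));
}
```

Note that `/^[a-z]+$/i` also compiles when slashes are not allowed, because `/` is an ordinary character inside a pattern; the `allowSlashes` option exists so the caller decides whether to strip the wrapper, not because the bare form would be rejected.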
Admin
Or Remy made up a story based on his reading a post on Stack Overflow.
Admin
That seems entirely plausible X-D
Off-topic: Love your username. Have you heard Tom Lehrer's comedy song "Lobachevsky" about the mathematician?
Admin
I thought you were going to go with a different "head", to be extra certain to stop him from producing more code.
Admin
You think that having a correct regexp without the slashes is such an important test, you put it in there twice?
I mean, you're not wrong.
Admin
It could actually be the other way around, that the contractor (or someone else who saw the code) posted it as an answer on StackOverflow. The date is quite recent (2020) compared to the others (2013). The StackOverflow post even mentions that code injection is possible.
Admin
Why the ever loving F would you even "outsource" a max. 2 minute job? It takes more time and budget to set up all the bureaucracy around that.