Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
max1993137380dMultiple regex is because of component buildout which each check the input. So 7 components to handle passwords. Just think about that kind of bloat. Long cleanup ahead!
-
@jestdotty yeah I am baffled at how this thing even passed penetration tests. Pentesters must have also been incompetent. Or bribed.
-
@max19931 nope, it's vanilla JS, no components so to speak. Plain old ES5 and 6 mixed, with some SCSS and HTML. My one friend didn't believe me when I said this app isn't built with any framework, it's actually a home-brewed pseudo-framework.
-
@max19931 yes, they seemed to have reinvented the wheel, but it's a really fucked up wheel
-
Nmeri1716743dIt's not something I do or encourage but I really hate it when devs bitch in an alarmed tone over how the worst atrocity a software engineer could ever commit is some trivial thing. They exaggerate the issue to astronomical proportions and the pliable herd just chime along
I wish to fish out the last occurrence some prick used but I don't want to open the group messages. Yea, absence of server side validation is bad practice but certainly not as unforgivable as you're making it. They're OBVIOUSLY junior developers, no reason to claim they have no future -
@Nmeri17 why is it not unforgivable? In this instance, the program allowed a user to create blank passwords in the database, because there were no backend rules checking password validation rules. Not even the front end did that. And they store plain text passwords in the database, when the lead programmer rolls his eyes and "Cybersecurity 101" suggestions to make apps more secure.
And no, these people aren't juniors, the lead programmer on this (who built the backend) has over two decades' experience in software and IT and they can't even get password validation right. They are indeed incompetent and shouldn't be writing code, because their incompetence puts businesses and users at risk.
This is not some trivial thing, this poorly written code can put companies out of business and destroy people's lives.
Related Rants
These motherfucking incompetent programmers... Demon spaghetti code base saga continues.
So they have a password change functionality in their web app.
We have to change the length of it for cybersecurity insurance. I found a regex in the front end spaghetti and changed it to match the required length.
Noticed 7 regexes that validate the password input field. Wtf, why not just use one?! REGEX ABUSE! Also, why not just do a string length check, it's fucking easy in JS. I guess regex makes you look smart.
So we test it out and the regexes was only there for vanity, like display a nicely designed error that the password doesn't have x amount of characters, doesn't have a this and that, etc.
I check the backend ColdFusion mess that this charismatic asshole built. Finally find the method that handles password updates. THERE'S NO BACKEND VALIDATION. It at least sanitises the user input...
What's worse is that I could submit a blank new password and it accepts it. No errors. I can submit a password of "123" and it works.
The button that the user clicks when the password is changed, is some random custom HTML element called <btn> so you can't even disable it.
I really don't enjoy insulting people, but this... If you're one of the idiots who built this shit show and you're reading this, change your career, because you're incompetent and I don't think you should EVER write code again.
rant
legacy