16
netikras
34d

1. a client asks you to create an API for their system
2. you do what's requested
3. a year later you are curious how's that API doing. Client's devs decided to

[
"com.client.app.some.Datamodel$Subclass",
{
"someField": [
"java.util.ArrayList",
["SMTH","SMTH_ELSE"]
]}
]

sure, why not, right.....?

Comments
  • 3
  • 11
    It's always a good idea to provide another languages datatypes and then hardcode your generic handlers to them. This helps you reach peak stringly-typed integrity. When you decide to change the server platform you don't just get to bill to update the work in one place, it becomes work for everybody.

    And customers who might be on other platforms with no understanding of your platforms data types? Absolute plebs, if they can't see the inherent superiority in your frameworks language, no amount of effort will get them there.

    This is an essential part of learning which clients are good enough for you. You are a princess, and damnit you deserve to be treated like one.
  • 1
    Soooo, why is there java in a json?!
    Sounds like fucking heresy to me.
  • 3
    @Ranchu It's called polymorphic (de)serialization in jackson's terms (https://medium.com/@david.truong510...).

    Basically json serializer leaves a hint in the json which JAVA object is that. And vice versa -- when deserializing json into POJOs jackson uses those hints to choose which class to wire those json fields into.

    This is a hugging RCE as it allows users to construct any classes they want in remote APIs... I believe it even had a CVE assigned a while ago. I saw there was a fix -- blacklisting some classes.

    [BLACKLISTING]
    Oh come on... They should teach this in security 101s: only use WHITELISTS!
  • 1
    @netikras .....but y tho.
    It's existence makes no sense to me personally.
  • 1
    @Ranchu prolly to mitigate some tech debt.

    Knowing that project and the lead dev's attitude I'm almost certain that's the reason :)

    After all my examples and explanation how to fix all their crap by adding a few levels of indirection and introducing a Composite pattern which would've solved most of their problems.... They do THAT.
  • 1
  • 1
    @netikras ......I'm no guy for abstraction layers as I haven't covered they yet, but it does look painful.
    Also what the fuck is that java code.
  • 1
    @Ranchu that's lack of abstractions :)
Add Comment