Do all the things like ++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatarSign Up
Get a devDuck
Rubber duck debugging has never been so cute! Get your favorite coding language devDuckBuy Now
Search - "wk160"
a stored XSS vuln in a banner-like component, visible in ALL the pages in the portal. Anyone can attack anyone.
HOWEVER this was not discovered by 3rd-party security specialists during latest security audit. I have escalated this to my manager and got replied that unless client actively requests this to be fixed should I do anything about it.
FFS.. it's only 2 lines of code.. And there's nothing I can do about it.
Eventualy I was transfered to another project. Now it's not my problem anymore.5
I've found and fixed any kind of "bad bug" I can think of over my career from allowing negative financial transfers to weird platform specific behaviour, here are a few of the more interesting ones that come to mind...
#1 - Most expensive lesson learned
Almost 10 years ago (while learning to code) I wrote a loyalty card system that ended up going national. Fast forward 2 years and by some miracle the system still worked and had services running on 500+ POS servers in large retail stores uploading thousands of transactions each second - due to this increased traffic to stay ahead of any trouble we decided to add a loadbalancer to our backend.
This was simply a matter of re-assigning the IP and would cause 10-15 minutes of downtime (for the first time ever), we made the switch and everything seemed perfect. Too perfect...
After 10 minutes every phone in the office started going beserk - calls where coming in about store servers irreparably crashing all over the country taking all the tills offline and forcing them to close doors midday. It was bad and we couldn't conceive how it could possibly be us or our software to blame.
Turns out we made the local service write any web service errors to a log file upon failure for debugging purposes before retrying - a perfectly sensible thing to do if I hadn't forgotten to check the size of or clear the log file. In about 15 minutes of downtime each stores error log proceeded to grow and consume every available byte of HD space before crashing windows.
#2 - Hardest to find
This was a true "Nessie" bug.. We had a single codebase powering a few hundred sites. Every now and then at some point the web server would spontaneously die and vommit a bunch of sql statements and sensitive data back to the user causing huge concern but I could never remotely replicate the behaviour - until 4 years later it happened to one of our support staff and I could pull out their network & session info.
Turns out years back when the server was first setup each domain was added as an individual "Site" on IIS but shared the same root directory and hence the same session path. It would have remained unnoticed if we had not grown but as our traffic increased ever so often 2 users of different sites would end up sharing a session id causing the server to promptly implode on itself.
#3 - Most elegant fix
Same bastard IIS server as #2. Codebase was the most unsecure unstable travesty I've ever worked with - sql injection vuns in EVERY URL, sql statements stored in COOKIES... this thing was irreparably fucked up but had to stay online until it could be replaced. Basically every other day it got hit by bots ended up sending bluepill spam or mining shitcoin and I would simply delete the instance and recreate it in a semi un-compromised state which was an acceptable solution for the business for uptime... until we we're DDOS'ed for 5 days straight.
My hands were tied and there was no way to mitigate it except for stopping individual sites as they came under attack and starting them after it subsided... (for some reason they seemed to be targeting by domain instead of ip). After 3 days of doing this manually I was given the go ahead to use any resources necessary to make it stop and especially since it was IIS6 I had no fucking clue where to start.
So I stuck to what I knew and deployed a $5 vm running an Nginx reverse proxy with heavy caching and rate limiting linked to a custom fail2ban plugin in in front of the insecure server. The attacks died instantly, the server sped up 10x and was never compromised by bots again (presumably since they got back a linux user agent). To this day I marvel at this miracle $5 fix.1
Since the beginning of this year our IT department has a new boss. He has no idea about IT, but worked with the other departments and CEO + management on an new business strategy. The other department bosses recogniced that this guy is stupid and only talking hot air, but not the CEO and management.
The IT part of the strategy is abstract and bullshit. The IT Team (we) was not included in building this. We only got the "finished" presented.
So our Team should integrate 6 big new systems (ERP, CRM,...) within 1,5 years. No system is actually fixed and the IT boss is only saying: "Its easy, just some interfaces to connect".
Nice additional: CEO says: Either we go with the strategy or we can leave the company.
My decision is made.4
Part of a product I used to work on contained a one time password generator that randomly strung together a few words from a word list.
Nothing wrong with the security, but this word list hadn't been filtered, so we did have a "bug report" from a customer who had a one time password that contained a questionable phrase:
"fucking pork Muslim"
...Call me a terrible person, but I never did get around to fixing that...3
It was a nice day when we were coding with friends and working on an arduino project to monitor the temperature and all that shit.
But all the values coming out were just few numbers off.
We coudlnt figure out why.
We spent weeks trying to figure it out.
Until a friend gave up and just commited "Fix the fucking bug"
And all it did was value - 5.
We never solved it properly but it works.
The project is long dead and all parts were used in different project but the memory is still with us and we always joke about it when we have similar bug.7
The only serious, as in customer affecting, bug I never git fixed was an indexing bug that caused an exception requiring manual intervention by one of us.
Despite going at it for many years I never found the root cause before I left the company.
The reason it was so difficult was that it only occurred every second month or less and with different customers.
It was also not triggering directly when the error occurred but a while later once the error had caused accumulated errors until one value got negative.
Also, it was a combination SQL, backend code and frontend js and the time from initial error until an invalid value could be hours, days or even weeks.
And we never ever managed to replicate it our self and found no common pattern between occasions.
We think it was some kind of race condition when updating the db that caused duplicate values or a hole in the index series (db transaction or db index was not an option for various reason that would require a redesign of the central tables and most if the central code).
This then grew into multiple error on consecutive updates until one f them resulted in a negative number that then caused a regex in js to fail.2
Our system never had sessions that expired. A recent hack at the client caused us to revisit the security measures we had in place.
The person who was on the project since it's start 8 years ago was tasked with fixing this issue. It has a simple solution: add session expiration, and extend the session to an hour from now with each request.
This week I found out how he did it🤦🏻♂️. He added session expirations, but extended the session by an hour with each request. By making 10 requests in quick succession, your session is extended by 10 hours.3
Maybe not worst, but most frustrating. One of the systems I helped maintain at my first job had a few different bugs that caused bad data in the database. The "solution" to the problem was to write SQL queries to directly fix the production data. This would take one member of our team (it rotated weekly) about an hour every day to fix because there were literally dozens of these errors.
All the devs knew that we could identify the root cause and fix it in, probably, 3-4 days tops. Management would never approve the time because it would take longer to fix the root cause than it took to fix the data.
I worked at that company for 7 years. The bug was there when I came on, and it was there when I left.2
There was a bug in "Change email" module. When the functionality is called, it sends 2 emails:
1. to a current email w/ a link to 'reject email change'
2. to a new email w/ a link to 'confirm email change'
The flaw was in how these links worked (the clockwork behind them). If one link is clicked, another one is NOT deactivated in the bkend :)
Now the task for you is to figure out why this is wrong :)4
So, I'm still not certain if it's actually a bug or merely my lack of experience, but I've been working on a 2D platformer game (using only C++ and SDL2) for roughly 2 years now (on and off; sometimes off for months) and I'm extremely embarrassed about this, but for the life of me, I cannot seem to get the player character's movement and collision physics working properly. It's driving me absolutely insane.
I've read articles and tutorials, referenced books, and posted about it in game development communities (e.g., gamedev.com, Discord servers, etc.), but even though the fundamental structure and explanations made sense, getting the code to work has been unsuccessful, albeit not completely so, but if I get one thing working, another thing breaks. It feels like I'm trying to repair a vase that fell off of a skyscraper and turned to dust on the street below.
I've always been a very tech savvy person with a fiery passion for programming, electronics and game/software/embedded/web development, but to be honest, having such a difficult time with things like this that — in theory, at least — seem like trivial bumps in the road have made me feel like I'm never going to be successful in this field. But regardless of the depressing thoughts of worthlessness, my passion doesn't let me stop trying. Who knows, maybe it'll have to remain just a hobby. 😕6
Guys checkout the new developer survey 2019 on stack overflow it shows amazing results :- https://insights.stackoverflow.com/...9
Well... I can think of several bugs that I found on a previous project, but one of the worst (if not the worst, because the damage scope) it's one bug that only appears for a couple of days at the end of every month.
What happens is the following: this bug occurs in a submodule designed (heh) to control the monthly production according the client requirements (client says "I want 1000 thoot picks", that submodule calculates the daily production requirements in order to full fill the order).
Ideally, that programming need to be done once a week (for the current month), because the quantities are updated by client on the same schedule, and one of the edge cases is that when the current date is >= 16th of the month, the user can start programming the production of the following month.
So, according to this specific case, there's an unidentified, elusive, and nasty bug that only shows up on the two last days of every month, when it doesn't allow to modify/create anything for the following month. I mean, normally, whenever you try to edit/create new data, the application shows either an estimated of the quantities to produce, or the previous saved data. But on those specific days it doesn't show any information at all, disregarding of there's something saved or not.
The worst thing is that such process involves both a very overcomplicated stored procedure, and an overcomplicated functionality on the client side (did I mentioned that it dynamically generates a pseudo-spreadsheet with the procedure dataset? Cell by cell), that absolutely no one really fully understands, and the dude that made those artifacts is no longer available (and by now, I'm not so sure that he even remember what he done there).
One of the worst thing is that at this point, it's easier to handle with that error rather to redesign all of that (not because technical limitations, but for bureaucratic and management issues).
The another worst thing (the most important none) is that this specific bug can create a HUGE mess as it prevents the programming of the production to be done the next day (you know, people tends to procrastinate and start doing things at the very end of the day/week/month)... And considering that the company could lose a huge amount of money by every minute without production, you can guess the damage scope of this single bug.
Anyway, this bug has existed since, I don't know, 2015 (Q4?) and we have tried so many things trying to solve it, but that spaghettis refuse to be understood (specially the stored procedure, as it has dynamically generated queries). During my tenure (that ended last year) I spent a good amount of time (considering what I mentioned on the last rant, about the toxic environment) trying to solve that, just giving up after the first couple of weeks.
Anyway... I'm guessing that this particular bug will survive another 4-ish years, or even outlive the current full development team... But, who knows ¯\_(ツ)_/¯ ?
So when someone rings at my door the music volume is set to zero and the previous volume is cached to restore it ten seconds later. When then this person rings another time within this 10 seconds, the zero volume is cached an the fun begins.4
Integrating Google recaptcha into my web service. For some reason it always errors, both on a production and development environment, correct domains configured, and with he simplest setup. I'm fucking lost, documentation assumes it actually works. Similar errors on stack overflow and Google groups either got no answers or have obvious issues.
Fuck this man4
The bug I never fixed isn't a bug in code I wrote, but rather an OS problem I've given up on fixing.
I dual-boot Windows and Linux on my desktop PC. Every time Windows updates, it switches from grub to the Windows bootloader, making it impossible to boot into Linux. I've fixed it three times (each time requiring a different fix, from disabling fast startup to reinstalling Grub from a live USB), then gave up. My desktop PC is now a Windows machine. I'm upgrading some parts soon (including replacing my boot drive with an NVMe SSD) so I decided when I do that, I'm just going to reinstall Linux on the new drive and see how long I can last without installing Windows at all.5
I don't think it could be more .net core than this: Several parts of the application ended up failing because of a too long URL. For example we used a List to store selected items in an array and they each looked like this:
The server side made more sense but we were running late with the project so we just went with it and hoped no one would use this feature.
1 CEO, 3 CTO and 2 Polytechnicien (French engineers from a big French school)
They all deserved that their project called "life" were cancelled. It's a clear and indisputable failure!
So to give you a feel for what evil, clusterfuck code it was in: this projects largest part was coded by a maniac, witty physicist confined in the factory for a month, intended as a 'provisional' solution of course it ran for years. The style was like C with a bit of classes.. and a big chunk of shared memory as a global mud of storage, communication and catastrophe. Optimistic or no locking of the memory between process barriers, arrays with self implemented boundary checks that would give you the zeroth element on failure and write an error log of which there were often dozens in the log. But if that sounds terrifying already, it is only baseline uneasyness which was largely surpassed by the shear mass of code, special units, undocumented madness. And I had like three month to write a simulator of the physical factory and sensors to feed that behemoth with the 'right' inputs. Still I don't know how I stood it through, but I resigned little time afterwards.
Well, lastly to the bug: there was some central map in that shared memory that hold like view of the central customer data. And somehow - maybe not that surprisingly giving the surrounding codebase - it sometimes got corrupted. Once in a month or two times a day. Tried to put in logging, more checks - but never really could pinpoint the problem... Till today I still get the haunting feeling of a luring memory corruption beneath my feet, if I get closer to the metal core of pure C.1
In some cases only emojis are not encoded properly - dont know how to replicate - dont know why its happening (made sure im setting to utf8)3
I have started to hate stackoverflow
How stupid can some dumbasses be? Yes a similar question was asked and answered
The duplicate post they’ve marked used to work,USED to , that code doesn’t work anymore.
I mean come on I’ve specifically written I tried that and it doesn’t work anymore. But some fuckers just want to look cool by downvoting other.4
Never fixed? lol.
Maybe I took hell of a time, maybe I've ignored it for long but at least I've always fixed bug which I came across and will fix if I come across any new (as there might be many hidden :P ).
As I mostly work on eCom and integrations, it's way too risky keeping bug.
double-clicking bugs in web application.
They keep happening and generate double actions.
Instead of fixing the bugs, I created a script that check periodically for double actions and delete them from db.
I also gave db access to first level support and the query to delete double actions.
So I can be free on weekends and avoid the stress of fighting for resources
"this chatting feature is completely fine people just have to learn how to close and reopen the app whenever they want to chat with somebody"
Had a legacy web forms app to maintain. With some generic event handler. There is a variable called "aDirtyHack" inside the query resolver for the grid. It adds a extra column for one customer.
I was developing a c# project as a final project on my university and I had a NullPointer error supposedly because the Class didn't exist... I never knew what was the problem because the only I did was create another project then I copied and pasted the code from the first project1
Some of my previous rants mention a web application that I wrote for my then-employer. As it is still in use and I have the whole code, too, I figured to check on security a little with a friend. It's all fine, except for one page, were I was sloppy and didn't escape strings, thus allowing for SQL injection.
This is however only possible if already logged in, which has shown to be secure (and the tool is for employees only).
Nobody is ever going to find out, as the only one who knew what injection even is was me. I left 2 years ago.
We use ActiveMQ as a broker in one of our system but the messages sent between applications are in query string format, God knows why. Then when one of our new features requires a JSON structure, we had to URL encode the JSON so it can be part of the message . Now the log growth is significantly higher than the version before and no longer human readable.1
Deadline was 2-3 days for product launch and doing distributed transactions was not an opinion as it requires heavy modifications.
I was doing money transfer app between one transactional system and one not transactional system so the way I did it was :
1. transfer money from one system to my app that was using Akka STM ( software transactional memory)
2. try to transfer money to second system
3. transfer money back on failure
There was no database, no state only transactional log as installing database would require to much time and paper work.
Sometimes transfer back failed so we need to look back at logs and search for money, it was quite easy cause there was error and there were not so many failed transactions like this.
About one or two in a month and everyone accepted that.
I started to write some sort of reconciliation thread but then was assigned to other work and it worked like this for couple of years transferring couple millions worth of transactions.1
Virtualbox stopped working on my pc at some point and I have no clue why. I've tried a lot of things, it just doesn't work14
I had implemented an interval that was added when the viewport was active, and removed when inactive. This was to lessen the amount of ajax requests being done.
Though the little radio player was embedded at places, and thus the pictures didn't change at times.
I had to remove the inactivation of that interval.