
How should dangerous code snippets be published?

When discussing (asking/answering questions about, writing blog posts about, etc.) some programming matters, it may be desirable to give source code examples of what you're talking about; but in some cases these snippets may be dangerous, not because they are directly harmful but because they seem to work at first but only set up for problems later. Two examples would be when discussing concurrency issues, where the code works most of the time but rarely and non-deterministically fails, and when discussing security issues, where the code seems to work but can in fact be exploited; and there could be other examples.

It is necessary to be able to discuss such issues, to foster awareness of them at least. However, I am always worried that someone will come from a search engine, barely read the post, copy and paste the snippet and use it for something; more subtly, someone may read the post, try out the code in a test project and confirm it can indeed be exploited (as he is encouraged to do), then some time later reuse the dangerous code, as he has forgotten the code is dangerous and there is no longer a blog post explaining why the code is dangerous around the snippet.

So I am wondering how to mark such code so that no part of it somehow makes it to production (or if it ever does, then the responsible party could not plausibly deny awareness).

One way I came up with is to put:

  1. an #error (or similar) directive inside each of the functions, as well as
  2. repeated comments warning of the dangerousness of the code (since someone who will try out the code in a test project to confirm the issue will have removed the #error directive).

But since these comments would only clutter up the snippet when reading on the web, I make them the same color as the background (or at least I am trying to; see how I put it in action here, I incidentally have a question on doctype.com asking how to best do this).

If that seems completely overkill, remember that concurrency (and security) issues are very dangerous so I want to do all I can (within reason) to prevent my snippets from causing issues in real software; I am sometimes comparing this to fissile material handling.

(I honestly don't know whether it would be best suited for programmers.stackexchange.com or here, so I'm asking here first; feel free to move to programmers.stackexchange.com if it turns out it would be better there.)

Pierre Lebeaupin asked Nov 13 '22 21:11


1 Answer

You make a very good point and I think that you handle it pretty well right now. However, the #error lines show up in the blog post for me, they are not white.

I think that you shouldn't worry so much about it being picked up by a feed or something like that. If the code is pulled away from the warning message on your blog, it's more important to have the #error lines visible.

But overall, I like your system. It might be a good idea to set some standard for this, though, as programmers. I would however add a link to the original post explaining why it is bad, too. That is way more important than just saying it is.

So to summarize: good idea, we should think of a standard. Make sure to include a link to a why.

Tim van Dalen answered Jan 20 '23 11:01
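A check in the spirit of the question and answer above, as an added example that is not part of the original thread: a scan that fails a build when a marked snippet turns up in a source tree, including the case where the `#error` line was removed but the warning comments remain. The `DANGEROUS-SNIPPET:` token, the `why:` link field and the sample files are assumptions made for illustration, not an existing standard.

```python
import re

# Assumed convention (hypothetical, not an existing standard): every published
# snippet repeats a comment containing this token plus "why: <url>".
MARKER = "DANGEROUS-SNIPPET:"
WHY = re.compile(r"why:\s*(\S+)")
ERROR_DIRECTIVE = re.compile(r"^\s*#\s*error\b")

def scan_source(name, text):
    """Return one finding per marker comment in a source file's text."""
    lines = text.splitlines()
    # File-level check: is any #error directive still active in this file?
    guarded = any(ERROR_DIRECTIVE.match(line) for line in lines)
    findings = []
    for lineno, line in enumerate(lines, start=1):
        if MARKER in line:
            why = WHY.search(line)
            findings.append({"file": name, "line": lineno,
                             "why": why.group(1) if why else None,
                             "error_directive_present": guarded})
    return findings

def gate(sources):
    """Scan {name: text}; return (exit_code, findings). Any marker fails."""
    findings = [f for name, text in sorted(sources.items())
                for f in scan_source(name, text)]
    return (1 if findings else 0), findings

# Constructed sample inputs (not from the original post).
MARKED = "    /* DANGEROUS-SNIPPET: racy increment; why: https://example.invalid/race */\n"
SAMPLES = {
    # Snippet as published: #error intact, warning comment present.
    "blog_copy.c": ("int counter;\nvoid bump(void) {\n"
                    "#error Do not compile this, read the post first\n"
                    + MARKED + "    counter++;\n}\n"),
    # Snippet reused later: #error removed, only the comment survives.
    "reused_later.c": ("int counter;\nvoid bump(void) {\n"
                       + MARKED + "    counter++;\n}\n"),
    "clean.c": "int add(int a, int b) { return a + b; }\n",
}

if __name__ == "__main__":
    code, found = gate(SAMPLES)
    for f in found:
        print(f"{f['file']}:{f['line']}: marked dangerous, see {f['why']} "
              f"(#error present: {f['error_directive_present']})")
    print("build gate exit status:", code)
```
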