Monday, December 1, 2008

Crank it to 11 (or the importance of validation)

So there I was, thinking about stuff to put on my shiny new blog when the funniest excuse for a topic about validation fell into my lap. I was browsing the SQL Developer feature request site (which just so happens to be powered by Application Express) when I found a very nice feature. I'd already voted 10 for a few features I liked. This one was far superior.

I couldn't help myself so I modified the DOM node for the vote and set it to 11. *smirk* "Surely this isn't going to work" I thought as I submitted my vote, but I was wrong...

There it is, my vote of 11. Do the math, it even contributes to the average score for the feature. So kiddies, at this stage need I say more? Probably not. Is it even kosher to patronise Oracle this soon in my blogging career? Well... we'll soon find out boys and girls. Stuff like this just doesn't cut it as far as I'm concerned. I could digress into a rant about processes very easily here, but I think it would be more productive to use this as an example to learn from so I'll give that a go first.

I'm sure what the developer intended to do was create an item level validation to confirm the expected bounds on the input. If it's outside the expected range, display a polite message along the lines of "Invalid Input" so when Captain XSS comes along and tries to get a bit cheeky he quickly loses interest. Small flaws like this are going to provide the incentive for bad guys to dig a little deeper. While we're on the topic of script injection, I'll just say you should always follow up the validation with a low sequence process that cleanses the input. The simplest way to do this is to use the inbuilt HTF.escape_sc(variable) function to reassign the value of all your page variables.
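Here is what that pair of controls looks like in PL/SQL. This is an added example, not code from the original post or from Oracle's feature request site; the page item names (P1_VOTE, P1_COMMENT), the 1 to 10 voting range and the function name validate_vote are all assumptions made for the illustration.

```plsql
-- Added example (not the post's or Oracle's own code). Assumes page items
-- P1_VOTE and P1_COMMENT and a vote range of 1..10; all are assumptions.

-- 1. Server-side bounds check. Hook it up as an item validation of type
--    "PL/SQL Function Returning Error Text" with the body
--        RETURN validate_vote(:P1_VOTE);
--    NULL means "valid"; anything else is the message shown to the user.
CREATE OR REPLACE FUNCTION validate_vote (p_vote IN VARCHAR2)
  RETURN VARCHAR2
IS
  l_vote NUMBER;
BEGIN
  -- Anything that is not a number at all ('', 'abc', '<script>') is rejected.
  BEGIN
    l_vote := TO_NUMBER(p_vote);
  EXCEPTION
    WHEN VALUE_ERROR OR INVALID_NUMBER THEN
      RETURN 'Invalid Input';
  END;

  -- NULL, fractions and anything outside the range the select list offers
  -- are rejected too. This is the branch that would have caught the 11.
  IF l_vote IS NULL
     OR l_vote <> TRUNC(l_vote)
     OR l_vote < 1
     OR l_vote > 10
  THEN
    RETURN 'Invalid Input';
  END IF;

  RETURN NULL;
END validate_vote;
/

-- 2. Low sequence page process (PL/SQL, runs before the insert) that
--    reassigns free-text items escaped, so any markup that slipped past
--    the browser is stored and rendered as inert text.
BEGIN
  :P1_COMMENT := HTF.ESCAPE_SC(:P1_COMMENT);
END;
/

-- 3. Constructed inputs to exercise the function from SQL*Plus or SQL
--    Developer with SET SERVEROUTPUT ON. The values are made up here.
DECLARE
  TYPE t_inputs IS TABLE OF VARCHAR2(50);
  l_inputs t_inputs := t_inputs('10', '11', '0', '7.5', 'abc',
                                '<script>alert(1)</script>', NULL);
BEGIN
  FOR i IN 1 .. l_inputs.COUNT LOOP
    DBMS_OUTPUT.PUT_LINE(
      RPAD(NVL(l_inputs(i), '<null>'), 30) || ' -> ' ||
      NVL(validate_vote(l_inputs(i)), 'OK'));
  END LOOP;
  -- Shows what the escaping process stores for a hostile comment.
  DBMS_OUTPUT.PUT_LINE(HTF.ESCAPE_SC('<b onmouseover="x()">hi</b>'));
END;
/
```

The point of doing the range check in the database session rather than in the page is exactly the one the post makes: the select list only constrains what the browser offers, and a DOM edit bypasses it in seconds, so the only bound that counts is the one checked after submit. HTF.ESCAPE_SC turns the angle brackets, ampersand and double quote into their entity forms, which is why it is safe to run unconditionally over text items before they are stored.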

Sure, you could argue this stuff isn't always necessary, for instance if a particular column uses a LOV select list with referential integrity then you can leave the database to throw an ugly error for you if you like. As long as you are gauging the consequences of omitting validation then that's good stuff. If you're ever in doubt, please don't just ignore it. The above example may seem relatively harmless, but these sorts of things happen embarrassingly frequently. If we can't get it right on a small scale, how are we going to convince people they are safe when it really counts, such as with voting systems used in national elections? Please don't allow yourself to get complacent. This sort of thing is shameful. Not just for the developer, but the entire industry.

Application Express is simple yet powerful. This combination can get you into trouble unless you are prepared to be a bit careful. Perhaps the title could have been "the importance of keeping grads away from outward facing web applications"? ...or "the importance of peer review"? ...or maybe "the importance of allocating QA time to projects". Whatever the reason, the 2nd largest software company in the world should know better. 'Nuff said?

1 comment:

Edenist said...

haha good work captain meat!