Tuesday, June 9, 2009

Eliminating Bugs

Fantastic article...
http://duartes.org/gustavo/blog/post/of-aviation-crashes-and-software-bugs

Gustavo talks about eliminating software bugs by eliminating the possibility to create them.

I think Apex does a pretty good job on this front, as long as you don't start putting "execute immediate" statements in PL/SQL blocks. Not so good at preventing XSS though. Although it does have the "Strip HTML" option set by default in reports, it's overzealous and you often have to switch it off because it can't handle "<" and ">" symbols in legitimate text (really it should just convert them to harmless &lt; and &gt;). Normal "Display as Text" items have the "escape special characters" option, but this has the same problem.

In fact, Oracle already has the function required to render user data safely... HTF.escape_sc. It's probably a good idea to wrap every item in the report select statement with this, or create a view that serves this purpose and only use the view when displaying user data. I've toyed with using the function to sanitise user input, but the problem there is each time you save the same form, the escape sequences get longer and longer (i.e. & becomes &amp; becomes &amp;amp;).
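The two approaches above (escape at render time versus escape on every save) and the "&amp;amp;" growth they produce are easy to see in a few lines. The following is an added example, not code from this post or from Oracle; `escape_sc` is a Python stand-in that performs the four substitutions HTF.escape_sc makes (&, <, >, "), and the user input is constructed for the demonstration. `normalise_on_save` goes one step beyond the post and shows what a save-time sanitiser has to do to stop the growth, together with the ambiguity that approach can never remove.

```python
"""Output escaping vs. input sanitising, with a stand-in for HTF.escape_sc."""
import html

# Constructed sample of what a user might type into a form field.
USER_INPUT = 'Tom & Jerry say "1 < 2" <script>alert(1)</script>'


def escape_sc(text: str) -> str:
    """Stand-in for Oracle's HTF.escape_sc (assumption: same four characters).
    '&' is replaced first so the '&' written by the later replacements is not
    escaped a second time within a single call."""
    return (text.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace('"', "&quot;"))


def sanitise_on_save(stored: str, saves: int) -> str:
    """The approach the post warns about: escape on every form save.
    Each save re-escapes the '&' of the entities written by the previous one,
    so the stored value grows by one 'amp;' per save."""
    for _ in range(saves):
        stored = escape_sc(stored)
    return stored


def render_report(stored_rows):
    """Store the raw text and escape when it is displayed (the wrapped report
    column or view approach). Rendering depends only on the stored value, so
    rendering any number of times yields identical markup."""
    return [escape_sc(row) for row in stored_rows]


def normalise_on_save(stored: str) -> str:
    """If input must be sanitised at save time, decode one level before
    escaping; the result is then stable across repeated saves.
    Caveat: a user who literally typed '&amp;' cannot be distinguished from a
    value that an earlier save escaped, so that text collapses to '&'.
    Storing raw and escaping on output avoids the ambiguity altogether."""
    return escape_sc(html.unescape(stored))


def amp_nesting(text: str) -> int:
    """Count how many layers of '&amp;' a value carries; a quick check for
    data that has already been through a save-time escaper more than once."""
    depth = 0
    while "&amp;" in text:
        text = html.unescape(text)  # peel off one layer of escaping
        depth += 1
    return depth


if __name__ == "__main__":
    print("rendered :", render_report([USER_INPUT])[0])
    for n in (1, 2, 3):
        print(f"{n} save(s):", sanitise_on_save("Tom & Jerry", n))
    print("stable   :", normalise_on_save(normalise_on_save("Tom & Jerry")))
```

Running the script shows the single rendered line containing `&lt;script&gt;` rather than a live tag, the "Tom &amp;amp;amp; Jerry" produced by three naive saves, and the normalised value staying at "Tom &amp; Jerry" no matter how often it is saved.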

They should smarten that function up and include a default input sanitisation process for every form, then permit you to downgrade its paranoia level for exceptional situations. Allowing for exceptional circumstances goes against what the article is saying. But the author doesn't discuss the downsides and tradeoffs of a Nazi development environment. I don't think it's possible to have an environment that completely guards against writing buggy code. It's just another impossible ideal. But there's nothing wrong with making steps towards it.
