{"id":901,"date":"2005-05-11T00:15:02","date_gmt":"2005-05-11T00:15:02","guid":{"rendered":"https:\/\/www.joelonsoftware.com\/?p=901"},"modified":"2016-12-05T19:13:57","modified_gmt":"2016-12-05T19:13:57","slug":"making-wrong-code-look-wrong","status":"publish","type":"post","link":"https:\/\/www.joelonsoftware.com\/2005\/05\/11\/making-wrong-code-look-wrong\/","title":{"rendered":"Making Wrong Code Look Wrong"},"content":{"rendered":"

Way back in September 1983, I started my first real job, working at Oranim, a big bread factory in Israel that made something like 100,000 loaves of bread every night in six giant ovens the size of aircraft carriers.<\/p>\n

The first time I walked into the bakery I couldn\u2019t believe what a mess it was. The sides of the ovens were yellowing, machines were rusting, there was grease everywhere.<\/p>\n

\u201cIs it always this messy?\u201d I asked.<\/p>\n

\u201cWhat? What are you talking about?\u201d the manager said. \u201cWe just finished cleaning. This is the cleanest it\u2019s been in weeks.\u201d<\/p>\n

Oh boy.<\/p>\n

It took me a couple of months of cleaning the bakery every morning before I realized what they meant. In the bakery, clean meant no dough on the machines. Clean meant no fermenting dough in the trash. Clean meant no dough on the floors.<\/p>\n

Clean did not mean the paint on the ovens was nice and white. Painting the ovens was something you did every decade, not every day. Clean did not mean no grease. In fact there were a lot of machines that needed to be greased or oiled regularly and a thin layer of clean oil was usually a sign of a machine that had just been cleaned.<\/p>\n

\"ThisThe whole concept of clean in the bakery was something you had to learn. To an outsider, it was impossible to walk in and judge whether the place was clean or not. An outsider would never think of looking at the inside surfaces of the dough rounder (a machine that rolls square blocks of dough into balls, shown in the picture at right) to see if they had been scraped clean. An outsider would obsess over the fact that the old oven had discolored panels, because those panels were huge<\/em>. But a baker couldn\u2019t care less whether the paint on the outside of their oven was starting to turn a little yellow. The bread still tasted just as good.<\/p>\n

After two months in the bakery, you learned how to \u201csee\u201d clean.<\/p>\n

Code is the same way.<\/p>\n

When you start out as a beginning programmer or you try to read code in a new language it all looks equally inscrutable. Until you understand the programming language itself you can\u2019t even see obvious syntactic errors.<\/p>\n

During the first phase of learning, you start to recognize the things that we usually refer to as \u201ccoding style.\u201d So you start to notice code that doesn\u2019t conform to indentation standards and Oddly-Capitalized variables.<\/p>\n

It\u2019s at this point you typically say, \u201cBlistering Barnacles, we\u2019ve got<\/em> to get some consistent coding conventions around here!\u201d and you spend the next day writing up coding conventions for your team and the next six days arguing about the One True Brace Style and the next three weeks rewriting old code to conform to the One True Brace Style until a manager catches you and screams at you for wasting time on something that can never make money, and you decide that it\u2019s not really a bad thing to only reformat code when you revisit it, so you have about half of a True Brace Style and pretty soon you forget all about that and then you can start obsessing about something else irrelevant to making money like replacing one kind of string class with another kind of string class.<\/p>\n

As you get more proficient at writing code in a particular environment, you start to learn to see other things. Things that may be perfectly legal and perfectly OK according to the coding convention, but which make you worry.<\/p>\n

For example, in C:<\/p>\n

\n

char* dest, src;<\/strong><\/tt><\/p>\n<\/blockquote>\n

This is legal code; it may conform to your coding convention, and it may even be what was intended, but when you\u2019ve had enough experience writing C code, you\u2019ll notice that this declares dest<\/strong><\/tt> as a char<\/strong><\/tt> pointer<\/i> while declaring src<\/strong><\/tt> as merely a char<\/strong><\/tt>, and even if this might<\/em> be what you wanted, it probably isn\u2019t. That code smells a little bit dirty. <\/p>\n

Even more subtle:<\/p>\n

\n

if (i != 0)
    foo(i);<\/strong><\/tt><\/p>\n<\/blockquote>\n

In this case the code is 100% correct; it conforms to most coding conventions and there\u2019s nothing wrong with it, but the fact that the single-statement body of the if<\/tt>statement is not enclosed in braces may be bugging you, because you might be thinking in the back of your head, gosh, somebody might insert another line of code there<\/p>\n

\n

if (i != 0)
    bar(i);<\/span>
    foo(i);<\/strong><\/tt><\/p>\n<\/blockquote>\n

\u2026 and forget to add the braces, and thus accidentally make foo(i)<\/strong><\/tt>unconditional! So when you see blocks of code that aren\u2019t in braces, you might sense just a tiny, wee, soup\u00e7on of uncleanliness which makes you uneasy.<\/p>\n

OK, so far I\u2019ve mentioned three levels of achievement as a programmer:<\/p>\n

1. You don\u2019t know clean from unclean.<\/p>\n

2. You have a superficial idea of cleanliness, mostly at the level of conformance to coding conventions.<\/p>\n

3. You start to smell subtle hints of uncleanliness beneath the surface and they bug you enough to reach out and fix the code.<\/p>\n

There\u2019s an even higher level, though, which is what I really want to talk about:<\/p>\n

4. You deliberately architect your code in such a way that your nose for uncleanliness makes your code more likely to be correct.<\/p>\n

This is the real art: making robust code by literally inventing conventions<\/em> that make errors stand out on the screen.<\/p>\n

So now I\u2019ll walk you through a little example, and then I\u2019ll show you a general rule you can use for inventing these code-robustness conventions, and in the end it will lead to a defense of a certain type of Hungarian Notation, probably not the type that makes people carsick, though, and a criticism of exceptions in certain circumstances, though probably not the kind of circumstances you find yourself in most of the time. <\/p>\n

But if you\u2019re so convinced that Hungarian Notation is a Bad Thing and that exceptions are the best invention since the chocolate milkshake and you don\u2019t even want to hear any other opinions, well, head on over to Rory\u2019s and read the excellent comix<\/a> instead; you probably won\u2019t be missing much here anyway; in fact in a minute I\u2019m going to have actual code samples which are likely to put you to sleep even before they get a chance to make you angry. Yep. I think the plan will be to lull you almost completely to sleep and then to sneak the Hungarian=good, Exceptions=bad thing on you when you\u2019re sleepy and not really putting up much of a fight.<\/p>\n

An Example<\/strong><\/font><\/p>\n

\"Somewhere<\/p>\n

Right. On with the example. Let\u2019s pretend that you\u2019re building some kind of a web-based application, since those seem to be all the rage with the kids these days.<\/p>\n

Now, there\u2019s a security vulnerability called the Cross Site Scripting Vulnerability, a.k.a. XSS<\/a>. I won\u2019t go into the details here: all you have to know is that when you build a web application you have to be careful never to repeat back any strings that the user types into forms.<\/p>\n

So for example if you have a web page that says \u201cWhat is your name?\u201d with an edit box and then submitting that page takes you to another page that says, Hello, Elmer! (assuming the user\u2019s name is Elmer), well, that\u2019s a security vulnerability, because the user could type in all kinds of weird HTML and JavaScript instead of \u201cElmer\u201d and their weird JavaScript could do narsty things, and now those narsty things appear to come from you, so for example they can read cookies that you put there and forward them on to Dr. Evil\u2019s evil site.<\/p>\n

Let\u2019s put it in pseudocode. Imagine that<\/p>\n

\n

s = Request(\"name\")<\/strong><\/tt><\/p>\n<\/blockquote>\n

reads input (a POST argument) from the HTML form. If you ever write this code:<\/p>\n

\n

Write \"Hello, \" & Request(\"name\")<\/tt><\/strong><\/p>\n<\/blockquote>\n

your site is already vulnerable to XSS attacks. That\u2019s all it takes.<\/p>\n

Instead you have to encode it before you copy it back into the HTML. Encoding it means replacing \"<\/tt> with &quot;<\/tt>, replacing ><\/tt> with &gt;<\/tt>, and so forth. So<\/p>\n

\n

Write \"Hello, \" & Encode(Request(\"name\"))<\/strong><\/tt><\/p>\n<\/blockquote>\n

is perfectly safe.<\/p>\n

All strings that originate from the user are unsafe<\/em>. Any unsafe string must not be output without encoding it.<\/p>\n

Let\u2019s try to come up with a coding convention that will ensure that if you ever make this mistake, the code will just look<\/em> wrong. If wrong code, at least, looks<\/em> wrong, then it has a fighting chance of getting caught by someone working on that code or reviewing that code.<\/p>\n

Possible Solution #1<\/font><\/strong><\/p>\n

One solution is to encode all strings right away, the minute they come in from the user:<\/p>\n

\n

s = Encode(Request(\"name\"))<\/strong><\/tt><\/p>\n<\/blockquote>\n

So our convention says this: if you ever see Request<\/strong><\/tt> that is not surrounded by Encode<\/strong><\/tt>, the code must be wrong.<\/p>\n

You start to train your eyes to look for naked Request<\/strong><\/tt>s, because they violate the convention.<\/p>\n

That works, in the sense that if you follow this convention you\u2019ll never have a XSS bug, but that\u2019s not necessarily the best architecture. For example maybe you want to store these user strings in a database somewhere, and it doesn\u2019t make sense to have them stored HTML-encoded in the database, because they might have to go somewhere that is not an HTML page, like to a credit card processing application that will get confused if they are HTML-encoded. Most web applications are developed under the principle that all strings internally are not<\/em> encoded until the very last moment <\/em>before they are sent to an HTML page, and that\u2019s probably the right architecture.<\/p>\n

We really need to be able to keep things around in unsafe format for a while.<\/p>\n

OK. I\u2019ll try again. <\/p>\n

Possible Solution #2<\/font><\/strong><\/p>\n

What if we made a coding convention that said that when you write out <\/em>any string you have to encode it?<\/p>\n

\n

s = Request(\"name\")
<\/strong><\/tt>
\/\/ much later:
<\/strong><\/tt>Write Encode(s)<\/tt><\/strong><\/p>\n<\/blockquote>\n

Now whenever you see a naked Write<\/strong><\/tt> without the Encode<\/strong><\/tt> you know something is amiss.<\/p>\n

Well, that doesn\u2019t quite work\u2026 sometimes you have little bits of HTML around in your code and you can\u2019t<\/em> encode them:<\/p>\n

\n

If mode = \"linebreak\" Then prefix = \"<br>\"<\/tt><\/strong><\/p>\n

\/\/ much later:
<\/tt>Write prefix<\/tt><\/strong><\/p>\n<\/blockquote>\n

This looks wrong according to our convention, which requires us to encode strings on the way out:<\/p>\n

\n

Write Encode(prefix)<\/tt><\/strong><\/p>\n<\/blockquote>\n

But now the \"<br><\/strong>\"<\/tt>, which is supposed to start a new line, gets encoded to &lt;br&gt;<\/strong><\/tt> and appears to the user as a literal < b r ><\/strong><\/tt>. That\u2019s not right either.<\/p>\n

So, sometimes you can\u2019t encode a string when you read it in, and sometimes you can\u2019t encode it when you write it out, so neither of these proposals works. And without a convention, we\u2019re still running the risk that you do this:<\/p>\n

\n

s = Request(\"name\")<\/strong><\/tt><\/p>\n

...pages later...
<\/tt>name = s<\/tt><\/strong><\/p>\n

...pages later...
<\/tt>recordset(\"name\") = name \/\/ store name in db in a column \"name\"<\/tt><\/strong><\/p>\n

...days later...
<\/tt>theName = recordset(\"name\") <\/tt><\/strong><\/p>\n

...pages or even months later...
<\/tt>Write theName<\/strong><\/tt><\/p>\n<\/blockquote>\n

Did we remember to encode the string? There\u2019s no single place where you can look to see the bug. There\u2019s no place to sniff. If you have a lot of code like this, it takes a ton of detective work to trace the origin of every string that is ever written out to make sure it has been encoded.<\/p>\n

The Real Solution<\/font><\/strong><\/p>\n

So let me suggest a coding convention that works. We\u2019ll have just one rule:<\/p>\n

All strings that come from the user must be stored in variables (or database columns) with a name starting with the prefix “us” (for Unsafe String). All strings that have been HTML encoded or which came from a known-safe location must be stored in variables with a name starting with the prefix “s” (for Safe string).<\/p>\n

Let me rewrite that same code, changing nothing but the variable names to match our new convention.<\/p>\n

\n

us = Request(\"name\")<\/tt><\/strong><\/p>\n

...pages later...
usName = us<\/strong><\/tt><\/p>\n

...pages later...
recordset(\"usName\") = usName <\/strong><\/tt><\/p>\n

...days later...
sName = Encode(recordset(\"usName\"))<\/strong><\/tt><\/p>\n

...pages or even months later...
Write sName<\/strong><\/tt><\/p>\n<\/blockquote>\n

The thing I want you to notice about the new convention is that now, if you make a mistake with an unsafe string, you can always see it on some single line of code<\/em>, as long as the coding convention is adhered to:<\/p>\n

\n

s = Request(\"name\")<\/strong><\/tt><\/p>\n<\/blockquote>\n

is a priori wrong, because you see the result of Request<\/tt> being assigned to a variable whose name begins with s<\/tt>, which is against the rules. The result of Request<\/tt> is always unsafe so it must always be assigned to a variable whose name begins with \u201cus\u201d.<\/p>\n

\n

us = Request(\"name\")<\/tt><\/strong><\/p>\n<\/blockquote>\n

is always OK.<\/p>\n

\n

usName = us<\/strong><\/tt><\/p>\n<\/blockquote>\n

is always OK.<\/p>\n

\n

sName = us<\/strong><\/tt><\/p>\n<\/blockquote>\n

is certainly wrong.<\/p>\n

\n

sName = Encode(us)<\/strong><\/tt><\/p>\n<\/blockquote>\n

is certainly correct.<\/p>\n

\n

Write usName<\/strong><\/tt><\/p>\n<\/blockquote>\n

is certainly wrong.<\/p>\n

\n

Write sName<\/strong><\/tt><\/p>\n<\/blockquote>\n

is OK, as is<\/p>\n

\n

Write Encode(usName)<\/strong><\/tt><\/p>\n<\/blockquote>\n

Every line of code can be inspected by itself<\/em>, and if every line of code is correct, the entire body of code is correct.<\/p>\n

Eventually, with this coding convention, your eyes learn to see the Write usXXX<\/strong><\/tt> and know that it\u2019s wrong, and you instantly know how to fix it, too. I know, it\u2019s a little bit hard to see the wrong code at first, but do this for three weeks, and your eyes will adapt, just like the bakery workers who learned to look at a giant bread factory and instantly say, \u201cjay-zuss, nobody cleaned insahd rounduh fo-ah! What the hayl kine a opparashun y\u2019awls runnin’ heey-uh?\u201d <\/p>\n

In fact we can extend the rule a bit, and rename (or wrap) the Request<\/strong><\/tt> and Encode<\/strong><\/tt>functions to be UsRequest<\/strong><\/tt> and SEncode<\/strong><\/tt>… in other words, functions that return an unsafe string or a safe string will start with Us<\/strong><\/tt> and S<\/strong><\/tt>, just like variables. Now look at the code:<\/p>\n

\n

us = UsRequest(\"name\")
<\/strong><\/tt>usName = us
<\/strong><\/tt>recordset(\"usName\") = usName
<\/strong><\/tt>sName = SEncode(recordset(\"usName\"))
<\/tt>Write sName<\/tt><\/strong><\/p>\n<\/blockquote>\n

See what I did? Now you can look to see that both sides of the equal sign start with the same prefix to see mistakes.<\/p>\n

\n

<\/span>us<\/u> = Us<\/u>Request(\"name\") <\/strong>\/\/ ok, both sides start with US
<\/span><\/tt><\/span>s<\/u> = Us<\/u>Request(\"name\") <\/strong>\/\/ bug
<\/span><\/tt><\/span>us<\/u>Name = us<\/u> <\/strong>\/\/ ok
<\/span><\/tt><\/span>s<\/u>Name = us<\/u> <\/strong>\/\/ certainly wrong.
<\/tt>s<\/u>Name = S<\/u>Encode(us) <\/strong>\/\/ certainly correct.<\/tt><\/span><\/p>\n<\/blockquote>\n

Heck, I can take it one step further, by naming Write<\/strong><\/tt> to WriteS<\/strong><\/tt> and renaming SEncode<\/strong><\/tt> to SFromUs<\/tt><\/strong>:<\/p>\n

\n

us<\/u> = Us<\/u>Request(\"name\")
<\/strong><\/tt>us<\/u>Name = us<\/u>
<\/strong><\/tt>recordset(\"us<\/u>Name\") = us<\/u>Name
<\/strong><\/tt>s<\/u>Name = S<\/u>FromUs<\/u>(recordset(\"us<\/u>Name\"))
<\/tt>WriteS<\/u> s<\/u>Name<\/tt><\/strong><\/p>\n<\/blockquote>\n

This makes mistakes even more <\/em>visible. Your eyes will learn to \u201csee\u201d smelly code, and this will help you find obscure security bugs just through the normal process of writing code and reading code.<\/p>\n

Making wrong code look wrong is nice, but it\u2019s not necessarily the best possible solution to every security problem. It doesn\u2019t catch every possible bug or mistake, because you might not look at every line of code. But it\u2019s sure a heck of a lot better than nothing, and I\u2019d much rather have a coding convention where wrong code, at least, looked wrong. You instantly gain the incremental benefit that every time a programmer\u2019s eyes pass over a line of code, that particular bug is checked for and prevented.<\/p>\n

A General Rule<\/strong><\/font><\/p>\n

This business of making wrong code look wrong depends on getting the right things close together in one place on the screen. When I\u2019m looking at a string, in order to get the code right, I need to know, everywhere I see that string, whether it\u2019s safe or unsafe. I don\u2019t want that information to be in another file or on another page that I would have to scroll to. I have to be able to see it right there<\/em> and that means a variable naming convention.<\/p>\n

There are a lot of other examples where you can improve code by moving things next to each other. Most coding conventions include rules like:<\/p>\n