
    CodeSOD: Format Identified

    May 28, 2025

    Many nations have some form of national identification number, especially around taxes. Argentina is no exception.

    Their “CUIT” (Clave Única de Identificación Tributaria) and “CUIL” (Código Único de Identificación Laboral) are formatted as “##-########-#”.

    Now, as datasets often don’t store things in their canonical representation, Nick’s co-worker was given a task: “given a list of numbers, reformat them to look like CUIT/CUIL.” That co-worker went off for five days, and produced this Java function.

    public String normalizarCuitCuil(String cuitCuilOrigen){
    	String valorNormalizado = new String();
    	
    	if (cuitCuilOrigen == null || "".equals(cuitCuilOrigen) || cuitCuilOrigen.length() < MINIMA_CANTIDAD_ACEPTADA_DE_CARACTERES_PARA_NORMALIZAR){
    		valorNormalizado = "";
    	}else{
    		StringBuilder numerosDelCuitCuil = new StringBuilder(13);
    		cuitCuilOrigen = cuitCuilOrigen.trim();
    		
    		// Keep only the digits:
    		Matcher buscadorDePatron =  patternNumeros.matcher(cuitCuilOrigen);
    		while (buscadorDePatron.find()){
    			numerosDelCuitCuil.append(buscadorDePatron.group());
    		}
    		
    		// Add the hyphens:
    		valorNormalizado = numerosDelCuitCuil.toString().substring(0,2) 
    							+ "-"
    							+ numerosDelCuitCuil.toString().substring(2,numerosDelCuitCuil.toString().length()-1) 
    							+ "-"
    							+ numerosDelCuitCuil.toString().substring(numerosDelCuitCuil.toString().length()-1, numerosDelCuitCuil.toString().length());
    		
    	}
    	return valorNormalizado;
    }


    We start with a basic sanity check that the string exists and is long enough. If it isn’t, we return an empty string, which already annoys me, because an empty result is not a good way to communicate “I failed to parse”: the caller cannot tell a rejected input from one that was legitimately blank.

    But assuming we have data, we construct a string builder and trim whitespace. And already we have a problem: the length check ran before the trim, so an input padded with enough leading or trailing whitespace passes the minimum-length test on characters that are then thrown away. Now, maybe we can assume the data is good, but the next line implies that we can’t rely on that: they create a regex matcher to find runs of digits, and for each match they append it to our StringBuilder. This implies that the input may contain non-numeric characters which need to be discarded, which means our length validation was measuring the wrong thing. And nothing ever checks how many digits survive: fewer than three makes one of the substring calls throw a StringIndexOutOfBoundsException, while any other wrong count is silently hyphenated into something that merely looks like a CUIT (“12345” becomes “12-34-5”).

    So either the data is clean and we’re overvalidating, or the data is dirty and we’re validating in the wrong order.

    But all of that’s a preamble to a terrible abuse of string builders, where they discard all the advantages of using a StringBuilder by calling toString again and again and again, each call copying the buffer into a fresh String. Now, maybe the JIT can optimize some of that away, but the result is a particularly unreadable blob of slicing code.

    Now, this is ugly, but at least it works, assuming the input data is good. It definitely should never pass a code review, but it’s not the kind of bad code that leaves one waking up in the middle of the night in a cold sweat.
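    What the function should have done, as an added example that is not the code from the article or from Nick’s co-worker: strip formatting first, validate the digit count afterwards, signal failure with an exception instead of an empty string, and slice the String once. It goes one step beyond the article by also verifying the standard mod-11 check digit that CUIT/CUIL numbers carry; the class name, the constants and the sample inputs in main are all constructed for this example.

```java
import java.util.regex.Pattern;

/**
 * Added example (not the article's code): a CUIT/CUIL normalizer that
 * validates after stripping formatting, requires exactly 11 digits,
 * checks the mod-11 check digit, and throws instead of returning "".
 */
public final class CuitNormalizer {

    private static final Pattern NON_DIGITS = Pattern.compile("[^0-9]");
    private static final int CUIT_LENGTH = 11;
    // Weights applied to the first ten digits in the standard CUIT/CUIL check-digit scheme.
    private static final int[] WEIGHTS = {5, 4, 3, 2, 7, 6, 5, 4, 3, 2};

    private CuitNormalizer() {}

    /** Returns the value formatted as ##-########-#, or throws IllegalArgumentException. */
    public static String normalize(String raw) {
        if (raw == null) {
            throw new IllegalArgumentException("CUIT/CUIL is null");
        }
        // Discard everything that is not a digit first; only then is a length check meaningful.
        String digits = NON_DIGITS.matcher(raw).replaceAll("");
        if (digits.length() != CUIT_LENGTH) {
            throw new IllegalArgumentException(
                "expected " + CUIT_LENGTH + " digits, got " + digits.length() + " in '" + raw + "'");
        }
        if (!hasValidCheckDigit(digits)) {
            throw new IllegalArgumentException("check digit mismatch in '" + raw + "'");
        }
        // Slice the String once; no repeated toString() on a StringBuilder.
        return digits.substring(0, 2) + "-" + digits.substring(2, 10) + "-" + digits.substring(10);
    }

    /** Mod-11 check: weighted sum of the first ten digits, compared against the eleventh. */
    static boolean hasValidCheckDigit(String digits) {
        int sum = 0;
        for (int i = 0; i < WEIGHTS.length; i++) {
            sum += (digits.charAt(i) - '0') * WEIGHTS[i];
        }
        int expected = 11 - (sum % 11);
        if (expected == 11) {
            expected = 0;
        } else if (expected == 10) {
            return false; // numbers with this remainder are not issued with this prefix
        }
        return expected == digits.charAt(10) - '0';
    }

    /** Constructed inputs: accepted forms next to the inputs the article's version mishandles. */
    public static void main(String[] args) {
        String[] inputs = {
            "20-12345678-6",     // canonical form; check digit 6 follows from the weights above
            "   20123456786   ", // padded: the original checked length before trimming
            "20.12345678.6",     // dots instead of hyphens
            "12345",             // the original silently emits "12-34-5"
            "2-x",               // the original throws StringIndexOutOfBoundsException
            "20-12345678-7",     // wrong check digit
        };
        for (String in : inputs) {
            try {
                System.out.println("'" + in + "' -> " + normalize(in));
            } catch (IllegalArgumentException e) {
                System.out.println("'" + in + "' -> rejected: " + e.getMessage());
            }
        }
    }
}
```

    The first three inputs all normalize to 20-12345678-6; the last three are rejected with a message that says why, which is what a caller needs in order to log or surface the bad record instead of silently storing an empty value.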

    No, what gets me about this is that it took five days to write. And according to Nick, the responsible developer wasn’t just slacking off or going to meetings the whole time, they were at their desk poking at their Java IDE and looking confused for all five days.

    And of course, because it took so long to write the feature, management didn’t want to waste more time on kicking it back via a code review. So voila: it got forced through and released to production since it passed testing.
