Close Menu

    CodeSOD: IsValidToken

    To ensure that several services could only be invoked by trusted parties, someone at Ricardo P‘s employer had the brilliant idea of requiring a token along with each request. Before servicing a request, they added this check:

    <span class="hljs-function"><span class="hljs-keyword">private</span> <span class="hljs-built_in">bool</span> <span class="hljs-title">IsValidToken</span>(<span class="hljs-params"><span class="hljs-built_in">string</span>? token</span>)</span>
{
    <span class="hljs-keyword">if</span> (<span class="hljs-built_in">string</span>.Equals(<span class="hljs-string">"xxxxxxxx-xxxxxx+xxxxxxx+xxxxxx-xxxxxx-xxxxxx+xxxxx"</span>, token)) <span class="hljs-keyword">return</span> <span class="hljs-literal">true</span>;
    <span class="hljs-keyword">return</span> <span class="hljs-literal">false</span>;
}

    The token is anonymized here, but it’s hard-coded into the code, because checking security tokens into source control, and having tokens that never expire has never caused anyone any trouble.

    Which, in the company’s defense, they did want the token to expire. The problem there is that they wanted to be able to roll out the new token to all of their services over time, which meant the system had to be able to support both the old and new token for a period of time. And you know exactly how they handled that.

    <span class="hljs-function"><span class="hljs-keyword">private</span> <span class="hljs-built_in">bool</span> <span class="hljs-title">IsValidToken</span>(<span class="hljs-params"><span class="hljs-built_in">string</span>? token</span>)</span>
{
    <span class="hljs-keyword">if</span> (<span class="hljs-built_in">string</span>.Equals(<span class="hljs-string">"xxxxxxxx-xxxxxx+xxxxxxx+xxxxxx-xxxxxx-xxxxxx+xxxxx"</span>, token)) <span class="hljs-keyword">return</span> <span class="hljs-literal">true</span>;
    <span class="hljs-keyword">else</span> <span class="hljs-keyword">if</span> (<span class="hljs-built_in">string</span>.Equals(<span class="hljs-string">"yyyyyyy-yyyyyy+yyyyy+yyyyy-yyyyy-yyyyy+yyyy"</span>, token)) <span class="hljs-keyword">return</span> <span class="hljs-literal">true</span>;
    <span class="hljs-keyword">return</span> <span class="hljs-literal">false</span>;
}

    For a change, I’m more mad about this insecurity than the if(cond) return true pattern, but boy, I hate that pattern.

    [Advertisement]
    Utilize BuildMaster to release your software with confidence, at the pace your business demands. Download today!

    Source: Read More 

    Related Posts

    Leave A Reply

    For security, use of Google's reCAPTCHA service is required which is subject to the Google Privacy Policy and Terms of Use.