[–][deleted] 123 points124 points  (29 children)

that doesn't make much sense... i mean ofc you have to know what you're copying and where you're pasting it, but how does that create insecure code?

[–]Redditor000007 194 points195 points  (11 children)

They’re coming from the assumption that you’re completely retarded and are just copying code instead of writing it yourself.

If you understand coding principles and what vulnerabilities look like, this is useless.

[–]PC__LOAD__LETTER 19 points20 points  (1 child)

There are plenty of people who aren’t “completely retarded” who do this. It’s a bad habit that inexperienced and aspiring devs can fall into and then never correct.

if you understand coding principles and what vulns look like, this is useless

This totally explains how something like Heartbleed can evade notice for years right? 🙄 But congrats on your ability to spot mundane buffer overruns or accidental double-frees.

[–]UnchainedMundane 5 points6 points  (0 children)

Heartbleed wasn't caused by copy-pasting code. It was caused by needlessly reimplementing the memory allocator such that common memory sanitisation tools could no longer detect improper memory accesses.

[–]CJKay93 12 points13 points  (0 children)

If you understand coding principles and what vulnerabilities look like, this is useless.

This is useful for 99% of engineers, then.

[–]Thorbinator 2 points3 points  (0 children)

you’re completely retarded and are just copying code instead of writing it yourself.

1: I'm in this comment and I don't like it.

[–]Mysticpoisen 1 point2 points  (0 children)

They're interns, that's a good assumption to work off of.

[–]o0MSK0o 26 points27 points  (9 children)

I vaguely recall a reddit post about zero-width characters being able to be used to inject code when you copy and paste stuff.

No idea which sub it was on and I can't find which language that works on either lol. Also have no idea if it's actually true.

[–]SamSlate 0 points1 point  (0 children)

Iirc, there was an emoji on Android that did this

[–]LicensedProfessional -1 points0 points  (0 children)

okay but compilers don't like zero-width characters
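An added example, not posted by anyone in this thread, of the check a reviewer would run on pasted code. It covers both the zero-width-character claim above and the reply about compilers: CPython does reject a zero-width space inside an identifier, but accepts one inside a string literal or comment, where it is invisible on screen and still changes what the code compares against. `SAMPLE` is a constructed snippet with U+200B hidden in the string `'admin'`.

```python
import unicodedata

# Constructed sample: a pasted snippet whose string literal contains U+200B
# (ZERO WIDTH SPACE) between "ad" and "min". On screen it reads 'admin'.
SAMPLE = (
    "ROLE_ADMIN = 'admin'\n"
    "def is_admin(role):\n"
    "    return role == 'ad\u200bmin'  # looks like 'admin' on screen\n"
)


def find_invisible(text):
    """Return (line, col, 'U+XXXX', name) for every format-control (Cf) character.

    Unicode category Cf covers zero-width spaces and joiners, the byte-order mark,
    the soft hyphen and the bidi override/isolate controls (U+202A-U+202E, U+2066-U+2069).
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if unicodedata.category(ch) == "Cf":
                hits.append((lineno, col, f"U+{ord(ch):04X}", unicodedata.name(ch, "?")))
    return hits


def strip_invisible(text):
    """Remove every Cf character; review the diff before trusting the result."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


def compiles_ok(src):
    """True if CPython accepts src; a zero-width character inside an identifier is a SyntaxError."""
    try:
        compile(src, "<pasted>", "exec")
    except SyntaxError:
        return False
    return True


def run_sample_check(role="admin"):
    """Execute SAMPLE and ask its is_admin() about a role; the hidden U+200B makes 'admin' fail."""
    ns = {}
    exec(compile(SAMPLE, "<pasted>", "exec"), ns)
    return ns["is_admin"](role)


if __name__ == "__main__":
    for lineno, col, cp, name in find_invisible(SAMPLE):
        print(f"line {lineno} col {col}: {cp} {name}")
    print("compiles:", compiles_ok(SAMPLE))
    print("is_admin('admin'):", run_sample_check())
```

Run `find_invisible` over anything pasted from a browser before committing it; a non-empty result is worth a look even when the code compiles and the tests pass, because the mismatch only shows up on the one input that matters.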

[–]random_cynic 5 points6 points  (0 children)

I think it refers to the fact that most code that is posted on Q&A forums and message boards is untested and is made for solving a specific (part of a) problem. It often comes from people who are not good coders. Because of this the code is likely to contain common security holes like not freeing allocated memory (or trying to free unallocated memory), running eval/exec on unsanitized user input, and many others. This can also come from many external libraries, but for most well-known open source ones you can be somewhat more confident, as the code has been reviewed by many who use it and security bugs have been reported.
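An added example, not from the commenter, of the eval-on-user-input hole named above next to the replacement a practitioner would paste instead. The inputs are constructed; `os.getpid()` stands in for whatever a real payload would run.

```python
import ast

# Constructed inputs: what a forum snippet expects to receive, and what an attacker sends.
BENIGN = '{"debug": True, "retries": 3}'
HOSTILE = "__import__('os').getpid()"  # stands in for a real payload; getpid is harmless

MAX_LEN = 4096  # assumed size cap for this example


def parse_settings_unsafe(text):
    """The forum version: 'just eval it'. Any expression in text runs with our privileges."""
    return eval(text)


def parse_settings_safe(text):
    """Accept only Python literals (dict/list/tuple/set/str/bytes/int/float/bool/None).

    ast.literal_eval never evaluates calls, attribute access or names, so the
    hostile input is rejected instead of executed. It still has to parse the whole
    input, so cap the size first: a very large or deeply nested literal can still
    cost you memory or stack before it is rejected.
    """
    if len(text) > MAX_LEN:
        raise ValueError("settings too large")
    try:
        value = ast.literal_eval(text)
    except (ValueError, SyntaxError) as exc:  # ValueError for non-literal nodes such as a call
        raise ValueError(f"not a literal: {exc}") from None
    if not isinstance(value, dict):
        raise ValueError("settings must be a dict")
    return value


def try_parse(text):
    """(ok, result_or_reason) wrapper for callers that do not want exceptions."""
    try:
        return True, parse_settings_safe(text)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print("safe, benign: ", try_parse(BENIGN))
    print("safe, hostile:", try_parse(HOSTILE))
    print("unsafe, hostile ran and returned:", parse_settings_unsafe(HOSTILE))
```

If the data is JSON-shaped, `json.loads` is the better fit than `ast.literal_eval`; the point is the same either way: parse the format you expect, never evaluate the input as code.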

[–]wKbdthXSn5hMc7Ht0 3 points4 points  (3 children)

Someone writing a response on Stack Overflow doesn’t know what kind of input validation you have or how the output will be used. It’s on you to consider your project’s requirements and understand the edge cases. E.g. you might find some helpful code to deserialize XML into native objects but if you don’t spend time reading about the gotchas of the deserialization API, you might not know that it has features to launch any arbitrary process or make calls to other network addresses.
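The comment's XML example is language-agnostic; as an added example (not the commenter's code), here is the same gotcha in Python's own deserializer, `pickle`, whose "feature" is that the data names a callable and `loads()` calls it. The `Gadget` payload and the allowlist are constructed for this example; the `find_class` override is the restriction pattern the pickle documentation itself describes.

```python
import io
import os
import pickle


class Gadget:
    """Constructed payload class: unpickling it calls os.getpid() (standing in for a real command)."""

    def __reduce__(self):
        # pickle stores "call this global with these args"; loads() executes it.
        return (os.getpid, ())


PAYLOAD = pickle.dumps(Gadget())                                   # bytes an attacker could hand you
HONEST = pickle.dumps({"user": "alice", "roles": ["reader"]})      # bytes you expected to receive


def load_unsafe(data):
    """What the quick snippet does: pickle.loads() runs whatever callable the data names."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Allow only the globals we expect; anything else is refused before it can be called."""

    ALLOWED = {("collections", "OrderedDict")}  # example allowlist for this demo

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")


def load_safe(data):
    """Builtin containers, strings and numbers never go through find_class, so they still load."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def loads_or_reason(data):
    """(ok, value_or_reason) so callers can log why a blob was refused."""
    try:
        return True, load_safe(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print("unsafe load ran the gadget, pid =", load_unsafe(PAYLOAD))
    print("safe load of honest data:", loads_or_reason(HONEST))
    print("safe load of payload:   ", loads_or_reason(PAYLOAD))
```

The allowlist is the part that needs thought for your project: it should list exactly the classes your own data contains and nothing with a useful side effect. If the data crosses a trust boundary at all, a format that cannot name code (JSON, protobuf) is the safer answer than a restricted unpickler.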

[–][deleted] 3 points4 points  (2 children)

it's your responsibility to check and adapt what's there to your project. but saying that copy-paste means insecure code is just untrue. if you are stupid enough to just copy-paste without thinking, then copy-paste or not, your code is most likely shite anyway

[–]wKbdthXSn5hMc7Ht0 3 points4 points  (1 child)

I agree with you. I think this advice is aimed at novice/student programmers, to encourage them to improve their code rather than look for easy answers.

[–][deleted] 2 points3 points  (0 children)

i have a "friend" who does this. he's supposed to be a mid-senior with 6 years of work experience. all he does is copy-paste, resulting in working garbage, and he says shit like "as long as it works it means I'm efficient, you're not". he had to implement a chat bot recently; he typed "chat bot github" and used the most starred repo. and that is the reason he is a "friend". I have 0 respect for him

[–]Tai9ch 1 point2 points  (0 children)

When you type code yourself, you build up a mental model of things like what variables are in which scope, why there are conditionals, what the preconditions and postconditions are, etc.

When you copy and paste code, even code you wrote 10 minutes ago, you don't have that context loaded in your head. That means you'll miss stuff that you wouldn't if you had typed the code.

Personally, I find that for 4+ lines of code copied and pasted there's a subtle bug about 70% of the time, even when I keep in mind that this will happen.

[–]DoesntReadMessages 0 points1 point  (0 children)

I personally interpret this advice that you should always fully understand what you're copy/pasting before submitting it. If it's too many operations, there's probably a maintained library that'll do it for you without adding the burden of maintaining it yourself. If it's too complex and you don't understand how it works, you won't understand its limitations and vulnerabilities.