I’ll give an example. At my previous company there was a program where you basically select a start date, select an end date, select the system and press a button, and it reaches out to a database and pulls all the data that matches those parameters. The horrors of this were:

  1. The queries were hard coded.

  2. They were stored in a configuration file, in XML format.

  3. The queries were not 1 entry. It was 4: a start, the part between start date and end date, the part between end date and system, and then the end part. All of these were then concatenated in the program, intermixed with variables.

  4. This was then sent to the server as pure SQL, no ORM.

  5. Here’s my favorite part. You obviously don’t want anyone modifying the configuration file, so they encrypted it. Now I know what you’re thinking: at some point you probably will need to modify or add to the configuration, so you store an unencrypted version in a secure location. Nope! The program had the ability to encrypt and decrypt, but there were no visible buttons to access those functions. The program was written in WinForms. You had to open the program in Visual Studio, manually expand the size of the window (locked size in regular use) and that shows the buttons. Now run the program in debug. Press the decrypt button. DO NOT EXIT THE PROGRAM! Edit the file in a text editor. Save file. Press the encrypt button. Copy the encrypted file to any other location on your computer. Close the program. Manually email the encrypted file to anybody using the file.
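The query-building pattern the post describes (four SQL fragments read from an XML config and concatenated around the start date, end date and system name) beside its parameterized counterpart, as an added example that is not the poster's code. The original program was C# WinForms; this rendering uses Python with an in-memory sqlite3 database, a constructed XML config with made-up tag names, and constructed sample rows.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed stand-in for the (decrypted) XML config from the post: four
# fragments that the program glued together around the user's inputs.
# Tag names are assumptions; the post only says there were four pieces.
CONFIG_XML = """<queries>
  <start>SELECT ts, system, reading FROM readings WHERE ts &gt;= </start>
  <middle>AND ts &lt; </middle>
  <tail>AND system = </tail>
  <end>ORDER BY ts</end>
</queries>"""

def load_fragments(xml_text):
    root = ET.fromstring(xml_text)
    return {child.tag: child.text.strip() for child in root}

def build_concatenated(frags, start, end, system):
    # The pattern from the post: whatever the user typed becomes SQL text.
    return (f"{frags['start']} '{start}' {frags['middle']} '{end}' "
            f"{frags['tail']} '{system}' {frags['end']}")

def build_parameterized(frags):
    # Hardened form: same config fragments, but the values are bound through
    # placeholders, so the driver never parses them as SQL.
    return f"{frags['start']} ? {frags['middle']} ? {frags['tail']} ? {frags['end']}"

def query(conn, frags, start, end, system):
    return conn.execute(build_parameterized(frags), (start, end, system)).fetchall()

def runs_cleanly(conn, sql):
    # Does the concatenated text even parse? A legitimate value containing an
    # apostrophe is enough to break it, which is the same weakness an
    # attacker would lean on.
    try:
        conn.execute(sql).fetchall()
        return True
    except sqlite3.OperationalError:
        return False

def demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE readings (ts TEXT, system TEXT, reading REAL)")
    conn.executemany("INSERT INTO readings VALUES (?, ?, ?)", [
        ("2024-01-01", "pump-a", 1.5),   # constructed sample rows
        ("2024-01-02", "pump-a", 1.7),
        ("2024-01-02", "pump-b", 9.0),
        ("2024-02-01", "pump-a", 2.0),
    ])
    return conn
```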

  • Hasherm0n@lemmy.world · 3 hours ago

    There are a couple that come to mind.

    Definitely the worst, a C# .NET MVC application with multiple controllers that were 10s of thousands of lines long. I ran SonarQube on this at one point and it reported over 70% code duplication.

    This code base actively ignored features in the framework that would have made things easier and instead opted to do things in ways that were both worse, and harder to do. For example, all SQL queries were done using antiquated methods that, as an added benefit, also made them all injectable.

    Reading the code itself was like looking at old school PHP, but C#. I know that statement probably doesn’t make sense, but neither did the code.

    Lastly, there was no auth on any of the endpoints. None. There was a login, but you could supply whatever data you wanted on any call and the system would just accept it.

    At the time I was running an internal penetration test team and this app was from a recent acquisition. After two weeks I had to tell my team to stop testing so we could just write up what we had already and schedule another test a couple months down the line.

    • vrek@programming.dev (OP) · 3 hours ago

      What is SonarQube? I’ve never heard that term before. Could you also provide the names of some software to run them?

      • AliasVortex@lemmy.world · 2 hours ago (edited)

        SonarQube is kind of like an automated code quality checker that works for a bunch of programming languages. It’s pretty configurable (though I’ve never configured it myself), so it can be set up to check a code base for a wide range of things.

        There are a couple of different ways to run it. In my experience, bigger companies usually have a dedicated server on their internal networks that connects to their CI/CD pipelines so that code gets checked before it gets merged in.

        On a smaller scale, it’s also possible to run locally (either on metal or inside a Docker container). From there you’d install a plugin to your IDE of choice.

        More info: