Why Code Snippets from Stack Overflow Can Break Your Project

Stack Overflow has been the saviour of many programmers, including me. Some of us have never visited Stack Overflow’s home page. The only way we’ve accessed the site is through a Google search of our problem or bug.

This habit is convenient, but we might be unwittingly using code that contains some terrible bugs or security flaws. Even if it’s universally understood that copy-pasting code from StackOverflow is a bad idea, developers still do it.

Copying code itself isn’t always a bad thing. Code reuse can promote efficiency in software development; why solve a problem that has already been solved well? But when the developers use example code without trying to understand the implications of it, that’s when problems can arise.

Ryan Donovan

You might think that this security scare is an urban myth. I can assure you that it is not.

I recently came across several incidents that caught my attention and I will speak briefly about each of them.

Illustration by Mateusz Kupilas

The most copied StackOverflow Java snippet of all time is flawed!

I first came across this reading a blog. This particular blog article was written by the author of the code himself. You can read it here.

The author of the code, Andreas Lundblad, a Java developer at Palantir, and one of the highest-ranked contributors to StackOverflow, admitted to the flaw.

A research paper in 2018 by Sebastian Baltes, published in the journal “Empirical Software Engineering”, identified a code snippet Andreas posted on the site as the most copied Java code taken from StackOverflow and then re-used in open source projects. It has been copied and embedded in more than 6000 GitHub Java projects.

This code snippet was provided as an answer to this question posted on Stack Overflow in 2010. Its function is to convert byte counts into a more human-readable format. For example, it converts 1024 bytes into 1 kB or 1,048,576 bytes into 1 MB.

Having been informed by Sebastian Baltes about the remarkable spread of his code snippet, Andreas revisited the code and published a corrected version on his blog.

At the end of his article, Andreas laid out some valuable advice for developers:

  • Stack Overflow snippets can be buggy, even if they have thousands of upvotes.
  • Test all edge cases, especially for code copied from Stack Overflow.
  • Do include proper attribution when copying code. Someone might just call you out on it.

Although this bug was a trivial edge case and would only cause minor inaccurate estimations in file size, things could have been much worse. Let's see some more examples.

Major Security Flaws in the Most Popular C++ Code Snippets on StackOverflow

A research paper published in 2019 by Morteza Verdi et al. found that 69 of the most popular C++ code snippets posted on StackOverflow in the past ten years contain major security flaws.

The 69 identified vulnerable code snippets are used in 2589 GitHub projects. The most common vulnerability propagated from Stack Overflow to GitHub, according to the researchers, is CWE-150.

CWE is a community-developed list of common software and hardware security weaknesses. It serves as a common language, a measuring stick for security tools, and as a baseline for weakness identification, mitigation, and prevention efforts.

CWE-150 is “Improper Neutralization of Escape, Meta, or Control Sequences”: input containing such sequences is passed on to a downstream component without being neutralized.

The researchers of the paper have developed a Chrome extension that alerts developers when the Stack Overflow code snippet they are viewing has any known security vulnerabilities. Although this extension isn’t available for general use, you can check out its source code here.

You Cannot Run Docker for Windows and Razer Synapse Driver Management Tool at the Same Time Because They Contain a Stack Overflow Bug

Two years ago, there was a strange issue with Docker for Windows. People were unable to get Docker started on their Windows computers. This strange issue was opened by a user on GitHub and several other users said they had also faced it. No one knew what was actually wrong until this Reddit post popped up.

It was identified that the problem occurred when you tried to run Docker for Windows while Razer Synapse was running in the background. If you have Razer Synapse running, Docker thinks that there’s already an instance running and it won’t start.

Both applications want only one instance of themselves running. Although this seems to be a legitimate requirement, the implementation seemed to be the root cause of the bug. The buggy code that caused the problem:

```csharp
// Builds the name of the "single instance" mutex. The GUID comes from the *type*
// of the Assembly object (System.Reflection.RuntimeAssembly), which is the same
// in every .NET application, so every app that copied this line gets the same name.
var name = string.Format("Global\\{0}", (object) Assembly.GetExecutingAssembly().GetType().GUID);
```

The problem is that the GUID returned is the GUID for the type System.Reflection.RuntimeAssembly and not a GUID for a type defined in the Docker for Windows assembly.
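
To show why the copied line misbehaves and what a correct single-instance guard looks like, here is an added example (not code from the original post, nor from Docker or Razer); the application identifier it hard-codes is a constructed placeholder, and `BuggyNameComesFromRuntime` is a helper introduced here as the check a unit test could run.

```csharp
using System;
using System.Reflection;
using System.Threading;

// Single-instance guard: the copied (buggy) mutex name beside a corrected one.
static class SingleInstanceGuard
{
    // The line from the post. Assembly.GetExecutingAssembly().GetType() is
    // System.Reflection.RuntimeAssembly for every .NET application, so every
    // program that copied it derives exactly the same "Global\..." name.
    public static string BuggyMutexName() =>
        string.Format(@"Global\{0}", Assembly.GetExecutingAssembly().GetType().GUID);

    // Check that exposes the defect: the type whose GUID is used lives in the
    // runtime's core library (the same assembly as System.Object), not in ours.
    public static bool BuggyNameComesFromRuntime() =>
        Assembly.GetExecutingAssembly().GetType().Assembly == typeof(object).Assembly;

    // Corrected: tie the name to *this* application. A fixed, per-application
    // identifier is simplest; the value below is a constructed placeholder,
    // generate your own once (Guid.NewGuid()) and hard-code it.
    const string AppInstanceId = "00000000-0000-4000-8000-000000000000";
    public static string AppMutexName() => @"Global\" + AppInstanceId;

    // Returns true if this process is the first instance. The mutex must stay
    // alive (not disposed) for the lifetime of the process; the "Global\"
    // prefix makes it visible across sessions on Windows.
    public static bool TryBecomeSingleInstance(string mutexName, out Mutex held)
    {
        var m = new Mutex(initiallyOwned: true, name: mutexName, createdNew: out bool createdNew);
        if (createdNew) { held = m; return true; }
        m.Dispose();   // someone else (possibly an unrelated program!) owns this name
        held = null;
        return false;
    }

    static void Main()
    {
        Console.WriteLine("buggy name         : " + BuggyMutexName());
        Console.WriteLine("GUID from runtime? : " + BuggyNameComesFromRuntime());
        if (TryBecomeSingleInstance(AppMutexName(), out var held))
        {
            Console.WriteLine("first instance of this app, running");
            held.ReleaseMutex();
            held.Dispose();
        }
        else
            Console.WriteLine("another instance of this app is already running");
    }
}
```

`BuggyNameComesFromRuntime()` returns true in any .NET application, which is exactly the defect: nothing in the buggy name identifies the program that created the mutex.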

Something interesting

If only one of the applications had used the above incorrect code snippet, there would not have been an issue in the first place. But, as it turns out, both applications used the incorrect code snippet, thereby not letting both instances run at the same time.

But where do you think those two applications got their code snippet from?

You’ve already guessed it — Stack Overflow.

Here’s the flawed Stack Overflow post that both applications got their code snippet from.

You won’t see the flawed answer if you visit the page now, as they’ve edited the answer. If you want to see it for yourself, visit an old archive of the page using the Wayback Machine.

Screenshot by Кекек Мачан

Key takeaways for developers by Foone Turing:

  • Think about how you would find this bug in your own programs.
  • You copy and paste the code and it seems to work. What you don’t realize is it’s broken — because you don’t run either of these programs which made the same mistake.

Should I Avoid Copying?

Not really

Stack Overflow is totally essential for any developer today. But most of the issues found in projects are basic security errors. If you understand what you are copying, there’s no harm in using it. But for the code to be production-ready, there should be adequate tests, especially for edge cases.

“If you borrow things and you don’t understand the content of what you’re borrowing, then you fall in this trap of reusing code that has potential vulnerabilities. Then you are just spreading those things around.”

If you’re going to reuse code, you need to understand that code.

Ryan Donovan

Happy coding!

Resources

Translated from: https://medium.com/better-programming/why-code-snippets-from-stack-overflow-can-break-your-project-ced579a48ddb
