picking up a thing from the closed thread

ErIog posted:
I got passed some code for security audit, and now the dev is arguing he doesn't need to validate this user input at all (for what should be an all-caps alphanumeric string) because the framework is making sure it's safe. It doesn't matter that this is being passed to things outside the dependency which don't check input at all. I should just sign off on it because, you see, this web framework said it was good input and that means you can drop it to the shell or just put it in a SQL query or do whatever with it.

that's 9 more lines than you should need but this dude is still completely in the right. you do not need to re-validate things the framework has validated for you. this is half the value of a web framework. if you insist on doing things that the framework has already done for you, why even bother using it?
May 2, 2018 22:08
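For concreteness, the scenario in the quoted post (a field that should be an all-caps alphanumeric string, later handed to a shell command and a SQL query), as an added Python example that is not from either poster, the audited code, or any particular web framework: an allow-list check at the boundary, plus a SQL sink and a process sink written so that their safety does not depend on whether that check ran. The function names, the length bound on the regex, the table schema and the sample rows are assumptions made up for this example.

```python
import re
import sqlite3
import subprocess
import sys

# Allow-list for the field described in the post: all-caps alphanumeric only.
# The length bound (32) is an assumption for the example. fullmatch() anchors
# both ends, so "ABC\n" is rejected where a "$"-anchored search() would pass it.
TOKEN_RE = re.compile(r"[A-Z0-9]{1,32}")


def is_valid_token(value: str) -> bool:
    """True only for a non-empty all-caps alphanumeric string."""
    return TOKEN_RE.fullmatch(value) is not None


def validate_token(value: str) -> str:
    """Boundary check: reject anything outside the allow-list, else return it."""
    if not is_valid_token(value):
        raise ValueError(f"invalid token: {value!r}")
    return value


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory sample data (hypothetical schema and rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, code TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO items (code, name) VALUES (?, ?)",
        [("ABC123", "widget"), ("XYZ9", "gadget")],
    )
    return conn


def lookup_in_db(conn: sqlite3.Connection, token: str) -> list:
    """SQL sink: the token is bound as a parameter, never spliced into the
    query text, so a quote or OR clause in it is just a value that matches nothing."""
    return conn.execute(
        "SELECT id, name FROM items WHERE code = ?", (token,)
    ).fetchall()


def run_tool(token: str) -> str:
    """Process sink: argv list, no shell=True, so the token arrives as a single
    argument whatever characters it contains. The child here is a stand-in for
    the external tool; it simply writes its first argument back."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", token],
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout


if __name__ == "__main__":
    db = make_demo_db()
    for candidate in ["ABC123", "abc123", "ABC123\n", "A; rm -rf /"]:
        print(f"{candidate!r:16} valid={is_valid_token(candidate)}")
    print(lookup_in_db(db, "ABC123"))
    print(lookup_in_db(db, "ABC123' OR '1'='1"))
    print(repr(run_tool("A;B")))
```

The regex is the only part that enforces the "all-caps alphanumeric" contract; the parameterised query and the argv-list call treat the token as data, so the last two functions behave the same for any string they are given.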
|
|
May 18, 2024 02:00
Rufus Ping posted:
what risk is it adding to other aws customers exactly

i assume it's that the agencies in question are perfectly willing to block all of aws or google or whoever if they don't comply, and their other customers who don't give a poo poo about signal don't want to get blocked
May 2, 2018 22:12