Monday, February 13, 2012

NodeJS: Switch is EVIL

The switch statement in JavaScript carries the same hazard it has in the other languages that inherited it from C: a case that does not end in break falls through into the case below it. In this post we discuss its potential impact in a server-side JavaScript context such as NodeJS. For more history on switch, refer to Douglas Crockford's YUI blog post.

Let's look at the sample code snippet in the screenshot below. It is a deliberately over-simplified example: a little app that reveals to each user a discount code based on the user's tier. The logic that determines a user's tier is omitted so that the issue at hand stands out.


What should have happened is that the basic-tier user, Valued Customer, is shown only the 10% discount code. But our programmer forgot to apply the brakes: the break highlighted in red in the previous case is missing (in a hurry, plain human error, or insufficient knowledge of how switch works). Execution therefore fell through into the next case, case (dis < 5000), which handed a higher discount to a basic-tier customer and showed a rather unfortunate message, as in the screenshot below.
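
The code in the screenshot is not reproduced on this page. What follows is an added example, not the post's own code: a reconstruction of the pattern the text describes, a `switch (true)` whose first case lacks a `break`, next to two versions that cannot fall through. `dis` is the variable name from the post and is assumed here to be the customer's spend; the thresholds, the codes, and every discount other than the 10% basic one are assumptions made for illustration.

```javascript
// Added example: a reconstruction of the pattern the post describes, not the
// code from the post's screenshot. `dis` is the name used in the post and is
// assumed to be the customer's spend; thresholds (1000 / 5000) and the codes
// are assumptions. Only the 10% code for the basic tier is stated in the post.

const CODES = {
  basic: 'BASIC10',   // 10% discount, the only one the post describes
  silver: 'SILVER25', // assumed
  gold: 'GOLD40',     // assumed
};

// Buggy version. `switch (true)` turns each case into a boolean test compared
// with `true` using ===. The first case has no `break`, so a basic-tier
// customer (dis < 1000) runs the basic case AND falls through into the body
// of `case (dis < 5000)`. On fall-through the second case's expression is not
// even evaluated, so it would not help if it were false.
function discountCodesBuggy(dis) {
  const shown = [];
  switch (true) {
    case (dis < 1000):
      shown.push(CODES.basic);
      // break;   <-- the forgotten brake
    case (dis < 5000):
      shown.push(CODES.silver);
      break;
    default:
      shown.push(CODES.gold);
  }
  return shown;
}

// `undefined < 1000`, `NaN < 1000` and `'abc' < 1000` are all false, so an
// unchecked comparison chain drops any such input into `default`, which in
// this app is the most generous branch. Refuse it instead.
function requireAmount(dis) {
  if (typeof dis !== 'number' || !Number.isFinite(dis)) {
    throw new TypeError('dis must be a finite number');
  }
}

// Fixed version. Returning from inside each case leaves nothing to fall
// through, and the chain reads as the ordered range check it really is.
function discountCodeFixed(dis) {
  requireAmount(dis);
  switch (true) {
    case (dis < 1000):
      return CODES.basic;
    case (dis < 5000):
      return CODES.silver;
    default:
      return CODES.gold;
  }
}

// Same logic with no switch at all: an ordered table of [limit, code] rows.
// Adding a tier means adding a row; there is no keyword to forget.
const TIERS = [
  [1000, CODES.basic],
  [5000, CODES.silver],
  [Infinity, CODES.gold],
];

function discountCodeTable(dis) {
  requireAmount(dis);
  return TIERS.find(([limit]) => dis < limit)[1];
}

// Stand-alone demo
console.log('buggy, basic customer:', discountCodesBuggy(500));   // two codes
console.log('buggy, missing field:', discountCodesBuggy(undefined)); // gold!
console.log('fixed, basic customer:', discountCodeFixed(500));    // one code
console.log('table, basic customer:', discountCodeTable(500));
```

Two things to take from this beyond the missing `break`. A test suite that only exercises silver and gold customers passes against the buggy function, because the fall-through is only reachable from the first case. And the `default` branch is where every value the comparisons cannot order (a missing field, NaN, a non-numeric string) ends up, so in a tiered check it should never be the most privileged outcome; the fixed versions reject such input up front. ESLint's `no-fallthrough` rule reports an unterminated case unless it carries a `// falls through` comment, which is also the way to document a case that is meant to fall through on purpose.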


In this fun app nothing really nasty happened, and that was the idea: take a simple piece of code and demonstrate what switch fall-through can lead to.

In the real world a similar mistake could lead to serious vulnerabilities, and ones that are hard to detect: the code is syntactically valid, nothing fails loudly, and the extra behaviour only shows up for the input that reaches the unterminated case. The more I think about JavaScript, the more I believe that coding best practices usually translate into security best practices. To be safe, anti-patterns like implied globals, with and eval should be avoided as well.


50 comments:

  1. Are you still working with Yahoo? It shows in the code... :) This is not a Node.js security vulnerability. A bad programmer can bring any robust system to its knees...

  2. Absolutely, and "switch" was as evil in C as it was in PHP and as it is in Node.

    It is more likely to be abused. Thanks for the comment.

  3. switch is not evil, sleepy coding is. The advice is no different from saying "don't use a knife, you can cut yourself."

    Yeah, I can cut myself... but I don't. :)

  4. @hasanyasin: +1
    I don't think "switch" statements are evil. Sure, I've already made some mistakes with "switch" statements, as anyone has, but I don't ever remember a debugging nightmare. It was all pretty straightforward to fix.

    On the other hand, a complex "if" statement is much harder to debug.

  5. You are such an idiot.
    Again, it has nothing to do with Node JS or JS or switch.

    Programming is not for an idiot like you.
    You forgot something and you blamed it on the statement.

    What a loser!

  6. I came here expecting to find articles about Node.js security problems. Instead I found the top 5 don'ts of JavaScript.

    Literally none of these things should ever be a problem for a competent JavaScript developer. Every language is going to have its best and worst practices. Not bothering to learn them and then acting like it's the fault of (all of) the frameworks built on the language doesn't really match up with Node.js security problems.

  7. It's not the switch statement, it's the implicit fallthrough that's the problem. Using 'break' as the final destination in switch is just a terrible idea; it's ridiculously easy to overlook, even for a competent programmer. They're only human, just like us.

    The developers behind the Go programming language got it right: they favoured explicit over implicit. The switch in Go will not fall through unless you specify the keyword 'fallthrough'. 'break' is only used for breaking a loop, and that's how it should have been.

  9. Do you normally serve as an author solely for this website, or do you do that for some other Internet or offline resources?

    Replies
    1. No, just here. Would love to write more often. I have a lot to write. Right now this blog is quite neglected. I hope to start writing some very interesting stuff soon.

  10. Google, why do you still bring me here? :P

    But yes, I do avoid switch myself.

    In the above example, you can simply use a big `if ... else if ... else if ... else ...` block, which is fewer lines of code.

    In other situations (when you would have used == in your case statements) you can avoid switch and if-then-else like this:

    var result = {
      case1: function(){ action1(); },
      case2: function(){ action2(); },
      case3: function(){ action3(); }
    }[switchVal]();

    You may sometimes want to break that apart to handle the case where none of the cases match `switchVal`.

    Alternatively, you could keep using switch, but follow Crockford's advice, and use a lint tool to check for any cases without breaks.

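The object-literal dispatch in the comment above, as an added example that is not the commenter's code, next to a version that handles the unmatched key the comment mentions and one more case it does not: a plain object literal inherits `Object.prototype`, so an attacker-chosen key such as `"toString"` or `"constructor"` matches an inherited function instead of reaching the "no such case" path. The action names and return values here are made up for illustration.

```javascript
// Added example, not the commenter's code: the object-literal dispatch from
// the comment above, next to a hardened version. Action names and return
// values are made up for illustration.

// The pattern as posted: a plain object literal indexed by the incoming value.
// Two things are missing. An unmatched key yields `undefined` and the call
// throws a TypeError, and, less obviously, the literal inherits from
// Object.prototype, so keys such as "toString" or "constructor" DO match:
// the inherited function is called with the literal as `this`, returns
// something, and the "no such action" path is never taken.
function dispatchLiteral(action) {
  return {
    list:   function () { return 'listed'; },
    create: function () { return 'created'; },
  }[action]();
}

// Hardened dispatch: a null-prototype table so only the keys we add exist,
// a type check so arrays and objects cannot coerce to a key, an explicit
// own-key check, and a deliberate fallback for everything else.
const HANDLERS = Object.create(null);
HANDLERS.list = () => 'listed';
HANDLERS.create = () => 'created';

function dispatchHardened(action) {
  if (typeof action !== 'string' ||
      !Object.prototype.hasOwnProperty.call(HANDLERS, action)) {
    return 'unknown action';
  }
  return HANDLERS[action]();
}

// Stand-alone demo
console.log(dispatchLiteral('list'));        // listed
console.log(dispatchLiteral('toString'));    // [object Object]  (inherited method ran)
console.log(dispatchHardened('toString'));   // unknown action
console.log(dispatchHardened('__proto__'));  // unknown action
```

The null-prototype table is what makes the own-key check sufficient: on a plain object, `__proto__` is an inherited accessor, and `hasOwnProperty` would already reject it, but `constructor` and `toString` would not be rejected by a naive `if (table[action])` truthiness test. Where the table is built from configuration rather than literals, a `Map` gives the same guarantee with `map.has(action)`.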
  11. Well, I even intentionally don't put a break on some of my cases, for example:

    case 1: //do something
    case 2: //do something
    break;
    case 3: //do something
    break;

    And this is not only a problem of nodejs but of almost all languages that use the switch statement. The switch statement is really helpful and even easier to maintain than its if..else counterpart.

  12. This is a funny example of the ugly side of NodeJS, because a PHP script behaves exactly the same way when using switch that way. This is a general issue and not something special to Node. From my point of view a developer with some skills would use that feature for his needs. At least I did it sometimes in the past and I don't know why I should not do it. Sorry, but this post is just crap.

  13. Crappy blog, wasted time reading it.

  14. Why are there so many trolls here? This blog is a trap!!! hahaha

  15. "switch (true)"
    yeah right

  16. Unbelievable! There really are people who write articles about their lack of skill in JS?! `switch (true)` ... WTF. Just learn how to use if/else if/else and maybe one day you'll be able to teach other people what can be wrong with switch.