The switch statement in JavaScript is known to have bad effects, as in other programming languages. In this post we discuss its potential impact in a server-side JavaScript context like NodeJS. For more history on switch, please refer to Douglas Crockford's YUI blog post.
Let's look at a sample code snippet as in the screenshot below. This is an over-simplistic example: a funny little take on an app that reveals to its users a discount code based on their tier. The logic that determines the tier and category of the user is omitted so that we can stress the issue at hand.
What should have happened is that the basic-tier user, Valued Customer, is shown only the 10% discount code. But because our programmer forgot to apply the brakes (the `break` highlighted in red in the previous case, whether in a hurry, through simple human error, or from insufficient knowledge of switch), execution fell through into the second case, `case (dis < 5000)`. That gave a higher discount to a basic-tier customer and showed a not-so-flattering message, as in the screenshot below.
Still, in this fun app nothing really nasty happened. That was the idea: take a simple piece of code and demonstrate what switch can lead to.
In the real world a similar mistake could lead to serious vulnerabilities, and those are hard to detect. The more I think about JavaScript, the more I believe that coding best practices usually translate into security best practices. To be safe, anti-patterns like implied globals, with, and eval should be avoided.
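The discount-tier bug described above, reconstructed as an added example (this is not the post's screenshot code): the tier thresholds, discount codes and messages are assumed, and `dis` is taken to be the customer's spend amount.

```javascript
'use strict';

// Buggy version: `switch (true)` with range checks. The first case is missing
// its `break`, so a basic-tier customer falls through into the next case body
// and leaves with the higher tier's code and message.
// Thresholds, codes and messages below are constructed for this example.
function discountBuggy(dis) {
  let code = null;
  let message = null;
  switch (true) {
    case (dis < 1000):
      code = 'BASIC10';            // 10% discount for the basic tier
      message = 'Valued Customer';
      // no `break` here: execution continues into the next case body
    case (dis < 5000):
      code = 'SILVER25';           // constructed: higher discount for the next tier
      message = 'Thanks for spending so much';
      break;
    default:
      code = 'GOLD40';
      message = 'Our best customer';
  }
  return { code, message };
}

// Fixed version: the tier checks are ordered from lowest to highest and each
// branch returns immediately, so there is no implicit fallthrough to forget.
function discountFixed(dis) {
  if (dis < 1000) return { code: 'BASIC10', message: 'Valued Customer' };
  if (dis < 5000) return { code: 'SILVER25', message: 'Thanks for spending so much' };
  return { code: 'GOLD40', message: 'Our best customer' };
}

// Returns true when both versions agree for a given spend; false exposes the bug.
function versionsAgree(dis) {
  return discountBuggy(dis).code === discountFixed(dis).code;
}
```

A lint tool such as ESLint (rule `no-fallthrough`) reports the missing `break` in `discountBuggy` at review time, before a customer ever sees the wrong code.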
Are you still working with Yahoo..? It shows in the code... :) It is not a Node.js security vulnerability. A bad programmer can bring any robust system to its knees...
Absolutely, and "switch" was as evil in C, as it was in PHP and as it is in Node.
It is more likely to be abused. Thanks for the comment.
switch is not evil, sleepy-coding is. The advice is no different than saying "don't use a knife, you can cut yourself."
Yeah, I can cut myself... but I don't. :)
@hasanyasin: +1
I don't think "switch" statements are evil. Sure, I've already made some mistakes with "switch" statements, as anyone has, but I don't ever remember a debugging nightmare. It was all pretty straightforward to fix.
On the other hand, a complex "if" statement is much harder to debug.
You are such an idiot.
Again, it's nothing to do with Node JS or JS or switch.
Programming is not for an idiot like you.
You forgot something and you blamed it on the statement.
What a loser!
I came here expecting to find articles about Node.js security problems. Instead I found the top 5 don't of JavaScript.
Literally none of these things should ever be a problem for a competent JavaScript developer. Every language is going to have its best and worst practices. Not bothering to learn them and then acting like it's the fault of (all of) the frameworks built on the language doesn't really match up with Node.js security problems.
It's not the switch statement, it's the implicit fallthrough that's the problem. Using 'break' as the final destination in switch is just a terrible idea; it's ridiculously easy to overlook, even for a competent programmer. They're only human, just like us.
The developers behind the Go Programming Language got it right: they favoured explicit over implicit. The switch in Go will not fall through unless you specify the keyword 'fallthrough'. 'break' is only used for breaking loops, and that's how it should have been.
Do you normally serve as an author solely for this website or you do that for some other Internet or offline resources?
No, just here. Would love to write more often. Have a lot to. Right now this blog is quite neglected. I hope to start writing some very interesting stuff soon.
Google, why do you still bring me here? :P
But yes, I do avoid switch myself.
In the above example, you can simply use a big `if ... else if ... else if ... else ...` block, which is fewer lines of code.
In other situations (when you would have used == in your case statements) you can avoid switch and if-then-else like this:
```js
// Dispatch on switchVal by looking up a handler in an object literal and
// calling it; throws if switchVal matches none of the keys.
var result = {
  case1: function () { action1(); },
  case2: function () { action2(); },
  case3: function () { action3(); }
}[switchVal]();
```
You may sometimes want to break that apart to handle the case where none of the cases match `switchVal`.
Alternatively, you could keep using switch, but follow Crockford's advice, and use a lint tool to check for any cases without breaks.
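The object-lookup dispatch suggested in the comment above, as an added example (not the commenter's code) that also handles the "no case matches" situation the comment mentions. Handler names, return values and sample inputs are constructed; the null-prototype object is an addition that keeps keys inherited from Object.prototype from being mistaken for cases.

```javascript
'use strict';

// Null-prototype table: keys such as "toString" or "constructor" are NOT
// present, so a lookup can only hit cases we actually defined.
// Tier names and discount codes are constructed for this example.
const handlers = Object.assign(Object.create(null), {
  basic: () => 'BASIC10',
  silver: () => 'SILVER25',
  gold: () => 'GOLD40',
});

// Dispatch on `tier`; when no case matches, return `fallback` instead of
// letting `{...}[tier]()` throw "undefined is not a function".
function dispatch(tier, fallback = 'NONE') {
  const handler = handlers[tier];
  return typeof handler === 'function' ? handler() : fallback;
}

// For contrast, the plain object literal from the comment: a caller-supplied
// key that happens to be an inherited method (e.g. "toString") looks like a
// match, so a "no case matched" check based on typeof would be fooled.
const plain = {
  basic: () => 'BASIC10',
  silver: () => 'SILVER25',
  gold: () => 'GOLD40',
};
function plainHasCase(tier) {
  return typeof plain[tier] === 'function';
}
```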
Well, I even intentionally don't put break on some of my cases, for example:
```js
switch (value) { // `value` is a placeholder; the comment omits the switch header
  case 1: // do something for 1, then intentionally fall through into case 2
  case 2: // do something for 1 and 2
    break;
  case 3: // do something for 3
    break;
}
```
And this is not only a problem of nodejs but of almost all languages that use the switch statement. The switch statement is really helpful and even easier to maintain than its if..else counterpart.
This is a funny example of the ugly side of NodeJS, because a PHP script behaves exactly the same way, when using switch that way. This is a general issue and not something special in Node. From my point of view a developer with some skills would use that feature, for his needs. At least I did it sometimes in the past and I don't know why I should not do it. Sorry but this post is just crap.
Crappy blog, wasted time reading it.
Why are so many trolls here? This blog is a trap!!! hahaha
"switch (true)"
yeah right
Unbelievable! There really are people who create articles about their lack of skill in JS?! `switch (true)` ... WTF. Just learn how to use if/else if/else and maybe one day you'll be able to teach other people what can be wrong with switch.
Nice post
I appreciate this