I have been trying to detect hard coded passwords in source code files.
Currently I am checking for variable assignments and comparison for identifiers with a sub-string matching with password,pswd.
But it is leading to lots of false positives like in this case(Reading passwords from a config file)
String PASSWORD_KEY = "server.password";
String password = prop.getProperty(PASSWORD_KEY);
I can flag out some sub-strings like Key,location,path for which i can skip the error generation but apart from this I cannot think of a better approach.
All suggestions are appreciated.
Real world cases of hidden backdoors learn that the code is typically far more obscured to use a variable name that indicates the purpose.
So to get to something foolproof, you'd need to do a full static analysis and have "intelligence" in the code checker to understand the code and find where the authentication happens and then work backwards to verify there are no hidden ways to achieve this.
IMHO it's cheaper to hire somebody to do (security) code reviews than to try to automate this.
Related
I have been going through the Java interview questions asked by my company and came across one that I can't seem to find the solution.
Here is the question:
Please write a method (function) accepting as single parameter a
string and reversing the order of the words in this string.
The " " is the word separator and any other char is considered as being part of a word. In order to simplify, please consider that there is always one space between the words.
Important - You are NOT allowed to use other strings or arrays or other data structures containing several elements - just plain atomic variables such as integers, chars etc.
Also, it is not allowed to use any other language specific string function other than the function giving you the length of the string.
Expected result:
"hello my beautiful world" -> "world beautiful my hello"
So, I can't use: chars[], str.split(), str.charAt(), str.substring(), StringBuilder, another declaration of String.
Should I use recursion to do it?
Since, String is Immutable and uses encapsulation,
There is no solution to your problem. You can't update the values directly, no setters are available and without the access to the getters (since you can only use .length), you can't read the value.
So, I would suggest to respond that Immutability and encapsulation prevent you from doing so.
In real life as a software engineer, you'll sometimes be asked to do things that are technically impossible or even nonsensical. Sometimes the person asking will be someone important like your boss or a big customer.
If someone actually asks you this interview question, then you're in one of those situations. That makes this question pretty interesting, and you might want to figure out what the best way to answer really is.
If someone asked me, this is how I would answer, and as an interviewer, this is the kind of answer I would award the most points for:
1) Explain how it's technically impossible to meet the requirements, but do it without making me feel stupid. This shows diplomacy.
2) Figure out what I really want. In this case, the interviewer probably wants to see if you know how to reverse the words in a string using low-level operations. This is a perfectly reasonable C language question, for example. Figuring out what the interviewer really wants shows experience and judgement.
3) Provide an answer that gives me what I want. Write this method in Java, but take a StringBuilder instead of a string, and call only length(), charAt(), and setCharAt(). This shows the expertise that the interviewer wants to see.
Hy,
Lets say you have Varchar-Database values in a column that are cAmeLCaSe and you always want to display them UPPERCASE in a view.
Is it now better to select those entrys using the (for example) UPPER-Function of Oracle
or to loop the results and call the .toUpperCase() Method from within the Java Code after the selection has been made?
I know its a bit of a general question and i will of corse comment after having made performance messurments of the above two possibilitys. But i am more after a good source of information that addresses such questions in general (like for example "is it better do run sorting db- side or in programm-code?" and questions like this for common Solutions like .Net/Java and Oracle/ MSSQL Server.
Many thanks you took the time to read this questions, i appreciate any input and wish you a great day.
Regards
Jan
It depends on where and how the uppercased value is used.
If this is only used in the frontend (I assume with "view" you did not mean a database view) then I'd go for a toUpperCase() ideally using the user's locale.
If you are using the uppercase value for comparison I'd use the Oracle function to ensure that the you have a consistent behaviour. I'm think of e.g. a condition where you compare the column value to a string constant: WHERE upper(foobar) = upper('SomeValue') If you used Java's toUpperCase() that might apply different (locale dependent) rules than Oracle would use.
I believe always my code should be database independent.
String upper = string.toUpperCase();
Because,it's database independent.If I shift my database to some other,I need not to change my code.
In a nutshell your specific requirements should take in to consideration.
Now this is a tricky problem for which I'm not able to figure out a good solution. Suppose we have a String in Java:- "He ate 3 apples today." Now the digit 3 can be easily identified in Java using isNumeric function or using regular expressions. But what if I have a String like: "He ate three apples today."? How can I identify that three is actually a number? I used OpenNlp and used its POS tagger but the time it takes to do is really too much! Can anyone suggest a better solution for this? Also among the ".bin" of OpenNlp, there is one file-"num.bin", but I don't know how to use this file. OpenNlp documentation also say nothing about it. Can anyone tell me if this is exactly what I've been looking for, and if yes then how to use it.
/*********************************************************************************************************************************/
I'm actually short of time here, so I've settled on a temporary solution here. Make a file/dictionary and take all the entries in a hashtable. Then I'll tokenize my sentence and check word by word for numbers, similar to what you guys suggested. I'll keep on updating the file as and when required. Thanks for your valuable suggestions guys, and if you have got something better than this I'd be really glad. OpenNlp implements this in a very good way, the only problem with it is time complexity and I want to do this in minimum time possible.
Create a dictionary of numbers. Search for elements from that dictionary in the text.
Check asympotic complexity, it may be cheaper to sort the text first.
You have to keep all that words in arrays and then use it. Here is an example how to convert number to string. It may help you... I think you have to split your text into words and check if a word is a number (three). If yes check the next word because it can be say "million", then check the next word and so on. It's not easy and seems like a little library.I think you'll spend a lot of time writing this. Or try to search in google for a library like this. Maybe someone have already got this problem, wrote a library and shares it for free )) Good luck.
Are there any Java API(s) which will provide plural form of English words (e.g. cacti for cactus)?
Check Evo Inflector which implements English pluralization algorithm based on Damian Conway paper "An Algorithmic Approach to English Pluralization".
The library is tested against data from Wiktionary and reports 100% success rate for 1000 most used English words and 70% success rate for all the words listed in Wiktionary.
If you want even more accuracy you can take Wiktionary dump and parse it to create the database of singular to plural mappings. Take into account that due to the open nature of Wiktionary some data there might by incorrect.
Example Usage:
English.plural("Facility", 1)); // == "Facility"
English.plural("Facility", 2)); // == "Facilities"
jibx-tools provides a convenient pluralizer/depluralizer.
Groovy test:
NameConverter nameTools = new DefaultNameConverter();
assert nameTools.depluralize("apples") == "apple"
nameTools.pluralize("apple") == "apples"
I know there is simple pluralize() function in Ruby on Rails, maybe you could get that through JRuby. The problem really isn't easy, I saw pages of rules on how to pluralize and it wasn't even complete. Some rules are not algorithmic - they depend on stem origin etc. which isn't easily obtained. So you have to decide how perfect you want to be.
considering java, have a look at modeshapes Inflector-Class as member of the package org.modeshape.common.text. Or google for "inflector" and "randall hauch".
Its hard to find this kind of API. rather you need to find out some websservice which can serve your purpose. Check this. I am not sure if this can help you..
(I tried to put word cacti and got cactus somewhere in the response).
If you can harness javascript, I created a lightweight (7.19 KB) javascript for this. Or you could port my script over to Java. Very easy to use:
pluralizer.run('goose') --> 'geese'
pluralizer.run('deer') --> 'deer'
pluralizer.run('can') --> 'cans'
https://github.com/rhroyston/pluralizer-js
BTW: It looks like cacti to cactus is a super special conversion (most ppl are going to say '1 cactus' anyway). Easy to add that if you want to. The source code is easy to read / update.
Wolfram|Alpha return a list of inflection forms for a given word.
See this as an example:
http://www.wolframalpha.com/input/?i=word+cactus+inflected+forms
And here is their API:
http://products.wolframalpha.com/api/
I was just wandering why is the prefix XXX ?
As far as I know its used for notes/reminders (or at least this is what I use it for and that is what the people on most of the links I googled use it for).
So does anyone know where the XXX prefix come from ?
From Sun/Oracle's Java code conventions, section 10.5.4:
Use XXX in a comment to flag something that is bogus but works. Use FIXME to flag something that is bogus and broken.
From the Hacker's Dictionary entry for "XXX":
A marker that attention is needed.
Commonly used in program comments to
indicate areas that are kluged up or
need to be. Some hackers liken `XXX'
to the notional heavy-porn movie
rating. Compare FIXME.
XXX, along with FIXME and TODO, is known in Eclipse as a task tag, and is indexed by the IDE to let you find the spots marked with those tags easily. You can edit such tags in the Eclipse Preferences -> Java -> Compiler -> Task Tags.
As to where it comes from: it probably emerged form the "tags" that programmers spontaneously wrote in their code to quickly mark a given line. While FIXME and TODO are explicit enough, the reason XXX was used could be a combination of these reasons:
The string "XXX" does not usually occur in regular source code and is easy to look for with tools such as grep or a simple text search in an editor;
Traditionally, "X marks the spot" which needs attention; triple X even more so;
The X key is very close to the Command/Alt/Windows keys and is easy to reach, being on the lower row of the keyboard.
I can't think of anything else...
Various reasons:
It's easy to search for.
No collision, as no sane person would use it as a variable.
It can used to mark code that needs e*X*tra special attention, dangerous code, not to be seen by underaged, etc.
I've worked with a team where XXX was used to point out a "bug or task that was not yet entered in Trac.". After it was entered in Trac the comment would be changed to TODO with the ID appended.
To Eclipse though, it's just a marker like TODO and FIXME. I imagine that it's originally used as a strong form of TODO. You usually see comments like this:
// TODO: Need to optimize this once n becomes greater than 1000.
But sometimes you'll have a comment like:
// TODO: Fix SQL injection bug before production release!
Unfortunately a quick grep wont make that SQL injection bug stand out among the 1000s of other TODOs. Using XXX here would help mark things that must be done before a milestone/release etc.
There's also a reference to it on Wikipedia:
XXX to warn other programmers of problematic or misguiding code.
It bugs me too, because XXX may also be used for masking input or format numbers,
Thus creating multi markers warning when you describe amount format:
/**
* #param amount (XXX or XXX.XX)
*/
public doSomething(String amount) {
Multiple markers at this line
-XXX or
-XXX.XX)
As #Jean-PhilippePellet suggested, you can remove it from
Preferences -> Java -> Compiler -> Task Tags