Many beginners are advised to “type code yourself instead of copy-pasting” because it enables one to internalize the process and the code more quickly. But as programmers gain more experience and attain the level where they need to get things done rather than ensure they learn, they get comfortable with CTRL+C
, CTRL+V
from Stack Overflow and other sources. As an experienced developer, I recently saw first-hand why I should never copy and paste any code I found online (or anywhere, for that matter)
Consider the code below (see https://certitude.consulting/blog/en/invisible-backdoor/):
const [ ENV_PROD, ENV_DEV ] = [ 'PRODUCTION', 'DEVELOPMENT'];
const environment = 'PRODUCTION';
function isUserAdmin(user) {
if(environmentǃ=ENV_PROD){
return true;
}
return false;
}
isUserAdmin();
Looks benign, right? And we would expect this code to always return false, yes? Unfortunately, no. Now open a browser console, copy this code, and paste in the console. You may be shocked that it returns true.
To cut the long story short, what looks like a loose inequality check on line #4, is deceptively an assignment operation, which reads like (environmentǃ = ENV_PROD
)! In JavaScript, assignment operations return the assigned value, which in this case is truthy (will be treated as true wherever a boolean value is expected)
But isn’t environmentǃ
an invalid variable name in JavaScript, you ask? It’s complicated. You’d be right to say an exclamation sign cannot be part of a variable name. However, the ǃ
you see there is in fact not the everyday exclamation sign you know. It’s an obscure character that happens to be accepted as regular text by the JavaScript interpreter, and thus can be a valid part of a variable name
So while a programmer looks at line #4 and sees environment != ENV_PROD
, the JavaScript interpreter sees environmentǃ = ENV_PROD
There! I hope this is a compelling enough reason to not take copy-pasted code lightly. And I hope you see how typing code snippets yourself can save you from bugs that hide in plain sight!
Top comments (8)
Interesting... fell for the bug you pointed out. I think the bug comes more from a formatting issue. Linting tools like
eslint
should easily pick this up with approriate rules being setup. Also, copying and pasting code isn't a bad idea ... it becomes one when the dev lacks good foundations in the PL alongside the discipline to read others code and test it. As @bogdan Olteanu pointed out ... it has more than formatting issues.Suggestion: perhaps citing the sources for your post gives not only more credibility and also helps people interested in diving more into the subject.
I saw the exact same code snippet a while ago in another blog before, covering this even more in depth:
certitude.consulting/blog/en/invis...
I find hard to believe in such big similarities in the same problem domain.
Nevertheless, thanks for posting and helping in creating awareness about invisible characters.
Thanks, Erick. I'm going to make an edit
Someone in my local community shared this snippet of code and needed help finding the reason why the code didn't behave as expected
Typing out the code he shared worked as expected, so it's when I copy-pasted their code that the "bug" was reproduced. It inspired me to write this article, and I didn't ask for the source of their code snippet
Thanks for the link, by the way. Makes for interesting reading
That code has more than formatting issues.
True, but I also think that the poor formatting allows the impostor text to hide more easily.
I now believe that more than formatting, I prefer to have good syntax highlighting. If you look at the last image in the post, you can see a difference in highlighting of the
!
between the first and second linesAnyway, my intention was just to show the kind of thing a human eye would miss/overlook while copying code
Actually at the beginning I've read the code first before everything else and I didn't spot the mistake cuz of the font / color / size. took me some time to finally see it haha.
Yeah a good IDE setup makes the difference between wasted time and performance.
Yep, I read that and made the exact mistake you pointed out. It really does look like 'does not equal'. The question is - what about copy and pasting code your wrote yourself?
Well, most people trust themselves more than anyone else, so if you're going to copy and paste someone's code, it could as well be yours. But that is assuming you know for a fact that you don't routinely leave tricky code lying around for sport... It'd be harder to trust your old code