Maxi Contieri

Posted on Mar 10, 2022 • Edited on Mar 12, 2022 • Originally published at maximilianocontieri.com

Code Smell 120 - Sequential IDs

Most IDS are code smells. Sequential IDs are also a vulnerability

TL;DR: Don't expose obvious consecutive IDs.

Problems

Bijection Fault
Security Problems
Collisions

Solutions

Use non-obvious keys.
Use dark keys or UUIDs.

Context

IDs are a problem when dealing with domain objects.

IDs do not exist in the real-world so, they break our bijection.

We should only use IDs when exposing internal resources to the outer world beyond system boundaries.

These are always accidental problems and should not interfere with our models.

Sample Code

Wrong

class Book {
    private Long bookId; //book knows its ID
    private List<Long> authorIds; // book knows author IDs
}

Book harryPotter = new Book(1, {1, 2, 3});
Book cleanCode = new Book(2, {4});
Book donQuixote = new Book(3, {5});

//We can scrap from now one.

Right

class Author {    
    //.. Author protocol
}

class Book {    
    private List<Author> authors; // book knows authors
    // No strange behavior. just what a book can do
    // Real books don't know about IDs
    // ISBN is accidental to a book. Readers don't care
}

class BookResource {    
    private Book resource; // The resource knows the underlying book
    private id; //The id is the link we provide to external world
}

Book harryPotter = new Book({new Author('J. K. Rowling'));
Book cleanCode = new Book({'Robert Martin'})
Book donQuixote = new Book({'Miguel Cervantes'});

BookResource harryPotterResource = new BookResource(harryPotter, UUID.randomUUID());                             

//Books don't know they id. Just the resource does

Detection

[X] Automatic

We can use Pentesting techniques against our system to detect this smell.

Conclusion

In case we need to expose internal objects to the external world, we should use non-obvious IDs.

In this way, we can detect (and block) brute force attacks monitoring the traffic and 404 errors.

More Info

Credits

Photo by Max Bender on Unsplash

Thanks @davidkroell for the KSUID tip.

The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards.

Gene Spafford

Software Engineering Great Quotes

Maxi Contieri ・ Dec 28 '20

#codenewbie #programming #quotes #software

This article is part of the CodeSmell Series.

How to Find the Stinky parts of your Code

Maxi Contieri ・ May 21 '21

#codenewbie #tutorial #codequality #beginners

Top comments (2)

David Kröll • Mar 12 '22

Besides that, I really like KSUID (originally implemented in Go, but now available for many languages). These are k-sortable based on time, such when saving to database the entities are in historical order.

Maxi Contieri • Mar 12 '22

didn't know about them
Thanks for the tip!!

DEV Community