DEV Community

Cover image for Code Smell 262 - Not Replaced Constants
Maxi Contieri
Maxi Contieri

Posted on • Originally published at maximilianocontieri.com

Code Smell 262 - Not Replaced Constants

#webdev #beginners #programming #security

Yet Another Security Code Smell Because Nobody Ever Reads the Documentation

TL;DR: Ignoring constant replacement leads to severe security risks.

Problems

  • Vulnerable endpoints

  • Lack of Testing

  • Documentation Nobody Reads

Solutions

  1. Enforce constant key replacement

  2. Audit upstream vendors

  3. Automate security checks

  4. Enforce your Documentation with tests

  5. Use invalid defaults to ensure they are always replaced

Context

A major security flaw, PKfail, persisted unnoticed for 12 years, compromising hundreds of devices.

The vulnerability stems from vendors failing to replace a "DO NOT TRUST" Secure Boot master key, a critical step that was neglected despite clear instructions.

This oversight left countless devices open to exploitation, allowing threat actors to bypass security measures and install malicious software.

Sample Code

Wrong 

fn generate_pk() -> String {
    "DO NOT TRUST".to_string()
}

// Vendor forgets to replace PK
fn use_default_pk() -> String {
    let pk = generate_pk();
    pk // "DO NOT TRUST" PK used in production
}
Enter fullscreen mode Exit fullscreen mode

Right 

fn generate_pk() -> String {
    "DO NOT TRUST".to_string()
    // The documentation tells vendors to replace this value
}

fn use_default_pk() -> String {
    let pk = generate_pk();

    if pk == "DO NOT TRUST" {
        panic!("Error: PK must be replaced before use.");
    }

    pk // Valid PK used in production
}
Enter fullscreen mode Exit fullscreen mode

Detection

[X] Automatic

You can detect this smell by checking for default values that must be replaced before deployment.

Tools like static analyzers and manual code reviews help you identify hardcoded or placeholder keys that should be updated.

Tags

  • Security

Level

[X] Intermediate

AI Generation

AI generators might create this smell unless instructed for context-specific security steps.

You must provide clear instructions to ensure proper key replacement.

AI Detection

AI tools can catch this smell with rules that flag placeholder values through testing and reviews.

Conclusion

Ignoring crucial steps in the security process, such as replacing default keys, can lead to severe vulnerabilities.

This long-lasting flaw emphasizes the need for diligent security practices.

Replace all your documentation with acceptance tests.

Relations

mcsee

Code Smell 02 - Constants and Magic Numbers

Maxi Contieri ・ Oct 21 '20

#beginners #codenewbie #100daysofcode #codequality
mcsee

Refactoring 011 - Replace Comments with Tests

Maxi Contieri ・ Apr 23 '23

#webdev #beginners #programming #tutorial

More Info

Tech Radar

Disclaimer

Code Smells are my opinion.

Credits

Photo by Jason Leung on Unsplash

It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.

Stephane Nappo

mcsee

Software Engineering Great Quotes

Maxi Contieri ・ Dec 28 '20

#codenewbie #programming #quotes #software

This article is part of the CodeSmell Series.

mcsee

How to Find the Stinky parts of your Code

Maxi Contieri ・ May 21 '21

#codenewbie #tutorial #codequality #beginners

Top comments (0)

Read next

airtucha profile image

Book: Learning JavaScript Design Patterns

Alexey Tukalo -

robort_smith profile image

Selenium 3 vs Selenium 4: What’s New and Improved in Test Automation

Robort -

poornima545 profile image

Getting started with react

Poornima Gowda -

vdelitz profile image

Payment Passkeys @ Mastercard: Revolution for Payment Security

vdelitz -