Among people learning to program, and some more experienced software developers, it is common practice to copy and paste code snippets from Stack Overflow, the question-and-answer forum for coding problems.
There is even a fake O'Reilly-style book cover, "Copy and paste from Stack Overflow", that pokes fun at the practice, which turns out to be not only lazy but also a security risk.
In a research paper posted to the arXiv preprint service, six computer scientists from Shiraz University, Iran, Polytechnique Montréal, Quebec, Canada, and Chamran University, Iran – Morteza Verdi, Ashkan Sami, Jafar Akhondali, Foutse Khomh, Gias Uddin and Alireza Karami Motlagh – say they examined more than 72,000 C++ code snippets in 1,325 Stack Overflow posts and found 69 vulnerable snippets of 29 different types.
That is not much in absolute terms, but those 69 vulnerable snippets appear in 2,589 GitHub projects. The researchers say they notified the authors of the affected projects, and some, but not all, chose to fix the flaws, which correspond to known CWEs.
The paper, "An empirical study of C++ vulnerabilities in multi-source code examples", is under review for possible publication in the journal IEEE Transactions on Software Engineering.
In a telephone interview with The Register, Ashkan Sami, associate professor of computer science, engineering and information technology at Shiraz University in Iran, said the research is an attempt to trace how faulty code travels from Stack Overflow to GitHub.
"Basically, what we are trying to show is that using Stack Overflow without carefully checking it can generate potential vulnerabilities within applications," Sami said.
The research echoes a 2017 academic paper that found 1,161 insecure code snippets published on Stack Overflow had been copied and pasted into 1.3 million Android applications available on Google Play.
The boffins relied on a Stack Overflow data set, SOTorrent version 2018-09-23. It covers posts from 2008 to 2018 and contains some duplicate code snippets.
The researchers chose to focus on C++ because it is popular, particularly for resource-constrained embedded programs and for large distributed systems. They argue that vulnerabilities in such systems can have a significant impact.
The most frequently found CWEs were CWE-1006 (Bad Coding Practices), CWE-754 (Improper Check for Unusual or Exceptional Conditions) and CWE-20 (Improper Input Validation).
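As an added illustration of the two most common weakness types named above (this is example code written for this article, not a snippet from the paper or from Stack Overflow), here is the kind of "it works in the answer" C++ fragment that parses a number or copies a string without checking anything, next to a version that reports errors and validates its input. The function names and the 16-byte buffer size are assumptions chosen for the example.

```cpp
#include <cerrno>
#include <cstdlib>
#include <cstring>
#include <iostream>
#include <optional>

// Typical copy-paste style snippet: parses a port number with atoi().
// atoi() gives no error signal (CWE-754), and the result is used without
// range checking (CWE-20): "99999" and "abc" both silently become "valid" values.
int parse_port_unchecked(const char* text) {
    return std::atoi(text);
}

// Hardened version: strtol() with errno and end-pointer checks, then range validation.
// Returns std::nullopt instead of a plausible-looking garbage value.
std::optional<int> parse_port_checked(const char* text) {
    if (text == nullptr || *text == '\0') return std::nullopt;
    errno = 0;
    char* end = nullptr;
    long value = std::strtol(text, &end, 10);
    if (errno == ERANGE) return std::nullopt;             // overflow reported by strtol
    if (end == text || *end != '\0') return std::nullopt; // no digits, or trailing junk
    if (value < 1 || value > 65535) return std::nullopt;  // outside the valid port range
    return static_cast<int>(value);
}

// Bounded copy into a fixed buffer: rejects input that would not fit
// rather than overflowing (the classic strcpy() snippet) or truncating silently.
bool copy_name_checked(char (&dst)[16], const char* src) {
    if (src == nullptr) return false;
    std::size_t len = std::strlen(src);
    if (len >= sizeof dst) return false;
    std::memcpy(dst, src, len + 1);  // len + 1 copies the terminating NUL
    return true;
}

// Helper for testing: does src survive a checked copy into a 16-byte buffer intact?
bool name_fits_buffer(const char* src) {
    char buf[16];
    return copy_name_checked(buf, src) && std::strcmp(buf, src) == 0;
}

int main() {
    const char* inputs[] = {"8080", "99999", "abc", "80x", "0"};  // constructed sample inputs
    for (const char* in : inputs) {
        auto checked = parse_port_checked(in);
        std::cout << '"' << in << "\": unchecked=" << parse_port_unchecked(in)
                  << " checked=" << (checked ? std::to_string(*checked) : "rejected") << '\n';
    }
    std::cout << "short name fits: " << name_fits_buffer("alice") << '\n';
    std::cout << "long name fits: " << name_fits_buffer("a-name-that-is-far-too-long") << '\n';
    return 0;
}
```

The point is not the specific functions but the habit: a snippet lifted from an answer usually demonstrates the happy path only, and the missing error and range checks are exactly what the CWE-754 and CWE-20 findings describe.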
"Stack Overflow is just about asking and answering questions, and a lot of the time when developers respond to give an answer, they may not be adequately educated in terms of security, or they assume that those who ask questions will know what to do," said Gias Uddin, a PhD in computer science from McGill University who currently works in the technology industry. "But that's not a good guess."
Sami expressed similar feelings. "People who are using Stack Overflow should not fully trust it," he said. "It's better for programmers to do it the hard way and learn secure coding."
Even so, the researchers developed a Chrome extension to help developers take security into account when copying and pasting code snippets. The extension checks copied code against the CWE database and raises an alert if the snippet is defective. Uddin said the plan is to release it when the paper is formally published.
Uddin said he hopes this research not only improves the quality of the answers on Stack Overflow, but also reminds developers that code shared on social platforms has flaws. ®