Software quality at Microsoft

14 Sep 2017 in Rants

I'm a big fan of The Daily WTF and today this article popped out:


using System.Text;

// One static buffer shared by every call (not thread-safe).
static StringBuilder vsb = new StringBuilder();

// Despite the name, this escapes 'value' as a C# verbatim string literal
// (@"...") and performs no validation at all.
internal static string IsValidUrl(string value)
{
    if (value == null)
    {
        return "\"\"";            // null becomes the empty literal ""
    }
    vsb.Length = 0;               // reset the shared buffer
    vsb.Append("@\"");            // open the verbatim literal
    for (int i = 0; i < value.Length; i++)
    {
        if (value[i] == '\"')
            vsb.Append("\"\"");   // a quote is doubled inside @"..."
        else
            vsb.Append(value[i]); // every other character is copied through unchanged
    }
    vsb.Append("\"");             // close the literal
    return vsb.ToString();
}

The code, taken on its own, is just bad. But when placed into context, it gets worse. This isn’t just code. It’s part of .NET's System.Runtime.Remoting package.

The method is named IsValidUrl, but it returns a string. It doesn't do any validation! All it appears to do is take any arbitrary string and return that string wrapped as if it were a valid C# string literal.

This entire file has one key job: generating a class capable of parsing data according to an input WSDL file... by using string concatenation.
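To make the name/behaviour mismatch concrete, here is an added example (not code from the post or from .NET): a Python port of IsValidUrl next to a function that actually validates, run on a few constructed inputs. The scheme allowlist and the rejection of control characters are my own choices for what "valid URL" should mean when the value ends up in generated source.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: only web service endpoints


def dotnet_is_valid_url(value):
    """Port of the .NET IsValidUrl above: escapes for a C# verbatim literal, validates nothing."""
    if value is None:
        return '""'
    out = ['@"']
    for ch in value:
        out.append('""' if ch == '"' else ch)  # only '"' is special inside @"..."
    out.append('"')
    return "".join(out)


def is_valid_url(value):
    """A validator that deserves the name: True only for an absolute http(s) URL
    made of printable characters, so nothing odd can reach generated source."""
    if value is None:
        return False
    try:
        parts = urlsplit(value)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return False
    return all(ch.isprintable() for ch in value)


def compare(values):
    """Return (escaped_literal, really_valid) per input to show the two disagree."""
    return [(dotnet_is_valid_url(v), is_valid_url(v)) for v in values]


if __name__ == "__main__":
    # Constructed sample inputs: one real endpoint, two strings that are not URLs at all.
    samples = ["http://example.com/svc?wsdl", "not a url", 'say "hi"']
    for value, (literal, ok) in zip(samples, compare(samples)):
        print(f"{value!r:32} -> IsValidUrl gives {literal:28} really valid: {ok}")
```

Every input comes back as a well-formed C# literal, which is why the name misleads: the escaping is correct for that one context, but it is not validation.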

The real WTF is the fact that you can embed SOAP links in RTF files and Word will attempt to use them, thus running the WSDL parser against the input data. This is code that’s a little bad, used badly, creating an exploited zero-day.

The full source code is available at referencesource.microsoft.com, and I wonder about the software quality at the time this code was written. Apparently nobody reviewed this code.