Article 4NB5V CodeSOD: A Devil With a Date

CodeSOD: A Devil With a Date

by
Remy Porter
from The Daily WTF on (#4NB5V)

Jim was adding a feature to the backend. This feature updated a few fields on an object, and then handed the object off as JSON to the front-end.

Adding the feature seemed pretty simple, but when Jim went to check out its behavior in the front-end, he got validation errors. Something in the data getting passed back by his web service was fighting with the front end.

On its surface, that seemed like a reasonable problem, but when looking into it, Jim discovered that it was the record_update_date field which was causing validation issues. The front-end displayed this as a read only field, so there was no reason to do any client-side validation in the first place, and that field was never sent to the backend, so there was even less than no reason to do validation.

Worse, the field had, at least to the eye, a valid date: 2019-07-29T00:00:00.000Z. Even weirder, if Jim changed the backend to just return 2019-07-29, everything worked. He dug into the validation code to see what might be wrong about it:

/** * Custom validation * * This is a callback function for ajv custom keywords * * @param {object} wsFormat aiFormat property content * @param {object} data Data (of element type) from document where validation is required * @param {object} itemSchema Schema part from wsValidation keyword * @param {string} dataPath Path to document element * @param {object} parentData Data of parent object * @param {string} key Property name * @param {object} rootData Document data */function wsFormatFunction(wsFormat, data, itemSchema, dataPath, parentData, key, rootData) { let valid; switch (aiFormat) { case 'date': { let regex = /^\d\d\d\d-[0-1]\d-[0-3](T00:00:00.000Z)?\d$/; valid = regex.test(data); break; } case 'date-time': { let regex = /^\d\d\d\d-[0-1]\d-[0-3]\d[t\s](?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d:\d\d)$/i; valid = regex.test(data); break; } case 'time': { let regex = /^(0[0-9]|1[0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]$/; valid = regex.test(data); break; } default: throw 'Unknown wsFormat: ' + wsFormat; } if (!valid) { wsFormatFunction['errors'] = wsFormatFunction['errors'] || []; wsFormatFunction['errors'].push({ keyword: 'wsFormat', dataPath: dataPath, message: 'should match format "' + wsFormat + '"', schema: itemSchema, data: data }); } return valid;}

When it starts with "Custom validation" and it involves dates, you know you're in for a bad time. Worse, it's custom validation, dates, and regular expressions written by someone who clearly didn't understand regular expressions.

Let's take a peek at the branch which was causing Jim's error, and examine the regex:

/^\d\d\d\d-[0-1]\d-[0-3](T00:00:00.000Z)?\d$/

It should start with four digits, followed by a dash, followed by a value between 0 and 1. Then another digit, then a dash, then a number between 0 and 3, then the time (optionally), then a final digit.

It's obvious why Jim's perfectly reasonable date wasn't working: it needed to be 2019-07-2T00:00:00.000Z9. Or, if Jim just didn't include the timestamp, not only would 2019-07-29 be a valid date, but so would 2019-19-39, which just so happens to be my birthday. Mark your calendars for the 39th of Undevigintiber.

buildmaster-icon.png [Advertisement] BuildMaster allows you to create a self-service release management platform that allows different teams to manage their applications. Explore how! TheDailyWtf?d=yIl2AUoC8zAJc92jgUVJAk
External Content
Source RSS or Atom Feed
Feed Location http://syndication.thedailywtf.com/TheDailyWtf
Feed Title The Daily WTF
Feed Link http://thedailywtf.com/
Reply 0 comments