SQL Clone
SQLServerCentral is supported by Redgate
 
Log in  ::  Register  ::  Not logged in
 
 
 

Trust But Verify

By Steve Jones,

Npm is the default package manager for the Node.js runtime. Most of us have heard of of Javascript, which is used extensively in writing applications. When developers write code using this framework, they often include code from other packages and developers, just referring to the functions they need. This allows applications to build on the work of others, without having to re-implement functionality that is commonly used.

Many languages have libraries that are available for use, but most require that a developer download them, include them in their software and then publish the resulting software. In many node.js applications, the developer does some of this, but when they publish the application, the users pull down the versions of the packages that they need at that time. This allows developers to avoid including a lot of code in their applications, reducing file sizes, bandwidth, etc.

Recently an issue arose with a popular package that is included in many applications. I first noticed this on Twitter, then saw it called out in a Visual Studio User Group meeting and then even more online. A programmer made some helpful changes to the package and was given rights to make more by the maintainer. This user when altered the package to include some malware that would attempt to steal bitcoins from users that ran an application using the package.

This is much different than how our T-SQL code is structured, with all the code contained inside the database. There are some exceptions, but for the most part we can look at all the code that will be executed as a part of our batch. That doesn't mean that we aren't responsible for reviewing and checking out code.

This might not be easy in the Javascript world, but it should be easy(ier) for us. I know the warnings about testing code exist, but I'm always somewhat surprised when users ask questions on the SQLServerCentral forums, and then can't understand why simple code (select count(total) from mytable) doesn't work on their system because they don't have a mytable. That causes me to think that too few people actually look at code before they run it. If they don't check a 10-30 line set of code, do they ever check something as complex as Ola's script? Likely not.

Part of our duty as professionals is to be careful with code that we get from others, run it in a sandbox, test it, make sure this is code that will work well for us. Not many of us can download code from the web and have it run on our SQL Server without modification, but if we're asking questions on a forum, we might just do that. If the problem is complex and the code is large, we might not pay enough attention. As SQL Server expands to get code in R, Python, Java, and more, we may need to be more diligent in scanning code to look for problems such as data leakage.

Can you imagine getting some Python code from the web that should break strings apart into works and find out that somewhere in the complex class structures this code also sends a copy of your data to some malicious website? I can, and it's why I'd be very careful vetting code on the data platform.

 
Total article views: 36 | Views in the last 30 days: 1
 
Related Articles
ARTICLE

Packaged-Application Database Nightmares - A Horror Story

The business decides on a packaged application and buys it. After installation, you look at the sch...

ARTICLE

Developer Deployment Frustrations

SQL Server should work to make it easy for developers to work with it, and include versions like Exp...

FORUM

Running a Remote SSIS Package from the client Web application.

Running a Remote SSIS Package from the client Web application.

ARTICLE

Application Developers don’t own their data

As a data guy, I always smile when application developers refer to ‘their’ data. If only it were tha...

FORUM

Call SSIS package residing on DB Server from a web application ASP.NET residing on Web server

Call SSIS package residing on DB Server from a web application ASP.NET residing on Web server

Tags
editorial    
security    
 
Contribute