Andre has inherited a rather antique ASP .Net WebForms application. It's a large one, with many pages in it, but they all follow a certain pattern. Let's see if you can spot it.
protected void btnSearch_Click(object sender, EventArgs e)
{
ArrayList paramsRel = new ArrayList();
paramsRel["Name"] = txtNome.Text;
paramsRel["Date"] = txtDate.Text;
Session["paramsRel"] = paramsRel;
List<Client> clients = Controller.FindClients();
//Some other code
}
Now, at first glance, this doesn't look terrible. Using an ArrayList as a dictionary and frankly, storing a dictionary in the Session object is weird, but it's not an automatic red flag. But wait, why is it called paramsRel? They couldn't be… no, they wouldn't…
public List<Client> FindClients()
{
ArrayList paramsRel = (ArrayList)Session["paramsRel"];
string name = (string)paramsRel["Name"];
string dateStr = (string)paramsRel["Date"];
DateTime date = DateTime.Parse(dateStr);
//More code...
}
Now there's the red flag. paramsRel is how they pass parameters to functions. They stuff it into the Session, then call a function which retrieves it from that Session.
This pattern is used everywhere in the application. You can see that there's a vague gesture in the direction of trying to implement some kind of Model-View-Controller pattern (as FindClients is a member of the Controller object), but that modularization gets undercut by everything depending on Session as a pseudoglobal for passing state information around.
The only good news is that the Session object is synchronized so there's no thread safety issue here, though not for want of trying.
[Advertisement]
Keep all your packages and Docker containers in one place, scan for vulnerabilities, and control who can access different feeds. ProGet installs in minutes and has a powerful free version with a lot of great features that you can upgrade when ready.Learn more.
This post originally appeared on The Daily WTF.