CodeSOD: Random Comparison

Justin's co-worker needed to validate a UUID/GUID in C#. So they wrote this:

if (objectId == null || objectId.ToString() == (new Guid()).ToString())
        result = new Error(Error.ERR_REQUEST_INVALID);

The first thing to note here is that Guid objects in C# are non-nullable value types. That is to say, objectId cannot possibly be null. Oddly, you can still compare it against null, which is fine, but meaningless.

But that's not the worst thing here, as the second clause in that condition is… something.

If objectId happens to be the same as a new GUID converted to a string, this is an invalid request. Which, I suppose, is true: the odds of the input GUID matching a randomly generated GUID are so low that we'd need to assume we're living in the Matrix, that the heat death of the universe is rapidly approaching, or, probably more likely, that your random number generator is really bad.
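As an added example (not code from the original post), here is the validation the co-worker was presumably after, with the null and empty cases made explicit. The class and method names (`ObjectIdValidation`, `IsValid`, `TryParseObjectId`) and the sample id strings are assumptions for this example. One fact worth having beside the post: in C#, `new Guid()` is the struct's parameterless constructor and yields `Guid.Empty` (all zeros), while the randomly generated value comes from `Guid.NewGuid()`; the example prints both comparisons so the difference is visible.

```csharp
using System;

// Added example, not the original post's code. It assumes a request whose
// object id arrives either as a Guid? (nullable) or as raw text from the
// client; the post's Error type is out of scope here.
public static class ObjectIdValidation
{
    // Guid is a value type, so a plain Guid is never null. Model "absent"
    // explicitly with Guid? so the null check actually means something.
    public static bool IsValid(Guid? objectId)
    {
        // Reject a missing id and the all-zero id (Guid.Empty), which is
        // what an uninitialised or default(Guid) field would carry.
        return objectId.HasValue && objectId.Value != Guid.Empty;
    }

    // For ids received as text: accept only the canonical "D" layout
    // (8-4-4-4-12 hex digits with hyphens), then apply the same emptiness rule.
    public static bool TryParseObjectId(string text, out Guid objectId)
    {
        objectId = Guid.Empty;
        if (string.IsNullOrWhiteSpace(text))
            return false;
        return Guid.TryParseExact(text, "D", out objectId) && objectId != Guid.Empty;
    }

    public static void Main()
    {
        // new Guid() is the struct's default value, i.e. Guid.Empty;
        // Guid.NewGuid() is the randomly generated one.
        Console.WriteLine("new Guid() == Guid.Empty:     " + (new Guid() == Guid.Empty));
        Console.WriteLine("Guid.NewGuid() == Guid.Empty: " + (Guid.NewGuid() == Guid.Empty));

        Console.WriteLine("IsValid(null):          " + IsValid(null));
        Console.WriteLine("IsValid(Guid.Empty):    " + IsValid(Guid.Empty));
        Console.WriteLine("IsValid(Guid.NewGuid()): " + IsValid(Guid.NewGuid()));

        // Constructed sample inputs for the text path.
        string[] samples =
        {
            "00000000-0000-0000-0000-000000000000",   // the all-zero id
            "123e4567-e89b-12d3-a456-426614174000",   // canonical "D" layout
            "{123e4567-e89b-12d3-a456-426614174000}", // braced "B" layout
            "not-a-guid",                             // not a GUID at all
            ""                                        // blank input
        };
        foreach (string s in samples)
        {
            bool ok = TryParseObjectId(s, out Guid id);
            Console.WriteLine($"{s,-40} -> {(ok ? "valid " + id : "invalid")}");
        }
    }
}
```

Of the five constructed samples only the canonical one passes: the all-zero id fails the `Guid.Empty` rule, the braced form fails because `TryParseExact` with `"D"` accepts only the hyphenated layout, and the remaining two never parse. Pinning the accepted layout this way keeps the validator from quietly accepting the other formats `Guid.TryParse` would take (braces, parentheses, or the bare 32-digit "N" form), which matters when the id is later compared as a string.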


This post originally appeared on The Daily WTF.
