What is the best way to prevent introduction of malicious code when using snippets, skins, etc.?

Obviously this is less of a problem with sites like StackOverflow; however, how often have you run into Malicious Code Snippets? I don't just mean careless or wrong. I mean actively malicious. For example, I have used Wordpress a lot lately for local charity groups who need a quick site. I've noticed an increasing number of skins for WP that contain inappropriate scripts in them.

I'm interested in knowing how widespread this is, and the most efficient ways of reviewing code to find hidden "features". In the case of something like a Wordpress skin, there can be quite a large amount of code in the background to be reviewed. Since the sites are for charity organizations, they are often not paying gigs, and I cannot afford to spend a huge amount of time poring over every plug-in/skin.
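One way to make the review the question asks about tractable is a first-pass triage that flags the constructs backdoored themes tend to rely on (eval of decoded blobs, request-controlled includes, hidden links), so a human reads those lines first. The following is an added example, not code from the question or any WordPress project; the indicator list, weights and the two footer.php samples are constructed.

```python
import re
from pathlib import Path

# Constructed triage heuristics for PHP/JS theme files: (label, regex, weight).
# A hit is a prompt to read that line by hand, not proof that the theme is malicious.
INDICATORS = [
    ("eval", re.compile(r"\beval\s*\("), 5),
    ("request-to-include", re.compile(r"\b(include|require)(_once)?\s*\(?\s*\$_(GET|POST|REQUEST|COOKIE)"), 5),
    ("preg_replace-e", re.compile(r"preg_replace\s*\(\s*['\"]/.*?/[a-z]*e[a-z]*['\"]"), 4),
    ("dynamic-code", re.compile(r"\b(create_function|assert)\s*\("), 3),
    ("hex-escapes", re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"), 3),
    ("decoder", re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("), 2),
    ("hidden-link", re.compile(r"display\s*:\s*none[^>]*>\s*<a\s", re.I), 2),
    # CDN scripts are common in honest themes, so a remote src alone scores low.
    ("remote-script", re.compile(r"<script[^>]+src\s*=\s*['\"]https?://", re.I), 1),
]

def scan_source(text, name="<inline>"):
    """Return one finding per (line, indicator) pair, with the 1-based line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern, weight in INDICATORS:
            if pattern.search(line):
                findings.append({"file": name, "line": lineno, "indicator": label, "weight": weight})
    return findings

def risk_score(findings):
    return sum(f["weight"] for f in findings)

def scan_theme_dir(root):
    """Walk an unpacked theme/plugin and return {path: findings} for files with hits."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in {".php", ".js", ".inc", ".html"}:
            hits = scan_source(path.read_text(errors="replace"), str(path))
            if hits:
                results[str(path)] = hits
    return results

# Constructed samples standing in for two footer.php files.
BENIGN_FOOTER = """<?php wp_footer(); ?>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
</body></html>"""

SUSPICIOUS_FOOTER = """<?php wp_footer(); ?>
<div style="display:none"><a href="http://example.invalid/">sponsored</a></div>
<?php eval(gzinflate(base64_decode('...'))); ?>
<?php if (isset($_REQUEST['t'])) { include($_REQUEST['t']); } ?>
</body></html>"""
```

Run `scan_theme_dir("/path/to/unpacked-theme")` on a downloaded skin and read the highest-scoring files first; the benign sample scores 1 (one CDN script) while the suspicious one scores 14 across four lines.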

+8  A: 

You have to. If you don't have time to review all of the code, you sure as heck don't have time to deal with the problems that can result from using it. It's that simple.

lod3n
It's a very valid point. And in the end, I probably don't have a problem spending the time, since it's my responsibility. To follow up though, where does that leave non-technical, or pseudo-technical users? Is there really nothing out there that says "this skin for xyz blog software is clean?"
Russell Steen
That sounds like a neat business idea.
lod3n
A: 

That's the case with free code snippets. If you use them in your product, I'd check them very carefully. If something goes wrong with the application, nobody will listen to your "It's not my code. I wouldn't write something like this." You use this code, so for your clear conscience you have to check the code. I wouldn't give some piece of code to my client without checking it.

Lukasz Lysik
The problem is that it's not a client. It's a case where someone is getting something for free. You're saying you wouldn't put up a WordPress site for your local (insert hobby here) group without doing a thorough code review on the widget? We're not talking about clients who are paying money for a product, or sites that would ever pull in tons of cash. We're talking about quick sites for social groups who don't have $x000+ to spend (or the desire to spend it, even if they did).
Russell Steen
+1  A: 

Either don't use them or make sure you understand exactly what they're doing!

ennuikiller