Refactor all "Magic Numbers" in the baseline to use ESAPI.properties configurations #403
Comments
|
Using the regex |
|
What about hex-encoded ones? I know there are a few in the crypto, but I
think most of those need to be constants, not parameters.
…-kevin
--
Blog: http://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.
On Jul 29, 2017 13:11, "Matt Seil" ***@***.***> wrote:
Using the regex \(.*[0-9]+.*\) to find the rest of these.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#403 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AB3nmxh2x13K1SgxYAnfNsXNEMBjOlWdks5sS2engaJpZM4OZZ5h>
.
|
|
hardcoded numbers in crypto? :-D
|
|
LOL. Sssshhhh. You don't reveal magicians' secrets.
…-kevin
--
Blog: http://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.
On Jul 29, 2017 14:09, "Matt Seil" ***@***.***> wrote:
hardcoded numbers in crypto? :-D
[image: image]
<https://user-images.githubusercontent.com/9502785/28747207-6b1a23ce-744e-11e7-9abd-06b7146dca4c.png>
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#403 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AB3nm0DJq1Dr0QRJmE2JgcXHHZJuZ36zks5sS3VwgaJpZM4OZZ5h>
.
|
|
Besides, obviously not *my* code. I would have used 0x4 instead. Hex is
obviously more magical. ;-)
…-kevin
--
Blog: http://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.
On Jul 29, 2017 2:12 PM, "Kevin W. Wall" ***@***.***> wrote:
LOL. Sssshhhh. You don't reveal magicians' secrets.
-kevin
--
Blog: http://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.
On Jul 29, 2017 14:09, "Matt Seil" ***@***.***> wrote:
> hardcoded numbers in crypto? :-D
>
> [image: image]
> <https://user-images.githubusercontent.com/9502785/28747207-6b1a23ce-744e-11e7-9abd-06b7146dca4c.png>
>
> —
> You are receiving this because you commented.
> Reply to this email directly, view it on GitHub
> <#403 (comment)>,
> or mute the thread
> <https://github.com/notifications/unsubscribe-auth/AB3nm0DJq1Dr0QRJmE2JgcXHHZJuZ36zks5sS3VwgaJpZM4OZZ5h>
> .
>
|
|
Jokes aside, just to be clear, I maybe misnamed the issue. I'm hunting for any numbers that ought to be configurable.. not necessarily wrapped into well-named constants. looks at the codecs yeah, I'm fine with char values in there... |
|
I've run into a host of nasty issues with unit tests after refactoring the crypto classes. @kwwall , how much longer do you have on the crypto changes? |
|
Undo,. Please undo. More later.
…-kevin
--
Blog: http://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.
On Jul 30, 2017 03:07, "Matt Seil" ***@***.***> wrote:
I've run into a host of nasty issues with unit tests after refactoring the
crypto classes. @kwwall <https://github.com/kwwall> , how much longer do
you have on the crypto changes?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#403 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AB3nm7dZ4eGCWDm9pQhFhpUBSMnz1B6yks5sTCuhgaJpZM4OZZ5h>
.
|
|
Well, in regards to your email, I was scratching my head that the crypto unit tests were failing because they were grabbing Strings from the recommended (FWIW: I had planned on delaying the merge until after you had pushed your crypto changes, but it sounds like the wiser path is just to have you handle the deprecation when you're ready. ) |
|
Magic numbers are taken care of. Ditching the part of the ticket that tacked on removing deprecated methods. |
Also includes removing all deprecated security configuration calls.
The text was updated successfully, but these errors were encountered: