<a href="https://colab.research.google.com/github/wjtopp3/CSIT-2033/blob/main/CSIT_2033_Week_3.ipynb" target="_parent"><img src="https://colab.research.google.com/assets/colab-badge.svg" alt="Open In Colab"/></a>

# 3. Secure Coding Basics


# Coding Style
- Good coding style is essential because it promotes clear, consistent, and readable code, making it easier to spot logic errors, unintended behavior, and security flaws during development and review.

# GotoFail: A Case Study in Style-Related Vulnerabilities
The **goto fail** bug was a critical security flaw in Apple’s SSL/TLS implementation (discovered in 2014)
  - It was caused by a duplicate goto statement in the C code.
  - The defect caused a certificate validation operation to prematurely exit, allowing attackers to impersonate secure websites and intercept encrypted communications.


```
if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
    goto fail;
if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
    goto fail;
    goto fail;  // <- This accidental second 'goto fail;' is the bug
if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
    goto fail;
```


# PEP 8 and Python Style Guidelines

- A Python Enhancement Proposal (PEP) describes a new feature, process, or  guideline for the Python community.
  - PEPs provide a structured way to propose, discuss, and document changes to the language.
    - PEP 1 (https://peps.python.org/pep-0001/) was written in March 2000 and defines what PEPs are for and how they should be used.
    - PEPs 2–7 set guidelines for Python's development, including the PEP index and workflow (PEP 2), PEP guidelines for informational proposals (PEP 3), procedures for Python releases (PEP 4 and 6), deprecation policy (PEP 5), and how to submit patches (PEP 7).
    - PEP 8 (https://peps.python.org/pep-0008/) provides Python coding style guidelines for maintainable code
  - As instructors of introductory programming courses, we have the opportunity to teach the need for code style discipline and best practices early in a student's learning journey.
  - By teaching established and consistent conventions we can help students develop habits that lead to more reliable and professional software.



# Guidelines

- These guidelines emphasize code readability and foster a mindset that prioritizes security and maintainability—critical skills for aspiring developers.

1. Formatting for Readability and Maintainability
2. Naming Conventions
3. Module Imports
4. Documentation and Comments

# Formatting for Readability and Maintainability

- Consistent Indentation (https://peps.python.org/pep-0008/#indentation)
  - Use 4 spaces (not tabs) per indentation level to avoid confusion that could lead to logical errors.
- Maximum Line Length (https://peps.python.org/pep-0008/#maximum-line-length)
  - 79 characters prevents the need for horizontal scrolling, making it easier to audit code for security flaws.



# Naming Conventions
- https://peps.python.org/pep-0008/#naming-conventions
- Use meaningful names for variables, functions, and classes.
- Avoid **shadowing**
  - Shadowing occurs when a local variable or function name in your code overrides a built-in name, making the original built-in temporarily inaccessible.
  - Don't use names that overwrite Python built-ins (e.g., don’t name a variable **id**, **list**, or **sum**).
- Use CAPITALIZED_NAMES for constants that shouldn’t be modified.

In [None]:
# shadowing and constants

TAX_RATE = 0.07 # FL sales tax, won't change without legislation
sum = 10  # Overwrites the built-in sum function

numbers = [1, 2, 3]
total = sum(numbers)

del sum # fixes it, comment out previous line first
total = sum(numbers)
print(total)

print(total + (1 + TAX_RATE))

# Module Imports

# 🛠️ Hands-On: Demonstrating Wildcard Import Issues
- Avoid wildcard imports

```
    from module import *
```

- This can introduce unintended variables and functions into the namespace, leading to unpredictable behavior.

In [None]:
# Create two module files dynamically with conflicting function names

# First module: math_tools with an add() function
# that performs numerical addition
with open('math_tools.py', 'w') as f:
    f.write("""
def add(x, y):
    return x + y
""")

# Second module: string_tools with an add() function
# that performs string concatenation
with open('string_tools.py', 'w') as f:
    f.write("""
def add(x, y):
    return x + " " + y
""")

# Import all contents from math_tools using wildcard import
from math_tools import *
print("Imported math_tools")
# Show memory address of the current add() function
print("id(add) after math_tools import:", id(add))

# Import all contents from string_tools — this silently
# overwrites the previous add()
from string_tools import *
print("Imported string_tools")
 # Show memory address has change — function was overwritten
print("id(add) after string_tools import:", id(add))

# Test which 'add' function is currently in scope
# (hint: it's the one from string_tools).
print("\nTesting add(2, 3):")
try:
    # Will raise a TypeError because string concatenation expects strings
    result = add(2, 3)
    print("Result of add(2, 3):", result)
except Exception as e:
    # Catch error caused by conflicting function definitions
    print("Error:", e)

# Clean up: delete dynamically created module files
import os
os.remove('math_tools.py')
os.remove('string_tools.py')
