Friday, February 8, 2019

Self @deprecation -- My life as a Javadoc comment

My current job for the past 5+ years involves doing security code reviews.

During the past 2 days, we have been having a lengthy conversation about how we map a third-party assessment finding for Server-Side Request Forgery (SSRF) to one of our team's categories...essentially a task of pounding a square peg into a round hole. A mini-debate ensued when a colleague asked for an example or two of SSRF, which I offered. That colleague then decided to write up a small code snippet to test one of our internal proprietary tools to see if he could get it to recognize SSRF. One of the lines from his example code snippet had this gem in it:

     request.getFromKevin("url");
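For anyone who has not seen one, here is what an SSRF sink in servlet-style Java looks like next to a hardened version of the same fetch. This is an added example, not code from the post, the email thread, or the internal tool mentioned above; the class and method names, the api.example.com / cdn.example.com allowlist, and the probe URLs are all assumptions made for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.Set;

// Added example (not from the original post). Class and method names and the
// allowlisted hosts are assumptions made for illustration. Requires Java 9+ (Set.of).
public class SsrfExample {

    // VULNERABLE: the caller's "url" parameter becomes the whole target. A user can
    // point the server at http://169.254.169.254/ (cloud metadata), at
    // http://localhost:8080/admin, at file:///etc/passwd, or at any internal host
    // the server can reach but the user cannot. This is the shape of the sink
    // a code reviewer (or a static analysis tool) is looking for.
    static InputStream fetchUnsafe(String userSuppliedUrl) throws IOException {
        return new URL(userSuppliedUrl).openStream();
    }

    // Hosts this service is allowed to fetch from (constructed for the example).
    static final Set<String> ALLOWED_HOSTS = Set.of("api.example.com", "cdn.example.com");

    // Static checks only (no network): returns the parsed URI if it passes,
    // otherwise throws with the reason it was rejected.
    static URI validate(String userSuppliedUrl) throws IOException {
        URI uri;
        try {
            uri = new URI(userSuppliedUrl);
        } catch (URISyntaxException e) {
            throw new IOException("malformed URL");
        }
        // Only https; this also blocks file:, ftp:, gopher:, jar:, etc.
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            throw new IOException("scheme not allowed: " + uri.getScheme());
        }
        // Reject user@host forms such as https://api.example.com@169.254.169.254/
        if (uri.getUserInfo() != null) {
            throw new IOException("userinfo not allowed");
        }
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase())) {
            throw new IOException("host not allowed: " + host);
        }
        int port = uri.getPort();
        if (port != -1 && port != 443) {
            throw new IOException("port not allowed: " + port);
        }
        return uri;
    }

    // HARDENED: allowlist the destination, refuse non-public addresses, and do
    // not follow redirects (a redirect from an allowed host to an internal one
    // is the classic way around a host allowlist).
    static InputStream fetchSafe(String userSuppliedUrl) throws IOException {
        URI uri = validate(userSuppliedUrl);
        // Defense in depth: even an allowlisted name should not resolve to a
        // loopback, link-local, or RFC 1918 address. Note this is a
        // time-of-check/time-of-use check: openConnection() resolves the name again.
        for (InetAddress addr : InetAddress.getAllByName(uri.getHost())) {
            if (addr.isLoopbackAddress() || addr.isLinkLocalAddress()
                    || addr.isSiteLocalAddress() || addr.isAnyLocalAddress()) {
                throw new IOException("host resolves to a non-public address");
            }
        }
        HttpURLConnection conn = (HttpURLConnection) uri.toURL().openConnection();
        conn.setInstanceFollowRedirects(false);
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        return conn.getInputStream();
    }

    // Shows what the static checks reject; no network access needed.
    public static void main(String[] args) {
        String[] probes = {
            "http://169.254.169.254/latest/meta-data/",  // scheme not allowed
            "file:///etc/passwd",                        // scheme not allowed
            "https://localhost:8080/admin",              // host not allowed
            "https://api.example.com@169.254.169.254/",  // userinfo not allowed
            "https://api.example.com:8443/",             // port not allowed
            "https://api.example.com/v1/status"          // passes static checks
        };
        for (String p : probes) {
            try {
                validate(p);
                System.out.println("ACCEPT " + p);
            } catch (IOException e) {
                System.out.println("REJECT " + p + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The host allowlist is the control that actually closes the hole; the scheme, userinfo, port, and resolved-address checks and the disabled redirects are there to stop the usual ways around a weaker filter. A denylist of private IP ranges on its own is not enough, because redirects, DNS answers that change between check and use, and alternate encodings of the same address all get past it.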

My Reply

For some reason—perhaps simply in an attempt to put the seemingly endless email thread to bed—I decided to poke fun at myself in a self-deprecating way. Here was my response to the email. (It's probably too long, and no one will read it though. :)

Wait, what? HttpServletRequest.getFromKevin(String) ???  I want to see the Javadoc for that one.

It probably reads something like:

getFromKevin
String getFromKevin(String url)
A promising-sounding method that in fact does nothing, much like Kevin. In fact, the url parameter is completely ignored and the contents of /dev/urandom are read for 3GB or until the application crashes, whichever comes first. This method is used to simulate reading Kevin’s random babble that he posts to simple Yes/No questions and instead forces you to drink from a fire hose until your insides burst.
Parameters:
url - a String which is ignored, just like we try to do with Kevin
Returns:
a String containing random babble or a PleaseMakeHimStopException is thrown if the application runs out of memory trying to process the request

Anyway, let me know what you think. For those who are familiar with my TL;DR tendencies, you're probably thinking this fits me to a tee.

-kevin
P.S.- Follow me on Twitter @KevinWWall and RT if you enjoyed this. (Of course, others are saying "No, no. Don't encourage him or he will never shut up.")