Many coders save time with the quick technique of copying and pasting snippets of code from crowd-sourcing ‘Q&A’ websites and forums like Stack Overflow. But is this procedure safe? Although most of the time it is fine, a new research paper opens the process to doubt.
In a study by computer scientists at Shiraz University, Iran, it was found that some of this code introduces bugs that compromise the security of the software its used in.
The problem, as a new study called An Empirical Study of C++ Vulnerabilities in Crowd-Sourced Code Examples defines it, is that some users of Stack Overflow are not qualified to know if code is safe or not. After analyzing real code from Stack Overflow, the researchers found a small, but still significant, number of examples of unsafe code copied from Stack Overflow over a ten-year period to 2018.
72,483 C++ code snippets were analyzed for weaknesses defined by the industry Common Weakness Enumeration (CWE) guidelines. 69 bugs were found, representing 29 different types of security flaw. Most often CWE-150 (‘Improper neutralization of space, meta, or control sequence’).
This sounds like a small percentage, but those 69 vulnerable snippets found their way into a total of 2,859 projects on the Microsoft-owned software development platform, GitHub.
It’s hardly news that vulnerable code is floating around on sites such as Stack Overflow. An academic paper from 2017 found that insecure code snippets from Stack Overflow had been copied and pasted into over a million Android applications on Google Play.
The researchers chose to look at C++, as this language remains popular for specialized programming tasks.
Crome extension
The researchers questioned whether Q&A code sharing is a good idea, suggesting it was better to learn secure coding rather than trusting sites like Stack Overflow completely.
But most developers are unlikely to stop using code sharing because of a few bad snippets. When the researchers alerted GitHub project developers that the borrowed data they had used was flawed, only some chose to fix the problem.
It may be that some coders are not bothered about using flawed or insecure code. Or accept the possibility as a small price to pay for the shortcuts it allows.
However, this may not be a problem much longer.
The researchers’ have developed a new tool to test code quality. This should be released once the research paper is publicized, in the form of a Chrome extension, which can be used to check copied code and shows an alert if the code is flawed:
”The extension then recommends similar, non-vulnerable code snippets from other Stack Overflow posts, so that the developer can reuse those safe code snippets instead of the vulnerable code snippets.”