Caleb Cushing's blog

Log (CRLF) Injection with SLF4J

At my job we have a CIO installed policy of remediating issues found by a static analysis tool and what it finds are most targeted at finding security issues. Currently this tool is Veracode, and I don’t recommend it, it misses more problems than it finds, and what it finds, including this issue, are often false positives. Our most common issue, is CRLF (Carriage Return Line Feed) or other log injection, which we have mitigated in a custom log appender (which Veracode doesn’t recognize). Read more →

Falsehoods programmers believe about versions

given Jeff Atwoods recent blog post and an inspiration today for me to write a “falsehoods” about versions. If you’d like to contribute yours please feel free to send me a pull request, it’d be greatly appreciated. versions always increase versions are numbers versions are strings versions are semantic versions are decimals a major number of 1 or above means stable api versions with the same major number will have the same api versions have numbers, periods, and maybe a preceding v semantic is always the best way to go versions are consistent within a project semantic versions will never see double digits or triple digits within dots at least if you’re using a semantic version people can compare it correctly versions will be consistent amongst projects in a given language or community semantic versioning cannot be represented as number or decimal as long as the versions increase the length of the version doesn’t matter if versions have the same number they are equivalent in a given archive all code will have the same version semantic versions can only have 3 positions dates are bad for versions versions always increase by exactly one Read more →

Single Repository, one Aggregate

A Repository as defined in Domain Driven Design manages a single Aggregate. An aggregate may contain many entities, and value objects, but will have a single object as its root. Many of the Dao and even now some of the Repository implementations I see do not follow this, they are more likely to have a Repository per entity, than a Repository per aggregate, and of course in some cases this is required for various reasons. Read more →

Continuous Integration with Wercker and Maven

I’m going to walk you through getting mvn test running in wercker, on the new docker based api. First let’s talk about what Wercker is and why you’d want to use it. Wercker a continuous integration and deployment web application. It will all you to run any language or stack. It currently is free for both private and public repositories; I am hopeful that once it comes out of beta it will maintain reasonable pricing for small personal private projects (Most CI’s are ridiculously priced for hobby projects). Read more →

Premature optimization is not evil

Or rather people should stop saying this because most of the people that say it don’t actually seem to actually know what is meant by “Premature Optimization” or how to determine when it is evil. I’ve heard people say premature optimization is evil to asking. “Is there a 3rd party library that does this more efficiently?” (knowing if there are better options is premature optimization?), “Thinking about architecting your app for horizontal scalability is premature optimization” (it is if the design is significantly more complex, but if it’s just between using REST and ensuring stateless (which is about the same complexity up front, but it’d be harder to convert later)), “wanting to do Dependency Injection is. Read more →

10 ways of implementing Polymorphism

Firstly what is Polymorphism and why is it so important? Polymorphism is the ability to have a many implementations of a behavior that conform to a single interface. Put in perhaps slightly better, pragmatic terms, you have one implementations of a caller, that can operate on many implementations of a “parameter”, without conditionals, or changing the callers code. For instance the following, pseudo?, Perl 6-ism method handler( $obj ) { $obj. Read more →

REST, ROA, and HATEOAS often leads to bad webservice design

This is not to say that they are bad, but I find that all too frequently the resulting API’s are poorly designed due to forgetting one thing, RPC (Remote Procedure Call) is expensive. Now by RPC, I do not mean custom messaging formats such as SOAP, or XML-RPC, I mean calling a method on a remote server. Do not think that just because you are using HTTP as the message format with something like XML or JSON, that calling GET /resource, is significantly all that different from calling get_resource in a SOAP call. Read more →

Matching Hex characters in a Regex

I’ve noticed a common problem with regular expressions and Hex Characters, so I thought I’d blog about it. The most common way to regex a UUID, or SHA1 or some other hex encoded binary value is this (and I’ve seen this in Perl libraries and StackOverflow answers). [a-f0-9] or [A-F0-9] Neither of these are correct as Hex is case insensitive and both of these regex’s are. Hex is most commonly lowercase (unless you’re Data::UUID), but that’s an aesthetic, not a requirement. Read more →