Code Smell 120 — Sequential IDs

Most IDs are code smells. Sequential IDs are also a vulnerability.

Photo by Max Bender on Unsplash

Problems

Solutions

  1. Use non-obvious keys.
  2. Use dark keys or UUIDs.

Context

Sample Code

Wrong

import java.util.List;

class Book {
    private final Long bookId;          // book knows its ID
    private final List<Long> authorIds; // book knows author IDs

    Book(Long bookId, List<Long> authorIds) {
        this.bookId = bookId;
        this.authorIds = authorIds;
    }
}
Book harryPotter = new Book(1L, List.of(1L, 2L, 3L));
Book cleanCode = new Book(2L, List.of(4L));
Book donQuixote = new Book(3L, List.of(5L));
// We can scrape from now on: every id is the previous one plus one.

Right

import java.util.List;
import java.util.UUID;

class Author {
    private final String name;
    Author(String name) { this.name = name; }
    // .. Author protocol
}

class Book {
    private final List<Author> authors; // book knows authors
    // No strange behavior, just what a book can do
    // Real books don't know about IDs
    // ISBN is accidental to a book. Readers don't care
    Book(List<Author> authors) { this.authors = authors; }
}

class BookResource {
    private final Book resource; // The resource knows the underlying book
    private final UUID id;       // The id is the link we provide to the external world
    BookResource(Book resource, UUID id) {
        this.resource = resource;
        this.id = id;
    }
}

Book harryPotter = new Book(List.of(new Author("J. K. Rowling")));
Book cleanCode = new Book(List.of(new Author("Robert Martin")));
Book donQuixote = new Book(List.of(new Author("Miguel Cervantes")));
BookResource harryPotterResource = new BookResource(harryPotter, UUID.randomUUID()); // Books don't know their id. Just the resource does
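An added example, not code from the original post, of the boundary object the Right sample describes: the catalog mints a random (version 4) UUID handle when a book is published and resolves handles back to books, so the domain object never carries an id. BookCatalog, publish and find are assumed names, and Book is a minimal record standing in for the post's Book class. Time-based (version 1) UUIDs embed a timestamp and node address and are therefore guessable, which is why the code checks the version of the UUID it hands out.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.UUID;

// Assumed stand-in for the post's Book: it knows its authors, not an id.
record Book(List<String> authors) {}

// Boundary object: the only place an identifier exists.
final class BookCatalog {
    private final Map<UUID, Book> byHandle = new HashMap<>();

    // Publish a book and mint its external handle. UUID.randomUUID() returns a
    // version-4 UUID drawn from a secure random source, so one handle cannot be
    // derived from publication order or from any other handle.
    UUID publish(Book book) {
        UUID handle = UUID.randomUUID();
        if (handle.version() != 4) { // refuse a non-random (e.g. time-based) UUID
            throw new IllegalStateException("expected a random (v4) UUID");
        }
        byHandle.put(handle, book);
        return handle;
    }

    // Unknown handles resolve to empty; the caller learns nothing about neighbouring ids.
    Optional<Book> find(UUID handle) {
        return Optional.ofNullable(byHandle.get(handle));
    }

    public static void main(String[] args) {
        BookCatalog catalog = new BookCatalog();
        UUID first = catalog.publish(new Book(List.of("J. K. Rowling")));
        UUID second = catalog.publish(new Book(List.of("Robert Martin")));
        System.out.println(first + " found: " + catalog.find(first).isPresent());
        System.out.println(second + " found: " + catalog.find(second).isPresent());
        // A freshly generated UUID is not a published handle and resolves to empty.
        System.out.println("unknown found: " + catalog.find(UUID.randomUUID()).isPresent());
    }
}
```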

Detection

Tags

  • Security

Conclusion

More Info

Maximiliano Contieri

I’m a senior software engineer specialized in declarative designs. S.O.L.I.D. and agile methodologies fan. Maximilianocontieri.com