DEV Community

Cover image for A Good Reason to NOT Copy and Paste Code
Glenn Faison
Glenn Faison

Posted on • Edited on

A Good Reason to NOT Copy and Paste Code

Many beginners are advised to “type code yourself instead of copy-pasting” because it enables one to internalize the process and the code more quickly. But as programmers gain more experience and attain the level where they need to get things done rather than ensure they learn, they get comfortable with CTRL+C, CTRL+V from Stack Overflow and other sources. As an experienced developer, I recently saw first-hand why I should never copy and paste any code I found online (or anywhere, for that matter)

Consider the code below (see https://certitude.consulting/blog/en/invisible-backdoor/):

const [ ENV_PROD, ENV_DEV ] = [ 'PRODUCTION', 'DEVELOPMENT'];
const environment = 'PRODUCTION';
function isUserAdmin(user) {
    if(environmentǃ=ENV_PROD){
        return true;
    }
    return false;
}
isUserAdmin();
Enter fullscreen mode Exit fullscreen mode

Looks benign, right? And we would expect this code to always return false, yes? Unfortunately, no. Now open a browser console, copy this code, and paste in the console. You may be shocked that it returns true. Copying the above code into a browser console gives us an unexpected result!

To cut the long story short, what looks like a loose inequality check on line #4, is deceptively an assignment operation, which reads like (environmentǃ = ENV_PROD)! In JavaScript, assignment operations return the assigned value, which in this case is truthy (will be treated as true wherever a boolean value is expected) Here we have an assignment, rather than an inequality check

But isn’t environmentǃ an invalid variable name in JavaScript, you ask? It’s complicated. You’d be right to say an exclamation sign cannot be part of a variable name. However, the ǃ you see there is in fact not the everyday exclamation sign you know. It’s an obscure character that happens to be accepted as regular text by the JavaScript interpreter, and thus can be a valid part of a variable name

So while a programmer looks at line #4 and sees environment != ENV_PROD, the JavaScript interpreter sees environmentǃ = ENV_PRODSome insight into how this bug hides in plain sight

There! I hope this is a compelling enough reason to not take copy-pasted code lightly. And I hope you see how typing code snippets yourself can save you from bugs that hide in plain sight!

Top comments (8)

Collapse
 
ivenpoker profile image
Happi Yvan

Interesting... fell for the bug you pointed out. I think the bug comes more from a formatting issue. Linting tools like eslint should easily pick this up with approriate rules being setup. Also, copying and pasting code isn't a bad idea ... it becomes one when the dev lacks good foundations in the PL alongside the discipline to read others code and test it. As @bogdan Olteanu pointed out ... it has more than formatting issues.

Collapse
 
erickwilder profile image
Erick Wilder

Suggestion: perhaps citing the sources for your post gives not only more credibility and also helps people interested in diving more into the subject.

I saw the exact same code snippet a while ago in another blog before, covering this even more in depth:

certitude.consulting/blog/en/invis...

I find hard to believe in such big similarities in the same problem domain.

Nevertheless, thanks for posting and helping in creating awareness about invisible characters.

Collapse
 
glennfaison profile image
Glenn Faison

Thanks, Erick. I'm going to make an edit
Someone in my local community shared this snippet of code and needed help finding the reason why the code didn't behave as expected
Typing out the code he shared worked as expected, so it's when I copy-pasted their code that the "bug" was reproduced. It inspired me to write this article, and I didn't ask for the source of their code snippet

Thanks for the link, by the way. Makes for interesting reading

Collapse
 
bogdaniel profile image
Bogdan Olteanu

That code has more than formatting issues.

Collapse
 
glennfaison profile image
Glenn Faison

True, but I also think that the poor formatting allows the impostor text to hide more easily.
I now believe that more than formatting, I prefer to have good syntax highlighting. If you look at the last image in the post, you can see a difference in highlighting of the ! between the first and second lines
Anyway, my intention was just to show the kind of thing a human eye would miss/overlook while copying code

Collapse
 
bogdaniel profile image
Bogdan Olteanu

Actually at the beginning I've read the code first before everything else and I didn't spot the mistake cuz of the font / color / size. took me some time to finally see it haha.
Yeah a good IDE setup makes the difference between wasted time and performance.

Collapse
 
astorrer profile image
Aaron Storrer

Yep, I read that and made the exact mistake you pointed out. It really does look like 'does not equal'. The question is - what about copy and pasting code your wrote yourself?

Collapse
 
glennfaison profile image
Glenn Faison

Well, most people trust themselves more than anyone else, so if you're going to copy and paste someone's code, it could as well be yours. But that is assuming you know for a fact that you don't routinely leave tricky code lying around for sport... It'd be harder to trust your old code