Wednesday, April 29, 2009

I don't know what it's called, but I like it

I've recently started using JetBrains' Resharper. Today I was reviewing the code inspection rules and came across a few that had to do with using an operator with which I was unfamiliar. So I took a moment to learn about the ?? operator (link) which must have come out with the .NET 2.0 framework because it has to do with nullable types.

What it does is kind of like the old IsNull method from VB (you remember VB don't you?). Here's an example in two lines:

int? x = null;

int y = (null != x) ? x : -1;

The first line declares a nullable int variable named x which is assigned null.
The second line declares a non-nullable int variable named y. Because it's not nullable we've got to ensure a null value isn't being assigned (otherwise we'll raise an exception). To do this we're using the ternary operator. What the ?? operator does is allow us to write the second line like this:

int y = x ?? -1;

So if x is null y is set to -1. Nice, right? Especially if you replace x and y with more meaningful variable names, such as this:

int? someMeaningfulName = null;

int whatYouReallyWant = someMeaningfulName ?? -1;

Or, more common in my current job, getting values from a web form or querystring:

int desiredFormId = 0;

if (null != Request.Form["Activate_FormId"]) {
desiredFormId = Request.Form["Activate_FormId"];

can become:

int desiredFormId = Request.Form["Activate_FormId"] ?? 0;

Now if I could just figure out how to pronouce this operator I can tell people about it.

Monday, April 27, 2009

Mitigating web.config security vulnerabilities through scripting

After reading this post, .Net and Business Intelligence: Application Security Vulnerabilities in Web.config File, what occurred to me was all this could be mitigated by employing a strategy I refer to as composition scripting.

While I've done a bit with build automation I've also created NAnt scripts that I refer to as composition scripts. The purpose of a composition script is to automate all the tasks required to prepare an application for deployment. I've used them to create ClickOnce deployments, but for web applications a composition script generally grabs all the pages and binaries needed. But in addition to that, and this is the relevant bit, I make use of the XmlPeek and XmlPoke tasks to swap out web.config tags to use configuration values appropriate for the environment being composed.

You see, my script accepts a parameter called Target.Environment. The acceptable values for that parameter are QA, UAT, PROD - quality assurance, user acceptance testing and production, respectively. (Where's development, you may ask? Well, that's the default state of the web.config in the source code repository). Along side the web.config I have a few files named, web.config.uat and These are not repeats of the entire web.config file, though, but rather are the configuration values that need to change from environment to environment. These are the values swapped into the config using XmlPeek and XmlPoke.

Note: I believe a composition script should not recompile the application. It should compose the application deployment using the same pages and binaries as the application progresses from QA testing to UA testing and into production. This ensures the application being deployed is the same application which underwent testing.

So using composition scripts it's easy to mitigate the 10 security risks identified in the article.

Tuesday, April 14, 2009

Note to self... always read the instructions

I'm in the process of setting up a build machine at work. I firmly believe any shop doing production code with multiple developers needs to have both a source code repository (I like Subversion) and a build machine (sometimes called an integration server). I'm setting our build machine up to use CruiseControl.NET for our integration server. I used it at my last place, it's free and I like it. Since I'm the one doing the set up I get to decide.

It's good to be the king.

Anyway, I didn't install the OS, framework and all that on this box so was getting frustrated that I couldn't get the CC.NET web dashboard working. Turns out if I only read the FAQ I would have seen the first item talks about what to do if IIS gets installed after the .NET framework. Running the aspnet_regiis.exe as that document suggests fixed my problem. That's an hour or so of my life I would like back.

RTFM, indeed.