Just found this in production code:

var fa = new FileAsset
{
    Hash = tempFile.Hash,
    Length = tempFile.Length,
    CreatedOn = DateTime.UtcNow,
    Data = tempFile.Data,
    CompressedLength = tempFile.Length,
    Name = tempFile.FileName,
    CompressionScheme = CompressionSchemeType.None,
    CreatedBy = 666
};

So, some unsuspecting user whose Id happens to be 666 is now the owner of all those files. His name is Ashour, by the way. I guess this number was entered as a stub since it was not obvious to the author how to get the ID of the current user, and then was forgotten and made its way to production. Needless to say, this code has zero unit tests.
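One way to take the owner from the request instead of a constant, as an added example (not the production code from this post). `ICurrentUser`, `FileAssetFactory` and the trimmed `TempFile`/`FileAsset` shapes are assumptions made for illustration.

```csharp
using System;

// Stand-ins for the types in the snippet above (shapes assumed, trimmed to the relevant fields).
public sealed class TempFile
{
    public string FileName = "";
    public string Hash = "";
    public byte[] Data = Array.Empty<byte>();
    public long Length => Data.Length;
}

public sealed class FileAsset
{
    public string Name = "";
    public string Hash = "";
    public byte[] Data = Array.Empty<byte>();
    public long Length;
    public DateTime CreatedOn;
    public int CreatedBy;
}

// Hypothetical abstraction over "who is making this request".
public interface ICurrentUser
{
    int? UserId { get; }   // null when nobody is authenticated
}

public sealed class FileAssetFactory
{
    private readonly ICurrentUser _currentUser;
    public FileAssetFactory(ICurrentUser currentUser) => _currentUser = currentUser;

    public FileAsset FromTempFile(TempFile tempFile)
    {
        // Fail closed: no authenticated user means no asset, never a default owner.
        int owner = _currentUser.UserId
            ?? throw new InvalidOperationException("No authenticated user; refusing to assign an owner.");

        return new FileAsset
        {
            Name = tempFile.FileName,
            Hash = tempFile.Hash,
            Data = tempFile.Data,
            Length = tempFile.Length,
            CreatedOn = DateTime.UtcNow,
            CreatedBy = owner
        };
    }
}
```

A unit test that builds the factory with two different `ICurrentUser` stubs and asserts that `CreatedBy` follows each one fails immediately if the owner is ever a constant.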


  1. Maybe it was intended as the permissions bitmask (0666 is RW for everyone, but here it’s 666, not 0666)?


    1. Yes, this thought crossed my mind briefly. However, we are a Windows shop, we don’t use UNIX access masks.

