JSLint.VS2010: Automatic JavaScript Static Analysis

Recently, I was working on a project that used some asynchronous JSON-to-HTML databinding. Testers sent a bug that the site was working in Chrome, Firefox, Safari and IE9 but nothing was happening in IE8. The IE8 JavaScript debugger didn’t report any errors, it just didn’t do anything.

This sort of thing is no fun to debug and I spent an increasingly desperate evening staring at code that couldn’t possibly be wrong, failing to see the problem. Eventually, in desperation, I pasted the code into Douglas Crockford’s jslint and it quickly pointed out a stray comma which made all the difference.

I later discovered that there is a jslint extension available for Visual Studio 2010.


The really cool thing about the JSLint Visual Studio extension is that it reports its warnings and errors into the Visual Studio Error List window where they work just like other code errors. Even better, it has the option to cancel the build on error. That means if jslint finds an error, the project build dies. In my world, this is fantastic. It means I don’t even try to test something if jslint finds something wrong with it. I consider this to be a huge productivity win.

The following JSLint global options were key for me to use jslint as a build-time checker:

  • Output: Errors – causes Visual Studio to interpret JSLint output as errors
  • Run JSLint on build: true – causes JSLint to test all .JS files during build
  • Cancel build on error: true – causes JSLint errors to cancel the build, just like C# compiler errors
  • Assume a browser: true
  • Predefined Vars: jQuery, $
  • Strict whitespace: false
  • Maximum line length: 999

One issue with cancelling the build on error is that jslint is pedantic and some of its warnings are not strictly errors, which means that standard libraries like jQuery aren’t going to pass jslint. Fortunately, you can exclude individual .js files from build-time testing by right-clicking on the files you want to exclude in the Solution Explorer window. (Note that jslint doesn’t plug its menus into the Solution Navigator window from the “Productivity Power Tools” extension. You have to use the Solution Explorer.)

Happy linting.

Really Least-Privilege Development: AppLocker and Visual Studio

AppLocker is a software execution policy tool in Windows 7 Enterprise and Ultimate and Windows Server 2008 R2. An AppLocker policy can be used to shift Windows from a model where execution of code is permitted by default to a model where execution is denied by default. AppLocker is aware of binary exe, DLL/OCX, the scripting engines that ship with Windows and Windows Installer packages. The default rule sets for these categories will only allow code that is installed into the system or program files directories to execute. Once AppLocker is turned on, execution of code is denied by default and an unprivileged user cannot add executable code to the system.

If untrusted users can’t execute new code, then how can Visual Studio possibly work without making developers admin?

Grant Execute on Source/Build Tree: Fail

I thought this would be super simple and that all I would have to do was create Executable, DLL and Script path rules to grant execute on my source tree. At first, it seemed to work and I was off and running. Then I tried to build a big complicated project and the build failed all of a sudden. This solution had post-build rules but so what? I had script enabled for the build tree.

Build Actions Fail

Procmon shows that the pre- and post-build events are implemented as temporary batch scripts in %TEMP%. They are named <cryptic-number>.exec.cmd.


Unfortunately %TEMP% is not a usable macro in AppLocker. You have to either create a generic Script rule to allow all *.exec.cmd scripts to execute or create rules for each Visual Studio user like C:\Users\<username>\AppData\Local\Temp\*.exec.cmd. Either way, post-build actions will start to work.

Web Apps Crash with Yellow Screen of Death

Another issue is that running Web apps with the built-in Visual Studio Development Web Server (aka Cassini) fails miserably. The obvious clue that this is AppLocker is “The program was blocked by group policy.”


The problem is that Cassini copies the DLLs and runs them from a subdirectory of %TEMP%\Temporary ASP.NET Files\.


In order for Cassini to work, you have to disable DLL rules or create a DLL allow path rule for every developer in the form C:\Users\<username>\AppData\Local\Temp\Temporary ASP.NET Files\*.dll.

Visual Studio’s HelpLibAgent.exe Crashes

This one is a bit weirder and more surprising. Visual Studio 2010 has a new help system that operates as a local HTTP server. Invoking help with AppLocker DLL rules enabled generates a serious crash.


I’m not sure why it does this, but HelpLibAgent.exe generates a random string and then two .cs files based on that string, and invokes the C# compiler to generate a DLL based on the random string, which is dynamically loaded by HelpLibAgent. This seems weird on the face of it, and there’s nothing in that code that looks like it has to be generated on a per-user basis at all. Weird, weird, weird.


In order for this to work you have to allow any randomly named dll to load out of %TEMP% which means disabling DLL rules or modifying the rule that was necessary for Cassini:

C:\Users\<username>\AppData\Local\Temp\*.dll.

Summary

In order to run Visual Studio with AppLocker a user needs the following rules:

  • DLL, EXE and Script: Allow path on source tree / build directory structure
  • Script: Allow path on %TEMP%\*.exec.cmd
  • DLL: Allow path on %TEMP%\*.dll
  • Unfortunately %TEMP% is not available in AppLocker, so a C:\Users\<username>\AppData\Local\Temp\* rule has to exist for every <username> that needs one. These are probably best implemented as local policies.
  • Optional: Allow script *.ps1. (This is pretty safe because PowerShell has its own tight script execution security model.)
  • It’s unfortunate that DLL rules have to be enabled for a well-known location like %TEMP% but that still doesn’t make the DLL rule useless.
    • OCX is still not permitted from %TEMP%
    • AppLocker DLL rules are complementary to CWDIllegalInDllSearch for mitigating DLL Hijacking because they provide more granular options. This is particularly important if you need to use a global CWDIllegalInDllSearch setting of 1 or 2 for compatibility reasons.

Once these rules are in place, the experience is seamless. The rules don’t get in the way of anything.

Note that AppLocker script rules only apply to the scripting hosts that ship with Windows: CMD, Windows Script Host (.vbs and .js) and PowerShell. Perl, Python, Ruby, etc. interpreters are not affected by AppLocker policy. Similarly, execution of Java jar files is not affected by AppLocker.

It would be nice if DLL rules were a little smarter. For instance, I would like to be able to allow managed DLLs on some path but not native code.
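
One way to produce the per-user %TEMP% rules from the summary as an importable AppLocker policy XML file, since %TEMP% cannot be used in a path rule. This is an added example, not code from the original post; the user names, SIDs, rule names and output file name are constructed placeholders, and scoping each rule to the named user's SID instead of Everyone is an assumption about how the rules should be applied.

```powershell
# Added example. Names and SIDs are constructed placeholders; resolve a real SID with
# ([Security.Principal.NTAccount]'DOMAIN\user').Translate([Security.Principal.SecurityIdentifier])
$developers = @(
    @{ Name = 'alice'; Sid = 'S-1-5-21-1111111111-2222222222-3333333333-1001' },
    @{ Name = 'bob';   Sid = 'S-1-5-21-1111111111-2222222222-3333333333-1002' }
)

# AppLocker rule collection -> file pattern under each user's Temp directory.
$patterns = [ordered]@{
    Script = '*.exec.cmd'   # temporary pre-/post-build event scripts
    Dll    = '*.dll'        # Cassini copies and the DLL HelpLibAgent.exe compiles
}

function New-VsTempAppLockerPolicy {
    param([object[]]$Developers, [System.Collections.IDictionary]$Patterns)

    $doc  = New-Object System.Xml.XmlDocument
    $root = $doc.AppendChild($doc.CreateElement('AppLockerPolicy'))
    $root.SetAttribute('Version', '1')

    foreach ($type in $Patterns.Keys) {
        $coll = $root.AppendChild($doc.CreateElement('RuleCollection'))
        $coll.SetAttribute('Type', $type)
        $coll.SetAttribute('EnforcementMode', 'NotConfigured')

        foreach ($dev in $Developers) {
            # A wildcard or path separator in the name would silently widen the rule.
            if ($dev.Name -notmatch '^[A-Za-z0-9][A-Za-z0-9._-]*$') { throw "Unsafe user name: $($dev.Name)" }

            $rule = $coll.AppendChild($doc.CreateElement('FilePathRule'))
            $rule.SetAttribute('Id', [guid]::NewGuid().ToString())
            $rule.SetAttribute('Name', "VS temp $($Patterns[$type]) for $($dev.Name)")
            $rule.SetAttribute('Description', 'Visual Studio build/debug exception')
            $rule.SetAttribute('UserOrGroupSid', $dev.Sid)   # this user only, not Everyone
            $rule.SetAttribute('Action', 'Allow')

            $conds = $rule.AppendChild($doc.CreateElement('Conditions'))
            $cond  = $conds.AppendChild($doc.CreateElement('FilePathCondition'))
            $cond.SetAttribute('Path', "C:\Users\$($dev.Name)\AppData\Local\Temp\$($Patterns[$type])")
        }
    }
    return $doc
}

$policy = New-VsTempAppLockerPolicy -Developers $developers -Patterns $patterns
$policy.Save((Join-Path $PWD 'vs-temp-rules.xml'))
$policy.SelectNodes('//FilePathCondition') | ForEach-Object { $_.Path }
```

The resulting file can be imported as local policy from the AppLocker node of the Local Security Policy snap-in or with `Set-AppLockerPolicy -XmlPolicy .\vs-temp-rules.xml -Merge`.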

Best Visual Studio 2010 Extension Feature

The coolest Visual Studio 2010 extension feature that I have seen is the Solution Navigator which is a component of the Productivity Power Tools extension.

Solution Navigator combines the Solution Explorer and Class Explorer with search and some useful predefined filters: All, Open, Unsaved and Edited. It’s fantastic for navigating large solutions.

Types Shown in Files


Filter to Open Files


Search Types


MSFT Help Viewer Duplicate Entries

Microsoft Help Viewer 1.0 is a new document database that ships with Visual Studio 2010. It is basically an offline version of the “lightweight” view of the MSDN library online. It even runs in its own little web server and is accessed through a browser.

It ships with a number of categories of documentation including documentation for the .NET Framework version 4.0. You can install additional documentation from online or offline sources, including the .NET Framework 3.5 documentation.

Unfortunately, it doesn’t make much sense if you install both the v3.5 and 4.0 documentation. Firstly, the 4.0 documentation seems to be a superset of the entire 3.5 library. Secondly, installing both inserts two links for every article into all the navigation but both links resolve to the same document and that document specifies which version of the Framework the API is supported in.


I don’t see much point in installing more than one version of the .NET Framework documentation. Just stick with the .NET Framework 4 documentation that ships as part of the default options. It will update from online sources when changes are published.

Visual Studio 2010 Professional Should be Free

Microsoft has created yet another SKU for Visual Studio 2010, Ultimate Edition.

This is out of hand.

  • Visual Studio Express editions
  • Visual Studio Professional
  • Visual Studio Premium
  • Visual Studio Ultimate
  • Visual Studio Test Professional
  • Visual Studio Team Foundation Server
  • Visual Studio Lab Management

The express editions are free of charge but weirdly crippled:

  1. Rather than being features extending the base IDE, there are entirely separate Express IDEs for each language.
  2. The source control plugin API is missing
  3. Extremely limited refactoring (at a time when the refactorings in the full edition don’t compare well to Eclipse or Netbeans)
  4. No conditional breakpoints
  5. No remote debugging
  6. No thread debugging
  7. No support for compiling 64-bit native images
  8. No support for setup projects
  9. No support for solutions which contain projects written in different languages (because of item #1).
  10. No MS Office development support.
  11. No VSIX extensions (like this spell checker).

And apparently, you don’t have access to F# and IronPython languages with any Express edition. What?

Visual Studio Professional is the vanilla full-featured version of Visual Studio 2010.

Visual Studio is really the mechanism by which developers add value to Microsoft’s platforms. It is used to build applications that people actually use. We are not living in the gay 90s anymore when compilers were generally very expensive and IDEs were new and a huge value-add. Now, every platform vendor I can think of except for Microsoft gives away the best development tools it can in order to draw developers to it.

Here are some examples:

  • Apple gives away XCode and all its developer tools and documentation to anyone that registers.
  • Eclipse is free and open source.
  • Netbeans is free and open source.

Visual Studio Express editions do not have parity with the features of XCode, Netbeans and Eclipse. Visual Studio Professional is much closer.

But to get Visual Studio Professional, you have to be a student or faculty at an institution participating in the Microsoft Academic Alliance program or an employee of a Microsoft Certified Partner, or you or your employer have to buy an MSDN subscription every year. There are now 6 MSDN subscription SKUs.

  • MSDN Operating Systems
  • MSDN Embedded
  • Visual Studio Professional with MSDN
  • Visual Studio Test Professional with MSDN
  • Visual Studio Premium with MSDN
  • Visual Studio Ultimate with MSDN

These range in price from $699 to $11,899 retail with the “Professional” version weighing in at $1,199 ($799 for a renewal). The Operating Systems one doesn’t even come with Visual Studio which makes no sense at all. Why offer developers a subscription to your operating systems without giving them the tools to develop applications on the operating systems?

This state of affairs is out of control.

I don’t have any issue with Microsoft selling value-adds over and above Visual Studio Professional (e.g. Premium, Ultimate, Professional Tester, Team Server, etc.) to compete with IBM Rational and Perforce et al in the application lifecycle management and enterprise architecture modeling stuff and build management and testing.

But rather than trying to squeeze 800 bucks a year out of developers, Microsoft should discard the Express editions of Visual Studio and make Visual Studio 2010 Professional available at no cost to anyone with a valid copy of Windows.

Otherwise, Microsoft is literally driving startups and young developers to other platforms which offer fully functional free tools from vendors like Apple, IBM, Oracle (Sun), Novell, Red Hat and Canonical.

And when I say free I don’t mean crippled or ad supported. In order to keep the Windows platform relevant, Microsoft needs to make credible modern tools available to anyone that might be interested. That means Visual Studio 2010 Professional should be a free download.

Seriously.
