@tnightingale
Last active September 11, 2017 20:24
Ayura code review by Affinity Bridge

Issues

  • Vulnerable to SQL Injection (sql-vuln example 1, sql-vuln example 2). A request to a specially-crafted URL can cause arbitrary (and possibly destructive) changes to the database, because values taken from the request reach the SQL text without being bound as query parameters.
  • Cross-site Scripting/XSS vulnerabilities (cross-site scripting example 1). Interpolating variables directly into HTML without escaping creates cross-site scripting vulnerabilities, particularly when the values come from the database or from user-generated content (malicious data could have been inserted via the SQL injection above, or by writing unsanitized form input directly into the database).
  • Hard-coded secrets/tokens for third-party services (hard-coded secret example 1, hard-coded secret example 2, hard-coded secret example 3). These differ between environments and must be rotated if they leak, so they belong in configuration (e.g. environment variables), not in source code.
  • Poor / little error handling (error handling example 1). When errors occur they should be logged for later review, and the application should handle the situation in a way that avoids disruption to the user, e.g. retry the task or display an explanation.
  • HTML generation mixed with unrelated application logic. This makes the code hard to follow and can result in unexpected behaviour that is very hard to debug.

The examples above are not an exhaustive list of issues. The entire codebase needs to be inspected for other occurrences of these issues.
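The following is an added illustration of the issue classes listed above, not code from the reviewed Ayura codebase or from Affinity Bridge. Each defect is shown as a constructed "before" next to a hardened "after": a concatenated query beside a PDO prepared statement, unescaped interpolation beside htmlspecialchars, a committed secret beside one read from the environment, and an unhandled failure beside a logged, handled one. The `users` table, the `MAILER_API_KEY` variable and the mail transport callable are assumptions made for the example; it runs stand-alone on PHP 7.4 or later with the pdo_sqlite extension.

```php
<?php
// Added illustration, not code from the reviewed Ayura codebase: the defect
// classes from the review, each as a constructed "before" next to a hardened
// "after". The `users` table, $pdo handle, transport callable and the
// MAILER_API_KEY environment variable are assumptions made for this example.
declare(strict_types=1);

// ---- Before: the patterns the review flags ------------------------------

// SQL injection: the request value is concatenated into the query, so
// ?id=0%20OR%201=1 returns a row that was never asked for, and on drivers that
// allow stacked statements a "; DROP TABLE ..." suffix would run as well.
function findUserVulnerable(PDO $pdo, string $id): ?array
{
    $row = $pdo->query('SELECT id, name FROM users WHERE id = ' . $id)
               ->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// XSS: a value from the database (or a form) is echoed into HTML unchanged,
// so a stored <script> tag runs in every visitor's browser.
function renderNameVulnerable(array $user): string
{
    return "<h1>Hello, {$user['name']}</h1>";
}

// Hard-coded secret: committed to the repository, shared by every environment,
// and impossible to rotate without a code change and a redeploy.
const MAILER_API_KEY = 'live-key-placeholder';

// ---- After: hardened equivalents -----------------------------------------

// Prepared statement: SQL text and value travel to the driver separately, so
// the value can never change the query's structure. The shape check rejects
// malformed ids before they reach the database at all.
function findUser(PDO $pdo, string $id): ?array
{
    if (!ctype_digit($id)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Output escaping for the HTML context. ENT_QUOTES also covers values placed
// in attributes; ENT_SUBSTITUTE stops invalid UTF-8 from yielding an empty
// string that would silently hide the problem.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderName(array $user): string
{
    return '<h1>Hello, ' . e($user['name']) . '</h1>';
}

// Secret read from the environment (the twelve-factor "config" rule); a
// missing value is a start-up failure, not an empty key sent to the API.
function mailerApiKey(): string
{
    $key = getenv('MAILER_API_KEY');
    if ($key === false || $key === '') {
        throw new RuntimeException('MAILER_API_KEY is not set');
    }
    return $key;
}

// Error handling: the failure is logged with context for later review and the
// caller gets a result it can act on (retry, explain) instead of the user
// seeing a raw driver or HTTP error.
function sendWelcomeMail(array $user, callable $transport): bool
{
    try {
        $transport($user['id'], mailerApiKey());
        return true;
    } catch (Throwable $e) {
        error_log(sprintf('welcome mail failed for user %d: %s',
                          $user['id'], $e->getMessage()));
        return false;
    }
}

// ---- Demo against an in-memory SQLite database (constructed data) ---------
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, '<script>alert(1)</script>')");

$injected = '0 OR 1=1';                            // what ?id=0%20OR%201=1 decodes to
echo renderNameVulnerable(findUserVulnerable($pdo, $injected)), PHP_EOL; // leaks user 1, tag verbatim
var_dump(findUser($pdo, $injected));               // rejected by the shape check
echo renderName(findUser($pdo, '1')), PHP_EOL;     // same user, tag rendered as text

// A transport that fails, to exercise the logged-and-handled path.
var_dump(sendWelcomeMail(['id' => 1], function (int $id, string $key): void {
    throw new RuntimeException('mailer unreachable');
}));
```

Note that `e()` is only correct for text and quoted attribute values; a value placed in a JavaScript block, a URL or a CSS property needs the escaping rule for that context, which is one reason the templating recommendation below matters more than a single helper function.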

Recommendations

Use an application framework

Examples of popular recommended PHP frameworks:

Application frameworks provide many benefits:

  • Encourages/enforces secure-by-default idioms:
    • Input sanitization & validation (protection from cross-site scripting (XSS))
    • Secure database access (protection from SQL injections)
    • Secure form submissions (protection from cross-site request forgeries (CSRF))
  • Standard & secure methods of handling common web application tasks, eg:
    • HTTP request/response handling
    • Cookies & session management
    • User authentication
    • URL path routing
    • Database queries and management
    • HTML templating
    • Form creation & submission handling
    • Interacting with filesystem, eg: user uploads
  • Consistent & organized source code layout improves maintainability and makes it easier for new people to pick up the code and contribute

See Create your own PHP Framework for more info (but still use a ready-made framework!).

Use a templating system

Templating systems let you separate HTML generation from application logic. Most also escape interpolated values for the HTML context by default, which removes the most common source of XSS as long as the escaping is not switched off for untrusted values.

Twig is a popular templating system for PHP.
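The greeting from the earlier example rendered through Twig, as an added example that is not code from the review or the reviewed project. It shows the markup living in a template with no PHP logic in it, the default HTML autoescaping applied to values that carry XSS payloads, and the `url_encode` filter for the one value that lands in a URL rather than in text. It assumes Twig has been installed with `composer require twig/twig` and that `vendor/autoload.php` sits next to the script; the user record is constructed sample data.

```php
<?php
// Added example, not code from the review or the reviewed project: the same
// greeting rendered through Twig so that markup lives in a template and every
// interpolated value is escaped for its context by default. Assumes Twig was
// installed with `composer require twig/twig` and that vendor/autoload.php sits
// next to this script; the user record below is constructed sample data.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;

// Templates normally live on disk behind a FilesystemLoader; an ArrayLoader
// keeps the example self-contained. No PHP logic appears in the template.
$loader = new ArrayLoader([
    'profile.html.twig' => <<<'TWIG'
<h1>Hello, {{ user.name }}</h1>
<p title="{{ user.bio }}">{{ user.bio }}</p>
<a href="/users/{{ user.id }}?ref={{ referrer|url_encode }}">Profile</a>
TWIG,
]);

$twig = new Environment($loader, [
    // 'html' is already the default; it is spelled out because turning it off,
    // or applying the |raw filter to untrusted data, is how XSS comes back.
    'autoescape'       => 'html',
    // Undefined variables throw instead of rendering as an empty string, which
    // surfaces typos that would otherwise be silently blank in production.
    'strict_variables' => true,
]);

// Constructed record carrying the kind of payload a database row could hold
// after the SQL injection issues noted in the review.
$user = [
    'id'   => 7,
    'name' => '<img src=x onerror=alert(1)>',
    'bio'  => '" onmouseover="alert(2)',
];

// name and bio come out with <, >, " and ' replaced by entities, so the
// quoted title attribute cannot be broken out of; referrer is percent-encoded
// for the URL context before the HTML autoescaper sees it.
echo $twig->render('profile.html.twig', [
    'user'     => $user,
    'referrer' => 'a&b=c',
]);
```

The caveat a reviewer should keep in mind: autoescaping protects quoted attribute values and text, so attributes in the template must always be quoted, and any use of `|raw` or `autoescape false` on data that originates from a form or the database reintroduces exactly the issue the template was meant to remove.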

Follow recommendations outlined in "The Twelve-Factor App"

The Twelve-Factor App is a set of recommendations produced by developers at Heroku that formalizes industry best practices for building modern web applications. The factor most relevant to the issues above is "Config": credentials and other environment-specific settings are stored in the environment rather than in the code, which is the fix for the hard-coded secrets noted earlier.
