Code Review: Looking for vulnerable code. Vlad Savitsky. http://donetsk.drupal.ua

May 08, 2015


DrupalCampDN
Page 1: Code Review: Looking for vulnerable code

Vlad Savitsky

http://donetsk.drupal.ua

Page 2: Code Review: Looking for vulnerable code

Page 3: Twitter

We have introduced code review at our place.

– And what is that like?

– Well, you sit there, read the code, and weep...

(Translated from Russian; the original "ревёшь", "you weep", puns on "review".)

http://twitter.com/#!/dallaylaen/status/129887114576920577

Page 4: Overview

● Why review code?
● Who should do code review?
● Code review or person review?
● How to find a vulnerability?
● How to report a security problem?

Page 5: Why review code?

● Increase code quality.
● Developers get to know code they did not write.
● Learn new coding best practices.
● Check that the code is clear and easy to understand.
● Find vulnerable code.

Page 6: What shouldn't you review?

● Bugs and mistakes.
● Coding-standard compliance.

Leave these to automated tests and coding-standard tools; reviewer time is better spent on design and security.

Page 7: When should code be reviewed?

● Before merging to trunk.
● Small pieces of code are easy to review.
● More often is better.

Page 8: When should code be reviewed?

● Before adding new code to the project:
  ● Contributed modules/themes.
  ● Custom modules/themes.
● Small pieces of code are easy to review.
● More often is better.

Page 9: Who should do code review?

● Team lead.
● Other developers.

Page 10: Code Review or Person Review?

● Developers identify with their code, so review the code, not the person.
● Reviewing the person leads to team conflicts.
● Reviewing the code is a chance to learn best practices.

Page 11: Golden Rule of Code Review

Review other people's code the way you want them to review yours.

Page 13: Goal of Code Review

Perfect code made by imperfect developers.

Page 14: How to find a vulnerability?

Page 16: Find XSS

● Find and inspect theme() functions.
● Is t() used with the proper placeholders? In Drupal 6 and 7, @var is passed through check_plain(), %var through theme('placeholder'), and !var is inserted unescaped, so !var is only safe for markup that is already trusted.
● Is check_plain() or theme('placeholder') used for plain text?
● Is check_markup() or filter_xss() used for text that may contain markup?
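The placeholder rules above are the whole point of the t() check, so here is an added example that is not from the slides or from Drupal core: a stand-alone PHP re-implementation of the Drupal 7 check_plain(), theme('placeholder') and format_string() escaping rules (the demo_* names are ours), run over a constructed attacker payload to show which patterns leak it into the page and which neutralise it.

```php
<?php
// Added example (not from the slides or Drupal core). The demo_* helpers
// reproduce the Drupal 7 escaping semantics so the block runs without a
// Drupal install; the attacker payload below is constructed for the demo.

// Equivalent of Drupal's check_plain(): escape for an HTML text context.
function demo_check_plain(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Equivalent of theme('placeholder', $text): escaped and emphasised.
function demo_placeholder(string $text): string {
    return '<em class="placeholder">' . demo_check_plain($text) . '</em>';
}

// Simplified t()/format_string(): substitutes arguments by their sigil.
//   @name -> escaped with check_plain()         (safe for untrusted text)
//   %name -> escaped and wrapped as placeholder  (safe for untrusted text)
//   !name -> inserted verbatim                   (only for already-safe HTML)
function demo_t(string $string, array $args = []): string {
    foreach ($args as $key => $value) {
        switch ($key[0]) {
            case '@':
                $args[$key] = demo_check_plain($value);
                break;
            case '%':
                $args[$key] = demo_placeholder($value);
                break;
            default:
                // '!' (and anything else) is raw: the reviewer must confirm
                // the value is trusted markup, never request data.
                break;
        }
    }
    return strtr($string, $args);
}

// Does an unescaped <img ...> tag survive into the output?
// An escaped payload becomes "&lt;img ..." and no longer matches.
function demo_has_live_tag(string $html): bool {
    return stripos($html, '<img') !== false;
}

// Constructed attacker input, e.g. a user-chosen display name.
$payload = '<img src=x onerror=alert(1)>';

// Vulnerable patterns a reviewer should flag:
//   raw concatenation, or a '!' placeholder fed with user input.
$samples = [
    'concat'      => 'Welcome, ' . $payload,
    't-bang'      => demo_t('Welcome, !name', ['!name' => $payload]),
    // Safe patterns: check_plain() directly, or '@' / '%' placeholders.
    'check_plain' => 'Welcome, ' . demo_check_plain($payload),
    't-at'        => demo_t('Welcome, @name', ['@name' => $payload]),
    't-percent'   => demo_t('Welcome, %name', ['%name' => $payload]),
];

foreach ($samples as $name => $html) {
    printf("%-12s %-8s %s\n", $name, demo_has_live_tag($html) ? 'XSS' : 'escaped', $html);
}
```

Run with `php demo.php`: the first two samples print the payload with its `<img>` tag intact, the other three print it as `&lt;img ...&gt;`. When reading a real module, the same three questions apply to every t() call: which sigil is used, where the argument comes from, and whether a `!` argument is genuinely trusted.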

Page 18: SQL injection

● Bad code (request data concatenated into the query text):

```php
db_query("SELECT foo FROM {table} t WHERE t.name = '" . $_GET['user'] . "'");
```

● Good code (Drupal 6 style; the database layer escapes the %s argument):

```php
db_query("SELECT foo FROM {table} t WHERE t.name = '%s'", $_GET['user']);
```

● Is the Database API used correctly? Drupal 7's db_query() replaces %s with named placeholders such as :name plus an array of arguments; in both versions the value must reach the database as a parameter, never as part of the SQL string.
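To see what the "bad code" pattern actually allows, here is an added example that is not from the slides: the same two query shapes reproduced against an in-memory SQLite database through PDO, so it runs without Drupal. The table, column names and the attacker payload are constructed for the demo; the comment maps each function back to the db_query() form a reviewer would look for.

```php
<?php
// Added example (not from the slides or Drupal core). PDO + SQLite stands in
// for Drupal's database layer; table/column names and the payload are ours.
//
// Reviewer's mapping:
//   lookup_concat()  ~ db_query("... WHERE t.name = '" . $_GET['user'] . "'")
//   lookup_param()   ~ db_query("... WHERE t.name = '%s'", $user)        (Drupal 6)
//                    ~ db_query("... WHERE t.name = :name", [':name' => $user]) (Drupal 7)

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT, secret TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', 's3cret-a'), ('bob', 's3cret-b')");

// Vulnerable: the request parameter becomes part of the SQL text, so a quote
// in the value closes the string literal and the rest is parsed as SQL.
function lookup_concat(PDO $db, string $user): array {
    $sql = "SELECT secret FROM users WHERE name = '" . $user . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: the value travels as a bound parameter and is only ever compared
// as data, whatever characters it contains.
function lookup_param(PDO $db, string $user): array {
    $stmt = $db->prepare('SELECT secret FROM users WHERE name = :name');
    $stmt->execute([':name' => $user]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed attacker input, as it would arrive in $_GET['user'].
// In the concatenated query it yields:  ... WHERE name = '' OR '1'='1'
$payload = "' OR '1'='1";

echo "concat, payload:  "; print_r(lookup_concat($db, $payload));
echo "param,  payload:  "; print_r(lookup_param($db, $payload));
echo "param,  alice:    "; print_r(lookup_param($db, 'alice'));
```

With the concatenated query the `OR '1'='1'` tail matches every row and both secrets come back; with the bound parameter the payload is just a name nobody has and the result is empty, while a legitimate lookup for `alice` still works. The test for a reviewer is mechanical: any db_query() whose SQL string is assembled with `.` or string interpolation from request, form or URL data is a finding, regardless of what escaping the author thinks happened earlier.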

Page 19: Bad-smelling code

● Bad-smelling code should in most cases be refactored.
● http://sourcemaking.com/refactoring/bad-smells-in-code

Page 20: Drupal Security Team

Page 21: Goals of the security team

● Resolve reported security issues.
● Assist contributed-module maintainers in resolving security issues.
● Provide documentation on how to write secure code.
● Provide documentation on securing your site.

Page 22: How to report a security issue

● Do not post it in the issue tracker or discuss it in IRC.
● Mail security@drupal.org.
● Provide as many details as you can, at least:
  ● Drupal version and/or module version.
  ● Steps to reproduce the problem.
● Do not disclose the vulnerability to anyone before the advisory is issued.
● You will be credited in the security announcement.

Page 23: How the security team works with issues

● Review the issue and evaluate its potential impact on all supported releases of Drupal.
● If it is indeed a valid problem, the security team is mobilized to eliminate it.
● New versions are created and tested.
● New packages are created and uploaded to Drupal.org.
● Once the issue is fixed, all available communication channels are used to inform users of the steps they must take to protect themselves.

Page 24: Issues with contributed modules

● The module maintainer is contacted and given a deadline.
● When the maintainer fixes the problem, the security team issues an advisory.
● If the maintainer does not fix the problem within the deadline, an advisory is issued recommending that the module be disabled, and the project is unpublished on Drupal.org.

Page 25: Happy Code Review!!!

Page 26: Questions?