A Checklist for Code Review

Ganesh Karki
Jan 18, 2021

What is Code Review:

Code review is systematic examination (sometimes referred to as peer review) of computer source code. It is intended to find mistakes overlooked in software development, improving the overall quality of software. — Wikipedia

Important Keywords:

  1. systematic examination
  2. to find mistakes overlooked
  3. improving the overall quality

Checklist for development and Code review

With regard to “systematic examination” and “finding mistakes overlooked”, the following checklist can be incorporated:

✅ Ensure the application does not contain format string vulnerabilities: format string exploits

✅ Avoid race conditions scenarios

✅ Are there memory leak possibilities: memory leaks

✅ No buffer overflows.

✅ Logical errors or transitional errors

✅ Avoid Cross-Site Scripting [XSS]

✅ Avoid SQL/XML Injection

✅ Excessive Disclosure: https://www.acunetix.com/blog/articles/source-code-disclosure-dangerous/

✅ No extraneous code: if something can be used later, let it be built later
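To make the injection, XSS and excessive-disclosure items concrete, here is an added Python example that is not part of the original post (Python is used only because it runs stand-alone; the same checks apply to PHP or any other language). It puts the pattern a reviewer should reject next to its hardened form. The table, the users, the probe strings and the error text are all constructed for the example, and `review_check` is an invented helper that runs both versions side by side.

```python
import html
import logging
import sqlite3
import uuid

log = logging.getLogger("review-demo")


def make_db():
    """Constructed sample data: two users in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_unsafe(conn, name):
    """The pattern a reviewer must flag: untrusted input spliced into the SQL text."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    """Parameterised query: the value travels separately from the SQL text, so it
    can never change the statement's structure."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def render_greeting_unsafe(name):
    """Untrusted value written straight into HTML: XSS if it carries markup."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name):
    """Output encoding for the HTML context; quote=True also covers attribute values."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def error_response(exc):
    """Excessive-disclosure check: the client gets only a reference id; the detail
    (hostnames, stack traces, SQL) stays in the server-side log."""
    ref = uuid.uuid4().hex[:8]
    log.error("request failed ref=%s: %r", ref, exc)
    return {"status": 500, "message": f"Internal error (ref {ref})"}


def review_check(probe="' OR '1'='1", markup="<script>alert(1)</script>"):
    """Run the flagged and hardened versions side by side on the textbook probes."""
    conn = make_db()
    return {
        "unsafe_rows": len(find_user_unsafe(conn, probe)),  # the whole table comes back
        "safe_rows": len(find_user_safe(conn, probe)),  # nobody has that literal name
        "unsafe_html": render_greeting_unsafe(markup),
        "safe_html": render_greeting_safe(markup),
        # constructed error text: an internal hostname that must not reach the client
        "error": error_response(RuntimeError("connect to db01.internal failed")),
    }


if __name__ == "__main__":
    for key, value in review_check().items():
        print(f"{key}: {value}")
```

The point for the reviewer is the shape of the code, not the probe: any place where request data is concatenated into SQL, written into HTML without encoding, or echoed back inside an error message fails the checklist regardless of what the tester happens to type.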

Additional checkpoint for batches

✅ Mutual exclusiveness: consider the following questions

  • ✅ Can multiple instances of the same batch run simultaneously?
  • ✅ Can multiple instances of the same batch with different arguments run simultaneously?

✅ Properly handle missing inputs and dependent files if they don’t exist

✅ Check cron settings for all environments: DEV, STG, PRO

✅ Check configuration settings for all environments: DEV, STG, PRO

✅ Can the batch exit gracefully?

✅ Proper log level:

  • use fatal: If batch exits/terminates
  • use error: something wrong but continue execution
  • use warn: something wrong, but with no influence on execution
  • use info: Show state change / informative info

✅ Log: do not leave debug logs in commit
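The batch items above describe one procedure, so here is an added Python skeleton (not the author's code) that answers the checklist questions in code: one flock-based lock per batch and argument set so that two instances cannot overlap, a missing-input check that terminates with a fatal-level log, a SIGTERM handler for a graceful exit, and log levels used as the list prescribes. `BatchLock`, `run_batch`, the exit codes and the temp-directory lock location are assumptions made for the example; `demo()` runs the scenarios on a constructed input file.

```python
import fcntl
import hashlib
import logging
import os
import signal
import tempfile

log = logging.getLogger("batch")
EXIT_OK, EXIT_MISSING_INPUT, EXIT_ALREADY_RUNNING = 0, 1, 2
LOCK_DIR = tempfile.gettempdir()  # assumption: lock files live in the temp directory


def lock_path(batch_name, args):
    """One lock file per (batch, argument set); args=() locks the batch as a whole."""
    key = hashlib.sha256("\0".join((batch_name, *map(str, args))).encode()).hexdigest()[:16]
    return os.path.join(LOCK_DIR, f"{batch_name}-{key}.lock")


class BatchLock:
    """Advisory flock(2) lock: the kernel drops it when the holder exits, so a crash
    cannot leave a stale lock behind."""

    def __init__(self, batch_name, args=()):
        self.path = lock_path(batch_name, args)
        self._fh = None

    def acquire(self):
        fh = open(self.path, "w")
        try:
            fcntl.flock(fh, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except BlockingIOError:
            fh.close()
            return False
        self._fh = fh
        return True

    def release(self):
        if self._fh is not None:
            fcntl.flock(self._fh, fcntl.LOCK_UN)
            self._fh.close()
            self._fh = None


def run_batch(batch_name, args, input_path, work, per_argument=True):
    """Exclusive run, input check, graceful stop on SIGTERM, log level per outcome."""
    lock = BatchLock(batch_name, tuple(args) if per_argument else ())
    if not lock.acquire():
        log.warning("%s %s: another instance is running, skipping", batch_name, args)
        return EXIT_ALREADY_RUNNING
    stop = {"requested": False}

    def on_term(signum, frame):
        stop["requested"] = True  # work() finishes its current record, then exits

    try:
        try:
            signal.signal(signal.SIGTERM, on_term)
        except ValueError:
            pass  # not the main thread: run without the handler
        if not os.path.exists(input_path):
            log.critical("%s: input %s missing, terminating", batch_name, input_path)
            return EXIT_MISSING_INPUT
        log.info("%s: starting with args %s", batch_name, args)
        work(input_path, lambda: stop["requested"])
        log.info("%s: finished", batch_name)
        return EXIT_OK
    finally:
        lock.release()


def demo():
    """Run the checklist scenarios on constructed locks and a constructed input file."""
    results = {}
    first = BatchLock("nightly", ("2021-01-18",))
    second = BatchLock("nightly", ("2021-01-18",))
    other = BatchLock("nightly", ("2021-01-19",))
    results["first"] = first.acquire()
    results["same_args_while_running"] = second.acquire()
    results["other_args_while_running"] = other.acquire()
    first.release()
    other.release()
    results["same_args_after_release"] = second.acquire()
    second.release()
    results["missing_input"] = run_batch("nightly", ["x"], "/nonexistent/in.csv", lambda p, s: None)
    with tempfile.NamedTemporaryFile("w", suffix=".csv", delete=False) as fh:
        fh.write("id,amount\n1,10\n2,20\n")  # constructed input
    processed = []

    def work(path, should_stop):
        with open(path) as src:
            for line in src.read().splitlines()[1:]:
                if should_stop():
                    break
                processed.append(line)

    results["ok"] = run_batch("nightly", ["x"], fh.name, work)
    results["processed"] = len(processed)
    os.unlink(fh.name)
    return results
```

Passing `per_argument=False` makes the lock cover the batch name alone, which is the answer to the first question when the batch must never overlap with itself at all; the default covers the second question, where runs with different arguments may proceed in parallel.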

With regard to “improving the overall quality”, the following:

✅ Code format/indentation/spaces (use the PhpStorm auto-reformat to confirm all rules are followed)

✅ Proper variable naming: meaningful, understandable names, so that the code can still be understood after 1 year

✅ Proper access modifiers assigned to member methods and variables

✅ Avoid nested if-else: check the negative condition first and exit immediately

✅ Avoid long if-else ladders and switch statements

✅ Inspect the code with a static code analysis tool in the IDE

For instance, if you are working with PHP you can refer
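As an added illustration of the two structure items (check the negative condition and exit immediately; avoid long if-else ladders and switches), here is a Python example that is not from the post: a nested approval check next to its guard-clause form, and an if-else ladder next to a dispatch table that replaces it. The `approve_*` and `handle_event_*` functions, their return values and their inputs are invented for the example.

```python
def approve_nested(request):
    """Shape a reviewer asks to refactor: the happy path sits four levels deep and
    every else clause has to be read before the outcome of a branch is known."""
    if request.get("user"):
        if request["user"].get("active"):
            if request.get("amount", 0) > 0:
                if request["amount"] <= request["user"].get("limit", 0):
                    return "approved"
                else:
                    return "over-limit"
            else:
                return "bad-amount"
        else:
            return "inactive"
    else:
        return "no-user"


def approve_guarded(request):
    """Same decision with guard clauses: each negative condition exits at once, so
    the code that follows runs only on input that has already passed every check."""
    user = request.get("user")
    if not user:
        return "no-user"
    if not user.get("active"):
        return "inactive"
    amount = request.get("amount", 0)
    if amount <= 0:
        return "bad-amount"
    if amount > user.get("limit", 0):
        return "over-limit"
    return "approved"


def handle_event_ladder(kind, payload):
    """The ladder the checklist warns about: one more branch for every event kind."""
    if kind == "create":
        return f"created {payload['id']}"
    elif kind == "update":
        return f"updated {payload['id']}"
    elif kind == "delete":
        return f"deleted {payload['id']}"
    else:
        return "unknown-event"


# Dispatch table: adding an event kind is one entry, and the handlers are testable on their own.
HANDLERS = {
    "create": lambda payload: f"created {payload['id']}",
    "update": lambda payload: f"updated {payload['id']}",
    "delete": lambda payload: f"deleted {payload['id']}",
}


def handle_event_table(kind, payload):
    """Table lookup replacing the ladder; the default branch stays explicit."""
    handler = HANDLERS.get(kind)
    if handler is None:
        return "unknown-event"
    return handler(payload)
```

The refactored pair must return exactly what the original returned for every input, which is the check to run before approving such a change in review.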

Objectives of Code Review

Also, note that the main objectives of code-review are:

  1. Best Practice ~ A more efficient, less error-prone, or more elegant way to accomplish a given task.
  2. Error Detection ~ Discovering logical or transitional errors.
  3. Vulnerability Exposure ~ Identifying and averting common vulnerabilities like Cross-Site Scripting [XSS], Injection, Buffer Overflow, Excessive Disclosure, etc. Although many controls are inapplicable and can be ignored, a STIG [e.g., Application Security STIG 4.3] provides an excellent vulnerability checklist.
  4. Malware Discovery ~ This often-overlooked and very special code-review objective looks for segments of code that appear extraneous, questionable, or flat-out weird. The intent is to discover back doors, Trojans, and time bombs.

References and further readings

  1. https://en.wikipedia.org/wiki/Code_review
  2. https://www.stigviewer.com/stig/application_security_and_development_checklist/
