Skip to content

S06:2023 - Broken or Redundant Code 🚧👷‍♂️

Overview

Manifestations of broken code can serve as significant indicators of a system's overall quality. Code that is non-functional, contains residual or redundant functionality frequently becomes a source of security issues when interacting with other vulnerabilities. Maintaining a clean and easily manageable codebase is crucial, but the reality of encountering situations where this is not the case is evident, as reflected by the placement of this vulnerability at #6 in the Snap Security Top 10.

Description

This section addresses the risks associated with broken or redundant code, emphasizing the importance of regular code reviews, refactoring, and eliminating unnecessary code to enhance the extension's security and performance.

Broken or redundant code refers to portions of the codebase that are either non-functional, contain vulnerabilities, or are unnecessary for the operation of the Snap. Such code can introduce security vulnerabilities, increase the attack surface, and impact the overall performance and maintainability of the application. It is imperative to adopt practices that promote clean, efficient, and secure coding to mitigate these risks.

  • Unused imports.
  • Functions that don't do anything.
  • RPC calls that lead to errors.
  • Redundant functionality.
  • Unnecessary conversions.
  • Code Style issues.
  • Confusing naming.
  • Code Performance and inefficient implementations.
  • Misleading return values. Misleading Function names.
  • Front-end and test suite do not use all RPC handles.
  • Unexpected user flow.
  • Confusing if-branching.
  • Snap queries information but never uses it.

How to Prevent

  • Conduct regular code reviews to identify and address broken or redundant code. Encourage collaboration among team members to ensure code quality and security.
  • Utilize static code analysis tools to automatically identify potential issues, security vulnerabilities, and areas of redundant or unused code and importas. Integrate these tools into the development process.
  • Periodically review and refactor the codebase to eliminate redundancies, improve readability, and address any deprecated or insecure coding practices.
  • Regularly update and manage third-party dependencies to ensure compatibility with the latest security patches and to eliminate redundant or unused libraries.
  • Implement a comprehensive suite of automated tests to identify and rectify issues related to broken or redundant code, ensuring the continued reliability of the extension.
  • Maintain clear and updated documentation that provides insights into the purpose of each code segment. Use meaningful comments to enhance code readability and assist in understanding its functionality.

Example Misuse Scenarios

Scenario #1: Unused Functionality Exploitation

Attackers may exploit dormant or redundant code that remains in the codebase, using it to perform unauthorized actions or exploit security vulnerabilities.

Scenario #2: Security Vulnerabilities in Deprecated Code

Deprecated code that has not been removed may contain security vulnerabilities that could be exploited by attackers to compromise the security of the extension.

Scenario #3: Excessive Privileges

Unused or redundant code segments may inadvertently grant excessive privileges, leading to security risks such as unauthorized access or unintended functionality.

Scenario #4: Increased Attack Surface

Redundant or broken code increases the overall attack surface of the extension, providing more opportunities for attackers to find and exploit vulnerabilities.

Scenario #5: Performance Degradation

Redundant code can impact the performance of the extension, leading to slower response times, increased resource consumption, and potential denial-of-service scenarios. Regular maintenance and code optimization are crucial to prevent these issues.