September 26, 2023
Analyzing an e-commerce application using an AI code review tool
Below is what Metabob's AI code review found...
NOTE: the screenshots are always related to the text above them
The first problem that we chose as an example was related to logic within an if condition. In this example, Metabob discovered that the user is raising an error with the message “Please provide all the fields.” However, this contradicts the actual logic of the if statement. The if statement checks whether the firstName field is missing by testing that it is falsy (using !firstName), but then checks whether the fields lastName, email, and phone are truthy. Metabob suggests that the logical NOT operator ‘!’ should also be placed in front of all the fields (namely lastName, email, and phone) so that the condition checks that each of them has been provided.
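The condition the finding describes, written out as an added example (constructed code, not the e-commerce application's own source): the buggy check beside the corrected one, plus a data-driven helper that names the missing fields. The field names are the ones the text mentions; the request bodies used below are constructed.

```javascript
// Added example, not the reviewed application's code. Request bodies are constructed.

// Buggy form as described in the finding: only firstName is negated. With `||`, the
// condition is true whenever firstName is missing OR any other field is present, so a
// complete request is rejected and a request carrying only firstName is accepted.
function validateBuggy(body) {
  const { firstName, lastName, email, phone } = body;
  if (!firstName || lastName || email || phone) {
    return { ok: false, message: 'Please provide all the fields.' };
  }
  return { ok: true };
}

// Corrected form: every field is negated, so the branch fires only when one is missing.
// Note that `!field` also treats '' and 0 as missing, which is what a string form wants.
function validateFixed(body) {
  const { firstName, lastName, email, phone } = body;
  if (!firstName || !lastName || !email || !phone) {
    return { ok: false, message: 'Please provide all the fields.' };
  }
  return { ok: true };
}

// Data-driven generalisation: one list of required names, and the response tells the
// client which fields are missing or blank instead of a single generic message.
const REQUIRED_FIELDS = ['firstName', 'lastName', 'email', 'phone'];

function missingFields(body, required = REQUIRED_FIELDS) {
  return required.filter((name) => {
    const value = body[name];
    return value === undefined || value === null ||
      (typeof value === 'string' && value.trim() === '');
  });
}

function validateRequired(body, required = REQUIRED_FIELDS) {
  const missing = missingFields(body, required);
  if (missing.length > 0) {
    return { ok: false, message: `Please provide all the fields: ${missing.join(', ')}` };
  }
  return { ok: true };
}
```

The same mistake is easy to make in the negated form too (`!(firstName && lastName && email && phone)` is correct, `!firstName && !lastName && ...` is not), which is one reason a list-driven check is easier to review than a hand-written chain of operators.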
The next finding is mostly related to making the output of the code as clear and easy to understand as possible using appropriate HTTP status codes. Here Metabob detects that the function used to delete a user is using the status code 204, which is used when the server has successfully fulfilled the request and there is no additional content to send in the response. Metabob recommends that in this case, given that it is about user deletion, a status code of 200 or 202 would be more appropriate.
Next, Metabob detected an incorrect argument order in a function defined to send a JSON Web Token. It communicated that this can lead to unexpected behavior or errors when running the code. Additionally, this can potentially expose the code to security vulnerabilities as well.
Further, Metabob detects a logical mistake where the condition in the isChanged method checks a property called this.updateAt for the last time a user’s password was changed. However, it should actually check this.passwordChangedAt, because earlier in the code that is the name of the property used for storing the timestamp of a password change. Additionally, in this detection, Metabob (as it is an AI) shows a bit of an attitude and tells the developer that even if updateAt were the correct property to check, it should be spelled updatedAt (check the parentheses in the description).
This example showcases the ability of AI code review to analyze the whole file and analyze the logic within it, as the passwordChangedAt is used earlier in the file than the lines that this detection relates to. This is an ability that rules-based tools lack.
In the next example, the detection is about an unhandled edge case. In this example, the function itself does the correct thing and checks that the user’s role is included in the provided roles before granting permission to perform the given action. However, Metabob detects that the code does not handle cases where the user’s role is not defined or is invalid and communicates that this could potentially lead to unauthorized access to certain actions. Therefore, the developer should handle the edge case.
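The role check from this finding as an added example (constructed code, not the application's middleware): the unguarded version beside one that handles a missing user, a missing or unknown role, and a misconfigured allow-list. `VALID_ROLES`, the role names and the tiny response harness are assumptions made for the example; the middleware signature follows the Express `(req, res, next)` convention.

```javascript
// Added example, not the reviewed application's code. Role names and the harness are constructed.
const VALID_ROLES = new Set(['customer', 'seller', 'admin']);

// As described in the finding: the role is compared against the allowed list, but nothing
// guards req.user or req.user.role. With no authenticated user this throws a TypeError,
// which most frameworks turn into a 500 rather than a deliberate 401/403.
function restrictToNaive(...roles) {
  return (req, res, next) => {
    if (!roles.includes(req.user.role)) {
      return res.status(403).json({ message: 'You do not have permission to perform this action' });
    }
    return next();
  };
}

// Hardened version: the allow-list is validated once when the route is wired up, an
// unauthenticated request gets 401, an account with no valid role gets 403, and only
// an explicitly permitted role reaches next(). Deny is the default on every path.
function restrictTo(...roles) {
  if (roles.length === 0 || !roles.every((r) => VALID_ROLES.has(r))) {
    throw new Error(`restrictTo: roles must be non-empty and drawn from ${[...VALID_ROLES].join(', ')}`);
  }
  return (req, res, next) => {
    if (!req.user) {
      return res.status(401).json({ message: 'Authentication required' });
    }
    const role = req.user.role;
    if (typeof role !== 'string' || !VALID_ROLES.has(role)) {
      return res.status(403).json({ message: 'Account has no valid role' });
    }
    if (!roles.includes(role)) {
      return res.status(403).json({ message: 'You do not have permission to perform this action' });
    }
    return next();
  };
}

// Minimal stand-in for the Express response object so the middleware runs offline.
function runMiddleware(middleware, req) {
  const result = { status: 200, body: null, next: false };
  const res = {
    status(code) { result.status = code; return this; },
    json(body) { result.body = body; return this; },
  };
  middleware(req, res, () => { result.next = true; });
  return result;
}
```

Validating the allow-list at registration time catches typos such as `restrictTo('admn')` when the server starts rather than as a route that silently denies everyone (or, with a looser check, admits the wrong people) in production.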