Passbolt API Code Review results

Jan 11, 2018 · 5 min read

Passbolt uses a variety of open source technologies to underpin our software. You can see a full list of these technologies here. One of the technologies we use extensively is CakePHP, which is used to power the server side of the passbolt solution. We recently submitted passbolt for a code review from the brains behind CakePHP, CakeDC.

This audit was solely focused on the API (e.g. server side) code, and does not include a review of the Javascript code or high level design items such the API naming conventions or our use of the GPGAuth protocol.

This review was done in December, spanned across three weeks, with the code from passbolt version 2.0 development branch, based on CakePHP 3.5.

This code is available under the “development” branch on passbolt api github repository.

Image for post
Image for post
fig. original issue count

We are pleased to report that CakeDC did not find any critical flaws. Only three high ranking issues were found and close to 50 medium to low ranking ones. You can have a look at the full report here, or continue reading to have a quick look at the results in each area.


“We have not found any security flaws in the code base. Custom database queries are not used, leaving no place for SQL injection. User input and output are escaped.”

We invite security researchers to submit any new vulnerability, findings or suggestions for improvement to


Image for post
Image for post
Fig. passbolt API object relations, high level visualization

Cakephp Conventions

“In general, CakePHP conventions are well followed. Database table, object classes and files are named correctly. Controllers are kept simple and most of the business logic is in Models. No business logic in templates.”

Coding standards

Since we sniff around for coding standard issues, most issues found here were surrounding missing or mismatching of documentation blocks for functions and class signatures.

Code quality

“In general, the code is structured. Classes and methods are not too long or overly complex. Methods are documented.”


Framework usage

We’ve used the CakePHP framework mostly in the way the framework is intended. However, this part includes most of the recommended improvements, some are low hanging fruit, some requires a substantial investment in time.

Most notable issue relate to our design choice of using one Controller per API actions (for example, one controller with the user delete operation) instead of having all the actions related to an logical object in one file (for example, one controller with user delete, created, edit, etc.). We made this choice to facilitate and speed up testing and allow inheritance between similar actions (setting up a new account and recover an existing account share similar logic). However, this choice prevents us from leveraging some of the framework features such as RESTfull routes, therefore increasing the complexity of the file where we place our routes definitions.

Since default RESTfull routes are not always applicable to passbolt (e.g. for our most complex endpoints, such as password share that affect multiple objects) CakeDC suggested adopting another approach using Action classes (example 1, example 2). This is a reasonable tradeoff that we will be implementing in the middle/long-term future.

Separation of concern

“In general, we have not found big issues related with misuse of the framework or MVC pattern concepts.”

One notable suggested improvement would be to move some of the hardcoded access right logic (such as, you need to be an group owner to add a user to that group) into authorization adapters. This would allow us to create more flexible and configurable authorization rules in the future, so that you as the end user could potentially define some of this logic (such as: creating a new role and changing who can do what in passbolt).

Code Reuse and Modularity

Image for post
Image for post
Fig. complexity according to static analysis: Each file is symbolized by a circle. Size of the circle represents the Cyclomatic complexity. Color of the circle represents the Maintainability Index.

CakeDC’s recommendations in this area will help us reduce the amount of boilerplate code. It would also serve to improve maintainability and readability of passbolt’s codebase and ease the learning curve for developers joining the project.


“We have not found any performance issues in the code base.”

CakeDC also let us know that they didn’t find any performance issues even though they suggested some improvements related to missing indexes in the database tables definition. We also started working on some gatling tests to allow us to monitor any new changes impact on performance.


We have put a lot of effort into the migration to the new version CakePHP, and we’re happy and thankful that it would appear that we didn’t mess it up. Even though this effort did delay the rollout of some of the most expected features we believe this was the right time for passbolt, as it will serve as the foundations for some of the work in the following years to come. We will continue working on implementing the recommendations of this code reviews in the course of the next few months, we will keep track of all the issues and their status here.

Image for post
Image for post
fig. Status as of Jan 2018

We’re extremely thankful to CakeDC for their thorough review and for actively sharing their experiences and knowledge of the framework with us. Jorge, Andrej, Evgeny and Larry made clear and tangible proposals to improve the API and passbolt in general. This process has been a great learning opportunity for the team.

As for the next steps we are currently opening the v2-RC1 for testing to all volunteers, while the team now focuses on implementing long overdue new features such as Tags, Import and Exports. Feel free to get in touch with us at if you want to help with the testing!


open source password manager for teams

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store