zhongwei/gh-dhofheinz-open-plugins-plugins-10x-fullstack-engineer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Zhongwei Li
2025-11-29 18:20:21 +08:00
commit bbbaf7acad
63 changed files with 38552 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

704
commands/review/security.md Normal file
View File

@@ -0,0 +1,704 @@
# Security-Focused Code Review
Performs a comprehensive security audit focusing on authentication, authorization, input validation, data protection, and OWASP Top 10 vulnerabilities.
## Parameters
**Received from router**: `$ARGUMENTS` (after removing 'security' operation)
Expected format: `scope:"review-scope" [depth:"quick|standard|deep"]`
## Workflow
### 1. Parse Parameters
Extract from $ARGUMENTS:
- **scope**: What to review (required) - payment module, auth system, API endpoints, etc.
- **depth**: Security audit thoroughness (default: "deep" for security reviews)
### 2. Gather Context
**Understand the Security Surface**:
```bash
# Identify entry points
find . -name "*.ts" -o -name "*.js" -o -name "*.py" -o -name "*.go" | xargs grep -l "router\|app\.\(get\|post\|put\|delete\)\|@app\.route\|http\.HandleFunc" | head -20
# Check for authentication middleware
grep -r "auth\|jwt\|session" --include="*.ts" --include="*.js" --include="*.py" | head -20
# Find environment variable usage
grep -r "process\.env\|os\.getenv\|os\.environ" --include="*.ts" --include="*.js" --include="*.py" | head -15
# Check dependencies for known vulnerabilities
npm audit || pip-audit || go list -m all | nancy sleuth || echo "Check package security"
# Look for database queries
grep -r "query\|execute\|SELECT\|INSERT\|UPDATE\|DELETE" --include="*.ts" --include="*.js" --include="*.py" | head -20
```
### 3. Authentication & Authorization Security
**Authentication Checks**:
- [ ] All protected endpoints have authentication middleware
- [ ] Authentication tokens are validated properly
- [ ] Token expiration is enforced
- [ ] Refresh tokens implemented securely
- [ ] Multi-factor authentication available for sensitive operations
- [ ] Account lockout after failed login attempts
- [ ] Password complexity requirements enforced
- [ ] Rate limiting on authentication endpoints
**Authorization Checks**:
- [ ] Role-based access control (RBAC) implemented
- [ ] Permission checks on every protected resource
- [ ] Users can only access their own data (unless admin)
- [ ] Horizontal privilege escalation prevented
- [ ] Vertical privilege escalation prevented
- [ ] Authorization checks on backend (never trust client)
**Session Management**:
- [ ] Secure session configuration (HttpOnly, Secure, SameSite flags)
- [ ] Session timeout configured appropriately
- [ ] Session invalidation on logout
- [ ] No session fixation vulnerabilities
- [ ] Session tokens are cryptographically random
**Code Examples - Authentication**:
```typescript
// ❌ CRITICAL: No authentication check
app.get('/api/user/:id/profile', async (req, res) => {
const user = await User.findById(req.params.id);
res.json(user);
});
// ✅ GOOD: Authentication required
app.get('/api/user/:id/profile', requireAuth, async (req, res) => {
const user = await User.findById(req.params.id);
res.json(user);
});
// ✅ BETTER: Authentication + authorization
app.get('/api/user/:id/profile', requireAuth, async (req, res) => {
// User can only access their own profile (unless admin)
if (req.user.id !== req.params.id && req.user.role !== 'admin') {
return res.status(403).json({ error: 'Forbidden' });
}
const user = await User.findById(req.params.id);
res.json(user);
});
```
```typescript
// ❌ CRITICAL: Weak JWT verification
const decoded = jwt.decode(token); // No verification!
req.user = decoded;
// ✅ GOOD: Proper JWT verification with secret
const decoded = jwt.verify(token, process.env.JWT_SECRET, {
algorithms: ['HS256'],
maxAge: '1h'
});
req.user = decoded;
```
### 4. Input Validation & Injection Prevention
**Input Validation**:
- [ ] All user inputs validated on backend
- [ ] Whitelist validation used (not blacklist)
- [ ] Input length limits enforced
- [ ] Data types validated
- [ ] File uploads validated (type, size, content)
- [ ] Email addresses validated properly
- [ ] URLs validated and sanitized
**SQL Injection Prevention**:
- [ ] Parameterized queries used (never string concatenation)
- [ ] ORM used correctly (no raw queries with user input)
- [ ] Stored procedures with parameterization
- [ ] Input sanitization for database queries
- [ ] Principle of least privilege for database users
**XSS Prevention**:
- [ ] Output encoding for all user-generated content
- [ ] Content Security Policy (CSP) headers configured
- [ ] HTML sanitization for rich text input
- [ ] No innerHTML with user data (use textContent)
- [ ] Template engines auto-escape by default
- [ ] React JSX auto-escapes (but check dangerouslySetInnerHTML)
**Command Injection Prevention**:
- [ ] No shell command execution with user input
- [ ] If shell commands necessary, use safe APIs
- [ ] Input validation for any system calls
- [ ] Whitelist allowed commands
**Path Traversal Prevention**:
- [ ] No file system access with user-controlled paths
- [ ] Path validation and sanitization
- [ ] Use safe path joining methods
- [ ] Restrict file access to specific directories
**Code Examples - Injection Prevention**:
```typescript
// ❌ CRITICAL: SQL Injection vulnerability
const email = req.body.email;
const query = `SELECT * FROM users WHERE email = '${email}'`;
const users = await db.query(query);
// ✅ GOOD: Parameterized query
const email = req.body.email;
const query = 'SELECT * FROM users WHERE email = ?';
const users = await db.query(query, [email]);
// ✅ BETTER: Using ORM with validation
const email = validateEmail(req.body.email); // Throws if invalid
const users = await User.findAll({ where: { email } });
```
```typescript
// ❌ CRITICAL: XSS vulnerability
const username = req.query.name;
res.send(`<h1>Welcome ${username}</h1>`);
// ✅ GOOD: Proper escaping
const username = escapeHtml(req.query.name);
res.send(`<h1>Welcome ${username}</h1>`);
// ✅ BETTER: Use template engine with auto-escaping
res.render('welcome', { username: req.query.name }); // Template auto-escapes
```
```typescript
// ❌ CRITICAL: Command injection
const filename = req.body.filename;
exec(`cat ${filename}`, (err, stdout) => {
res.send(stdout);
});
// ✅ GOOD: Use safe file reading
const filename = path.basename(req.body.filename); // Remove path traversal
const safePath = path.join('/safe/directory', filename);
const content = await fs.readFile(safePath, 'utf8');
res.send(content);
```
```typescript
// ❌ CRITICAL: Path traversal vulnerability
const file = req.query.file;
res.sendFile(`/public/${file}`);
// ✅ GOOD: Validated and restricted path
const file = path.basename(req.query.file); // Remove directory traversal
const safePath = path.join(__dirname, 'public', file);
// Ensure path is within allowed directory
if (!safePath.startsWith(path.join(__dirname, 'public'))) {
return res.status(400).send('Invalid file path');
}
res.sendFile(safePath);
```
### 5. Data Protection & Cryptography
**Data at Rest**:
- [ ] Sensitive data encrypted in database
- [ ] Proper encryption algorithm (AES-256)
- [ ] Encryption keys stored securely (not in code)
- [ ] Key rotation strategy implemented
- [ ] PII data identified and protected
**Data in Transit**:
- [ ] HTTPS/TLS enforced for all connections
- [ ] TLS 1.2+ required (TLS 1.0/1.1 disabled)
- [ ] Strong cipher suites configured
- [ ] HTTP Strict Transport Security (HSTS) enabled
- [ ] Certificate validation proper
**Password Security**:
- [ ] Passwords hashed with strong algorithm (bcrypt, argon2, scrypt)
- [ ] Salt used for each password
- [ ] No password length maximum (only minimum)
- [ ] Passwords never logged or stored in plain text
- [ ] Password reset tokens are cryptographically secure
- [ ] Password reset tokens expire
**Secrets Management**:
- [ ] No hardcoded secrets in code
- [ ] API keys in environment variables or secret manager
- [ ] Database credentials not in version control
- [ ] .env files in .gitignore
- [ ] Secrets rotation process exists
**Sensitive Data Handling**:
- [ ] Credit card numbers handled per PCI DSS
- [ ] PII minimized and protected
- [ ] No sensitive data in logs
- [ ] No sensitive data in URLs or query parameters
- [ ] Sensitive data masked in UI when appropriate
**Code Examples - Data Protection**:
```typescript
// ❌ CRITICAL: Hardcoded API key (example only - not a real key)
const apiKey = "sk_live_EXAMPLE_KEY_DO_NOT_HARDCODE_SECRETS";
// ✅ GOOD: Environment variable
const apiKey = process.env.STRIPE_API_KEY;
if (!apiKey) {
throw new Error('STRIPE_API_KEY not configured');
}
```
```typescript
// ❌ CRITICAL: Weak password hashing
const hashedPassword = md5(password); // MD5 is broken!
// ❌ BAD: SHA-256 without salt
const hashedPassword = crypto.createHash('sha256').update(password).digest('hex');
// ✅ GOOD: bcrypt with salt
const hashedPassword = await bcrypt.hash(password, 12); // Cost factor 12
```
```typescript
// ❌ CRITICAL: Sensitive data in logs
logger.info('User login', { email, password, creditCard });
// ✅ GOOD: No sensitive data
logger.info('User login', { email, userId });
```
```typescript
// ❌ CRITICAL: Weak random token
const resetToken = Math.random().toString(36);
// ✅ GOOD: Cryptographically secure random token
const resetToken = crypto.randomBytes(32).toString('hex');
```
### 6. CSRF & CORS Security
**CSRF Protection**:
- [ ] CSRF tokens implemented for state-changing operations
- [ ] SameSite cookie attribute set
- [ ] Double-submit cookie pattern used
- [ ] Custom headers required for AJAX requests
- [ ] Origin/Referer validation
**CORS Configuration**:
- [ ] CORS whitelist configured (not wildcard in production)
- [ ] Credentials allowed only for trusted origins
- [ ] Preflight requests handled correctly
- [ ] Access-Control-Max-Age set appropriately
**Code Examples - CSRF/CORS**:
```typescript
// ❌ CRITICAL: CORS allows all origins
app.use(cors({ origin: '*', credentials: true }));
// ✅ GOOD: CORS whitelist
const allowedOrigins = ['https://app.example.com', 'https://admin.example.com'];
app.use(cors({
origin: (origin, callback) => {
if (!origin || allowedOrigins.includes(origin)) {
callback(null, true);
} else {
callback(new Error('Not allowed by CORS'));
}
},
credentials: true
}));
```
```typescript
// ❌ CRITICAL: No CSRF protection
app.post('/api/transfer-money', async (req, res) => {
await transferMoney(req.body);
res.json({ success: true });
});
// ✅ GOOD: CSRF token validation
app.post('/api/transfer-money', csrfProtection, async (req, res) => {
await transferMoney(req.body);
res.json({ success: true });
});
```
### 7. Security Headers
**Required Security Headers**:
- [ ] Content-Security-Policy (CSP)
- [ ] X-Content-Type-Options: nosniff
- [ ] X-Frame-Options: DENY or SAMEORIGIN
- [ ] X-XSS-Protection: 1; mode=block
- [ ] Strict-Transport-Security (HSTS)
- [ ] Referrer-Policy: strict-origin-when-cross-origin
- [ ] Permissions-Policy (formerly Feature-Policy)
**Code Example - Security Headers**:
```typescript
// ✅ GOOD: Security headers configured
app.use(helmet({
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'"],
styleSrc: ["'self'", "'unsafe-inline'"],
scriptSrc: ["'self'"],
imgSrc: ["'self'", "data:", "https:"],
},
},
hsts: {
maxAge: 31536000,
includeSubDomains: true,
preload: true
},
frameguard: {
action: 'deny'
}
}));
```
### 8. Dependency Security
**Vulnerability Scanning**:
```bash
# Node.js
npm audit
npm audit fix
# Python
pip-audit
safety check
# Go
go list -m all | nancy sleuth
# Check for outdated packages
npm outdated
pip list --outdated
```
**Dependencies Review**:
- [ ] No known critical vulnerabilities
- [ ] Dependencies up to date
- [ ] Unnecessary dependencies removed
- [ ] Development dependencies separate from production
- [ ] Lock files committed (package-lock.json, poetry.lock, go.sum)
- [ ] Automated dependency updates configured (Dependabot, Renovate)
### 9. Error Handling & Information Disclosure
**Secure Error Handling**:
- [ ] Error messages don't leak sensitive information
- [ ] Stack traces not shown to users in production
- [ ] Database errors sanitized
- [ ] Generic error messages for authentication failures
- [ ] Detailed errors logged server-side only
- [ ] No verbose debug output in production
**Code Examples - Error Handling**:
```typescript
// ❌ CRITICAL: Information disclosure
app.get('/api/user/:id', async (req, res) => {
try {
const user = await User.findById(req.params.id);
res.json(user);
} catch (error) {
// Exposes database details and stack trace!
res.status(500).json({ error: error.message, stack: error.stack });
}
});
// ✅ GOOD: Generic error, detailed logging
app.get('/api/user/:id', async (req, res) => {
try {
const user = await User.findById(req.params.id);
res.json(user);
} catch (error) {
logger.error('Error fetching user', { userId: req.params.id, error });
res.status(500).json({ error: 'An error occurred processing your request' });
}
});
```
```typescript
// ❌ CRITICAL: Authentication error reveals if user exists
if (!user) {
return res.status(401).json({ error: 'User not found' });
}
if (!await bcrypt.compare(password, user.password)) {
return res.status(401).json({ error: 'Invalid password' });
}
// ✅ GOOD: Generic authentication error
const user = await User.findByEmail(email);
const isValidPassword = user && await bcrypt.compare(password, user.password);
if (!user || !isValidPassword) {
return res.status(401).json({ error: 'Invalid credentials' });
}
```
### 10. OWASP Top 10 Comprehensive Check
**A01: Broken Access Control**
- [ ] Authorization checks on all protected resources
- [ ] Users cannot access other users' data
- [ ] Insecure direct object references prevented
- [ ] API rate limiting implemented
**A02: Cryptographic Failures**
- [ ] Sensitive data encrypted at rest and in transit
- [ ] Strong encryption algorithms used
- [ ] No hardcoded encryption keys
- [ ] TLS/HTTPS enforced
**A03: Injection**
- [ ] Parameterized queries for SQL
- [ ] Input validation and sanitization
- [ ] NoSQL injection prevented
- [ ] Command injection prevented
- [ ] LDAP/XML injection prevented
**A04: Insecure Design**
- [ ] Threat modeling performed
- [ ] Security requirements defined
- [ ] Secure design patterns used
- [ ] Separation of concerns enforced
**A05: Security Misconfiguration**
- [ ] Security headers configured
- [ ] Default passwords changed
- [ ] Unnecessary features disabled
- [ ] Error messages don't leak information
- [ ] Security patches applied
**A06: Vulnerable and Outdated Components**
- [ ] Dependencies up to date
- [ ] No known vulnerable packages
- [ ] Unused dependencies removed
- [ ] Automated vulnerability scanning
**A07: Identification and Authentication Failures**
- [ ] Strong password policy
- [ ] MFA available
- [ ] Account lockout implemented
- [ ] Session management secure
- [ ] Credential stuffing prevented
**A08: Software and Data Integrity Failures**
- [ ] Digital signatures verified
- [ ] CI/CD pipeline secured
- [ ] Untrusted deserialization prevented
- [ ] Supply chain security considered
**A09: Security Logging and Monitoring Failures**
- [ ] Security events logged
- [ ] Failed login attempts logged
- [ ] Logs protected from tampering
- [ ] Alerting configured for anomalies
- [ ] Audit trail maintained
**A10: Server-Side Request Forgery (SSRF)**
- [ ] URLs validated before fetching
- [ ] Whitelist of allowed domains
- [ ] No access to internal networks
- [ ] DNS rebinding prevented
## Review Depth Implementation
**Quick Depth** (10-15 min):
- Focus only on critical vulnerabilities
- Check for common security mistakes
- Review authentication and authorization
- Check for SQL injection and XSS
**Standard Depth** (30-40 min):
- All OWASP Top 10 categories
- Review security headers
- Check dependency vulnerabilities
- Review error handling
- Validate input sanitization
**Deep Depth** (60-90+ min):
- Comprehensive security audit
- Threat modeling for reviewed scope
- Architecture security review
- Complete OWASP Top 10 assessment
- Penetration testing recommendations
- Security test coverage review
- Compliance considerations (GDPR, PCI DSS)
## Output Format
```markdown
# Security Review: [Scope]
## Executive Summary
**Reviewed**: [What was reviewed]
**Depth**: [Quick|Standard|Deep]
**Security Risk**: [Low|Medium|High|Critical]
### Overall Security Posture
**[Secure|Minor Issues|Significant Concerns|Critical Vulnerabilities]**
[Brief explanation]
### Immediate Actions Required
1. [Critical issue 1]
2. [Critical issue 2]
---
## Critical Security Issues 🚨
### [Issue 1 Title]
**File**: `path/to/file.ts:42`
**Vulnerability Type**: [SQL Injection|XSS|Authentication Bypass|etc.]
**OWASP Category**: [A01-A10]
**Risk Level**: Critical
**Attack Vector**: [How this could be exploited]
**Impact**: [Data breach, unauthorized access, etc.]
**Remediation**: [Specific fix]
```typescript
// Current code (vulnerable)
[vulnerable code]
// Secure implementation
[secure code]
```
**Testing**: [How to verify the fix]
[Repeat for each critical issue]
---
## High Risk Issues ⚠️
[Similar format for high risk issues]
---
## Medium Risk Issues
[Similar format for medium risk issues]
---
## Low Risk Issues 💡
[Similar format for low risk issues]
---
## OWASP Top 10 Assessment
| Category | Status | Findings |
|----------|--------|----------|
| A01: Broken Access Control | ✅ Pass / ⚠️ Issues / ❌ Fail | [Details] |
| A02: Cryptographic Failures | ✅ Pass / ⚠️ Issues / ❌ Fail | [Details] |
| A03: Injection | ✅ Pass / ⚠️ Issues / ❌ Fail | [Details] |
| A04: Insecure Design | ✅ Pass / ⚠️ Issues / ❌ Fail | [Details] |
| A05: Security Misconfiguration | ✅ Pass / ⚠️ Issues / ❌ Fail | [Details] |
| A06: Vulnerable Components | ✅ Pass / ⚠️ Issues / ❌ Fail | [Details] |
| A07: Authentication Failures | ✅ Pass / ⚠️ Issues / ❌ Fail | [Details] |
| A08: Software Integrity Failures | ✅ Pass / ⚠️ Issues / ❌ Fail | [Details] |
| A09: Logging Failures | ✅ Pass / ⚠️ Issues / ❌ Fail | [Details] |
| A10: SSRF | ✅ Pass / ⚠️ Issues / ❌ Fail | [Details] |
---
## Security Strengths ✅
- ✅ [Security practice done well]
- ✅ [Security practice done well]
---
## Dependency Vulnerabilities
**Scan Results**:
```
[Output from npm audit, pip-audit, etc.]
```
**Critical Vulnerabilities**: [Count]
**High Vulnerabilities**: [Count]
**Recommendations**: [Update strategy]
---
## Security Headers Analysis
| Header | Configured | Recommendation |
|--------|-----------|----------------|
| Content-Security-Policy | ✅ / ❌ | [Details] |
| Strict-Transport-Security | ✅ / ❌ | [Details] |
| X-Content-Type-Options | ✅ / ❌ | [Details] |
| X-Frame-Options | ✅ / ❌ | [Details] |
---
## Remediation Roadmap
### Immediate (This Week)
- [ ] [Critical fix 1]
- [ ] [Critical fix 2]
### Short-term (This Month)
- [ ] [High priority fix 1]
- [ ] [High priority fix 2]
### Long-term (This Quarter)
- [ ] [Strategic improvement 1]
- [ ] [Security hardening 2]
---
## Security Testing Recommendations
1. [Penetration testing for X]
2. [Security automation for Y]
3. [Ongoing monitoring for Z]
---
## Compliance Considerations
- **GDPR**: [Relevant considerations]
- **PCI DSS**: [If handling payment data]
- **HIPAA**: [If handling health data]
- **SOC 2**: [If enterprise software]
---
## Review Metadata
- **Reviewer**: 10x Fullstack Engineer (Security Focus)
- **Review Date**: [Date]
- **Security Issues**: Critical: X, High: X, Medium: X, Low: X
```
## Agent Invocation
This operation MUST leverage the **10x-fullstack-engineer** agent with security expertise.
## Best Practices
1. **Assume Breach Mindset**: Think like an attacker
2. **Defense in Depth**: Multiple layers of security
3. **Principle of Least Privilege**: Minimal permissions necessary
4. **Fail Securely**: Default to denial of access
5. **Don't Trust User Input**: Validate everything
6. **Keep Security Simple**: Complexity is the enemy of security