20 KiB
20 KiB
Security-Focused Code Review
Performs a comprehensive security audit focusing on authentication, authorization, input validation, data protection, and OWASP Top 10 vulnerabilities.
Parameters
Received from router: $ARGUMENTS (after removing 'security' operation)
Expected format: scope:"review-scope" [depth:"quick|standard|deep"]
Workflow
1. Parse Parameters
Extract from $ARGUMENTS:
- scope: What to review (required) - payment module, auth system, API endpoints, etc.
- depth: Security audit thoroughness (default: "deep" for security reviews)
2. Gather Context
Understand the Security Surface:
# Identify entry points
find . -name "*.ts" -o -name "*.js" -o -name "*.py" -o -name "*.go" | xargs grep -l "router\|app\.\(get\|post\|put\|delete\)\|@app\.route\|http\.HandleFunc" | head -20
# Check for authentication middleware
grep -r "auth\|jwt\|session" --include="*.ts" --include="*.js" --include="*.py" | head -20
# Find environment variable usage
grep -r "process\.env\|os\.getenv\|os\.environ" --include="*.ts" --include="*.js" --include="*.py" | head -15
# Check dependencies for known vulnerabilities
npm audit || pip-audit || go list -m all | nancy sleuth || echo "Check package security"
# Look for database queries
grep -r "query\|execute\|SELECT\|INSERT\|UPDATE\|DELETE" --include="*.ts" --include="*.js" --include="*.py" | head -20
3. Authentication & Authorization Security
Authentication Checks:
- All protected endpoints have authentication middleware
- Authentication tokens are validated properly
- Token expiration is enforced
- Refresh tokens implemented securely
- Multi-factor authentication available for sensitive operations
- Account lockout after failed login attempts
- Password complexity requirements enforced
- Rate limiting on authentication endpoints
Authorization Checks:
- Role-based access control (RBAC) implemented
- Permission checks on every protected resource
- Users can only access their own data (unless admin)
- Horizontal privilege escalation prevented
- Vertical privilege escalation prevented
- Authorization checks on backend (never trust client)
Session Management:
- Secure session configuration (HttpOnly, Secure, SameSite flags)
- Session timeout configured appropriately
- Session invalidation on logout
- No session fixation vulnerabilities
- Session tokens are cryptographically random
Code Examples - Authentication:
// ❌ CRITICAL: No authentication check
app.get('/api/user/:id/profile', async (req, res) => {
const user = await User.findById(req.params.id);
res.json(user);
});
// ✅ GOOD: Authentication required
app.get('/api/user/:id/profile', requireAuth, async (req, res) => {
const user = await User.findById(req.params.id);
res.json(user);
});
// ✅ BETTER: Authentication + authorization
app.get('/api/user/:id/profile', requireAuth, async (req, res) => {
// User can only access their own profile (unless admin)
if (req.user.id !== req.params.id && req.user.role !== 'admin') {
return res.status(403).json({ error: 'Forbidden' });
}
const user = await User.findById(req.params.id);
res.json(user);
});
// ❌ CRITICAL: Weak JWT verification
const decoded = jwt.decode(token); // No verification!
req.user = decoded;
// ✅ GOOD: Proper JWT verification with secret
const decoded = jwt.verify(token, process.env.JWT_SECRET, {
algorithms: ['HS256'],
maxAge: '1h'
});
req.user = decoded;
4. Input Validation & Injection Prevention
Input Validation:
- All user inputs validated on backend
- Whitelist validation used (not blacklist)
- Input length limits enforced
- Data types validated
- File uploads validated (type, size, content)
- Email addresses validated properly
- URLs validated and sanitized
SQL Injection Prevention:
- Parameterized queries used (never string concatenation)
- ORM used correctly (no raw queries with user input)
- Stored procedures with parameterization
- Input sanitization for database queries
- Principle of least privilege for database users
XSS Prevention:
- Output encoding for all user-generated content
- Content Security Policy (CSP) headers configured
- HTML sanitization for rich text input
- No innerHTML with user data (use textContent)
- Template engines auto-escape by default
- React JSX auto-escapes (but check dangerouslySetInnerHTML)
Command Injection Prevention:
- No shell command execution with user input
- If shell commands necessary, use safe APIs
- Input validation for any system calls
- Whitelist allowed commands
Path Traversal Prevention:
- No file system access with user-controlled paths
- Path validation and sanitization
- Use safe path joining methods
- Restrict file access to specific directories
Code Examples - Injection Prevention:
// ❌ CRITICAL: SQL Injection vulnerability
const email = req.body.email;
const query = `SELECT * FROM users WHERE email = '${email}'`;
const users = await db.query(query);
// ✅ GOOD: Parameterized query
const email = req.body.email;
const query = 'SELECT * FROM users WHERE email = ?';
const users = await db.query(query, [email]);
// ✅ BETTER: Using ORM with validation
const email = validateEmail(req.body.email); // Throws if invalid
const users = await User.findAll({ where: { email } });
// ❌ CRITICAL: XSS vulnerability
const username = req.query.name;
res.send(`<h1>Welcome ${username}</h1>`);
// ✅ GOOD: Proper escaping
const username = escapeHtml(req.query.name);
res.send(`<h1>Welcome ${username}</h1>`);
// ✅ BETTER: Use template engine with auto-escaping
res.render('welcome', { username: req.query.name }); // Template auto-escapes
// ❌ CRITICAL: Command injection
const filename = req.body.filename;
exec(`cat ${filename}`, (err, stdout) => {
res.send(stdout);
});
// ✅ GOOD: Use safe file reading
const filename = path.basename(req.body.filename); // Remove path traversal
const safePath = path.join('/safe/directory', filename);
const content = await fs.readFile(safePath, 'utf8');
res.send(content);
// ❌ CRITICAL: Path traversal vulnerability
const file = req.query.file;
res.sendFile(`/public/${file}`);
// ✅ GOOD: Validated and restricted path
const file = path.basename(req.query.file); // Remove directory traversal
const safePath = path.join(__dirname, 'public', file);
// Ensure path is within allowed directory
if (!safePath.startsWith(path.join(__dirname, 'public'))) {
return res.status(400).send('Invalid file path');
}
res.sendFile(safePath);
5. Data Protection & Cryptography
Data at Rest:
- Sensitive data encrypted in database
- Proper encryption algorithm (AES-256)
- Encryption keys stored securely (not in code)
- Key rotation strategy implemented
- PII data identified and protected
Data in Transit:
- HTTPS/TLS enforced for all connections
- TLS 1.2+ required (TLS 1.0/1.1 disabled)
- Strong cipher suites configured
- HTTP Strict Transport Security (HSTS) enabled
- Certificate validation proper
Password Security:
- Passwords hashed with strong algorithm (bcrypt, argon2, scrypt)
- Salt used for each password
- No password length maximum (only minimum)
- Passwords never logged or stored in plain text
- Password reset tokens are cryptographically secure
- Password reset tokens expire
Secrets Management:
- No hardcoded secrets in code
- API keys in environment variables or secret manager
- Database credentials not in version control
- .env files in .gitignore
- Secrets rotation process exists
Sensitive Data Handling:
- Credit card numbers handled per PCI DSS
- PII minimized and protected
- No sensitive data in logs
- No sensitive data in URLs or query parameters
- Sensitive data masked in UI when appropriate
Code Examples - Data Protection:
// ❌ CRITICAL: Hardcoded API key (example only - not a real key)
const apiKey = "sk_live_EXAMPLE_KEY_DO_NOT_HARDCODE_SECRETS";
// ✅ GOOD: Environment variable
const apiKey = process.env.STRIPE_API_KEY;
if (!apiKey) {
throw new Error('STRIPE_API_KEY not configured');
}
// ❌ CRITICAL: Weak password hashing
const hashedPassword = md5(password); // MD5 is broken!
// ❌ BAD: SHA-256 without salt
const hashedPassword = crypto.createHash('sha256').update(password).digest('hex');
// ✅ GOOD: bcrypt with salt
const hashedPassword = await bcrypt.hash(password, 12); // Cost factor 12
// ❌ CRITICAL: Sensitive data in logs
logger.info('User login', { email, password, creditCard });
// ✅ GOOD: No sensitive data
logger.info('User login', { email, userId });
// ❌ CRITICAL: Weak random token
const resetToken = Math.random().toString(36);
// ✅ GOOD: Cryptographically secure random token
const resetToken = crypto.randomBytes(32).toString('hex');
6. CSRF & CORS Security
CSRF Protection:
- CSRF tokens implemented for state-changing operations
- SameSite cookie attribute set
- Double-submit cookie pattern used
- Custom headers required for AJAX requests
- Origin/Referer validation
CORS Configuration:
- CORS whitelist configured (not wildcard in production)
- Credentials allowed only for trusted origins
- Preflight requests handled correctly
- Access-Control-Max-Age set appropriately
Code Examples - CSRF/CORS:
// ❌ CRITICAL: CORS allows all origins
app.use(cors({ origin: '*', credentials: true }));
// ✅ GOOD: CORS whitelist
const allowedOrigins = ['https://app.example.com', 'https://admin.example.com'];
app.use(cors({
origin: (origin, callback) => {
if (!origin || allowedOrigins.includes(origin)) {
callback(null, true);
} else {
callback(new Error('Not allowed by CORS'));
}
},
credentials: true
}));
// ❌ CRITICAL: No CSRF protection
app.post('/api/transfer-money', async (req, res) => {
await transferMoney(req.body);
res.json({ success: true });
});
// ✅ GOOD: CSRF token validation
app.post('/api/transfer-money', csrfProtection, async (req, res) => {
await transferMoney(req.body);
res.json({ success: true });
});
7. Security Headers
Required Security Headers:
- Content-Security-Policy (CSP)
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY or SAMEORIGIN
- X-XSS-Protection: 1; mode=block
- Strict-Transport-Security (HSTS)
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy (formerly Feature-Policy)
Code Example - Security Headers:
// ✅ GOOD: Security headers configured
app.use(helmet({
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'"],
styleSrc: ["'self'", "'unsafe-inline'"],
scriptSrc: ["'self'"],
imgSrc: ["'self'", "data:", "https:"],
},
},
hsts: {
maxAge: 31536000,
includeSubDomains: true,
preload: true
},
frameguard: {
action: 'deny'
}
}));
8. Dependency Security
Vulnerability Scanning:
# Node.js
npm audit
npm audit fix
# Python
pip-audit
safety check
# Go
go list -m all | nancy sleuth
# Check for outdated packages
npm outdated
pip list --outdated
Dependencies Review:
- No known critical vulnerabilities
- Dependencies up to date
- Unnecessary dependencies removed
- Development dependencies separate from production
- Lock files committed (package-lock.json, poetry.lock, go.sum)
- Automated dependency updates configured (Dependabot, Renovate)
9. Error Handling & Information Disclosure
Secure Error Handling:
- Error messages don't leak sensitive information
- Stack traces not shown to users in production
- Database errors sanitized
- Generic error messages for authentication failures
- Detailed errors logged server-side only
- No verbose debug output in production
Code Examples - Error Handling:
// ❌ CRITICAL: Information disclosure
app.get('/api/user/:id', async (req, res) => {
try {
const user = await User.findById(req.params.id);
res.json(user);
} catch (error) {
// Exposes database details and stack trace!
res.status(500).json({ error: error.message, stack: error.stack });
}
});
// ✅ GOOD: Generic error, detailed logging
app.get('/api/user/:id', async (req, res) => {
try {
const user = await User.findById(req.params.id);
res.json(user);
} catch (error) {
logger.error('Error fetching user', { userId: req.params.id, error });
res.status(500).json({ error: 'An error occurred processing your request' });
}
});
// ❌ CRITICAL: Authentication error reveals if user exists
if (!user) {
return res.status(401).json({ error: 'User not found' });
}
if (!await bcrypt.compare(password, user.password)) {
return res.status(401).json({ error: 'Invalid password' });
}
// ✅ GOOD: Generic authentication error
const user = await User.findByEmail(email);
const isValidPassword = user && await bcrypt.compare(password, user.password);
if (!user || !isValidPassword) {
return res.status(401).json({ error: 'Invalid credentials' });
}
10. OWASP Top 10 Comprehensive Check
A01: Broken Access Control
- Authorization checks on all protected resources
- Users cannot access other users' data
- Insecure direct object references prevented
- API rate limiting implemented
A02: Cryptographic Failures
- Sensitive data encrypted at rest and in transit
- Strong encryption algorithms used
- No hardcoded encryption keys
- TLS/HTTPS enforced
A03: Injection
- Parameterized queries for SQL
- Input validation and sanitization
- NoSQL injection prevented
- Command injection prevented
- LDAP/XML injection prevented
A04: Insecure Design
- Threat modeling performed
- Security requirements defined
- Secure design patterns used
- Separation of concerns enforced
A05: Security Misconfiguration
- Security headers configured
- Default passwords changed
- Unnecessary features disabled
- Error messages don't leak information
- Security patches applied
A06: Vulnerable and Outdated Components
- Dependencies up to date
- No known vulnerable packages
- Unused dependencies removed
- Automated vulnerability scanning
A07: Identification and Authentication Failures
- Strong password policy
- MFA available
- Account lockout implemented
- Session management secure
- Credential stuffing prevented
A08: Software and Data Integrity Failures
- Digital signatures verified
- CI/CD pipeline secured
- Untrusted deserialization prevented
- Supply chain security considered
A09: Security Logging and Monitoring Failures
- Security events logged
- Failed login attempts logged
- Logs protected from tampering
- Alerting configured for anomalies
- Audit trail maintained
A10: Server-Side Request Forgery (SSRF)
- URLs validated before fetching
- Whitelist of allowed domains
- No access to internal networks
- DNS rebinding prevented
Review Depth Implementation
Quick Depth (10-15 min):
- Focus only on critical vulnerabilities
- Check for common security mistakes
- Review authentication and authorization
- Check for SQL injection and XSS
Standard Depth (30-40 min):
- All OWASP Top 10 categories
- Review security headers
- Check dependency vulnerabilities
- Review error handling
- Validate input sanitization
Deep Depth (60-90+ min):
- Comprehensive security audit
- Threat modeling for reviewed scope
- Architecture security review
- Complete OWASP Top 10 assessment
- Penetration testing recommendations
- Security test coverage review
- Compliance considerations (GDPR, PCI DSS)
Output Format
# Security Review: [Scope]
## Executive Summary
**Reviewed**: [What was reviewed]
**Depth**: [Quick|Standard|Deep]
**Security Risk**: [Low|Medium|High|Critical]
### Overall Security Posture
**[Secure|Minor Issues|Significant Concerns|Critical Vulnerabilities]**
[Brief explanation]
### Immediate Actions Required
1. [Critical issue 1]
2. [Critical issue 2]
---
## Critical Security Issues 🚨
### [Issue 1 Title]
**File**: `path/to/file.ts:42`
**Vulnerability Type**: [SQL Injection|XSS|Authentication Bypass|etc.]
**OWASP Category**: [A01-A10]
**Risk Level**: Critical
**Attack Vector**: [How this could be exploited]
**Impact**: [Data breach, unauthorized access, etc.]
**Remediation**: [Specific fix]
```typescript
// Current code (vulnerable)
[vulnerable code]
// Secure implementation
[secure code]
Testing: [How to verify the fix]
[Repeat for each critical issue]
High Risk Issues ⚠️
[Similar format for high risk issues]
Medium Risk Issues ℹ️
[Similar format for medium risk issues]
Low Risk Issues 💡
[Similar format for low risk issues]
OWASP Top 10 Assessment
| Category | Status | Findings |
|---|---|---|
| A01: Broken Access Control | ✅ Pass / ⚠️ Issues / ❌ Fail | [Details] |
| A02: Cryptographic Failures | ✅ Pass / ⚠️ Issues / ❌ Fail | [Details] |
| A03: Injection | ✅ Pass / ⚠️ Issues / ❌ Fail | [Details] |
| A04: Insecure Design | ✅ Pass / ⚠️ Issues / ❌ Fail | [Details] |
| A05: Security Misconfiguration | ✅ Pass / ⚠️ Issues / ❌ Fail | [Details] |
| A06: Vulnerable Components | ✅ Pass / ⚠️ Issues / ❌ Fail | [Details] |
| A07: Authentication Failures | ✅ Pass / ⚠️ Issues / ❌ Fail | [Details] |
| A08: Software Integrity Failures | ✅ Pass / ⚠️ Issues / ❌ Fail | [Details] |
| A09: Logging Failures | ✅ Pass / ⚠️ Issues / ❌ Fail | [Details] |
| A10: SSRF | ✅ Pass / ⚠️ Issues / ❌ Fail | [Details] |
Security Strengths ✅
- ✅ [Security practice done well]
- ✅ [Security practice done well]
Dependency Vulnerabilities
Scan Results:
[Output from npm audit, pip-audit, etc.]
Critical Vulnerabilities: [Count] High Vulnerabilities: [Count] Recommendations: [Update strategy]
Security Headers Analysis
| Header | Configured | Recommendation |
|---|---|---|
| Content-Security-Policy | ✅ / ❌ | [Details] |
| Strict-Transport-Security | ✅ / ❌ | [Details] |
| X-Content-Type-Options | ✅ / ❌ | [Details] |
| X-Frame-Options | ✅ / ❌ | [Details] |
Remediation Roadmap
Immediate (This Week)
- [Critical fix 1]
- [Critical fix 2]
Short-term (This Month)
- [High priority fix 1]
- [High priority fix 2]
Long-term (This Quarter)
- [Strategic improvement 1]
- [Security hardening 2]
Security Testing Recommendations
- [Penetration testing for X]
- [Security automation for Y]
- [Ongoing monitoring for Z]
Compliance Considerations
- GDPR: [Relevant considerations]
- PCI DSS: [If handling payment data]
- HIPAA: [If handling health data]
- SOC 2: [If enterprise software]
Review Metadata
- Reviewer: 10x Fullstack Engineer (Security Focus)
- Review Date: [Date]
- Security Issues: Critical: X, High: X, Medium: X, Low: X
## Agent Invocation
This operation MUST leverage the **10x-fullstack-engineer** agent with security expertise.
## Best Practices
1. **Assume Breach Mindset**: Think like an attacker
2. **Defense in Depth**: Multiple layers of security
3. **Principle of Least Privilege**: Minimal permissions necessary
4. **Fail Securely**: Default to denial of access
5. **Don't Trust User Input**: Validate everything
6. **Keep Security Simple**: Complexity is the enemy of security