@brunosps00/dev-workflow 0.0.5 → 0.0.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/bin/dev-workflow.js +6 -4
- package/lib/constants.js +11 -0
- package/lib/init.js +36 -12
- package/lib/wrappers.js +8 -2
- package/package.json +1 -1
- package/scaffold/pt-br/commands/dw-analyze-project.md +3 -3
- package/scaffold/pt-br/commands/dw-bugfix.md +6 -6
- package/scaffold/pt-br/commands/dw-code-review.md +2 -2
- package/scaffold/pt-br/commands/dw-create-tasks.md +4 -4
- package/scaffold/pt-br/commands/dw-generate-pr.md +3 -3
- package/scaffold/pt-br/commands/dw-help.md +50 -50
- package/scaffold/pt-br/commands/dw-review-implementation.md +3 -3
- package/scaffold/pt-br/commands/dw-run-plan.md +8 -8
- package/scaffold/pt-br/commands/dw-run-task.md +3 -3
- package/scaffold/pt-br/templates/tasks-template.md +2 -2
- package/scaffold/skills/agent-browser/SKILL.md +750 -0
- package/scaffold/skills/agent-browser/references/authentication.md +303 -0
- package/scaffold/skills/agent-browser/references/commands.md +295 -0
- package/scaffold/skills/agent-browser/references/profiling.md +120 -0
- package/scaffold/skills/agent-browser/references/proxy-support.md +194 -0
- package/scaffold/skills/agent-browser/references/session-management.md +193 -0
- package/scaffold/skills/agent-browser/references/snapshot-refs.md +219 -0
- package/scaffold/skills/agent-browser/references/video-recording.md +173 -0
- package/scaffold/skills/agent-browser/templates/authenticated-session.sh +105 -0
- package/scaffold/skills/agent-browser/templates/capture-workflow.sh +69 -0
- package/scaffold/skills/agent-browser/templates/form-automation.sh +62 -0
- package/scaffold/skills/humanizer/README.md +143 -0
- package/scaffold/skills/humanizer/SKILL.md +488 -0
- package/scaffold/skills/humanizer/WARP.md +53 -0
- package/scaffold/skills/remotion-best-practices/SKILL.md +61 -0
- package/scaffold/skills/remotion-best-practices/rules/3d.md +86 -0
- package/scaffold/skills/remotion-best-practices/rules/animations.md +27 -0
- package/scaffold/skills/remotion-best-practices/rules/assets/charts-bar-chart.tsx +173 -0
- package/scaffold/skills/remotion-best-practices/rules/assets/text-animations-typewriter.tsx +100 -0
- package/scaffold/skills/remotion-best-practices/rules/assets/text-animations-word-highlight.tsx +103 -0
- package/scaffold/skills/remotion-best-practices/rules/assets.md +78 -0
- package/scaffold/skills/remotion-best-practices/rules/audio-visualization.md +198 -0
- package/scaffold/skills/remotion-best-practices/rules/audio.md +169 -0
- package/scaffold/skills/remotion-best-practices/rules/calculate-metadata.md +134 -0
- package/scaffold/skills/remotion-best-practices/rules/can-decode.md +75 -0
- package/scaffold/skills/remotion-best-practices/rules/charts.md +120 -0
- package/scaffold/skills/remotion-best-practices/rules/compositions.md +154 -0
- package/scaffold/skills/remotion-best-practices/rules/display-captions.md +184 -0
- package/scaffold/skills/remotion-best-practices/rules/extract-frames.md +229 -0
- package/scaffold/skills/remotion-best-practices/rules/ffmpeg.md +38 -0
- package/scaffold/skills/remotion-best-practices/rules/fonts.md +152 -0
- package/scaffold/skills/remotion-best-practices/rules/get-audio-duration.md +58 -0
- package/scaffold/skills/remotion-best-practices/rules/get-video-dimensions.md +68 -0
- package/scaffold/skills/remotion-best-practices/rules/get-video-duration.md +60 -0
- package/scaffold/skills/remotion-best-practices/rules/gifs.md +141 -0
- package/scaffold/skills/remotion-best-practices/rules/images.md +134 -0
- package/scaffold/skills/remotion-best-practices/rules/import-srt-captions.md +69 -0
- package/scaffold/skills/remotion-best-practices/rules/light-leaks.md +73 -0
- package/scaffold/skills/remotion-best-practices/rules/lottie.md +70 -0
- package/scaffold/skills/remotion-best-practices/rules/maps.md +412 -0
- package/scaffold/skills/remotion-best-practices/rules/measuring-dom-nodes.md +34 -0
- package/scaffold/skills/remotion-best-practices/rules/measuring-text.md +140 -0
- package/scaffold/skills/remotion-best-practices/rules/parameters.md +109 -0
- package/scaffold/skills/remotion-best-practices/rules/sequencing.md +118 -0
- package/scaffold/skills/remotion-best-practices/rules/sfx.md +26 -0
- package/scaffold/skills/remotion-best-practices/rules/subtitles.md +36 -0
- package/scaffold/skills/remotion-best-practices/rules/tailwind.md +11 -0
- package/scaffold/skills/remotion-best-practices/rules/text-animations.md +20 -0
- package/scaffold/skills/remotion-best-practices/rules/timing.md +179 -0
- package/scaffold/skills/remotion-best-practices/rules/transcribe-captions.md +70 -0
- package/scaffold/skills/remotion-best-practices/rules/transitions.md +197 -0
- package/scaffold/skills/remotion-best-practices/rules/transparent-videos.md +106 -0
- package/scaffold/skills/remotion-best-practices/rules/trimming.md +51 -0
- package/scaffold/skills/remotion-best-practices/rules/videos.md +171 -0
- package/scaffold/skills/remotion-best-practices/rules/voiceover.md +99 -0
- package/scaffold/skills/security-review/LICENSE +22 -0
- package/scaffold/skills/security-review/SKILL.md +312 -0
- package/scaffold/skills/security-review/infrastructure/docker.md +432 -0
- package/scaffold/skills/security-review/languages/javascript.md +388 -0
- package/scaffold/skills/security-review/languages/python.md +363 -0
- package/scaffold/skills/security-review/references/api-security.md +519 -0
- package/scaffold/skills/security-review/references/authentication.md +353 -0
- package/scaffold/skills/security-review/references/authorization.md +372 -0
- package/scaffold/skills/security-review/references/business-logic.md +443 -0
- package/scaffold/skills/security-review/references/cryptography.md +329 -0
- package/scaffold/skills/security-review/references/csrf.md +398 -0
- package/scaffold/skills/security-review/references/data-protection.md +378 -0
- package/scaffold/skills/security-review/references/deserialization.md +410 -0
- package/scaffold/skills/security-review/references/error-handling.md +436 -0
- package/scaffold/skills/security-review/references/file-security.md +457 -0
- package/scaffold/skills/security-review/references/injection.md +259 -0
- package/scaffold/skills/security-review/references/logging.md +433 -0
- package/scaffold/skills/security-review/references/misconfiguration.md +435 -0
- package/scaffold/skills/security-review/references/modern-threats.md +475 -0
- package/scaffold/skills/security-review/references/ssrf.md +415 -0
- package/scaffold/skills/security-review/references/supply-chain.md +405 -0
- package/scaffold/skills/security-review/references/xss.md +336 -0
- package/scaffold/skills/vercel-react-best-practices/AGENTS.md +3648 -0
- package/scaffold/skills/vercel-react-best-practices/README.md +123 -0
- package/scaffold/skills/vercel-react-best-practices/SKILL.md +146 -0
- package/scaffold/skills/vercel-react-best-practices/rules/_sections.md +46 -0
- package/scaffold/skills/vercel-react-best-practices/rules/_template.md +28 -0
- package/scaffold/skills/vercel-react-best-practices/rules/advanced-event-handler-refs.md +55 -0
- package/scaffold/skills/vercel-react-best-practices/rules/advanced-init-once.md +42 -0
- package/scaffold/skills/vercel-react-best-practices/rules/advanced-use-latest.md +39 -0
- package/scaffold/skills/vercel-react-best-practices/rules/async-api-routes.md +38 -0
- package/scaffold/skills/vercel-react-best-practices/rules/async-cheap-condition-before-await.md +37 -0
- package/scaffold/skills/vercel-react-best-practices/rules/async-defer-await.md +82 -0
- package/scaffold/skills/vercel-react-best-practices/rules/async-dependencies.md +51 -0
- package/scaffold/skills/vercel-react-best-practices/rules/async-parallel.md +28 -0
- package/scaffold/skills/vercel-react-best-practices/rules/async-suspense-boundaries.md +99 -0
- package/scaffold/skills/vercel-react-best-practices/rules/bundle-barrel-imports.md +60 -0
- package/scaffold/skills/vercel-react-best-practices/rules/bundle-conditional.md +31 -0
- package/scaffold/skills/vercel-react-best-practices/rules/bundle-defer-third-party.md +49 -0
- package/scaffold/skills/vercel-react-best-practices/rules/bundle-dynamic-imports.md +35 -0
- package/scaffold/skills/vercel-react-best-practices/rules/bundle-preload.md +50 -0
- package/scaffold/skills/vercel-react-best-practices/rules/client-event-listeners.md +74 -0
- package/scaffold/skills/vercel-react-best-practices/rules/client-localstorage-schema.md +71 -0
- package/scaffold/skills/vercel-react-best-practices/rules/client-passive-event-listeners.md +48 -0
- package/scaffold/skills/vercel-react-best-practices/rules/client-swr-dedup.md +56 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-batch-dom-css.md +107 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-cache-function-results.md +80 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-cache-property-access.md +28 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-cache-storage.md +70 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-combine-iterations.md +32 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-early-exit.md +50 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-flatmap-filter.md +60 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-hoist-regexp.md +45 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-index-maps.md +37 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-length-check-first.md +49 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-min-max-loop.md +82 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-request-idle-callback.md +105 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-set-map-lookups.md +24 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-tosorted-immutable.md +57 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-activity.md +26 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-animate-svg-wrapper.md +47 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-conditional-render.md +40 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-content-visibility.md +38 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-hoist-jsx.md +46 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-hydration-no-flicker.md +82 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-hydration-suppress-warning.md +30 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-resource-hints.md +85 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-script-defer-async.md +68 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-svg-precision.md +28 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-usetransition-loading.md +75 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-defer-reads.md +39 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-dependencies.md +45 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-derived-state-no-effect.md +40 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-derived-state.md +29 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-functional-setstate.md +74 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-lazy-state-init.md +58 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-memo-with-default-value.md +38 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-memo.md +44 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-move-effect-to-event.md +45 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-no-inline-components.md +82 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-simple-expression-in-memo.md +35 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-split-combined-hooks.md +64 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-transitions.md +40 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-use-deferred-value.md +59 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-use-ref-transient-values.md +73 -0
- package/scaffold/skills/vercel-react-best-practices/rules/server-after-nonblocking.md +73 -0
- package/scaffold/skills/vercel-react-best-practices/rules/server-auth-actions.md +96 -0
- package/scaffold/skills/vercel-react-best-practices/rules/server-cache-lru.md +41 -0
- package/scaffold/skills/vercel-react-best-practices/rules/server-cache-react.md +76 -0
- package/scaffold/skills/vercel-react-best-practices/rules/server-dedup-props.md +65 -0
- package/scaffold/skills/vercel-react-best-practices/rules/server-hoist-static-io.md +149 -0
- package/scaffold/skills/vercel-react-best-practices/rules/server-parallel-fetching.md +83 -0
- package/scaffold/skills/vercel-react-best-practices/rules/server-parallel-nested-fetching.md +34 -0
- package/scaffold/skills/vercel-react-best-practices/rules/server-serialization.md +38 -0
- package/scaffold/skills/webapp-testing/SKILL.md +133 -0
- package/scaffold/skills/webapp-testing/assets/test-helper.js +56 -0
|
@@ -0,0 +1,378 @@
|
|
|
1
|
+
# Data Protection Reference
|
|
2
|
+
|
|
3
|
+
## Overview
|
|
4
|
+
|
|
5
|
+
Data protection encompasses safeguarding sensitive information throughout its lifecycle: collection, processing, storage, transmission, and disposal. Security failures at any stage can lead to data breaches.
|
|
6
|
+
|
|
7
|
+
## Sensitive Data Categories
|
|
8
|
+
|
|
9
|
+
### Personal Identifiable Information (PII)
|
|
10
|
+
- Full names, addresses, phone numbers
|
|
11
|
+
- Email addresses
|
|
12
|
+
- Social Security Numbers, national IDs
|
|
13
|
+
- Dates of birth
|
|
14
|
+
- Biometric data
|
|
15
|
+
|
|
16
|
+
### Financial Information
|
|
17
|
+
- Credit card numbers (PAN)
|
|
18
|
+
- Bank account numbers
|
|
19
|
+
- Financial transactions
|
|
20
|
+
- Payment credentials
|
|
21
|
+
|
|
22
|
+
### Authentication Credentials
|
|
23
|
+
- Passwords (plaintext or weakly hashed)
|
|
24
|
+
- API keys and tokens
|
|
25
|
+
- Session identifiers
|
|
26
|
+
- Private keys
|
|
27
|
+
|
|
28
|
+
### Health Information (PHI/HIPAA)
|
|
29
|
+
- Medical records
|
|
30
|
+
- Health conditions
|
|
31
|
+
- Treatment information
|
|
32
|
+
- Insurance data
|
|
33
|
+
|
|
34
|
+
---
|
|
35
|
+
|
|
36
|
+
## Sensitive Data Exposure Prevention
|
|
37
|
+
|
|
38
|
+
### 1. Data Classification
|
|
39
|
+
|
|
40
|
+
Classify all data by sensitivity level:
|
|
41
|
+
|
|
42
|
+
| Level | Examples | Handling |
|
|
43
|
+
|-------|----------|----------|
|
|
44
|
+
| **Public** | Marketing content | No restrictions |
|
|
45
|
+
| **Internal** | Employee directory | Access controls |
|
|
46
|
+
| **Confidential** | Customer data | Encryption + access controls |
|
|
47
|
+
| **Restricted** | Passwords, keys, PCI data | Strong encryption + audit logs |
|
|
48
|
+
|
|
49
|
+
### 2. Minimize Data Collection
|
|
50
|
+
|
|
51
|
+
```python
|
|
52
|
+
# VULNERABLE: Collecting unnecessary data
|
|
53
|
+
user_data = {
|
|
54
|
+
'name': form.name,
|
|
55
|
+
'email': form.email,
|
|
56
|
+
'ssn': form.ssn, # Why do you need this?
|
|
57
|
+
'mother_maiden_name': form.mother_maiden_name, # Security risk
|
|
58
|
+
'password': form.password, # Never store plaintext
|
|
59
|
+
}
|
|
60
|
+
|
|
61
|
+
# SAFE: Collect only what's needed
|
|
62
|
+
user_data = {
|
|
63
|
+
'name': form.name,
|
|
64
|
+
'email': form.email,
|
|
65
|
+
}
|
|
66
|
+
```
|
|
67
|
+
|
|
68
|
+
### 3. Encryption at Rest
|
|
69
|
+
|
|
70
|
+
```python
|
|
71
|
+
# Database-level encryption
|
|
72
|
+
# Configure in database settings (TDE for SQL Server, etc.)
|
|
73
|
+
|
|
74
|
+
# Application-level encryption for specific fields
|
|
75
|
+
from cryptography.fernet import Fernet
|
|
76
|
+
|
|
77
|
+
def encrypt_ssn(ssn):
|
|
78
|
+
f = Fernet(get_encryption_key())
|
|
79
|
+
return f.encrypt(ssn.encode())
|
|
80
|
+
|
|
81
|
+
def decrypt_ssn(encrypted_ssn):
|
|
82
|
+
f = Fernet(get_encryption_key())
|
|
83
|
+
return f.decrypt(encrypted_ssn).decode()
|
|
84
|
+
```
|
|
85
|
+
|
|
86
|
+
### 4. Encryption in Transit
|
|
87
|
+
|
|
88
|
+
```python
|
|
89
|
+
# VULNERABLE: HTTP endpoint
|
|
90
|
+
app.run(host='0.0.0.0', port=80)
|
|
91
|
+
|
|
92
|
+
# SAFE: HTTPS required
|
|
93
|
+
app.run(host='0.0.0.0', port=443, ssl_context='adhoc')
|
|
94
|
+
|
|
95
|
+
# BETTER: Proper TLS configuration
|
|
96
|
+
ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
|
|
97
|
+
ssl_context.load_cert_chain('cert.pem', 'key.pem')
|
|
98
|
+
ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2
|
|
99
|
+
```
|
|
100
|
+
|
|
101
|
+
---
|
|
102
|
+
|
|
103
|
+
## Information Disclosure Prevention
|
|
104
|
+
|
|
105
|
+
### Error Messages
|
|
106
|
+
|
|
107
|
+
```python
|
|
108
|
+
# VULNERABLE: Detailed error messages
|
|
109
|
+
@app.errorhandler(Exception)
|
|
110
|
+
def handle_error(e):
|
|
111
|
+
return {
|
|
112
|
+
'error': str(e),
|
|
113
|
+
'traceback': traceback.format_exc(),
|
|
114
|
+
'sql_query': last_query,
|
|
115
|
+
'server': socket.gethostname()
|
|
116
|
+
}, 500
|
|
117
|
+
|
|
118
|
+
# SAFE: Generic error messages
|
|
119
|
+
@app.errorhandler(Exception)
|
|
120
|
+
def handle_error(e):
|
|
121
|
+
# Log full details server-side
|
|
122
|
+
app.logger.error(f"Error: {e}", exc_info=True)
|
|
123
|
+
|
|
124
|
+
# Return generic message to client
|
|
125
|
+
return {'error': 'An unexpected error occurred'}, 500
|
|
126
|
+
```
|
|
127
|
+
|
|
128
|
+
### Stack Traces
|
|
129
|
+
|
|
130
|
+
```python
|
|
131
|
+
# VULNERABLE: Debug mode in production
|
|
132
|
+
app.run(debug=True)
|
|
133
|
+
|
|
134
|
+
# SAFE: Debug off, custom error pages
|
|
135
|
+
app.run(debug=False)
|
|
136
|
+
|
|
137
|
+
@app.errorhandler(404)
|
|
138
|
+
def not_found(e):
|
|
139
|
+
return render_template('404.html'), 404
|
|
140
|
+
|
|
141
|
+
@app.errorhandler(500)
|
|
142
|
+
def server_error(e):
|
|
143
|
+
return render_template('500.html'), 500
|
|
144
|
+
```
|
|
145
|
+
|
|
146
|
+
### API Response Filtering
|
|
147
|
+
|
|
148
|
+
```python
|
|
149
|
+
# VULNERABLE: Returning all fields
|
|
150
|
+
@app.route('/api/users/<id>')
|
|
151
|
+
def get_user(id):
|
|
152
|
+
user = User.query.get(id)
|
|
153
|
+
return jsonify(user.__dict__) # Includes password_hash, internal_id, etc.
|
|
154
|
+
|
|
155
|
+
# SAFE: Explicit field selection
|
|
156
|
+
@app.route('/api/users/<id>')
|
|
157
|
+
def get_user(id):
|
|
158
|
+
user = User.query.get(id)
|
|
159
|
+
return jsonify({
|
|
160
|
+
'id': user.public_id,
|
|
161
|
+
'name': user.name,
|
|
162
|
+
'email': user.email
|
|
163
|
+
})
|
|
164
|
+
```
|
|
165
|
+
|
|
166
|
+
### Server Headers
|
|
167
|
+
|
|
168
|
+
```python
|
|
169
|
+
# VULNERABLE: Technology disclosure
|
|
170
|
+
# Response headers reveal:
|
|
171
|
+
# Server: Apache/2.4.41 (Ubuntu)
|
|
172
|
+
# X-Powered-By: PHP/7.4.3
|
|
173
|
+
# X-AspNet-Version: 4.0.30319
|
|
174
|
+
|
|
175
|
+
# SAFE: Remove or genericize headers
|
|
176
|
+
# In nginx:
|
|
177
|
+
# server_tokens off;
|
|
178
|
+
|
|
179
|
+
# In Express.js:
|
|
180
|
+
app.disable('x-powered-by');
|
|
181
|
+
|
|
182
|
+
# In Flask:
|
|
183
|
+
@app.after_request
|
|
184
|
+
def remove_headers(response):
|
|
185
|
+
response.headers.pop('Server', None)
|
|
186
|
+
return response
|
|
187
|
+
```
|
|
188
|
+
|
|
189
|
+
---
|
|
190
|
+
|
|
191
|
+
## Logging Security
|
|
192
|
+
|
|
193
|
+
### What NOT to Log
|
|
194
|
+
|
|
195
|
+
```python
|
|
196
|
+
# VULNERABLE: Logging sensitive data
|
|
197
|
+
logger.info(f"User login: {username}, password: {password}")
|
|
198
|
+
logger.info(f"API call with key: {api_key}")
|
|
199
|
+
logger.info(f"Credit card: {card_number}")
|
|
200
|
+
logger.debug(f"Session token: {session_id}")
|
|
201
|
+
|
|
202
|
+
# SAFE: Sanitized logging
|
|
203
|
+
logger.info(f"User login: {username}")
|
|
204
|
+
logger.info(f"API call with key: {api_key[:4]}****")
|
|
205
|
+
logger.info(f"Credit card: ****{card_number[-4:]}")
|
|
206
|
+
logger.debug(f"Session token: {hash_for_logging(session_id)}")
|
|
207
|
+
```
|
|
208
|
+
|
|
209
|
+
### Sensitive Data Patterns to Avoid in Logs
|
|
210
|
+
|
|
211
|
+
| Data Type | Pattern |
|
|
212
|
+
|-----------|---------|
|
|
213
|
+
| Passwords | `password`, `passwd`, `pwd`, `secret` |
|
|
214
|
+
| API Keys | `api_key`, `apikey`, `token`, `bearer` |
|
|
215
|
+
| Credit Cards | 16-digit numbers, `card_number` |
|
|
216
|
+
| SSN | `\d{3}-\d{2}-\d{4}`, `ssn`, `social` |
|
|
217
|
+
| Session IDs | `session`, `sess_id`, `jsessionid` |
|
|
218
|
+
|
|
219
|
+
### Log Injection Prevention
|
|
220
|
+
|
|
221
|
+
```python
|
|
222
|
+
# VULNERABLE: User input directly in logs
|
|
223
|
+
logger.info(f"Search query: {user_input}")
|
|
224
|
+
# Attack: user_input = "test\nINFO: Admin logged in"
|
|
225
|
+
|
|
226
|
+
# SAFE: Sanitize before logging
|
|
227
|
+
def sanitize_for_log(text):
|
|
228
|
+
return text.replace('\n', '\\n').replace('\r', '\\r')
|
|
229
|
+
|
|
230
|
+
logger.info(f"Search query: {sanitize_for_log(user_input)}")
|
|
231
|
+
```
|
|
232
|
+
|
|
233
|
+
---
|
|
234
|
+
|
|
235
|
+
## Secure Data Disposal
|
|
236
|
+
|
|
237
|
+
### Memory Handling
|
|
238
|
+
|
|
239
|
+
```python
|
|
240
|
+
# Python strings are immutable - difficult to clear
|
|
241
|
+
# Use bytearray for sensitive data when possible
|
|
242
|
+
|
|
243
|
+
# BETTER: Clear sensitive data
|
|
244
|
+
import ctypes
|
|
245
|
+
|
|
246
|
+
def secure_zero(data):
|
|
247
|
+
"""Zero out sensitive data in memory."""
|
|
248
|
+
if isinstance(data, bytearray):
|
|
249
|
+
for i in range(len(data)):
|
|
250
|
+
data[i] = 0
|
|
251
|
+
elif isinstance(data, bytes):
|
|
252
|
+
# Can't modify bytes, but can overwrite the reference
|
|
253
|
+
pass
|
|
254
|
+
|
|
255
|
+
# In Java:
|
|
256
|
+
# char[] password = getPassword();
|
|
257
|
+
# try { ... }
|
|
258
|
+
# finally { Arrays.fill(password, '\0'); }
|
|
259
|
+
```
|
|
260
|
+
|
|
261
|
+
### File Deletion
|
|
262
|
+
|
|
263
|
+
```python
|
|
264
|
+
# VULNERABLE: Simple delete (data recoverable)
|
|
265
|
+
os.remove(sensitive_file)
|
|
266
|
+
|
|
267
|
+
# SAFER: Overwrite before delete
|
|
268
|
+
def secure_delete(filepath):
|
|
269
|
+
with open(filepath, 'ba+') as f:
|
|
270
|
+
length = f.tell()
|
|
271
|
+
f.seek(0)
|
|
272
|
+
f.write(os.urandom(length)) # Random overwrite
|
|
273
|
+
f.flush()
|
|
274
|
+
os.fsync(f.fileno())
|
|
275
|
+
os.remove(filepath)
|
|
276
|
+
```
|
|
277
|
+
|
|
278
|
+
### Database Retention
|
|
279
|
+
|
|
280
|
+
```python
|
|
281
|
+
# Implement data retention policies
|
|
282
|
+
def cleanup_old_data():
|
|
283
|
+
cutoff = datetime.now() - timedelta(days=RETENTION_DAYS)
|
|
284
|
+
|
|
285
|
+
# Delete old records
|
|
286
|
+
OldRecord.query.filter(OldRecord.created_at < cutoff).delete()
|
|
287
|
+
|
|
288
|
+
# Or anonymize instead of delete
|
|
289
|
+
User.query.filter(User.last_login < cutoff).update({
|
|
290
|
+
'email': func.concat('deleted_', User.id, '@example.com'),
|
|
291
|
+
'name': 'Deleted User',
|
|
292
|
+
'phone': None
|
|
293
|
+
})
|
|
294
|
+
```
|
|
295
|
+
|
|
296
|
+
---
|
|
297
|
+
|
|
298
|
+
## Cache Security
|
|
299
|
+
|
|
300
|
+
```python
|
|
301
|
+
# VULNERABLE: Caching sensitive data
|
|
302
|
+
@cache.cached(timeout=3600)
|
|
303
|
+
def get_user_with_ssn(user_id):
|
|
304
|
+
return User.query.get(user_id) # Includes SSN
|
|
305
|
+
|
|
306
|
+
# SAFE: Don't cache sensitive data
|
|
307
|
+
def get_user_with_ssn(user_id):
|
|
308
|
+
return User.query.get(user_id) # Not cached
|
|
309
|
+
|
|
310
|
+
# Or cache only non-sensitive parts
|
|
311
|
+
@cache.cached(timeout=3600)
|
|
312
|
+
def get_user_profile(user_id):
|
|
313
|
+
user = User.query.get(user_id)
|
|
314
|
+
return {
|
|
315
|
+
'id': user.id,
|
|
316
|
+
'name': user.name,
|
|
317
|
+
# SSN excluded
|
|
318
|
+
}
|
|
319
|
+
```
|
|
320
|
+
|
|
321
|
+
### Cache Headers
|
|
322
|
+
|
|
323
|
+
```python
|
|
324
|
+
# For sensitive pages
|
|
325
|
+
response.headers['Cache-Control'] = 'no-cache, no-store, must-revalidate'
|
|
326
|
+
response.headers['Pragma'] = 'no-cache'
|
|
327
|
+
response.headers['Expires'] = '0'
|
|
328
|
+
```
|
|
329
|
+
|
|
330
|
+
---
|
|
331
|
+
|
|
332
|
+
## Grep Patterns for Detection
|
|
333
|
+
|
|
334
|
+
```bash
|
|
335
|
+
# Sensitive data in logs
|
|
336
|
+
grep -rn "logger.*password\|log.*password\|print.*password" --include="*.py" --include="*.js"
|
|
337
|
+
grep -rn "logger.*token\|log.*api_key\|print.*secret" --include="*.py" --include="*.js"
|
|
338
|
+
|
|
339
|
+
# Debug mode
|
|
340
|
+
grep -rn "debug.*[Tt]rue\|DEBUG.*=.*1" --include="*.py" --include="*.js" --include="*.env"
|
|
341
|
+
|
|
342
|
+
# Stack traces in responses
|
|
343
|
+
grep -rn "traceback\|stack_trace\|exc_info" --include="*.py" | grep -i "return\|response\|json"
|
|
344
|
+
|
|
345
|
+
# Verbose errors
|
|
346
|
+
grep -rn "str(e)\|str(exception)" --include="*.py" | grep -i "return\|response"
|
|
347
|
+
|
|
348
|
+
# Technology disclosure
|
|
349
|
+
grep -rn "X-Powered-By\|Server:" --include="*.py" --include="*.js" --include="*.conf"
|
|
350
|
+
|
|
351
|
+
# Missing cache headers
|
|
352
|
+
grep -rn "Set-Cookie\|session" --include="*.py" | grep -v "Cache-Control"
|
|
353
|
+
```
|
|
354
|
+
|
|
355
|
+
---
|
|
356
|
+
|
|
357
|
+
## Testing Checklist
|
|
358
|
+
|
|
359
|
+
- [ ] Sensitive data encrypted at rest
|
|
360
|
+
- [ ] All transmissions over TLS 1.2+
|
|
361
|
+
- [ ] Error messages are generic (no stack traces, SQL errors, paths)
|
|
362
|
+
- [ ] Logging excludes sensitive data (passwords, tokens, PII)
|
|
363
|
+
- [ ] API responses filtered to necessary fields only
|
|
364
|
+
- [ ] Server headers don't reveal technology stack
|
|
365
|
+
- [ ] Sensitive pages have no-cache headers
|
|
366
|
+
- [ ] Data retention policies implemented
|
|
367
|
+
- [ ] Secure deletion procedures for sensitive files
|
|
368
|
+
- [ ] Debug mode disabled in production
|
|
369
|
+
|
|
370
|
+
---
|
|
371
|
+
|
|
372
|
+
## References
|
|
373
|
+
|
|
374
|
+
- [OWASP Logging Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html)
|
|
375
|
+
- [OWASP Error Handling Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html)
|
|
376
|
+
- [CWE-200: Information Exposure](https://cwe.mitre.org/data/definitions/200.html)
|
|
377
|
+
- [CWE-532: Information Exposure Through Log Files](https://cwe.mitre.org/data/definitions/532.html)
|
|
378
|
+
- [CWE-209: Error Message Information Leak](https://cwe.mitre.org/data/definitions/209.html)
|