npm - @mytechtoday/augment-extensions - Versions diffs - 0.1.0 → 0.1.2 - Mend

@mytechtoday/augment-extensions 0.1.0 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (102) hide show

package/augment-extensions/domain-rules/security/rules/owasp-top-10.md ADDED Viewed

@@ -0,0 +1,339 @@
+# OWASP Top 10 Vulnerabilities
+Mitigations for the OWASP Top 10 web application security risks.
+## A01:2021 - Broken Access Control
+Unauthorized access to resources or functions.
+```typescript
+// Bad - No authorization check
+app.get('/api/users/:id', async (req, res) => {
+  const user = await db.users.findOne(req.params.id);
+  res.json(user);
+});
+// Good - Check authorization
+app.get('/api/users/:id', authenticate, async (req, res) => {
+  const user = await db.users.findOne(req.params.id);
+  // Users can only access their own data (unless admin)
+  if (user.id !== req.user.id && req.user.role !== 'admin') {
+    return res.status(403).json({ error: 'Forbidden' });
+  }
+  res.json(user);
+});
+// Good - Use middleware for authorization
+const authorize = (permission: string) => {
+  return (req, res, next) => {
+    if (!req.user.permissions.includes(permission)) {
+      return res.status(403).json({ error: 'Insufficient permissions' });
+    }
+    next();
+  };
+};
+app.delete('/api/users/:id', authenticate, authorize('delete:users'), async (req, res) => {
+  await db.users.delete(req.params.id);
+  res.status(204).send();
+});
+```
+## A02:2021 - Cryptographic Failures
+Sensitive data exposure due to weak cryptography.
+```typescript
+// Bad - Storing passwords in plain text
+await db.users.create({
+  email: 'user@example.com',
+  password: 'secret123'  // ❌ Never store plain text passwords
+});
+// Good - Hash passwords with bcrypt
+import bcrypt from 'bcrypt';
+const hashedPassword = await bcrypt.hash(password, 10);
+await db.users.create({
+  email: 'user@example.com',
+  password: hashedPassword
+});
+// Good - Verify password
+const isValid = await bcrypt.compare(inputPassword, user.password);
+// Bad - Weak encryption
+const encrypted = Buffer.from(data).toString('base64');  // ❌ Not encryption
+// Good - Use proper encryption
+import crypto from 'crypto';
+const algorithm = 'aes-256-gcm';
+const key = crypto.randomBytes(32);
+const iv = crypto.randomBytes(16);
+const cipher = crypto.createCipheriv(algorithm, key, iv);
+let encrypted = cipher.update(data, 'utf8', 'hex');
+encrypted += cipher.final('hex');
+const authTag = cipher.getAuthTag();
+```
+## A03:2021 - Injection
+SQL, NoSQL, OS command injection attacks.
+```typescript
+// Bad - SQL injection vulnerability
+app.get('/users', async (req, res) => {
+  const query = `SELECT * FROM users WHERE name = '${req.query.name}'`;
+  const users = await db.query(query);  // ❌ Vulnerable to SQL injection
+});
+// Good - Use parameterized queries
+app.get('/users', async (req, res) => {
+  const users = await db.query(
+    'SELECT * FROM users WHERE name = $1',
+    [req.query.name]
+  );
+});
+// Good - Use ORM
+const users = await db.users.findMany({
+  where: { name: req.query.name }
+});
+// Bad - Command injection
+const { exec } = require('child_process');
+exec(`ping ${req.query.host}`);  // ❌ Vulnerable to command injection
+// Good - Validate and sanitize input
+const host = req.query.host;
+if (!/^[a-zA-Z0-9.-]+$/.test(host)) {
+  return res.status(400).json({ error: 'Invalid host' });
+}
+exec(`ping ${host}`);
+// Better - Use safe alternatives
+import { ping } from 'ping';
+const result = await ping.promise.probe(req.query.host);
+```
+## A04:2021 - Insecure Design
+Flaws in design and architecture.
+```typescript
+// Bad - No rate limiting
+app.post('/api/login', async (req, res) => {
+  const user = await authenticate(req.body.email, req.body.password);
+  // ❌ Allows brute force attacks
+});
+// Good - Implement rate limiting
+import rateLimit from 'express-rate-limit';
+const loginLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 5, // 5 attempts
+  message: 'Too many login attempts, please try again later'
+});
+app.post('/api/login', loginLimiter, async (req, res) => {
+  const user = await authenticate(req.body.email, req.body.password);
+});
+// Good - Implement account lockout
+const MAX_ATTEMPTS = 5;
+const LOCKOUT_TIME = 15 * 60 * 1000; // 15 minutes
+if (user.loginAttempts >= MAX_ATTEMPTS) {
+  const timeSinceLastAttempt = Date.now() - user.lastLoginAttempt;
+  if (timeSinceLastAttempt < LOCKOUT_TIME) {
+    return res.status(429).json({ error: 'Account locked' });
+  }
+}
+```
+## A05:2021 - Security Misconfiguration
+Insecure default configurations.
+```typescript
+// Bad - Exposing error details in production
+app.use((err, req, res, next) => {
+  res.status(500).json({
+    error: err.message,
+    stack: err.stack  // ❌ Exposes internal details
+  });
+});
+// Good - Hide details in production
+app.use((err, req, res, next) => {
+  console.error(err);  // Log server-side
+  if (process.env.NODE_ENV === 'production') {
+    res.status(500).json({ error: 'Internal server error' });
+  } else {
+    res.status(500).json({ error: err.message, stack: err.stack });
+  }
+});
+// Bad - Default credentials
+const dbConfig = {
+  user: 'admin',
+  password: 'admin'  // ❌ Default credentials
+};
+// Good - Use environment variables
+const dbConfig = {
+  user: process.env.DB_USER,
+  password: process.env.DB_PASSWORD
+};
+// Good - Security headers
+import helmet from 'helmet';
+app.use(helmet());
+```
+## A06:2021 - Vulnerable and Outdated Components
+Using components with known vulnerabilities.
+```bash
+# Good - Regularly update dependencies
+npm audit
+npm audit fix
+# Good - Use automated tools
+npm install -g npm-check-updates
+ncu -u
+npm install
+# Good - Monitor for vulnerabilities
+# Use Dependabot, Snyk, or similar tools
+```
+## A07:2021 - Identification and Authentication Failures
+Weak authentication mechanisms.
+```typescript
+// Bad - Weak password requirements
+if (password.length < 6) {  // ❌ Too weak
+  return res.status(400).json({ error: 'Password too short' });
+}
+// Good - Strong password requirements
+const passwordRegex = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{12,}$/;
+if (!passwordRegex.test(password)) {
+  return res.status(400).json({
+    error: 'Password must be at least 12 characters with uppercase, lowercase, number, and special character'
+  });
+}
+// Good - Implement MFA
+const mfaToken = speakeasy.totp({
+  secret: user.mfaSecret,
+  encoding: 'base32'
+});
+if (req.body.mfaCode !== mfaToken) {
+  return res.status(401).json({ error: 'Invalid MFA code' });
+}
+```
+## A08:2021 - Software and Data Integrity Failures
+Insecure CI/CD, updates, or deserialization.
+```typescript
+// Bad - Unsafe deserialization
+const userData = eval(req.body.data);  // ❌ Never use eval
+// Good - Safe JSON parsing
+try {
+  const userData = JSON.parse(req.body.data);
+} catch (error) {
+  return res.status(400).json({ error: 'Invalid JSON' });
+}
+// Good - Verify package integrity
+# package-lock.json ensures integrity
+npm ci  # Use in CI/CD instead of npm install
+```
+## A09:2021 - Security Logging and Monitoring Failures
+Insufficient logging and monitoring.
+```typescript
+// Good - Log security events
+import winston from 'winston';
+const logger = winston.createLogger({
+  level: 'info',
+  format: winston.format.json(),
+  transports: [
+    new winston.transports.File({ filename: 'security.log' })
+  ]
+});
+// Log authentication attempts
+logger.info('Login attempt', {
+  email: req.body.email,
+  ip: req.ip,
+  userAgent: req.headers['user-agent'],
+  success: true
+});
+// Log authorization failures
+logger.warn('Authorization failed', {
+  userId: req.user.id,
+  resource: req.path,
+  action: req.method,
+  ip: req.ip
+});
+```
+## A10:2021 - Server-Side Request Forgery (SSRF)
+Fetching remote resources without validation.
+```typescript
+// Bad - SSRF vulnerability
+app.get('/fetch', async (req, res) => {
+  const response = await fetch(req.query.url);  // ❌ Allows SSRF
+  res.send(await response.text());
+});
+// Good - Validate URL
+const allowedDomains = ['api.example.com', 'cdn.example.com'];
+const url = new URL(req.query.url);
+if (!allowedDomains.includes(url.hostname)) {
+  return res.status(400).json({ error: 'Invalid domain' });
+}
+// Good - Block private IPs
+import isPrivateIp from 'private-ip';
+if (isPrivateIp(url.hostname)) {
+  return res.status(400).json({ error: 'Private IPs not allowed' });
+}
+```
+## Best Practices
+1. **Implement proper access control** - Check authorization
+2. **Use strong encryption** - Protect sensitive data
+3. **Prevent injection** - Use parameterized queries
+4. **Design securely** - Security by design
+5. **Configure securely** - No default credentials
+6. **Update dependencies** - Patch vulnerabilities
+7. **Strong authentication** - MFA, strong passwords
+8. **Verify integrity** - Check package integrity
+9. **Log security events** - Monitor for attacks
+10. **Prevent SSRF** - Validate URLs and IPs

package/augment-extensions/domain-rules/security/rules/secure-coding.md ADDED Viewed

@@ -0,0 +1,293 @@
+# Secure Coding Practices
+General secure coding practices for building secure applications.
+## Principle of Least Privilege
+Grant minimum necessary permissions.
+```typescript
+// Bad - Overly permissive
+const user = {
+  id: '123',
+  role: 'admin',  // ❌ Everyone is admin
+  permissions: ['*']  // ❌ All permissions
+};
+// Good - Specific permissions
+const user = {
+  id: '123',
+  role: 'editor',
+  permissions: ['read:posts', 'write:posts', 'read:users']
+};
+// Good - Check specific permission
+const hasPermission = (user: User, permission: string): boolean => {
+  return user.permissions.includes(permission);
+};
+if (!hasPermission(req.user, 'delete:posts')) {
+  return res.status(403).json({ error: 'Forbidden' });
+}
+```
+## Defense in Depth
+Implement multiple layers of security.
+```typescript
+// Layer 1: Input validation
+const schema = z.object({
+  email: z.string().email(),
+  content: z.string().max(1000)
+});
+const data = schema.parse(req.body);
+// Layer 2: Authentication
+if (!req.user) {
+  return res.status(401).json({ error: 'Unauthorized' });
+}
+// Layer 3: Authorization
+if (req.user.id !== post.authorId && req.user.role !== 'admin') {
+  return res.status(403).json({ error: 'Forbidden' });
+}
+// Layer 4: Rate limiting
+// Layer 5: Sanitization
+const sanitized = DOMPurify.sanitize(data.content);
+// Layer 6: Logging
+logger.info('Post updated', { userId: req.user.id, postId: post.id });
+```
+## Secure Defaults
+Use secure configurations by default.
+```typescript
+// Good - Secure defaults
+const config = {
+  https: true,
+  httpOnly: true,
+  sameSite: 'strict',
+  secure: true,
+  maxAge: 3600000,
+  ...userConfig  // Allow override if needed
+};
+// Bad - Insecure defaults
+const config = {
+  https: false,  // ❌
+  httpOnly: false,  // ❌
+  ...userConfig
+};
+```
+## Fail Securely
+Handle errors without exposing sensitive information.
+```typescript
+// Bad - Exposing internal details
+try {
+  const user = await db.users.findOne(userId);
+} catch (error) {
+  res.status(500).json({
+    error: error.message,  // ❌ May expose DB details
+    stack: error.stack  // ❌ Exposes code structure
+  });
+}
+// Good - Generic error message
+try {
+  const user = await db.users.findOne(userId);
+} catch (error) {
+  logger.error('Database error', { error, userId });  // Log internally
+  res.status(500).json({ error: 'Internal server error' });  // Generic message
+}
+```
+## Don't Trust Client Data
+Always validate on server side.
+```typescript
+// Bad - Trusting client
+app.post('/purchase', async (req, res) => {
+  const { productId, price } = req.body;  // ❌ Client sends price
+  await processPayment(price);
+});
+// Good - Verify on server
+app.post('/purchase', async (req, res) => {
+  const { productId } = req.body;
+  const product = await db.products.findOne(productId);
+  await processPayment(product.price);  // ✅ Use server price
+});
+```
+## Avoid Security by Obscurity
+Don't rely on secrecy of implementation.
+```typescript
+// Bad - Security by obscurity
+const isAdmin = (user) => {
+  return user.secretAdminFlag === 'xK9mP2qL';  // ❌ Weak
+};
+// Good - Proper authorization
+const isAdmin = (user) => {
+  return user.role === 'admin' && user.verified === true;
+};
+```
+## Secure Error Messages
+Don't leak information through error messages.
+```typescript
+// Bad - Information leakage
+app.post('/login', async (req, res) => {
+  const user = await db.users.findOne({ email: req.body.email });
+  if (!user) {
+    return res.status(401).json({ error: 'Email not found' });  // ❌ Reveals email exists
+  }
+  if (!await bcrypt.compare(req.body.password, user.password)) {
+    return res.status(401).json({ error: 'Incorrect password' });  // ❌ Reveals email exists
+  }
+});
+// Good - Generic error message
+app.post('/login', async (req, res) => {
+  const user = await db.users.findOne({ email: req.body.email });
+  if (!user || !await bcrypt.compare(req.body.password, user.password)) {
+    return res.status(401).json({ error: 'Invalid credentials' });  // ✅ Generic
+  }
+});
+```
+## Secure Logging
+Log security events without exposing sensitive data.
+```typescript
+// Bad - Logging sensitive data
+logger.info('User login', {
+  email: user.email,
+  password: req.body.password,  // ❌ Never log passwords
+  creditCard: user.creditCard  // ❌ Never log PII
+});
+// Good - Log relevant info only
+logger.info('User login', {
+  userId: user.id,
+  ip: req.ip,
+  userAgent: req.headers['user-agent'],
+  success: true
+});
+// Good - Mask sensitive data
+const maskEmail = (email: string) => {
+  const [local, domain] = email.split('@');
+  return `${local.slice(0, 2)}***@${domain}`;
+};
+logger.info('Password reset requested', {
+  email: maskEmail(user.email),
+  ip: req.ip
+});
+```
+## Dependency Security
+Keep dependencies updated and secure.
+```bash
+# Check for vulnerabilities
+npm audit
+# Fix vulnerabilities
+npm audit fix
+# Update dependencies
+npm update
+# Use lock files
+npm ci  # In CI/CD
+# Monitor dependencies
+# Use Dependabot, Snyk, or similar
+```
+## Environment Variables
+Store secrets in environment variables.
+```typescript
+// Bad - Hardcoded secrets
+const dbPassword = 'mypassword123';  // ❌
+const apiKey = 'sk_live_abc123';  // ❌
+// Good - Environment variables
+const dbPassword = process.env.DB_PASSWORD;
+const apiKey = process.env.API_KEY;
+// Good - Validate required env vars
+const requiredEnvVars = ['DB_PASSWORD', 'API_KEY', 'JWT_SECRET'];
+for (const envVar of requiredEnvVars) {
+  if (!process.env[envVar]) {
+    throw new Error(`Missing required environment variable: ${envVar}`);
+  }
+}
+// .env (never commit)
+DB_PASSWORD=strong_password
+API_KEY=sk_live_abc123
+JWT_SECRET=random_secret
+// .gitignore
+.env
+.env.local
+.env.*.local
+```
+## Code Review
+Implement security-focused code reviews.
+```markdown
+# Security Review Checklist
+- [ ] Input validation on all user input
+- [ ] Authentication required for protected endpoints
+- [ ] Authorization checks for resource access
+- [ ] Parameterized queries (no SQL injection)
+- [ ] No hardcoded secrets
+- [ ] Sensitive data encrypted
+- [ ] Error messages don't leak information
+- [ ] Rate limiting on sensitive endpoints
+- [ ] HTTPS enforced
+- [ ] Security headers set
+- [ ] Dependencies up to date
+- [ ] Logging doesn't expose sensitive data
+```
+## Best Practices
+1. **Least privilege** - Minimum necessary permissions
+2. **Defense in depth** - Multiple security layers
+3. **Secure defaults** - Secure by default
+4. **Fail securely** - Don't expose internals
+5. **Validate server-side** - Never trust client
+6. **Generic errors** - Don't leak information
+7. **Secure logging** - Mask sensitive data
+8. **Update dependencies** - Patch vulnerabilities
+9. **Use env vars** - No hardcoded secrets
+10. **Code review** - Security-focused reviews