@qball-inc/the-bulwark 1.0.0

package/skills/code-review/frameworks/django.md

@@ -0,0 +1,235 @@
+# Django Framework Patterns
+
+Security and quality patterns specific to Django applications.
+
+---
+
+## Security Patterns
+
+### SQL Injection
+
+| Pattern | Risk | Detection |
+|---------|------|-----------|
+| `.raw()` with string format | Critical | `Model.objects.raw(f"SELECT...")` |
+| `.extra()` with user input | Critical | `.extra(where=[user_input])` |
+| Cursor with string concat | Critical | `cursor.execute(query % params)` |
+
+**Safe Pattern:**
+```python
+# BAD
+User.objects.raw(f"SELECT * FROM users WHERE id = {user_id}")
+
+# GOOD - Parameterized query
+User.objects.raw("SELECT * FROM users WHERE id = %s", [user_id])
+
+# BEST - Use ORM
+User.objects.filter(id=user_id)
+```
+
+### XSS Prevention
+
+| Pattern | Risk | Detection |
+|---------|------|-----------|
+| `|safe` filter | High | `{{ user_input|safe }}` |
+| `mark_safe()` | High | `mark_safe(user_content)` |
+| `{% autoescape off %}` | High | Block disabling autoescape |
+
+**Safe Pattern:**
+```html
+<!-- BAD -->
+{{ user_comment|safe }}
+
+<!-- GOOD - Django auto-escapes by default -->
+{{ user_comment }}
+
+<!-- If HTML needed, sanitize first -->
+{% load bleach_tags %}
+{{ user_comment|bleach }}
+```
+
+### CSRF Protection
+
+```python
+# Ensure CSRF middleware is enabled
+MIDDLEWARE = [
+    'django.middleware.csrf.CsrfViewMiddleware',
+    # ...
+]
+
+# In templates
+<form method="post">
+    {% csrf_token %}
+    ...
+</form>
+
+# For AJAX
+const csrftoken = document.querySelector('[name=csrfmiddlewaretoken]').value;
+```
+
+### Authentication/Authorization
+
+```python
+# BAD - No permission check
+def get_document(request, doc_id):
+    return Document.objects.get(id=doc_id)
+
+# GOOD - Check ownership
+from django.core.exceptions import PermissionDenied
+
+def get_document(request, doc_id):
+    doc = Document.objects.get(id=doc_id)
+    if doc.owner_id != request.user.id:
+        raise PermissionDenied
+    return doc
+
+# BEST - Use built-in permissions
+from django.contrib.auth.decorators import permission_required
+
+@permission_required('app.view_document')
+def get_document(request, doc_id):
+    return Document.objects.get(id=doc_id)
+```
+
+### Secret Management
+
+```python
+# BAD
+SECRET_KEY = 'django-insecure-abc123'
+DATABASE_PASSWORD = 'password123'
+
+# GOOD
+import os
+SECRET_KEY = os.environ['DJANGO_SECRET_KEY']
+DATABASE_PASSWORD = os.environ['DB_PASSWORD']
+
+# Or use django-environ
+import environ
+env = environ.Env()
+SECRET_KEY = env('SECRET_KEY')
+```
+
+---
+
+## Type Safety Patterns
+
+### Model Typing
+
+```python
+# BAD - No type hints
+class User(models.Model):
+    name = models.CharField(max_length=100)
+
+    def get_display_name(self):
+        return self.name.title()
+
+# GOOD - With type hints
+from typing import Optional
+
+class User(models.Model):
+    name: models.CharField[str] = models.CharField(max_length=100)
+
+    def get_display_name(self) -> str:
+        return self.name.title()
+
+    def get_email(self) -> Optional[str]:
+        return self.email if self.email else None
+```
+
+### View Typing
+
+```python
+from django.http import HttpRequest, HttpResponse, JsonResponse
+from django.views import View
+
+# Function-based view
+def user_detail(request: HttpRequest, user_id: int) -> HttpResponse:
+    user = get_object_or_404(User, id=user_id)
+    return render(request, 'user_detail.html', {'user': user})
+
+# Class-based view
+class UserDetailView(View):
+    def get(self, request: HttpRequest, user_id: int) -> HttpResponse:
+        user = get_object_or_404(User, id=user_id)
+        return render(request, 'user_detail.html', {'user': user})
+```
+
+### Form Typing
+
+```python
+from django import forms
+from typing import Any, Dict
+
+class UserForm(forms.Form):
+    name = forms.CharField(max_length=100)
+    email = forms.EmailField()
+
+    def clean(self) -> Dict[str, Any]:
+        cleaned_data = super().clean()
+        # Type-safe access to cleaned data
+        name: str = cleaned_data.get('name', '')
+        return cleaned_data
+```
+
+---
+
+## Linting Patterns
+
+### Query Optimization
+
+```python
+# BAD - N+1 query problem
+users = User.objects.all()
+for user in users:
+    print(user.profile.avatar)  # Query per user
+
+# GOOD - Prefetch related
+users = User.objects.select_related('profile').all()
+for user in users:
+    print(user.profile.avatar)  # No additional queries
+```
+
+### View Complexity
+
+| Metric | Threshold | Action |
+|--------|-----------|--------|
+| View function lines | >50 | Extract to service layer |
+| Business logic in view | Any | Move to model or service |
+| Multiple model operations | >3 | Create service class |
+
+---
+
+## Coding Standards
+
+### Naming Conventions
+
+| Element | Convention | Example |
+|---------|------------|---------|
+| Model | PascalCase | `UserProfile` |
+| View function | snake_case | `user_detail` |
+| View class | PascalCase + View suffix | `UserDetailView` |
+| URL name | snake_case with dashes | `user-detail` |
+
+### File Organization
+
+```
+app/
+  models/
+    __init__.py
+    user.py
+  views/
+    __init__.py
+    user.py
+  services/
+    user_service.py
+  tests/
+    test_user.py
+```
+
+---
+
+## What to Skip
+
+- Django admin customization
+- Management commands
+- Migration files
+- Settings for different environments

package/skills/code-review/frameworks/express.md

@@ -0,0 +1,207 @@
+# Express/Node Framework Patterns
+
+Security and quality patterns specific to Express.js and Node.js applications.
+
+---
+
+## Security Patterns
+
+### Injection Attacks
+
+| Pattern | Risk | Detection |
+|---------|------|-----------|
+| SQL in string concat | Critical | `query + req.body.x` |
+| NoSQL operator injection | Critical | `{ $where: userInput }` |
+| Command injection | Critical | `exec(userInput)` |
+| Path traversal | High | `path.join(base, userInput)` |
+
+**Safe Patterns:**
+```typescript
+// SQL: Use parameterized queries
+const user = await db.query('SELECT * FROM users WHERE id = ?', [req.params.id]);
+
+// NoSQL: Sanitize operators
+import mongoSanitize from 'express-mongo-sanitize';
+app.use(mongoSanitize());
+
+// Commands: Use array form
+const { spawn } = require('child_process');
+spawn('ls', ['-la', sanitizedPath]);  // Not: exec(`ls -la ${path}`)
+
+// Paths: Validate within allowed directory
+const safePath = path.resolve(uploadDir, userFilename);
+if (!safePath.startsWith(uploadDir)) throw new Error('Invalid path');
+```
+
+### Authentication/Authorization
+
+| Pattern | Risk | Detection |
+|---------|------|-----------|
+| Missing auth middleware | Critical | Route without `isAuthenticated` |
+| JWT in URL | High | Token in query string |
+| Weak session config | Medium | Missing secure/httpOnly flags |
+
+**Safe Pattern:**
+```typescript
+// Middleware chain
+router.get('/admin',
+  isAuthenticated,    // Verify JWT/session
+  requireRole('admin'),  // Check role
+  adminController.dashboard
+);
+
+// Session config
+app.use(session({
+  secret: process.env.SESSION_SECRET,
+  cookie: {
+    secure: true,      // HTTPS only
+    httpOnly: true,    // No JS access
+    sameSite: 'strict' // CSRF protection
+  }
+}));
+```
+
+### Input Validation
+
+| Pattern | Risk | Detection |
+|---------|------|-----------|
+| Unvalidated body | High | Direct use of req.body |
+| Missing sanitization | Medium | No express-validator/joi |
+| Type coercion issues | Medium | `req.query.id` used as number |
+
+**Safe Pattern:**
+```typescript
+import { body, validationResult } from 'express-validator';
+
+router.post('/users',
+  body('email').isEmail().normalizeEmail(),
+  body('password').isLength({ min: 8 }),
+  (req, res) => {
+    const errors = validationResult(req);
+    if (!errors.isEmpty()) {
+      return res.status(400).json({ errors: errors.array() });
+    }
+    // Proceed with validated data
+  }
+);
+```
+
+### Security Headers
+
+| Header | Purpose | Check |
+|--------|---------|-------|
+| Content-Security-Policy | XSS prevention | `helmet.contentSecurityPolicy()` |
+| X-Frame-Options | Clickjacking prevention | `helmet.frameguard()` |
+| Strict-Transport-Security | Force HTTPS | `helmet.hsts()` |
+
+```typescript
+import helmet from 'helmet';
+app.use(helmet());  // Enables all security headers
+```
+
+---
+
+## Type Safety Patterns
+
+### Request Typing
+
+```typescript
+// BAD: Untyped request
+app.post('/users', (req, res) => {
+  const { name, email } = req.body;  // any
+});
+
+// GOOD: Typed request
+interface CreateUserBody {
+  name: string;
+  email: string;
+}
+
+app.post('/users', (req: Request<{}, {}, CreateUserBody>, res) => {
+  const { name, email } = req.body;  // Typed
+});
+```
+
+### Response Typing
+
+```typescript
+// Define response types
+interface ApiResponse<T> {
+  success: boolean;
+  data?: T;
+  error?: string;
+}
+
+function sendSuccess<T>(res: Response, data: T): void {
+  res.json({ success: true, data } as ApiResponse<T>);
+}
+
+function sendError(res: Response, status: number, error: string): void {
+  res.status(status).json({ success: false, error } as ApiResponse<never>);
+}
+```
+
+---
+
+## Error Handling
+
+### Async Error Handling
+
+```typescript
+// BAD: Unhandled promise rejection
+app.get('/users', async (req, res) => {
+  const users = await db.users.findAll();  // If throws, crashes
+  res.json(users);
+});
+
+// GOOD: Wrapped async handler
+const asyncHandler = (fn: RequestHandler) => (req, res, next) =>
+  Promise.resolve(fn(req, res, next)).catch(next);
+
+app.get('/users', asyncHandler(async (req, res) => {
+  const users = await db.users.findAll();
+  res.json(users);
+}));
+
+// Error middleware
+app.use((err: Error, req: Request, res: Response, next: NextFunction) => {
+  console.error(err);
+  res.status(500).json({ error: 'Internal server error' });
+});
+```
+
+---
+
+## Linting Patterns
+
+### Middleware Order
+
+Correct order:
+1. Security middleware (helmet, cors)
+2. Body parsers
+3. Session/auth
+4. Routes
+5. Error handlers
+
+### Route Organization
+
+```typescript
+// routes/users.ts
+const router = Router();
+router.get('/', userController.list);
+router.get('/:id', userController.get);
+router.post('/', userController.create);
+export default router;
+
+// app.ts
+app.use('/api/users', usersRouter);
+```
+
+---
+
+## What to Skip
+
+- Development-only middleware (`morgan` in dev mode)
+- Test fixtures with intentional vulnerabilities
+- Mock servers for testing
+- Documentation routes (Swagger)