@qball-inc/the-bulwark 1.0.0

package/skills/code-review/frameworks/flask.md

@@ -0,0 +1,298 @@
+# Flask Framework Patterns
+
+Security and quality patterns specific to Flask applications.
+
+---
+
+## Security Patterns
+
+### SQL Injection
+
+| Pattern | Risk | Detection |
+|---------|------|-----------|
+| String formatting in query | Critical | `f"SELECT...{user_input}"` |
+| `text()` with concat | Critical | `text("SELECT..." + user_input)` |
+| Raw cursor with % format | Critical | `cursor.execute(query % params)` |
+
+**Safe Pattern:**
+```python
+# BAD
+db.execute(f"SELECT * FROM users WHERE id = {user_id}")
+
+# GOOD - SQLAlchemy ORM
+User.query.filter_by(id=user_id).first()
+
+# GOOD - Parameterized query
+db.execute(text("SELECT * FROM users WHERE id = :id"), {"id": user_id})
+```
+
+### XSS Prevention
+
+| Pattern | Risk | Detection |
+|---------|------|-----------|
+| `|safe` filter | High | `{{ user_input|safe }}` |
+| `Markup()` | High | `Markup(user_content)` |
+| `render_template_string` | Critical | With user input |
+
+**Safe Pattern:**
+```html
+<!-- BAD -->
+{{ user_comment|safe }}
+
+<!-- GOOD - Jinja2 auto-escapes by default -->
+{{ user_comment }}
+
+<!-- If HTML needed -->
+{% import 'macros.html' as macros %}
+{{ macros.sanitized_html(user_comment) }}
+```
+
+```python
+# In macros.py
+import bleach
+
+def sanitize_html(html):
+    return Markup(bleach.clean(html, tags=['p', 'br', 'strong']))
+```
+
+### CSRF Protection
+
+```python
+from flask_wtf.csrf import CSRFProtect
+
+csrf = CSRFProtect()
+csrf.init_app(app)
+
+# In templates
+<form method="post">
+    <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
+    ...
+</form>
+```
+
+### Session Security
+
+```python
+# BAD
+app.secret_key = 'dev'
+
+# GOOD
+import os
+app.secret_key = os.environ['SECRET_KEY']
+
+# Session configuration
+app.config.update(
+    SESSION_COOKIE_SECURE=True,
+    SESSION_COOKIE_HTTPONLY=True,
+    SESSION_COOKIE_SAMESITE='Lax',
+)
+```
+
+### Authentication
+
+```python
+from flask_login import login_required, current_user
+from functools import wraps
+
+# BAD - No auth check
+@app.route('/admin')
+def admin_panel():
+    return render_template('admin.html')
+
+# GOOD - Login required
+@app.route('/admin')
+@login_required
+def admin_panel():
+    return render_template('admin.html')
+
+# GOOD - Role check
+def admin_required(f):
+    @wraps(f)
+    def decorated_function(*args, **kwargs):
+        if not current_user.is_admin:
+            abort(403)
+        return f(*args, **kwargs)
+    return decorated_function
+
+@app.route('/admin')
+@login_required
+@admin_required
+def admin_panel():
+    return render_template('admin.html')
+```
+
+### File Upload
+
+```python
+from werkzeug.utils import secure_filename
+
+# BAD
+@app.route('/upload', methods=['POST'])
+def upload():
+    file = request.files['file']
+    file.save(f'/uploads/{file.filename}')  # Path traversal risk
+
+# GOOD
+ALLOWED_EXTENSIONS = {'txt', 'pdf', 'png', 'jpg'}
+
+def allowed_file(filename):
+    return '.' in filename and \
+           filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS
+
+@app.route('/upload', methods=['POST'])
+def upload():
+    file = request.files['file']
+    if file and allowed_file(file.filename):
+        filename = secure_filename(file.filename)
+        file.save(os.path.join(app.config['UPLOAD_FOLDER'], filename))
+```
+
+---
+
+## Type Safety Patterns
+
+### Route Typing
+
+```python
+from flask import Flask, Request, Response
+from typing import Union
+
+# BAD
+@app.route('/users/<user_id>')
+def get_user(user_id):
+    return User.query.get(user_id)
+
+# GOOD
+@app.route('/users/<int:user_id>')
+def get_user(user_id: int) -> Union[Response, tuple[dict, int]]:
+    user = User.query.get_or_404(user_id)
+    return jsonify(user.to_dict())
+```
+
+### Request Data Typing
+
+```python
+from pydantic import BaseModel, ValidationError
+from typing import Optional
+
+class UserCreate(BaseModel):
+    name: str
+    email: str
+    age: Optional[int] = None
+
+@app.route('/users', methods=['POST'])
+def create_user() -> tuple[dict, int]:
+    try:
+        data = UserCreate(**request.json)
+    except ValidationError as e:
+        return {'error': e.errors()}, 400
+
+    user = User(name=data.name, email=data.email, age=data.age)
+    db.session.add(user)
+    db.session.commit()
+    return {'id': user.id}, 201
+```
+
+### Model Typing
+
+```python
+from sqlalchemy.orm import Mapped, mapped_column
+from typing import Optional
+
+class User(db.Model):
+    id: Mapped[int] = mapped_column(primary_key=True)
+    name: Mapped[str] = mapped_column(String(100))
+    email: Mapped[Optional[str]] = mapped_column(String(255), nullable=True)
+
+    def to_dict(self) -> dict:
+        return {
+            'id': self.id,
+            'name': self.name,
+            'email': self.email,
+        }
+```
+
+---
+
+## Linting Patterns
+
+### Application Factory
+
+```python
+# BAD - Global app
+app = Flask(__name__)
+db = SQLAlchemy(app)
+
+# GOOD - Application factory
+def create_app(config_class=Config):
+    app = Flask(__name__)
+    app.config.from_object(config_class)
+
+    db.init_app(app)
+
+    from app.routes import main
+    app.register_blueprint(main)
+
+    return app
+```
+
+### Blueprint Organization
+
+```python
+# routes/users.py
+from flask import Blueprint
+
+users_bp = Blueprint('users', __name__, url_prefix='/users')
+
+@users_bp.route('/')
+def list_users():
+    ...
+
+@users_bp.route('/<int:user_id>')
+def get_user(user_id: int):
+    ...
+
+# app/__init__.py
+from routes.users import users_bp
+app.register_blueprint(users_bp)
+```
+
+---
+
+## Coding Standards
+
+### Naming Conventions
+
+| Element | Convention | Example |
+|---------|------------|---------|
+| Blueprint | snake_case | `users_bp` |
+| Route function | snake_case | `get_user` |
+| Model | PascalCase | `UserProfile` |
+| Config class | PascalCase | `ProductionConfig` |
+
+### File Organization
+
+```
+app/
+  __init__.py
+  models/
+    user.py
+  routes/
+    users.py
+    auth.py
+  services/
+    user_service.py
+  templates/
+  static/
+config.py
+run.py
+```
+
+---
+
+## What to Skip
+
+- Flask-Admin configuration
+- Development server settings
+- CLI commands
+- Test fixtures with test client

package/skills/code-review/frameworks/generic.md

@@ -0,0 +1,146 @@
+# Generic Framework Patterns
+
+Security and quality patterns applicable to any codebase when no specific framework is detected.
+
+---
+
+## Security Patterns (OWASP Top 10)
+
+### A01: Broken Access Control
+
+| Pattern | Detection | Severity |
+|---------|-----------|----------|
+| Missing authorization | Resource access without permission check | Critical |
+| IDOR | User ID from input used directly | Critical |
+| Path traversal | User input in file paths | Critical |
+
+**Check:**
+- Every database query has a preceding authorization check
+- User-supplied IDs are validated against session user
+- File paths are restricted to allowed directories
+
+### A02: Cryptographic Failures
+
+| Pattern | Detection | Severity |
+|---------|-----------|----------|
+| Hardcoded secrets | Strings matching key/password patterns | Critical |
+| Weak algorithms | MD5, SHA1 for passwords | Critical |
+| Missing encryption | Sensitive data in plaintext | Critical |
+
+**Check:**
+- No API keys, passwords, or tokens in source
+- Password hashing uses bcrypt, argon2, or scrypt
+- Sensitive data encrypted at rest and in transit
+
+### A03: Injection
+
+| Pattern | Detection | Severity |
+|---------|-----------|----------|
+| SQL injection | String concatenation in queries | Critical |
+| Command injection | User input in shell commands | Critical |
+| XSS | User input in HTML output | Critical |
+
+**Check:**
+- All queries use parameterization
+- Shell commands use array form or escape input
+- Output is escaped for context (HTML, JS, URL)
+
+### A04: Insecure Design
+
+| Pattern | Detection | Severity |
+|---------|-----------|----------|
+| No rate limiting | Auth endpoints unrestricted | Important |
+| Weak tokens | Predictable patterns | Critical |
+| Missing business logic validation | Edge cases not handled | Important |
+
+### A05: Security Misconfiguration
+
+| Pattern | Detection | Severity |
+|---------|-----------|----------|
+| Debug mode | Verbose errors, stack traces | Important |
+| Default credentials | admin/admin patterns | Critical |
+| Unnecessary features | Unused endpoints exposed | Suggestion |
+
+### A06: Vulnerable Components
+
+**Note:** Defer to package audit tools:
+- `npm audit` / `yarn audit`
+- `pip-audit`
+- `cargo audit`
+
+### A07: Auth Failures
+
+| Pattern | Detection | Severity |
+|---------|-----------|----------|
+| Session fixation | No regeneration after login | Critical |
+| Weak passwords | No complexity requirements | Important |
+| Credential exposure | Logging passwords | Critical |
+
+### A08: Data Integrity
+
+| Pattern | Detection | Severity |
+|---------|-----------|----------|
+| Insecure deserialization | Deserializing untrusted data | Critical |
+| Missing integrity checks | Data modification undetected | Important |
+
+### A09: Logging Failures
+
+| Pattern | Detection | Severity |
+|---------|-----------|----------|
+| Missing audit logs | No security event logging | Important |
+| Sensitive data logged | Passwords, tokens in logs | Critical |
+| Log injection | Unsanitized input in logs | Important |
+
+### A10: SSRF
+
+| Pattern | Detection | Severity |
+|---------|-----------|----------|
+| Unvalidated URL fetch | User URL without allowlist | Critical |
+| Internal access | Requests to internal services | Critical |
+
+---
+
+## Type Safety Patterns
+
+| Pattern | Issue | Fix |
+|---------|-------|-----|
+| `any` type | Bypasses type checking | Define proper interface |
+| Missing null checks | Runtime null errors | Use optional chaining |
+| Unsafe assertions | Type lies to compiler | Use type guards |
+| Implicit any | Missing type annotations | Enable strict mode |
+
+---
+
+## Linting Patterns
+
+| Pattern | Threshold | Action |
+|---------|-----------|--------|
+| Cyclomatic complexity | >15 | Refactor |
+| Nesting depth | >4 | Use early returns |
+| Function length | >50 lines | Split function |
+| Magic numbers | Any | Use named constants |
+
+---
+
+## Coding Standards
+
+### CS1: Single Responsibility
+Each function should have one purpose.
+
+### CS2: No Magic
+All values and behaviors should be explicit.
+
+### CS3: Fail Fast
+Validate inputs early, throw on errors.
+
+### CS4: Clean Code
+No unused code, no commented blocks.
+
+---
+
+## What to Skip
+
+- Test fixtures with intentional issues
+- Documentation examples
+- Generated code
+- Third-party integrations following external patterns

package/skills/code-review/frameworks/react.md

@@ -0,0 +1,152 @@
+# React Framework Patterns
+
+Security and quality patterns specific to React applications.
+
+---
+
+## Security Patterns
+
+### XSS Prevention
+
+| Pattern | Risk | Detection |
+|---------|------|-----------|
+| `dangerouslySetInnerHTML` | High | Direct use without sanitization |
+| String interpolation in JSX | Medium | `{userInput}` in href, src attributes |
+| `eval()` with props/state | Critical | Dynamic code execution |
+
+**Safe Pattern:**
+```tsx
+// BAD
+<div dangerouslySetInnerHTML={{ __html: userComment }} />
+
+// GOOD
+import DOMPurify from 'dompurify';
+<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(userComment) }} />
+
+// BETTER
+<div>{userComment}</div>  // React escapes by default
+```
+
+### URL Injection
+
+| Pattern | Risk | Detection |
+|---------|------|-----------|
+| `javascript:` in href | Critical | User input in anchor href |
+| User-controlled `src` | High | Dynamic image/iframe sources |
+
+**Safe Pattern:**
+```tsx
+// BAD
+<a href={userProvidedUrl}>Link</a>
+
+// GOOD
+const sanitizeUrl = (url: string) => {
+  const parsed = new URL(url);
+  if (!['http:', 'https:'].includes(parsed.protocol)) {
+    throw new Error('Invalid URL protocol');
+  }
+  return url;
+};
+<a href={sanitizeUrl(userProvidedUrl)}>Link</a>
+```
+
+### State Exposure
+
+| Pattern | Risk | Detection |
+|---------|------|-----------|
+| Secrets in state | Critical | API keys, tokens in useState/Redux |
+| PII in localStorage | High | User data persisted client-side |
+
+---
+
+## Type Safety Patterns
+
+### Props Typing
+
+| Pattern | Issue | Fix |
+|---------|-------|-----|
+| `props: any` | Bypasses type checking | Define interface |
+| Missing children type | Unclear component API | Use `React.ReactNode` |
+| Event handler `any` | Loses event type | Use specific event type |
+
+**Example:**
+```tsx
+// BAD
+function Button(props: any) {
+  return <button onClick={props.onClick}>{props.children}</button>;
+}
+
+// GOOD
+interface ButtonProps {
+  onClick: (event: React.MouseEvent<HTMLButtonElement>) => void;
+  children: React.ReactNode;
+  disabled?: boolean;
+}
+
+function Button({ onClick, children, disabled }: ButtonProps) {
+  return <button onClick={onClick} disabled={disabled}>{children}</button>;
+}
+```
+
+### Ref Typing
+
+```tsx
+// BAD
+const inputRef = useRef(null);  // RefObject<null>
+
+// GOOD
+const inputRef = useRef<HTMLInputElement>(null);
+```
+
+---
+
+## Linting Patterns
+
+### Component Complexity
+
+| Metric | Threshold | Action |
+|--------|-----------|--------|
+| Lines per component | >150 | Split into sub-components |
+| Props count | >7 | Consider composition or context |
+| useEffect dependencies | >4 | Extract custom hook |
+
+### Hook Rules
+
+| Violation | Detection |
+|-----------|-----------|
+| Conditional hooks | `if (condition) { useEffect(...) }` |
+| Loop hooks | `items.map(() => useState(...))` |
+| Nested hooks | Hook called inside callback |
+
+---
+
+## Coding Standards
+
+### Naming Conventions
+
+| Element | Convention | Example |
+|---------|------------|---------|
+| Component | PascalCase | `UserProfile` |
+| Hook | camelCase with `use` prefix | `useUserProfile` |
+| Handler | `handle` prefix | `handleSubmit` |
+| Boolean prop | `is`, `has`, `should` prefix | `isLoading` |
+
+### File Organization
+
+```
+components/
+  Button/
+    Button.tsx          # Component
+    Button.test.tsx     # Tests
+    Button.module.css   # Styles
+    index.ts            # Re-export
+```
+
+---
+
+## What to Skip
+
+- Third-party component library patterns
+- React DevTools annotations
+- Storybook-specific code
+- Test utilities using `any` for mock flexibility