@schalkneethling/toolkit 0.5.1 → 0.6.0

package/skills/frontend-security/references/file-upload-security.md

@@ -18,9 +18,9 @@
 
 ```javascript
 const ALLOWED_EXTENSIONS = {
-  images: ['.jpg', '.jpeg', '.png', '.gif', '.webp'],
-  documents: ['.pdf', '.docx', '.xlsx'],
-  data: ['.csv', '.json']
+  images: [".jpg", ".jpeg", ".png", ".gif", ".webp"],
+  documents: [".pdf", ".docx", ".xlsx"],
+  data: [".csv", ".json"],
 };
 
 function validateExtension(filename, category) {
@@ -34,22 +34,50 @@ function validateExtension(filename, category) {
 ```javascript
 const DANGEROUS_EXTENSIONS = [
   // Server-side execution
-  '.php', '.php3', '.php4', '.php5', '.phtml',
-  '.asp', '.aspx', '.ascx', '.ashx',
-  '.jsp', '.jspx', '.jspa',
-  '.cgi', '.pl', '.py', '.rb',
+  ".php",
+  ".php3",
+  ".php4",
+  ".php5",
+  ".phtml",
+  ".asp",
+  ".aspx",
+  ".ascx",
+  ".ashx",
+  ".jsp",
+  ".jspx",
+  ".jspa",
+  ".cgi",
+  ".pl",
+  ".py",
+  ".rb",
 
   // Windows executable
-  '.exe', '.dll', '.bat', '.cmd', '.com', '.msi', '.ps1',
+  ".exe",
+  ".dll",
+  ".bat",
+  ".cmd",
+  ".com",
+  ".msi",
+  ".ps1",
 
   // Script files
-  '.js', '.vbs', '.wsf', '.hta',
+  ".js",
+  ".vbs",
+  ".wsf",
+  ".hta",
 
   // Config files
-  '.htaccess', '.htpasswd', '.config', '.ini',
+  ".htaccess",
+  ".htpasswd",
+  ".config",
+  ".ini",
 
   // Archive (can contain malicious files)
-  '.zip', '.tar', '.gz', '.rar', '.7z'
+  ".zip",
+  ".tar",
+  ".gz",
+  ".rar",
+  ".7z",
 ];
 ```
 
@@ -58,7 +86,7 @@ const DANGEROUS_EXTENSIONS = [
 ```javascript
 function sanitizeFilename(filename) {
   // Remove all extensions except the last
-  const parts = filename.split('.');
+  const parts = filename.split(".");
   if (parts.length > 2) {
     return `${parts[0]}.${parts[parts.length - 1]}`;
   }
@@ -74,13 +102,13 @@ function sanitizeFilename(filename) {
 
 ```javascript
 const ALLOWED_MIME_TYPES = {
-  '.jpg': ['image/jpeg'],
-  '.jpeg': ['image/jpeg'],
-  '.png': ['image/png'],
-  '.gif': ['image/gif'],
-  '.webp': ['image/webp'],
-  '.pdf': ['application/pdf'],
-  '.docx': ['application/vnd.openxmlformats-officedocument.wordprocessingml.document']
+  ".jpg": ["image/jpeg"],
+  ".jpeg": ["image/jpeg"],
+  ".png": ["image/png"],
+  ".gif": ["image/gif"],
+  ".webp": ["image/webp"],
+  ".pdf": ["application/pdf"],
+  ".docx": ["application/vnd.openxmlformats-officedocument.wordprocessingml.document"],
 };
 
 function validateMimeType(file) {
@@ -96,18 +124,21 @@ function validateMimeType(file) {
 
 ```javascript
 const FILE_SIGNATURES = {
-  jpg: Buffer.from([0xFF, 0xD8, 0xFF]),
-  png: Buffer.from([0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A]),
+  jpg: Buffer.from([0xff, 0xd8, 0xff]),
+  png: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
   gif: Buffer.from([0x47, 0x49, 0x46, 0x38]),
   pdf: Buffer.from([0x25, 0x50, 0x44, 0x46]),
-  zip: Buffer.from([0x50, 0x4B, 0x03, 0x04])
+  zip: Buffer.from([0x50, 0x4b, 0x03, 0x04]),
 };
 
 async function validateFileSignature(filePath, expectedType) {
   const buffer = Buffer.alloc(8);
-  const fd = await fs.open(filePath, 'r');
-  await fd.read(buffer, 0, 8, 0);
-  await fd.close();
+  const fd = await fs.open(filePath, "r");
+  try {
+    await fd.read(buffer, 0, 8, 0);
+  } finally {
+    await fd.close();
+  }
 
   const signature = FILE_SIGNATURES[expectedType];
   if (!signature) return false;
@@ -119,17 +150,17 @@ async function validateFileSignature(filePath, expectedType) {
 ## Safe Storage
 
 ```javascript
-const multer = require('multer');
-const path = require('path');
-const crypto = require('crypto');
+const multer = require("multer");
+const path = require("path");
+const crypto = require("crypto");
 
 // Store OUTSIDE webroot
-const UPLOAD_DIR = '/var/app/uploads';  // Not in /public/
+const UPLOAD_DIR = "/var/app/uploads"; // Not in /public/
 
 const storage = multer.diskStorage({
   destination: (req, file, cb) => {
     // Organize by date
-    const date = new Date().toISOString().split('T')[0];
+    const date = new Date().toISOString().split("T")[0];
     const dir = path.join(UPLOAD_DIR, date);
     fs.mkdirSync(dir, { recursive: true });
     cb(null, dir);
@@ -137,24 +168,24 @@ const storage = multer.diskStorage({
   filename: (req, file, cb) => {
     // Generate random filename
     const ext = path.extname(file.originalname).toLowerCase();
-    const name = crypto.randomBytes(16).toString('hex');
+    const name = crypto.randomBytes(16).toString("hex");
     cb(null, `${name}${ext}`);
-  }
+  },
 });
 
 const upload = multer({
   storage,
   limits: {
-    fileSize: 5 * 1024 * 1024,  // 5MB
-    files: 1
+    fileSize: 5 * 1024 * 1024, // 5MB
+    files: 1,
   },
   fileFilter: (req, file, cb) => {
     if (!validateMimeType(file)) {
-      cb(new Error('Invalid file type'));
+      cb(new Error("Invalid file type"));
       return;
     }
     cb(null, true);
-  }
+  },
 });
 ```
 
@@ -162,20 +193,20 @@ const upload = multer({
 
 ```javascript
 // Serve files through application, not directly
-app.get('/files/:id', async (req, res) => {
+app.get("/files/:id", async (req, res) => {
   // Verify user authorization
   if (!req.user || !canAccessFile(req.user, req.params.id)) {
-    return res.status(403).send('Forbidden');
+    return res.status(403).send("Forbidden");
   }
 
   // Get file from database (not from user input)
   const fileRecord = await db.getFile(req.params.id);
-  if (!fileRecord) return res.status(404).send('Not found');
+  if (!fileRecord) return res.status(404).send("Not found");
 
   // Set safe headers
-  res.setHeader('Content-Type', fileRecord.mimeType);
-  res.setHeader('Content-Disposition', `attachment; filename="${fileRecord.safeName}"`);
-  res.setHeader('X-Content-Type-Options', 'nosniff');
+  res.setHeader("Content-Type", fileRecord.mimeType);
+  res.setHeader("Content-Disposition", `attachment; filename="${fileRecord.safeName}"`);
+  res.setHeader("X-Content-Type-Options", "nosniff");
 
   // Stream file
   const stream = fs.createReadStream(fileRecord.path);
@@ -188,12 +219,12 @@ app.get('/files/:id', async (req, res) => {
 Destroy potential malicious content by re-encoding images:
 
 ```javascript
-const sharp = require('sharp');
+const sharp = require("sharp");
 
 async function sanitizeImage(inputPath, outputPath) {
   await sharp(inputPath)
-    .rotate()  // Apply EXIF orientation
-    .toFormat('jpeg', { quality: 90 })  // Re-encode
+    .rotate() // Apply EXIF orientation
+    .toFormat("jpeg", { quality: 90 }) // Re-encode
     .toFile(outputPath);
 }
 ```
@@ -201,8 +232,8 @@ async function sanitizeImage(inputPath, outputPath) {
 ## ZIP File Handling
 
 ```javascript
-const AdmZip = require('adm-zip');
-const path = require('path');
+const AdmZip = require("adm-zip");
+const path = require("path");
 
 function safeExtractZip(zipPath, destDir, maxSize = 100 * 1024 * 1024) {
   const zip = new AdmZip(zipPath);
@@ -216,20 +247,20 @@ function safeExtractZip(zipPath, destDir, maxSize = 100 * 1024 * 1024) {
     const resolvedEntry = path.resolve(destDir, entry.entryName);
     const relativeEntry = path.relative(resolvedDest, resolvedEntry);
 
-    if (relativeEntry.startsWith('..') || path.isAbsolute(relativeEntry)) {
-      throw new Error('Path traversal detected');
+    if (relativeEntry.startsWith("..") || path.isAbsolute(relativeEntry)) {
+      throw new Error("Path traversal detected");
     }
 
     // Check for zip bomb
     totalSize += entry.header.size;
     if (totalSize > maxSize) {
-      throw new Error('Extracted size exceeds limit');
+      throw new Error("Extracted size exceeds limit");
     }
 
     // Check compression ratio (zip bomb indicator)
     const ratio = entry.header.size / entry.header.compressedSize;
     if (ratio > 100) {
-      throw new Error('Suspicious compression ratio');
+      throw new Error("Suspicious compression ratio");
     }
   }
 
@@ -240,18 +271,18 @@ function safeExtractZip(zipPath, destDir, maxSize = 100 * 1024 * 1024) {
 ## Express.js Complete Example
 
 ```javascript
-const express = require('express');
-const multer = require('multer');
-const path = require('path');
-const crypto = require('crypto');
-const fs = require('fs').promises;
+const express = require("express");
+const multer = require("multer");
+const path = require("path");
+const crypto = require("crypto");
+const fs = require("fs").promises;
 
 const app = express();
 
 // Configuration
-const UPLOAD_DIR = '/var/app/uploads';
+const UPLOAD_DIR = "/var/app/uploads";
 const MAX_FILE_SIZE = 5 * 1024 * 1024;
-const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/gif'];
+const ALLOWED_TYPES = ["image/jpeg", "image/png", "image/gif"];
 
 // Multer setup
 const upload = multer({
@@ -259,26 +290,27 @@ const upload = multer({
   limits: { fileSize: MAX_FILE_SIZE },
   fileFilter: (req, file, cb) => {
     if (!ALLOWED_TYPES.includes(file.mimetype)) {
-      cb(new multer.MulterError('LIMIT_UNEXPECTED_FILE'));
+      cb(new multer.MulterError("LIMIT_UNEXPECTED_FILE"));
       return;
     }
     cb(null, true);
-  }
+  },
 });
 
 // Upload endpoint
-app.post('/upload',
-  requireAuth,           // Authentication
-  verifyToken,           // CSRF token
-  upload.single('file'), // File handling
+app.post(
+  "/upload",
+  requireAuth, // Authentication
+  verifyToken, // CSRF token
+  upload.single("file"), // File handling
   async (req, res) => {
     try {
       const file = req.file;
-      if (!file) return res.status(400).json({ error: 'No file' });
+      if (!file) return res.status(400).json({ error: "No file" });
 
       // Validate magic bytes
       if (!validateMagicBytes(file.buffer, file.mimetype)) {
-        return res.status(400).json({ error: 'Invalid file' });
+        return res.status(400).json({ error: "Invalid file" });
       }
 
       // Generate safe filename
@@ -295,15 +327,15 @@ app.post('/upload',
         filename,
         originalName: file.originalname,
         mimeType: file.mimetype,
-        size: file.size
+        size: file.size,
       });
 
       res.json({ id: fileRecord.id });
     } catch (error) {
       console.error(error);
-      res.status(500).json({ error: 'Upload failed' });
+      res.status(500).json({ error: "Upload failed" });
     }
-  }
+  },
 );
 ```
 

package/skills/frontend-security/references/framework-patterns.md

@@ -20,18 +20,18 @@ import DOMPurify from 'dompurify';
 
 ```jsx
 // DANGEROUS - javascript: URLs in href
-<a href={userInput}>Link</a>
+<a href={userInput}>Link</a>;
 
 // SAFE - validate URL protocol
 function SafeLink({ href, children }) {
   const safeHref = useMemo(() => {
     try {
       const url = new URL(href, window.location.origin);
-      if (['http:', 'https:', 'mailto:'].includes(url.protocol)) {
+      if (["http:", "https:", "mailto:"].includes(url.protocol)) {
         return href;
       }
     } catch {}
-    return '#';
+    return "#";
   }, [href]);
 
   return <a href={safeHref}>{children}</a>;
@@ -55,17 +55,15 @@ function SafeLink({ href, children }) {
 
 ```jsx
 // DANGEROUS - injecting user data into SSR without escaping
-<script>
-  window.__INITIAL_STATE__ = {JSON.stringify(userControlledData)}
-</script>
+<script>window.__INITIAL_STATE__ = {JSON.stringify(userControlledData)}</script>;
 
 // SAFE - serialize with escaping
-import serialize from 'serialize-javascript';
+import serialize from "serialize-javascript";
 <script
   dangerouslySetInnerHTML={{
-    __html: `window.__INITIAL_STATE__ = ${serialize(data, { isJSON: true })}`
+    __html: `window.__INITIAL_STATE__ = ${serialize(data, { isJSON: true })}`,
   }}
-/>
+/>;
 ```
 
 ## Astro Security
@@ -116,20 +114,20 @@ const Component = await loadComponent();
 // src/pages/api/data.js
 export async function POST({ request }) {
   // Validate Content-Type
-  const contentType = request.headers.get('content-type');
-  if (!contentType?.includes('application/json')) {
-    return new Response('Invalid content type', { status: 415 });
+  const contentType = request.headers.get("content-type");
+  if (!contentType?.includes("application/json")) {
+    return new Response("Invalid content type", { status: 415 });
   }
 
   // Validate and sanitize input
   const body = await request.json();
   if (!validateInput(body)) {
-    return new Response('Invalid input', { status: 400 });
+    return new Response("Invalid input", { status: 400 });
   }
 
   // Process request
   return new Response(JSON.stringify(result), {
-    headers: { 'Content-Type': 'application/json' }
+    headers: { "Content-Type": "application/json" },
   });
 }
 ```
@@ -177,12 +175,12 @@ export async function POST({ request }) {
 twig:
   sandbox:
     policy:
-      tags: ['if', 'for', 'set']
-      filters: ['escape', 'upper', 'lower']
+      tags: ["if", "for", "set"]
+      filters: ["escape", "upper", "lower"]
       methods:
-        Symfony\Component\Routing\Generator\UrlGeneratorInterface: ['generate']
+        Symfony\Component\Routing\Generator\UrlGeneratorInterface: ["generate"]
       properties: []
-      functions: ['path', 'url']
+      functions: ["path", "url"]
 ```
 
 ### CSRF in Forms
@@ -207,31 +205,35 @@ Bun.serve({
     const url = new URL(req.url);
 
     // Validate origin for CORS
-    const origin = req.headers.get('origin');
+    const origin = req.headers.get("origin");
     if (origin && !isAllowedOrigin(origin)) {
-      return new Response('Forbidden', { status: 403 });
+      return new Response("Forbidden", { status: 403 });
     }
 
     // Rate limiting
     if (isRateLimited(req)) {
-      return new Response('Too Many Requests', { status: 429 });
+      return new Response("Too Many Requests", { status: 429 });
     }
 
     return handleRequest(req);
-  }
+  },
 });
 ```
 
 ### File Handling
 
 ```javascript
+const path = require("path");
+
 // Validate file paths
 function safeReadFile(userPath) {
-  const baseDir = '/app/public';
-  const resolved = Bun.resolveSync(userPath, baseDir);
+  const baseDir = "/app/public";
+  const safeBaseDir = path.resolve(baseDir);
+  const resolved = path.resolve(safeBaseDir, userPath);
+  const relativePath = path.relative(safeBaseDir, resolved);
 
-  if (!resolved.startsWith(baseDir)) {
-    throw new Error('Path traversal detected');
+  if (relativePath.startsWith("..") || path.isAbsolute(relativePath)) {
+    throw new Error("Path traversal detected");
   }
 
   return Bun.file(resolved).text();
@@ -244,34 +246,34 @@ function safeReadFile(userPath) {
 
 ```javascript
 // NEVER store sensitive data in localStorage
-localStorage.setItem('token', jwt);  // DANGEROUS
+localStorage.setItem("token", jwt); // DANGEROUS
 
 // Use httpOnly cookies for tokens instead
 // Or store in memory with short expiration
 
 // If localStorage is necessary, encrypt
-import { encrypt, decrypt } from './crypto';
-localStorage.setItem('data', encrypt(sensitiveData, key));
+import { encrypt, decrypt } from "./crypto";
+localStorage.setItem("data", encrypt(sensitiveData, key));
 ```
 
 ### postMessage
 
 ```javascript
 // Always validate origin and data
-window.addEventListener('message', (event) => {
+window.addEventListener("message", (event) => {
   // Validate origin
-  const allowedOrigins = ['https://trusted.com'];
+  const allowedOrigins = ["https://trusted.com"];
   if (!allowedOrigins.includes(event.origin)) return;
 
   // Validate data structure
-  if (typeof event.data !== 'object') return;
-  if (!['action1', 'action2'].includes(event.data.type)) return;
+  if (typeof event.data !== "object") return;
+  if (!["action1", "action2"].includes(event.data.type)) return;
 
   handleMessage(event.data);
 });
 
 // Always specify target origin when sending
-iframe.contentWindow.postMessage(data, 'https://specific-origin.com');
+iframe.contentWindow.postMessage(data, "https://specific-origin.com");
 // NEVER use '*' for sensitive data
 ```
 
@@ -282,23 +284,23 @@ iframe.contentWindow.postMessage(data, 'https://specific-origin.com');
 const wss = new WebSocket.Server({
   server,
   verifyClient: ({ origin, req }, callback) => {
-    const allowed = ['https://myapp.com'];
+    const allowed = ["https://myapp.com"];
     callback(allowed.includes(origin));
-  }
+  },
 });
 
 // Validate messages
-wss.on('connection', (ws) => {
-  ws.on('message', (data) => {
+wss.on("connection", (ws) => {
+  ws.on("message", (data) => {
     try {
       const msg = JSON.parse(data);
       if (!isValidMessage(msg)) {
-        ws.close(1008, 'Invalid message');
+        ws.close(1008, "Invalid message");
         return;
       }
       handleMessage(msg);
     } catch {
-      ws.close(1008, 'Invalid JSON');
+      ws.close(1008, "Invalid JSON");
     }
   });
 });