@sylix/coworker 2.0.10 → 2.0.12
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/commands/slash/config.d.ts.map +1 -1
- package/dist/commands/slash/config.js +23 -5
- package/dist/commands/slash/config.js.map +1 -1
- package/dist/commands/slash/todo.js +1 -1
- package/dist/commands/slash/todo.js.map +1 -1
- package/dist/core/CoWorkerAgent.d.ts.map +1 -1
- package/dist/core/CoWorkerAgent.js +6 -3
- package/dist/core/CoWorkerAgent.js.map +1 -1
- package/dist/permissions/PermissionInterceptor.js +1 -1
- package/dist/permissions/PermissionInterceptor.js.map +1 -1
- package/dist/skills/defaults/accessibility/screen-reader-testing.md +545 -0
- package/dist/skills/defaults/accessibility/wcag-audit-patterns.md +555 -0
- package/dist/skills/defaults/ai-ml/rag.md +276 -0
- package/dist/skills/defaults/backend-development/api-design-principles.md +528 -0
- package/dist/skills/defaults/backend-development/api-design.md +285 -0
- package/dist/skills/defaults/backend-development/architecture-patterns.md +494 -0
- package/dist/skills/defaults/backend-development/async-python.md +237 -0
- package/dist/skills/defaults/backend-development/auth-implementation-patterns.md +638 -0
- package/dist/skills/defaults/backend-development/bazel-build-optimization.md +387 -0
- package/dist/skills/defaults/backend-development/billing-automation/SKILL.md +566 -0
- package/dist/skills/defaults/backend-development/code-review-excellence.md +538 -0
- package/dist/skills/defaults/backend-development/cqrs-implementation.md +554 -0
- package/dist/skills/defaults/backend-development/database-design.md +305 -0
- package/dist/skills/defaults/backend-development/debugging-strategies.md +536 -0
- package/dist/skills/defaults/backend-development/e2e-testing-patterns.md +544 -0
- package/dist/skills/defaults/backend-development/error-handling-patterns.md +641 -0
- package/dist/skills/defaults/backend-development/fastapi-templates.md +559 -0
- package/dist/skills/defaults/backend-development/fastapi.md +309 -0
- package/dist/skills/defaults/backend-development/git-advanced-workflows.md +405 -0
- package/dist/skills/defaults/backend-development/microservices-patterns.md +595 -0
- package/dist/skills/defaults/backend-development/microservices.md +284 -0
- package/dist/skills/defaults/backend-development/monorepo-management.md +623 -0
- package/dist/skills/defaults/backend-development/nodejs-backend-patterns.md +1048 -0
- package/dist/skills/defaults/backend-development/nx-workspace-patterns.md +457 -0
- package/dist/skills/defaults/backend-development/paypal-integration/SKILL.md +478 -0
- package/dist/skills/defaults/backend-development/pci-compliance/SKILL.md +480 -0
- package/dist/skills/defaults/backend-development/python-anti-patterns.md +349 -0
- package/dist/skills/defaults/backend-development/python-background-jobs.md +364 -0
- package/dist/skills/defaults/backend-development/python-code-style.md +360 -0
- package/dist/skills/defaults/backend-development/python-configuration.md +368 -0
- package/dist/skills/defaults/backend-development/python-design-patterns.md +296 -0
- package/dist/skills/defaults/backend-development/python-error-handling.md +323 -0
- package/dist/skills/defaults/backend-development/python-packaging.md +887 -0
- package/dist/skills/defaults/backend-development/python-performance-optimization.md +874 -0
- package/dist/skills/defaults/backend-development/python-project-structure.md +252 -0
- package/dist/skills/defaults/backend-development/python-resilience.md +376 -0
- package/dist/skills/defaults/backend-development/python-resource-management.md +421 -0
- package/dist/skills/defaults/backend-development/python-type-safety.md +428 -0
- package/dist/skills/defaults/backend-development/sql-optimization-patterns.md +509 -0
- package/dist/skills/defaults/backend-development/stripe-integration/SKILL.md +522 -0
- package/dist/skills/defaults/backend-development/turborepo-caching.md +376 -0
- package/dist/skills/defaults/blockchain/defi-protocol-templates.md +430 -0
- package/dist/skills/defaults/blockchain/nft-standards.md +364 -0
- package/dist/skills/defaults/blockchain/solidity-security.md +514 -0
- package/dist/skills/defaults/blockchain/web3-testing.md +360 -0
- package/dist/skills/defaults/business/competitive-landscape/SKILL.md +527 -0
- package/dist/skills/defaults/business/market-sizing-analysis/SKILL.md +451 -0
- package/dist/skills/defaults/business/startup-financial-modeling/SKILL.md +494 -0
- package/dist/skills/defaults/business/startup-metrics-framework/SKILL.md +564 -0
- package/dist/skills/defaults/business/team-composition-analysis.md +437 -0
- package/dist/skills/defaults/compliance/employment-contract-templates/SKILL.md +527 -0
- package/dist/skills/defaults/compliance/gdpr-data-handling/SKILL.md +630 -0
- package/dist/skills/defaults/data-engineering/airflow-dag-patterns.md +436 -0
- package/dist/skills/defaults/data-engineering/airflow.md +519 -0
- package/dist/skills/defaults/data-engineering/data-quality.md +583 -0
- package/dist/skills/defaults/data-engineering/dbt-transformation-patterns.md +482 -0
- package/dist/skills/defaults/data-engineering/dbt.md +556 -0
- package/dist/skills/defaults/data-engineering/ml-pipeline-workflow/SKILL.md +247 -0
- package/dist/skills/defaults/data-engineering/spark-optimization.md +348 -0
- package/dist/skills/defaults/data-engineering/spark.md +411 -0
- package/dist/skills/defaults/database/postgresql.md +202 -0
- package/dist/skills/defaults/debugging/systematic-debugging.md +249 -0
- package/dist/skills/defaults/devops/architecture-decision-records.md +448 -0
- package/dist/skills/defaults/devops/changelog-automation.md +580 -0
- package/dist/skills/defaults/devops/cicd.md +314 -0
- package/dist/skills/defaults/devops/cloud.md +263 -0
- package/dist/skills/defaults/devops/code-review-excellence.md +299 -0
- package/dist/skills/defaults/devops/cost-optimization.md +295 -0
- package/dist/skills/defaults/devops/deployment-pipeline-design.md +356 -0
- package/dist/skills/defaults/devops/docker.md +281 -0
- package/dist/skills/defaults/devops/git-workflows.md +205 -0
- package/dist/skills/defaults/devops/github-actions.md +311 -0
- package/dist/skills/defaults/devops/gitlab-ci-patterns.md +266 -0
- package/dist/skills/defaults/devops/hybrid-cloud-networking.md +241 -0
- package/dist/skills/defaults/devops/istio-traffic-management.md +327 -0
- package/dist/skills/defaults/devops/kubernetes.md +339 -0
- package/dist/skills/defaults/devops/linkerd-patterns.md +311 -0
- package/dist/skills/defaults/devops/multi-cloud-architecture.md +181 -0
- package/dist/skills/defaults/devops/observability.md +243 -0
- package/dist/skills/defaults/devops/openapi-spec-generation.md +1024 -0
- package/dist/skills/defaults/devops/postmortem-writing.md +396 -0
- package/dist/skills/defaults/devops/prometheus-configuration.md +265 -0
- package/dist/skills/defaults/devops/secrets-management.md +341 -0
- package/dist/skills/defaults/devops/service-mesh-observability.md +385 -0
- package/dist/skills/defaults/devops/terraform-module-library.md +244 -0
- package/dist/skills/defaults/finance/backtesting-frameworks/SKILL.md +663 -0
- package/dist/skills/defaults/finance/risk-metrics-calculation/SKILL.md +557 -0
- package/dist/skills/defaults/frontend/accessibility-compliance.md +420 -0
- package/dist/skills/defaults/frontend/design-system-patterns.md +337 -0
- package/dist/skills/defaults/frontend/interaction-design.md +327 -0
- package/dist/skills/defaults/frontend/javascript.md +311 -0
- package/dist/skills/defaults/frontend/modern-javascript-patterns.md +927 -0
- package/dist/skills/defaults/frontend/react-native-design.md +440 -0
- package/dist/skills/defaults/frontend/react.md +345 -0
- package/dist/skills/defaults/frontend/responsive-design.md +472 -0
- package/dist/skills/defaults/frontend/tailwind-design-system.md +337 -0
- package/dist/skills/defaults/frontend/typescript-advanced-types.md +724 -0
- package/dist/skills/defaults/frontend/typescript.md +334 -0
- package/dist/skills/defaults/frontend/visual-design-foundations.md +326 -0
- package/dist/skills/defaults/frontend/web-component-design.md +279 -0
- package/dist/skills/defaults/game-development/godot-gdscript-patterns.md +188 -0
- package/dist/skills/defaults/game-development/unity-ecs-patterns.md +594 -0
- package/dist/skills/defaults/kubernetes/gitops-workflow.md +285 -0
- package/dist/skills/defaults/kubernetes/gitops.md +280 -0
- package/dist/skills/defaults/kubernetes/helm-chart-scaffolding.md +553 -0
- package/dist/skills/defaults/kubernetes/helm.md +343 -0
- package/dist/skills/defaults/kubernetes/k8s-manifest-generator.md +501 -0
- package/dist/skills/defaults/kubernetes/k8s-security-policies.md +342 -0
- package/dist/skills/defaults/kubernetes/manifests.md +330 -0
- package/dist/skills/defaults/kubernetes/security.md +337 -0
- package/dist/skills/defaults/llm-application/embedding-strategies.md +608 -0
- package/dist/skills/defaults/llm-application/hybrid-search-implementation.md +570 -0
- package/dist/skills/defaults/llm-application/hybrid-search.md +570 -0
- package/dist/skills/defaults/llm-application/langchain-architecture.md +666 -0
- package/dist/skills/defaults/llm-application/langchain.md +259 -0
- package/dist/skills/defaults/llm-application/llm-evaluation.md +695 -0
- package/dist/skills/defaults/llm-application/prompt-engineering-patterns.md +449 -0
- package/dist/skills/defaults/llm-application/prompt-engineering.md +219 -0
- package/dist/skills/defaults/llm-application/rag-implementation.md +434 -0
- package/dist/skills/defaults/llm-application/similarity-search-patterns.md +560 -0
- package/dist/skills/defaults/llm-application/similarity-search.md +560 -0
- package/dist/skills/defaults/llm-application/vector-index-tuning.md +523 -0
- package/dist/skills/defaults/mobile/mobile-android-design.md +440 -0
- package/dist/skills/defaults/mobile/mobile-ios-design.md +266 -0
- package/dist/skills/defaults/monitoring/distributed-tracing.md +436 -0
- package/dist/skills/defaults/monitoring/grafana-dashboards.md +370 -0
- package/dist/skills/defaults/monitoring/prometheus-configuration.md +379 -0
- package/dist/skills/defaults/monitoring/slo-implementation.md +323 -0
- package/dist/skills/defaults/refactoring/code-refactoring.md +349 -0
- package/dist/skills/defaults/security/anti-reversing-techniques/SKILL.md +559 -0
- package/dist/skills/defaults/security/auditor.md +168 -0
- package/dist/skills/defaults/security/binary-analysis-patterns/SKILL.md +438 -0
- package/dist/skills/defaults/security/memory-forensics/SKILL.md +483 -0
- package/dist/skills/defaults/security/mtls-configuration.md +349 -0
- package/dist/skills/defaults/security/protocol-reverse-engineering/SKILL.md +520 -0
- package/dist/skills/defaults/security/sast-configuration.md +182 -0
- package/dist/skills/defaults/security/security.md +313 -0
- package/dist/skills/defaults/security/stride-analysis.md +273 -0
- package/dist/skills/defaults/security/threat-mitigation-mapping.md +290 -0
- package/dist/skills/defaults/systems/bash-defensive-patterns/SKILL.md +539 -0
- package/dist/skills/defaults/systems/bats-testing-patterns/SKILL.md +631 -0
- package/dist/skills/defaults/systems/go-concurrency-patterns.md +657 -0
- package/dist/skills/defaults/systems/memory-safety-patterns.md +605 -0
- package/dist/skills/defaults/systems/rust-async-patterns.md +519 -0
- package/dist/skills/defaults/systems/shellcheck-configuration/SKILL.md +456 -0
- package/dist/skills/defaults/team-collaboration/multi-reviewer-patterns.md +126 -0
- package/dist/skills/defaults/team-collaboration/parallel-feature-development.md +151 -0
- package/dist/skills/defaults/testing/javascript-testing-patterns.md +1021 -0
- package/dist/skills/defaults/testing/python-testing-patterns.md +351 -0
- package/dist/skills/defaults/testing/testing.md +332 -0
- package/dist/skills/defaults/workflows/context-driven-development.md +384 -0
- package/dist/skills/defaults/workflows/track-management.md +592 -0
- package/dist/skills/defaults/workflows/workflow-patterns.md +622 -0
- package/dist/skills/index.d.ts +11 -0
- package/dist/skills/index.d.ts.map +1 -0
- package/dist/skills/index.js +129 -0
- package/dist/skills/index.js.map +1 -0
- package/dist/utils/character.js +6 -9
- package/dist/utils/character.js.map +1 -1
- package/dist/utils/contextManager.js +3 -7
- package/dist/utils/contextManager.js.map +1 -1
- package/dist/utils/inputbar.d.ts.map +1 -1
- package/dist/utils/inputbar.js +8 -1
- package/dist/utils/inputbar.js.map +1 -1
- package/dist/utils/output.d.ts.map +1 -1
- package/dist/utils/output.js +3 -35
- package/dist/utils/output.js.map +1 -1
- package/package.json +1 -1
|
@@ -0,0 +1,313 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: security
|
|
3
|
+
description: Implement application security with authentication, authorization, input validation, and common vulnerability prevention.
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# Application Security — CoWorker Edition
|
|
7
|
+
|
|
8
|
+
Build secure applications by default.
|
|
9
|
+
|
|
10
|
+
## When to Use This Skill
|
|
11
|
+
|
|
12
|
+
- Implementing authentication
|
|
13
|
+
- Setting up authorization
|
|
14
|
+
- Securing APIs
|
|
15
|
+
- Preventing common vulnerabilities
|
|
16
|
+
- Handling sensitive data
|
|
17
|
+
|
|
18
|
+
## Core Concepts
|
|
19
|
+
|
|
20
|
+
### 1. Authentication
|
|
21
|
+
|
|
22
|
+
```typescript
|
|
23
|
+
// JWT implementation
|
|
24
|
+
import jwt from 'jsonwebtoken';
|
|
25
|
+
import bcrypt from 'bcrypt';
|
|
26
|
+
|
|
27
|
+
const JWT_SECRET = process.env.JWT_SECRET!;
|
|
28
|
+
const JWT_EXPIRY = '7d';
|
|
29
|
+
|
|
30
|
+
interface TokenPayload {
|
|
31
|
+
userId: string;
|
|
32
|
+
email: string;
|
|
33
|
+
roles: string[];
|
|
34
|
+
}
|
|
35
|
+
|
|
36
|
+
function generateToken(user: User): string {
|
|
37
|
+
const payload: TokenPayload = {
|
|
38
|
+
userId: user.id,
|
|
39
|
+
email: user.email,
|
|
40
|
+
roles: user.roles
|
|
41
|
+
};
|
|
42
|
+
|
|
43
|
+
return jwt.sign(payload, JWT_SECRET, {
|
|
44
|
+
expiresIn: JWT_EXPIRY,
|
|
45
|
+
issuer: 'coworker-app'
|
|
46
|
+
});
|
|
47
|
+
}
|
|
48
|
+
|
|
49
|
+
function verifyToken(token: string): TokenPayload {
|
|
50
|
+
return jwt.verify(token, JWT_SECRET, {
|
|
51
|
+
issuer: 'coworker-app'
|
|
52
|
+
}) as TokenPayload;
|
|
53
|
+
}
|
|
54
|
+
|
|
55
|
+
// Password hashing
|
|
56
|
+
async function hashPassword(password: string): Promise<string> {
|
|
57
|
+
return bcrypt.hash(password, 12);
|
|
58
|
+
}
|
|
59
|
+
|
|
60
|
+
async function verifyPassword(password: string, hash: string): Promise<boolean> {
|
|
61
|
+
return bcrypt.compare(password, hash);
|
|
62
|
+
}
|
|
63
|
+
```
|
|
64
|
+
|
|
65
|
+
### 2. Authorization (RBAC)
|
|
66
|
+
|
|
67
|
+
```typescript
|
|
68
|
+
// Role definitions
|
|
69
|
+
enum Role {
|
|
70
|
+
ADMIN = 'admin',
|
|
71
|
+
USER = 'user',
|
|
72
|
+
GUEST = 'guest'
|
|
73
|
+
}
|
|
74
|
+
|
|
75
|
+
// Permission system
|
|
76
|
+
enum Permission {
|
|
77
|
+
READ_USERS = 'read:users',
|
|
78
|
+
WRITE_USERS = 'write:users',
|
|
79
|
+
READ_ORDERS = 'read:orders',
|
|
80
|
+
WRITE_ORDERS = 'write:orders',
|
|
81
|
+
ADMIN_ALL = 'admin:all'
|
|
82
|
+
}
|
|
83
|
+
|
|
84
|
+
const rolePermissions: Record<Role, Permission[]> = {
|
|
85
|
+
[Role.ADMIN]: Object.values(Permission),
|
|
86
|
+
[Role.USER]: [
|
|
87
|
+
Permission.READ_USERS,
|
|
88
|
+
Permission.READ_ORDERS,
|
|
89
|
+
Permission.WRITE_ORDERS
|
|
90
|
+
],
|
|
91
|
+
[Role.GUEST]: [
|
|
92
|
+
Permission.READ_ORDERS
|
|
93
|
+
]
|
|
94
|
+
};
|
|
95
|
+
|
|
96
|
+
// Middleware
|
|
97
|
+
function authorize(...requiredPermissions: Permission[]) {
|
|
98
|
+
return (req: AuthenticatedRequest, res: Response, next: NextFunction) => {
|
|
99
|
+
const user = req.user;
|
|
100
|
+
|
|
101
|
+
if (!user) {
|
|
102
|
+
return res.status(401).json({ error: 'Unauthorized' });
|
|
103
|
+
}
|
|
104
|
+
|
|
105
|
+
const userPermissions = rolePermissions[user.role as Role] || [];
|
|
106
|
+
|
|
107
|
+
const hasPermission = requiredPermissions.every(
|
|
108
|
+
perm => userPermissions.includes(perm)
|
|
109
|
+
);
|
|
110
|
+
|
|
111
|
+
if (!hasPermission) {
|
|
112
|
+
return res.status(403).json({ error: 'Forbidden' });
|
|
113
|
+
}
|
|
114
|
+
|
|
115
|
+
next();
|
|
116
|
+
};
|
|
117
|
+
}
|
|
118
|
+
|
|
119
|
+
// Usage
|
|
120
|
+
router.get('/users',
|
|
121
|
+
authenticate,
|
|
122
|
+
authorize(Permission.READ_USERS),
|
|
123
|
+
getUsers
|
|
124
|
+
);
|
|
125
|
+
```
|
|
126
|
+
|
|
127
|
+
### 3. Input Validation
|
|
128
|
+
|
|
129
|
+
```typescript
|
|
130
|
+
import { z } from 'zod';
|
|
131
|
+
|
|
132
|
+
// Validate API inputs
|
|
133
|
+
const CreateUserSchema = z.object({
|
|
134
|
+
email: z.string().email(),
|
|
135
|
+
password: z.string().min(8).max(100),
|
|
136
|
+
name: z.string().min(1).max(100),
|
|
137
|
+
age: z.number().int().positive().optional()
|
|
138
|
+
});
|
|
139
|
+
|
|
140
|
+
function validateCreateUser(data: unknown): CreateUserInput {
|
|
141
|
+
return CreateUserSchema.parse(data);
|
|
142
|
+
}
|
|
143
|
+
|
|
144
|
+
// SQL injection prevention - use parameterized queries
|
|
145
|
+
async function getUserByEmail(email: string): Promise<User | null> {
|
|
146
|
+
// GOOD: Parameterized query
|
|
147
|
+
const result = await db.query(
|
|
148
|
+
'SELECT * FROM users WHERE email = $1',
|
|
149
|
+
[email]
|
|
150
|
+
);
|
|
151
|
+
|
|
152
|
+
// BAD: String interpolation (never do this!)
|
|
153
|
+
// const result = await db.query(
|
|
154
|
+
// `SELECT * FROM users WHERE email = '${email}'`
|
|
155
|
+
// );
|
|
156
|
+
|
|
157
|
+
return result.rows[0] || null;
|
|
158
|
+
}
|
|
159
|
+
```
|
|
160
|
+
|
|
161
|
+
### 4. Rate Limiting
|
|
162
|
+
|
|
163
|
+
```typescript
|
|
164
|
+
import rateLimit from 'express-rate-limit';
|
|
165
|
+
import RedisStore from 'rate-limit-redis';
|
|
166
|
+
|
|
167
|
+
const generalLimiter = rateLimit({
|
|
168
|
+
windowMs: 15 * 60 * 1000, // 15 minutes
|
|
169
|
+
max: 100, // limit each IP to 100 requests per windowMs
|
|
170
|
+
message: { error: 'Too many requests' },
|
|
171
|
+
standardHeaders: true,
|
|
172
|
+
legacyHeaders: false
|
|
173
|
+
});
|
|
174
|
+
|
|
175
|
+
const authLimiter = rateLimit({
|
|
176
|
+
windowMs: 60 * 60 * 1000, // 1 hour
|
|
177
|
+
max: 5, // 5 login attempts per hour
|
|
178
|
+
skipSuccessfulRequests: true
|
|
179
|
+
});
|
|
180
|
+
|
|
181
|
+
const apiLimiter = rateLimit({
|
|
182
|
+
store: new RedisStore({
|
|
183
|
+
prefix: 'rl:api:',
|
|
184
|
+
client: redis
|
|
185
|
+
}),
|
|
186
|
+
windowMs: 60 * 1000, // 1 minute
|
|
187
|
+
max: 60
|
|
188
|
+
});
|
|
189
|
+
|
|
190
|
+
app.use('/api', apiLimiter);
|
|
191
|
+
app.use('/auth/login', authLimiter);
|
|
192
|
+
```
|
|
193
|
+
|
|
194
|
+
### 5. Security Headers
|
|
195
|
+
|
|
196
|
+
```typescript
|
|
197
|
+
import helmet from 'helmet';
|
|
198
|
+
|
|
199
|
+
app.use(helmet());
|
|
200
|
+
|
|
201
|
+
// Custom configuration
|
|
202
|
+
app.use(helmet.contentSecurityPolicy({
|
|
203
|
+
directives: {
|
|
204
|
+
defaultSrc: ["'self'"],
|
|
205
|
+
scriptSrc: ["'self'", "'unsafe-inline'"],
|
|
206
|
+
styleSrc: ["'self'", "'unsafe-inline'"],
|
|
207
|
+
imgSrc: ["'self'", 'data:', 'https:'],
|
|
208
|
+
connectSrc: ["'self'", 'https://api.example.com'],
|
|
209
|
+
fontSrc: ["'self'"],
|
|
210
|
+
objectSrc: ["'none'"],
|
|
211
|
+
mediaSrc: ["'self'"],
|
|
212
|
+
frameSrc: ["'none'"]
|
|
213
|
+
}
|
|
214
|
+
}));
|
|
215
|
+
|
|
216
|
+
app.use(helmet.hsts({
|
|
217
|
+
maxAge: 31536000,
|
|
218
|
+
includeSubDomains: true,
|
|
219
|
+
preload: true
|
|
220
|
+
}));
|
|
221
|
+
```
|
|
222
|
+
|
|
223
|
+
### 6. Secure API Design
|
|
224
|
+
|
|
225
|
+
```typescript
|
|
226
|
+
// Input sanitization
|
|
227
|
+
import DOMPurify from 'isomorphic-dompurify';
|
|
228
|
+
|
|
229
|
+
function sanitizeInput(input: string): string {
|
|
230
|
+
return DOMPurify.sanitize(input, {
|
|
231
|
+
ALLOWED_TAGS: [],
|
|
232
|
+
ALLOWED_ATTR: []
|
|
233
|
+
});
|
|
234
|
+
}
|
|
235
|
+
|
|
236
|
+
// Command injection prevention
|
|
237
|
+
import { execFile } from 'child_process';
|
|
238
|
+
|
|
239
|
+
async function getFileInfo(filename: string): Promise<string> {
|
|
240
|
+
// GOOD: Use execFile instead of exec
|
|
241
|
+
return new Promise((resolve, reject) => {
|
|
242
|
+
execFile('stat', [filename], (error, stdout) => {
|
|
243
|
+
if (error) reject(error);
|
|
244
|
+
else resolve(stdout);
|
|
245
|
+
});
|
|
246
|
+
});
|
|
247
|
+
|
|
248
|
+
// BAD: Never use exec with user input
|
|
249
|
+
// exec(`stat ${filename}`);
|
|
250
|
+
}
|
|
251
|
+
|
|
252
|
+
// CORS configuration
|
|
253
|
+
import cors from 'cors';
|
|
254
|
+
|
|
255
|
+
app.use(cors({
|
|
256
|
+
origin: process.env.ALLOWED_ORIGINS?.split(',') || [],
|
|
257
|
+
credentials: true,
|
|
258
|
+
methods: ['GET', 'POST', 'PUT', 'DELETE'],
|
|
259
|
+
allowedHeaders: ['Content-Type', 'Authorization']
|
|
260
|
+
}));
|
|
261
|
+
```
|
|
262
|
+
|
|
263
|
+
### 7. Secrets Management
|
|
264
|
+
|
|
265
|
+
```typescript
|
|
266
|
+
// Environment validation
|
|
267
|
+
import { z } from 'zod';
|
|
268
|
+
|
|
269
|
+
const envSchema = z.object({
|
|
270
|
+
DATABASE_URL: z.string().url(),
|
|
271
|
+
JWT_SECRET: z.string().min(32),
|
|
272
|
+
REDIS_URL: z.string().url(),
|
|
273
|
+
AWS_ACCESS_KEY_ID: z.string().min(16),
|
|
274
|
+
AWS_SECRET_ACCESS_KEY: z.string().min(30),
|
|
275
|
+
ENCRYPTION_KEY: z.string().length(32)
|
|
276
|
+
});
|
|
277
|
+
|
|
278
|
+
function loadEnv() {
|
|
279
|
+
const result = envSchema.safeParse(process.env);
|
|
280
|
+
|
|
281
|
+
if (!result.success) {
|
|
282
|
+
console.error('Invalid environment:', result.error.flatten());
|
|
283
|
+
process.exit(1);
|
|
284
|
+
}
|
|
285
|
+
|
|
286
|
+
return result.data;
|
|
287
|
+
}
|
|
288
|
+
|
|
289
|
+
const env = loadEnv();
|
|
290
|
+
```
|
|
291
|
+
|
|
292
|
+
## Best Practices
|
|
293
|
+
|
|
294
|
+
1. **Defense in depth** - Multiple security layers
|
|
295
|
+
2. **Least privilege** - Minimal permissions
|
|
296
|
+
3. **Input validation** - Validate all inputs
|
|
297
|
+
4. **Parameterized queries** - Prevent SQL injection
|
|
298
|
+
5. **HTTPS only** - Always use TLS
|
|
299
|
+
6. **Secret management** - Never commit secrets
|
|
300
|
+
7. **Rate limiting** - Prevent abuse
|
|
301
|
+
8. **Security headers** - Use helmet
|
|
302
|
+
9. **Audit logging** - Track security events
|
|
303
|
+
|
|
304
|
+
## Common Vulnerabilities
|
|
305
|
+
|
|
306
|
+
- SQL Injection
|
|
307
|
+
- XSS (Cross-Site Scripting)
|
|
308
|
+
- CSRF
|
|
309
|
+
- Command Injection
|
|
310
|
+
- Path Traversal
|
|
311
|
+
- Insecure Dependencies
|
|
312
|
+
- Weak Authentication
|
|
313
|
+
- Information Disclosure
|
|
@@ -0,0 +1,273 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: stride-analysis-patterns
|
|
3
|
+
description: Apply STRIDE methodology to systematically identify threats. Use when analyzing system security, conducting threat modeling sessions, or creating security documentation.
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# STRIDE Analysis Patterns
|
|
7
|
+
|
|
8
|
+
Systematic threat identification using the STRIDE methodology.
|
|
9
|
+
|
|
10
|
+
## When to Use This Skill
|
|
11
|
+
|
|
12
|
+
- Starting new threat modeling sessions
|
|
13
|
+
- Analyzing existing system architecture
|
|
14
|
+
- Reviewing security design decisions
|
|
15
|
+
- Creating threat documentation
|
|
16
|
+
- Training teams on threat identification
|
|
17
|
+
- Compliance and audit preparation
|
|
18
|
+
|
|
19
|
+
## Core Concepts
|
|
20
|
+
|
|
21
|
+
### 1. STRIDE Categories
|
|
22
|
+
|
|
23
|
+
```
|
|
24
|
+
S - Spoofing → Authentication threats
|
|
25
|
+
T - Tampering → Integrity threats
|
|
26
|
+
R - Repudiation → Non-repudiation threats
|
|
27
|
+
I - Information → Confidentiality threats
|
|
28
|
+
Disclosure
|
|
29
|
+
D - Denial of → Availability threats
|
|
30
|
+
Service
|
|
31
|
+
E - Elevation of → Authorization threats
|
|
32
|
+
Privilege
|
|
33
|
+
```
|
|
34
|
+
|
|
35
|
+
### 2. Threat Analysis Matrix
|
|
36
|
+
|
|
37
|
+
| Category | Question | Control Family |
|
|
38
|
+
| ------------------- | ----------------------------------------- | -------------- |
|
|
39
|
+
| **Spoofing** | Can attacker pretend to be someone else? | Authentication |
|
|
40
|
+
| **Tampering** | Can attacker modify data in transit/rest? | Integrity |
|
|
41
|
+
| **Repudiation** | Can attacker deny actions? | Logging/Audit |
|
|
42
|
+
| **Info Disclosure** | Can attacker access unauthorized data? | Encryption |
|
|
43
|
+
| **DoS** | Can attacker disrupt availability? | Rate limiting |
|
|
44
|
+
| **Elevation** | Can attacker gain higher privileges? | Authorization |
|
|
45
|
+
|
|
46
|
+
## Templates
|
|
47
|
+
|
|
48
|
+
### Template 1: STRIDE Threat Model Document
|
|
49
|
+
|
|
50
|
+
```markdown
|
|
51
|
+
# Threat Model: [System Name]
|
|
52
|
+
|
|
53
|
+
## 1. System Overview
|
|
54
|
+
|
|
55
|
+
### 1.1 Description
|
|
56
|
+
|
|
57
|
+
[Brief description of the system and its purpose]
|
|
58
|
+
|
|
59
|
+
### 1.2 Data Flow Diagram
|
|
60
|
+
|
|
61
|
+
[User] --> [Web App] --> [API Gateway] --> [Backend Services]
|
|
62
|
+
|
|
|
63
|
+
v
|
|
64
|
+
[Database]
|
|
65
|
+
|
|
66
|
+
### 1.3 Trust Boundaries
|
|
67
|
+
- **External Boundary**: Internet to DMZ
|
|
68
|
+
- **Internal Boundary**: DMZ to Internal Network
|
|
69
|
+
- **Data Boundary**: Application to Database
|
|
70
|
+
```
|
|
71
|
+
|
|
72
|
+
### Template 2: STRIDE Analysis Code
|
|
73
|
+
|
|
74
|
+
```python
|
|
75
|
+
from dataclasses import dataclass, field
|
|
76
|
+
from enum import Enum
|
|
77
|
+
from typing import List, Dict
|
|
78
|
+
|
|
79
|
+
class StrideCategory(Enum):
|
|
80
|
+
SPOOFING = "S"
|
|
81
|
+
TAMPERING = "T"
|
|
82
|
+
REPUDIATION = "R"
|
|
83
|
+
INFORMATION_DISCLOSURE = "I"
|
|
84
|
+
DENIAL_OF_SERVICE = "D"
|
|
85
|
+
ELEVATION_OF_PRIVILEGE = "E"
|
|
86
|
+
|
|
87
|
+
|
|
88
|
+
class Impact(Enum):
|
|
89
|
+
LOW = 1
|
|
90
|
+
MEDIUM = 2
|
|
91
|
+
HIGH = 3
|
|
92
|
+
CRITICAL = 4
|
|
93
|
+
|
|
94
|
+
|
|
95
|
+
class Likelihood(Enum):
|
|
96
|
+
LOW = 1
|
|
97
|
+
MEDIUM = 2
|
|
98
|
+
HIGH = 3
|
|
99
|
+
CRITICAL = 4
|
|
100
|
+
|
|
101
|
+
|
|
102
|
+
@dataclass
|
|
103
|
+
class Threat:
|
|
104
|
+
id: str
|
|
105
|
+
category: StrideCategory
|
|
106
|
+
title: str
|
|
107
|
+
description: str
|
|
108
|
+
target: str
|
|
109
|
+
impact: Impact
|
|
110
|
+
likelihood: Likelihood
|
|
111
|
+
mitigations: List[str] = field(default_factory=list)
|
|
112
|
+
status: str = "open"
|
|
113
|
+
|
|
114
|
+
@property
|
|
115
|
+
def risk_score(self) -> int:
|
|
116
|
+
return self.impact.value * self.likelihood.value
|
|
117
|
+
|
|
118
|
+
@property
|
|
119
|
+
def risk_level(self) -> str:
|
|
120
|
+
score = self.risk_score
|
|
121
|
+
if score >= 12:
|
|
122
|
+
return "Critical"
|
|
123
|
+
elif score >= 6:
|
|
124
|
+
return "High"
|
|
125
|
+
elif score >= 3:
|
|
126
|
+
return "Medium"
|
|
127
|
+
return "Low"
|
|
128
|
+
|
|
129
|
+
|
|
130
|
+
@dataclass
|
|
131
|
+
class Asset:
|
|
132
|
+
name: str
|
|
133
|
+
sensitivity: str
|
|
134
|
+
description: str
|
|
135
|
+
|
|
136
|
+
|
|
137
|
+
@dataclass
|
|
138
|
+
class ThreatModel:
|
|
139
|
+
name: str
|
|
140
|
+
version: str
|
|
141
|
+
description: str
|
|
142
|
+
assets: List[Asset] = field(default_factory=list)
|
|
143
|
+
threats: List[Threat] = field(default_factory=list)
|
|
144
|
+
|
|
145
|
+
def add_threat(self, threat: Threat) -> None:
|
|
146
|
+
self.threats.append(threat)
|
|
147
|
+
|
|
148
|
+
def get_threats_by_category(self, category: StrideCategory) -> List[Threat]:
|
|
149
|
+
return [t for t in self.threats if t.category == category]
|
|
150
|
+
|
|
151
|
+
def get_critical_threats(self) -> List[Threat]:
|
|
152
|
+
return [t for t in self.threats if t.risk_level in ("Critical", "High")]
|
|
153
|
+
|
|
154
|
+
def generate_report(self) -> Dict:
|
|
155
|
+
return {
|
|
156
|
+
"summary": {
|
|
157
|
+
"name": self.name,
|
|
158
|
+
"total_threats": len(self.threats),
|
|
159
|
+
"critical_threats": len([t for t in self.threats if t.risk_level == "Critical"]),
|
|
160
|
+
},
|
|
161
|
+
"top_risks": [
|
|
162
|
+
{"id": t.id, "title": t.title, "risk_score": t.risk_score}
|
|
163
|
+
for t in sorted(self.threats, key=lambda x: x.risk_score, reverse=True)[:10]
|
|
164
|
+
]
|
|
165
|
+
}
|
|
166
|
+
```
|
|
167
|
+
|
|
168
|
+
## Risk Assessment
|
|
169
|
+
|
|
170
|
+
### Risk Matrix
|
|
171
|
+
|
|
172
|
+
```
|
|
173
|
+
IMPACT
|
|
174
|
+
Low Med High Crit
|
|
175
|
+
Low 1 2 3 4
|
|
176
|
+
|
|
177
|
+
L Med 2 4 6 8
|
|
178
|
+
I High 3 6 9 12
|
|
179
|
+
K Crit 4 8 12 16
|
|
180
|
+
```
|
|
181
|
+
|
|
182
|
+
### Prioritized Risks
|
|
183
|
+
|
|
184
|
+
| Rank | Threat | Risk Score | Priority |
|
|
185
|
+
|------|--------|------------|----------|
|
|
186
|
+
| 1 | SQL Injection | 12 | Critical |
|
|
187
|
+
| 2 | IDOR | 9 | High |
|
|
188
|
+
| 3 | Credential Stuffing | 9 | High |
|
|
189
|
+
| 4 | Data Breach | 8 | High |
|
|
190
|
+
|
|
191
|
+
## STRIDE Questions by Category
|
|
192
|
+
|
|
193
|
+
### Spoofing
|
|
194
|
+
- Can an attacker impersonate a legitimate user?
|
|
195
|
+
- Are authentication tokens properly validated?
|
|
196
|
+
- Can session identifiers be predicted or stolen?
|
|
197
|
+
|
|
198
|
+
### Tampering
|
|
199
|
+
- Can data be modified in transit?
|
|
200
|
+
- Can data be modified at rest?
|
|
201
|
+
- Are input validation controls sufficient?
|
|
202
|
+
|
|
203
|
+
### Repudiation
|
|
204
|
+
- Are all security-relevant actions logged?
|
|
205
|
+
- Can logs be tampered with?
|
|
206
|
+
- Is there sufficient attribution for actions?
|
|
207
|
+
|
|
208
|
+
### Information Disclosure
|
|
209
|
+
- Is sensitive data encrypted at rest?
|
|
210
|
+
- Is sensitive data encrypted in transit?
|
|
211
|
+
- Can error messages reveal sensitive information?
|
|
212
|
+
|
|
213
|
+
### Denial of Service
|
|
214
|
+
- Are rate limits implemented?
|
|
215
|
+
- Can resources be exhausted by malicious input?
|
|
216
|
+
- Are there single points of failure?
|
|
217
|
+
|
|
218
|
+
### Elevation of Privilege
|
|
219
|
+
- Are authorization checks performed consistently?
|
|
220
|
+
- Can users access other users' resources?
|
|
221
|
+
- Is the principle of least privilege followed?
|
|
222
|
+
|
|
223
|
+
## Common Mitigations
|
|
224
|
+
|
|
225
|
+
### Spoofing
|
|
226
|
+
- Implement multi-factor authentication
|
|
227
|
+
- Use secure session management
|
|
228
|
+
- Use cryptographically secure tokens
|
|
229
|
+
|
|
230
|
+
### Tampering
|
|
231
|
+
- Implement input validation
|
|
232
|
+
- Use parameterized queries
|
|
233
|
+
- Apply integrity checks (HMAC, signatures)
|
|
234
|
+
|
|
235
|
+
### Repudiation
|
|
236
|
+
- Enable comprehensive audit logging
|
|
237
|
+
- Protect log integrity
|
|
238
|
+
- Implement digital signatures
|
|
239
|
+
|
|
240
|
+
### Information Disclosure
|
|
241
|
+
- Encrypt data at rest and in transit
|
|
242
|
+
- Implement proper access controls
|
|
243
|
+
- Sanitize error messages
|
|
244
|
+
|
|
245
|
+
### Denial of Service
|
|
246
|
+
- Implement rate limiting
|
|
247
|
+
- Use auto-scaling
|
|
248
|
+
- Deploy DDoS protection
|
|
249
|
+
|
|
250
|
+
### Elevation of Privilege
|
|
251
|
+
- Implement proper authorization
|
|
252
|
+
- Follow principle of least privilege
|
|
253
|
+
- Validate permissions server-side
|
|
254
|
+
|
|
255
|
+
## Best Practices
|
|
256
|
+
|
|
257
|
+
### Do's
|
|
258
|
+
|
|
259
|
+
- **Involve stakeholders** - Security, dev, and ops perspectives
|
|
260
|
+
- **Be systematic** - Cover all STRIDE categories
|
|
261
|
+
- **Prioritize realistically** - Focus on high-impact threats
|
|
262
|
+
- **Update regularly** - Threat models are living documents
|
|
263
|
+
|
|
264
|
+
### Don'ts
|
|
265
|
+
|
|
266
|
+
- **Don't skip categories** - Each reveals different threats
|
|
267
|
+
- **Don't assume security** - Question every component
|
|
268
|
+
- **Don't work in isolation** - Collaborative modeling is better
|
|
269
|
+
|
|
270
|
+
## Related Skills
|
|
271
|
+
|
|
272
|
+
- `sast-configuration` - For automated security scanning
|
|
273
|
+
- `security` - For general security practices
|