@tinkcarlos/skillora 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude/skills/.temp-skill-index.md +245 -0
- package/.claude/skills/SKILL.md +264 -0
- package/.claude/skills/api-scaffolding/SKILL.md +431 -0
- package/.claude/skills/api-scaffolding/agents/backend-architect.md +282 -0
- package/.claude/skills/api-scaffolding/agents/django-pro.md +144 -0
- package/.claude/skills/api-scaffolding/agents/fastapi-pro.md +156 -0
- package/.claude/skills/api-scaffolding/agents/graphql-architect.md +146 -0
- package/.claude/skills/api-scaffolding/skills/fastapi-templates/SKILL.md +171 -0
- package/.claude/skills/api-testing-observability/SKILL.md +583 -0
- package/.claude/skills/api-testing-observability/agents/api-documenter.md +146 -0
- package/.claude/skills/api-testing-observability/commands/api-mock.md +1320 -0
- package/.claude/skills/brainstorming/SKILL.md +283 -0
- package/.claude/skills/bug-fixing/SKILL.md +382 -0
- package/.claude/skills/bug-fixing/references/backend-guide.md +132 -0
- package/.claude/skills/bug-fixing/references/bug-guide.md +354 -0
- package/.claude/skills/bug-fixing/references/bug-record-template.md +134 -0
- package/.claude/skills/bug-fixing/references/bug-records.md +88 -0
- package/.claude/skills/bug-fixing/references/code-review-gate.md +81 -0
- package/.claude/skills/bug-fixing/references/common-bugs.md +140 -0
- package/.claude/skills/bug-fixing/references/complete-workflow.md +361 -0
- package/.claude/skills/bug-fixing/references/config-driven-fixes.md +136 -0
- package/.claude/skills/bug-fixing/references/context-isolation-protocol.md +268 -0
- package/.claude/skills/bug-fixing/references/cross-surface-regression.md +120 -0
- package/.claude/skills/bug-fixing/references/database-investigation.md +129 -0
- package/.claude/skills/bug-fixing/references/dependency-and-integrity-protocol.md +369 -0
- package/.claude/skills/bug-fixing/references/fix-completeness-checklist.md +239 -0
- package/.claude/skills/bug-fixing/references/frontend-guide.md +219 -0
- package/.claude/skills/bug-fixing/references/fullstack-joint-guide.md +123 -0
- package/.claude/skills/bug-fixing/references/functional-breakage.md +117 -0
- package/.claude/skills/bug-fixing/references/ide-lint-errors-guide.md +176 -0
- package/.claude/skills/bug-fixing/references/impact-analysis.md +511 -0
- package/.claude/skills/bug-fixing/references/investigation-checklist.md +263 -0
- package/.claude/skills/bug-fixing/references/knowledge-extraction-guide.md +531 -0
- package/.claude/skills/bug-fixing/references/knowledge-workflow.md +212 -0
- package/.claude/skills/bug-fixing/references/post-edit-quality-gate.md +30 -0
- package/.claude/skills/bug-fixing/references/python-env-and-testing.md +126 -0
- package/.claude/skills/bug-fixing/references/rca-guide.md +428 -0
- package/.claude/skills/bug-fixing/references/similar-bug-patterns.md +113 -0
- package/.claude/skills/bug-fixing/references/skill-delegation-guide.md +350 -0
- package/.claude/skills/bug-fixing/references/skill-orchestration.md +155 -0
- package/.claude/skills/bug-fixing/references/testing-strategy.md +350 -0
- package/.claude/skills/bug-fixing/references/tooling-build-scripts.md +162 -0
- package/.claude/skills/bug-fixing/references/user-input-validation.md +77 -0
- package/.claude/skills/bug-fixing/references/ux-patterns.md +158 -0
- package/.claude/skills/bug-fixing/references/windows-terminal-hygiene.md +106 -0
- package/.claude/skills/bug-fixing/references/zero-regression-matrix.md +239 -0
- package/.claude/skills/bug-fixing/references/zero-risk-protocol.md +102 -0
- package/.claude/skills/bug-fixing/scripts/format_code.py +611 -0
- package/.claude/skills/bug-fixing/scripts/generate_report_template.py +74 -0
- package/.claude/skills/bug-fixing/scripts/lint_check.py +816 -0
- package/.claude/skills/bug-fixing/scripts/requirements.txt +36 -0
- package/.claude/skills/cicd-pipeline/SKILL.md +300 -0
- package/.claude/skills/code-review/SKILL.md +535 -0
- package/.claude/skills/code-review/references/anti-pattern-scan.md +102 -0
- package/.claude/skills/code-review/references/automated-analysis.md +456 -0
- package/.claude/skills/code-review/references/backend-common-issues.md +589 -0
- package/.claude/skills/code-review/references/backend-expert-guide.md +415 -0
- package/.claude/skills/code-review/references/backend-review.md +868 -0
- package/.claude/skills/code-review/references/batch-processing-strategy.md +198 -0
- package/.claude/skills/code-review/references/call-chain-analysis-protocol.md +166 -0
- package/.claude/skills/code-review/references/common-patterns.md +321 -0
- package/.claude/skills/code-review/references/configuration-review.md +425 -0
- package/.claude/skills/code-review/references/control-flow-completeness.md +114 -0
- package/.claude/skills/code-review/references/database-review.md +298 -0
- package/.claude/skills/code-review/references/dependency-and-integrity-protocol.md +313 -0
- package/.claude/skills/code-review/references/external-standards.md +51 -0
- package/.claude/skills/code-review/references/feature-review.md +329 -0
- package/.claude/skills/code-review/references/file-review-template.md +326 -0
- package/.claude/skills/code-review/references/frontend-advanced.md +654 -0
- package/.claude/skills/code-review/references/frontend-common-issues.md +482 -0
- package/.claude/skills/code-review/references/frontend-expert-guide.md +342 -0
- package/.claude/skills/code-review/references/frontend-review.md +783 -0
- package/.claude/skills/code-review/references/fullstack-consistency.md +418 -0
- package/.claude/skills/code-review/references/fullstack-review.md +477 -0
- package/.claude/skills/code-review/references/functional-completeness.md +386 -0
- package/.claude/skills/code-review/references/hidden-bugs-detection.md +473 -0
- package/.claude/skills/code-review/references/ide-lint-errors-guide.md +173 -0
- package/.claude/skills/code-review/references/infrastructure-review.md +453 -0
- package/.claude/skills/code-review/references/iteration-review.md +264 -0
- package/.claude/skills/code-review/references/job-review.md +335 -0
- package/.claude/skills/code-review/references/layered-checklist-protocol.md +157 -0
- package/.claude/skills/code-review/references/logic-completeness.md +535 -0
- package/.claude/skills/code-review/references/mandatory-checklist.md +288 -0
- package/.claude/skills/code-review/references/multi-language-guide.md +800 -0
- package/.claude/skills/code-review/references/new-project-review.md +226 -0
- package/.claude/skills/code-review/references/non-code-files-review.md +451 -0
- package/.claude/skills/code-review/references/overlooked-issues.md +657 -0
- package/.claude/skills/code-review/references/platform-specific-review.md +195 -0
- package/.claude/skills/code-review/references/precision-analysis-protocol.md +260 -0
- package/.claude/skills/code-review/references/python-patterns.md +494 -0
- package/.claude/skills/code-review/references/rca-techniques.md +362 -0
- package/.claude/skills/code-review/references/report-template.md +430 -0
- package/.claude/skills/code-review/references/resource-limits-and-degradation.md +137 -0
- package/.claude/skills/code-review/references/review-dimensions.md +311 -0
- package/.claude/skills/code-review/references/review-guide.md +202 -0
- package/.claude/skills/code-review/references/review-knowledge-workflow.md +257 -0
- package/.claude/skills/code-review/references/review-progress-tracker-protocol.md +172 -0
- package/.claude/skills/code-review/references/review-record-template.md +195 -0
- package/.claude/skills/code-review/references/skill-orchestration.md +143 -0
- package/.claude/skills/code-review/references/ui-ux-review.md +470 -0
- package/.claude/skills/containerization/SKILL.md +313 -0
- package/.claude/skills/database-migrations/agents/database-admin.md +142 -0
- package/.claude/skills/database-migrations/agents/database-optimizer.md +144 -0
- package/.claude/skills/database-migrations/commands/migration-observability.md +408 -0
- package/.claude/skills/database-migrations/commands/sql-migrations.md +492 -0
- package/.claude/skills/finishing-a-development-branch/SKILL.md +319 -0
- package/.claude/skills/frontend-design/LICENSE.txt +177 -0
- package/.claude/skills/frontend-design/SKILL.md +587 -0
- package/.claude/skills/frontend-design/references/color-consistency.md +487 -0
- package/.claude/skills/frontend-design/references/color-palettes-full.md +657 -0
- package/.claude/skills/frontend-design/references/design-system-generator.md +285 -0
- package/.claude/skills/frontend-design/references/font-pairings-full.md +705 -0
- package/.claude/skills/frontend-design/references/industry-anti-patterns.md +281 -0
- package/.claude/skills/frontend-design/references/layout-anti-patterns.md +582 -0
- package/.claude/skills/frontend-design/references/motion-patterns.md +659 -0
- package/.claude/skills/frontend-design/references/pre-delivery-checklist.md +153 -0
- package/.claude/skills/frontend-design/references/responsive-design.md +555 -0
- package/.claude/skills/frontend-design/references/style-modification-rules.md +335 -0
- package/.claude/skills/frontend-design/references/ui-styles-full.md +383 -0
- package/.claude/skills/frontend-design/references/ui-styles-rating.md +191 -0
- package/.claude/skills/frontend-design/references/ux-guidelines.md +640 -0
- package/.claude/skills/fullstack-developer/SKILL.md +512 -0
- package/.claude/skills/fullstack-developer/references/api-contract-guide.md +312 -0
- package/.claude/skills/fullstack-developer/references/api-response-patterns.md +223 -0
- package/.claude/skills/fullstack-developer/references/async-patterns.md +220 -0
- package/.claude/skills/fullstack-developer/references/bug-prevention.md +914 -0
- package/.claude/skills/fullstack-developer/references/code-quality-checklist.md +271 -0
- package/.claude/skills/fullstack-developer/references/complete-development-workflow.md +278 -0
- package/.claude/skills/fullstack-developer/references/context-isolation-protocol.md +256 -0
- package/.claude/skills/fullstack-developer/references/database-migration.md +331 -0
- package/.claude/skills/fullstack-developer/references/dependency-and-integrity-protocol.md +390 -0
- package/.claude/skills/fullstack-developer/references/development-phases.md +333 -0
- package/.claude/skills/fullstack-developer/references/expert-guide.md +214 -0
- package/.claude/skills/fullstack-developer/references/file-import-patterns.md +114 -0
- package/.claude/skills/fullstack-developer/references/graceful-degradation-patterns.md +78 -0
- package/.claude/skills/fullstack-developer/references/ide-lint-errors-guide.md +183 -0
- package/.claude/skills/fullstack-developer/references/integration-testing.md +301 -0
- package/.claude/skills/fullstack-developer/references/mock-api-patterns.md +307 -0
- package/.claude/skills/fullstack-developer/references/phase-gate-template.md +249 -0
- package/.claude/skills/fullstack-developer/references/post-edit-quality-gate.md +30 -0
- package/.claude/skills/fullstack-developer/references/python-engineering.md +79 -0
- package/.claude/skills/fullstack-developer/references/skill-orchestration.md +214 -0
- package/.claude/skills/fullstack-developer/references/skill-router-table.md +304 -0
- package/.claude/skills/fullstack-developer/references/state-sync.md +217 -0
- package/.claude/skills/fullstack-developer/references/ui-testing-checklist.md +292 -0
- package/.claude/skills/fullstack-developer/scripts/format_code.py +611 -0
- package/.claude/skills/fullstack-developer/scripts/lint_check.py +816 -0
- package/.claude/skills/fullstack-developer/scripts/requirements.txt +36 -0
- package/.claude/skills/performance-optimization/SKILL.md +250 -0
- package/.claude/skills/product-requirements/SKILL.md +357 -0
- package/.claude/skills/product-requirements/references/acceptance-criteria.md +335 -0
- package/.claude/skills/product-requirements/references/answer-first-questioning-protocol.md +299 -0
- package/.claude/skills/product-requirements/references/competitive-analysis-guide.md +183 -0
- package/.claude/skills/product-requirements/references/document-accuracy-protocol.md +253 -0
- package/.claude/skills/product-requirements/references/document-management-protocol.md +278 -0
- package/.claude/skills/product-requirements/references/external-standards.md +62 -0
- package/.claude/skills/product-requirements/references/feature-spec-template.md +359 -0
- package/.claude/skills/product-requirements/references/knowledge-acquisition-protocol.md +251 -0
- package/.claude/skills/product-requirements/references/plan-execution-protocol.md +334 -0
- package/.claude/skills/product-requirements/references/plan-generation-protocol.md +264 -0
- package/.claude/skills/product-requirements/references/prioritization-frameworks.md +80 -0
- package/.claude/skills/product-requirements/references/requirement-decomposition-protocol.md +291 -0
- package/.claude/skills/product-requirements/references/user-story-examples.md +297 -0
- package/.claude/skills/product-requirements/references/workflow-templates.md +266 -0
- package/.claude/skills/react-best-practices/SKILL.md +198 -0
- package/.claude/skills/react-best-practices/references/advanced-patterns.md +94 -0
- package/.claude/skills/react-best-practices/references/bundle-optimization.md +182 -0
- package/.claude/skills/react-best-practices/references/client-data-fetching.md +112 -0
- package/.claude/skills/react-best-practices/references/complete-guide.md +2249 -0
- package/.claude/skills/react-best-practices/references/eliminating-waterfalls.md +169 -0
- package/.claude/skills/react-best-practices/references/javascript-performance.md +256 -0
- package/.claude/skills/react-best-practices/references/rendering-performance.md +230 -0
- package/.claude/skills/react-best-practices/references/rerender-optimization.md +214 -0
- package/.claude/skills/react-best-practices/references/server-performance.md +182 -0
- package/.claude/skills/security-audit/SKILL.md +226 -0
- package/.claude/skills/shared-references/advanced-debugging-techniques.md +186 -0
- package/.claude/skills/shared-references/code-quality-checklist.md +218 -0
- package/.claude/skills/shared-references/code-review-efficiency-guide.md +125 -0
- package/.claude/skills/shared-references/mcp-dependency-compatibility-protocol.md +276 -0
- package/.claude/skills/shared-references/skill-call-graph.md +230 -0
- package/.claude/skills/shared-references/skill-orchestration-protocol.md +281 -0
- package/.claude/skills/shared-references/subagent-dispatch-templates.md +199 -0
- package/.claude/skills/skill-expert-skills/LICENSE.txt +204 -0
- package/.claude/skills/skill-expert-skills/QUICK_NAVIGATION.md +374 -0
- package/.claude/skills/skill-expert-skills/SKILL.md +247 -0
- package/.claude/skills/skill-expert-skills/docs/_index.md +91 -0
- package/.claude/skills/skill-expert-skills/references/deep-research-methodology.md +389 -0
- package/.claude/skills/skill-expert-skills/references/docs-generation-workflow.md +398 -0
- package/.claude/skills/skill-expert-skills/references/domain-expertise-protocol.md +343 -0
- package/.claude/skills/skill-expert-skills/references/domain-knowledge/_index.md +54 -0
- package/.claude/skills/skill-expert-skills/references/domain-knowledge/backend-expertise.md +517 -0
- package/.claude/skills/skill-expert-skills/references/domain-knowledge/bug-fixing-expertise.md +363 -0
- package/.claude/skills/skill-expert-skills/references/domain-knowledge/code-review-expertise.md +392 -0
- package/.claude/skills/skill-expert-skills/references/domain-knowledge/frontend-expertise.md +410 -0
- package/.claude/skills/skill-expert-skills/references/domain-knowledge-template.md +503 -0
- package/.claude/skills/skill-expert-skills/references/examples.md +782 -0
- package/.claude/skills/skill-expert-skills/references/integration-examples.md +655 -0
- package/.claude/skills/skill-expert-skills/references/knowledge-validation-checklist.md +246 -0
- package/.claude/skills/skill-expert-skills/references/latest-knowledge-acquisition.md +461 -0
- package/.claude/skills/skill-expert-skills/references/mcp-tools-guide.md +439 -0
- package/.claude/skills/skill-expert-skills/references/official-best-practices.md +616 -0
- package/.claude/skills/skill-expert-skills/references/patterns.md +218 -0
- package/.claude/skills/skill-expert-skills/references/plugin-skills-guide.md +432 -0
- package/.claude/skills/skill-expert-skills/references/requirement-elicitation-protocol.md +290 -0
- package/.claude/skills/skill-expert-skills/references/skill-creator-SKILL.md +353 -0
- package/.claude/skills/skill-expert-skills/references/skill-templates.md +583 -0
- package/.claude/skills/skill-expert-skills/references/skills-knowledge-base.md +561 -0
- package/.claude/skills/skill-expert-skills/references/tools-guide.md +379 -0
- package/.claude/skills/skill-expert-skills/references/troubleshooting.md +378 -0
- package/.claude/skills/skill-expert-skills/references/universality-guide.md +205 -0
- package/.claude/skills/skill-expert-skills/references/writing-style-guide.md +466 -0
- package/.claude/skills/skill-expert-skills/scripts/__pycache__/quick_validate.cpython-313.pyc +0 -0
- package/.claude/skills/skill-expert-skills/scripts/__pycache__/universal_validate.cpython-313.pyc +0 -0
- package/.claude/skills/skill-expert-skills/scripts/analyze_trigger.py +425 -0
- package/.claude/skills/skill-expert-skills/scripts/diff_with_official.py +188 -0
- package/.claude/skills/skill-expert-skills/scripts/init_skill.py +349 -0
- package/.claude/skills/skill-expert-skills/scripts/package_skill.py +156 -0
- package/.claude/skills/skill-expert-skills/scripts/quick_validate.py +493 -0
- package/.claude/skills/skill-expert-skills/scripts/requirements.txt +2 -0
- package/.claude/skills/skill-expert-skills/scripts/universal_validate.py +182 -0
- package/.claude/skills/skill-expert-skills/scripts/upgrade_skill.py +431 -0
- package/.claude/skills/subagent-driven-development/SKILL.md +268 -0
- package/.claude/skills/test-driven-development/SKILL.md +246 -0
- package/.claude/skills/test-driven-development/references/testing-anti-patterns.md +192 -0
- package/.claude/skills/using-git-worktrees/SKILL.md +266 -0
- package/.claude/skills/using-skillstack/SKILL.md +127 -0
- package/.claude/skills/vercel-deploy/SKILL.md +166 -0
- package/.claude/skills/vercel-deploy/scripts/deploy.sh +249 -0
- package/.claude/skills/verification-before-completion/SKILL.md +305 -0
- package/.claude/skills/writing-plans/SKILL.md +259 -0
- package/README.md +69 -0
- package/bin/cli.js +468 -0
- package/lib/init.js +333 -0
- package/package.json +29 -0
|
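--- a/package/.claude/skills/code-review/references/configuration-review.md
+++ b/package/.claude/skills/code-review/references/configuration-review.md
@@ -0,0 +1,425 @@
+# Configuration Review Guide
+
+> Comprehensive guide for reviewing XML, YAML, JSON, TOML, and environment configuration files.
+
+## Table of Contents
+
+- [Configuration File Types](#configuration-file-types)
+- [XML Configuration Review](#xml-configuration-review)
+- [YAML Configuration Review](#yaml-configuration-review)
+- [JSON Configuration Review](#json-configuration-review)
+- [Environment Files Review](#environment-files-review)
+- [Security Checklist](#security-checklist)
+- [Common Anti-Patterns](#common-anti-patterns)
+
+---
+
+## Configuration File Types
+
+| Format | Common Uses | Key Concerns |
+|--------|-------------|--------------|
+| **XML** | Java/Spring, .NET, Maven, Hibernate | Verbosity, schema validation, XXE attacks |
+| **YAML** | Kubernetes, Docker, CI/CD, Ansible | Indentation errors, type coercion |
+| **JSON** | Package managers, APIs, settings | No comments, strict syntax |
+| **TOML** | Rust (Cargo), Python (pyproject) | Section ordering, type clarity |
+| **.env** | Environment variables | Secrets exposure, format errors |
+| **INI** | Legacy apps, Windows | Limited structure |
+| **Properties** | Java applications | Encoding issues |
+
+---
+
+## XML Configuration Review
+
+### Common XML Issues
+
+| Issue | Risk | Example |
+|-------|------|---------|
+| **XXE Vulnerability** | Remote code execution | External entity injection |
+| **Secrets in XML** | Credential exposure | Plaintext passwords |
+| **Invalid Schema** | Runtime errors | Missing required elements |
+| **Encoding Issues** | Character corruption | Wrong encoding declaration |
+
+### XXE Vulnerability Detection
+
+```xml
+<!-- 🔴 VULNERABLE: XXE attack possible -->
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo [
+<!ENTITY xxe SYSTEM "https://example.invalid/xxe">
+]>
+<data>&xxe;</data>
+
+<!-- Check parser configuration -->
+<!-- Java: Disable external entities -->
+<!-- factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); -->
+```
+
+### Spring/Java XML Review
+
+```xml
+<!-- 🔴 BUG: Hardcoded credentials -->
+<bean id="dataSource" class="...DataSource">
+<property name="password" value="supersecret"/>
+</bean>
+
+<!-- ✅ FIX: Use placeholder -->
+<bean id="dataSource" class="...DataSource">
+<property name="password" value="${db.password}"/>
+</bean>
+
+<!-- 🔴 BUG: Overly permissive CORS -->
+<mvc:cors>
+<mvc:mapping path="/**" allowed-origins="*"/>
+</mvc:cors>
+
+<!-- ✅ FIX: Specific origins -->
+<mvc:cors>
+<mvc:mapping path="/api/**" allowed-origins="https://myapp.com"/>
+</mvc:cors>
+```
+
+### Maven pom.xml Review
+
+```xml
+<!-- 🔴 BUG: Dependency without version -->
+<dependency>
+<groupId>com.example</groupId>
+<artifactId>library</artifactId>
+</dependency>
+
+<!-- ✅ FIX: Pin version -->
+<dependency>
+<groupId>com.example</groupId>
+<artifactId>library</artifactId>
+<version>1.2.3</version>
+</dependency>
+
+<!-- 🔴 BUG: Known vulnerable dependency -->
+<dependency>
+<groupId>log4j</groupId>
+<artifactId>log4j</artifactId>
+<version>1.2.17</version> <!-- CVE-2021-44228 -->
+</dependency>
+```
+
+### .NET web.config Review
+
+```xml
+<!-- 🔴 BUG: Debug mode in production -->
+<system.web>
+<compilation debug="true"/>
+</system.web>
+
+<!-- ✅ FIX: Debug off in production -->
+<system.web>
+<compilation debug="false"/>
+</system.web>
+
+<!-- 🔴 BUG: Custom errors disabled -->
+<system.web>
+<customErrors mode="Off"/>
+</system.web>
+
+<!-- ✅ FIX: Show generic errors -->
+<system.web>
+<customErrors mode="RemoteOnly" defaultRedirect="/Error"/>
+</system.web>
+
+<!-- 🔴 BUG: Plaintext connection string -->
+<connectionStrings>
+<add name="DB" connectionString="...Password=secret..."/>
+</connectionStrings>
+
+<!-- ✅ FIX: Use encrypted sections or environment -->
+```
+
+---
+
+## YAML Configuration Review
+
+### Common YAML Pitfalls
+
+| Issue | Example | Problem |
+|-------|---------|---------|
+| **Type Coercion** | `version: 1.0` | Parsed as float, not string |
+| **Boolean Confusion** | `on: true`, `yes: 1` | Unexpected boolean conversion |
+| **Indentation** | Mixed tabs/spaces | Parse errors |
+| **Multiline Strings** | Improper folding | Whitespace issues |
+
+### YAML Type Coercion Bugs
+
+```yaml
+# 🔴 BUG: Version parsed as float (becomes 1)
+version: 1.0
+
+# ✅ FIX: Quote to keep as string
+version: "1.0"
+
+# 🔴 BUG: Norway country code parsed as boolean
+countries:
+- NO # Parsed as false!
+
+# ✅ FIX: Quote it
+countries:
+- "NO"
+
+# 🔴 BUG: Timestamp parsed unexpectedly
+date: 2024-01-01 # Parsed as datetime, not string
+
+# ✅ FIX: Quote if string needed
+date: "2024-01-01"
+
+# 🔴 BUG: Octal number confusion
+port: 0755 # May be parsed as octal (493 decimal)
+
+# ✅ FIX: Quote or use explicit decimal
+port: 755
+```
+
+### Kubernetes YAML Issues
+
+```yaml
+# 🔴 BUG: Wrong indentation (spec at wrong level)
+apiVersion: v1
+kind: Pod
+spec: # Should not be indented
+containers: []
+
+# ✅ FIX: Correct indentation
+apiVersion: v1
+kind: Pod
+spec:
+containers: []
+
+# 🔴 BUG: Multiline string incorrectly formatted
+env:
+- name: CONFIG
+value: line1
+line2 # This is invalid YAML
+
+# ✅ FIX: Use block scalar
+env:
+- name: CONFIG
+value: |
+line1
+line2
+```
+
+### Ansible YAML Review
+
+```yaml
+# 🔴 BUG: Hardcoded password
+- name: Create user
+user:
+name: admin
+password: supersecret
+
+# ✅ FIX: Use vault-encrypted variable
+- name: Create user
+user:
+name: admin
+password: "{{ vault_admin_password }}"
+
+# 🔴 BUG: No become for privileged operation
+- name: Install package
+apt:
+name: nginx
+
+# ✅ FIX: Add become
+- name: Install package
+apt:
+name: nginx
+become: yes
+```
+
+---
+
+## JSON Configuration Review
+
+### Common JSON Issues
+
+| Issue | Problem | Impact |
+|-------|---------|--------|
+| **Trailing Comma** | Invalid JSON | Parse failure |
+| **Comments** | Not allowed in JSON | Parse failure |
+| **Duplicate Keys** | Undefined behavior | Unpredictable |
+| **Large Numbers** | Precision loss | Data corruption |
+
+### package.json Review
+
+```json
+// 🔴 BUG: Range version (non-reproducible)
+{
+"dependencies": {
+"lodash": "^4.0.0"
+}
+}
+
+// ✅ FIX: Use lockfile (package-lock.json) and consider exact versions
+{
+"dependencies": {
+"lodash": "4.17.21"
+}
+}
+
+// 🔴 BUG: Script with inline secret
+{
+"scripts": {
+"deploy": "API_KEY=abc123 deploy.sh"
+}
+}
+
+// ✅ FIX: Use environment variable
+{
+"scripts": {
+"deploy": "deploy.sh"
+}
+}
+```
+
+### tsconfig.json / jsconfig.json
+
+```json
+// 🔴 BUG: Overly permissive TypeScript
+{
+"compilerOptions": {
+"strict": false,
+"any": true
+}
+}
+
+// ✅ FIX: Enable strict mode
+{
+"compilerOptions": {
+"strict": true,
+"noImplicitAny": true,
+"strictNullChecks": true
+}
+}
+```
+
+---
+
+## Environment Files Review
+
+### .env File Security
+
+```bash
+# 🔴 BUG: .env in git
+# Check: git ls-files | grep -E "\.env$"
+
+# 🔴 BUG: Production secrets in .env.example
+# .env.example should have placeholder values only
+DATABASE_URL=postgres://user:CHANGE_ME@localhost/db
+
+# 🔴 BUG: Weak/default secrets
+SECRET_KEY=secret
+API_KEY=test123
+
+# ✅ GOOD: Strong random values
+SECRET_KEY=a1b2c3d4e5f6... # Generated securely
+```
+
+### Environment Variable Patterns
+
+| Pattern | Risk | Better |
+|---------|------|--------|
+| `PASSWORD=xxx` in code | Exposed in version control | Environment variable |
+| `SECRET=xxx` in CI logs | Visible in build output | Masked secrets |
+| Shared `.env` file | Multiple environments mixed | Separate env files |
+
+### Detection Commands
+
+```bash
+# Find .env files
+find . -name ".env*" -type f 2>/dev/null
+
+# Check if .env is in git
+git ls-files | grep -E "\.env$"
+
+# Find hardcoded secrets in env files
+grep -rn "password=\|secret=\|api_key=" --include="*.env*"
+
+# Validate .env format
+grep -v "^#\|^$\|^[A-Z_]*=" .env # Should return nothing
+```
+
+---
+
+## Security Checklist
+
+### Configuration Security Review
+
+```markdown
+## Configuration Security Checklist
+
+### Secrets
+- [ ] No plaintext secrets in any config file
+- [ ] Secrets use environment variables or secrets manager
+- [ ] Example files have placeholder values only
+- [ ] .env files are gitignored
+
+### Validation
+- [ ] XML files have schema validation
+- [ ] Required fields are validated
+- [ ] Type coercion issues addressed
+- [ ] Version numbers are quoted strings
+
+### Permissions
+- [ ] Config files have appropriate permissions (not world-readable)
+- [ ] Sensitive configs separated from general configs
+- [ ] Production configs protected
+
+### Environment Separation
+- [ ] Dev/staging/prod configs are separate
+- [ ] No prod secrets in dev configs
+- [ ] Environment-specific overrides work correctly
+```
+
+---
+
+## Common Anti-Patterns
+
+### Configuration Anti-Patterns
+
+| Anti-Pattern | Problem | Solution |
+|--------------|---------|----------|
+| **God Config** | Single file with everything | Split by concern |
+| **Config Duplication** | Same values in multiple places | Use shared/base configs |
+| **Magic Values** | Unexplained numbers/strings | Add comments or constants |
+| **Environment Coupling** | Code checks environment name | Use feature flags |
+| **Missing Defaults** | Fails if config not set | Provide sensible defaults |
+
+### Environment-Specific Issues
+
+```python
+# 🔴 BAD: Checking environment name
+if os.environ.get("ENV") == "production":
+enable_feature_x()
+
+# ✅ GOOD: Feature flag
+if os.environ.get("FEATURE_X_ENABLED", "false") == "true":
+enable_feature_x()
+
+# 🔴 BAD: Default to development behavior
+DEBUG = os.environ.get("DEBUG", True) # Dangerous default!
+
+# ✅ GOOD: Secure default
+DEBUG = os.environ.get("DEBUG", "false").lower() == "true"
+```
+
+### Configuration Validation Pattern
+
+```python
+# ✅ GOOD: Validate configuration at startup
+def validate_config():
+required = ["DATABASE_URL", "SECRET_KEY", "API_KEY"]
+missing = [var for var in required if not os.environ.get(var)]
+
+if missing:
+raise ValueError(f"Missing required config: {', '.join(missing)}")
+
+if len(os.environ.get("SECRET_KEY", "")) < 32:
+raise ValueError("SECRET_KEY must be at least 32 characters")
+```
+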
@@ -0,0 +1,114 @@
|
|
|
1
|
+
# Control Flow Completeness (控制流完整性检查)
|
|
2
|
+
|
|
3
|
+
**核心问题**:代码中的 `break/return/throw` 等早期退出语句,是否有合理的后续处理?
|
|
4
|
+
|
|
5
|
+
## 🔴 必检场景
|
|
6
|
+
|
|
7
|
+
### 1. 循环中的 break
|
|
8
|
+
|
|
9
|
+
**问题模式**:
|
|
10
|
+
```python
|
|
11
|
+
for step in range(max_steps):
|
|
12
|
+
if some_condition_fails:
|
|
13
|
+
break # ❌ 退出后没有任何处理
|
|
14
|
+
|
|
15
|
+
# ... 正常逻辑
|
|
16
|
+
# 循环结束后没有代码处理 break 的情况
|
|
17
|
+
```
|
|
18
|
+
|
|
19
|
+
**正确模式**:
|
|
20
|
+
```python
|
|
21
|
+
result = None
|
|
22
|
+
for step in range(max_steps):
|
|
23
|
+
if some_condition_fails:
|
|
24
|
+
# ✅ 设置回退值或执行降级逻辑
|
|
25
|
+
result = fallback_result()
|
|
26
|
+
break
|
|
27
|
+
|
|
28
|
+
result = process_step()
|
|
29
|
+
|
|
30
|
+
# ✅ 确保 result 有值
|
|
31
|
+
if result is None:
|
|
32
|
+
result = handle_no_result()
|
|
33
|
+
return result
|
|
34
|
+
```
|
|
35
|
+
|
|
36
|
+
### 2. 异步生成器/流式输出中的 break
|
|
37
|
+
|
|
38
|
+
**问题模式**:
|
|
39
|
+
```python
|
|
40
|
+
async def stream_response():
|
|
41
|
+
for step in range(max_steps):
|
|
42
|
+
if token_limit_exceeded:
|
|
43
|
+
break # ❌ 流直接结束,用户看到空回复
|
|
44
|
+
|
|
45
|
+
async for chunk in llm.stream(messages):
|
|
46
|
+
yield chunk
|
|
47
|
+
```
|
|
48
|
+
|
|
49
|
+
**正确模式**:
|
|
50
|
+
```python
|
|
51
|
+
async def stream_response():
|
|
52
|
+
yielded_any = False
|
|
53
|
+
for step in range(max_steps):
|
|
54
|
+
if token_limit_exceeded:
|
|
55
|
+
if not yielded_any:
|
|
56
|
+
# ✅ 确保至少有一个回复
|
|
57
|
+
yield create_fallback_response("由于限制,无法完整处理请求")
|
|
58
|
+
break
|
|
59
|
+
|
|
60
|
+
async for chunk in llm.stream(messages):
|
|
61
|
+
yielded_any = True
|
|
62
|
+
yield chunk
|
|
63
|
+
|
|
64
|
+
# ✅ 循环结束后检查是否有输出
|
|
65
|
+
if not yielded_any:
|
|
66
|
+
yield create_error_response("处理失败")
|
|
67
|
+
```
|
|
68
|
+
|
|
69
|
+
### 3. 条件判断中的 return
|
|
70
|
+
|
|
71
|
+
**问题模式**:
|
|
72
|
+
```python
|
|
73
|
+
async def process_request(request):
|
|
74
|
+
if not is_safe:
|
|
75
|
+
return # ❌ 静默返回,调用者不知道发生了什么
|
|
76
|
+
|
|
77
|
+
# ... 正常逻辑
|
|
78
|
+
```
|
|
79
|
+
|
|
80
|
+
**正确模式**:
|
|
81
|
+
```python
|
|
82
|
+
async def process_request(request):
|
|
83
|
+
if not is_safe:
|
|
84
|
+
# ✅ 返回有意义的结果或抛出异常
|
|
85
|
+
return ProcessResult(success=False, reason="Safety check failed")
|
|
86
|
+
|
|
87
|
+
# ... 正常逻辑
|
|
88
|
+
```
|
|
89
|
+
|
|
90
|
+
## 检查清单
|
|
91
|
+
|
|
92
|
+
| # | 检查项 | Severity |
|
|
93
|
+
|---|-------|----------|
|
|
94
|
+
| 1 | 每个 `break` 后,循环外是否有代码处理这种情况? | P0 |
|
|
95
|
+
| 2 | 每个 `return` 是否返回有意义的值(非 None/空)? | P1 |
|
|
96
|
+
| 3 | 生成器/流式函数中的 `break`,是否确保至少有一个输出? | P0 |
|
|
97
|
+
| 4 | 异常处理中的 `return`,是否有日志/通知? | P1 |
|
|
98
|
+
| 5 | 循环结束后,是否处理了"所有迭代都 break 了"的情况? | P0 |
|
|
99
|
+
|
|
100
|
+
## 典型 Bug 模式
|
|
101
|
+
|
|
102
|
+
| 模式 | 问题 | 解决方案 |
|
|
103
|
+
|------|------|---------|
|
|
104
|
+
| Silent Break | break 后没有任何处理 | 添加回退逻辑或状态标记 |
|
|
105
|
+
| Empty Stream | 流式输出提前中断 | 确保至少有一个输出 |
|
|
106
|
+
| Void Return | return 没有返回值 | 返回有意义的结果或抛异常 |
|
|
107
|
+
| Lost Context | break 后丢失上下文 | 在 break 前保存必要状态 |
|
|
108
|
+
|
|
109
|
+
## 检测方法
|
|
110
|
+
|
|
111
|
+
1. 搜索所有 `break` 语句:`grep -n "break" file.py`
|
|
112
|
+
2. 检查循环后是否有代码处理 break 情况
|
|
113
|
+
3. 搜索所有 `return` 语句,检查返回值是否有意义
|
|
114
|
+
4. 对于流式函数,确认是否有"确保输出"的逻辑
|