bms-speckit-plugin 6.1.0 → 6.2.0

package/agents/quality-control.md

@@ -113,9 +113,40 @@ Grep source files for patterns where a value of one type is used where another t
    - Check `.env` files are in `.gitignore`
    - Check no credentials in committed code
 3. Check for injection vulnerabilities:
-   - SQL injection: look for string concatenation in queries
-   - XSS: look for unescaped user input in HTML/JSX
-   - Command injection: look for unvalidated input in shell commands
+
+   **SQL Injection — enforce parameterized queries:**
+   All SQL queries that include dynamic values MUST use parameterized queries (placeholders), never string concatenation or interpolation. Grep for these dangerous patterns and fix every match:
+
+   - **String concatenation in SQL:**
+     - JS/TS: `"SELECT..." + variable`, template literals with variables in SQL strings
+     - Python: `"SELECT..." + variable`, `"SELECT...%s" % variable`, f-strings in SQL, `.format()` in SQL
+     - Go: `fmt.Sprintf("SELECT...%s", variable)`
+     - Java: `"SELECT..." + variable`
+     - PHP: `"SELECT...$variable"`, `"SELECT..." . $variable`
+
+   - **Safe parameterized alternatives (what to replace with):**
+     - JS/TS (mysql2/pg): `db.query("SELECT * FROM t WHERE id = ?", [userId])`
+     - Python (DB-API): `cursor.execute("SELECT * FROM t WHERE id = %s", (userId,))`
+     - Python (SQLAlchemy): `session.execute(text("...WHERE id = :id"), {"id": userId})`
+     - Go: `db.Query("SELECT * FROM t WHERE id = $1", userId)`
+     - Java (JDBC): `PreparedStatement` with `?` placeholders
+     - PHP (PDO): `$stmt = $pdo->prepare("SELECT * FROM t WHERE id = ?");`
+
+   - **ORM/query builder misuse** — Even with ORMs, raw query methods can be vulnerable:
+     - Sequelize: `sequelize.query("SELECT..." + input)` — must use `replacements` or `bind`
+     - Prisma: `prisma.$queryRawUnsafe(...)` — flag all usages, prefer `$queryRaw` with tagged template
+     - TypeORM: `.query("SELECT..." + input)` — must use parameterized version
+     - Django: raw SQL with string concat — must use params tuple
+     - SQLAlchemy: raw SQL with string concat — must use `text()` with bind params
+
+   - **Exceptions (do NOT flag these):**
+     - Static SQL with no dynamic values: `"SELECT * FROM users WHERE active = 1"`
+     - Parameterized queries using placeholders: `?`, `$1`, `%s`, `:name`
+     - Table/column names from internal constants (not user input) — but add a comment explaining why it's safe
+
+   **XSS:** look for unescaped user input rendered as raw HTML — unsafe inner HTML setters, raw output directives in template engines, disabled auto-escaping
+
+   **Command injection:** look for shell invocations that pass unsanitized user input as arguments. Prefer array-based APIs over shell string execution.
 4. Check authentication & authorization:
    - API endpoints have proper auth guards
    - Session handling is secure
@@ -213,7 +244,9 @@ After completing all phases, provide a summary report:
 
 ### Security
 - [ ] No hardcoded secrets
-- [ ] No injection vulnerabilities
+- [ ] SQL: all queries use parameterized placeholders (no string concat/interpolation)
+- [ ] XSS: no raw HTML rendering of user input
+- [ ] Command injection: no unsanitized input in shell calls
 - [ ] Dependencies have no known CVEs
 - [ ] Auth properly implemented
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bms-speckit-plugin",
-  "version": "6.1.0",
+  "version": "6.2.0",
   "description": "Chain-orchestrated development pipeline: /bms-speckit takes requirements and runs brainstorm → constitution → specify → plan → tasks → analyze → implement → verify with per-step error handling",
   "files": [
     ".claude-plugin/",