developer-ai 1.0.0

package/skills/security-audit/SKILL.md

@@ -0,0 +1,453 @@
+---
+name: security-audit
+description: Guide for identifying and fixing security vulnerabilities. Use when reviewing code for security issues, setting up authentication, handling sensitive data, or hardening applications. Covers OWASP Top 10, input validation, authentication, and secure coding practices.
+---
+
+# Security Audit Skill
+
+This skill provides guidance for identifying and fixing security vulnerabilities in web applications.
+
+## Overview
+
+Security must be built into every layer of an application. This skill covers common vulnerabilities, secure coding practices, and security testing approaches.
+
+## OWASP Top 10
+
+### 1. Injection
+
+**SQL Injection**
+```javascript
+// VULNERABLE
+const query = `SELECT * FROM users WHERE id = ${userId}`;
+
+// SECURE - Parameterized query
+const query = 'SELECT * FROM users WHERE id = $1';
+const result = await db.query(query, [userId]);
+
+// SECURE - ORM
+const user = await User.findUnique({ where: { id: userId } });
+```
+
+**Command Injection**
+```javascript
+// VULNERABLE
+exec(`convert ${userInput}.png output.jpg`);
+
+// SECURE - Validate and sanitize
+const safeFilename = path.basename(userInput).replace(/[^a-zA-Z0-9]/g, '');
+exec(`convert ${safeFilename}.png output.jpg`);
+
+// SECURE - Use library instead of shell
+const sharp = require('sharp');
+await sharp(`${safeFilename}.png`).toFile('output.jpg');
+```
+
+### 2. Broken Authentication
+
+**Password Storage**
+```javascript
+// VULNERABLE - Plain text or weak hash
+const hash = md5(password);
+
+// SECURE - bcrypt with proper cost factor
+const bcrypt = require('bcrypt');
+const hash = await bcrypt.hash(password, 12);
+const valid = await bcrypt.compare(password, hash);
+```
+
+**Session Management**
+```javascript
+// SECURE session configuration
+app.use(session({
+  secret: process.env.SESSION_SECRET,
+  name: '__session', // Don't use default name
+  cookie: {
+    httpOnly: true,
+    secure: true, // HTTPS only
+    sameSite: 'strict',
+    maxAge: 15 * 60 * 1000, // 15 minutes
+  },
+  resave: false,
+  saveUninitialized: false,
+}));
+```
+
+### 3. Sensitive Data Exposure
+
+**Environment Variables**
+```javascript
+// NEVER commit secrets
+// Use .env file (in .gitignore)
+const apiKey = process.env.API_KEY;
+
+// Validate required env vars at startup
+const required = ['DATABASE_URL', 'JWT_SECRET', 'API_KEY'];
+for (const key of required) {
+  if (!process.env[key]) {
+    throw new Error(`Missing required env var: ${key}`);
+  }
+}
+```
+
+**Data Encryption**
+```javascript
+const crypto = require('crypto');
+
+// Encrypt sensitive data
+function encrypt(text, key) {
+  const iv = crypto.randomBytes(16);
+  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
+  const encrypted = Buffer.concat([
+    cipher.update(text, 'utf8'),
+    cipher.final()
+  ]);
+  const tag = cipher.getAuthTag();
+  return { iv, encrypted, tag };
+}
+
+// Decrypt
+function decrypt({ iv, encrypted, tag }, key) {
+  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
+  decipher.setAuthTag(tag);
+  return decipher.update(encrypted) + decipher.final('utf8');
+}
+```
+
+### 4. XML External Entities (XXE)
+
+```javascript
+// SECURE - Disable external entities
+const parser = new DOMParser();
+// Use JSON instead of XML when possible
+```
+
+### 5. Broken Access Control
+
+```javascript
+// VULNERABLE - No authorization check
+app.get('/api/users/:id', async (req, res) => {
+  const user = await User.findById(req.params.id);
+  res.json(user);
+});
+
+// SECURE - Check authorization
+app.get('/api/users/:id', authenticate, async (req, res) => {
+  // Users can only access their own data
+  if (req.user.id !== req.params.id && req.user.role !== 'admin') {
+    return res.status(403).json({ error: 'Forbidden' });
+  }
+  
+  const user = await User.findById(req.params.id);
+  res.json(user);
+});
+```
+
+### 6. Security Misconfiguration
+
+**HTTP Headers**
+```javascript
+const helmet = require('helmet');
+
+app.use(helmet({
+  contentSecurityPolicy: {
+    directives: {
+      defaultSrc: ["'self'"],
+      scriptSrc: ["'self'"],
+      styleSrc: ["'self'", "'unsafe-inline'"],
+      imgSrc: ["'self'", "data:", "https:"],
+    },
+  },
+  hsts: {
+    maxAge: 31536000,
+    includeSubDomains: true,
+    preload: true,
+  },
+}));
+
+// Additional headers
+app.use((req, res, next) => {
+  res.setHeader('X-Content-Type-Options', 'nosniff');
+  res.setHeader('X-Frame-Options', 'DENY');
+  res.setHeader('X-XSS-Protection', '1; mode=block');
+  next();
+});
+```
+
+### 7. Cross-Site Scripting (XSS)
+
+**Output Encoding**
+```javascript
+// VULNERABLE
+element.innerHTML = userInput;
+
+// SECURE - Use textContent for text
+element.textContent = userInput;
+
+// SECURE - Sanitize HTML if needed
+const DOMPurify = require('dompurify');
+element.innerHTML = DOMPurify.sanitize(userInput);
+```
+
+**React (Auto-escapes by default)**
+```jsx
+// SAFE - React escapes this
+return <div>{userInput}</div>;
+
+// DANGEROUS - Explicitly rendering HTML
+return <div dangerouslySetInnerHTML={{ __html: userInput }} />;
+
+// If you must render HTML, sanitize it
+const sanitized = DOMPurify.sanitize(userInput);
+return <div dangerouslySetInnerHTML={{ __html: sanitized }} />;
+```
+
+### 8. Insecure Deserialization
+
+```javascript
+// VULNERABLE - Deserializing untrusted data
+const data = JSON.parse(userInput);
+Object.assign(user, data); // Prototype pollution possible
+
+// SECURE - Validate and whitelist fields
+const allowedFields = ['name', 'email'];
+const data = JSON.parse(userInput);
+const sanitized = {};
+for (const field of allowedFields) {
+  if (data[field] !== undefined) {
+    sanitized[field] = data[field];
+  }
+}
+```
+
+### 9. Using Components with Known Vulnerabilities
+
+```bash
+# Check for vulnerabilities
+npm audit
+npm audit fix
+
+# Use Snyk for deeper analysis
+npx snyk test
+```
+
+### 10. Insufficient Logging & Monitoring
+
+```javascript
+const winston = require('winston');
+
+const logger = winston.createLogger({
+  level: 'info',
+  format: winston.format.json(),
+  transports: [
+    new winston.transports.File({ filename: 'error.log', level: 'error' }),
+    new winston.transports.File({ filename: 'combined.log' }),
+  ],
+});
+
+// Log security events
+function logSecurityEvent(event, details) {
+  logger.warn({
+    type: 'SECURITY',
+    event,
+    ...details,
+    timestamp: new Date().toISOString(),
+  });
+}
+
+// Example: Failed login attempt
+logSecurityEvent('FAILED_LOGIN', {
+  email: req.body.email,
+  ip: req.ip,
+  userAgent: req.get('User-Agent'),
+});
+```
+
+## Input Validation
+
+### Server-Side Validation
+
+```javascript
+const Joi = require('joi');
+
+const userSchema = Joi.object({
+  name: Joi.string().min(2).max(100).required(),
+  email: Joi.string().email().required(),
+  password: Joi.string()
+    .min(8)
+    .pattern(/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])/)
+    .required(),
+  age: Joi.number().integer().min(13).max(120),
+});
+
+app.post('/users', async (req, res) => {
+  const { error, value } = userSchema.validate(req.body);
+  
+  if (error) {
+    return res.status(400).json({
+      error: 'Validation failed',
+      details: error.details,
+    });
+  }
+  
+  // Proceed with sanitized value
+  const user = await User.create(value);
+});
+```
+
+### File Upload Validation
+
+```javascript
+const multer = require('multer');
+const path = require('path');
+
+const upload = multer({
+  limits: {
+    fileSize: 5 * 1024 * 1024, // 5MB
+  },
+  fileFilter: (req, file, cb) => {
+    const allowedTypes = ['image/jpeg', 'image/png', 'image/gif'];
+    const allowedExtensions = ['.jpg', '.jpeg', '.png', '.gif'];
+    
+    const ext = path.extname(file.originalname).toLowerCase();
+    
+    if (!allowedTypes.includes(file.mimetype)) {
+      return cb(new Error('Invalid file type'));
+    }
+    
+    if (!allowedExtensions.includes(ext)) {
+      return cb(new Error('Invalid file extension'));
+    }
+    
+    cb(null, true);
+  },
+});
+```
+
+## Authentication Best Practices
+
+### JWT Implementation
+
+```javascript
+const jwt = require('jsonwebtoken');
+
+// Generate tokens
+function generateTokens(user) {
+  const accessToken = jwt.sign(
+    { userId: user.id, role: user.role },
+    process.env.JWT_SECRET,
+    { expiresIn: '15m' }
+  );
+  
+  const refreshToken = jwt.sign(
+    { userId: user.id },
+    process.env.REFRESH_SECRET,
+    { expiresIn: '7d' }
+  );
+  
+  return { accessToken, refreshToken };
+}
+
+// Verify middleware
+function authenticate(req, res, next) {
+  const authHeader = req.headers.authorization;
+  
+  if (!authHeader?.startsWith('Bearer ')) {
+    return res.status(401).json({ error: 'Missing token' });
+  }
+  
+  const token = authHeader.substring(7);
+  
+  try {
+    const payload = jwt.verify(token, process.env.JWT_SECRET);
+    req.user = payload;
+    next();
+  } catch (error) {
+    return res.status(401).json({ error: 'Invalid token' });
+  }
+}
+```
+
+### Rate Limiting
+
+```javascript
+const rateLimit = require('express-rate-limit');
+
+// General rate limit
+const generalLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 100,
+  message: { error: 'Too many requests' },
+});
+
+// Strict limit for auth endpoints
+const authLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000,
+  max: 5,
+  message: { error: 'Too many login attempts' },
+});
+
+app.use('/api/', generalLimiter);
+app.use('/api/auth/', authLimiter);
+```
+
+## CSRF Protection
+
+```javascript
+const csrf = require('csurf');
+
+// For traditional forms
+app.use(csrf({ cookie: true }));
+
+app.get('/form', (req, res) => {
+  res.render('form', { csrfToken: req.csrfToken() });
+});
+
+// For APIs - use SameSite cookies and check Origin header
+app.use((req, res, next) => {
+  const origin = req.get('Origin');
+  const allowedOrigins = ['https://example.com'];
+  
+  if (origin && !allowedOrigins.includes(origin)) {
+    return res.status(403).json({ error: 'Invalid origin' });
+  }
+  
+  next();
+});
+```
+
+## Security Audit Checklist
+
+### Authentication & Authorization
+- [ ] Passwords hashed with bcrypt (cost 12+)
+- [ ] JWT tokens expire quickly (15 min)
+- [ ] Refresh token rotation implemented
+- [ ] Rate limiting on auth endpoints
+- [ ] Account lockout after failed attempts
+- [ ] Authorization checks on all protected routes
+
+### Data Protection
+- [ ] HTTPS enforced everywhere
+- [ ] Sensitive data encrypted at rest
+- [ ] Secrets in environment variables
+- [ ] No secrets in logs or error messages
+- [ ] PII handling compliant with regulations
+
+### Input/Output
+- [ ] All input validated server-side
+- [ ] SQL injection prevented (parameterized queries)
+- [ ] XSS prevented (output encoding)
+- [ ] File uploads validated and sanitized
+- [ ] CSRF protection enabled
+
+### Infrastructure
+- [ ] Security headers configured
+- [ ] Dependencies updated and scanned
+- [ ] Error messages don't leak info
+- [ ] Security events logged
+- [ ] Backups encrypted
+
+### Monitoring
+- [ ] Failed login attempts logged
+- [ ] Suspicious activity alerts
+- [ ] Security audit trail maintained
+- [ ] Incident response plan in place