npm - devflow-kit - Versions diffs - 0.8.1 → 1.0.0 - Mend

devflow-kit 0.8.1 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (395) hide show

package/shared/skills/input-validation/references/detection.md ADDED Viewed

@@ -0,0 +1,283 @@
+# Validation Issue Detection
+Grep patterns and report templates for finding validation issues.
+## Quick Detection Commands
+### Find Unvalidated Request Body Usage
+```bash
+# Express/Node.js
+grep -rn "req\.body" --include="*.ts" --include="*.js" | grep -v "safeParse\|validate\|schema"
+# Look for direct property access without validation
+grep -rn "req\.body\.\w" --include="*.ts" --include="*.js"
+```
+### Find Unvalidated Parameters
+```bash
+# Path parameters
+grep -rn "req\.params\.\w" --include="*.ts" --include="*.js" | grep -v "safeParse\|validate"
+# Query parameters
+grep -rn "req\.query\.\w" --include="*.ts" --include="*.js" | grep -v "safeParse\|validate"
+```
+### Find SQL Injection Risks
+```bash
+# Template literals with SQL
+grep -rn '`.*SELECT.*\${' --include="*.ts" --include="*.js"
+grep -rn '`.*INSERT.*\${' --include="*.ts" --include="*.js"
+grep -rn '`.*UPDATE.*\${' --include="*.ts" --include="*.js"
+grep -rn '`.*DELETE.*\${' --include="*.ts" --include="*.js"
+# String concatenation in queries
+grep -rn "'\s*\+\s*.*\+\s*'" --include="*.ts" --include="*.js" | grep -i "select\|insert\|update\|delete"
+```
+### Find Unvalidated External Data
+```bash
+# JSON.parse without validation
+grep -rn "JSON\.parse" --include="*.ts" --include="*.js" | grep -v "safeParse\|try"
+# fetch responses used directly
+grep -rn "\.json()" --include="*.ts" --include="*.js" | grep -v "safeParse\|schema\|validate"
+```
+### Find Unvalidated Environment Variables
+```bash
+# Direct process.env usage
+grep -rn "process\.env\.\w" --include="*.ts" --include="*.js" | grep -v "safeParse\|validate\|ConfigSchema"
+```
+### Find Dangerous Functions
+```bash
+# eval and Function constructor
+grep -rn "eval\s*(" --include="*.ts" --include="*.js"
+grep -rn "new\s*Function\s*(" --include="*.ts" --include="*.js"
+# JWT decode without verify
+grep -rn "jwt\.decode" --include="*.ts" --include="*.js" | grep -v "jwt\.verify"
+```
+---
+## Validation Report Format
+When validation issues detected:
+```markdown
+# INPUT VALIDATION ISSUES DETECTED
+## CRITICAL - Missing Boundary Validation
+**File**: src/api/routes/users.ts:45
+**Issue**: API endpoint accepts unvalidated user input
+**Security Risk**: HIGH - Injection attacks, data corruption possible
+**Current Code**:
+```typescript
+app.post('/api/users', async (req, res) => {
+  const user = await createUser(req.body); // NO VALIDATION
+  res.json(user);
+});
+```
+**Required Fix**:
+```typescript
+const UserRequestSchema = z.object({
+  body: z.object({
+    email: z.string().email().max(255),
+    name: z.string().min(1).max(100),
+    age: z.number().int().min(0).max(150)
+  })
+});
+app.post('/api/users', async (req, res) => {
+  const validation = UserRequestSchema.safeParse(req);
+  if (!validation.success) {
+    return res.status(400).json({ error: validation.error });
+  }
+  const result = await createUser(validation.data.body);
+  // ... handle result
+});
+```
+**Impact**: Prevents malicious input, ensures data integrity
+## CRITICAL - Manual Validation Instead of Schema
+**File**: src/services/validation.ts:23
+**Issue**: Manual type checking instead of schema validation
+**Problem**: Scattered validation logic, incomplete checks
+**Current Code**:
+```typescript
+if (!data.email || typeof data.email !== 'string') {
+  throw new Error('Invalid email');
+}
+if (!data.age || typeof data.age !== 'number') {
+  throw new Error('Invalid age');
+}
+// ... 15 more manual checks
+```
+**Required Fix**:
+```typescript
+const UserSchema = z.object({
+  email: z.string().email().max(255),
+  age: z.number().int().min(0).max(150),
+  name: z.string().min(1).max(100),
+  // All validation rules in one place
+});
+const validation = UserSchema.safeParse(data);
+if (!validation.success) {
+  return { ok: false, error: validation.error };
+}
+```
+**Impact**: Centralized validation, type safety, better error messages
+## CRITICAL - SQL Injection Risk
+**File**: src/database/queries.ts:67
+**Issue**: String interpolation in SQL query
+**Security Risk**: CRITICAL - SQL injection possible
+**Current Code**:
+```typescript
+const query = `SELECT * FROM users WHERE email = '${email}'`;
+```
+**Required Fix**:
+```typescript
+// 1. Validate input
+const validation = EmailSchema.safeParse(email);
+if (!validation.success) {
+  return { ok: false, error: new Error('Invalid email') };
+}
+// 2. Use parameterized query
+const query = 'SELECT * FROM users WHERE email = $1';
+const result = await db.query(query, [validation.data]);
+```
+**Impact**: Prevents SQL injection attacks (critical security issue)
+## HIGH - External API Response Not Validated
+**File**: src/integrations/payment.ts:89
+**Issue**: Trusting external API response without validation
+**Risk**: Application crash if API changes structure
+**Current Code**:
+```typescript
+const data = await response.json();
+return data.amount; // No validation
+```
+**Required Fix**:
+```typescript
+const PaymentResponseSchema = z.object({
+  amount: z.number().positive(),
+  currency: z.string().length(3),
+  status: z.enum(['success', 'failed', 'pending'])
+});
+const validation = PaymentResponseSchema.safeParse(await response.json());
+if (!validation.success) {
+  return { ok: false, error: new Error('Invalid payment response') };
+}
+return { ok: true, value: validation.data.amount };
+```
+## Summary
+- **Critical**: X validation issues (Y missing, Z SQL injection risks)
+- **High**: X external data issues
+- **Security Risk**: CRITICAL/HIGH/MEDIUM
+- **Files affected**: X
+## SECURITY GATE FAILED
+These validation gaps create serious security vulnerabilities:
+1. SQL injection possible in X locations
+2. Unvalidated user input in Y API endpoints
+3. External data trusted without validation
+**DO NOT deploy until these are fixed.**
+## Required Actions
+1. **Immediate** (Security Critical):
+   - Fix SQL injection risks
+   - Add validation to all API endpoints
+2. **High Priority**:
+   - Validate all external API responses
+   - Validate environment variables on startup
+3. **Standard**:
+   - Replace manual validation with schemas
+   - Add validation tests
+## Implementation Guide
+**Step 1**: Install validation library
+```bash
+npm install zod  # or appropriate library
+```
+**Step 2**: Define schemas for all boundaries
+```typescript
+// src/validation/schemas.ts
+export const schemas = {
+  createUser: UserSchema,
+  updateUser: UpdateUserSchema,
+  searchQuery: SearchQuerySchema,
+  // ... all input shapes
+};
+```
+**Step 3**: Apply at boundaries
+```typescript
+// Validate at entry point
+const validation = schema.safeParse(input);
+// Check result and proceed
+```
+**Step 4**: Add tests
+```typescript
+// Verify validation catches invalid input
+```
+```
+---
+## Risk Classification
+| Issue Type | Risk Level | Fix Priority |
+|------------|------------|--------------|
+| SQL injection | CRITICAL | Immediate |
+| Command injection | CRITICAL | Immediate |
+| Path traversal | CRITICAL | Immediate |
+| Missing auth validation | CRITICAL | Immediate |
+| Unvalidated API input | HIGH | Same day |
+| Unvalidated external data | HIGH | Same day |
+| Manual validation | MEDIUM | This sprint |
+| Missing env validation | MEDIUM | This sprint |
+| Incomplete schemas | LOW | Next sprint |
+---
+## Integration Points
+This skill works with:
+- **core-patterns**: Ensures validation uses Result types, catches fake/incomplete validation
+- **test-patterns**: Validates boundary tests exist
+- **security-patterns**: Broader security review context

package/shared/skills/input-validation/references/patterns.md ADDED Viewed

@@ -0,0 +1,361 @@
+# Input Validation Correct Patterns
+Extended examples of proper validation patterns.
+## Schema Validation at Boundary
+```typescript
+import { z } from 'zod';
+const UserSchema = z.object({
+  email: z.string().email().max(255),
+  age: z.number().int().min(0).max(150),
+  name: z.string().min(1).max(100)
+});
+type User = z.infer<typeof UserSchema>;
+function createUser(data: unknown): Result<User, ValidationError> {
+  const validation = UserSchema.safeParse(data);
+  if (!validation.success) {
+    return {
+      ok: false,
+      error: new ValidationError('Invalid user data', validation.error)
+    };
+  }
+  // After this point, data is guaranteed valid User type
+  return { ok: true, value: validation.data };
+}
+```
+---
+## API Endpoint Validation
+```typescript
+const CreateUserRequestSchema = z.object({
+  body: UserSchema
+});
+app.post('/api/users', async (req, res) => {
+  const validation = CreateUserRequestSchema.safeParse(req);
+  if (!validation.success) {
+    return res.status(400).json({
+      error: 'Validation failed',
+      details: validation.error.issues
+    });
+  }
+  // Now req.body is safely typed as User
+  const result = await createUser(validation.data.body);
+  if (!result.ok) {
+    return res.status(500).json({ error: result.error.message });
+  }
+  res.json(result.value);
+});
+```
+---
+## External API Response Validation
+```typescript
+const ExternalUserSchema = z.object({
+  id: z.string().uuid(),
+  name: z.string(),
+  email: z.string().email(),
+  // Define exact structure we expect
+});
+async function fetchUserData(userId: string): Promise<Result<UserData, Error>> {
+  try {
+    const response = await fetch(`https://api.example.com/users/${userId}`);
+    const rawData = await response.json();
+    const validation = ExternalUserSchema.safeParse(rawData);
+    if (!validation.success) {
+      return {
+        ok: false,
+        error: new Error('External API returned invalid data')
+      };
+    }
+    return { ok: true, value: validation.data };
+  } catch (error) {
+    return { ok: false, error: error as Error };
+  }
+}
+```
+---
+## Environment Variable Validation
+```typescript
+const ConfigSchema = z.object({
+  port: z.string().regex(/^\d+$/).transform(Number).pipe(z.number().min(1).max(65535)),
+  dbUrl: z.string().url().startsWith('postgresql://'),
+  apiKey: z.string().min(32).max(128)
+});
+function loadConfig(): Result<Config, Error> {
+  const validation = ConfigSchema.safeParse({
+    port: process.env.PORT,
+    dbUrl: process.env.DATABASE_URL,
+    apiKey: process.env.API_KEY
+  });
+  if (!validation.success) {
+    return {
+      ok: false,
+      error: new Error(`Invalid configuration: ${validation.error.message}`)
+    };
+  }
+  return { ok: true, value: validation.data };
+}
+// Application initialization
+const configResult = loadConfig();
+if (!configResult.ok) {
+  console.error('Failed to load configuration:', configResult.error);
+  process.exit(1);
+}
+const config = configResult.value; // Type-safe, validated config
+```
+---
+## Database Query with Validation
+```typescript
+const EmailSchema = z.string().email().max(255);
+const SearchTermSchema = z.string().min(1).max(100).regex(/^[a-zA-Z0-9\s-]+$/);
+async function getUserByEmail(email: unknown): Promise<Result<User, Error>> {
+  const validation = EmailSchema.safeParse(email);
+  if (!validation.success) {
+    return { ok: false, error: new Error('Invalid email format') };
+  }
+  try {
+    // Parameterized query prevents SQL injection
+    const user = await db.query('SELECT * FROM users WHERE email = $1', [validation.data]);
+    return { ok: true, value: user };
+  } catch (error) {
+    return { ok: false, error: error as Error };
+  }
+}
+async function searchUsers(searchTerm: unknown): Promise<Result<User[], Error>> {
+  const validation = SearchTermSchema.safeParse(searchTerm);
+  if (!validation.success) {
+    return { ok: false, error: new Error('Invalid search term') };
+  }
+  try {
+    const users = await db.query(
+      'SELECT * FROM users WHERE name ILIKE $1',
+      [`%${validation.data}%`]
+    );
+    return { ok: true, value: users };
+  } catch (error) {
+    return { ok: false, error: error as Error };
+  }
+}
+```
+---
+## File Upload Validation
+```typescript
+const FileUploadSchema = z.object({
+  name: z.string().max(255).regex(/^[a-zA-Z0-9._-]+$/),
+  size: z.number().max(10 * 1024 * 1024), // 10MB max
+  mimetype: z.enum(['image/jpeg', 'image/png', 'application/pdf']),
+});
+async function handleUpload(file: unknown): Promise<Result<string, Error>> {
+  const validation = FileUploadSchema.safeParse(file);
+  if (!validation.success) {
+    return { ok: false, error: new Error('Invalid file') };
+  }
+  const { name, size, mimetype } = validation.data;
+  // Additional content validation
+  const buffer = await readFileBuffer(file);
+  const detectedType = await fileType.fromBuffer(buffer);
+  if (detectedType?.mime !== mimetype) {
+    return { ok: false, error: new Error('File type mismatch') };
+  }
+  // Safe filename generation
+  const safeFilename = `${uuid()}_${name}`;
+  const safePath = path.join(UPLOAD_DIR, safeFilename);
+  await fs.writeFile(safePath, buffer);
+  return { ok: true, value: safeFilename };
+}
+```
+---
+## URL Parameter Validation
+```typescript
+const UserIdSchema = z.string().uuid();
+app.get('/users/:id', async (req, res) => {
+  const validation = UserIdSchema.safeParse(req.params.id);
+  if (!validation.success) {
+    return res.status(400).json({ error: 'Invalid user ID format' });
+  }
+  const result = await getUserById(validation.data);
+  if (!result.ok) {
+    return res.status(404).json({ error: 'User not found' });
+  }
+  res.json(result.value);
+});
+```
+---
+## Query String Validation
+```typescript
+const SearchQuerySchema = z.object({
+  q: z.string().min(1).max(100),
+  page: z.coerce.number().int().min(1).default(1),
+  limit: z.coerce.number().int().min(1).max(100).default(20),
+  sort: z.enum(['name', 'date', 'relevance']).default('relevance'),
+});
+app.get('/search', async (req, res) => {
+  const validation = SearchQuerySchema.safeParse(req.query);
+  if (!validation.success) {
+    return res.status(400).json({
+      error: 'Invalid query parameters',
+      details: validation.error.issues
+    });
+  }
+  const { q, page, limit, sort } = validation.data;
+  const results = await searchService.search(q, { page, limit, sort });
+  res.json(results);
+});
+```
+---
+## Webhook Signature Verification
+```typescript
+const WebhookPayloadSchema = z.object({
+  event: z.enum(['payment.completed', 'payment.failed', 'subscription.created']),
+  data: z.object({
+    id: z.string(),
+    amount: z.number().optional(),
+    status: z.string(),
+  }),
+  timestamp: z.number(),
+});
+app.post('/webhook', async (req, res) => {
+  // 1. Verify signature first
+  const signature = req.headers['x-webhook-signature'];
+  const expectedSignature = crypto
+    .createHmac('sha256', WEBHOOK_SECRET)
+    .update(JSON.stringify(req.body))
+    .digest('hex');
+  if (signature !== expectedSignature) {
+    return res.status(401).json({ error: 'Invalid signature' });
+  }
+  // 2. Then validate payload structure
+  const validation = WebhookPayloadSchema.safeParse(req.body);
+  if (!validation.success) {
+    return res.status(400).json({ error: 'Invalid payload' });
+  }
+  // 3. Process verified and validated event
+  await processWebhookEvent(validation.data);
+  res.sendStatus(200);
+});
+```
+---
+## GraphQL Input Validation
+```typescript
+const UserFilterSchema = z.object({
+  name: z.string().max(100).optional(),
+  email: z.string().email().optional(),
+  status: z.enum(['active', 'inactive']).optional(),
+  limit: z.number().int().min(1).max(100).default(20),
+});
+const resolvers = {
+  Query: {
+    users: async (_, { filter }) => {
+      const validation = UserFilterSchema.safeParse(filter);
+      if (!validation.success) {
+        throw new GraphQLError('Invalid filter', {
+          extensions: { code: 'BAD_USER_INPUT' }
+        });
+      }
+      return userService.findUsers(validation.data);
+    },
+  },
+};
+```
+---
+## Form Data Sanitization
+```typescript
+import DOMPurify from 'isomorphic-dompurify';
+const ProfileUpdateSchema = z.object({
+  bio: z.string().max(500).transform(s => DOMPurify.sanitize(s)),
+  website: z.string().url().optional(),
+  displayName: z.string().min(1).max(50),
+});
+app.post('/profile', async (req, res) => {
+  const validation = ProfileUpdateSchema.safeParse(req.body);
+  if (!validation.success) {
+    return res.status(400).json({ error: validation.error });
+  }
+  // bio is already sanitized by the schema transform
+  await db.users.update(req.userId, validation.data);
+  res.json({ success: true });
+});
+```