npm - devflow-kit - Versions diffs - 0.9.0 → 1.1.0 - Mend

devflow-kit 0.9.0 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (414) hide show

package/shared/skills/security-patterns/SKILL.md ADDED Viewed

@@ -0,0 +1,156 @@
+---
+name: security-patterns
+description: Security vulnerability analysis patterns for code review. Detects injection flaws, authentication bypasses, insecure cryptography, hardcoded secrets, and missing input sanitization. Loaded by Reviewer agent when focus=security.
+user-invocable: false
+allowed-tools: Read, Grep, Glob
+---
+# Security Patterns
+Domain expertise for security vulnerability detection. Use alongside `review-methodology` for complete security reviews.
+## Iron Law
+> **ASSUME ALL INPUT IS MALICIOUS**
+>
+> Every user input, URL parameter, header, and cookie is an attack vector. Use parameterized
+> queries always. Escape output always. Validate schemas always. "This field is internal"
+> is not a defense. Defense in depth, not wishful thinking.
+---
+## Vulnerability Categories
+### 1. Input Validation & Injection
+**SQL Injection**
+```typescript
+// VULNERABLE
+const query = `SELECT * FROM users WHERE email = '${email}'`;
+// SECURE
+await db.execute("SELECT * FROM users WHERE email = ?", [email]);
+```
+**XSS (Cross-Site Scripting)**
+```typescript
+// VULNERABLE
+element.innerHTML = userInput;
+// SECURE
+element.textContent = userInput;
+```
+> See `references/injection.md` for NoSQL, command injection, path traversal patterns.
+### 2. Authentication & Authorization
+**Missing Auth Checks**
+```typescript
+// VULNERABLE
+app.delete('/api/users/:id', async (req, res) => {
+  await deleteUser(req.params.id);  // No auth!
+});
+// SECURE
+app.delete('/api/users/:id', requireAuth, requireRole('admin'), handler);
+```
+> See `references/auth.md` for password policies, session management, JWT patterns.
+### 3. Cryptography & Secrets
+**Hardcoded Secrets**
+```typescript
+// VULNERABLE
+const API_KEY = 'sk-abc123xyz789';
+// SECURE
+const API_KEY = process.env.API_KEY;
+```
+**Insecure Random**
+```typescript
+// VULNERABLE
+const token = Math.random().toString(36);
+// SECURE
+const token = crypto.randomBytes(32).toString('hex');
+```
+> See `references/crypto.md` for weak crypto detection, encryption patterns.
+### 4. Configuration & Headers
+```typescript
+// REQUIRED: Use helmet or set manually
+app.use(helmet());
+res.setHeader('Content-Security-Policy', "default-src 'self'");
+res.setHeader('X-Frame-Options', 'DENY');
+res.setHeader('Strict-Transport-Security', 'max-age=31536000');
+// CORS: Never use origin: '*'
+app.use(cors({ origin: ['https://myapp.com'], credentials: true }));
+```
+### 5. Business Logic
+**Race Conditions**
+```typescript
+// VULNERABLE
+if (balance >= amount) await withdraw(userId, amount);
+// SECURE: Use transactions with row locks
+await db.transaction(async (tx) => {
+  const balance = await tx.getBalance(userId, { forUpdate: true });
+  if (balance >= amount) await tx.withdraw(userId, amount);
+});
+```
+**Mass Assignment**
+```typescript
+// VULNERABLE
+await User.create(req.body);  // All fields accepted!
+// SECURE: Explicitly list allowed fields
+await User.create({ email: req.body.email, name: req.body.name });
+```
+---
+## Extended References
+| Reference | Content |
+|-----------|---------|
+| `references/injection.md` | NoSQL, command, path traversal, LDAP, template injection |
+| `references/auth.md` | Password policy, session management, JWT, RBAC/ABAC |
+| `references/crypto.md` | Secret management, weak crypto, encryption, timing attacks |
+| `references/detection.md` | All grep patterns for automated scanning |
+---
+## Severity Guidelines
+| Level | Criteria | Examples |
+|-------|----------|----------|
+| **CRITICAL** | Immediate exploitation | SQL injection in auth, RCE, hardcoded admin creds |
+| **HIGH** | Significant risk | XSS, broken access control, weak crypto, CSRF |
+| **MEDIUM** | Moderate with conditions | Missing headers, permissive CORS, missing rate limits |
+| **LOW** | Minor improvement | Outdated deps (no CVE), suboptimal CSP |
+---
+## OWASP Reference
+| ID | Category | Examples |
+|----|----------|----------|
+| A01 | Broken Access Control | Missing auth, IDOR, privilege escalation |
+| A02 | Cryptographic Failures | Weak hashing, hardcoded secrets |
+| A03 | Injection | SQL, NoSQL, command, XSS |
+| A04 | Insecure Design | Missing rate limits, mass assignment |
+| A05 | Security Misconfiguration | Debug enabled, missing headers |
+| A06 | Vulnerable Components | Outdated deps with known CVEs |
+| A07 | Auth Failures | Weak passwords, session issues |
+| A08 | Data Integrity Failures | Untrusted deserialization |
+| A09 | Logging Failures | Missing security logs |
+| A10 | SSRF | Unvalidated URLs in server requests |

package/shared/skills/security-patterns/references/detection.md ADDED Viewed

@@ -0,0 +1,287 @@
+# Security Detection Patterns
+Comprehensive grep commands and patterns for security vulnerability detection.
+## Injection Detection
+### SQL Injection
+```bash
+# String interpolation in queries
+grep -rn "query.*\${" --include="*.ts" --include="*.js"
+grep -rn "query.*+ " --include="*.ts" --include="*.js"
+grep -rn "execute.*\`" --include="*.ts" --include="*.js"
+# Raw SQL with variables
+grep -rn "SELECT.*\${" --include="*.ts" --include="*.js"
+grep -rn "INSERT.*\${" --include="*.ts" --include="*.js"
+grep -rn "UPDATE.*\${" --include="*.ts" --include="*.js"
+grep -rn "DELETE.*\${" --include="*.ts" --include="*.js"
+# ORM raw queries
+grep -rn "\.raw\s*\(" --include="*.ts" --include="*.js"
+grep -rn "\.query\s*\(" --include="*.ts" --include="*.js"
+```
+### NoSQL Injection
+```bash
+# MongoDB queries with user input
+grep -rn "findOne.*req\.\|find.*req\." --include="*.ts" --include="*.js"
+grep -rn "\$where" --include="*.ts" --include="*.js"
+grep -rn "\$regex.*req\." --include="*.ts" --include="*.js"
+```
+### Command Injection
+```bash
+# Shell execution
+grep -rn "exec\s*\(" --include="*.ts" --include="*.js"
+grep -rn "execSync" --include="*.ts" --include="*.js"
+grep -rn "spawn.*\`" --include="*.ts" --include="*.js"
+grep -rn "child_process" --include="*.ts" --include="*.js"
+# Eval and similar
+grep -rn "eval\s*\(" --include="*.ts" --include="*.js"
+grep -rn "Function\s*\(" --include="*.ts" --include="*.js"
+grep -rn "new Function" --include="*.ts" --include="*.js"
+```
+### XSS Detection
+```bash
+# Dangerous DOM manipulation
+grep -rn "innerHTML" --include="*.ts" --include="*.js" --include="*.tsx" --include="*.jsx"
+grep -rn "document.write" --include="*.ts" --include="*.js"
+grep -rn "dangerouslySetInnerHTML" --include="*.tsx" --include="*.jsx"
+# React unescaped rendering
+grep -rn "__html" --include="*.tsx" --include="*.jsx"
+```
+### Path Traversal
+```bash
+# File operations with user input
+grep -rn "readFile.*req\.\|readFileSync.*req\." --include="*.ts" --include="*.js"
+grep -rn "writeFile.*req\.\|writeFileSync.*req\." --include="*.ts" --include="*.js"
+grep -rn "path\.join.*req\." --include="*.ts" --include="*.js"
+grep -rn "fs\.\|readdir\|unlink" --include="*.ts" --include="*.js"
+```
+## Authentication Detection
+### Missing Auth Middleware
+```bash
+# Endpoints without auth checks
+grep -rn "app\.\(get\|post\|put\|delete\|patch\).*async" --include="*.ts" --include="*.js" | \
+  grep -v "requireAuth\|isAuthenticated\|authorize\|protect"
+# Express route handlers
+grep -rn "router\.\(get\|post\|put\|delete\).*\(" --include="*.ts" --include="*.js" | \
+  grep -v "auth\|protect\|verify"
+```
+### JWT Issues
+```bash
+# JWT without algorithm specification
+grep -rn "jwt\.sign\|jwt\.verify" --include="*.ts" --include="*.js" -A 5 | \
+  grep -v "algorithm"
+# JWT without expiration
+grep -rn "jwt\.sign" --include="*.ts" --include="*.js" -A 5 | \
+  grep -v "expiresIn\|exp"
+# Weak JWT secrets
+grep -rn "jwt\.sign.*['\"][a-zA-Z0-9]\{1,20\}['\"]" --include="*.ts" --include="*.js"
+```
+### Session Issues
+```bash
+# Session configuration
+grep -rn "session\|cookie" --include="*.ts" --include="*.js" | \
+  grep -v "httpOnly\|secure\|sameSite"
+# Session in URL
+grep -rn "session.*=.*req\.query\|session.*=.*req\.params" --include="*.ts" --include="*.js"
+```
+### Password Handling
+```bash
+# Weak password requirements
+grep -rn "password.*length" --include="*.ts" --include="*.js" | \
+  grep -v "minLength.*12\|min.*12"
+# Plain text password storage
+grep -rn "password.*=.*req\." --include="*.ts" --include="*.js" | \
+  grep -v "hash\|bcrypt\|argon"
+```
+## Cryptography Detection
+### Hardcoded Secrets
+```bash
+# Common secret patterns
+grep -rn "password.*=.*['\"]" --include="*.ts" --include="*.js"
+grep -rn "api.key.*=.*['\"]" --include="*.ts" --include="*.js"
+grep -rn "secret.*=.*['\"]" --include="*.ts" --include="*.js"
+grep -rn "token.*=.*['\"]" --include="*.ts" --include="*.js"
+# API key patterns
+grep -rn "sk-\|pk-\|api_" --include="*.ts" --include="*.js" --include="*.json"
+grep -rn "AKIA[0-9A-Z]\{16\}" --include="*.ts" --include="*.js" # AWS keys
+# Private keys
+grep -rn "BEGIN.*PRIVATE KEY" --include="*.ts" --include="*.js" --include="*.pem"
+```
+### Weak Algorithms
+```bash
+# Weak hash functions
+grep -rn "createHash.*md5\|sha1" --include="*.ts" --include="*.js"
+# Weak encryption
+grep -rn "DES\|RC4\|Blowfish" --include="*.ts" --include="*.js"
+grep -rn "aes-.*-ecb" --include="*.ts" --include="*.js"
+# Non-authenticated encryption
+grep -rn "aes-.*-cbc" --include="*.ts" --include="*.js" | \
+  grep -v "hmac\|auth"
+```
+### Insecure Random
+```bash
+# Math.random for security
+grep -rn "Math.random" --include="*.ts" --include="*.js"
+# Date-based IDs
+grep -rn "Date.now.*id\|Date.now.*token" --include="*.ts" --include="*.js"
+# UUID v1 (time-based)
+grep -rn "uuid\.v1\|uuidv1" --include="*.ts" --include="*.js"
+```
+## Configuration Detection
+### CORS Issues
+```bash
+# Permissive CORS
+grep -rn "cors.*origin.*\*\|Access-Control.*\*" --include="*.ts" --include="*.js"
+grep -rn "cors.*credentials.*true" --include="*.ts" --include="*.js"
+```
+### Missing Headers
+```bash
+# Check for security headers
+grep -rn "Content-Security-Policy\|X-Frame-Options\|X-Content-Type-Options" \
+  --include="*.ts" --include="*.js" -l
+# If no results, headers may be missing
+# Check for helmet usage
+grep -rn "helmet" --include="*.ts" --include="*.js"
+```
+### Error Exposure
+```bash
+# Stack trace exposure
+grep -rn "err\.stack\|error\.stack" --include="*.ts" --include="*.js" | \
+  grep -v "console\|log\|debug"
+# Verbose errors to client
+grep -rn "res\.json.*error\|res\.send.*error" --include="*.ts" --include="*.js"
+```
+## Business Logic Detection
+### Race Conditions
+```bash
+# Check-then-act patterns
+grep -rn "if.*balance\|if.*quantity\|if.*available" --include="*.ts" --include="*.js" -A 3 | \
+  grep -v "transaction\|lock"
+# Missing transaction blocks
+grep -rn "await.*update\|await.*delete" --include="*.ts" --include="*.js" | \
+  grep -v "transaction\|atomic"
+```
+### Mass Assignment
+```bash
+# Direct body assignment
+grep -rn "\.create.*req\.body\|\.update.*req\.body" --include="*.ts" --include="*.js"
+grep -rn "Object\.assign.*req\.body\|{.*\.\.\.req\.body" --include="*.ts" --include="*.js"
+```
+## Quick Security Audit Script
+```bash
+#!/bin/bash
+# security-audit.sh - Run all detection patterns
+echo "=== Security Audit ==="
+echo -e "\n## Injection Risks"
+echo "SQL Injection:"
+grep -rn "query.*\${" --include="*.ts" --include="*.js" 2>/dev/null | head -5
+echo -e "\nXSS:"
+grep -rn "innerHTML\|dangerouslySetInnerHTML" --include="*.ts" --include="*.js" --include="*.tsx" 2>/dev/null | head -5
+echo -e "\n## Hardcoded Secrets"
+grep -rn "password.*=.*['\"]" --include="*.ts" --include="*.js" 2>/dev/null | head -5
+grep -rn "api.key.*=.*['\"]" --include="*.ts" --include="*.js" 2>/dev/null | head -5
+echo -e "\n## Weak Crypto"
+grep -rn "createHash.*md5\|sha1" --include="*.ts" --include="*.js" 2>/dev/null | head -5
+grep -rn "Math.random" --include="*.ts" --include="*.js" 2>/dev/null | head -5
+echo -e "\n## Missing Auth"
+grep -rn "app\.\(get\|post\|put\|delete\).*async" --include="*.ts" --include="*.js" 2>/dev/null | \
+  grep -v "requireAuth\|isAuthenticated" | head -5
+echo -e "\n=== End Audit ==="
+```
+## Integration with CI/CD
+```yaml
+# .github/workflows/security.yml
+name: Security Scan
+on: [push, pull_request]
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Check for hardcoded secrets
+        run: |
+          if grep -rn "password.*=.*['\"]" --include="*.ts" --include="*.js" src/; then
+            echo "::error::Potential hardcoded secrets found"
+            exit 1
+          fi
+      - name: Check for weak crypto
+        run: |
+          if grep -rn "createHash.*md5\|sha1" --include="*.ts" --include="*.js" src/; then
+            echo "::warning::Weak hash algorithms detected"
+          fi
+      - name: Check for Math.random
+        run: |
+          if grep -rn "Math.random" --include="*.ts" --include="*.js" src/; then
+            echo "::warning::Math.random used - verify not for security"
+          fi
+```