ndomo 0.1.0

package/skills/golang-security/references/injection.md

@@ -0,0 +1,315 @@
+# Injection Security Rules
+
+Injection vulnerabilities allow attackers to execute arbitrary code, queries, or commands.
+
+**Rules:**
+
+1. SQL queries MUST use parameterized placeholders — NEVER concatenate user input.
+2. Command execution MUST use `exec.Command` with separate args — NEVER shell interpolation.
+3. HTML output MUST use `html/template` for automatic escaping.
+4. SSRF: outbound URLs MUST be validated against an allowlist.
+
+---
+
+## SQL Injection — Critical
+
+Building SQL queries by concatenating user input. Always use prepared statements with placeholders.
+
+**Bad:**
+
+```go
+query := fmt.Sprintf("SELECT * FROM users WHERE name = '%s'", input)
+query := "SELECT * FROM users WHERE id = " + id
+query := "DELETE FROM orders WHERE id = " + strconv.Itoa(orderID) // safe but inconsistent — use placeholders everywhere
+```
+
+**Good:**
+
+```go
+// Placeholder syntax varies by driver: $1 (pgx/lib/pq), ? (MySQL/SQLite)
+db.QueryRow("SELECT * FROM users WHERE name = $1", input)
+db.Exec("DELETE FROM orders WHERE id = $1", orderID)
+```
+
+### Dynamic IN clauses
+
+Never build `IN (...)` by joining user strings. Generate numbered placeholders.
+
+**Bad:**
+
+```go
+query := fmt.Sprintf("SELECT * FROM users WHERE id IN (%s)", strings.Join(ids, ","))
+```
+
+**Good:**
+
+```go
+// Build placeholders: $1, $2, $3, ...
+placeholders := make([]string, len(ids))
+args := make([]any, len(ids))
+for i, id := range ids {
+    placeholders[i] = fmt.Sprintf("$%d", i+1)
+    args[i] = id
+}
+query := fmt.Sprintf("SELECT * FROM users WHERE id IN (%s)", strings.Join(placeholders, ","))
+rows, err := db.Query(query, args...)
+```
+
+With `sqlx`:
+
+```go
+query, args, err := sqlx.In("SELECT * FROM users WHERE id IN (?)", ids)
+query = db.Rebind(query) // converts ? to $1,$2,... for postgres
+rows, err := db.Query(query, args...)
+```
+
+### Dynamic column names and ORDER BY
+
+Placeholders only work for **values**, not identifiers (table/column names) or SQL keywords. Allowlist identifiers explicitly.
+
+**Bad:**
+
+```go
+query := fmt.Sprintf("SELECT * FROM users ORDER BY %s", sortCol) // SQL injection
+```
+
+**Good:**
+
+```go
+allowed := map[string]string{
+    "name": "name", "created": "created_at", "email": "email",
+}
+col, ok := allowed[sortCol]
+if !ok {
+    col = "created_at"
+}
+query := fmt.Sprintf("SELECT * FROM users ORDER BY %s", col) // safe: col is from allowlist
+```
+
+### Dynamic WHERE filters
+
+Build queries incrementally; parameterize every user-supplied value.
+
+```go
+var conditions []string
+var args []any
+idx := 1
+
+if name != "" {
+    conditions = append(conditions, fmt.Sprintf("name = $%d", idx))
+    args = append(args, name)
+    idx++
+}
+if minAge > 0 {
+    conditions = append(conditions, fmt.Sprintf("age >= $%d", idx))
+    args = append(args, minAge)
+    idx++
+}
+
+query := "SELECT * FROM users"
+if len(conditions) > 0 {
+    query += " WHERE " + strings.Join(conditions, " AND ")
+}
+rows, err := db.Query(query, args...)
+```
+
+### Prefer `sqlx` or `pgx` over raw `database/sql`
+
+Libraries like `sqlx` and `pgx` provide safer ergonomics (named parameters, `IN` clause expansion, struct scanning) while still using prepared statements under the hood. They reduce the temptation to fall back to string concatenation for complex queries.
+
+---
+
+## XPath Injection — High
+
+XPath injection allows manipulation of XML data queries.
+
+**Bad:**
+
+```go
+xpathQuery := "//user[@username='" + username + "']" // Vulnerable
+```
+
+**Good:**
+
+```go
+// Use numeric ID
+xpathQuery := fmt.Sprintf("//user[@id='%d']", userID)
+
+// Or parse XML without XPath
+```
+
+---
+
+## Code Injection — Critical
+
+Generating code from unvalidated user input.
+
+**Bad:**
+
+```go
+template := "func handle" + resourceName + "() {...}" // DON'T
+```
+
+**Good:**
+
+```go
+// Validate resource name matches whitelist
+if !allowedResources[resourceName] {
+    return errors.New("invalid resource")
+}
+// Use predefined templates
+```
+
+---
+
+## Command Injection — Critical
+
+Passing unvalidated input to shell commands.
+
+**Bad:**
+
+```go
+cmd := exec.Command("sh", "-c", "rm -f /tmp/"+filename) // DON'T
+```
+
+**Good:**
+
+```go
+cmd := exec.Command("rm", "-f", filepath.Join("/tmp", filename))
+
+// Better: validate filename
+if filepath.Base(filename) != filename {
+    return errors.New("invalid filename")
+}
+```
+
+---
+
+## Template Injection — High
+
+Using untrusted input in templates.
+
+**Bad:**
+
+```go
+data := r.URL.Query().Get("user") // Untrusted input
+t.Execute(w, data)
+```
+
+**Good:**
+
+```go
+// Validate input
+user := strings.TrimSpace(r.URL.Query().Get("user"))
+if !allowedRoles[role] {
+    role = "user"
+}
+t.Execute(w, data)
+```
+
+---
+
+## Cross-Site Scripting (XSS) — High
+
+XSS allows attackers to execute malicious scripts.
+
+**Bad:**
+
+```go
+w.Write([]byte(fmt.Sprintf("<div>%s</div>", data))) // DON'T
+```
+
+**Good:**
+
+```go
+import "html/template"
+t := template.Must(template.New("safe").Parse("<div>{{.}}</div>"))
+t.Execute(w, data) // Auto-escapes
+```
+
+---
+
+## HTML Tag Injection — High
+
+Injecting HTML tags through unvalidated input.
+
+**Bad:**
+
+```go
+fmt.Fprintf(w, "<div>Welcome, %s!</div>", input) // DON'T
+```
+
+**Good:**
+
+```go
+import "html"
+escaped := html.EscapeString(input)
+fmt.Fprintf(w, "<div>Welcome, %s!</div>", escaped)
+```
+
+---
+
+## Server-Side Request Forgery (SSRF) — High
+
+Forcing the server to make requests to unintended endpoints.
+
+**Bad:**
+
+```go
+url := r.URL.Query().Get("url")
+resp, _ := http.Get(url) // DON'T: No validation
+```
+
+**Good:**
+
+```go
+u, err := url.Parse(targetURL)
+// Block non-HTTP/S protocols
+if u.Scheme != "http" && u.Scheme != "https" {
+    return errors.New("invalid scheme")
+}
+// Block internal hosts
+if isInternalIP(u.Hostname()) {
+    return errors.New("internal host not allowed")
+}
+// Block metadata endpoints
+if strings.Contains(u.Hostname(), "metadata.") {
+    return errors.New("metadata endpoint blocked")
+}
+```
+
+---
+
+## Unsafe Deserialization — Critical
+
+Deserializing untrusted input can lead to resource exhaustion, type confusion, or unsafe object construction.
+
+**Bad:**
+
+```go
+dec := gob.NewDecoder(r.Body) // DON'T: gob is not hardened for adversarial input
+var user interface{}
+dec.Decode(&user)
+```
+
+**Good:**
+
+```go
+import "encoding/json"
+dec := json.NewDecoder(r.Body)
+var user User
+dec.Decode(&user) // JSON doesn't execute code
+// Validate fields
+```
+
+---
+
+## CWE References
+
+- **CWE-78**: OS Command Injection
+- **CWE-89**: SQL Injection
+- **CWE-94**: Code Injection
+- **CWE-79**: Cross-site Scripting (XSS)
+- **CWE-918**: Server-Side Request Forgery (SSRF)
+- **CWE-502**: Deserialization of Untrusted Data
+- **CWE-20**: Improper Input Validation

package/skills/golang-security/references/logging.md

@@ -0,0 +1,163 @@
+# Logging Security Rules
+
+Logging sensitive information can lead to data exposure and compliance violations.
+
+**Rules:**
+
+1. PII MUST NEVER be logged — filter passwords, tokens, emails, and personal data.
+2. Log injection MUST be prevented — sanitize user input before logging.
+3. Error messages MUST NOT expose internals to users — log details server-side, return generic messages.
+
+---
+
+## Sensitive Data in Logs — Medium
+
+**Bad:**
+
+```go
+type User struct {
+    ID       string
+    Username string
+    Password string
+    Token    string
+}
+
+func logUserLogin(user *User) {
+    log.Printf("User logged in: %+v\n", user)  // DON'T: Logs password, token
+}
+```
+
+**Good:**
+
+```go
+import "log/slog"
+
+func logUserLogin(logger *slog.Logger, user *User) {
+    logger.Info("user_login",
+        "user_id", user.ID,
+        "username", user.Username,
+        // Don't log: password, token
+    )
+}
+```
+
+---
+
+## Log Injection — Low
+
+User input in logs can lead to log injection attacks.
+
+**Bad:**
+
+```go
+log.Printf("User logged in: %s\n", username)  // DON'T: No sanitization
+```
+
+**Good:**
+
+```go
+import "log/slog"
+
+// Sanitize user input before logging
+func sanitizeLogInput(input string) string {
+    // Remove control characters
+    var result strings.Builder
+    for _, r := range input {
+        if !unicode.IsControl(r) || r == '\n' || r == '\t' {
+            result.WriteRune(r)
+        }
+    }
+    return result.String()
+}
+
+func logUsername(logger *slog.Logger, username string) {
+    sanitized := sanitizeLogInput(username)
+    logger.Info("user_login", "username", sanitized)
+}
+```
+
+---
+
+## Information Leakage in Error Messages — Medium
+
+**Bad:**
+
+```go
+func handleDatabaseError(err error) error {
+    return fmt.Errorf("database error: %v", err)  // DON'T: Leaks internal details
+}
+
+func dbErrorToHTTP(err error) {
+    http.Error(w, "Error: "+err.Error(), 500)  // DON'T
+}
+```
+
+**Good:**
+
+```go
+func handleDatabaseError(logger *slog.Logger, err error) error {
+    // Log detailed error for debugging
+    logger.Error("database_error", "error", err.Error())
+    // Return generic message to client
+    return errors.New("database operation failed")
+}
+
+func dbErrorToHTTP(w http.ResponseWriter, logger *slog.Logger, err error) {
+    logger.Error("database_error", "error", err.Error())
+    http.Error(w, "Internal server error", http.StatusInternalServerError)
+}
+```
+
+---
+
+## General Logger Security — Low
+
+**Bad:**
+
+```go
+import "log"
+log.Println("User logged in:", user.ID, password)  // DON'T: Logs password
+fmt.Printf("DEBUG: %+v\n", data)  // DON'T: Raw data
+```
+
+**Good:**
+
+```go
+import "log/slog"
+
+handler := slog.NewJSONHandler(os.Stdout, &slog.HandlerOptions{
+    Level:     slog.LevelInfo,
+    AddSource: false,
+})
+logger := slog.New(handler)
+
+logger.Info("user_login",
+    "user_id", userID,
+    "ip_address", request.RemoteIP,
+)
+```
+
+---
+
+## Log Security Checklist
+
+- [ ] No passwords, tokens, or secrets in logs
+- [ ] No PII/PHI in production logs
+- [ ] Sanitize user input before logging
+- [ ] Use structured logging (JSON)
+- [ ] Implement log level strategy
+- [ ] Separate access logs from error logs
+- [ ] Log file permissions restricted (e.g., 600)
+- [ ] Log rotation prevents disk exhaustion
+- [ ] Generic error messages to clients
+- [ ] Detailed errors only in internal logs
+
+---
+
+## CWE References
+
+- **CWE-532**: Insertion of Sensitive Information into Log File
+- **CWE-117**: Improper Output Neutralization for Logs
+- **CWE-209**: Information Exposure Through an Error Message
+- **CWE-200**: Exposure of Sensitive Information
+- **CWE-312**: Cleartext Storage of Sensitive Information

package/skills/golang-security/references/memory-safety.md

@@ -0,0 +1,241 @@
+# Memory Safety Security Rules
+
+Memory safety vulnerabilities can lead to crashes, data corruption, and security compromises.
+
+**Rules:**
+
+1. Integer overflow MUST be checked at boundaries — NEVER trust unchecked arithmetic on external input.
+2. `unsafe` MUST NOT be used in application code — restrict to low-level libraries with thorough review.
+3. Data races MUST be detected with `-race` flag in CI.
+
+---
+
+## Integer Overflow — High
+
+Integer overflows can cause unexpected behavior and crashes.
+
+**Bad:**
+
+```go
+func allocateBuffer(rows, cols int) []byte {
+    size := rows * cols  // DON'T: Can overflow
+    return make([]byte, size)
+}
+```
+
+**Good:**
+
+```go
+import "math"
+
+func safeMultiply(a, b int) (int, error) {
+    if a == 0 || b == 0 {
+        return 0, nil
+    }
+    if a > math.MaxInt/b {
+        return 0, errors.New("integer overflow")
+    }
+    result := a * b
+    if result/b != a {
+        return 0, errors.New("overflow detected")
+    }
+    return result, nil
+}
+
+func allocateBuffer(rows, cols int) ([]byte, error) {
+    size, err := safeMultiply(rows, cols)
+    if err != nil {
+        return nil, err
+    }
+    const maxBufferSize = 100 * 1024 * 1024 // 100MB limit
+    if size > maxBufferSize {
+        return nil, errors.New("buffer size exceeds limit")
+    }
+    return make([]byte, size), nil
+}
+```
+
+---
+
+## math/big.Rat Issues — Low
+
+Rat can consume large amounts of memory if denominators grow without bounds.
+
+**Bad:**
+
+```go
+import "math/big"
+
+func unsafeFraction(operations int) *big.Rat {
+    r := big.NewRat(1, 1)
+    for i := 0; i < operations; i++ {
+        r.Mul(r, big.NewRat(int64(i+1), int64(i+2)))  // DON'T
+    }
+    return r  // Could be memory intensive
+}
+```
+
+**Good:**
+
+```go
+const maxRatNumBits = 1000
+
+func safeFraction(operations int) (*big.Rat, error) {
+    r := big.NewRat(1, 1)
+    for i := 0; i < operations; i++ {
+        r.Mul(r, big.NewRat(int64(i+1), int64(i+2)))
+        if r.Num().BitLen() > maxRatNumBits || r.Denom().BitLen() > maxRatNumBits {
+            return nil, errors.New("fraction precision too large")
+        }
+    }
+    return r, nil
+}
+```
+
+---
+
+## Memory Aliasing Vulnerability — Medium
+
+Memory aliasing can cause data corruption and race conditions.
+
+**Bad:**
+
+```go
+func reverseBytes(data []byte) {
+    for i, j := 0, len(data)-1; i < j; i, j = i+1, j-1 {
+        data[i], data[j] = data[j], data[i]  // DON'T if slices alias
+    }
+}
+```
+
+**Good:**
+
+```go
+import "unsafe"
+
+func checkOverlap(a, b []byte) bool {
+    if len(a) == 0 || len(b) == 0 {
+        return false
+    }
+    aStart := uintptr(unsafe.Pointer(&a[0]))
+    aEnd := aStart + uintptr(len(a))
+    bStart := uintptr(unsafe.Pointer(&b[0]))
+    bEnd := bStart + uintptr(len(b))
+    return aStart < bEnd && bStart < aEnd
+}
+
+func safeCopy(dest, src []byte) {
+    if checkOverlap(dest, src) {
+        temp := make([]byte, len(src))
+        copy(temp, src)
+        copy(dest, temp)
+    } else {
+        copy(dest, src)
+    }
+}
+```
+
+---
+
+## Use of unsafe Package — High
+
+The unsafe package bypasses Go's type safety and memory safety.
+
+**Bad:**
+
+```go
+import "unsafe"
+
+func UnsafeStringToBytes(s string) []byte {
+    return (*[0x7fffffff]byte)(unsafe.Pointer(
+        (*reflect.StringHeader)(unsafe.Pointer(&s)).Data,
+    ))[:len(s):len(s)]  // DON'T: memory corruption risk
+}
+
+func TypePun(value uint64) float64 {
+    return *(*float64)(unsafe.Pointer(&value))  // DON'T
+}
+```
+
+**Good:**
+
+```go
+// Safe string encoding
+func StringToBytes(s string) []byte {
+    return []byte(s)
+}
+func BytesToString(b []byte) string {
+    return string(b)
+}
+
+// Safe type conversion
+import "encoding/binary"
+func Uint64ToFloat64(value uint64) float64 {
+    buf := make([]byte, 8)
+    binary.LittleEndian.PutUint64(buf, value)
+    bits := binary.LittleEndian.Uint64(buf)
+    return math.Float64frombits(bits)
+}
+```
+
+---
+
+## Data Races — High
+
+Go's race detector is your primary defense.
+
+**Bad:**
+
+```go
+type Counter struct {
+    value int
+}
+
+func (c *Counter) Increment() {
+    c.value++  // DON'T: Data race without sync
+}
+```
+
+**Good:**
+
+```go
+import "sync"
+
+type Counter struct {
+    value int
+    mu    sync.Mutex
+}
+
+func (c *Counter) Increment() {
+    c.mu.Lock()
+    defer c.mu.Unlock()
+    c.value++
+}
+
+// Or atomic for simple cases
+import "sync/atomic"
+type AtomicCounter struct {
+    value int64
+}
+func (c *AtomicCounter) Increment() {
+    atomic.AddInt64(&c.value, 1)
+}
+```
+
+## Always Run Race Detector
+
+```bash
+go test -race ./...
+go build -race
+```
+
+---
+
+## CWE References
+
+- **CWE-190**: Integer Overflow or Wraparound
+- **CWE-119**: Improper Restriction of Operations within Bounds
+- **CWE-125**: Out-of-bounds Read
+- **CWE-787**: Out-of-bounds Write
+- **CWE-362**: Race Condition
+- **CWE-367**: Time-of-check Time-of-use (TOCTOU)