ndomo 0.1.0

package/skills/golang-security/references/network.md

@@ -0,0 +1,253 @@
+# Network/Web Security Rules
+
+Network and web security vulnerabilities can lead to data leakage and unauthorized access.
+
+**Rules:**
+
+1. Redirects MUST be validated against an allowlist of domains.
+2. HTTP servers MUST configure `ReadTimeout`, `WriteTimeout`, and `IdleTimeout`.
+3. Pprof endpoints MUST NEVER be exposed publicly.
+4. XML parsers MUST disable XXE — reject `<!DOCTYPE` and `<!ENTITY` declarations.
+
+---
+
+## Open Redirect Vulnerability — Medium
+
+Redirects to unvalidated URLs can be used for phishing.
+
+**Bad:**
+
+```go
+target := r.URL.Query().Get("url")
+http.Redirect(w, r, target, http.StatusFound) // DON'T
+```
+
+**Good:**
+
+```go
+target := r.URL.Query().Get("url")
+u, _ := url.Parse(target)
+// Only allow http/https
+if u.Scheme != "http" && u.Scheme != "https" {
+    return errors.New("invalid scheme")
+}
+// Block javascript/data schemes
+if strings.HasPrefix(target, "javascript:") || strings.HasPrefix(target, "data:") {
+    return errors.New("blocked scheme")
+}
+// Check against whitelist
+if !isAllowedDomain(u.Host) {
+    return errors.New("invalid domain")
+}
+http.Redirect(w, r, target, http.StatusFound)
+```
+
+---
+
+## Bind to All Interfaces — Medium
+
+Binding to 0.0.0.0 exposes services to all network interfaces.
+
+**Bad:**
+
+```go
+listener, _ := net.Listen("tcp", "0.0.0.0:8080") // DON'T: Exposes all interfaces
+```
+
+**Good:**
+
+```go
+// Bind only to localhost
+listener, _ := net.Listen("tcp", "127.0.0.1:8080")
+
+// Or specific internal IP
+listener, _ := net.Listen("tcp", "10.0.1.5:8080")
+```
+
+---
+
+## Slowloris Attack Vulnerability — Medium
+
+Slowloris attacks exhaust connection pools.
+
+**Bad:**
+
+```go
+server := &http.Server{
+    Addr: ":8080",
+    // Missing ReadTimeout, WriteTimeout, IdleTimeout
+}
+```
+
+**Good:**
+
+```go
+server := &http.Server{
+    Addr:         ":8080",
+    ReadTimeout:  5 * time.Second,
+    WriteTimeout: 10 * time.Second,
+    IdleTimeout:  120 * time.Second,
+    MaxHeaderBytes: 1 << 20, // Limit header size to 1MB
+}
+```
+
+---
+
+## Insecure HTTP Server Configuration — Medium
+
+Running HTTP servers without proper security settings.
+
+**Bad:**
+
+```go
+http.ListenAndServe(":8080", handler) // DON'T: No security hardening
+```
+
+**Good:**
+
+```go
+server := &http.Server{
+    Addr:         ":443",
+    ReadTimeout:  5 * time.Second,
+    WriteTimeout: 10 * time.Second,
+    IdleTimeout:  120 * time.Second,
+    MaxHeaderBytes: 1 << 20,
+}
+server.ListenAndServeTLS("cert.pem", "key.pem")
+```
+
+---
+
+## Observable Timing (Timing Attacks) — Medium
+
+Timing differences can leak sensitive information.
+
+**Bad:**
+
+```go
+func checkPassword(input, secret string) bool {
+    return input == secret // DON'T: Short-circuit leaks length
+}
+```
+
+**Good:**
+
+```go
+import "crypto/subtle"
+
+// For comparing fixed-length tokens or hashes:
+func checkToken(input, expected string) bool {
+    // ConstantTimeCompare already handles unequal lengths without leaking timing
+    return subtle.ConstantTimeCompare([]byte(input), []byte(expected)) == 1
+}
+
+// For passwords, use Argon2id (preferred) or bcrypt — they handle hashing
+// and constant-time comparison internally:
+// argon2: hash := argon2.IDKey([]byte(password), salt, 3, 64*1024, 4, 32)
+// bcrypt: err := bcrypt.CompareHashAndPassword([]byte(storedHash), []byte(password))
+
+// For HMAC verification:
+import "crypto/hmac"
+func verifyHMAC(message, messageMAC, key []byte) bool {
+    mac := hmac.New(sha256.New, key)
+    mac.Write(message)
+    expectedMAC := mac.Sum(nil)
+    return hmac.Equal(messageMAC, expectedMAC) // Constant-time
+}
+```
+
+---
+
+## Exposed pprof Profiling Endpoints — High
+
+Debug pprof endpoints expose sensitive runtime information.
+
+**Bad:**
+
+```go
+import _ "net/http/pprof" // DON'T: Automatically registers /debug/pprof
+http.ListenAndServe(":8080", handler)
+```
+
+**Good:**
+
+```go
+// Option 1: Use build tags to exclude pprof from production builds
+// File: debug_pprof.go
+//go:build !production
+
+package main
+
+import _ "net/http/pprof"
+
+// Option 2: Serve pprof on a separate internal-only listener
+func startDebugServer() {
+    debugMux := http.NewServeMux()
+    debugMux.HandleFunc("/debug/pprof/", pprof.Index)
+    debugMux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
+    debugMux.HandleFunc("/debug/pprof/profile", pprof.Profile)
+    debugMux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
+    debugMux.HandleFunc("/debug/pprof/trace", pprof.Trace)
+    go http.ListenAndServe("127.0.0.1:6060", debugMux) // localhost only
+}
+```
+
+---
+
+## XXE Vulnerability — High
+
+XML parsers that process external entity references.
+
+**Bad:**
+
+```go
+decoder := xml.NewDecoder(bytes.NewReader(xmlData))
+decoder.Decode(&person) // DON'T: May process external entities
+```
+
+**Good:**
+
+```go
+decoder := xml.NewDecoder(bytes.NewReader(xmlData))
+decoder.Strict = true
+
+// Block DTD declarations
+xmlStr := string(xmlData)
+if strings.Contains(xmlStr, "<!DOCTYPE") || strings.Contains(xmlStr, "<!ENTITY") {
+    return errors.New("XML contains DTD - potential XXE")
+}
+decoder.Decode(&person)
+```
+
+---
+
+## Permissive Regex Validation — Low
+
+Weak regex validation can allow malicious input.
+
+**Bad:**
+
+```go
+matched, _ := regexp.MatchString(`.+@.+\..+`, email) // DON'T: Too permissive
+```
+
+**Good:**
+
+```go
+var emailRegex = regexp.MustCompile(`^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$`)
+if !emailRegex.MatchString(email) {
+    return errors.New("invalid email")
+}
+// Also block injection patterns
+```
+
+---
+
+## CWE References
+
+- **CWE-601**: Open Redirect
+- **CWE-208**: Observable Timing Discrepancy
+- **CWE-611**: Improper Restriction of XML External Entity Reference
+- **CWE-770**: Allocation of Resources Without Limits
+- **CWE-20**: Improper Input Validation
+- **CWE-200**: Exposure of Sensitive Information

package/skills/golang-security/references/secrets.md

@@ -0,0 +1,189 @@
+# Secrets Management Security Rules
+
+Hardcoded secrets, credentials, and sensitive data in source code is a major security vulnerability.
+
+**Rules:**
+
+1. Secrets MUST be loaded from environment variables or secret managers.
+2. NEVER commit secrets to VCS.
+3. `.gitignore` MUST exclude secret files (`.env`, `*.key`, `*.pem`).
+
+---
+
+## Hardcoded Secrets and Credentials — Critical
+
+**Bad:**
+
+```go
+const (
+    AWS_ACCESS_KEY    = "AKIAIOSFODNN7EXAMPLE"  // DON'T
+    AWS_SECRET_KEY    = "wJalrXUtnFEMI/K7MDENG"  // DON'T
+    DATABASE_PASSWORD = "SuperSecret123!"         // DON'T
+    JWT_SECRET        = "my-super-secret-jwt-key" // DON'T
+)
+
+var config = Config{
+    APIKey:  "abc123-xyz789-secret-key", // DON'T
+    Secret:  "my-super-secret-value",    // DON'T
+    DatabaseURL: "user:passw0rd!@localhost:5432/db", // DON'T
+}
+```
+
+**Good:**
+
+```go
+import "os"
+
+type Config struct {
+    AWSAccessKey     string
+    AWSSecretKey     string
+    DatabasePassword string
+    JWTSecret        string
+}
+
+func LoadConfig() (*Config, error) {
+    cfg := &Config{
+        AWSAccessKey:     os.Getenv("AWS_ACCESS_KEY_ID"),
+        AWSSecretKey:     os.Getenv("AWS_SECRET_ACCESS_KEY"),
+        DatabasePassword: os.Getenv("DATABASE_PASSWORD"),
+        JWTSecret:        os.Getenv("JWT_SECRET"),
+    }
+
+    if cfg.JWTSecret == "" {
+        return nil, errors.New("JWT_SECRET is required")
+    }
+    return cfg, nil
+}
+```
+
+---
+
+## Hardcoded Database Passwords — Critical
+
+**Bad:**
+
+```go
+// MySQL
+dsn := "user:Password123!@tcp(localhost:3306)/dbname" // DON'T
+
+// PostgreSQL
+dsn := "user=postgres password=P@ssw0rd! dbname=mydb host=localhost" // DON'T
+```
+
+**Good:**
+
+```go
+// MySQL
+func connectMySQL() (*sql.DB, error) {
+    user := os.Getenv("DB_USER")
+    password := os.Getenv("DB_PASSWORD")
+    if password == "" {
+        return nil, errors.New("DB_PASSWORD required")
+    }
+    host := getEnvWithDefault("DB_HOST", "localhost")
+    port := getEnvWithDefault("DB_PORT", "3306")
+    addr := net.JoinHostPort(host, port)
+    dsn := fmt.Sprintf("%s:%s@tcp(%s)/%s",
+        user, password, addr, getEnvWithDefault("DB_NAME", "mydb"))
+    return sql.Open("mysql", dsn)
+}
+
+// PostgreSQL
+func connectPostgres() (*sql.DB, error) {
+    connStr := os.Getenv("DATABASE_URL")
+    if connStr == "" {
+        return nil, errors.New("DATABASE_URL required")
+    }
+    return sql.Open("postgres", connStr)
+}
+```
+
+---
+
+## Secrets Storage Best Practices
+
+### Environment Variables
+
+```go
+type EnvSecretLoader struct{}
+
+func (l *EnvSecretLoader) Load(required []string) (map[string]string, error) {
+    secrets := make(map[string]string)
+    missing := []string{}
+    for _, name := range required {
+        value := os.Getenv(name)
+        if value == "" {
+            missing = append(missing, name)
+            continue
+        }
+        secrets[name] = value
+    }
+    if len(missing) > 0 {
+        return nil, fmt.Errorf("missing: %v", missing)
+    }
+    return secrets, nil
+}
+```
+
+### Secret Managers
+
+```go
+type SecretManager interface {
+    GetSecret(name string) (string, error)
+}
+
+// AWS Secrets Manager
+type AWSSecretsManager struct {
+    client *secretsmanager.Client
+}
+
+func (m *AWSSecretsManager) GetSecret(name string) (string, error) {
+    result, err := m.client.GetSecretValue(context.TODO(), &secretsmanager.GetSecretValueInput{
+        SecretId: aws.String(name),
+    })
+    if err != nil {
+        return "", err
+    }
+    if result.SecretString != nil {
+        return *result.SecretString, nil
+    }
+    return string(result.SecretBinary), nil
+}
+```
+
+### .gitignore Patterns
+
+```
+# Secrets
+.env
+.env.local
+.env.*.local
+*.key
+*.pem
+*.p12
+*.pfx
+secrets/
+credentials/
+```
+
+---
+
+## Secret Detection Patterns
+
+| Pattern         | Example                         |
+| --------------- | ------------------------------- |
+| API Keys        | `Key = "sk_live_..."`           |
+| Passwords       | `password = "..."`              |
+| Tokens          | `token = "..."`                 |
+| Private Keys    | `BEGIN PRIVATE KEY`             |
+| AWS Credentials | `AWS_ACCESS_KEY_ID = "AKIA..."` |
+| JWT Secrets     | `jwtSecret = "..."`             |
+
+---
+
+## CWE References
+
+- **CWE-798**: Use of Hard-coded Credentials
+- **CWE-312**: Cleartext Storage of Sensitive Information
+- **CWE-532**: Insertion of Sensitive Information into Log File
+- **CWE-359**: Exposure of Private Personal Information

package/skills/golang-security/references/third-party.md

@@ -0,0 +1,159 @@
+# Third-Party Data Leak Rules
+
+Third-party monitoring and analytics services can inadvertently transmit sensitive user data to external systems.
+
+**Rules:**
+
+1. PII MUST be filtered before sending to third-party services.
+2. Error tracking MUST NOT receive raw user data — use `BeforeSend` hooks to redact.
+
+---
+
+## Overview
+
+These rules detect Go code that sends data to third-party services. Always review what data is being transmitted and ensure it complies with privacy regulations (GDPR, CCPA, etc.).
+
+---
+
+## Common Vulnerable Services
+
+| Service          | Risk                                                  |
+| ---------------- | ----------------------------------------------------- |
+| Airbrake         | Error tracking - sensitive data may be sent           |
+| Bugsnag          | Error tracking - sensitive data exposure              |
+| Sentry           | Error tracking - sensitive data in breadcrumbs/events |
+| Rollbar          | Error tracking - sensitive data leaks                 |
+| Honeybadger      | Error tracking - sensitive data leaks                 |
+| New Relic        | Monitoring - sensitive data exposure                  |
+| Datadog          | Monitoring - sensitive data in telemetry              |
+| OpenTelemetry    | Observability - sensitive data in traces/metrics      |
+| Google Analytics | Analytics - PII tracking risks                        |
+| Algolia          | Search API - data exfiltration risks                  |
+| Segment          | Analytics - PII tracking risks                        |
+| BigQuery         | Analytics - sensitive data in queries                 |
+| ClickHouse       | Database - sensitive data queries                     |
+| Elasticsearch    | Search engine - sensitive data in queries             |
+
+---
+
+## Error Tracking Services — Medium
+
+**Bad:**
+
+```go
+import "github.com/getsentry/sentry-go"
+
+sentry.CaptureException(err) // DON'T: Captures full request context
+```
+
+**Good:**
+
+```go
+sentry.Init(sentry.ClientOptions{
+    Dsn: "https://xxx@sentry.io/123",
+    RequestHeaders: []string{"Accept", "User-Agent"},
+    BeforeSend: func(event *sentry.Event, hint *sentry.EventHint) *sentry.Event {
+        // Remove sensitive headers
+        if event.Request != nil {
+            delete(event.Request.Headers, "Authorization")
+            delete(event.Request.Headers, "Cookie")
+        }
+        return event
+    },
+})
+```
+
+---
+
+## Analytics/Monitoring Services — Medium
+
+**Bad:**
+
+```go
+analytics.Track("user_signed_up", analytics.Properties{
+    "email":   user.Email,   // DON'T: PII!
+    "phone":   user.Phone,   // DON'T: PII!
+    "address": user.Address, // DON'T: PII!
+})
+```
+
+**Good:**
+
+```go
+analytics.Track("user_signed_up", analytics.Properties{
+    "user_id":        user.ID,          // OK: Internal identifier
+    "plan":           user.Plan,        // OK: Business data
+    "country":        user.CountryCode, // OK: Non-identifying
+})
+
+// Hash PII for correlation
+func hashEmail(email string) string {
+    h := sha256.New()
+    h.Write([]byte(email))
+    return hex.EncodeToString(h.Sum(nil))[:8]
+}
+```
+
+---
+
+## Data Filtering Layer
+
+```go
+type DataFilter struct {
+    sensitiveFields []string
+}
+
+func NewDataFilter() *DataFilter {
+    return &DataFilter{
+        sensitiveFields: []string{
+            "password", "token", "secret", "key", "email",
+            "phone", "address", "ssn", "credit_card", "bank_account",
+        },
+    }
+}
+
+func (f *DataFilter) Filter(data map[string]interface{}) map[string]interface{} {
+    result := make(map[string]interface{})
+    for k, v := range data {
+        keyLower := strings.ToLower(k)
+        isSensitive := false
+        for _, field := range f.sensitiveFields {
+            if strings.Contains(keyLower, field) {
+                isSensitive = true
+                break
+            }
+        }
+        if isSensitive {
+            result[k] = "[REDACTED]"
+        } else {
+            result[k] = v
+        }
+    }
+    return result
+}
+```
+
+---
+
+## Review Checklist
+
+Before integrating any third-party service:
+
+- [ ] Identify what data is being sent
+- [ ] Remove any PII/PHI from transmitted data
+- [ ] Review data residency requirements
+- [ ] Implement data retention policies
+- [ ] Set up data export logging/auditing
+- [ ] Configure error handling to avoid data exposure
+- [ ] Review terms of service for data usage
+- [ ] Implement user consent management
+- [ ] Support data deletion requests
+- [ ] Conduct regular data flow audits
+
+---
+
+## CWE References
+
+- **CWE-200**: Exposure of Sensitive Information
+- **CWE-359**: Exposure of Private Personal Information
+- **CWE-201**: Information Exposure Through Sent Data