catlog22/Claude-Code-Workflow
1
0
Fork 0
mirror of https://github.com/catlog22/Claude-Code-Workflow.git synced 2026-02-11 02:33:51 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
c0c1a2eb92dca1e95c67fee1d2dc4e4b9eb74ffc
Claude-Code-Workflow/.claude/skills/review-code/specs/rules/security-rules.json
catlog22 15514c8f91 Add multi-dimensional code review rules for architecture, correctness, performance, readability, security, and testing 
- Introduced architecture rules to detect circular dependencies, god classes, layer violations, and mixed concerns.
- Added correctness rules focusing on null checks, empty catch blocks, unreachable code, and type coercion.
- Implemented performance rules addressing nested loops, synchronous I/O, memory leaks, and unnecessary re-renders in React.
- Created readability rules to improve function length, variable naming, deep nesting, magic numbers, and commented code.
- Established security rules to identify XSS risks, hardcoded secrets, SQL injection vulnerabilities, and insecure random generation.
- Developed testing rules to enhance test quality, coverage, and maintainability, including missing assertions and error path testing.
- Documented the structure and schema for rule files in the index.md for better understanding and usage.
2026-01-13 14:53:20 +08:00

59 lines
3.3 KiB
JSON
Raw Blame History

{
"dimension": "security",
"prefix": "SEC",
"description": "Rules for detecting security vulnerabilities including XSS, injection, and credential exposure",
"rules": [
{
"id": "xss-innerHTML",
"category": "xss-risk",
"severity": "critical",
"pattern": "innerHTML\\s*=|dangerouslySetInnerHTML",
"patternType": "includes",
"description": "Direct HTML injection via innerHTML or dangerouslySetInnerHTML can lead to XSS vulnerabilities",
"recommendation": "Use textContent for plain text, or sanitize HTML input using a library like DOMPurify before injection",
"fixExample": "// Before\nelement.innerHTML = userInput;\n<div dangerouslySetInnerHTML={{__html: data}} />\n\n// After\nelement.textContent = userInput;\n// or\nimport DOMPurify from 'dompurify';\nelement.innerHTML = DOMPurify.sanitize(userInput);"
},
{
"id": "hardcoded-secret",
"category": "hardcoded-secret",
"severity": "critical",
"pattern": "(?:password|secret|api[_-]?key|token|credential)\\s*[=:]\\s*['\"][^'\"]{8,}['\"]",
"patternType": "regex",
"caseInsensitive": true,
"description": "Hardcoded credentials detected in source code. This is a security risk if code is exposed",
"recommendation": "Use environment variables, secret management services, or configuration files excluded from version control",
"fixExample": "// Before\nconst apiKey = 'sk-1234567890abcdef';\n\n// After\nconst apiKey = process.env.API_KEY;\n// or\nconst apiKey = await getSecretFromVault('api-key');"
},
{
"id": "sql-injection",
"category": "injection",
"severity": "critical",
"pattern": "query\\s*\\(\\s*[`'\"].*\\$\\{|execute\\s*\\(\\s*[`'\"].*\\+",
"patternType": "regex",
"description": "String concatenation or template literals in SQL queries can lead to SQL injection",
"recommendation": "Use parameterized queries or prepared statements with placeholders",
"fixExample": "// Before\ndb.query(`SELECT * FROM users WHERE id = ${userId}`);\n\n// After\ndb.query('SELECT * FROM users WHERE id = ?', [userId]);\n// or\ndb.query('SELECT * FROM users WHERE id = $1', [userId]);"
},
{
"id": "command-injection",
"category": "injection",
"severity": "critical",
"pattern": "exec\\s*\\(|execSync\\s*\\(|spawn\\s*\\([^,]*\\+|child_process",
"patternType": "regex",
"description": "Command execution with user input can lead to command injection attacks",
"recommendation": "Validate and sanitize input, use parameterized commands, or avoid shell execution entirely",
"fixExample": "// Before\nexec(`ls ${userInput}`);\n\n// After\nexecFile('ls', [sanitizedInput], options);\n// or use spawn with {shell: false}"
},
{
"id": "insecure-random",
"category": "cryptography",
"severity": "high",
"pattern": "Math\\.random\\(\\)",
"patternType": "includes",
"description": "Math.random() is not cryptographically secure and should not be used for security-sensitive operations",
"recommendation": "Use crypto.randomBytes() or crypto.getRandomValues() for security-critical random generation",
"fixExample": "// Before\nconst token = Math.random().toString(36);\n\n// After\nimport crypto from 'crypto';\nconst token = crypto.randomBytes(32).toString('hex');"
}
]
}
Reference in New Issue View Git Blame Copy Permalink