CalvinBackup/gstack
1
0
Fork 0
mirror of https://github.com/garrytan/gstack.git synced 2026-05-01 19:25:10 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
9d34baa973475d4901c8e8aee2e94e33f9417679
gstack/review/specialists/security.md
T
Garry Tan 9ca8f1d7a9 feat: adaptive gating + cross-review dedup for review army (v0.15.2.0) (#760) 
* feat: add test_stub optional field to specialist finding schema

All specialist prompts now document test_stub as an optional output field,
enabling specialists to suggest test code alongside findings.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: adaptive gating + test framework detection for review army

Adds gstack-specialist-stats binary for tracking specialist hit rates.
Resolver now detects test framework for test_stub generation, applies
adaptive gating to skip silent specialists, and compiles per-specialist
stats for the review-log entry.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: cross-review finding dedup + test stub override + enriched review-log

Step 5.0 suppresses findings previously skipped by the user when the
relevant code hasn't changed. Test stub findings force ASK classification
so users approve test creation. Review-log now includes quality_score,
per-specialist stats, and per-finding action records.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore: bump version and changelog (v0.15.2.0)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: bash operator precedence in test framework detection

[ -f a ] || [ -f b ] && X="y" evaluates as A || (B && C), so the
assignment only runs when the second test passes. Wrap the OR group
in braces: { [ -f a ] || [ -f b ]; } && X="y".

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-04 22:46:21 -07:00

3.0 KiB
Raw Blame History

Security Specialist Review Checklist

Scope: When SCOPE_AUTH=true OR (SCOPE_BACKEND=true AND diff > 100 lines) Output: JSON objects, one finding per line. Schema: {"severity":"CRITICAL|INFORMATIONAL","confidence":N,"path":"file","line":N,"category":"security","summary":"...","fix":"...","fingerprint":"path:line:security","specialist":"security"} Optional: line, fix, fingerprint, evidence, test_stub. If no findings: output NO FINDINGS and nothing else.

This checklist goes deeper than the main CRITICAL pass. The main agent already checks SQL injection, race conditions, LLM trust, and enum completeness. This specialist focuses on auth/authz patterns, cryptographic misuse, and attack surface expansion.

Categories

Input Validation at Trust Boundaries

  • User input accepted without validation at controller/handler level
  • Query parameters used directly in database queries or file paths
  • Request body fields accepted without type checking or schema validation
  • File uploads without type/size/content validation
  • Webhook payloads processed without signature verification

Auth & Authorization Bypass

  • Endpoints missing authentication middleware (check route definitions)
  • Authorization checks that default to "allow" instead of "deny"
  • Role escalation paths (user can modify their own role/permissions)
  • Direct object reference vulnerabilities (user A accesses user B's data by changing an ID)
  • Session fixation or session hijacking opportunities
  • Token/API key validation that doesn't check expiration

Injection Vectors (beyond SQL)

  • Command injection via subprocess calls with user-controlled arguments
  • Template injection (Jinja2, ERB, Handlebars) with user input
  • LDAP injection in directory queries
  • SSRF via user-controlled URLs (fetch, redirect, webhook targets)
  • Path traversal via user-controlled file paths (../../etc/passwd)
  • Header injection via user-controlled values in HTTP headers

Cryptographic Misuse

  • Weak hashing algorithms (MD5, SHA1) for security-sensitive operations
  • Predictable randomness (Math.random, rand()) for tokens or secrets
  • Non-constant-time comparisons (==) on secrets, tokens, or digests
  • Hardcoded encryption keys or IVs
  • Missing salt in password hashing

Secrets Exposure

  • API keys, tokens, or passwords in source code (even in comments)
  • Secrets logged in application logs or error messages
  • Credentials in URLs (query parameters or basic auth in URL)
  • Sensitive data in error responses returned to users
  • PII stored in plaintext when encryption is expected

XSS via Escape Hatches

  • Rails: .html_safe, raw() on user-controlled data
  • React: dangerouslySetInnerHTML with user content
  • Vue: v-html with user content
  • Django: |safe, mark_safe() on user input
  • General: innerHTML assignment with unsanitized data

Deserialization

  • Deserializing untrusted data (pickle, Marshal, YAML.load, JSON.parse of executable types)
  • Accepting serialized objects from user input or external APIs without schema validation
Reference in New Issue View Git Blame Copy Permalink