CalvinBackup/gstack
1
0
Fork 0
mirror of https://github.com/garrytan/gstack.git synced 2026-05-01 19:25:10 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
be96ff5ce771f67d4502ea4b2fbbcba53654cdcf
gstack/review/specialists/security.md
T
Garry Tan a4a181ca92 feat: Review Army — parallel specialist reviewers for /review (v0.14.3.0) (#692) 
* feat: extend gstack-diff-scope with SCOPE_MIGRATIONS, SCOPE_API, SCOPE_AUTH

Three new scope signals for Review Army specialist activation:
- SCOPE_MIGRATIONS: db/migrate/, prisma/migrations/, alembic/, *.sql
- SCOPE_API: *controller*, *route*, *endpoint*, *.graphql, openapi.*
- SCOPE_AUTH: *auth*, *session*, *jwt*, *oauth*, *permission*, *role*

* feat: add 7 specialist checklist files for Review Army

- testing.md (always-on): coverage gaps, flaky patterns, security enforcement
- maintainability.md (always-on): dead code, DRY, stale comments
- security.md (conditional): OWASP deep analysis, auth bypass, injection
- performance.md (conditional): N+1 queries, bundle impact, complexity
- data-migration.md (conditional): reversibility, lock duration, backfill
- api-contract.md (conditional): breaking changes, versioning, error format
- red-team.md (conditional): adversarial analysis, cross-cutting concerns

All use standard header with JSON output schema and NO FINDINGS fallback.

* feat: Review Army resolver — parallel specialist dispatch + merge

New resolver in review-army.ts generates template prose for:
- Stack detection and specialist selection
- Parallel Agent tool dispatch with learning-informed prompts
- JSON finding collection, fingerprint dedup, consensus highlighting
- PR quality score computation
- Red Team conditional dispatch

Registered as REVIEW_ARMY in resolvers/index.ts.

* refactor: restructure /review template for Review Army

- Replace Steps 4-4.75 with CRITICAL pass + {{REVIEW_ARMY}}
- Remove {{DESIGN_REVIEW_LITE}} and {{TEST_COVERAGE_AUDIT_REVIEW}}
  (subsumed into Design and Testing specialists respectively)
- Extract specialist-covered categories from checklist.md
- Keep CRITICAL + uncovered INFORMATIONAL in main agent pass

* test: Review Army — 14 diff-scope tests + 7 E2E tests

- test/diff-scope.test.ts: 14 tests for all 9 scope signals
- test/skill-e2e-review-army.test.ts: 7 E2E tests
  Gate: migration safety, N+1 detection, delivery audit,
        quality score, JSON findings
  Periodic: red team, consensus
- Updated gen-skill-docs tests for new review structure
- Added touchfile entries and tier classifications

* docs: update SELF_LEARNING_V0.md with Release 2 status + Release 2.5

Mark Release 2 (Review Army) as in-progress. Add Release 2.5 for
deferred expansions (E1 adaptive gating, E3 test stubs, E5 cross-review
dedup, E7 specialist tracking).

* chore: bump version and changelog (v0.14.3.0)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-30 22:07:50 -06:00

2.9 KiB
Raw Blame History

Security Specialist Review Checklist

Scope: When SCOPE_AUTH=true OR (SCOPE_BACKEND=true AND diff > 100 lines) Output: JSON objects, one finding per line. Schema: {"severity":"CRITICAL|INFORMATIONAL","confidence":N,"path":"file","line":N,"category":"security","summary":"...","fix":"...","fingerprint":"path:line:security","specialist":"security"} If no findings: output NO FINDINGS and nothing else.

This checklist goes deeper than the main CRITICAL pass. The main agent already checks SQL injection, race conditions, LLM trust, and enum completeness. This specialist focuses on auth/authz patterns, cryptographic misuse, and attack surface expansion.

Categories

Input Validation at Trust Boundaries

  • User input accepted without validation at controller/handler level
  • Query parameters used directly in database queries or file paths
  • Request body fields accepted without type checking or schema validation
  • File uploads without type/size/content validation
  • Webhook payloads processed without signature verification

Auth & Authorization Bypass

  • Endpoints missing authentication middleware (check route definitions)
  • Authorization checks that default to "allow" instead of "deny"
  • Role escalation paths (user can modify their own role/permissions)
  • Direct object reference vulnerabilities (user A accesses user B's data by changing an ID)
  • Session fixation or session hijacking opportunities
  • Token/API key validation that doesn't check expiration

Injection Vectors (beyond SQL)

  • Command injection via subprocess calls with user-controlled arguments
  • Template injection (Jinja2, ERB, Handlebars) with user input
  • LDAP injection in directory queries
  • SSRF via user-controlled URLs (fetch, redirect, webhook targets)
  • Path traversal via user-controlled file paths (../../etc/passwd)
  • Header injection via user-controlled values in HTTP headers

Cryptographic Misuse

  • Weak hashing algorithms (MD5, SHA1) for security-sensitive operations
  • Predictable randomness (Math.random, rand()) for tokens or secrets
  • Non-constant-time comparisons (==) on secrets, tokens, or digests
  • Hardcoded encryption keys or IVs
  • Missing salt in password hashing

Secrets Exposure

  • API keys, tokens, or passwords in source code (even in comments)
  • Secrets logged in application logs or error messages
  • Credentials in URLs (query parameters or basic auth in URL)
  • Sensitive data in error responses returned to users
  • PII stored in plaintext when encryption is expected

XSS via Escape Hatches

  • Rails: .html_safe, raw() on user-controlled data
  • React: dangerouslySetInnerHTML with user content
  • Vue: v-html with user content
  • Django: |safe, mark_safe() on user input
  • General: innerHTML assignment with unsanitized data

Deserialization

  • Deserializing untrusted data (pickle, Marshal, YAML.load, JSON.parse of executable types)
  • Accepting serialized objects from user input or external APIs without schema validation
Reference in New Issue View Git Blame Copy Permalink