security-review
4
总安装量
3
周安装量
#52058
全站排名
安装命令
npx skills add https://github.com/zhukunpenglinyutong/ai-max --skill security-review
Agent 安装分布
windsurf
2
trae
2
opencode
2
codex
2
claude-code
2
antigravity
2
Skill 文档
å®å ¨å®¡æ¥ Skill
æ¤ skill ç¡®ä¿ææ代ç éµå¾ªå®å ¨æä½³å®è·µå¹¶è¯å«æ½å¨æ¼æ´ã
ä½æ¶æ¿æ´»
- å®ç°è®¤è¯æææ
- å¤çç¨æ·è¾å ¥ææ件ä¸ä¼
- å建æ°ç API 端ç¹
- å¤çå¯é¥æåè¯
- å®ç°æ¯ä»åè½
- åå¨æä¼ è¾æææ°æ®
- éæ第ä¸æ¹ API
å®å ¨æ£æ¥æ¸ å
1. å¯é¥ç®¡ç
â æ°¸ä¸è¿æ ·å
const apiKey = "sk-proj-xxxxx" // 硬ç¼ç çå¯é¥
const dbPassword = "password123" // å¨æºä»£ç ä¸
â å§ç»è¿æ ·å
const apiKey = process.env.OPENAI_API_KEY
const dbUrl = process.env.DATABASE_URL
// éªè¯å¯é¥åå¨
if (!apiKey) {
throw new Error('OPENAI_API_KEY not configured')
}
éªè¯æ¥éª¤
- 没æ硬ç¼ç ç API å¯é¥ã令çæå¯ç
- ææå¯é¥é½å¨ç¯å¢åéä¸
-
.env.localå¨ .gitignore ä¸ - git åå²ä¸æ²¡æå¯é¥
- ç产å¯é¥å¨æ管平å°ï¼VercelãRailwayï¼ä¸
2. è¾å ¥éªè¯
å§ç»éªè¯ç¨æ·è¾å ¥
import { z } from 'zod'
// å®ä¹éªè¯ schema
const CreateUserSchema = z.object({
email: z.string().email(),
name: z.string().min(1).max(100),
age: z.number().int().min(0).max(150)
})
// å¤çåéªè¯
export async function createUser(input: unknown) {
try {
const validated = CreateUserSchema.parse(input)
return await db.users.create(validated)
} catch (error) {
if (error instanceof z.ZodError) {
return { success: false, errors: error.errors }
}
throw error
}
}
æ件ä¸ä¼ éªè¯
function validateFileUpload(file: File) {
// 大å°æ£æ¥ï¼æ大 5MBï¼
const maxSize = 5 * 1024 * 1024
if (file.size > maxSize) {
throw new Error('File too large (max 5MB)')
}
// ç±»åæ£æ¥
const allowedTypes = ['image/jpeg', 'image/png', 'image/gif']
if (!allowedTypes.includes(file.type)) {
throw new Error('Invalid file type')
}
// æ©å±åæ£æ¥
const allowedExtensions = ['.jpg', '.jpeg', '.png', '.gif']
const extension = file.name.toLowerCase().match(/\.[^.]+$/)?.[0]
if (!extension || !allowedExtensions.includes(extension)) {
throw new Error('Invalid file extension')
}
return true
}
éªè¯æ¥éª¤
- ææç¨æ·è¾å ¥é½ä½¿ç¨ schema éªè¯
- æ件ä¸ä¼ åéå¶ï¼å¤§å°ãç±»åãæ©å±åï¼
- 没æç´æ¥å¨æ¥è¯¢ä¸ä½¿ç¨ç¨æ·è¾å ¥
- 使ç¨ç½ååéªè¯ï¼èéé»ååï¼
- é误æ¶æ¯ä¸æ³é²ææä¿¡æ¯
3. SQL æ³¨å ¥é²æ¤
â æ°¸ä¸æ¼æ¥ SQL
// å±é© - SQL 注å
¥æ¼æ´
const query = `SELECT * FROM users WHERE email = '${userEmail}'`
await db.query(query)
â å§ç»ä½¿ç¨åæ°åæ¥è¯¢
// å®å
¨ - åæ°åæ¥è¯¢
const { data } = await supabase
.from('users')
.select('*')
.eq('email', userEmail)
// æ使ç¨åå§ SQL
await db.query(
'SELECT * FROM users WHERE email = $1',
[userEmail]
)
éªè¯æ¥éª¤
- æææ°æ®åºæ¥è¯¢ä½¿ç¨åæ°åæ¥è¯¢
- SQL ä¸æ²¡æå符串æ¼æ¥
- ORM/æ¥è¯¢æ建å¨ä½¿ç¨æ£ç¡®
- Supabase æ¥è¯¢æ£ç¡®æ¸ ç
4. 认è¯ä¸ææ
JWT 令çå¤ç
// â é误ï¼localStorageï¼æå XSS æ»å»ï¼
localStorage.setItem('token', token)
// â
æ£ç¡®ï¼httpOnly cookies
res.setHeader('Set-Cookie',
`token=${token}; HttpOnly; Secure; SameSite=Strict; Max-Age=3600`)
æææ£æ¥
export async function deleteUser(userId: string, requesterId: string) {
// å§ç»å
éªè¯ææ
const requester = await db.users.findUnique({
where: { id: requesterId }
})
if (requester.role !== 'admin') {
return NextResponse.json(
{ error: 'Unauthorized' },
{ status: 403 }
)
}
// 继ç»æ§è¡å é¤
await db.users.delete({ where: { id: userId } })
}
è¡çº§å®å ¨ï¼Supabaseï¼
-- å¨ææ表ä¸å¯ç¨ RLS
ALTER TABLE users ENABLE ROW LEVEL SECURITY;
-- ç¨æ·åªè½æ¥çèªå·±çæ°æ®
CREATE POLICY "Users view own data"
ON users FOR SELECT
USING (auth.uid() = id);
-- ç¨æ·åªè½æ´æ°èªå·±çæ°æ®
CREATE POLICY "Users update own data"
ON users FOR UPDATE
USING (auth.uid() = id);
éªè¯æ¥éª¤
- 令çåå¨å¨ httpOnly cookies ä¸ï¼èé localStorageï¼
- æææä½åè¿è¡æææ£æ¥
- Supabase ä¸å¯ç¨è¡çº§å®å ¨
- å®ç°åºäºè§è²ç访é®æ§å¶
- ä¼è¯ç®¡çå®å ¨
5. XSS é²æ¤
æ¸ ç HTML
import DOMPurify from 'isomorphic-dompurify'
// å§ç»æ¸
çç¨æ·æä¾ç HTML
function renderUserContent(html: string) {
const clean = DOMPurify.sanitize(html, {
ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'p'],
ALLOWED_ATTR: []
})
return <div dangerouslySetInnerHTML={{ __html: clean }} />
}
å 容å®å ¨çç¥
// next.config.js
const securityHeaders = [
{
key: 'Content-Security-Policy',
value: `
default-src 'self';
script-src 'self' 'unsafe-eval' 'unsafe-inline';
style-src 'self' 'unsafe-inline';
img-src 'self' data: https:;
font-src 'self';
connect-src 'self' https://api.example.com;
`.replace(/\s{2,}/g, ' ').trim()
}
]
éªè¯æ¥éª¤
- ç¨æ·æä¾ç HTML å·²æ¸ ç
- CSP 头é¨å·²é ç½®
- 没ææªéªè¯çå¨æå 容渲æ
- ä½¿ç¨ React å ç½®ç XSS é²æ¤
6. CSRF é²æ¤
CSRF 令ç
import { csrf } from '@/lib/csrf'
export async function POST(request: Request) {
const token = request.headers.get('X-CSRF-Token')
if (!csrf.verify(token)) {
return NextResponse.json(
{ error: 'Invalid CSRF token' },
{ status: 403 }
)
}
// å¤ç请æ±
}
SameSite Cookies
res.setHeader('Set-Cookie',
`session=${sessionId}; HttpOnly; Secure; SameSite=Strict`)
éªè¯æ¥éª¤
- ç¶ææ´æ¹æä½ä½¿ç¨ CSRF 令ç
- ææ cookies 设置 SameSite=Strict
- å®ç°åéæ交 cookie 模å¼
7. éçéå¶
API éçéå¶
import rateLimit from 'express-rate-limit'
const limiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 åé
max: 100, // æ¯çªå£ 100 次请æ±
message: 'Too many requests'
})
// åºç¨å°è·¯ç±
app.use('/api/', limiter)
æè´µæä½
// 对æ索使ç¨æ´ä¸¥æ ¼çéçéå¶
const searchLimiter = rateLimit({
windowMs: 60 * 1000, // 1 åé
max: 10, // æ¯åé 10 次请æ±
message: 'Too many search requests'
})
app.use('/api/search', searchLimiter)
éªè¯æ¥éª¤
- ææ API 端ç¹é½æéçéå¶
- æè´µæä½ææ´ä¸¥æ ¼çéå¶
- åºäº IP çéçéå¶
- åºäºç¨æ·çéçéå¶ï¼å·²è®¤è¯ç¨æ·ï¼
8. æææ°æ®æ´é²
æ¥å¿è®°å½
// â é误ï¼è®°å½æææ°æ®
console.log('User login:', { email, password })
console.log('Payment:', { cardNumber, cvv })
// â
æ£ç¡®ï¼è±ææææ°æ®
console.log('User login:', { email, userId })
console.log('Payment:', { last4: card.last4, userId })
é误æ¶æ¯
// â é误ï¼æ´é²å
é¨ç»è
catch (error) {
return NextResponse.json(
{ error: error.message, stack: error.stack },
{ status: 500 }
)
}
// â
æ£ç¡®ï¼éç¨é误æ¶æ¯
catch (error) {
console.error('Internal error:', error)
return NextResponse.json(
{ error: 'An error occurred. Please try again.' },
{ status: 500 }
)
}
éªè¯æ¥éª¤
- æ¥å¿ä¸æ²¡æå¯ç ã令çæå¯é¥
- ç¨æ·çå°çé误æ¶æ¯æ¯éç¨ç
- 详ç»é误åªå¨æå¡å¨æ¥å¿ä¸
- ä¸åç¨æ·æ´é²å æ è·è¸ª
9. åºåé¾å®å ¨ï¼Solanaï¼
é±å éªè¯
import { verify } from '@solana/web3.js'
async function verifyWalletOwnership(
publicKey: string,
signature: string,
message: string
) {
try {
const isValid = verify(
Buffer.from(message),
Buffer.from(signature, 'base64'),
Buffer.from(publicKey, 'base64')
)
return isValid
} catch (error) {
return false
}
}
交æéªè¯
async function verifyTransaction(transaction: Transaction) {
// éªè¯æ¥æ¶æ¹
if (transaction.to !== expectedRecipient) {
throw new Error('Invalid recipient')
}
// éªè¯éé¢
if (transaction.amount > maxAmount) {
throw new Error('Amount exceeds limit')
}
// éªè¯ç¨æ·ä½é¢å
足
const balance = await getBalance(transaction.from)
if (balance < transaction.amount) {
throw new Error('Insufficient balance')
}
return true
}
éªè¯æ¥éª¤
- é±å ç¾åå·²éªè¯
- 交æ详æ å·²éªè¯
- 交æåè¿è¡ä½é¢æ£æ¥
- 没æç²ç®ç¾å交æ
10. ä¾èµå®å ¨
å®ææ´æ°
# æ£æ¥æ¼æ´
npm audit
# èªå¨ä¿®å¤å¯ä¿®å¤çé®é¢
npm audit fix
# æ´æ°ä¾èµ
npm update
# æ£æ¥è¿æ¶çå
npm outdated
éå®æ件
# å§ç»æ交éå®æ件
git add package-lock.json
# å¨ CI/CD ä¸ä½¿ç¨ä»¥è·å¾å¯éç°çæ建
npm ci # èä¸æ¯ npm install
éªè¯æ¥éª¤
- ä¾èµæ¯ææ°ç
- 没æå·²ç¥æ¼æ´ï¼npm audit å¹²åï¼
- éå®æ件已æ交
- GitHub ä¸å¯ç¨äº Dependabot
- å®æå®å ¨æ´æ°
å®å ¨æµè¯
èªå¨åå®å ¨æµè¯
// æµè¯è®¤è¯
test('requires authentication', async () => {
const response = await fetch('/api/protected')
expect(response.status).toBe(401)
})
// æµè¯ææ
test('requires admin role', async () => {
const response = await fetch('/api/admin', {
headers: { Authorization: `Bearer ${userToken}` }
})
expect(response.status).toBe(403)
})
// æµè¯è¾å
¥éªè¯
test('rejects invalid input', async () => {
const response = await fetch('/api/users', {
method: 'POST',
body: JSON.stringify({ email: 'not-an-email' })
})
expect(response.status).toBe(400)
})
// æµè¯éçéå¶
test('enforces rate limits', async () => {
const requests = Array(101).fill(null).map(() =>
fetch('/api/endpoint')
)
const responses = await Promise.all(requests)
const tooManyRequests = responses.filter(r => r.status === 429)
expect(tooManyRequests.length).toBeGreaterThan(0)
})
é¨ç½²åå®å ¨æ£æ¥æ¸ å
ä»»ä½ç产é¨ç½²åï¼
- å¯é¥ï¼æ²¡æ硬ç¼ç çå¯é¥ï¼é½å¨ç¯å¢åéä¸
- è¾å ¥éªè¯ï¼ææç¨æ·è¾å ¥é½å·²éªè¯
- SQL æ³¨å ¥ï¼æææ¥è¯¢é½å·²åæ°å
- XSSï¼ç¨æ·å å®¹å·²æ¸ ç
- CSRFï¼é²æ¤å·²å¯ç¨
- 认è¯ï¼æ£ç¡®ç令çå¤ç
- ææï¼è§è²æ£æ¥å·²å°ä½
- éçéå¶ï¼ææ端ç¹é½å·²å¯ç¨
- HTTPSï¼ç产ç¯å¢å¼ºå¶å¯ç¨
- å®å ¨å¤´é¨ï¼CSPãX-Frame-Options å·²é ç½®
- é误å¤çï¼é误ä¸æ²¡ææææ°æ®
- æ¥å¿è®°å½ï¼æ¥å¿ä¸æ²¡ææææ°æ®
- ä¾èµï¼æ¯ææ°çï¼æ²¡ææ¼æ´
- è¡çº§å®å ¨ï¼Supabase ä¸å·²å¯ç¨
- CORSï¼æ£ç¡®é ç½®
- æ件ä¸ä¼ ï¼å·²éªè¯ï¼å¤§å°ãç±»åï¼
- é±å ç¾åï¼å·²éªè¯ï¼å¦ææ¯åºåé¾é¡¹ç®ï¼
èµæº
åè®°ï¼å®å ¨ä¸æ¯å¯éçãä¸ä¸ªæ¼æ´å°±å¯è½å±åæ´ä¸ªå¹³å°ãå½æçé®æ¶ï¼å®å¯è°¨æ ã