Security Review
Quick start (checklist)
- Identify trust boundaries: external input (HTTP), internal services, DB/cache/broker.
- Validate and constrain inputs: types, lengths, formats, bounds; reject/normalize early.
- Ensure authn/authz: who can call this, and what are they allowed to do?
- Confirm safe persistence: SQL parameters (no string concatenation), correct transactions, no privilege escalation.
- Check secrets & logs: don't log credentials/PII; avoid leaking internal errors.
- Review DoS risks: unbounded loops, large payloads, expensive queries, missing timeouts.
- Review concurrency/race: shared state, cache invalidation, outbox processing.
Review workflow
- Map the change
  - What endpoints changed? Which layers (internal/http/, internal/service/, internal/repository/, internal/cache/, internal/outbox/)?
  - What new data is accepted/stored/emitted?
- Threat-model lightly
  - Attacker goal: data exfiltration, tampering, auth bypass, replay/spam, DoS.
  - Entry points: request bodies/params/headers, background consumers, message payloads.
- Layer-specific checks
  - HTTP: strict decoding, content-type, size limits, consistent error responses.
  - Service: authorization decisions live here; ensure invariants hold.
  - Repository (Postgres): parameterized queries; transactions for aggregate updates.
  - Cache (Redis): keys scoped; avoid user-controlled key injection; sane TTLs.
  - RabbitMQ/outbox: event payload contains no secrets; idempotency and replay safety.
- Output
  - Report findings grouped by severity: Critical / High / Medium / Low.
  - For each finding: risk, affected surface, concrete fix, and a quick verification step.
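As an added example (not part of this checklist or the project's own code), a Go request decoder for a hypothetical internal/http/ handler that applies the HTTP-layer checks above: content-type enforcement, a body size cap, unknown-field rejection, an exactly-one-document check, and per-field bounds. The payload type, its field names and the limits are assumptions chosen for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"io"
	"mime"
	"net/http"
)

// Bounds are constructed for this example; tune them per endpoint.
const maxBodyBytes, maxItems = 64 << 10, 100

// createOrderRequest is a hypothetical payload for a mutation endpoint.
type createOrderRequest struct {
	CustomerID string   `json:"customer_id"`
	Items      []string `json:"items"`
}

// decodeCreateOrder enforces the HTTP-layer checks: content type, body size cap,
// unknown-field rejection, exactly one JSON document, and per-field bounds.
// Every error is a fixed string, so decoder internals never reach the client.
func decodeCreateOrder(w http.ResponseWriter, r *http.Request) (createOrderRequest, error) {
	var req createOrderRequest
	mt, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
	if err != nil || mt != "application/json" {
		return req, errors.New("unsupported content type")
	}
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes) // stop reading past the cap
	dec := json.NewDecoder(r.Body)
	dec.DisallowUnknownFields() // unexpected fields are an error, not silently dropped
	if err := dec.Decode(&req); err != nil {
		return req, errors.New("malformed or oversized JSON body")
	}
	if err := dec.Decode(&struct{}{}); err != io.EOF { // a second document or trailing junk
		return req, errors.New("body must contain exactly one JSON object")
	}
	if n := len(req.CustomerID); n == 0 || n > 64 {
		return req, errors.New("customer_id must be 1-64 characters")
	}
	if n := len(req.Items); n == 0 || n > maxItems {
		return req, errors.New("items must contain 1-100 entries")
	}
	return req, nil
}
```

The handler that calls this should map any returned error to one uniform 400 response and only then proceed to the authorization decision in the service layer.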
Common pitfalls to watch
- Missing authorization checks on mutation endpoints.
- Accepting unbounded strings/arrays, leading to memory or query amplification.
- Logging raw request bodies or DB errors that include sensitive data.
- Building SQL with string concatenation.
- Cache keys derived from untrusted input without normalization.
- Publishing events containing PII or internal identifiers unnecessarily.