security-review

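Review code changes for security risks in a Go products/reviews API (HTTP handlers, service/repository layers, Postgres, Redis, RabbitMQ/outbox). Use when the user asks for a security review, before merging high-risk changes, when adding endpoints or auth features, or when responding to a security concern.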

SKILL.md
---
name: security-review
description: Review code changes for security risks in this Go products/reviews API (HTTP handlers, service/repo layers, Postgres, Redis, RabbitMQ/outbox). Use when the user asks for a security review, before merging risky changes, when adding endpoints/auth, or when responding to a security concern.
---

Security Review

Quick start (checklist)

  • Identify trust boundaries: external input (HTTP), internal services, DB/cache/broker.
  • Validate and constrain inputs: types, lengths, formats, bounds; reject/normalize early.
  • Ensure authn/authz: who can call this, and what are they allowed to do?
  • Confirm safe persistence: SQL parameters (no string concatenation), correct transactions, no privilege escalation.
  • Check secrets & logs: don’t log credentials/PII; avoid leaking internal errors.
  • Review DoS risks: unbounded loops, large payloads, expensive queries, missing timeouts.
  • Review concurrency/race: shared state, cache invalidation, outbox processing.

Review workflow

  1. Map the change
    • What endpoints changed? Which layers (internal/http/, internal/service/, internal/repository/, internal/cache/, internal/outbox/)?
    • What new data is accepted/stored/emitted?
  2. Threat-model lightly
    • Attacker goal: data exfiltration, tampering, auth bypass, replay/spam, DoS.
    • Entry points: request bodies/params/headers, background consumers, message payloads.
  3. Layer-specific checks
    • HTTP: strict decoding, content-type, size limits, consistent error responses.
    • Service: authorization decisions live here; ensure invariants hold.
    • Repository (Postgres): parameterized queries; transactions for aggregate updates.
    • Cache (Redis): keys scoped; avoid user-controlled key injection; TTL sanity.
    • RabbitMQ/outbox: event payload contains no secrets; idempotency and replay safety.
  4. Output
    • Report findings grouped by severity: Critical / High / Medium / Low.
    • For each finding: risk, affected surface, concrete fix, and a quick verification step.
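
The HTTP checks from step 3 (content-type, size limits, strict decoding, consistent error responses), sketched as an added example; this is not code from the skill or from the API it reviews. The `reviewInput` type, the `/reviews` route, the 4 KiB cap and the rating/comment bounds are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// reviewInput is a hypothetical request body for a create-review endpoint.
type reviewInput struct {
	Rating  int    `json:"rating"`
	Comment string `json:"comment"`
}

// decodeReview returns an HTTP status and a fixed message, never internal error text.
func decodeReview(w http.ResponseWriter, r *http.Request) (in reviewInput, code int, msg string) {
	mt, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
	if err != nil || mt != "application/json" {
		return in, http.StatusUnsupportedMediaType, "content type must be application/json"
	}
	dec := json.NewDecoder(http.MaxBytesReader(w, r.Body, 4<<10)) // assumed 4 KiB cap
	dec.DisallowUnknownFields()                                   // unknown fields are errors
	var tooBig *http.MaxBytesError
	if err = dec.Decode(&in); errors.As(err, &tooBig) {
		return in, http.StatusRequestEntityTooLarge, "request body too large"
	} else if _, tail := dec.Token(); err != nil || tail != io.EOF { // bad JSON or trailing data
		return in, http.StatusBadRequest, "malformed request body"
	}
	if in.Rating < 1 || in.Rating > 5 || len(in.Comment) > 2000 { // assumed bounds
		return in, http.StatusUnprocessableEntity, "rating or comment out of bounds"
	}
	return in, http.StatusOK, ""
}

// status runs decodeReview over a constructed request and returns the status.
func status(contentType, body string) int {
	r := httptest.NewRequest(http.MethodPost, "/reviews", strings.NewReader(body))
	r.Header.Set("Content-Type", contentType)
	_, code, _ := decodeReview(httptest.NewRecorder(), r)
	return code
}

func main() {
	fmt.Println(status("application/json", `{"rating":5,"comment":"ok"}`)) // valid: 200
}
```

The same table of requests doubles as the "quick verification step" asked for in step 4: each rejected case should map to one fixed status and message.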

Common pitfalls to watch

  • Missing authorization checks on mutation endpoints.
  • Accepting unbounded strings/arrays leading to memory or query amplification.
  • Logging raw request bodies or DB errors that include sensitive data.
  • Building SQL with string concatenation.
  • Cache keys derived from untrusted input without normalization.
  • Publishing events containing PII or internal identifiers unnecessarily.