AgentSkillsCN

security

Security patterns, OWASP checks, and vulnerability prevention. Load this skill when reviewing security, handling authentication, or checking for potential vulnerabilities.

SKILL.md
---
name: security
description: Security patterns, OWASP checks, and vulnerability prevention. Load when reviewing security, handling auth, or checking for vulnerabilities.
---

Security

OWASP Top 10 Checklist

| Vulnerability | Check |
|---|---|
| Injection | Parameterized queries, input sanitization |
| Broken Auth | JWT validation, session management |
| Sensitive Data | Encryption, secure transmission |
| XXE | Disable external entities in XML parsers |
| Broken Access | Role-based access control |
| Misconfig | Security headers, default credentials |
| XSS | Output encoding, CSP headers |
| Insecure Deserialization | Validate serialized data |
| Vulnerable Components | Dependency scanning |
| Insufficient Logging | Audit logging, monitoring |

Auth Patterns

```python
# Pattern 1: JWT validation
import os
import jwt  # PyJWT
from fastapi import HTTPException

SECRET_KEY = os.environ["JWT_SECRET"]  # never hardcode the key; see Gotchas

def verify_token(token: str) -> dict:
    try:
        # Pin the algorithm list: the token header must never choose it.
        # PyJWT checks the signature and the `exp` claim here; `require`
        # rejects tokens that omit `exp` instead of treating them as eternal.
        return jwt.decode(
            token,
            SECRET_KEY,
            algorithms=["HS256"],
            options={"require": ["exp"]},
        )
    except jwt.ExpiredSignatureError:
        raise HTTPException(401, "Token expired")
    except jwt.InvalidTokenError:
        raise HTTPException(401, "Invalid token")

# Pattern 2: Password hashing
from passlib.context import CryptContext

# bcrypt with passlib's defaults; deprecated="auto" flags hashes made with any
# non-default scheme so needs_update() can trigger a rehash at next login
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")

def hash_password(password: str) -> str:
    return pwd_context.hash(password)

def verify_password(plain: str, hashed: str) -> bool:
    return pwd_context.verify(plain, hashed)
```
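To make explicit what the `jwt.decode(..., algorithms=["HS256"])` call above is enforcing, here is an added example (not code from this SKILL.md) that verifies an HS256 token with only the standard library and is exercised against the failure modes a reviewer expects a verifier to reject: wrong key, expired, tampered payload, `alg: none`, and missing `exp`. `DEMO_KEY`, `mint_token`, `verify_hs256`, `token_is_valid` and `demo` are constructed names; the demo key is a placeholder.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; a real service loads it from the environment.
DEMO_KEY = b"demo-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _sign(header_b64: str, payload_b64: str, key: bytes) -> str:
    signature = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(signature)}"


def mint_token(claims: dict, key: bytes = DEMO_KEY, ttl_seconds: int = 3600) -> str:
    """Demo issuer: an HS256 token whose exp lies ttl_seconds ahead."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({**claims, "exp": int(time.time()) + ttl_seconds}).encode())
    return _sign(header, payload, key)


def verify_hs256(token: str, key: bytes = DEMO_KEY, now: Optional[float] = None) -> dict:
    """Return the claims if the token is HS256-signed with key and unexpired; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts

    # 1. Pin the algorithm. The header is attacker-controlled, so it must never
    #    select the verification method; this is what rejects "alg": "none".
    header = json.loads(_b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unsupported algorithm")

    # 2. Check the signature before trusting anything in the payload, with a
    #    constant-time comparison so timing does not leak how many bytes matched.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        raise ValueError("invalid signature")

    # 3. Only now read the claims. A missing exp is an error, not "never expires".
    payload = json.loads(_b64url_decode(payload_b64))
    if not isinstance(payload, dict):
        raise ValueError("malformed claims")
    exp = payload.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise ValueError("missing exp claim")
    if (time.time() if now is None else now) >= exp:
        raise ValueError("token expired")
    return payload


def token_is_valid(token: str, key: bytes = DEMO_KEY, now: Optional[float] = None) -> bool:
    """Boolean wrapper: json, base64 and our own checks all raise ValueError subclasses."""
    try:
        verify_hs256(token, key, now)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Run the verifier against the inputs it must reject; only the untouched token passes."""
    good = mint_token({"sub": "alice"})
    header_b64, payload_b64, signature_b64 = good.split(".")
    forged_payload = _b64url_encode(json.dumps({"sub": "admin", "exp": 9999999999}).encode())
    return {
        "valid": token_is_valid(good),
        "wrong_key": token_is_valid(good, key=b"some-other-key"),
        "expired": token_is_valid(mint_token({"sub": "alice"}, ttl_seconds=-10)),
        "tampered_payload": token_is_valid(f"{header_b64}.{forged_payload}.{signature_b64}"),
        "alg_none": token_is_valid(_b64url_encode(b'{"alg":"none"}') + f".{payload_b64}."),
        "no_exp": token_is_valid(_sign(header_b64, _b64url_encode(b'{"sub":"alice"}'), DEMO_KEY)),
    }
```

The ordering matters: the algorithm is pinned before the signature is checked, and the signature is checked before any claim is read, so no attacker-controlled byte influences the verifier until it has been authenticated. PyJWT does the same internally; the stdlib version exists so a reviewer can see each step.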

Input Validation

```python
# Pattern 3: Input sanitization
import re
from pydantic import BaseModel, validator

class UserInput(BaseModel):
    email: str

    # Reject anything that does not look like an address, then normalise case
    @validator('email')
    def validate_email(cls, v):
        if not re.match(r'^[\w\.-]+@[\w\.-]+\.\w+$', v):
            raise ValueError('Invalid email format')
        return v.lower()

# Pattern 4: SQL injection prevention
from sqlalchemy import select
from sqlalchemy.ext.asyncio import AsyncSession
# User is the app's SQLAlchemy ORM model, defined elsewhere

# NEVER do this: user_id is spliced into the SQL text and can rewrite the query
# query = f"SELECT * FROM users WHERE id = {user_id}"

# ALWAYS do this: the value travels as a bound parameter and is only ever data
async def get_user(db: AsyncSession, user_id: int):
    result = await db.execute(
        select(User).where(User.id == user_id)
    )
    return result.scalar_one_or_none()
```
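The two lines marked NEVER and ALWAYS above differ in what the database receives. This added example (not code from the SKILL.md; `_demo_db`, `get_user_vulnerable`, `get_user_safe` and `get_user_validated` are constructed names) runs both shapes against a constructed in-memory SQLite table so the difference is observable: the same input returns every row through string formatting and no row through a bound parameter. It also adds the boundary validation that the Pattern 3 validator stands for, as a second independent layer.

```python
import sqlite3


def _demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the app's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(1, "alice@example.com"), (2, "bob@example.com"), (3, "carol@example.com")],
    )
    return conn


def get_user_vulnerable(conn: sqlite3.Connection, user_id) -> list:
    # The page's "NEVER do this": the value becomes part of the SQL text, so
    # whatever it contains is parsed as SQL.
    return conn.execute(f"SELECT id, email FROM users WHERE id = {user_id}").fetchall()


def get_user_safe(conn: sqlite3.Connection, user_id) -> list:
    # Bound parameter: the driver sends the value separately from the statement,
    # so it can only ever be compared against `id`, never parsed as SQL.
    return conn.execute("SELECT id, email FROM users WHERE id = ?", (user_id,)).fetchall()


def get_user_validated(conn: sqlite3.Connection, raw_id: str) -> list:
    # Validation at the boundary plus a bound parameter: two independent layers.
    # A non-numeric id is rejected before it reaches the database at all.
    if not raw_id.isdigit():
        raise ValueError("user id must be a non-negative integer")
    return get_user_safe(conn, int(raw_id))


def demo() -> dict:
    """Same input through both code paths; the row counts are the whole lesson."""
    conn = _demo_db()
    untrusted = "1 OR 1=1"  # constructed input that is not a valid id
    return {
        "vulnerable_rows": len(get_user_vulnerable(conn, untrusted)),
        "safe_rows": len(get_user_safe(conn, untrusted)),
        "validated_lookup": get_user_validated(conn, "3"),
    }
```

The ORM form on the page (`select(User).where(User.id == user_id)`) compiles to exactly the bound-parameter statement in `get_user_safe`; the vulnerable function is here only so the contrast can be observed in a test.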

Security Headers

```python
# FastAPI security headers middleware
from fastapi import FastAPI

app = FastAPI()

@app.middleware("http")
async def add_security_headers(request, call_next):
    response = await call_next(request)
    response.headers["X-Content-Type-Options"] = "nosniff"  # no MIME sniffing
    response.headers["X-Frame-Options"] = "DENY"  # no framing (clickjacking)
    response.headers["X-XSS-Protection"] = "1; mode=block"  # legacy browser filter; CSP is the real control
    response.headers["Strict-Transport-Security"] = "max-age=31536000"  # HTTPS only, one year
    return response
```
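The FastAPI decorator above works for that framework; the same policy can be enforced one layer lower so it applies to any ASGI app (FastAPI included) and can be asserted on in tests. This added example (not code from the SKILL.md) is a pure-ASGI middleware plus a checker that reports which required headers a response is missing. `SecurityHeadersMiddleware`, `_demo_app`, `response_headers` and `missing_security_headers` are constructed names; the Content-Security-Policy value is an assumed baseline for an app that serves only same-origin assets, and the other values are the page's.

```python
import asyncio

# Policy applied to every HTTP response. ASGI header names are lowercase bytes.
SECURITY_HEADERS: dict = {
    b"x-content-type-options": b"nosniff",
    b"x-frame-options": b"DENY",
    b"x-xss-protection": b"1; mode=block",
    b"strict-transport-security": b"max-age=31536000",
    b"content-security-policy": b"default-src 'self'",  # assumed baseline
}


class SecurityHeadersMiddleware:
    """Wrap any ASGI app so the policy above is present on every HTTP response."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            await self.app(scope, receive, send)
            return

        async def send_with_headers(message):
            if message["type"] == "http.response.start":
                # Drop any copies the app set itself so this policy is
                # authoritative, then append the full set.
                headers = [
                    (name, value)
                    for name, value in message.get("headers", [])
                    if name.lower() not in SECURITY_HEADERS
                ]
                headers.extend(SECURITY_HEADERS.items())
                message = {**message, "headers": headers}
            await send(message)

        await self.app(scope, receive, send_with_headers)


async def _demo_app(scope, receive, send):
    """Constructed stand-in for the real app: a 200 that sets a weak frame policy."""
    await send({
        "type": "http.response.start",
        "status": 200,
        "headers": [(b"content-type", b"text/plain"), (b"x-frame-options", b"ALLOWALL")],
    })
    await send({"type": "http.response.body", "body": b"ok"})


def response_headers(app, path: str = "/") -> dict:
    """Drive app with a minimal ASGI GET and return its response headers as str pairs."""
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    scope = {"type": "http", "method": "GET", "path": path, "headers": []}
    asyncio.run(app(scope, receive, send))
    start = next(m for m in sent if m["type"] == "http.response.start")
    return {name.decode(): value.decode() for name, value in start["headers"]}


def missing_security_headers(headers: dict) -> list:
    """Names from SECURITY_HEADERS that headers lacks or sets to a different value."""
    return [
        name.decode()
        for name, value in SECURITY_HEADERS.items()
        if headers.get(name.decode()) != value.decode()
    ]
```

`missing_security_headers` is the check worth keeping in the test suite: run it against a real response from the deployed stack, not just the middleware, since a reverse proxy or CDN in front of the app can strip or override what the app sends.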

Gotchas

| Category | Pattern | Solution |
|---|---|---|
| Secrets | Hardcoded in code | Use environment variables |
| Auth | Token in URL | Use headers or cookies |
| CORS | Wildcard origin | Specify allowed origins |
| Logging | Sensitive data logged | Redact PII from logs |
| Deps | Outdated packages | Regular dependency updates |
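For the Logging row, "redact PII from logs" is most reliable when it happens in the logging pipeline rather than at every call site. This added example (not code from the SKILL.md) installs a `logging.Filter` that scrubs e-mail addresses, bearer tokens and card-like digit runs from each record before any handler emits it. `redact`, `RedactingFilter`, `build_logger` and `log_and_capture` are constructed names, and the three patterns are a constructed starting set, not a complete PII catalogue.

```python
import io
import logging
import re

# Constructed patterns for the most common leaks; extend for your own data types.
_REDACTIONS = [
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "<email>"),
    (re.compile(r"(?i)\b(bearer\s+)[A-Za-z0-9\-._~+/]+=*"), r"\1<token>"),
    (re.compile(r"\b\d(?:[ -]?\d){12,15}\b"), "<card>"),  # 13-16 digits, optional separators
]


def redact(text: str) -> str:
    """Apply every redaction pattern in order and return the scrubbed text."""
    for pattern, replacement in _REDACTIONS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrites each record's fully formatted message before any handler sees it,
    so redaction runs once regardless of how many handlers are attached."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so values passed as args are scrubbed too, then clear
        # args so handlers do not re-apply %-formatting to the scrubbed text.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True  # never drop the record, only scrub it


def build_logger(name: str = "app"):
    """Logger wired to an in-memory stream (constructed for the demo) with the filter on the logger."""
    stream = io.StringIO()
    logger = logging.Logger(name)  # standalone instance; avoids global logger state
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    return logger, stream


def log_and_capture(message: str, *args) -> str:
    """Log one record through the redacting logger and return what reached the handler."""
    logger, stream = build_logger()
    logger.info(message, *args)
    return stream.getvalue().strip()
```

Attaching the filter to the logger rather than to a handler means a handler added later (a file handler, a shipping agent) cannot bypass it; attaching it to the root logger covers third-party libraries that log request details as well.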

Commands

| Task | Command |
|---|---|
| Check deps | pip-audit or npm audit |
| Scan secrets | trufflehog or gitleaks |
| SAST | bandit (Python) or eslint-plugin-security |