fix: harden unicode safety checks

2026-04-15 14:33:33 +08:00 · 2026-03-29 08:59:06 -04:00
parent dd675d4258
commit 866d9ebb53
239 changed files with 3780 additions and 3962 deletions
--- a/docs/zh-CN/skills/security-review/SKILL.md
+++ b/docs/zh-CN/skills/security-review/SKILL.md
@@ -22,14 +22,14 @@ origin: ECC

 ### 1. 密钥管理

-#### ❌ 绝对不要这样做
+#### FAIL: 绝对不要这样做

 ```typescript
 const apiKey = "sk-proj-xxxxx"  // Hardcoded secret
 const dbPassword = "password123" // In source code
 ```

-#### ✅ 始终这样做
+#### PASS: 始终这样做

 ```typescript
 const apiKey = process.env.OPENAI_API_KEY
@@ -114,7 +114,7 @@ function validateFileUpload(file: File) {

 ### 3. SQL 注入防护

-#### ❌ 绝对不要拼接 SQL
+#### FAIL: 绝对不要拼接 SQL

 ```typescript
 // DANGEROUS - SQL Injection vulnerability
@@ -122,7 +122,7 @@ const query = `SELECT * FROM users WHERE email = '${userEmail}'`
 await db.query(query)
 ```

-#### ✅ 始终使用参数化查询
+#### PASS: 始终使用参数化查询

 ```typescript
 // Safe - parameterized query
@@ -150,10 +150,10 @@ await db.query(
 #### JWT 令牌处理

 ```typescript
-// ❌ WRONG: localStorage (vulnerable to XSS)
+// FAIL: WRONG: localStorage (vulnerable to XSS)
 localStorage.setItem('token', token)

-// ✅ CORRECT: httpOnly cookies
+// PASS: CORRECT: httpOnly cookies
 res.setHeader('Set-Cookie',
  `token=${token}; HttpOnly; Secure; SameSite=Strict; Max-Age=3600`)
 ```
@@ -323,11 +323,11 @@ app.use('/api/search', searchLimiter)
 #### 日志记录

 ```typescript
-// ❌ WRONG: Logging sensitive data
+// FAIL: WRONG: Logging sensitive data
 console.log('User login:', { email, password })
 console.log('Payment:', { cardNumber, cvv })

-// ✅ CORRECT: Redact sensitive data
+// PASS: CORRECT: Redact sensitive data
 console.log('User login:', { email, userId })
 console.log('Payment:', { last4: card.last4, userId })
 ```
@@ -335,7 +335,7 @@ console.log('Payment:', { last4: card.last4, userId })
 #### 错误消息

 ```typescript
-// ❌ WRONG: Exposing internal details
+// FAIL: WRONG: Exposing internal details
 catch (error) {
  return NextResponse.json(
    { error: error.message, stack: error.stack },
@@ -343,7 +343,7 @@ catch (error) {
  )
 }

-// ✅ CORRECT: Generic error messages
+// PASS: CORRECT: Generic error messages
 catch (error) {
  console.error('Internal error:', error)
  return NextResponse.json(
--- a/docs/zh-CN/skills/security-review/cloud-infrastructure-security.md
+++ b/docs/zh-CN/skills/security-review/cloud-infrastructure-security.md
@@ -24,7 +24,7 @@
 #### 最小权限原则

 ```yaml
-# ✅ CORRECT: Minimal permissions
+# PASS: CORRECT: Minimal permissions
 iam_role:
  permissions:
    - s3:GetObject  # Only read access
@@ -32,7 +32,7 @@ iam_role:
  resources:
    - arn:aws:s3:::my-bucket/*  # Specific bucket only

-# ❌ WRONG: Overly broad permissions
+# FAIL: WRONG: Overly broad permissions
 iam_role:
  permissions:
    - s3:*  # All S3 actions
@@ -65,14 +65,14 @@ aws iam enable-mfa-device \
 #### 云密钥管理器

 ```typescript
-// ✅ CORRECT: Use cloud secrets manager
+// PASS: CORRECT: Use cloud secrets manager
 import { SecretsManager } from '@aws-sdk/client-secrets-manager';

 const client = new SecretsManager({ region: 'us-east-1' });
 const secret = await client.getSecretValue({ SecretId: 'prod/api-key' });
 const apiKey = JSON.parse(secret.SecretString).key;

-// ❌ WRONG: Hardcoded or in environment variables only
+// FAIL: WRONG: Hardcoded or in environment variables only
 const apiKey = process.env.API_KEY; // Not rotated, not audited
 ```

@@ -99,17 +99,17 @@ aws secretsmanager rotate-secret \
 #### VPC 和防火墙配置

 ```terraform
-# ✅ CORRECT: Restricted security group
+# PASS: CORRECT: Restricted security group
 resource "aws_security_group" "app" {
  name = "app-sg"
-  
+
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/16"]  # Internal VPC only
  }
-  
+
  egress {
    from_port   = 443
    to_port     = 443
@@ -118,7 +118,7 @@ resource "aws_security_group" "app" {
  }
 }

-# ❌ WRONG: Open to the internet
+# FAIL: WRONG: Open to the internet
 resource "aws_security_group" "bad" {
  ingress {
    from_port   = 0
@@ -142,7 +142,7 @@ resource "aws_security_group" "bad" {
 #### CloudWatch/日志记录配置

 ```typescript
-// ✅ CORRECT: Comprehensive logging
+// PASS: CORRECT: Comprehensive logging
 import { CloudWatchLogsClient, CreateLogStreamCommand } from '@aws-sdk/client-cloudwatch-logs';

 const logSecurityEvent = async (event: SecurityEvent) => {
@@ -177,7 +177,7 @@ const logSecurityEvent = async (event: SecurityEvent) => {
 #### 安全流水线配置

 ```yaml
-# ✅ CORRECT: Secure GitHub Actions workflow
+# PASS: CORRECT: Secure GitHub Actions workflow
 name: Deploy

 on:
@@ -189,18 +189,18 @@ jobs:
    runs-on: ubuntu-latest
    permissions:
      contents: read  # Minimal permissions
-      
+
    steps:
      - uses: actions/checkout@v4
-      
+
      # Scan for secrets
      - name: Secret scanning
        uses: trufflesecurity/trufflehog@main
-        
+
      # Dependency audit
      - name: Audit dependencies
        run: npm audit --audit-level=high
-        
+
      # Use OIDC, not long-lived tokens
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
@@ -237,18 +237,18 @@ jobs:
 #### Cloudflare 安全配置

 ```typescript
-// ✅ CORRECT: Cloudflare Workers with security headers
+// PASS: CORRECT: Cloudflare Workers with security headers
 export default {
  async fetch(request: Request): Promise<Response> {
    const response = await fetch(request);
-    
+
    // Add security headers
    const headers = new Headers(response.headers);
    headers.set('X-Frame-Options', 'DENY');
    headers.set('X-Content-Type-Options', 'nosniff');
    headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
    headers.set('Permissions-Policy', 'geolocation=(), microphone=()');
-    
+
    return new Response(response.body, {
      status: response.status,
      headers
@@ -281,17 +281,17 @@ export default {
 #### 自动化备份

 ```terraform
-# ✅ CORRECT: Automated RDS backups
+# PASS: CORRECT: Automated RDS backups
 resource "aws_db_instance" "main" {
  allocated_storage     = 20
  engine               = "postgres"
-  
+
  backup_retention_period = 30  # 30 days retention
  backup_window          = "03:00-04:00"
  maintenance_window     = "mon:04:00-mon:05:00"
-  
+
  enabled_cloudwatch_logs_exports = ["postgresql"]
-  
+
  deletion_protection = true  # Prevent accidental deletion
 }
 ```
@@ -327,10 +327,10 @@ resource "aws_db_instance" "main" {
 ### S3 存储桶暴露

 ```bash
-# ❌ WRONG: Public bucket
+# FAIL: WRONG: Public bucket
 aws s3api put-bucket-acl --bucket my-bucket --acl public-read

-# ✅ CORRECT: Private bucket with specific access
+# PASS: CORRECT: Private bucket with specific access
 aws s3api put-bucket-acl --bucket my-bucket --acl private
 aws s3api put-bucket-policy --bucket my-bucket --policy file://policy.json
 ```
@@ -338,12 +338,12 @@ aws s3api put-bucket-policy --bucket my-bucket --policy file://policy.json
 ### RDS 公开访问

 ```terraform
-# ❌ WRONG
+# FAIL: WRONG
 resource "aws_db_instance" "bad" {
  publicly_accessible = true  # NEVER do this!
 }

-# ✅ CORRECT
+# PASS: CORRECT
 resource "aws_db_instance" "good" {
  publicly_accessible = false
  vpc_security_group_ids = [aws_security_group.db.id]