zsp/everything-claude-code
1
0
Fork 0
mirror of https://github.com/affaan-m/everything-claude-code.git synced 2026-04-14 22:13:41 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: harden unicode safety checks

Browse Source
This commit is contained in:
Affaan Mustafa
2026-03-29 08:59:06 -04:00
parent dd675d4258
commit 866d9ebb53
239 changed files with 3780 additions and 3962 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
skills/security-review/SKILL.md
View File

@@ -22,13 +22,13 @@ This skill ensures all code follows security best practices and identifies poten
### 1. Secrets Management
#### NEVER Do This
#### FAIL: NEVER Do This
```typescript
const apiKey = "sk-proj-xxxxx" // Hardcoded secret
const dbPassword = "password123" // In source code
```
#### ALWAYS Do This
#### PASS: ALWAYS Do This
```typescript
const apiKey = process.env.OPENAI_API_KEY
const dbUrl = process.env.DATABASE_URL
@@ -108,14 +108,14 @@ function validateFileUpload(file: File) {
### 3. SQL Injection Prevention
#### NEVER Concatenate SQL
#### FAIL: NEVER Concatenate SQL
```typescript
// DANGEROUS - SQL Injection vulnerability
const query = `SELECT * FROM users WHERE email = '${userEmail}'`
await db.query(query)
```
#### ALWAYS Use Parameterized Queries
#### PASS: ALWAYS Use Parameterized Queries
```typescript
// Safe - parameterized query
const { data } = await supabase
@@ -140,10 +140,10 @@ await db.query(
#### JWT Token Handling
```typescript
// WRONG: localStorage (vulnerable to XSS)
// FAIL: WRONG: localStorage (vulnerable to XSS)
localStorage.setItem('token', token)
// CORRECT: httpOnly cookies
// PASS: CORRECT: httpOnly cookies
res.setHeader('Set-Cookie',
`token=${token}; HttpOnly; Secure; SameSite=Strict; Max-Age=3600`)
```
@@ -300,18 +300,18 @@ app.use('/api/search', searchLimiter)
#### Logging
```typescript
// WRONG: Logging sensitive data
// FAIL: WRONG: Logging sensitive data
console.log('User login:', { email, password })
console.log('Payment:', { cardNumber, cvv })
// CORRECT: Redact sensitive data
// PASS: CORRECT: Redact sensitive data
console.log('User login:', { email, userId })
console.log('Payment:', { last4: card.last4, userId })
```
#### Error Messages
```typescript
// WRONG: Exposing internal details
// FAIL: WRONG: Exposing internal details
catch (error) {
return NextResponse.json(
{ error: error.message, stack: error.stack },
@@ -319,7 +319,7 @@ catch (error) {
)
}
// CORRECT: Generic error messages
// PASS: CORRECT: Generic error messages
catch (error) {
console.error('Internal error:', error)
return NextResponse.json(