zsp/everything-claude-code
1
0
Fork 0
mirror of https://github.com/affaan-m/everything-claude-code.git synced 2026-03-30 13:43:26 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
25c8a5de08ef15407313b9923edcd095cd8ea809
everything-claude-code/.kiro/steering/typescript-security.md
Himanshu Sharma bacc585b87 Add Kiro steering files, hooks, and scripts (#812) 
Co-authored-by: Sungmin Hong <hsungmin@amazon.com>
2026-03-22 21:55:47 -07:00

2.1 KiB
Raw Blame History

inclusion, fileMatchPattern, description
inclusion fileMatchPattern description
fileMatch *.ts,*.tsx,*.js,*.jsx TypeScript/JavaScript security best practices extending common security rules with language-specific concerns

TypeScript/JavaScript Security

This file extends the common security rule with TypeScript/JavaScript specific content.

Secret Management

// NEVER: Hardcoded secrets
const apiKey = "sk-proj-xxxxx"
const dbPassword = "mypassword123"

// ALWAYS: Environment variables
const apiKey = process.env.OPENAI_API_KEY
const dbPassword = process.env.DATABASE_PASSWORD

if (!apiKey) {
  throw new Error('OPENAI_API_KEY not configured')
}

XSS Prevention

// NEVER: Direct HTML injection
element.innerHTML = userInput

// ALWAYS: Sanitize or use textContent
import DOMPurify from 'dompurify'
element.innerHTML = DOMPurify.sanitize(userInput)
// OR
element.textContent = userInput

Prototype Pollution

// NEVER: Unsafe object merging
function merge(target: any, source: any) {
  for (const key in source) {
    target[key] = source[key]  // Dangerous!
  }
}

// ALWAYS: Validate keys
function merge(target: any, source: any) {
  for (const key in source) {
    if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
      continue
    }
    target[key] = source[key]
  }
}

SQL Injection (Node.js)

// NEVER: String concatenation
const query = `SELECT * FROM users WHERE id = ${userId}`

// ALWAYS: Parameterized queries
const query = 'SELECT * FROM users WHERE id = ?'
db.query(query, [userId])

Path Traversal

// NEVER: Direct path construction
const filePath = `./uploads/${req.params.filename}`

// ALWAYS: Validate and sanitize
import path from 'path'
const filename = path.basename(req.params.filename)
const filePath = path.join('./uploads', filename)

Dependency Security

# Regular security audits
npm audit
npm audit fix

# Use lock files
npm ci  # Instead of npm install in CI/CD

Agent Support

  • Use security-reviewer agent for comprehensive security audits
  • Invoke via /agent swap security-reviewer or use the security-review skill
Reference in New Issue View Git Blame Copy Permalink