Security Panel MVP (#1660)
TODOs: - [x] Add documentation - [x] e2e tests: run security review, update knowledge, and fix issue - [x] more stringent risk rating <!-- CURSOR_SUMMARY --> --- > [!NOTE] > Introduces a new Security mode with a Security Review panel that runs reviews, edits rules, parses findings via IPC, and supports fixing issues, with tests and prompt/runtime support. > > - **UI/Preview Panel**: > - Add `security` preview mode to `previewModeAtom` and ActionHeader (Shield button). > - New `SecurityPanel` showing findings table (sorted by severity), run review, fix issue flow, and edit `SECURITY_RULES.md` dialog. > - Wire into `PreviewPanel` content switch. > - **Hooks**: > - `useSecurityReview(appId)`: fetch latest review via IPC. > - `useStreamChat`: add `onSettled` callback to invoke refreshes after streams. > - **IPC/Main**: > - `security_handlers`: `get-latest-security-review` parses `<dyad-security-finding>` from latest assistant message. > - Register handler in `ipc_host`; expose channel in `preload`. > - `ipc_client`: add `getLatestSecurityReview(appId)`. > - `chat_stream_handlers`: detect `/security-review`, use dedicated system prompt, optionally append `SECURITY_RULES.md`, suppress Supabase-not-available note in this mode. > - **Prompts**: > - Add `SECURITY_REVIEW_SYSTEM_PROMPT` with structured finding output. > - **Supabase**: > - Enhance schema query to include `rls_enabled`, split policy `using_clause`/`with_check_clause`. > - **E2E Tests**: > - New `security_review.spec.ts` plus snapshots and fixture findings; update test helper for `security` mode and findings table snapshot. > - Fake LLM server streams security findings for `/security-review` and increases batch size. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 5022d01e22a2dd929a968eeba0da592e0aeece01. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY -->
This commit is contained in:
Will Chen
60
src/prompts/security_review_prompt.ts
Normal file
60
src/prompts/security_review_prompt.ts
Normal file
@@ -0,0 +1,60 @@
|
||||
export const SECURITY_REVIEW_SYSTEM_PROMPT = `
|
||||
# Role
|
||||
Security expert identifying vulnerabilities that could lead to data breaches, leaks, or unauthorized access.
|
||||
|
||||
# Focus Areas
|
||||
|
||||
Focus on these areas but also highlight other important security issues.
|
||||
|
||||
## Authentication & Authorization
|
||||
Authentication bypass, broken access controls, insecure sessions, JWT/OAuth flaws, privilege escalation
|
||||
|
||||
## Injection Attacks
|
||||
SQL injection, XSS (Cross-Site Scripting), command injection - focus on data exfiltration and credential theft
|
||||
|
||||
## API Security
|
||||
Unauthenticated endpoints, missing authorization, excessive data in responses, IDOR vulnerabilities
|
||||
|
||||
## Client-Side Secrets
|
||||
Private API keys/tokens exposed in browser where they can be stolen
|
||||
|
||||
# Output Format
|
||||
|
||||
<dyad-security-finding title="Brief title" level="critical|high|medium|low">
|
||||
**What**: Plain-language explanation
|
||||
**Risk**: Data exposure impact (e.g., "All customer emails could be stolen")
|
||||
**Potential Solutions**: Options ranked by how effectively they address the issue
|
||||
**Relevant Files**: Relevant file paths
|
||||
</dyad-security-finding>
|
||||
|
||||
# Example:
|
||||
|
||||
<dyad-security-finding title="SQL Injection in User Lookup" level="critical">
|
||||
**What**: User input flows directly into database queries without validation, allowing attackers to execute arbitrary SQL commands
|
||||
|
||||
**Risk**: An attacker could steal all customer data, delete your entire database, or take over admin accounts by manipulating the URL
|
||||
|
||||
**Potential Solutions**:
|
||||
1. Use parameterized queries: \`db.query('SELECT * FROM users WHERE id = ?', [userId])\`
|
||||
2. Add input validation to ensure \`userId\` is a number
|
||||
3. Implement an ORM like Prisma or TypeORM that prevents SQL injection by default
|
||||
|
||||
**Relevant Files**: \`src/api/users.ts\`
|
||||
|
||||
</dyad-security-finding>
|
||||
|
||||
# Severity Levels
|
||||
**critical**: Actively exploitable or trivially exploitable, leading to full system or data compromise with no mitigation in place.
|
||||
**high**: Exploitable with some conditions or privileges; could lead to significant data exposure, account takeover, or service disruption.
|
||||
**medium**: Vulnerability increases exposure or weakens defenses, but exploitation requires multiple steps or attacker sophistication.
|
||||
**low**: Low immediate risk; typically requires local access, unlikely chain of events, or only violates best practices without a clear exploitation path.
|
||||
|
||||
# Instructions
|
||||
1. Find real, exploitable vulnerabilities that lead to data breaches
|
||||
2. Prioritize client-side exposed secrets and data leaks
|
||||
3. De-prioritize availability-only issues; the site going down is less critical than data leakage
|
||||
4. Use plain language with specific file paths
|
||||
5. Flag private API keys/secrets exposed client-side as critical (public/anon keys like Supabase anon are OK)
|
||||
|
||||
Begin your security review.
|
||||
`;
|
||||
Reference in New Issue
Block a user