TODOs:
- [x] Add documentation
- [x] e2e tests: run security review, update knowledge, and fix issue
- [x] more stringent risk rating

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Introduces a new Security mode with a Security Review panel that runs reviews, edits rules, parses findings via IPC, and supports fixing issues, with tests and prompt/runtime support.
>
> - **UI/Preview Panel**:
>   - Add `security` preview mode to `previewModeAtom` and ActionHeader (Shield button).
>   - New `SecurityPanel` showing findings table (sorted by severity), run review, fix issue flow, and edit `SECURITY_RULES.md` dialog.
>   - Wire into `PreviewPanel` content switch.
> - **Hooks**:
>   - `useSecurityReview(appId)`: fetch latest review via IPC.
>   - `useStreamChat`: add `onSettled` callback to invoke refreshes after streams.
> - **IPC/Main**:
>   - `security_handlers`: `get-latest-security-review` parses `<dyad-security-finding>` from latest assistant message.
>   - Register handler in `ipc_host`; expose channel in `preload`.
>   - `ipc_client`: add `getLatestSecurityReview(appId)`.
>   - `chat_stream_handlers`: detect `/security-review`, use dedicated system prompt, optionally append `SECURITY_RULES.md`, suppress Supabase-not-available note in this mode.
> - **Prompts**:
>   - Add `SECURITY_REVIEW_SYSTEM_PROMPT` with structured finding output.
> - **Supabase**:
>   - Enhance schema query to include `rls_enabled`, split policy `using_clause`/`with_check_clause`.
> - **E2E Tests**:
>   - New `security_review.spec.ts` plus snapshots and fixture findings; update test helper for `security` mode and findings table snapshot.
>   - Fake LLM server streams security findings for `/security-review` and increases batch size.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 5022d01e22a2dd929a968eeba0da592e0aeece01. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
130 lines
8.6 KiB
YAML
- table:
  - rowgroup:
    - row "Level Issue Action":
      - cell "Level"
      - cell "Issue"
      - cell "Action"
  - rowgroup:
    - 'row "critical SQL Injection in User Lookup What: User input flows directly into database queries without validation, allowing attackers to execute arbitrary SQL commands Risk: An attac... Show more Fix Issue"':
      - cell "critical":
        - img
      - 'cell "SQL Injection in User Lookup What: User input flows directly into database queries without validation, allowing attackers to execute arbitrary SQL commands Risk: An attac... Show more"':
        - 'button "SQL Injection in User Lookup What: User input flows directly into database queries without validation, allowing attackers to execute arbitrary SQL commands Risk: An attac... Show more"':
          - paragraph:
            - strong: What
            - text: ": User input flows directly into database queries without validation, allowing attackers to execute arbitrary SQL commands"
          - paragraph:
            - strong: Risk
            - text: ": An attac..."
          - button "Show more":
            - img
      - cell "Fix Issue":
        - button "Fix Issue"
    - 'row "critical Hardcoded AWS Credentials in Source Code What: AWS access keys are stored directly in the codebase and committed to version control, exposing full cloud infrastructure access Risk: A... Show more Fix Issue"':
      - cell "critical":
        - img
      - 'cell "Hardcoded AWS Credentials in Source Code What: AWS access keys are stored directly in the codebase and committed to version control, exposing full cloud infrastructure access Risk: A... Show more"':
        - 'button "Hardcoded AWS Credentials in Source Code What: AWS access keys are stored directly in the codebase and committed to version control, exposing full cloud infrastructure access Risk: A... Show more"':
          - paragraph:
            - strong: What
            - text: ": AWS access keys are stored directly in the codebase and committed to version control, exposing full cloud infrastructure access"
          - paragraph:
            - strong: Risk
            - text: ": A..."
          - button "Show more":
            - img
      - cell "Fix Issue":
        - button "Fix Issue"
    - 'row "high Missing Authentication on Admin Endpoints What: Administrative API endpoints can be accessed without authentication, relying only on URL obscurity Risk: An attacker who discovers thes... Show more Fix Issue"':
      - cell "high":
        - img
      - 'cell "Missing Authentication on Admin Endpoints What: Administrative API endpoints can be accessed without authentication, relying only on URL obscurity Risk: An attacker who discovers thes... Show more"':
        - 'button "Missing Authentication on Admin Endpoints What: Administrative API endpoints can be accessed without authentication, relying only on URL obscurity Risk: An attacker who discovers thes... Show more"':
          - paragraph:
            - strong: What
            - text: ": Administrative API endpoints can be accessed without authentication, relying only on URL obscurity"
          - paragraph:
            - strong: Risk
            - text: ": An attacker who discovers thes..."
          - button "Show more":
            - img
      - cell "Fix Issue":
        - button "Fix Issue"
    - 'row "high JWT Secret Using Default Value What: The application uses a hardcoded default JWT secret (\"your-secret-key\") for signing authentication tokens Risk: Attackers can forge val... Show more Fix Issue"':
      - cell "high":
        - img
      - 'cell "JWT Secret Using Default Value What: The application uses a hardcoded default JWT secret (\"your-secret-key\") for signing authentication tokens Risk: Attackers can forge val... Show more"':
        - 'button "JWT Secret Using Default Value What: The application uses a hardcoded default JWT secret (\"your-secret-key\") for signing authentication tokens Risk: Attackers can forge val... Show more"':
          - paragraph:
            - strong: What
            - text: ": The application uses a hardcoded default JWT secret (\"your-secret-key\") for signing authentication tokens"
          - paragraph:
            - strong: Risk
            - text: ": Attackers can forge val..."
          - button "Show more":
            - img
      - cell "Fix Issue":
        - button "Fix Issue"
    - 'row "medium Unvalidated File Upload Extensions What: The file upload endpoint accepts any file type without validating extensions or content, only checking file size Risk: An attacker coul... Show more Fix Issue"':
      - cell "medium":
        - img
      - 'cell "Unvalidated File Upload Extensions What: The file upload endpoint accepts any file type without validating extensions or content, only checking file size Risk: An attacker coul... Show more"':
        - 'button "Unvalidated File Upload Extensions What: The file upload endpoint accepts any file type without validating extensions or content, only checking file size Risk: An attacker coul... Show more"':
          - paragraph:
            - strong: What
            - text: ": The file upload endpoint accepts any file type without validating extensions or content, only checking file size"
          - paragraph:
            - strong: Risk
            - text: ": An attacker coul..."
          - button "Show more":
            - img
      - cell "Fix Issue":
        - button "Fix Issue"
    - 'row "medium Missing CSRF Protection on State-Changing Operations What: POST, PUT, and DELETE endpoints don''t implement CSRF tokens, making them vulnerable to cross-site request forgery attacks Risk: An atta... Show more Fix Issue"':
      - cell "medium":
        - img
      - 'cell "Missing CSRF Protection on State-Changing Operations What: POST, PUT, and DELETE endpoints don''t implement CSRF tokens, making them vulnerable to cross-site request forgery attacks Risk: An atta... Show more"':
        - 'button "Missing CSRF Protection on State-Changing Operations What: POST, PUT, and DELETE endpoints don''t implement CSRF tokens, making them vulnerable to cross-site request forgery attacks Risk: An atta... Show more"':
          - paragraph:
            - strong: What
            - text: ": POST, PUT, and DELETE endpoints don't implement CSRF tokens, making them vulnerable to cross-site request forgery attacks"
          - paragraph:
            - strong: Risk
            - text: ": An atta..."
          - button "Show more":
            - img
      - cell "Fix Issue":
        - button "Fix Issue"
    - 'row "low Verbose Error Messages Expose Stack Traces What: Production error responses include full stack traces and internal file paths that are sent to end users Risk: Attackers can use this in... Show more Fix Issue"':
      - cell "low":
        - img
      - 'cell "Verbose Error Messages Expose Stack Traces What: Production error responses include full stack traces and internal file paths that are sent to end users Risk: Attackers can use this in... Show more"':
        - 'button "Verbose Error Messages Expose Stack Traces What: Production error responses include full stack traces and internal file paths that are sent to end users Risk: Attackers can use this in... Show more"':
          - paragraph:
            - strong: What
            - text: ": Production error responses include full stack traces and internal file paths that are sent to end users"
          - paragraph:
            - strong: Risk
            - text: ": Attackers can use this in..."
          - button "Show more":
            - img
      - cell "Fix Issue":
        - button "Fix Issue"
    - 'row "low Missing Security Headers What: The application doesn''t set recommended security headers like `X-Frame-Options`, `X-Content-Type-Options`, and `Strict-Transport-Security` ... Show more Fix Issue"':
      - cell "low":
        - img
      - 'cell "Missing Security Headers What: The application doesn''t set recommended security headers like `X-Frame-Options`, `X-Content-Type-Options`, and `Strict-Transport-Security` ... Show more"':
        - 'button "Missing Security Headers What: The application doesn''t set recommended security headers like `X-Frame-Options`, `X-Content-Type-Options`, and `Strict-Transport-Security` ... Show more"':
          - paragraph:
            - strong: What
            - text: ": The application doesn't set recommended security headers like"
            - code: "`X-Frame-Options`"
            - text: ","
            - code: "`X-Content-Type-Options`"
            - text: ", and"
            - code: "`Strict-Transport-Security`"
          - paragraph: ...
          - button "Show more":
            - img
      - cell "Fix Issue":
        - button "Fix Issue"