code-review-security

Code Review Security

When to Use

Activate this skill when:

• Reviewing pull requests for security vulnerabilities
• Auditing authentication or authorization code changes
• Reviewing code that handles user input, file uploads, or external data
• Checking for OWASP Top 10 vulnerabilities in new features
• Validating that secrets are not committed to the repository
• Scanning dependencies for known vulnerabilities
• Reviewing API endpoints that expose sensitive data

Output: Write findings to security-review.md with severity, file:line, description, and recommendations.

Do NOT use this skill for:

• Deployment infrastructure security (use docker-best-practices)
• Incident response procedures (use incident-response)
• General code quality review without security focus (use pre-merge-checklist)
• Writing implementation code (use python-backend-expert or react-frontend-expert)

Instructions

OWASP Top 10 Checklist

Review every PR against the OWASP Top 10 (2021 edition). Each category below includes specific checks for Python/FastAPI and React codebases.

---

A01: Broken Access Control

What to look for:

• Missing authorization checks on endpoints
• Direct object reference without ownership verification
• Endpoints that expose data without role-based filtering
• Missing Depends() for auth on new routes

Python/FastAPI checks:

# BAD: No authorization check -- any authenticated user can access any user
@router.get("/users/{user_id}")
async def get_user(user_id: int, db: Session = Depends(get_db)):
    return await user_repo.get(user_id)

# GOOD: Verify the requesting user owns the resource or is admin
@router.get("/users/{user_id}")
async def get_user(
    user_id: int,
    current_user: User = Depends(get_current_user),
    db: Session = Depends(get_db),
):
    if current_user.id != user_id and current_user.role != "admin":
        raise HTTPException(status_code=403, detail="Forbidden")
    return await user_repo.get(user_id)

Review checklist:

• Every route has authentication (Depends(get_current_user))
• Resource access is verified against the requesting user
• Admin-only endpoints check role == "admin"
• List endpoints filter by user ownership (unless admin)
• No IDOR (Insecure Direct Object Reference) vulnerabilities

---

A02: Cryptographic Failures

What to look for:

• Passwords stored in plaintext or with weak hashing
• Sensitive data in logs or error messages
• Hardcoded secrets, API keys, or tokens
• Weak JWT configuration

Python checks:

# BAD: Weak password hashing
import hashlib
password_hash = hashlib.md5(password.encode()).hexdigest()

# GOOD: Use bcrypt via passlib
from passlib.context import CryptContext
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
password_hash = pwd_context.hash(password)

# BAD: Secret in code
SECRET_KEY = "my-super-secret-key-123"

# GOOD: Secret from environment
SECRET_KEY = os.environ["SECRET_KEY"]

Review checklist:

• Passwords hashed with bcrypt (never MD5, SHA1, or plaintext)
• JWT secret loaded from environment, not hardcoded
• Sensitive data excluded from logs (passwords, tokens, PII)
• HTTPS enforced for all external communication
• No secrets in source code (check .env.example has placeholders only)

---

A03: Injection

What to look for:

• Raw SQL queries with string interpolation
• eval(), exec(), compile() with user input
• subprocess calls with shell=True
• Template injection

Python checks:

# BAD: SQL injection via string formatting
query = f"SELECT * FROM users WHERE email = '{email}'"
db.execute(text(query))

# GOOD: Parameterized query
db.execute(text("SELECT * FROM users WHERE email = :email"), {"email": email})

# GOOD: SQLAlchemy ORM (always parameterized)
user = db.query(User).filter(User.email == email).first()

# BAD: Command injection
subprocess.run(f"convert {filename}", shell=True)

# GOOD: Pass arguments as a list
subprocess.run(["convert", filename], shell=False)

# BAD: Code execution with user input
result = eval(user_input)

# GOOD: Never eval user input. Use ast.literal_eval for safe parsing.
result = ast.literal_eval(user_input)  # Only for literal structures

Review checklist:

• No raw SQL with string interpolation (use ORM or parameterized queries)
• No eval(), exec(), or compile() with external input
• No subprocess.run(..., shell=True) with dynamic arguments
• No pickle.loads() on untrusted data
• All user input validated by Pydantic schemas before use

---

A04: Insecure Design

What to look for:

• Missing rate limiting on authentication endpoints
• No account lockout after failed login attempts
• Missing CAPTCHA on public-facing forms
• Business logic flaws (e.g., negative amounts, self-privilege-escalation)

Review checklist:

• Rate limiting on login, registration, and password reset
• Account lockout or exponential backoff after 5+ failed attempts
• Business logic validates constraints (positive amounts, valid transitions)
• Sensitive operations require re-authentication

---

A05: Security Misconfiguration

What to look for:

• Debug mode enabled in production
• CORS configured with wildcard * origins
• Default credentials or admin accounts
• Verbose error messages exposing stack traces

Python/FastAPI checks:

# BAD: Wide-open CORS
app.add_middleware(CORSMiddleware, allow_origins=["*"])

# GOOD: Explicit allowed origins
app.add_middleware(
    CORSMiddleware,
    allow_origins=["https://app.example.com"],
    allow_methods=["GET", "POST", "PUT", "DELETE"],
    allow_headers=["Authorization", "Content-Type"],
)

# BAD: Debug mode in production
app = FastAPI(debug=True)

# GOOD: Debug only in development
app = FastAPI(debug=settings.DEBUG)  # DEBUG=False in production

Review checklist:

• CORS origins are explicit (no wildcard in production)
• Debug mode disabled in production configuration
• Error responses do not expose stack traces or internal details
• Default admin credentials are changed or removed
• Security headers set (X-Content-Type-Options, X-Frame-Options, etc.)

---

A06: Vulnerable and Outdated Components

Review checklist:

• No known CVEs in Python dependencies (pip-audit or safety check)
• No known CVEs in npm dependencies (npm audit)
• Dependencies pinned to specific versions in lock files
• No deprecated packages still in use

---

A07: Identification and Authentication Failures

What to look for:

• Weak password policies
• Session tokens that do not expire
• Missing multi-factor authentication for admin actions
• JWT tokens without expiration

Python checks:

# BAD: JWT without expiration
token = jwt.encode({"sub": user_id}, SECRET_KEY, algorithm="HS256")

# GOOD: JWT with expiration
token = jwt.encode(
    {"sub": user_id, "exp": datetime.utcnow() + timedelta(minutes=30)},
    SECRET_KEY,
    algorithm="HS256",
)

Review checklist:

• JWT tokens have expiration (exp claim)
• Refresh tokens are stored securely and can be revoked
• Password policy enforces minimum length (12+) and complexity
• Session invalidation on password change or logout
• No user enumeration via login error messages

---

A08: Software and Data Integrity Failures

Review checklist:

• CI/CD pipeline validates artifact integrity
• No unsigned or unverified packages
• Deserialization of untrusted data uses safe methods (no pickle.loads)
• Database migrations are reviewed before execution

---

A09: Security Logging and Monitoring Failures

Review checklist:

• Authentication events are logged (login, logout, failed attempts)
• Authorization failures are logged with context
• Sensitive data is NOT included in logs (passwords, tokens, PII)
• Log entries include timestamp, user ID, IP address, action
• Alerting configured for suspicious patterns (brute force, unusual access)

---

A10: Server-Side Request Forgery (SSRF)

What to look for:

• User-supplied URLs used in server-side requests
• Redirect endpoints that accept arbitrary URLs

Python checks:

# BAD: Fetch arbitrary URL from user input
url = request.query_params["url"]
response = httpx.get(url)  # SSRF: can access internal services

# GOOD: Validate URL against allowlist
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
parsed = urlparse(url)
if parsed.hostname not in ALLOWED_HOSTS:
    raise HTTPException(400, "URL not allowed")
response = httpx.get(url)

Review checklist:

• No server-side requests to user-controlled URLs without validation
• URL allowlists used for external integrations
• Internal service URLs not exposed in error messages

---

Python-Specific Security Checks

Beyond OWASP, review Python code for these patterns:

Pattern	Risk	Fix
eval(user_input)	Remote code execution	Remove or use ast.literal_eval
pickle.loads(data)	Arbitrary code execution	Use JSON or msgpack
subprocess.run(cmd, shell=True)	Command injection	Pass args as list, shell=False
yaml.load(data)	Code execution	Use yaml.safe_load(data)
os.system(cmd)	Command injection	Use subprocess.run([...])
Raw SQL strings	SQL injection	Use ORM or parameterized queries
hashlib.md5(password)	Weak hashing	Use bcrypt via passlib
jwt.decode(token, options={"verify_signature": False})	Auth bypass	Always verify signature
open(user_path)	Path traversal	Validate path, use pathlib.resolve()
tempfile.mktemp()	Race condition	Use tempfile.mkstemp()

React-Specific Security Checks

Pattern	Risk	Fix
dangerouslySetInnerHTML	XSS	Use text content or sanitize with DOMPurify
javascript: in href	XSS	Validate URLs, allow only https:
window.location = userInput	Open redirect	Validate against allowlist
Storing tokens in localStorage	Token theft via XSS	Use httpOnly cookies
Inline event handlers from data	XSS	Use React event handlers
eval() or Function()	Code execution	Remove entirely
Rendering user HTML	XSS	Use a sanitization library

React code review:

// BAD: XSS via dangerouslySetInnerHTML
<div dangerouslySetInnerHTML={{ __html: userBio }} />

// GOOD: Sanitize first, or use text content
import DOMPurify from "dompurify";
<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(userBio) }} />

// BETTER: Use text content when HTML is not needed
<p>{userBio}</p>

// BAD: javascript: URL
<a href={userLink}>Click</a>  // userLink could be "javascript:alert(1)"

// GOOD: Validate protocol
const safeHref = /^https?:\/\//.test(userLink) ? userLink : "#";
<a href={safeHref}>Click</a>

Severity Classification

Classify each finding by severity for prioritization:

Severity	Description	Examples	SLA
Critical	Exploitable remotely, no auth needed, data breach	SQL injection, RCE, auth bypass	Block merge, fix immediately
High	Exploitable with auth, privilege escalation	IDOR, broken access control, XSS (stored)	Block merge, fix before release
Medium	Requires specific conditions to exploit	CSRF, XSS (reflected), open redirect	Fix within sprint
Low	Defense-in-depth, informational	Missing headers, verbose errors	Fix when convenient
Info	Best practice recommendations	Dependency updates, code style	Track in backlog

Finding Report Format

When reporting security findings, use this format for consistency:

## Security Finding: [Title]

**Severity:** Critical | High | Medium | Low | Info
**Category:** OWASP A01-A10 or custom category
**File:** path/to/file.py:42
**CWE:** CWE-89 (if applicable)

### Description
Brief description of the vulnerability and its impact.

### Vulnerable Code
```python
# The problematic code
vulnerable_function(user_input)

Recommended Fix

# The secure alternative
safe_function(sanitize(user_input))

Impact

What an attacker could achieve by exploiting this vulnerability.

References

• Link to relevant OWASP page
• Link to relevant CWE entry

### Automated Scanning

Use `scripts/security-scan.py` to perform AST-based scanning for common vulnerability patterns in Python code. The script scans for:
- `eval()` / `exec()` / `compile()` calls
- `subprocess` with `shell=True`
- `pickle.loads()` on potentially untrusted data
- Raw SQL string construction
- `yaml.load()` without `Loader=SafeLoader`
- Hardcoded secret patterns (API keys, passwords)
- Weak hash functions (MD5, SHA1 for passwords)

Run: `python scripts/security-scan.py --path ./app --output-dir ./security-results`

**Dependency scanning (run separately):**
```bash
# Python dependencies
pip-audit --requirement requirements.txt --output json > dep-audit.json

# npm dependencies
npm audit --json > npm-audit.json

Examples

Example Review Comment (Critical)

SECURITY: SQL Injection (Critical, OWASP A03)

File: app/repositories/user_repository.py:47

query = f"SELECT * FROM users WHERE name LIKE '%{search_term}%'"

This constructs a raw SQL query with string interpolation, allowing SQL injection. An attacker could input '; DROP TABLE users; -- to destroy data.

Fix: Use SQLAlchemy ORM filtering:

users = db.query(User).filter(User.name.ilike(f"%{search_term}%")).all()

Example Review Comment (Medium)

SECURITY: Missing Rate Limiting (Medium, OWASP A04)

File: app/routes/auth.py:12

The /auth/login endpoint has no rate limiting. An attacker could perform brute-force password attacks at unlimited speed.

Fix: Add rate limiting middleware:

from slowapi import Limiter
limiter = Limiter(key_func=get_remote_address)

@router.post("/login")
@limiter.limit("5/minute")
async def login(request: Request, ...):

Output File

Write security findings to security-review.md:

# Security Review: [Feature/PR Name]

## Summary
- Critical: 0 | High: 1 | Medium: 2 | Low: 1

## Findings

### [CRITICAL] SQL Injection in user search
- **File:** app/routes/users.py:45
- **OWASP:** A03 Injection
- **Description:** Raw SQL with string interpolation
- **Recommendation:** Use SQLAlchemy ORM filtering

### [HIGH] Missing authorization check
...

## Passed Checks
- No hardcoded secrets found
- Dependencies up to date