nrslib b7c2a4db08 takt: # Task instruction: extracting domain knowledge into knowledge files and assigning it
## Overview
Extract the frontend, backend and other domain knowledge embedded in the existing stances/instructions into knowledge files, and assign them to the sources they were extracted from.

---

## Tasks

### 1. Extract domain knowledge (priority: high)

Review the existing stance and instruction files and identify and extract the following domain knowledge:
- **Frontend knowledge** (React, CSS, UI/UX, etc.)
- **Backend knowledge** (API design, DB, server-side, etc.)
- **Other domain knowledge** (whatever is found)

Create the extracted knowledge as knowledge files.

### 2. Assign to the extraction source (priority: high)

Configure the extracted knowledge to be assigned to the stances/instructions that originally used it.
- Extraction source = assignment target

---

## Verification
- After extraction, the domain knowledge is separated from the original stance/instruction
- The knowledge is correctly assigned to the extraction source
2026-02-07 13:01:15 +09:00


# Security Knowledge

## AI-Generated Code Security Issues

AI-generated code has unique vulnerability patterns.

| Pattern | Risk | Example |
|---|---|---|
| Plausible but dangerous defaults | High | `cors: { origin: '*' }` looks fine but is dangerous |
| Outdated security practices | Medium | Using deprecated encryption, old auth patterns |
| Incomplete validation | High | Validates format but not business rules |
| Over-trusting inputs | Critical | Assumes internal APIs are always safe |
| Copy-paste vulnerabilities | High | Same dangerous pattern repeated in multiple files |

Require extra scrutiny:

- Auth/authorization logic (AI tends to miss edge cases)
- Input validation (AI may check syntax but miss semantics)
- Error messages (AI may expose internal details)
- Config files (AI may use dangerous defaults from training data)

## Injection Attacks

### SQL Injection

- SQL construction via string concatenation → REJECT
- Not using parameterized queries → REJECT
- Unsanitized input in ORM raw queries → REJECT

```js
// NG
db.query(`SELECT * FROM users WHERE id = ${userId}`)

// OK
db.query('SELECT * FROM users WHERE id = ?', [userId])
```

### Command Injection

- Unvalidated input in `exec()`, `spawn()` → REJECT
- Insufficient escaping in shell command construction → REJECT

```js
// NG
exec(`ls ${userInput}`)

// OK - no shell is involved, the argument is passed as-is
execFile('ls', [sanitizedInput])
```

### XSS (Cross-Site Scripting)

- Unescaped output to HTML/JS → REJECT
- Improper use of `innerHTML`, `dangerouslySetInnerHTML` → REJECT
- Direct embedding of URL parameters → REJECT

## Authentication & Authorization

### Authentication issues

- Hardcoded credentials → Immediate REJECT
- Plaintext password storage → Immediate REJECT
- Weak hash algorithms (MD5, SHA1) → REJECT
- Improper session token management → REJECT

### Authorization issues

- Missing permission checks → REJECT
- IDOR (Insecure Direct Object Reference) → REJECT
- Privilege escalation possibility → REJECT
```js
// NG - No permission check: any authenticated user can read any user record
app.get('/user/:id', async (req, res) => {
  return res.json(await db.getUser(req.params.id))
})

// OK
app.get('/user/:id', authorize('read:user'), async (req, res) => {
  // Compare as strings: req.params.id is always a string, req.user.id may be a number
  if (String(req.user.id) !== req.params.id && !req.user.isAdmin) {
    return res.status(403).send('Forbidden')
  }
  return res.json(await db.getUser(req.params.id))
})
```

## Data Protection

### Sensitive information exposure

- Hardcoded API keys, secrets → Immediate REJECT
- Sensitive info in logs → REJECT
- Internal info exposure in error messages → REJECT
- Committed `.env` files → REJECT

### Data validation

- Unvalidated input values → REJECT
- Missing type checks → REJECT
- No size limits set → REJECT

## Cryptography

- Use of weak crypto algorithms → REJECT
- Fixed IV/nonce usage → REJECT
- Hardcoded encryption keys → Immediate REJECT
- No HTTPS (production) → REJECT

## File Operations

### Path Traversal

- File paths containing user input → REJECT
- Insufficient `../` sanitization → REJECT
```js
// NG
const filePath = path.join(baseDir, userInput) // '../../etc/passwd' escapes baseDir
fs.readFile(filePath, callback)

// OK
const base = path.resolve(baseDir)
const safePath = path.resolve(base, userInput)
// Compare against base + separator: a plain startsWith(base) would also
// accept a sibling directory such as baseDir + '2'
if (!safePath.startsWith(base + path.sep)) {
  throw new Error('Invalid path')
}
fs.readFile(safePath, callback)
```

### File Upload

- No file type validation → REJECT
- No file size limits → REJECT
- Allowing executable file uploads → REJECT

## Dependencies

- Packages with known vulnerabilities → REJECT
- Unmaintained packages → Warning
- Unnecessary dependencies → Warning

## Error Handling

- Stack trace exposure in production → REJECT
- Detailed error message exposure → REJECT
- Swallowing security events → REJECT

## Rate Limiting & DoS Protection

- No rate limiting (auth endpoints) → Warning
- Resource exhaustion attack possibility → Warning
- Infinite loop possibility → REJECT

## OWASP Top 10 Checklist

| Category | Check Items |
|---|---|
| A01 Broken Access Control | Authorization checks, CORS config |
| A02 Cryptographic Failures | Encryption, sensitive data protection |
| A03 Injection | SQL, Command, XSS |
| A04 Insecure Design | Security design patterns |
| A05 Security Misconfiguration | Default settings, unnecessary features |
| A06 Vulnerable Components | Dependency vulnerabilities |
| A07 Auth Failures | Authentication mechanisms |
| A08 Software Integrity | Code signing, CI/CD |
| A09 Logging Failures | Security logging |
| A10 SSRF | Server-side requests |