agent-bot/takt
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
takt/resources/global/en/knowledge/security.md
nrslib b7c2a4db08 takt: # タスク指示書: 専門知識のknowledgeへの抽出と付与 
## 概要
既存のスタンス/インストラクションに埋め込まれているフロントエンド・バックエンド等の専門知識をknowledgeファイルとして抽出し、抽出元に適切に付与する。

---

## タスク

### 1. 専門知識の抽出(優先度: 高)

既存のスタンス・インストラクションファイルをレビューし、以下の専門知識を特定・抽出:
- **フロントエンド知識**(React、CSS、UI/UXなど)
- **バックエンド知識**(API設計、DB、サーバーサイドなど)
- **その他の専門知識**(発見したもの)

抽出した知識をknowledgeファイルとして作成する。

### 2. 抽出元への付与(優先度: 高)

抽出した知識を、元々その知識を使用していたスタンス/インストラクションに付与設定する。
- 抽出元 = 付与先

---

## 確認方法
- 抽出後、元のスタンス/インストラクションから専門知識が分離されていること
- 抽出元にknowledgeが正しく付与設定されていること
2026-02-07 13:01:15 +09:00

165 lines
4.4 KiB
Markdown
Raw Blame History

# Security Knowledge
## AI-Generated Code Security Issues
AI-generated code has unique vulnerability patterns.
| Pattern | Risk | Example |
|---------|------|---------|
| Plausible but dangerous defaults | High | `cors: { origin: '*' }` looks fine but is dangerous |
| Outdated security practices | Medium | Using deprecated encryption, old auth patterns |
| Incomplete validation | High | Validates format but not business rules |
| Over-trusting inputs | Critical | Assumes internal APIs are always safe |
| Copy-paste vulnerabilities | High | Same dangerous pattern repeated in multiple files |
Require extra scrutiny:
- Auth/authorization logic (AI tends to miss edge cases)
- Input validation (AI may check syntax but miss semantics)
- Error messages (AI may expose internal details)
- Config files (AI may use dangerous defaults from training data)
## Injection Attacks
**SQL Injection:**
- SQL construction via string concatenation → REJECT
- Not using parameterized queries → REJECT
- Unsanitized input in ORM raw queries → REJECT
```typescript
// NG
db.query(`SELECT * FROM users WHERE id = ${userId}`)
// OK
db.query('SELECT * FROM users WHERE id = ?', [userId])
```
**Command Injection:**
- Unvalidated input in `exec()`, `spawn()` → REJECT
- Insufficient escaping in shell command construction → REJECT
```typescript
// NG
exec(`ls ${userInput}`)
// OK
execFile('ls', [sanitizedInput])
```
**XSS (Cross-Site Scripting):**
- Unescaped output to HTML/JS → REJECT
- Improper use of `innerHTML`, `dangerouslySetInnerHTML` → REJECT
- Direct embedding of URL parameters → REJECT
## Authentication & Authorization
**Authentication issues:**
- Hardcoded credentials → Immediate REJECT
- Plaintext password storage → Immediate REJECT
- Weak hash algorithms (MD5, SHA1) → REJECT
- Improper session token management → REJECT
**Authorization issues:**
- Missing permission checks → REJECT
- IDOR (Insecure Direct Object Reference) → REJECT
- Privilege escalation possibility → REJECT
```typescript
// NG - No permission check
app.get('/user/:id', (req, res) => {
return db.getUser(req.params.id)
})
// OK
app.get('/user/:id', authorize('read:user'), (req, res) => {
if (req.user.id !== req.params.id && !req.user.isAdmin) {
return res.status(403).send('Forbidden')
}
return db.getUser(req.params.id)
})
```
## Data Protection
**Sensitive information exposure:**
- Hardcoded API keys, secrets → Immediate REJECT
- Sensitive info in logs → REJECT
- Internal info exposure in error messages → REJECT
- Committed `.env` files → REJECT
**Data validation:**
- Unvalidated input values → REJECT
- Missing type checks → REJECT
- No size limits set → REJECT
## Cryptography
- Use of weak crypto algorithms → REJECT
- Fixed IV/Nonce usage → REJECT
- Hardcoded encryption keys → Immediate REJECT
- No HTTPS (production) → REJECT
## File Operations
**Path Traversal:**
- File paths containing user input → REJECT
- Insufficient `../` sanitization → REJECT
```typescript
// NG
const filePath = path.join(baseDir, userInput)
fs.readFile(filePath)
// OK
const safePath = path.resolve(baseDir, userInput)
if (!safePath.startsWith(path.resolve(baseDir))) {
throw new Error('Invalid path')
}
```
**File Upload:**
- No file type validation → REJECT
- No file size limits → REJECT
- Allowing executable file uploads → REJECT
## Dependencies
- Packages with known vulnerabilities → REJECT
- Unmaintained packages → Warning
- Unnecessary dependencies → Warning
## Error Handling
- Stack trace exposure in production → REJECT
- Detailed error message exposure → REJECT
- Swallowing security events → REJECT
## Rate Limiting & DoS Protection
- No rate limiting (auth endpoints) → Warning
- Resource exhaustion attack possibility → Warning
- Infinite loop possibility → REJECT
## OWASP Top 10 Checklist
| Category | Check Items |
|----------|-------------|
| A01 Broken Access Control | Authorization checks, CORS config |
| A02 Cryptographic Failures | Encryption, sensitive data protection |
| A03 Injection | SQL, Command, XSS |
| A04 Insecure Design | Security design patterns |
| A05 Security Misconfiguration | Default settings, unnecessary features |
| A06 Vulnerable Components | Dependency vulnerabilities |
| A07 Auth Failures | Authentication mechanisms |
| A08 Software Integrity | Code signing, CI/CD |
| A09 Logging Failures | Security logging |
| A10 SSRF | Server-side requests |
Reference in New Issue View Git Blame Copy Permalink