fix-code-vulnerability

Original：🇺🇸 English

Translated

Guidance for identifying and fixing security vulnerabilities in code. This skill should be used when asked to fix security issues, address CVEs or CWEs, remediate vulnerabilities like injection attacks (SQL, command, CRLF, XSS), or when working with failing security-related tests.

1installs

Sourceletta-ai/skills

Added on2026-02-07

NPX Install

npx skill4agent add letta-ai/skills fix-code-vulnerability

SKILL.md Content

View Translation Comparison →

Fix Code Vulnerability

Overview

This skill provides a systematic approach for identifying, analyzing, and fixing security vulnerabilities in codebases. It covers common vulnerability types (injection attacks, input validation issues, etc.) and provides verification strategies to ensure fixes are complete and correct.

Workflow

Phase 1: Initial Reconnaissance

Start by understanding the scope and nature of the vulnerability:

Run existing tests first - Execute the test suite to identify any failing security-related tests. Failing tests often directly indicate what vulnerability needs to be fixed and what behavior is expected.
Read failing tests immediately - When security tests fail, read them first before exploring the broader codebase. Tests reveal:
- The exact vulnerability type (CWE number, attack vector)
- Expected defensive behavior
- Specific inputs that should be blocked
- The API or function under test
Identify the vulnerability type - Classify the vulnerability:
- CWE-89: SQL Injection
- CWE-78: OS Command Injection
- CWE-79: Cross-Site Scripting (XSS)
- CWE-93: CRLF Injection (HTTP Response Splitting)
- CWE-22: Path Traversal
- CWE-94: Code Injection
- CWE-611: XML External Entity (XXE)

Phase 2: Code Analysis

Trace the vulnerable code path:

Follow the data flow - Trace from user input to the vulnerable operation:
- Entry points (API endpoints, form handlers, file readers)
- Data transformation functions
- Output points (database queries, file operations, HTTP responses)
Identify the fix location - Prefer fixing at centralized helper functions rather than multiple call sites:
- Look for utility functions that process the vulnerable data
- Fixing a shared helper covers all callers automatically
- Avoid scattered fixes that may miss edge cases
Read code in larger chunks - When analyzing related functions, read them together rather than making many small reads. This provides better context for understanding the code flow.

Phase 3: Implementing the Fix

Apply the appropriate defensive measure:

Input validation - For injection vulnerabilities:
- Validate against dangerous characters (e.g.,
```
\n
```
  ,
```
\r
```
  ,
```
\0
```
  for CRLF)
- Use allowlists when possible (define what IS allowed vs. what is NOT)
- Raise clear error messages that identify the issue
Output encoding - For XSS and similar:
- Encode output appropriate to the context (HTML, URL, JavaScript)
- Use framework-provided encoding functions
Parameterization - For SQL/command injection:
- Use parameterized queries or prepared statements
- Avoid string concatenation with user input
Error handling - Ensure the fix:
- Raises appropriate exceptions with descriptive messages
- Does not leak sensitive information in error messages
- Fails securely (deny by default)

Phase 4: Verification

Confirm the fix is complete:

Run the full test suite - All tests should pass, including:
- The originally failing security tests
- Existing functionality tests (ensure no regressions)
Verify edge cases are covered - Check that the fix handles:
- All variations of the attack (e.g., all control characters, not just
```
\n
```
  )
- Both direct and indirect attack paths
- All methods that could trigger the vulnerability
Create a vulnerability report - Document:
- Vulnerability type and CWE identifier
- Affected code locations
- Fix description and rationale
- Test coverage confirmation

Common Pitfalls

Avoid These Mistakes

Incomplete character coverage - When blocking dangerous characters, ensure all variants are covered (e.g., both
```
\r
```
and
```
\n
```
for CRLF, not just one).
Fixing at wrong level - Don't patch individual call sites when a centralized fix is available. Find the common helper function.
Missing indirect paths - A function may be called through multiple code paths. Verify the fix covers all entry points.
Skipping test verification - Always run tests after applying fixes. Visual inspection is insufficient.
Overly broad fixes - Don't break legitimate functionality. Understand what valid inputs look like before blocking patterns.

Attack Scenarios to Consider

When fixing vulnerabilities, understand the attack:

CRLF Injection (CWE-93): Attacker injects
```
\r\n
```
to split HTTP headers, enabling response splitting attacks
SQL Injection (CWE-89): Attacker escapes string context to execute arbitrary SQL
Command Injection (CWE-78): Attacker uses shell metacharacters to execute system commands
Path Traversal (CWE-22): Attacker uses
```
../
```
sequences to access files outside intended directory

Process Efficiency Tips

Start with tests - Running tests first immediately reveals which security checks are failing and what behavior is expected.
Read tests before code - Security tests describe the vulnerability and expected fix more clearly than searching the codebase.
Fix centralized functions - Identify and fix shared helper functions to cover all code paths with minimal changes.
Verify once, comprehensively - Run the full test suite rather than individual tests to catch any regressions.
Document the vulnerability - Create a report that explains the vulnerability type, fix applied, and verification performed.

Fix Code Vulnerability

Overview

Workflow

Phase 1: Initial Reconnaissance

Start by understanding the scope and nature of the vulnerability:

Run existing tests first - Execute the test suite to identify any failing security-related tests. Failing tests often directly indicate what vulnerability needs to be fixed and what behavior is expected.
Read failing tests immediately - When security tests fail, read them first before exploring the broader codebase. Tests reveal:
- The exact vulnerability type (CWE number, attack vector)
- Expected defensive behavior
- Specific inputs that should be blocked
- The API or function under test
Identify the vulnerability type - Classify the vulnerability:
- CWE-89: SQL Injection
- CWE-78: OS Command Injection
- CWE-79: Cross-Site Scripting (XSS)
- CWE-93: CRLF Injection (HTTP Response Splitting)
- CWE-22: Path Traversal
- CWE-94: Code Injection
- CWE-611: XML External Entity (XXE)

Phase 2: Code Analysis

Trace the vulnerable code path:

Follow the data flow - Trace from user input to the vulnerable operation:
- Entry points (API endpoints, form handlers, file readers)
- Data transformation functions
- Output points (database queries, file operations, HTTP responses)
Identify the fix location - Prefer fixing at centralized helper functions rather than multiple call sites:
- Look for utility functions that process the vulnerable data
- Fixing a shared helper covers all callers automatically
- Avoid scattered fixes that may miss edge cases
Read code in larger chunks - When analyzing related functions, read them together rather than making many small reads. This provides better context for understanding the code flow.

Phase 3: Implementing the Fix

Apply the appropriate defensive measure:

Input validation - For injection vulnerabilities:
- Validate against dangerous characters (e.g.,
```
\n
```
  ,
```
\r
```
  ,
```
\0
```
  for CRLF)
- Use allowlists when possible (define what IS allowed vs. what is NOT)
- Raise clear error messages that identify the issue
Output encoding - For XSS and similar:
- Encode output appropriate to the context (HTML, URL, JavaScript)
- Use framework-provided encoding functions
Parameterization - For SQL/command injection:
- Use parameterized queries or prepared statements
- Avoid string concatenation with user input
Error handling - Ensure the fix:
- Raises appropriate exceptions with descriptive messages
- Does not leak sensitive information in error messages
- Fails securely (deny by default)

Phase 4: Verification

Confirm the fix is complete:

Run the full test suite - All tests should pass, including:
- The originally failing security tests
- Existing functionality tests (ensure no regressions)
Verify edge cases are covered - Check that the fix handles:
- All variations of the attack (e.g., all control characters, not just
```
\n
```
  )
- Both direct and indirect attack paths
- All methods that could trigger the vulnerability
Create a vulnerability report - Document:
- Vulnerability type and CWE identifier
- Affected code locations
- Fix description and rationale
- Test coverage confirmation

Common Pitfalls

Avoid These Mistakes

Incomplete character coverage - When blocking dangerous characters, ensure all variants are covered (e.g., both
```
\r
```
and
```
\n
```
for CRLF, not just one).
Fixing at wrong level - Don't patch individual call sites when a centralized fix is available. Find the common helper function.
Missing indirect paths - A function may be called through multiple code paths. Verify the fix covers all entry points.
Skipping test verification - Always run tests after applying fixes. Visual inspection is insufficient.
Overly broad fixes - Don't break legitimate functionality. Understand what valid inputs look like before blocking patterns.

Attack Scenarios to Consider

When fixing vulnerabilities, understand the attack:

CRLF Injection (CWE-93): Attacker injects
```
\r\n
```
to split HTTP headers, enabling response splitting attacks
SQL Injection (CWE-89): Attacker escapes string context to execute arbitrary SQL
Command Injection (CWE-78): Attacker uses shell metacharacters to execute system commands
Path Traversal (CWE-22): Attacker uses
```
../
```
sequences to access files outside intended directory

Process Efficiency Tips

Start with tests - Running tests first immediately reveals which security checks are failing and what behavior is expected.
Read tests before code - Security tests describe the vulnerability and expected fix more clearly than searching the codebase.
Fix centralized functions - Identify and fix shared helper functions to cover all code paths with minimal changes.
Verify once, comprehensively - Run the full test suite rather than individual tests to catch any regressions.
Document the vulnerability - Create a report that explains the vulnerability type, fix applied, and verification performed.

fix-code-vulnerability

NPX Install

Tags

SKILL.md Content

Fix Code Vulnerability

Overview

Workflow

Phase 1: Initial Reconnaissance

Phase 2: Code Analysis

Phase 3: Implementing the Fix

Phase 4: Verification

Common Pitfalls

Avoid These Mistakes

Attack Scenarios to Consider

Process Efficiency Tips

fix-code-vulnerability

NPX Install

Tags

SKILL.md Content

Fix Code Vulnerability

Overview

Workflow

Phase 1: Initial Reconnaissance

Phase 2: Code Analysis

Phase 3: Implementing the Fix

Phase 4: Verification

Common Pitfalls

Avoid These Mistakes

Attack Scenarios to Consider

Process Efficiency Tips