ln-621-security-auditor

Security Auditor (L3 Worker)

Specialized worker auditing security vulnerabilities in codebase.

Purpose & Scope

  • Worker in ln-620 coordinator pipeline - invoked by ln-620-codebase-auditor
  • Audit codebase for security vulnerabilities (Category 1: Critical Priority)
  • Scan for hardcoded secrets, SQL injection, XSS, insecure dependencies, missing input validation
  • Return structured findings to coordinator with severity, location, effort, recommendations
  • Calculate compliance score (X/10) for Security category

Inputs (from Coordinator)

MANDATORY READ: Load shared/references/task_delegation_pattern.md#audit-coordinator--worker-contract for contextStore structure.
Receives contextStore with: tech_stack, best_practices, principles, codebase_root.

Workflow

  1. Parse Context: Extract tech stack, best practices, codebase root from contextStore
  2. Scan Codebase: Run security checks using Glob/Grep patterns (see Audit Rules below)
  3. Collect Findings: Record each violation with severity, location (file:line), effort estimate (S/M/L), recommendation
  4. Calculate Score: Count violations by severity, calculate compliance score (X/10)
  5. Return Results: Return JSON with category, score, findings to coordinator

Audit Rules (Priority: CRITICAL)

1. Hardcoded Secrets

What: API keys, passwords, tokens, private keys in source code
Detection:
  • Search patterns: API_KEY = "...", password = "...", token = "...", SECRET = "..."
  • File extensions: .ts, .js, .py, .go, .java, .cs
  • Exclude: .env.example, README.md, test files with mock data
Severity:
  • CRITICAL: Production credentials (AWS keys, database passwords, API tokens)
  • HIGH: Development/staging credentials
  • MEDIUM: Test credentials in non-test files
Recommendation: Move to environment variables (.env), use secret management (Vault, AWS Secrets Manager)
Effort: S (replace hardcoded value with process.env.VAR_NAME)
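
An added example (not part of the original skill) of the hardcoded-secrets check as a small Python scanner: it applies the search patterns, file extensions and exclusions listed above and reports each hit as file:line. The regexes, the test-file heuristic, the function names and the sample tree are assumptions made for illustration; severity is left to triage because a pattern match cannot tell production credentials from development ones.

```python
import re
from pathlib import PurePosixPath

# Assumed regex for the listed patterns: NAME = "value" where NAME contains
# api_key / password / token / secret (case-insensitive).
SECRET_RE = re.compile(
    r"""(?i)\b(\w*(?:api_key|password|token|secret)\w*)\s*[:=]\s*(["'])([^"']{4,})\2"""
)
SCAN_EXT = {".ts", ".js", ".py", ".go", ".java", ".cs"}
EXCLUDED_NAMES = {".env.example", "README.md"}
# Assumed heuristic for "test files with mock data": a path component holding
# test/spec/mock/fixture as a whole token (so latest.js is still scanned).
TEST_PART_RE = re.compile(r"(?:^|[._-])(?:tests?|spec|mocks?|fixtures?)(?:[._-]|$)", re.I)


def is_scannable(path):
    p = PurePosixPath(path)
    if p.name in EXCLUDED_NAMES or p.suffix not in SCAN_EXT:
        return False
    return not any(TEST_PART_RE.search(part) for part in p.parts)


def scan_secrets(files):
    """files maps path -> source text; returns findings located as file:line."""
    findings = []
    for path, text in sorted(files.items()):
        if not is_scannable(path):
            continue
        for lineno, line in enumerate(text.splitlines(), start=1):
            m = SECRET_RE.search(line)
            if m:
                findings.append({"check": "hardcoded_secrets", "effort": "S",
                                 "location": f"{path}:{lineno}",
                                 "name": m.group(1)})  # identifier only, never the value
    return findings


# Constructed sample tree; every value is a fake placeholder.
SAMPLE = {
    "src/config.ts": 'const port = 8080;\nconst API_KEY = "EXAMPLE-not-a-real-key";\n',
    "src/db.py": 'import os\npassword = os.environ["DB_PASSWORD"]\n',
    "tests/auth.test.js": 'const token = "mock-token-value";\n',
    ".env.example": 'SECRET="changeme"\n',
    "README.md": 'Set password = "yourpassword" before running.\n',
}

if __name__ == "__main__":
    for finding in scan_secrets(SAMPLE):
        print(finding["location"], finding["name"])
```

Only src/config.ts:2 is reported: the environment lookup in src/db.py has no literal value, and the other three files are excluded by name or by the test-file heuristic.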

2. SQL Injection Patterns

What: String concatenation in SQL queries instead of parameterized queries
Detection:
  • Patterns: query = "SELECT * FROM users WHERE id=" + userId, db.execute(f"SELECT * FROM {table}"), `SELECT * FROM ${table}`
  • Languages: JavaScript, Python, PHP, Java
Severity:
  • CRITICAL: User input directly concatenated without sanitization
  • HIGH: Variable concatenation in production code
  • MEDIUM: Concatenation with internal variables only
Recommendation: Use parameterized queries (prepared statements), ORM query builders
Effort: M (refactor query to use placeholders)
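
An added example (not from the original skill) of the SQL injection check: a Python detector that flags the three concatenation shapes listed under Detection and leaves parameterized queries alone. The regexes, function name, file paths and sample snippets are assumptions for illustration; deciding CRITICAL versus MEDIUM still requires tracing whether the variable carries user input.

```python
import re

# Assumed regexes for the three pattern shapes listed above; a line is flagged
# only when SQL text is joined with a variable, not when placeholders are used.
SQL_KW = r"(?:SELECT|INSERT|UPDATE|DELETE)\b"
RULES = [
    ("string concatenation",
     re.compile(r"""(["'])\s*""" + SQL_KW + r"""[^"']*\1\s*\+""", re.I)),
    ("Python f-string",
     re.compile(r"""\bf(["'])\s*""" + SQL_KW + r"""[^"']*\{[^}]+\}""", re.I)),
    ("JS template literal",
     re.compile(r"`\s*" + SQL_KW + r"[^`]*\$\{[^}]+\}", re.I)),
]


def find_sql_concat(path, source):
    """Return one finding per line that builds SQL from a variable."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for label, rx in RULES:
            if rx.search(line):
                findings.append({"check": "sql_injection", "effort": "M",
                                 "location": f"{path}:{lineno}", "pattern": label})
                break  # one finding per line is enough
    return findings


# Constructed samples: each mixes a parameterized query (not flagged)
# with the concatenation shapes from the Detection list (flagged).
SAMPLE_PY = '''\
def get_user(db, user_id, table):
    db.execute("SELECT * FROM users WHERE id = ?", (user_id,))
    db.execute(f"SELECT * FROM {table}")
    query = "SELECT * FROM users WHERE id=" + user_id
'''
SAMPLE_JS = '''\
const one = await db.query(`SELECT * FROM users WHERE id = $1`, [id]);
const all = await db.query(`SELECT * FROM ${table}`);
'''

if __name__ == "__main__":
    hits = find_sql_concat("app/users.py", SAMPLE_PY) + find_sql_concat("app/users.js", SAMPLE_JS)
    for hit in hits:
        print(hit["location"], hit["pattern"])
```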

3. XSS Vulnerabilities

What: Unsanitized user input rendered in HTML/templates
Detection:
  • Patterns: innerHTML = userInput, dangerouslySetInnerHTML={{__html: data}}, echo $userInput;
  • Template engines: Check for unescaped output ({{ var | safe }}, <%- var %>)
Severity:
  • CRITICAL: User input directly inserted into DOM without sanitization
  • HIGH: User input with partial sanitization (insufficient escaping)
  • MEDIUM: Internal data with potential XSS if compromised
Recommendation: Use framework escaping (React auto-escapes, use textContent), sanitize with DOMPurify
Effort: S-M (replace innerHTML with textContent or sanitize)

4. Insecure Dependencies

What: Dependencies with known CVEs (Common Vulnerabilities and Exposures)
Detection:
  • Run npm audit (Node.js), pip-audit (Python), cargo audit (Rust), dotnet list package --vulnerable (.NET)
  • Check for outdated critical dependencies
Severity:
  • CRITICAL: CVE with exploitable vulnerability in production dependencies
  • HIGH: CVE in dev dependencies or lower severity production CVEs
  • MEDIUM: Outdated packages without known CVEs that still pose a security risk
Recommendation: Update to patched versions, replace unmaintained packages
Effort: S-M (update package.json, test), L (if breaking changes)

5. Missing Input Validation

What: Missing validation at system boundaries (API endpoints, user forms, file uploads)
Detection:
  • API routes without validation middleware
  • Form handlers without input sanitization
  • File uploads without type/size checks
  • Missing CORS configuration
Severity:
  • CRITICAL: File upload without validation, authentication bypass potential
  • HIGH: Missing validation on sensitive endpoints (payment, auth, user data)
  • MEDIUM: Missing validation on read-only or internal endpoints
Recommendation: Add validation middleware (Joi, Yup, express-validator), implement input sanitization
Effort: M (add validation schema and middleware)

Scoring Algorithm

See shared/references/audit_scoring.md for unified formula and score interpretation.

Output Format

MANDATORY READ: Load shared/references/audit_output_schema.md for JSON structure.
Return JSON with category: "Security" and checks: hardcoded_secrets, sql_injection, xss_vulnerabilities, insecure_dependencies, missing_input_validation.

Critical Rules

  • Do not auto-fix: Report violations only; coordinator creates task for user to fix
  • Tech stack aware: Use contextStore to apply framework-specific patterns (e.g., React XSS vs PHP XSS)
  • False positive reduction: Exclude test files, example configs, documentation
  • Effort realism: S = <1 hour, M = 1-4 hours, L = >4 hours
  • Location precision: Always include file:line for programmatic navigation

Definition of Done

  • contextStore parsed successfully
  • All 5 security checks completed (secrets, SQL injection, XSS, deps, validation)
  • Findings collected with severity, location, effort, recommendation
  • Score calculated using penalty algorithm
  • JSON result returned to coordinator

Reference Files

  • Audit scoring formula: shared/references/audit_scoring.md
  • Audit output schema: shared/references/audit_output_schema.md
  • Security audit rules: references/security_rules.md

Version: 3.0.0 Last Updated: 2025-12-23