hjdave/everything-claude-code-zh
1
0
Fork 0
mirror of https://github.com/sweetwisdom/everything-claude-code-zh.git synced 2026-03-22 06:20:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

docs: 完成所有文档的中文翻译并应用到项目

Browse Source
This commit is contained in:
xuxiang
2026-01-28 00:12:54 +08:00
parent 0ced59a26b
commit e133f58e1c
76 changed files with 6808 additions and 6170 deletions
Download Patch File Download Diff File Expand all files Collapse all files

328
skills/security-review/SKILL.md
View File

@@ -1,64 +1,64 @@
---
name: security-review
description: Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features. Provides comprehensive security checklist and patterns.
description: 当添加身份认证authentication、处理用户输入、使用凭据secrets、创建 API 端点或实现支付/敏感功能时,请使用此技能。提供全面的安全检查清单和模式。
---
# Security Review Skill
# 安全审查技能 (Security Review Skill)
This skill ensures all code follows security best practices and identifies potential vulnerabilities.
此技能确保所有代码遵循安全最佳实践,并识别潜在的漏洞。
## When to Activate
## 何时激活
- Implementing authentication or authorization
- Handling user input or file uploads
- Creating new API endpoints
- Working with secrets or credentials
- Implementing payment features
- Storing or transmitting sensitive data
- Integrating third-party APIs
- 实现身份认证(authentication)或授权(authorization)时
- 处理用户输入或文件上传时
- 创建新的 API 端点时
- 处理凭据(secrets)或证书(credentials)时
- 实现支付功能时
- 存储或传输敏感数据时
- 集成第三方 API
## Security Checklist
## 安全检查清单
### 1. Secrets Management
### 1. 凭据管理 (Secrets Management)
#### ❌ NEVER Do This
#### ❌ 严禁这样做
```typescript
const apiKey = "sk-proj-xxxxx" // Hardcoded secret
const dbPassword = "password123" // In source code
const apiKey = "sk-proj-xxxxx" // 硬编码凭据
const dbPassword = "password123" // 在源代码中
```
#### ✅ ALWAYS Do This
#### ✅ 务必这样做
```typescript
const apiKey = process.env.OPENAI_API_KEY
const dbUrl = process.env.DATABASE_URL
// Verify secrets exist
// 验证凭据是否存在
if (!apiKey) {
throw new Error('OPENAI_API_KEY not configured')
}
```
#### Verification Steps
- [ ] No hardcoded API keys, tokens, or passwords
- [ ] All secrets in environment variables
- [ ] `.env.local` in .gitignore
- [ ] No secrets in git history
- [ ] Production secrets in hosting platform (Vercel, Railway)
#### 验证步骤
- [ ] 不存在硬编码的 API 密钥、令牌tokens或密码
- [ ] 所有凭据均存储在环境变量中
- [ ] `.env.local` 已包含在 .gitignore
- [ ] Git 历史记录中没有凭据
- [ ] 生产环境凭据配置在托管平台(如 Vercel, Railway
### 2. Input Validation
### 2. 输入校验 (Input Validation)
#### Always Validate User Input
#### 始终校验用户输入
```typescript
import { z } from 'zod'
// Define validation schema
// 定义校验模式 (Schema)
const CreateUserSchema = z.object({
email: z.string().email(),
name: z.string().min(1).max(100),
age: z.number().int().min(0).max(150)
})
// Validate before processing
// 在处理前校验
export async function createUser(input: unknown) {
try {
const validated = CreateUserSchema.parse(input)
@@ -72,22 +72,22 @@ export async function createUser(input: unknown) {
}
```
#### File Upload Validation
#### 文件上传校验
```typescript
function validateFileUpload(file: File) {
// Size check (5MB max)
// 大小检查 (最大 5MB)
const maxSize = 5 * 1024 * 1024
if (file.size > maxSize) {
throw new Error('File too large (max 5MB)')
}
// Type check
// 类型检查
const allowedTypes = ['image/jpeg', 'image/png', 'image/gif']
if (!allowedTypes.includes(file.type)) {
throw new Error('Invalid file type')
}
// Extension check
// 后缀检查
const allowedExtensions = ['.jpg', '.jpeg', '.png', '.gif']
const extension = file.name.toLowerCase().match(/\.[^.]+$/)?.[0]
if (!extension || !allowedExtensions.includes(extension)) {
@@ -98,59 +98,59 @@ function validateFileUpload(file: File) {
}
```
#### Verification Steps
- [ ] All user inputs validated with schemas
- [ ] File uploads restricted (size, type, extension)
- [ ] No direct use of user input in queries
- [ ] Whitelist validation (not blacklist)
- [ ] Error messages don't leak sensitive info
#### 验证步骤
- [ ] 所有用户输入均通过模式(schemas)校验
- [ ] 限制文件上传(大小、类型、后缀)
- [ ] 不在查询中直接使用原始用户输入
- [ ] 使用白名单校验(而非黑名单)
- [ ] 错误消息不泄露敏感信息
### 3. SQL Injection Prevention
### 3. SQL 注入防护 (SQL Injection Prevention)
#### ❌ NEVER Concatenate SQL
#### ❌ 严禁拼接 SQL 字符串
```typescript
// DANGEROUS - SQL Injection vulnerability
// 危险 - 存在 SQL 注入漏洞
const query = `SELECT * FROM users WHERE email = '${userEmail}'`
await db.query(query)
```
#### ✅ ALWAYS Use Parameterized Queries
#### ✅ 始终使用参数化查询
```typescript
// Safe - parameterized query
// 安全 - 参数化查询
const { data } = await supabase
.from('users')
.select('*')
.eq('email', userEmail)
// Or with raw SQL
// 或者使用原生 SQL
await db.query(
'SELECT * FROM users WHERE email = $1',
[userEmail]
)
```
#### Verification Steps
- [ ] All database queries use parameterized queries
- [ ] No string concatenation in SQL
- [ ] ORM/query builder used correctly
- [ ] Supabase queries properly sanitized
#### 验证步骤
- [ ] 所有数据库查询均使用参数化查询
- [ ] SQL 中没有字符串拼接
- [ ] 正确使用 ORM 或查询构建器query builder
- [ ] Supabase 查询已正确清理(sanitized
### 4. Authentication & Authorization
### 4. 认证与授权 (Authentication & Authorization)
#### JWT Token Handling
#### JWT 令牌处理
```typescript
// ❌ WRONG: localStorage (vulnerable to XSS)
// ❌ 错误:使用 localStorage (易受 XSS 攻击)
localStorage.setItem('token', token)
// ✅ CORRECT: httpOnly cookies
// ✅ 正确:使用 httpOnly cookies
res.setHeader('Set-Cookie',
`token=${token}; HttpOnly; Secure; SameSite=Strict; Max-Age=3600`)
```
#### Authorization Checks
#### 授权检查
```typescript
export async function deleteUser(userId: string, requesterId: string) {
// ALWAYS verify authorization first
// 始终先验证授权
const requester = await db.users.findUnique({
where: { id: requesterId }
})
@@ -162,41 +162,41 @@ export async function deleteUser(userId: string, requesterId: string) {
)
}
// Proceed with deletion
// 执行删除
await db.users.delete({ where: { id: userId } })
}
```
#### Row Level Security (Supabase)
#### 行级安全性 (Supabase RLS)
```sql
-- Enable RLS on all tables
-- 在所有表上启用 RLS
ALTER TABLE users ENABLE ROW LEVEL SECURITY;
-- Users can only view their own data
-- 用户只能查看自己的数据
CREATE POLICY "Users view own data"
ON users FOR SELECT
USING (auth.uid() = id);
-- Users can only update their own data
-- 用户只能更新自己的数据
CREATE POLICY "Users update own data"
ON users FOR UPDATE
USING (auth.uid() = id);
```
#### Verification Steps
- [ ] Tokens stored in httpOnly cookies (not localStorage)
- [ ] Authorization checks before sensitive operations
- [ ] Row Level Security enabled in Supabase
- [ ] Role-based access control implemented
- [ ] Session management secure
#### 验证步骤
- [ ] 令牌存储在 httpOnly cookies 中(而非 localStorage
- [ ] 在敏感操作前进行授权检查
- [ ] 在 Supabase 中启用了行级安全性Row Level Security
- [ ] 实现了基于角色的访问控制RBAC
- [ ] 会话管理(Session management)安全
### 5. XSS Prevention
### 5. XSS 防护 (XSS Prevention)
#### Sanitize HTML
#### 清理 HTML
```typescript
import DOMPurify from 'isomorphic-dompurify'
// ALWAYS sanitize user-provided HTML
// 始终清理用户提供的 HTML
function renderUserContent(html: string) {
const clean = DOMPurify.sanitize(html, {
ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'p'],
@@ -206,7 +206,7 @@ function renderUserContent(html: string) {
}
```
#### Content Security Policy
#### 内容安全策略 (CSP)
```typescript
// next.config.js
const securityHeaders = [
@@ -224,15 +224,15 @@ const securityHeaders = [
]
```
#### Verification Steps
- [ ] User-provided HTML sanitized
- [ ] CSP headers configured
- [ ] No unvalidated dynamic content rendering
- [ ] React's built-in XSS protection used
#### 验证步骤
- [ ] 已清理用户提供的 HTML
- [ ] 配置了 CSP 响应头
- [ ] 没有未经校验的动态内容渲染
- [ ] 使用了 React 内置的 XSS 防护机制
### 6. CSRF Protection
### 6. CSRF 防护 (CSRF Protection)
#### CSRF Tokens
#### CSRF 令牌
```typescript
import { csrf } from '@/lib/csrf'
@@ -246,7 +246,7 @@ export async function POST(request: Request) {
)
}
// Process request
// 处理请求
}
```
@@ -256,61 +256,61 @@ res.setHeader('Set-Cookie',
`session=${sessionId}; HttpOnly; Secure; SameSite=Strict`)
```
#### Verification Steps
- [ ] CSRF tokens on state-changing operations
- [ ] SameSite=Strict on all cookies
- [ ] Double-submit cookie pattern implemented
#### 验证步骤
- [ ] 对状态变更操作使用了 CSRF 令牌
- [ ] 所有 cookies 均设置了 SameSite=Strict
- [ ] 实现了双重提交 cookie 模式double-submit cookie pattern
### 7. Rate Limiting
### 7. 速率限制 (Rate Limiting)
#### API Rate Limiting
#### API 速率限制
```typescript
import rateLimit from 'express-rate-limit'
const limiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 100, // 100 requests per window
windowMs: 15 * 60 * 1000, // 15 分钟
max: 100, // 每个窗口 100 次请求
message: 'Too many requests'
})
// Apply to routes
// 应用到路由
app.use('/api/', limiter)
```
#### Expensive Operations
#### 高消耗操作
```typescript
// Aggressive rate limiting for searches
// 对搜索操作执行更严格的速率限制
const searchLimiter = rateLimit({
windowMs: 60 * 1000, // 1 minute
max: 10, // 10 requests per minute
windowMs: 60 * 1000, // 1 分钟
max: 10, // 每分钟 10 次请求
message: 'Too many search requests'
})
app.use('/api/search', searchLimiter)
```
#### Verification Steps
- [ ] Rate limiting on all API endpoints
- [ ] Stricter limits on expensive operations
- [ ] IP-based rate limiting
- [ ] User-based rate limiting (authenticated)
#### 验证步骤
- [ ] 在所有 API 端点上启用了速率限制
- [ ] 对高消耗操作执行更严格的限制
- [ ] 基于 IP 的速率限制
- [ ] 基于用户的速率限制(已认证用户)
### 8. Sensitive Data Exposure
### 8. 敏感数据泄露 (Sensitive Data Exposure)
#### Logging
#### 日志记录
```typescript
// ❌ WRONG: Logging sensitive data
// ❌ 错误:记录敏感数据
console.log('User login:', { email, password })
console.log('Payment:', { cardNumber, cvv })
// ✅ CORRECT: Redact sensitive data
// ✅ 正确:脱敏敏感数据
console.log('User login:', { email, userId })
console.log('Payment:', { last4: card.last4, userId })
```
#### Error Messages
#### 错误消息
```typescript
// ❌ WRONG: Exposing internal details
// ❌ 错误:暴露内部细节
catch (error) {
return NextResponse.json(
{ error: error.message, stack: error.stack },
@@ -318,7 +318,7 @@ catch (error) {
)
}
// ✅ CORRECT: Generic error messages
// ✅ 正确:通用的错误消息
catch (error) {
console.error('Internal error:', error)
return NextResponse.json(
@@ -328,15 +328,15 @@ catch (error) {
}
```
#### Verification Steps
- [ ] No passwords, tokens, or secrets in logs
- [ ] Error messages generic for users
- [ ] Detailed errors only in server logs
- [ ] No stack traces exposed to users
#### 验证步骤
- [ ] 日志中不含密码、令牌或凭据
- [ ] 向用户展示通用的错误消息
- [ ] 仅在服务器日志中记录详细错误
- [ ] 不向用户暴露堆栈轨迹(stack traces
### 9. Blockchain Security (Solana)
### 9. 区块链安全 (Solana)
#### Wallet Verification
#### 钱包验证
```typescript
import { verify } from '@solana/web3.js'
@@ -358,20 +358,20 @@ async function verifyWalletOwnership(
}
```
#### Transaction Verification
#### 交易验证
```typescript
async function verifyTransaction(transaction: Transaction) {
// Verify recipient
// 验证收款人
if (transaction.to !== expectedRecipient) {
throw new Error('Invalid recipient')
}
// Verify amount
// 验证金额
if (transaction.amount > maxAmount) {
throw new Error('Amount exceeds limit')
}
// Verify user has sufficient balance
// 验证用户余额是否充足
const balance = await getBalance(transaction.from)
if (balance < transaction.amount) {
throw new Error('Insufficient balance')
@@ -381,56 +381,56 @@ async function verifyTransaction(transaction: Transaction) {
}
```
#### Verification Steps
- [ ] Wallet signatures verified
- [ ] Transaction details validated
- [ ] Balance checks before transactions
- [ ] No blind transaction signing
#### 验证步骤
- [ ] 验证了钱包签名
- [ ] 校验了交易详情
- [ ] 交易前进行余额检查
- [ ] 不存在盲签blind signing)交易
### 10. Dependency Security
### 10. 依赖项安全 (Dependency Security)
#### Regular Updates
#### 定期更新
```bash
# Check for vulnerabilities
# 检查漏洞
npm audit
# Fix automatically fixable issues
# 自动修复可修复的问题
npm audit fix
# Update dependencies
# 更新依赖
npm update
# Check for outdated packages
# 检查过期的包
npm outdated
```
#### Lock Files
#### 锁定文件 (Lock Files)
```bash
# ALWAYS commit lock files
# 始终提交 lock 文件
git add package-lock.json
# Use in CI/CD for reproducible builds
npm ci # Instead of npm install
# CI/CD 中使用以确保可重现的构建
npm ci # 而非 npm install
```
#### Verification Steps
- [ ] Dependencies up to date
- [ ] No known vulnerabilities (npm audit clean)
- [ ] Lock files committed
- [ ] Dependabot enabled on GitHub
- [ ] Regular security updates
#### 验证步骤
- [ ] 依赖项保持最新
- [ ] 无已知漏洞(npm audit clean
- [ ] 已提交 lock 文件
- [ ] 在 GitHub 上启用了 Dependabot
- [ ] 定期执行安全更新
## Security Testing
## 安全测试
### Automated Security Tests
### 自动化安全测试
```typescript
// Test authentication
// 测试身份认证
test('requires authentication', async () => {
const response = await fetch('/api/protected')
expect(response.status).toBe(401)
})
// Test authorization
// 测试授权
test('requires admin role', async () => {
const response = await fetch('/api/admin', {
headers: { Authorization: `Bearer ${userToken}` }
@@ -438,7 +438,7 @@ test('requires admin role', async () => {
expect(response.status).toBe(403)
})
// Test input validation
// 测试输入校验
test('rejects invalid input', async () => {
const response = await fetch('/api/users', {
method: 'POST',
@@ -447,7 +447,7 @@ test('rejects invalid input', async () => {
expect(response.status).toBe(400)
})
// Test rate limiting
// 测试速率限制
test('enforces rate limits', async () => {
const requests = Array(101).fill(null).map(() =>
fetch('/api/endpoint')
@@ -460,35 +460,35 @@ test('enforces rate limits', async () => {
})
```
## Pre-Deployment Security Checklist
## 部署前安全检查清单
Before ANY production deployment:
在**任何**生产环境部署之前:
- [ ] **Secrets**: No hardcoded secrets, all in env vars
- [ ] **Input Validation**: All user inputs validated
- [ ] **SQL Injection**: All queries parameterized
- [ ] **XSS**: User content sanitized
- [ ] **CSRF**: Protection enabled
- [ ] **Authentication**: Proper token handling
- [ ] **Authorization**: Role checks in place
- [ ] **Rate Limiting**: Enabled on all endpoints
- [ ] **HTTPS**: Enforced in production
- [ ] **Security Headers**: CSP, X-Frame-Options configured
- [ ] **Error Handling**: No sensitive data in errors
- [ ] **Logging**: No sensitive data logged
- [ ] **Dependencies**: Up to date, no vulnerabilities
- [ ] **Row Level Security**: Enabled in Supabase
- [ ] **CORS**: Properly configured
- [ ] **File Uploads**: Validated (size, type)
- [ ] **Wallet Signatures**: Verified (if blockchain)
- [ ] **凭据 (Secrets)**:无硬编码凭据,全部位于环境变量中
- [ ] **输入校验**:所有用户输入均已校验
- [ ] **SQL 注入**:所有查询均已参数化
- [ ] **XSS**:用户内容已清理
- [ ] **CSRF**:防护已启用
- [ ] **身份认证**:正确的令牌处理
- [ ] **授权**:角色检查已就位
- [ ] **速率限制**:在所有端点上启用
- [ ] **HTTPS**:在生产环境中强制执行
- [ ] **安全响应头**:已配置 CSP, X-Frame-Options
- [ ] **错误处理**:错误信息中无敏感数据
- [ ] **日志记录**:日志中无敏感数据
- [ ] **依赖项**:已更新且无漏洞
- [ ] **行级安全性**:在 Supabase 中启用
- [ ] **CORS**:已正确配置
- [ ] **文件上传**:已校验(大小、类型)
- [ ] **钱包签名**:已验证(如果是区块链项目)
## Resources
## 资源
- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
- [Next.js Security](https://nextjs.org/docs/security)
- [Supabase Security](https://supabase.com/docs/guides/auth)
- [Next.js 安全指南](https://nextjs.org/docs/security)
- [Supabase 安全指南](https://supabase.com/docs/guides/auth)
- [Web Security Academy](https://portswigger.net/web-security)
---
**Remember**: Security is not optional. One vulnerability can compromise the entire platform. When in doubt, err on the side of caution.
**请记住**:安全并非可选项。一个漏洞就可能危害整个平台。如有疑虑,请宁可信其有,从严处理。