Security Audit

Perform a thorough security review of $ARGUMENTS (or the whole app if no argument is given). Work through every step below in order and report findings with file paths and line numbers.

Step 1 — Map the attack surface

Read these files before checking anything:
- `src/main.tsx` / `src/App.tsx` — entry point, routing, auth gating
- `vite.config.ts` — dev server proxy, CORS, headers
- `package.json` — list of third-party dependencies
- Any file matching `**/auth*`, `**/login*`, `**/token*`, `**/credential*`

Identify:
- All pages/routes and whether each is behind an auth guard
- All places where external data enters the app (CDF SDK calls, `fetch`, user form input)
- All places where data is written back (CDF upsert, `fetch` POST/PUT/DELETE)

Step 2 — Credential & secret hygiene

Search for hard-coded credentials and sensitive values:

```bash
# Look for anything that smells like a secret in source files
grep -rn --include="*.ts" --include="*.tsx" --include="*.js" \
  -E "(password|secret|apikey|api_key|token|bearer|private_key)\s*=\s*['\"]" src/
```

Flag any match. Secrets must come from environment variables (`import.meta.env.VITE_*`) or from the Dune auth flow — never hard-coded.

Also verify:
- `.env.example` does not contain real secrets (only placeholder values like `your-token-here`)
- `.gitignore` lists `.env` and `.env.local`
- No `console.log`, `console.error`, or similar calls that print a CDF token, user object, or API key

---

Step 3 — Dangerous DOM APIs

Search for patterns that allow arbitrary script execution or HTML injection:

```bash
grep -rn --include="*.tsx" --include="*.ts" \
  -E "dangerouslySetInnerHTML|innerHTML\s*=|eval\(|new Function\(|setTimeout\(['\"]|setInterval\(['\"]" src/
```

For each hit:
- `dangerouslySetInnerHTML`: confirm the value is sanitized with DOMPurify or equivalent before use. If not, flag as HIGH.
- `eval` / `new Function`: flag as HIGH unconditionally — there is no safe use in a browser app.
- `setTimeout` / `setInterval` with a string argument: flag as MEDIUM (equivalent to `eval`).
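As an added example (not part of this audit prompt), the scanner below applies the Step 2 secret pattern and the Step 3 DOM-API rules to source lines and assigns the severities the checklist prescribes, so the two greps above become findings with file, line, issue and recommendation. The sample file contents are constructed, the secret pattern is matched case-insensitively (broader than the grep), and treating `DOMPurify.sanitize(` on the same line as evidence of sanitization is a heuristic assumption; a reviewer still reads the surrounding code.

```typescript
// Added example: classify Step 2 and Step 3 grep-style hits into audit findings.
// Sample sources below are constructed for the demonstration.

type Severity = "HIGH" | "MEDIUM" | "LOW" | "INFO";

interface Finding {
  file: string;
  line: number;
  severity: Severity;
  issue: string;
  recommendation: string;
}

// Step 2 pattern: an identifier that smells like a secret, assigned a quoted literal.
// The /i flag makes this broader than the case-sensitive grep on the page.
const SECRET_RE = /(password|secret|apikey|api_key|token|bearer|private_key)\s*=\s*['"]/i;

// Step 3 rules; the first matching rule wins for a line.
const DOM_RULES: { re: RegExp; severity: Severity; issue: string; recommendation: string }[] = [
  { re: /\beval\(|new Function\(/, severity: "HIGH", issue: "eval()/new Function() call",
    recommendation: "Remove; there is no safe use in a browser app" },
  { re: /\binnerHTML\s*=/, severity: "HIGH", issue: "innerHTML assignment",
    recommendation: "Use textContent or a sanitized React render" },
  { re: /set(Timeout|Interval)\(\s*['"]/, severity: "MEDIUM", issue: "setTimeout/setInterval with a string argument",
    recommendation: "Pass a function instead of a string (string form is equivalent to eval)" },
];

function scanFile(file: string, source: string): Finding[] {
  const findings: Finding[] = [];
  source.split("\n").forEach((text, idx) => {
    const line = idx + 1;
    if (SECRET_RE.test(text)) {
      findings.push({ file, line, severity: "HIGH", issue: "Hard-coded credential",
        recommendation: "Load from import.meta.env.VITE_* or the Dune auth flow" });
    }
    // dangerouslySetInnerHTML is HIGH only when no sanitizer is visible on the same line
    // (heuristic: the sanitizer may live elsewhere, so a human confirms each hit).
    if (/dangerouslySetInnerHTML/.test(text)) {
      if (!/DOMPurify\.sanitize\(/.test(text)) {
        findings.push({ file, line, severity: "HIGH", issue: "dangerouslySetInnerHTML without visible sanitization",
          recommendation: "Sanitize with DOMPurify or equivalent before rendering" });
      }
      return;
    }
    for (const rule of DOM_RULES) {
      if (rule.re.test(text)) {
        findings.push({ file, line, severity: rule.severity, issue: rule.issue, recommendation: rule.recommendation });
        break;
      }
    }
  });
  return findings;
}

// Constructed sample sources (not real project files).
const SAMPLE_FILES: Record<string, string> = {
  "src/config.ts": [
    'const apiKey = "sk-constructed-example";',            // line 1: HIGH, hard-coded secret
    "const token = import.meta.env.VITE_CDF_TOKEN;",       // line 2: fine, comes from the environment
  ].join("\n"),
  "src/Widget.tsx": [
    "const html = eval(props.expression);",                                    // line 1: HIGH
    '<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(html) }} />', // line 2: sanitized, no finding
    '<div dangerouslySetInnerHTML={{ __html: html }} />',                     // line 3: HIGH
    'setTimeout("refresh()", 1000);',                                          // line 4: MEDIUM
    "setTimeout(() => refresh(), 1000);",                                      // line 5: fine
  ].join("\n"),
};

function auditSamples(): Finding[] {
  const all: Finding[] = [];
  for (const file of Object.keys(SAMPLE_FILES)) {
    all.push(...scanFile(file, SAMPLE_FILES[file]));
  }
  return all;
}

// Totals for the Step 8 summary.
function countBySeverity(findings: Finding[]): Record<Severity, number> {
  const counts: Record<Severity, number> = { HIGH: 0, MEDIUM: 0, LOW: 0, INFO: 0 };
  for (const f of findings) counts[f.severity]++;
  return counts;
}

console.log(JSON.stringify(auditSamples(), null, 2));
console.log(countBySeverity(auditSamples()));
```

Running it over the constructed samples yields three HIGH findings and one MEDIUM; the sanitized `dangerouslySetInnerHTML` line and the `import.meta.env` lookup produce none, which is the behaviour the checklist asks a reviewer to confirm by hand.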

Step 4 — Authentication & authorization

Read the auth setup (likely `src/contexts/`, `src/hooks/`, or `setup-dune-auth` output):
- Every route that shows CDF data must be behind the Dune auth guard (`useCogniteClient` returns a non-null `sdk` before rendering).
- The CDF client must be initialized with short-lived OIDC tokens, not a static API key.
- User role/capability checks must happen server-side (CDF ACLs) — do not rely solely on hiding UI elements.

Check the `useAtlasChat` / Atlas agent integration:
- The `agentExternalId` must not be constructed from user-supplied input.
- Tool `execute` functions must not trust `args` blindly — validate or guard before using values in CDF queries.

Step 5 — Input validation

Every value that comes from a form, URL param, or query string before it reaches a CDF call or is rendered to the DOM must be validated:

```bash
# Find useSearchParams, URLSearchParams, and form onChange handlers
grep -rn --include="*.tsx" --include="*.ts" \
  -E "useSearchParams|URLSearchParams|searchParams.get|e.target.value" src/
```

For each hit, verify:
- The value is validated with Zod or a type guard before use.
- String values rendered in JSX are not concatenated into raw HTML.
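The guards below are an added example (not code from this prompt or the audited project) of what "validated with a type guard before use" looks like for the two untrusted inputs Steps 4 and 5 name: URL query parameters feeding a CDF asset query, and the `args` an Atlas tool's `execute` receives. The parameter names (`externalId`, `limit`), the tool argument shape, the external-ID character allowlist and the limit ceiling are all assumptions for the demonstration; the real app's schemas will differ. A Zod schema would replace the hand-written guards one for one.

```typescript
// Added example: fail-closed type guards for URL params (Step 5) and tool args (Step 4)
// before any value reaches a CDF query. Names and limits are assumptions.

// Conservative allowlist for identifiers we will put into a CDF filter (an assumption,
// not a CDF rule): letters, digits, and a few separators, bounded in length.
const EXTERNAL_ID_RE = /^[A-Za-z0-9_.:-]{1,255}$/;
const MAX_LIMIT = 1000;

interface AssetQuery {
  externalId: string;
  limit: number;
}

// Structural stand-in for URLSearchParams / useSearchParams()[0]: anything with get().
interface ParamSource {
  get(name: string): string | null;
}

// Helper so the demo and tests can build a ParamSource from a constructed record.
function fromRecord(record: Record<string, string>): ParamSource {
  return { get: (name) => (name in record ? record[name] : null) };
}

// Returns null for any missing or malformed value so the caller renders an error
// state instead of issuing a query built from raw input.
function parseAssetQuery(params: ParamSource): AssetQuery | null {
  const externalId = params.get("externalId");
  if (externalId === null || !EXTERNAL_ID_RE.test(externalId)) return null;

  const rawLimit = params.get("limit") ?? "100";
  if (!/^\d{1,4}$/.test(rawLimit)) return null;
  const limit = Number(rawLimit);
  if (limit < 1 || limit > MAX_LIMIT) return null;

  return { externalId, limit };
}

// Tool arguments arrive from the agent as untyped JSON. The guard checks both shape
// and content; the agent's own external ID is fixed at build time and never read
// from args.
interface SearchAssetsArgs {
  query: string;
  dataSetExternalId: string;
}

function isSearchAssetsArgs(args: unknown): args is SearchAssetsArgs {
  if (typeof args !== "object" || args === null) return false;
  const a = args as Record<string, unknown>;
  return (
    typeof a.query === "string" &&
    a.query.length > 0 &&
    a.query.length <= 200 &&
    typeof a.dataSetExternalId === "string" &&
    EXTERNAL_ID_RE.test(a.dataSetExternalId)
  );
}

// Stand-in for a tool's execute(): returns the filter it would send to CDF, or throws.
function buildSearchFilter(args: unknown): SearchAssetsArgs {
  if (!isSearchAssetsArgs(args)) {
    throw new Error("Rejected tool args: expected { query: string, dataSetExternalId: string }");
  }
  return { query: args.query, dataSetExternalId: args.dataSetExternalId };
}

// Constructed inputs: one well-formed query string and one with a malformed id.
console.log(parseAssetQuery(fromRecord({ externalId: "pump-01", limit: "50" })));
console.log(parseAssetQuery(fromRecord({ externalId: "pump 01; drop", limit: "50" })));
console.log(buildSearchFilter({ query: "pump", dataSetExternalId: "ds_maintenance" }));
```

Both guards reject rather than coerce: a limit of `5000` or an external ID containing whitespace returns `null`, and malformed tool arguments throw before any CDF call is constructed, which is the "validate or guard before using values in CDF queries" rule from Step 4 made concrete.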

---

Step 6 — Vite / server configuration

Read `vite.config.ts` and any `server.ts` / `express.ts` files:
- Confirm `server.headers` includes at minimum:
  - `Content-Security-Policy` — restricts script sources
  - `X-Frame-Options: DENY` or `frame-ancestors 'none'`
  - `X-Content-Type-Options: nosniff`
- Confirm the dev proxy (`server.proxy`) does not expose internal endpoints in production builds.
- Confirm `define` does not embed raw secrets into the bundle (use `import.meta.env` instead).
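As an added example (not part of this prompt or of Vite), the check below takes a `server.headers` object in the shape `vite.config.ts` uses and reports which of the Step 6 minimum headers are missing or weak, with a constructed weak header set beside a corrected one. Treating a CSP without a `script-src` or `default-src` directive, or one that allows `'unsafe-eval'`, as failing the "restricts script sources" requirement is this example's interpretation of the checklist.

```typescript
// Added example: audit a Vite server.headers map against the Step 6 minimum set.
// The two header maps at the bottom are constructed samples.

type HeaderMap = Record<string, string>;

// HTTP header names are case-insensitive, so look the key up that way.
function getHeader(headers: HeaderMap, name: string): string | undefined {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Returns one human-readable problem per unmet requirement; an empty list passes.
function checkSecurityHeaders(headers: HeaderMap): string[] {
  const problems: string[] = [];

  const csp = getHeader(headers, "Content-Security-Policy");
  if (csp === undefined) {
    problems.push("Content-Security-Policy missing");
  } else {
    // "Restricts script sources" is read here as: a script-src or default-src directive
    // is present and neither permits 'unsafe-eval' (this example's interpretation).
    if (!/(script-src|default-src)\s/.test(csp)) problems.push("CSP does not restrict script sources");
    if (/'unsafe-eval'/.test(csp)) problems.push("CSP allows 'unsafe-eval'");
  }

  // Either anti-framing control satisfies the checklist.
  const xfo = getHeader(headers, "X-Frame-Options");
  const frameAncestorsNone = csp !== undefined && /frame-ancestors\s+'none'/.test(csp);
  if (!(xfo?.toUpperCase() === "DENY" || frameAncestorsNone)) {
    problems.push("Framing not blocked: set X-Frame-Options: DENY or frame-ancestors 'none'");
  }

  if (getHeader(headers, "X-Content-Type-Options")?.toLowerCase() !== "nosniff") {
    problems.push("X-Content-Type-Options: nosniff missing");
  }
  return problems;
}

// Constructed: a weak configuration (SAMEORIGIN only) and the corrected one,
// both in the shape that would sit under server.headers in vite.config.ts.
const WEAK_HEADERS: HeaderMap = { "X-Frame-Options": "SAMEORIGIN" };

const HARDENED_HEADERS: HeaderMap = {
  "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
};

console.log("weak:", checkSecurityHeaders(WEAK_HEADERS));
console.log("hardened:", checkSecurityHeaders(HARDENED_HEADERS));
```

The weak map produces three problems (no CSP, framing not blocked, no `nosniff`); the hardened map produces none. The same function can be pointed at the headers an Express `server.ts` sets, since it only cares about the name/value map.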

Step 7 — Dependency audit

```bash
pnpm audit --audit-level=high
```

List every high/critical vulnerability with its package name, severity, and the recommended fix. If no vulnerabilities are found at high/critical level, state that explicitly.

Step 8 — Report findings

Produce a structured report grouped by severity:

| Severity | File | Line | Issue | Recommendation |
|---|---|---|---|---|
| HIGH | src/... | 42 | `eval()` call | Remove; use a data-driven approach |
| MEDIUM | ... | ... | ... | ... |
| LOW | ... | ... | ... | ... |
| INFO | ... | ... | Dependency X has a known low-severity CVE | Run `pnpm update X` |

If no issues are found in a step, state "No issues found" for that step. Do not skip steps silently.

Done

Summarize the total number of findings by severity and list any items that require immediate action before the next deployment.