code-security
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseCode Security Guidelines
代码安全指南
Comprehensive security rules for writing secure code across multiple languages and frameworks. Covers OWASP Top 10 vulnerabilities, infrastructure security, and coding best practices.
适用于多语言和多框架的编写安全代码的全面安全规则。涵盖OWASP Top 10漏洞、基础设施安全和编码最佳实践。
How It Works
工作方式
- When you write or review code, reference these security guidelines
- Each rule includes incorrect (vulnerable) and correct (secure) code examples
- Rules are organized by vulnerability category and impact level
- 编写或审核代码时,参考这些安全指南
- 每条规则都包含错误(存在漏洞)和正确(安全)的代码示例
- 规则按漏洞类别和影响级别分类
Categories
类别
Critical Impact
严重影响
- SQL Injection - Use parameterized queries, never concatenate user input
- Command Injection - Avoid shell commands with user input, use safe APIs
- XSS - Escape output, use framework protections
- XXE - Disable external entities in XML parsers
- Path Traversal - Validate and sanitize file paths
- Insecure Deserialization - Never deserialize untrusted data
- Code Injection - Never eval() user input
- Hardcoded Secrets - Use environment variables or secret managers
- Memory Safety - Prevent buffer overflows, use-after-free (C/C++)
- SQL注入 - 使用参数化查询,切勿拼接用户输入
- 命令注入 - 避免使用包含用户输入的shell命令,使用安全API
- XSS - 转义输出,使用框架防护机制
- XXE - 在XML解析器中禁用外部实体
- 路径遍历 - 验证并清理文件路径
- 不安全的反序列化 - 切勿反序列化不可信数据
- 代码注入 - 切勿对用户输入使用eval()
- 硬编码密钥 - 使用环境变量或密钥管理器
- 内存安全 - 防止缓冲区溢出、释放后使用(C/C++)
High Impact
高影响
- Insecure Crypto - Use SHA-256+, AES-256, avoid MD5/SHA1/DES
- Insecure Transport - Use HTTPS, verify certificates
- SSRF - Validate URLs, use allowlists
- JWT Issues - Always verify signatures
- CSRF - Use CSRF tokens on state-changing requests
- Prototype Pollution - Validate object keys in JavaScript
- 不安全的加密 - 使用SHA-256+、AES-256,避免MD5/SHA1/DES
- 不安全的传输 - 使用HTTPS,验证证书
- SSRF - 验证URL,使用允许列表
- JWT问题 - 始终验证签名
- CSRF - 在状态变更请求上使用CSRF令牌
- 原型污染 - 在JavaScript中验证对象键
Infrastructure
基础设施
- Terraform AWS/Azure/GCP - Encryption, least privilege, no public access
- Kubernetes - No privileged containers, run as non-root
- Docker - Don't run as root, pin image versions
- GitHub Actions - Avoid script injection, pin action versions
- Terraform AWS/Azure/GCP - 加密、最小权限、无公共访问
- Kubernetes - 无特权容器,以非root用户运行
- Docker - 不要以root用户运行,固定镜像版本
- GitHub Actions - 避免脚本注入,固定动作版本
Usage
使用方法
Reference the rules in directory for detailed examples:
rules/- - SQL injection prevention
rules/sql-injection.md - - Cross-site scripting prevention
rules/xss.md - - Command injection prevention
rules/command-injection.md - - Full index of all 28 rule categories
rules/_sections.md
参考目录中的规则获取详细示例:
rules/- - SQL注入防护
rules/sql-injection.md - - 跨站脚本防护
rules/xss.md - - 命令注入防护
rules/command-injection.md - - 全部28个规则类别的完整索引
rules/_sections.md
Quick Reference
快速参考
| Vulnerability | Key Prevention |
|---|---|
| SQL Injection | Parameterized queries |
| XSS | Output encoding |
| Command Injection | Avoid shell, use APIs |
| Path Traversal | Validate paths |
| SSRF | URL allowlists |
| Secrets | Environment variables |
| Crypto | SHA-256, AES-256 |
| 漏洞类型 | 核心防护措施 |
|---|---|
| SQL注入 | 参数化查询 |
| XSS | 输出编码 |
| 命令注入 | 避免使用shell,使用API |
| 路径遍历 | 验证路径 |
| SSRF | URL允许列表 |
| 密钥管理 | 环境变量 |
| 加密算法 | SHA-256, AES-256 |