security

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Security Skill

安全技能指南

Dependency Scanning

依赖项扫描

pnpm audit

pnpm 审计

bash

undefined

bash

undefined

Run audit

执行审计

pnpm audit

Only high/critical

仅检查高/严重等级漏洞

pnpm audit --audit-level=high

Auto-fix

自动修复

pnpm audit --fix

JSON report

生成JSON报告

pnpm audit --json > audit.json

undefined

pnpm audit --json > audit.json

undefined

Fix Vulnerabilities

修复漏洞

Direct dependencies: Update version in

pnpm-workspace.yaml

catalog

Transitive dependencies:

bash

undefined

直接依赖项： 在

pnpm-workspace.yaml

的依赖清单中更新版本

间接依赖项：

bash

undefined

Find dependency chain

查找依赖链

pnpm why vulnerable-package

Use overrides as last resort

仅在万不得已时使用覆盖配置

package.json

{ "pnpm": { "overrides": { "vulnerable-package": "^3.1.0" } } }

undefined

{ "pnpm": { "overrides": { "vulnerable-package": "^3.1.0" } } }

undefined

Snyk

bash

snyk auth          # Authenticate
snyk test          # Test for vulnerabilities
snyk monitor       # Monitor for new vulnerabilities
snyk fix           # Auto-fix

bash

snyk auth          # 身份验证
snyk test          # 检测漏洞
snyk monitor       # 持续监控新漏洞
snyk fix           # 自动修复

OWASP Top 10 Checks

OWASP Top 10 检查项

1. Broken Access Control

1. 访问控制失效

typescript

// ❌ No authorization
export async function deletePost(postId: string) {
  await db.delete(posts).where(eq(posts.id, postId));
}

// ✅ With authorization
export async function deletePost(postId: string, userId: string) {
  const post = await db.query.posts.findFirst({ where: eq(posts.id, postId) });
  if (post.authorId !== userId) throw new Error("Unauthorized");
  await db.delete(posts).where(eq(posts.id, postId));
}

typescript

// ❌ 未添加授权校验
export async function deletePost(postId: string) {
  await db.delete(posts).where(eq(posts.id, postId));
}

// ✅ 添加授权校验
export async function deletePost(postId: string, userId: string) {
  const post = await db.query.posts.findFirst({ where: eq(posts.id, postId) });
  if (post.authorId !== userId) throw new Error("Unauthorized");
  await db.delete(posts).where(eq(posts.id, postId));
}

2. Injection Prevention

2. 注入攻击防护

typescript

// ❌ SQL Injection
const query = `SELECT * FROM users WHERE id = ${userId}`;

// ✅ Parameterized query (Drizzle ORM)
const user = await db.query.users.findFirst({ where: eq(users.id, userId) });

typescript

// ❌ 存在SQL注入风险
const query = `SELECT * FROM users WHERE id = ${userId}`;

// ✅ 使用参数化查询（Drizzle ORM）
const user = await db.query.users.findFirst({ where: eq(users.id, userId) });

3. XSS Prevention

3. XSS攻击防护

React escapes content by default. When rendering HTML:

Sanitize with
```
sanitize-html
```
library before rendering
Never render untrusted content directly

React默认会转义内容。渲染HTML时：

渲染前使用
```
sanitize-html
```
库进行内容清理
绝不要直接渲染不可信内容

4. Rate Limiting

4. 限流控制

typescript

import { Ratelimit } from "@upstash/ratelimit";
import { redis } from "@sgcarstrends/utils";

const ratelimit = new Ratelimit({
  redis,
  limiter: Ratelimit.slidingWindow(5, "15 m"),
});

export async function login(email: string, password: string, ip: string) {
  const { success } = await ratelimit.limit(ip);
  if (!success) throw new Error("Too many login attempts");
  return verifyCredentials(email, password);
}

typescript

import { Ratelimit } from "@upstash/ratelimit";
import { redis } from "@sgcarstrends/utils";

const ratelimit = new Ratelimit({
  redis,
  limiter: Ratelimit.slidingWindow(5, "15 m"),
});

export async function login(email: string, password: string, ip: string) {
  const { success } = await ratelimit.limit(ip);
  if (!success) throw new Error("Too many login attempts");
  return verifyCredentials(email, password);
}

5. Password Security

5. 密码安全

typescript

import bcrypt from "bcrypt";

// ✅ Hash passwords
const hashedPassword = await bcrypt.hash(password, 10);

// ✅ Strong password validation
const passwordSchema = z.string()
  .min(12)
  .regex(/[A-Z]/, "Must contain uppercase")
  .regex(/[a-z]/, "Must contain lowercase")
  .regex(/[0-9]/, "Must contain number")
  .regex(/[^A-Za-z0-9]/, "Must contain special character");

typescript

import bcrypt from "bcrypt";

// ✅ 对密码进行哈希处理
const hashedPassword = await bcrypt.hash(password, 10);

// ✅ 强密码校验
const passwordSchema = z.string()
  .min(12)
  .regex(/[A-Z]/, "Must contain uppercase")
  .regex(/[a-z]/, "Must contain lowercase")
  .regex(/[0-9]/, "Must contain number")
  .regex(/[^A-Za-z0-9]/, "Must contain special character");

6. SSRF Prevention

6. SSRF攻击防护

typescript

// ❌ SSRF vulnerability
export async function fetchUrl(url: string) {
  return await fetch(url);
}

// ✅ Whitelist approach
const ALLOWED_DOMAINS = ["api.example.com", "data.gov.sg"];

export async function fetchUrl(url: string) {
  const parsedUrl = new URL(url);
  if (!ALLOWED_DOMAINS.includes(parsedUrl.hostname)) {
    throw new Error("Domain not allowed");
  }
  return await fetch(url);
}

typescript

// ❌ 存在SSRF漏洞风险
export async function fetchUrl(url: string) {
  return await fetch(url);
}

// ✅ 采用白名单机制
const ALLOWED_DOMAINS = ["api.example.com", "data.gov.sg"];

export async function fetchUrl(url: string) {
  const parsedUrl = new URL(url);
  if (!ALLOWED_DOMAINS.includes(parsedUrl.hostname)) {
    throw new Error("Domain not allowed");
  }
  return await fetch(url);
}

Input Validation

输入校验

typescript

import { z } from "zod";

const userInputSchema = z.object({
  name: z.string().min(1).max(100),
  email: z.string().email(),
  age: z.number().int().min(0).max(150),
});

export async function createUser(data: unknown) {
  const validated = userInputSchema.parse(data);
  // Now safe to use
}

typescript

import { z } from "zod";

const userInputSchema = z.object({
  name: z.string().min(1).max(100),
  email: z.string().email(),
  age: z.number().int().min(0).max(150),
});

export async function createUser(data: unknown) {
  const validated = userInputSchema.parse(data);
  // 此时数据可安全使用
}

CORS Configuration

CORS配置

typescript

// ❌ Too permissive
app.use(cors({ origin: "*" }));

// ✅ Whitelist specific origins
app.use(cors({
  origin: [
    "https://sgcarstrends.com",
    "https://staging.sgcarstrends.com",
    process.env.NODE_ENV === "development" ? "http://localhost:3001" : "",
  ].filter(Boolean),
  credentials: true,
}));

typescript

// ❌ 配置过于宽松
app.use(cors({ origin: "*" }));

// ✅ 配置特定域名白名单
app.use(cors({
  origin: [
    "https://sgcarstrends.com",
    "https://staging.sgcarstrends.com",
    process.env.NODE_ENV === "development" ? "http://localhost:3001" : "",
  ].filter(Boolean),
  credentials: true,
}));

Security Headers

安全响应头

typescript

// next.config.js
const securityHeaders = [
  { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains; preload" },
  { key: "X-Frame-Options", value: "SAMEORIGIN" },
  { key: "X-Content-Type-Options", value: "nosniff" },
  { key: "X-XSS-Protection", value: "1; mode=block" },
  { key: "Referrer-Policy", value: "origin-when-cross-origin" },
];

module.exports = {
  async headers() {
    return [{ source: "/:path*", headers: securityHeaders }];
  },
};

typescript

// next.config.js
const securityHeaders = [
  { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains; preload" },
  { key: "X-Frame-Options", value: "SAMEORIGIN" },
  { key: "X-Content-Type-Options", value: "nosniff" },
  { key: "X-XSS-Protection", value: "1; mode=block" },
  { key: "Referrer-Policy", value: "origin-when-cross-origin" },
];

module.exports = {
  async headers() {
    return [{ source: "/:path*", headers: securityHeaders }];
  },
};

Environment Variables

环境变量

typescript

// ❌ Hardcoded secret
const apiKey = "sk_live_EXAMPLE_NOT_REAL";

// ✅ From environment with validation
import { z } from "zod";

const envSchema = z.object({
  API_KEY: z.string().min(1),
  DATABASE_URL: z.string().url(),
});

const env = envSchema.parse(process.env);

typescript

// ❌ 硬编码密钥
const apiKey = "sk_live_EXAMPLE_NOT_REAL";

// ✅ 从环境变量读取并校验
import { z } from "zod";

const envSchema = z.object({
  API_KEY: z.string().min(1),
  DATABASE_URL: z.string().url(),
});

const env = envSchema.parse(process.env);

CI Integration

CI集成

yaml

undefined

yaml

undefined

.github/workflows/security.yml

name: Security Audit

on: push: branches: [main] schedule: - cron: '0 0 * * 1' # Weekly

jobs: audit: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: pnpm/action-setup@v2 - run: pnpm install - run: pnpm audit --audit-level=high

undefined

name: Security Audit

on: push: branches: [main] schedule: - cron: '0 0 * * 1' # 每周执行

jobs: audit: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: pnpm/action-setup@v2 - run: pnpm install - run: pnpm audit --audit-level=high

undefined

security

Original

Translation

Security Skill

安全技能指南

Dependency Scanning

依赖项扫描

pnpm audit

pnpm 审计

Run audit

执行审计

Only high/critical

仅检查高/严重等级漏洞

Auto-fix

自动修复

JSON report

生成JSON报告

Fix Vulnerabilities

修复漏洞

Find dependency chain

查找依赖链

Use overrides as last resort

仅在万不得已时使用覆盖配置

package.json

package.json

Snyk

Snyk

OWASP Top 10 Checks

OWASP Top 10 检查项

1. Broken Access Control

1. 访问控制失效

2. Injection Prevention

2. 注入攻击防护

3. XSS Prevention

3. XSS攻击防护

4. Rate Limiting

4. 限流控制

5. Password Security

5. 密码安全

6. SSRF Prevention

6. SSRF攻击防护

Input Validation

输入校验

CORS Configuration

CORS配置

Security Headers

安全响应头

Environment Variables

环境变量

CI Integration

CI集成

.github/workflows/security.yml

.github/workflows/security.yml

Security Checklist

安全检查清单

References

参考资料