code-review-best-practices/example-guidelines/security/input-validation.yaml at main · augmentcode/code-review-best-practices · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
# Input Validation Security Code Review Guidelines
# Comprehensive rules for input validation and sanitization best practices
# Version: 1.0
# Last Updated: 2026-01-02

name: Input Validation Security Guidelines
description: Code review guidelines for input validation covering XSS prevention, injection prevention, file uploads, data validation, and URL/path validation

globs:
  - "**/*.py"
  - "**/*.js"
  - "**/*.ts"
  - "**/*.java"
  - "**/*.go"
  - "**/*.rb"
  - "**/*.php"
  - "**/*.cs"
  - "**/*.html"
  - "**/*.vue"
  - "**/*.jsx"
  - "**/*.tsx"
  - "**/*controller*"
  - "**/*handler*"
  - "**/*route*"
  - "**/*upload*"
  - "**/*form*"

rules:
  # ============================================================================
  # XSS PREVENTION RULES
  # ============================================================================

  - name: encode-output-for-context
    description: >
      Always encode output based on context: HTML entity encoding for HTML body, attribute
      encoding for attributes, JavaScript encoding for script contexts, URL encoding for
      URLs. Use framework auto-escaping and be aware of contexts where it's disabled.
    severity: critical

  - name: implement-content-security-policy
    description: >
      Implement a strict Content-Security-Policy header. Start with default-src 'self';
      add specific sources as needed. Avoid 'unsafe-inline' and 'unsafe-eval'. Use nonces
      or hashes for inline scripts. Report violations with report-uri or report-to.
    severity: high

  - name: sanitize-html-input
    description: >
      When HTML input is required, use a well-tested sanitization library (DOMPurify,
      Bleach, OWASP Java HTML Sanitizer). Whitelist allowed tags and attributes. Never
      use regex for HTML sanitization. Re-sanitize on output, not just input.
    severity: critical

  - name: prevent-dom-based-xss
    description: >
      Avoid dangerous DOM APIs with untrusted data: innerHTML, outerHTML, document.write,
      eval. Use textContent, setAttribute with validation, or framework-provided safe
      methods. Sanitize data from URL parameters, localStorage, and postMessage.
    severity: high

  - name: validate-rich-text-content
    description: >
      Rich text editors are high-risk XSS vectors. Use editors with built-in sanitization.
      Validate on server side regardless of client sanitization. Consider storing markdown
      and rendering server-side. Limit allowed formatting to business requirements.
    severity: high

  # ============================================================================
  # INJECTION PREVENTION RULES
  # ============================================================================

  - name: prevent-sql-injection
    description: >
      Never concatenate user input into SQL queries. Always use parameterized queries,
      prepared statements, or ORM query builders. Validate and whitelist column/table names
      for dynamic queries. Enable SQL query logging in development to audit queries.
    severity: critical

  - name: prevent-nosql-injection
    description: >
      NoSQL databases are vulnerable to injection via operators like $gt, $ne, $where.
      Validate input types strictly - reject objects when expecting strings. Use ODM/ORM
      libraries correctly. Sanitize MongoDB query operators from user input.
    severity: critical

  - name: prevent-ldap-injection
    description: >
      Escape special LDAP characters in user input: *, (, ), \, NUL, and leading #/space.
      Use parameterized LDAP queries when available. Validate input against expected
      patterns. Consider using higher-level APIs that handle escaping.
    severity: high

  - name: prevent-command-injection
    description: >
      Avoid executing shell commands with user input. If necessary, use parameterized
      APIs (subprocess with list arguments, not shell=True). Never interpolate user
      input into commands. Whitelist allowed commands and arguments strictly.
    severity: critical

  - name: prevent-template-injection
    description: >
      Server-side template injection (SSTI) allows code execution. Never pass user input
      to template rendering as template code. Use logic-less templates when possible.
      Sandbox template engines. Audit template rendering with user-controlled data.
    severity: critical

  - name: prevent-xml-injection
    description: >
      Disable external entity processing (XXE) in XML parsers. Use defusedxml in Python,
      disable DTDs in Java. Avoid XML where possible; prefer JSON. If using XML, validate
      against schema and sanitize content appropriately.
    severity: high

  # ============================================================================
  # FILE UPLOAD RULES
  # ============================================================================

  - name: validate-file-types
    description: >
      Validate file types by content inspection (magic bytes), not just extension or
      MIME type (easily spoofed). Whitelist allowed types explicitly. Reject files that
      don't match expected content. Re-encode images to strip malicious content.
    severity: high

  - name: enforce-file-size-limits
    description: >
      Implement and enforce file size limits at multiple levels: web server, application,
      and storage. Reject oversized uploads early (before full read). Set appropriate
      limits per file type and user role. Monitor for quota abuse.
    severity: medium

  - name: secure-file-storage-location
    description: >
      Store uploaded files outside web root to prevent direct execution. Use a separate
      domain/CDN for serving user content. Generate random filenames; never use user-
      provided names directly. Set restrictive permissions on upload directories.
    severity: high

  - name: sanitize-filenames
    description: >
      Sanitize uploaded filenames: remove path components, special characters, and null
      bytes. Generate new filenames using UUIDs. Store original filename separately if
      needed. Prevent path traversal via filenames like ../../../etc/passwd.
    severity: high

  - name: scan-uploaded-files
    description: >
      Scan uploaded files for malware using antivirus integration. Quarantine suspicious
      files. Implement asynchronous scanning for large files. Re-scan files periodically.
      Consider sandboxed processing for risky file types.
    severity: high

  # ============================================================================
  # DATA VALIDATION RULES
  # ============================================================================

  - name: use-whitelist-validation
    description: >
      Use whitelist (allowlist) validation over blacklist. Define what IS allowed, not
      what isn't. Blacklists are easily bypassed with encoding tricks or new attack
      vectors. Validate against strict patterns for format-specific data.
    severity: high

  - name: validate-type-coercion
    description: >
      Be aware of type coercion vulnerabilities. Validate types strictly - reject "123"
      when expecting integer in languages that auto-coerce. Use strict equality checks.
      Test edge cases: empty strings, null, undefined, arrays where strings expected.
    severity: medium

  - name: implement-boundary-checking
    description: >
      Validate numeric inputs against expected boundaries. Check for integer overflow/
      underflow. Validate array indices before access. Set reasonable limits on counts
      and sizes. Handle edge cases: negative numbers, zero, very large values.
    severity: high

  - name: validate-date-time-inputs
    description: >
      Validate date/time inputs: check format, range, and timezone. Prevent date
      manipulation attacks (future dates for trials, past dates for deadlines).
      Normalize timezones. Be aware of timezone-related logic bugs.
    severity: medium

  - name: validate-json-depth
    description: >
      Limit JSON parsing depth to prevent denial of service through deeply nested
      structures. Set reasonable limits (e.g., 32 levels). Validate JSON structure
      before processing. Use streaming parsers for large payloads.
    severity: medium

  # ============================================================================
  # URL/PATH VALIDATION RULES
  # ============================================================================

  - name: prevent-open-redirect
    description: >
      Validate redirect URLs against an allowlist of destinations. Never redirect to
      user-supplied URLs without validation. If redirects are needed, use indirect
      references (IDs mapped to URLs server-side). Log redirect attempts.
    severity: high

  - name: prevent-ssrf
    description: >
      Server-Side Request Forgery (SSRF) allows attackers to make requests from your
      server. Validate and whitelist URLs for server-side requests. Block internal
      IPs (127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16). Use allowlist of domains/protocols.
    severity: critical

  - name: prevent-path-traversal
    description: >
      Validate file paths to prevent directory traversal. Normalize paths and verify
      they stay within expected directories. Block ../, encoded variants (%2e%2e%2f),
      and null bytes. Use path canonicalization before validation.
    severity: critical

  - name: validate-url-schemes
    description: >
      Whitelist allowed URL schemes (http, https). Block dangerous schemes: javascript:,
      data:, file:, ftp:. Be aware of scheme-relative URLs (//evil.com). Validate URL
      components separately (host, path, query).
    severity: high

  - name: normalize-unicode
    description: >
      Normalize Unicode input to prevent bypass attacks using different Unicode
      representations of same characters. Use NFC or NFKC normalization. Be aware
      of homoglyph attacks (cyrillic 'а' vs latin 'a'). Validate after normalization.
    severity: medium

  - name: validate-email-addresses
    description: >
      Validate email addresses properly - use established libraries, not simple regex.
      Consider sending verification emails rather than complex validation. Be aware of
      email header injection in email addresses. Normalize before comparison.
    severity: medium