| name | arch-security-review |
| description | Use when reviewing code for security vulnerabilities, implementing authorization, or ensuring data protection. |
| allowed-tools | Read, Write, Edit, Grep, Glob, Bash, Task |
Security Review Workflow
When to Use This Skill
- Security audit of code changes
- Implementing authentication/authorization
- Data protection review
- Vulnerability assessment
Pre-Flight Checklist
OWASP Top 10 Checklist
1. Broken Access Control
[HttpGet("{id}")]
public async Task<Employee> Get(string id)
=> await repo.GetByIdAsync(id);
[HttpGet("{id}")]
[PlatformAuthorize(Roles.Manager, Roles.Admin)]
public async Task<Employee> Get(string id)
{
var employee = await repo.GetByIdAsync(id);
if (employee.CompanyId != RequestContext.CurrentCompanyId())
throw new UnauthorizedAccessException();
return employee;
}
2. Cryptographic Failures
var apiKey = config["ApiKey"];
await SaveToDatabase(apiKey);
var encryptedKey = encryptionService.Encrypt(apiKey);
await SaveToDatabase(encryptedKey);
var apiKey = config.GetValue<string>("ApiKey");
3. Injection
var sql = $"SELECT * FROM Users WHERE Name = '{name}'";
await context.Database.ExecuteSqlRawAsync(sql);
await context.Users.Where(u => u.Name == name).ToListAsync();
await context.Database.ExecuteSqlRawAsync(
"SELECT * FROM Users WHERE Name = @p0", name);
4. Insecure Design
[HttpPost("login")]
public async Task<IActionResult> Login(LoginRequest request)
=> await authService.Login(request);
[HttpPost("login")]
[RateLimit(MaxRequests = 5, WindowSeconds = 60)]
public async Task<IActionResult> Login(LoginRequest request)
=> await authService.Login(request);
5. Security Misconfiguration
app.UseDeveloperExceptionPage();
if (env.IsDevelopment())
app.UseDeveloperExceptionPage();
else
app.UseExceptionHandler("/Error");
6. Vulnerable Components
dotnet list package --vulnerable
dotnet outdated
7. Authentication Failures
if (password.Length >= 4) { }
public class PasswordPolicy
{
public bool Validate(string password)
{
return password.Length >= 12
&& password.Any(char.IsUpper)
&& password.Any(char.IsLower)
&& password.Any(char.IsDigit)
&& password.Any(c => !char.IsLetterOrDigit(c));
}
}
8. Data Integrity Failures
var userData = await externalApi.GetUserAsync(id);
await SaveToDatabase(userData);
var userData = await externalApi.GetUserAsync(id);
var validation = userData.Validate();
if (!validation.IsValid)
throw new ValidationException(validation.Errors);
await SaveToDatabase(userData);
9. Logging Failures
Logger.LogInformation("User login: {Email} {Password}", email, password);
Logger.LogInformation("User login: {Email}", email);
10. SSRF (Server-Side Request Forgery)
var url = request.WebhookUrl;
await httpClient.GetAsync(url);
if (!IsAllowedUrl(request.WebhookUrl))
throw new SecurityException("Invalid webhook URL");
private bool IsAllowedUrl(string url)
{
var uri = new Uri(url);
return AllowedDomains.Contains(uri.Host)
&& uri.Scheme == "https";
}
Authorization Patterns
Controller Level
[ApiController]
[Route("api/[controller]")]
[PlatformAuthorize]
public class EmployeeController : PlatformBaseController
{
[HttpPost]
[PlatformAuthorize(Roles.Admin, Roles.Manager)]
public async Task<IActionResult> Create(...)
}
Handler Level
protected override async Task<PlatformValidationResult<T>> ValidateRequestAsync(
PlatformValidationResult<T> validation, CancellationToken ct)
{
return await validation
.And(_ => RequestContext.HasRole(Roles.Admin), "Admin role required")
.And(_ => entity.CompanyId == RequestContext.CurrentCompanyId(),
"Access denied: different company")
.And(_ => entity.OwnerId == RequestContext.UserId() ||
RequestContext.HasRole(Roles.Admin),
"Access denied: not owner");
}
Query Level
var employees = await repo.GetAllAsync(
e => e.CompanyId == RequestContext.CurrentCompanyId()
&& (e.IsPublic || e.OwnerId == RequestContext.UserId()));
Data Protection
Sensitive Data Handling
public class SensitiveDataHandler
{
public string EncryptForStorage(string plainText)
=> encryptionService.Encrypt(plainText);
public string MaskEmail(string email)
{
var parts = email.Split('@');
return $"{parts[0][0]}***@{parts[1]}";
}
public void LogUserAction(User user)
{
Logger.LogInformation("User action: {UserId}", user.Id);
}
}
File Upload Security
public async Task<IActionResult> Upload(IFormFile file)
{
var allowedTypes = new[] { ".pdf", ".docx", ".xlsx" };
var extension = Path.GetExtension(file.FileName).ToLowerInvariant();
if (!allowedTypes.Contains(extension))
return BadRequest("Invalid file type");
if (file.Length > 10 * 1024 * 1024)
return BadRequest("File too large");
if (!await antivirusService.ScanAsync(file))
return BadRequest("File rejected by security scan");
var safeFileName = $"{Guid.NewGuid()}{extension}";
await fileService.SaveAsync(file, safeFileName);
return Ok();
}
Security Scanning Commands
dotnet list package --vulnerable
dotnet outdated
grep -r "password\|secret\|apikey" --include="*.cs" --include="*.json"
grep -r "Password=\"" --include="*.cs"
grep -r "connectionString.*password" --include="*.json"
Security Review Checklist
Authentication
Authorization
Input Validation
Data Protection
Dependencies
Anti-Patterns to AVOID
:x: Trusting client input
var isAdmin = request.IsAdmin;
:x: Exposing internal errors
catch (Exception ex) { return BadRequest(ex.ToString()); }
:x: Hardcoded secrets
var apiKey = "sk_live_xxxxx";
:x: Insufficient logging
await DeleteAllUsers();
Verification Checklist