Code Review Security

When to Use

Activate this skill when:

Reviewing pull requests for security vulnerabilities
Auditing authentication or authorization code changes
Reviewing code that handles user input, file uploads, or external data
Checking for OWASP Top 10 vulnerabilities in new features
Validating that secrets are not committed to the repository
Scanning dependencies for known vulnerabilities
Reviewing API endpoints that expose sensitive data

Output: Write findings to security-review.md with severity, file:line, description, and recommendations.

Do NOT use this skill for:

Deployment infrastructure security (use docker-best-practices)
Incident response procedures (use incident-response)
General code quality review without security focus (use pre-merge-checklist)
Writing implementation code (use python-backend-expert or react-frontend-expert)

Instructions

OWASP Top 10 Checklist

Review every PR against the OWASP Top 10 (2021 edition). Each category below includes specific checks for Python/FastAPI and React codebases.

A01: Broken Access Control

What to look for:

Missing authorization checks on endpoints
Direct object reference without ownership verification
Endpoints that expose data without role-based filtering
Missing Depends() for auth on new routes

Python/FastAPI checks:

# BAD: No authorization check -- any authenticated user can access any user
@router.get("/users/{user_id}")
async def get_user(user_id: int, db: Session = Depends(get_db)):
    return await user_repo.get(user_id)

# GOOD: Verify the requesting user owns the resource or is admin
@router.get("/users/{user_id}")
async def get_user(
    user_id: int,
    current_user: User = Depends(get_current_user),
    db: Session = Depends(get_db),
):
    if current_user.id != user_id and current_user.role != "admin":
        raise HTTPException(status_code=403, detail="Forbidden")
    return await user_repo.get(user_id)

Review checklist:

Every route has authentication (Depends(get_current_user))
Resource access is verified against the requesting user
Admin-only endpoints check role == "admin"
List endpoints filter by user ownership (unless admin)
No IDOR (Insecure Direct Object Reference) vulnerabilities

A02: Cryptographic Failures

What to look for:

Passwords stored in plaintext or with weak hashing
Sensitive data in logs or error messages
Hardcoded secrets, API keys, or tokens
Weak JWT configuration

Python checks:

# BAD: Weak password hashing
import hashlib
password_hash = hashlib.md5(password.encode()).hexdigest()

# GOOD: Use bcrypt via passlib
from passlib.context import CryptContext
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
password_hash = pwd_context.hash(password)

# BAD: Secret in code
SECRET_KEY = "my-super-secret-key-123"

# GOOD: Secret from environment
SECRET_KEY = os.environ["SECRET_KEY"]

Review checklist:

Passwords hashed with bcrypt (never MD5, SHA1, or plaintext)
JWT secret loaded from environment, not hardcoded
Sensitive data excluded from logs (passwords, tokens, PII)
HTTPS enforced for all external communication
No secrets in source code (check .env.example has placeholders only)

A03: Injection

What to look for:

Raw SQL queries with string interpolation
eval(), exec(), compile() with user input
subprocess calls with shell=True
Template injection

Python checks:

# BAD: SQL injection via string formatting
query = f"SELECT * FROM users WHERE email = '{email}'"
db.execute(text(query))

# GOOD: Parameterized query
db.execute(text("SELECT * FROM users WHERE email = :email"), {"email": email})

# GOOD: SQLAlchemy ORM (always parameterized)
user = db.query(User).filter(User.email == email).first()

# BAD: Command injection
subprocess.run(f"convert {filename}", shell=True)

# GOOD: Pass arguments as a list
subprocess.run(["convert", filename], shell=False)

# BAD: Code execution with user input
result = eval(user_input)

# GOOD: Never eval user input. Use ast.literal_eval for safe parsing.
result = ast.literal_eval(user_input)  # Only for literal structures

Review checklist:

No raw SQL with string interpolation (use ORM or parameterized queries)
No eval(), exec(), or compile() with external input
No subprocess.run(..., shell=True) with dynamic arguments
No pickle.loads() on untrusted data
All user input validated by Pydantic schemas before use

A04: Insecure Design

What to look for:

Missing rate limiting on authentication endpoints
No account lockout after failed login attempts
Missing CAPTCHA on public-facing forms
Business logic flaws (e.g., negative amounts, self-privilege-escalation)

Review checklist:

Rate limiting on login, registration, and password reset
Account lockout or exponential backoff after 5+ failed attempts
Business logic validates constraints (positive amounts, valid transitions)
Sensitive operations require re-authentication

A05: Security Misconfiguration

What to look for:

Debug mode enabled in production
CORS configured with wildcard * origins
Default credentials or admin accounts
Verbose error messages exposing stack traces

Python/FastAPI checks:

# BAD: Wide-open CORS
app.add_middleware(CORSMiddleware, allow_origins=["*"])

# GOOD: Explicit allowed origins
app.add_middleware(
    CORSMiddleware,
    allow_origins=["https://app.example.com"],
    allow_methods=["GET", "POST", "PUT", "DELETE"],
    allow_headers=["Authorization", "Content-Type"],
)

# BAD: Debug mode in production
app = FastAPI(debug=True)

# GOOD: Debug only in development
app = FastAPI(debug=settings.DEBUG)  # DEBUG=False in production

Review checklist:

CORS origins are explicit (no wildcard in production)
Debug mode disabled in production configuration
Error responses do not expose stack traces or internal details
Default admin credentials are changed or removed
Security headers set (X-Content-Type-Options, X-Frame-Options, etc.)

A06: Vulnerable and Outdated Components

Review checklist:

No known CVEs in Python dependencies (pip-audit or safety check)
No known CVEs in npm dependencies (npm audit)
Dependencies pinned to specific versions in lock files
No deprecated packages still in use

A07: Identification and Authentication Failures

What to look for:

Weak password policies
Session tokens that do not expire
Missing multi-factor authentication for admin actions
JWT tokens without expiration

Python checks:

# BAD: JWT without expiration
token = jwt.encode({"sub": user_id}, SECRET_KEY, algorithm="HS256")

# GOOD: JWT with expiration
token = jwt.encode(
    {"sub": user_id, "exp": datetime.utcnow() + timedelta(minutes=30)},
    SECRET_KEY,
    algorithm="HS256",
)

Review checklist:

JWT tokens have expiration (exp claim)
Refresh tokens are stored securely and can be revoked
Password policy enforces minimum length (12+) and complexity
Session invalidation on password change or logout
No user enumeration via login error messages

A08: Software and Data Integrity Failures

Review checklist:

CI/CD pipeline validates artifact integrity
No unsigned or unverified packages
Deserialization of untrusted data uses safe methods (no pickle.loads)
Database migrations are reviewed before execution

A09: Security Logging and Monitoring Failures

Review checklist:

Authentication events are logged (login, logout, failed attempts)
Authorization failures are logged with context
Sensitive data is NOT included in logs (passwords, tokens, PII)
Log entries include timestamp, user ID, IP address, action
Alerting configured for suspicious patterns (brute force, unusual access)

A10: Server-Side Request Forgery (SSRF)

What to look for:

User-supplied URLs used in server-side requests
Redirect endpoints that accept arbitrary URLs

Python checks:

# BAD: Fetch arbitrary URL from user input
url = request.query_params["url"]
response = httpx.get(url)  # SSRF: can access internal services

# GOOD: Validate URL against allowlist
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
parsed = urlparse(url)
if parsed.hostname not in ALLOWED_HOSTS:
    raise HTTPException(400, "URL not allowed")
response = httpx.get(url)

Review checklist:

No server-side requests to user-controlled URLs without validation
URL allowlists used for external integrations
Internal service URLs not exposed in error messages

Python-Specific Security Checks

Beyond OWASP, review Python code for these patterns:

Pattern	Risk	Fix
`eval(user_input)`	Remote code execution	Remove or use `ast.literal_eval`
`pickle.loads(data)`	Arbitrary code execution	Use JSON or `msgpack`
`subprocess.run(cmd, shell=True)`	Command injection	Pass args as list, `shell=False`
`yaml.load(data)`	Code execution	Use `yaml.safe_load(data)`
`os.system(cmd)`	Command injection	Use `subprocess.run([...])`
Raw SQL strings	SQL injection	Use ORM or parameterized queries
`hashlib.md5(password)`	Weak hashing	Use `bcrypt` via `passlib`
`jwt.decode(token, options={"verify_signature": False})`	Auth bypass	Always verify signature
`open(user_path)`	Path traversal	Validate path, use `pathlib.resolve()`
`tempfile.mktemp()`	Race condition	Use `tempfile.mkstemp()`

React-Specific Security Checks

Pattern	Risk	Fix
`dangerouslySetInnerHTML`	XSS	Use text content or sanitize with DOMPurify
`javascript:` in href	XSS	Validate URLs, allow only `https:`
`window.location = userInput`	Open redirect	Validate against allowlist
Storing tokens in localStorage	Token theft via XSS	Use httpOnly cookies
Inline event handlers from data	XSS	Use React event handlers
`eval()` or `Function()`	Code execution	Remove entirely
Rendering user HTML	XSS	Use a sanitization library

React code review:

// BAD: XSS via dangerouslySetInnerHTML
<div dangerouslySetInnerHTML={{ __html: userBio }} />

// GOOD: Sanitize first, or use text content
import DOMPurify from "dompurify";
<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(userBio) }} />

// BETTER: Use text content when HTML is not needed
<p>{userBio}</p>

// BAD: javascript: URL
<a href={userLink}>Click</a>  // userLink could be "javascript:alert(1)"

// GOOD: Validate protocol
const safeHref = /^https?:\/\//.test(userLink) ? userLink : "#";
<a href={safeHref}>Click</a>

Severity Classification

Classify each finding by severity for prioritization:

Severity	Description	Examples	SLA
Critical	Exploitable remotely, no auth needed, data breach	SQL injection, RCE, auth bypass	Block merge, fix immediately
High	Exploitable with auth, privilege escalation	IDOR, broken access control, XSS (stored)	Block merge, fix before release
Medium	Requires specific conditions to exploit	CSRF, XSS (reflected), open redirect	Fix within sprint
Low	Defense-in-depth, informational	Missing headers, verbose errors	Fix when convenient
Info	Best practice recommendations	Dependency updates, code style	Track in backlog

Finding Report Format

When reporting security findings, use this format for consistency:

## Security Finding: [Title]

**Severity:** Critical | High | Medium | Low | Info
**Category:** OWASP A01-A10 or custom category
**File:** path/to/file.py:42
**CWE:** CWE-89 (if applicable)

### Description
Brief description of the vulnerability and its impact.

### Vulnerable Code
```python
# The problematic code
vulnerable_function(user_input)

Recommended Fix

# The secure alternative
safe_function(sanitize(user_input))

Impact

What an attacker could achieve by exploiting this vulnerability.

References

Link to relevant OWASP page
Link to relevant CWE entry


### Automated Scanning

Use `scripts/security-scan.py` to perform AST-based scanning for common vulnerability patterns in Python code. The script scans for:
- `eval()` / `exec()` / `compile()` calls
- `subprocess` with `shell=True`
- `pickle.loads()` on potentially untrusted data
- Raw SQL string construction
- `yaml.load()` without `Loader=SafeLoader`
- Hardcoded secret patterns (API keys, passwords)
- Weak hash functions (MD5, SHA1 for passwords)

Run: `python scripts/security-scan.py --path ./app --output-dir ./security-results`

**Dependency scanning (run separately):**
```bash
# Python dependencies
pip-audit --requirement requirements.txt --output json > dep-audit.json

# npm dependencies
npm audit --json > npm-audit.json

Examples

Example Review Comment (Critical)

SECURITY: SQL Injection (Critical, OWASP A03)

File: app/repositories/user_repository.py:47
query = f"SELECT * FROM users WHERE name LIKE '%{search_term}%'"
This constructs a raw SQL query with string interpolation, allowing SQL injection. An attacker could input '; DROP TABLE users; -- to destroy data.

Fix: Use SQLAlchemy ORM filtering:
users = db.query(User).filter(User.name.ilike(f"%{search_term}%")).all()

Example Review Comment (Medium)

SECURITY: Missing Rate Limiting (Medium, OWASP A04)

File: app/routes/auth.py:12

The /auth/login endpoint has no rate limiting. An attacker could perform brute-force password attacks at unlimited speed.

Fix: Add rate limiting middleware:
from slowapi import Limiter
limiter = Limiter(key_func=get_remote_address)

@router.post("/login")
@limiter.limit("5/minute")
async def login(request: Request, ...):

Output File

Write security findings to security-review.md:

# Security Review: [Feature/PR Name]

## Summary
- Critical: 0 | High: 1 | Medium: 2 | Low: 1

## Findings

### [CRITICAL] SQL Injection in user search
- **File:** app/routes/users.py:45
- **OWASP:** A03 Injection
- **Description:** Raw SQL with string interpolation
- **Recommendation:** Use SQLAlchemy ORM filtering

### [HIGH] Missing authorization check
...

## Passed Checks
- No hardcoded secrets found
- Dependencies up to date