TypeScript安全审查工具 - OWASP Top 10代码审计与Node.js应用安全评估

typescript-security-review by giuseppe-trisciuoglio/developer-kit

150 周安装量

173 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/giuseppe-trisciuoglio/developer-kit --skill typescript-security-review

Node.js TypeScript 安全

🇨🇳中文介绍

TypeScript 安全审查

概述

此技能为 TypeScript 和 Node.js 应用程序提供结构化、全面的安全审查。它根据 OWASP Top 10、特定框架的安全最佳实践以及生产就绪安全标准来评估代码。审查会产生按严重性（严重、高、中、低）分类的可操作发现项，并附带具体的修复示例。

当通过代理系统调用时，此技能会委托给 typescript-security-expert 代理进行深度安全分析。

使用时机

对 TypeScript/Node.js 代码库进行安全审计时
审查身份验证和授权实现（JWT、OAuth2、Passport.js）时
检查常见漏洞（XSS、注入、CSRF、路径遍历）时
验证输入验证和清理逻辑时
审查依赖项安全性（npm audit、已知 CVE）时
检查密钥管理和环境变量处理时
评估 API 安全性（速率限制、CORS、安全标头）时
审查 Express、NestJS 或 Next.js 安全配置时
部署到生产环境前或进行重大代码更改后
合规性检查（GDPR、HIPAA、SOC2 数据处理要求）时

操作指南

确定范围：确定哪些文件和模块需要进行安全审查。优先处理身份验证、授权、数据处理、API 端点和配置文件。使用 grep 查找安全敏感模式（eval、exec、innerHTML、密码处理、JWT 操作）。

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

相关 Skills

Azure RBAC 权限管理工具：查找最小角色、创建自定义角色与自动化分配

127,200 周安装

Azure PostgreSQL 无密码身份验证配置指南：Entra ID 迁移与访问管理

34,800 周安装

OpenClaw 安全 Linux 云部署指南：私有优先、SSH隧道、Podman容器化

33,700 周安装

Linux云主机安全托管指南：从SSH加固到HTTPS部署

33,600 周安装

// ❌ 严重：JWT 配置薄弱
import jwt from 'jsonwebtoken';

const SECRET = 'mysecret123'; // 硬编码的弱密钥

function generateToken(user: User) {
  return jwt.sign({ id: user.id, role: user.role }, SECRET);
  // 缺少过期时间，弱密钥，未指定算法
}

function verifyToken(token: string) {
  return jwt.verify(token, SECRET); // 无算法限制
}

// ✅ 安全：正确的 JWT 配置
import jwt from 'jsonwebtoken';
import { randomBytes } from 'crypto';

const JWT_SECRET = process.env.JWT_SECRET;
if (!JWT_SECRET || JWT_SECRET.length < 32) {
  throw new Error('JWT_SECRET must be set and at least 32 characters');
}

function generateToken(user: User): string {
  return jwt.sign(
    { sub: user.id }, // 最小化声明，无敏感数据
    JWT_SECRET,
    {
      algorithm: 'HS256',
      expiresIn: '15m',
      issuer: 'my-app',
      audience: 'my-app-client',
    }
  );
}

function verifyToken(token: string): JwtPayload {
  return jwt.verify(token, JWT_SECRET, {
    algorithms: ['HS256'], // 限制接受的算法
    issuer: 'my-app',
    audience: 'my-app-client',
  }) as JwtPayload;
}

// ❌ 严重：SQL 注入漏洞
async function findUser(email: string) {
  const result = await db.query(
    `SELECT * FROM users WHERE email = '${email}'`
  );
  return result.rows[0];
}

// ✅ 安全：参数化查询
async function findUser(email: string) {
  const result = await db.query(
    'SELECT id, name, email FROM users WHERE email = $1',
    [email]
  );
  return result.rows[0];
}

// ✅ 安全：使用类型安全查询的 ORM（Drizzle 示例）
async function findUser(email: string) {
  return db.select({
    id: users.id,
    name: users.name,
    email: users.email,
  })
  .from(users)
  .where(eq(users.email, email))
  .limit(1);
}

// ❌ 高：缺少输入验证
app.post('/api/users', async (req, res) => {
  const user = await createUser(req.body);
  res.json(user);
});

// ✅ 安全：使用 Zod 进行全面的输入验证
import { z } from 'zod';

const createUserSchema = z.object({
  name: z.string().min(1).max(100).trim(),
  email: z.string().email().max(254).toLowerCase(),
  password: z.string()
    .min(12, 'Password must be at least 12 characters')
    .regex(/[A-Z]/, 'Must contain uppercase letter')
    .regex(/[a-z]/, 'Must contain lowercase letter')
    .regex(/[0-9]/, 'Must contain a number'),
  role: z.enum(['user', 'editor']).default('user'),
});

app.post('/api/users', async (req, res) => {
  const result = createUserSchema.safeParse(req.body);
  if (!result.success) {
    return res.status(400).json({ errors: result.error.flatten() });
  }
  const user = await createUser(result.data);
  res.status(201).json(user);
});

// ❌ 高：通过 dangerouslySetInnerHTML 导致的 XSS 漏洞
function Comment({ content }: { content: string }) {
  return <div dangerouslySetInnerHTML={{ __html: content }} />;
}

// ✅ 安全：渲染前清理 HTML
import DOMPurify from 'isomorphic-dompurify';

function Comment({ content }: { content: string }) {
  const sanitized = DOMPurify.sanitize(content, {
    ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'a', 'p', 'br'],
    ALLOWED_ATTR: ['href', 'target', 'rel'],
  });
  return <div dangerouslySetInnerHTML={{ __html: sanitized }} />;
}

// ✅ 更好：使用 markdown 渲染器而非原始 HTML
import ReactMarkdown from 'react-markdown';

function Comment({ content }: { content: string }) {
  return <ReactMarkdown>{content}</ReactMarkdown>;
}

// ❌ 中：缺少安全标头且 CORS 过于宽松
const app = express();
app.use(cors()); // 允许所有来源

// ✅ 安全：全面的安全配置
import helmet from 'helmet';
import cors from 'cors';
import rateLimit from 'express-rate-limit';

const app = express();

app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'"],
      styleSrc: ["'self'", "'unsafe-inline'"],
      imgSrc: ["'self'", 'data:', 'https:'],
    },
  },
  hsts: { maxAge: 31536000, includeSubDomains: true, preload: true },
}));

app.use(cors({
  origin: process.env.ALLOWED_ORIGINS?.split(',') ?? [],
  credentials: true,
  methods: ['GET', 'POST', 'PUT', 'DELETE'],
}));

app.use(rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 100,
  standardHeaders: true,
  legacyHeaders: false,
}));

在 API 边界验证所有输入——切勿仅依赖客户端验证
使用参数化查询或 ORM——切勿将用户输入拼接到查询中
将密钥存储在环境变量或密钥管理器中——切勿存储在源代码中
对数据库账户、API 密钥和 IAM 角色应用最小权限原则
启用安全标头（helmet.js）并将 CORS 限制在已知来源
在所有面向公众的端点上实施速率限制
使用 bcrypt 或 argon2 哈希密码——切勿将 MD5/SHA 用于密码
设置 Cookie 标志：HttpOnly、Secure、SameSite=Strict
在 CI 流水线中使用 npm audit 来捕获依赖项漏洞
记录安全事件（登录失败、权限拒绝）但不记录敏感数据

🇺🇸English

TypeScript Security Review

Overview

This skill provides structured, comprehensive security review for TypeScript and Node.js applications. It evaluates code against OWASP Top 10, framework-specific security best practices, and production-readiness security criteria. The review produces actionable findings classified by severity (Critical, High, Medium, Low) with concrete remediation examples.

This skill delegates to the typescript-security-expert agent for deep security analysis when invoked through the agent system.

When to Use

Performing security audits on TypeScript/Node.js codebases
Reviewing authentication and authorization implementations (JWT, OAuth2, Passport.js)
Checking for common vulnerabilities (XSS, injection, CSRF, path traversal)
Validating input validation and sanitization logic
Reviewing dependency security (npm audit, known CVEs)
Checking secrets management and environment variable handling
Assessing API security (rate limiting, CORS, security headers)
Reviewing Express, NestJS, or Next.js security configurations
Before deploying to production or after significant code changes
Compliance checks (GDPR, HIPAA, SOC2 data handling requirements)

Instructions

Identify Scope : Determine which files and modules are under security review. Prioritize authentication, authorization, data handling, API endpoints, and configuration files. Use grep to find security-sensitive patterns (eval, exec, innerHTML, password handling, JWT operations).
Check Authentication & Authorization: Review JWT implementation (signing algorithm, expiration, refresh tokens), OAuth2/OIDC integration, session management, password hashing (bcrypt/argon2), and multi-factor authentication. Verify that all protected routes enforce authentication.
Scan for Injection Vulnerabilities : Check for SQL/NoSQL injection in database queries, command injection in exec/spawn, template injection, and LDAP injection. Verify that all user input is validated and parameterized queries are used.
Review Input Validation : Check that all API inputs are validated with Zod, Joi, or class-validator. Verify schema completeness — no missing fields, proper type constraints, length limits, and format validation. Check for validation bypass paths.
Assess XSS Prevention : Review React component output for dangerouslySetInnerHTML usage, check Content Security Policy headers, verify HTML sanitization for user-generated content, and check template rendering in server-side code.
Check Secrets Management : Scan for hardcoded credentials, API keys, and secrets in source code. Verify .env files are gitignored, environment variables are validated at startup, and secrets are accessed through proper management services.
Review Dependency Security : Run npm audit or check package-lock.json for known vulnerabilities. Identify outdated dependencies with known CVEs. Check for unnecessary dependencies that increase attack surface.
Evaluate Security Headers & Configuration: Check for helmet.js or manual security header configuration. Review CORS policy, rate limiting, HTTPS enforcement, cookie security flags (HttpOnly, Secure, SameSite), and CSP configuration.
Produce Security Report : Generate a structured report with severity-classified findings (Critical, High, Medium, Low), remediation guidance with code examples, and a security posture summary.

Examples

Example 1: JWT Security Review

// ❌ Critical: Weak JWT configuration
import jwt from 'jsonwebtoken';

const SECRET = 'mysecret123'; // Hardcoded weak secret

function generateToken(user: User) {
  return jwt.sign({ id: user.id, role: user.role }, SECRET);
  // Missing expiration, weak secret, no algorithm specification
}

function verifyToken(token: string) {
  return jwt.verify(token, SECRET); // No algorithm restriction
}

// ✅ Secure: Proper JWT configuration
import jwt from 'jsonwebtoken';
import { randomBytes } from 'crypto';

const JWT_SECRET = process.env.JWT_SECRET;
if (!JWT_SECRET || JWT_SECRET.length < 32) {
  throw new Error('JWT_SECRET must be set and at least 32 characters');
}

function generateToken(user: User): string {
  return jwt.sign(
    { sub: user.id }, // Minimal claims, no sensitive data
    JWT_SECRET,
    {
      algorithm: 'HS256',
      expiresIn: '15m',
      issuer: 'my-app',
      audience: 'my-app-client',
    }
  );
}

function verifyToken(token: string): JwtPayload {
  return jwt.verify(token, JWT_SECRET, {
    algorithms: ['HS256'], // Restrict accepted algorithms
    issuer: 'my-app',
    audience: 'my-app-client',
  }) as JwtPayload;
}

Example 2: SQL Injection Prevention

// ❌ Critical: SQL injection vulnerability
async function findUser(email: string) {
  const result = await db.query(
    `SELECT * FROM users WHERE email = '${email}'`
  );
  return result.rows[0];
}

// ✅ Secure: Parameterized query
async function findUser(email: string) {
  const result = await db.query(
    'SELECT id, name, email FROM users WHERE email = $1',
    [email]
  );
  return result.rows[0];
}

// ✅ Secure: ORM with type-safe queries (Drizzle example)
async function findUser(email: string) {
  return db.select({
    id: users.id,
    name: users.name,
    email: users.email,
  })
  .from(users)
  .where(eq(users.email, email))
  .limit(1);
}

Example 3: Input Validation

// ❌ High: Missing input validation
app.post('/api/users', async (req, res) => {
  const user = await createUser(req.body);
  res.json(user);
});

// ✅ Secure: Comprehensive input validation with Zod
import { z } from 'zod';

const createUserSchema = z.object({
  name: z.string().min(1).max(100).trim(),
  email: z.string().email().max(254).toLowerCase(),
  password: z.string()
    .min(12, 'Password must be at least 12 characters')
    .regex(/[A-Z]/, 'Must contain uppercase letter')
    .regex(/[a-z]/, 'Must contain lowercase letter')
    .regex(/[0-9]/, 'Must contain a number'),
  role: z.enum(['user', 'editor']).default('user'),
});

app.post('/api/users', async (req, res) => {
  const result = createUserSchema.safeParse(req.body);
  if (!result.success) {
    return res.status(400).json({ errors: result.error.flatten() });
  }
  const user = await createUser(result.data);
  res.status(201).json(user);
});

Example 4: XSS Prevention

// ❌ High: XSS vulnerability through dangerouslySetInnerHTML
function Comment({ content }: { content: string }) {
  return <div dangerouslySetInnerHTML={{ __html: content }} />;
}

// ✅ Secure: Sanitize HTML before rendering
import DOMPurify from 'isomorphic-dompurify';

function Comment({ content }: { content: string }) {
  const sanitized = DOMPurify.sanitize(content, {
    ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'a', 'p', 'br'],
    ALLOWED_ATTR: ['href', 'target', 'rel'],
  });
  return <div dangerouslySetInnerHTML={{ __html: sanitized }} />;
}

// ✅ Better: Use a markdown renderer instead of raw HTML
import ReactMarkdown from 'react-markdown';

function Comment({ content }: { content: string }) {
  return <ReactMarkdown>{content}</ReactMarkdown>;
}

Example 5: Security Headers and Configuration

// ❌ Medium: Missing security headers and permissive CORS
const app = express();
app.use(cors()); // Allows all origins

// ✅ Secure: Comprehensive security configuration
import helmet from 'helmet';
import cors from 'cors';
import rateLimit from 'express-rate-limit';

const app = express();

app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'"],
      styleSrc: ["'self'", "'unsafe-inline'"],
      imgSrc: ["'self'", 'data:', 'https:'],
    },
  },
  hsts: { maxAge: 31536000, includeSubDomains: true, preload: true },
}));

app.use(cors({
  origin: process.env.ALLOWED_ORIGINS?.split(',') ?? [],
  credentials: true,
  methods: ['GET', 'POST', 'PUT', 'DELETE'],
}));

app.use(rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 100,
  standardHeaders: true,
  legacyHeaders: false,
}));

Review Output Format

Structure all security review findings as follows:

1. Security Posture Summary

Overall security assessment score (1-10) with key observations and risk level.

2. Critical Vulnerabilities (Immediate Action)

Issues that can be exploited to compromise the system, steal data, or cause unauthorized access.

3. High Priority (Address Within 30 Days)

Security misconfigurations, missing protections, or vulnerabilities requiring near-term remediation.

4. Medium Priority (Address Within 90 Days)

Issues that reduce security posture but have mitigating factors or limited exploitability.

5. Low Priority (Next Cycle)

Security improvements, hardening recommendations, and defense-in-depth enhancements.

6. Positive Security Observations

Well-implemented security patterns and practices to acknowledge.

7. Remediation Roadmap

Prioritized action items with code examples for the most critical fixes.

Best Practices

Validate all inputs at the API boundary — never trust client-side validation alone
Use parameterized queries or ORMs — never concatenate user input into queries
Store secrets in environment variables or secret managers — never in source code
Apply the principle of least privilege for database accounts, API keys, and IAM roles
Enable security headers (helmet.js) and restrict CORS to known origins
Implement rate limiting on all public-facing endpoints
Hash passwords with bcrypt or argon2 — never use MD5/SHA for passwords
Set cookie flags: HttpOnly, Secure, SameSite=Strict
Use npm audit in CI pipelines to catch dependency vulnerabilities
Log security events (failed logins, permission denials) without logging sensitive data

Constraints and Warnings

Security review is not a substitute for professional penetration testing
Focus on code-level vulnerabilities — infrastructure security is out of scope
Respect the project's framework — provide framework-specific remediation guidance
Do not log, print, or expose discovered secrets — report their location only
Dependency vulnerabilities should be assessed for actual exploitability, not just presence
Security recommendations must be practical — consider implementation effort vs risk reduction

References

See the references/ directory for detailed security documentation:

references/owasp-typescript.md — OWASP Top 10 mapped to TypeScript/Node.js patterns
references/common-vulnerabilities.md — Common vulnerability patterns and remediation
references/dependency-security.md — Dependency scanning and supply chain security guide

Weekly Installs

150

Repository

giuseppe-trisci…oper-kit

GitHub Stars

173

First Seen

Feb 28, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykWarn

Installed on

gemini-cli136

codex136

github-copilot133

amp131

cline131

kimi-cli131

TypeScript安全审查工具 - OWASP Top 10代码审计与Node.js应用安全评估

🇨🇳中文介绍

TypeScript 安全审查

概述

使用时机

操作指南

相关 Skills

示例

示例 1：JWT 安全审查

示例 2：SQL 注入防护

示例 3：输入验证

示例 4：XSS 防护

示例 5：安全标头与配置

审查输出格式

1. 安全态势摘要

2. 严重漏洞（立即处理）

3. 高优先级（30 天内处理）

4. 中优先级（90 天内处理）

5. 低优先级（下一个周期）

6. 积极的安全观察

7. 修复路线图

最佳实践

约束与警告

参考资料