纵深防御验证：多层数据验证模式，杜绝软件安全漏洞与错误

Defense-in-Depth Validation by obra/superpowers-skills

589 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/obra/superpowers-skills --skill 'Defense-in-Depth Validation'

开发代码质量安全

🇨🇳中文介绍

纵深防御验证

概述

当你修复由无效数据引起的错误时，在一个地方添加验证似乎就足够了。但这一单一检查可能会被不同的代码路径、重构或模拟所绕过。

核心原则： 在数据传递的每一层都进行验证。从结构上杜绝错误发生的可能性。

为何需要多层验证

单一验证：“我们修复了错误” 多层验证：“我们让错误不可能发生”

不同层级捕获不同的情况：

入口验证捕获大多数错误
业务逻辑捕获边缘情况
环境防护防止特定上下文中的危险
调试日志在其他层失效时提供帮助

四层防御

第一层：入口点验证

目的： 在 API 边界拒绝明显无效的输入

function createProject(name: string, workingDirectory: string) {
  if (!workingDirectory || workingDirectory.trim() === '') {
    throw new Error('workingDirectory cannot be empty');
  }
  if (!existsSync(workingDirectory)) {
    throw new Error(`workingDirectory does not exist: ${workingDirectory}`);
  }
  if (!statSync(workingDirectory).isDirectory()) {
    throw new Error(`workingDirectory is not a directory: ${workingDirectory}`);
  }
  // ... proceed
}

第二层：业务逻辑验证

目的： 确保数据对于当前操作有意义

function initializeWorkspace(projectDir: string, sessionId: string) {
  if (!projectDir) {
    throw new Error('projectDir required for workspace initialization');
  }
  // ... proceed
}

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

第三层：环境防护

目的： 防止在特定上下文中执行危险操作

async function gitInit(directory: string) {
  // In tests, refuse git init outside temp directories
  if (process.env.NODE_ENV === 'test') {
    const normalized = normalize(resolve(directory));
    const tmpDir = normalize(resolve(tmpdir()));

    if (!normalized.startsWith(tmpDir)) {
      throw new Error(
        `Refusing git init outside temp dir during tests: ${directory}`
      );
    }
  }
  // ... proceed
}

第四层：调试插桩

目的： 捕获上下文用于取证分析

async function gitInit(directory: string) {
  const stack = new Error().stack;
  logger.debug('About to git init', {
    directory,
    cwd: process.cwd(),
    stack,
  });
  // ... proceed
}

当你发现一个错误时：

追踪数据流 - 错误值源自何处？在哪里被使用？
映射所有检查点 - 列出数据经过的每一个点
在每一层添加验证 - 入口层、业务层、环境层、调试层
测试每一层 - 尝试绕过第一层，验证第二层能捕获它

错误：空的 projectDir 导致在源代码目录执行 git init

测试设置 → 空字符串
Project.create(name, '')
WorkspaceManager.createWorkspace('')
git init 在 process.cwd() 中运行

添加的四层防御：

第一层：Project.create() 验证非空/存在/可写
第二层：WorkspaceManager 验证 projectDir 非空
第三层：WorktreeManager 在测试中拒绝在 tmpdir 之外执行 git init
第四层：在 git init 之前记录堆栈跟踪

结果： 所有 1847 个测试通过，错误无法复现

所有四层都是必要的。在测试过程中，每一层都捕获了其他层遗漏的错误：

不同的代码路径绕过了入口验证
模拟绕过了业务逻辑检查
不同平台上的边缘情况需要环境防护
调试日志识别出结构性误用

不要止步于一个验证点。 在每一层都添加检查。

🇺🇸English

Defense-in-Depth Validation

Overview

When you fix a bug caused by invalid data, adding validation at one place feels sufficient. But that single check can be bypassed by different code paths, refactoring, or mocks.

Core principle: Validate at EVERY layer data passes through. Make the bug structurally impossible.

Why Multiple Layers

Single validation: "We fixed the bug" Multiple layers: "We made the bug impossible"

Different layers catch different cases:

Entry validation catches most bugs
Business logic catches edge cases
Environment guards prevent context-specific dangers
Debug logging helps when other layers fail

The Four Layers

Layer 1: Entry Point Validation

Purpose: Reject obviously invalid input at API boundary

function createProject(name: string, workingDirectory: string) {
  if (!workingDirectory || workingDirectory.trim() === '') {
    throw new Error('workingDirectory cannot be empty');
  }
  if (!existsSync(workingDirectory)) {
    throw new Error(`workingDirectory does not exist: ${workingDirectory}`);
  }
  if (!statSync(workingDirectory).isDirectory()) {
    throw new Error(`workingDirectory is not a directory: ${workingDirectory}`);
  }
  // ... proceed
}

Layer 2: Business Logic Validation

Purpose: Ensure data makes sense for this operation

function initializeWorkspace(projectDir: string, sessionId: string) {
  if (!projectDir) {
    throw new Error('projectDir required for workspace initialization');
  }
  // ... proceed
}

Layer 3: Environment Guards

Purpose: Prevent dangerous operations in specific contexts

async function gitInit(directory: string) {
  // In tests, refuse git init outside temp directories
  if (process.env.NODE_ENV === 'test') {
    const normalized = normalize(resolve(directory));
    const tmpDir = normalize(resolve(tmpdir()));

    if (!normalized.startsWith(tmpDir)) {
      throw new Error(
        `Refusing git init outside temp dir during tests: ${directory}`
      );
    }
  }
  // ... proceed
}

Layer 4: Debug Instrumentation

Purpose: Capture context for forensics

async function gitInit(directory: string) {
  const stack = new Error().stack;
  logger.debug('About to git init', {
    directory,
    cwd: process.cwd(),
    stack,
  });
  // ... proceed
}

Applying the Pattern

When you find a bug:

Trace the data flow - Where does bad value originate? Where used?
Map all checkpoints - List every point data passes through
Add validation at each layer - Entry, business, environment, debug
Test each layer - Try to bypass layer 1, verify layer 2 catches it

Example from Session

Bug: Empty projectDir caused git init in source code

Data flow:

Test setup → empty string
Project.create(name, '')
WorkspaceManager.createWorkspace('')
git init runs in process.cwd()

Four layers added:

Layer 1: Project.create() validates not empty/exists/writable
Layer 2: WorkspaceManager validates projectDir not empty
Layer 3: WorktreeManager refuses git init outside tmpdir in tests
Layer 4: Stack trace logging before git init

Result: All 1847 tests passed, bug impossible to reproduce

Key Insight

All four layers were necessary. During testing, each layer caught bugs the others missed:

Different code paths bypassed entry validation
Mocks bypassed business logic checks
Edge cases on different platforms needed environment guards
Debug logging identified structural misuse

Don't stop at one validation point. Add checks at every layer.

Weekly Installs

–

Repository

obra/superpowers-skills

GitHub Stars

580

First Seen

–

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Azure RBAC 权限管理工具：查找最小角色、创建自定义角色与自动化分配

117,000 周安装