security fixes

SECURITY_QUICK_REFERENCE.md

@@ -0,0 +1,167 @@
+# Security Quick Reference Card
+
+Quick reference for common security tasks in OpenRabbit development.
+
+## ❌ Common Security Mistakes
+
+### 1. Exposing Full Webhook Data
+```yaml
+# ❌ NEVER DO THIS
+env:
+  EVENT_DATA: ${{ toJSON(github.event) }}  # Exposes emails, tokens!
+```
+
+### 2. Unvalidated User Input
+```python
+# ❌ NEVER DO THIS
+owner, repo = repo_string.split('/')  # No validation!
+```
+
+### 3. Hardcoded Secrets
+```python
+# ❌ NEVER DO THIS
+api_key = "sk-1234567890abcdef"  # Hardcoded secret!
+```
+
+---
+
+## ✅ Secure Patterns
+
+### 1. Workflow Event Handling
+```yaml
+# ✅ Use minimal data extraction
+run: |
+  EVENT_DATA=$(cat <<EOF
+  {
+    "issue": {"number": ${{ github.event.issue.number }}},
+    "comment": {"body": $(echo '${{ github.event.comment.body }}' | jq -Rs .)}
+  }
+  EOF
+  )
+  python utils/safe_dispatch.py issue_comment "$REPO" "$EVENT_DATA"
+```
+
+### 2. Repository Validation
+```python
+# ✅ Always validate
+from utils.webhook_sanitizer import validate_repository_format
+
+try:
+    owner, repo = validate_repository_format(user_input)
+except ValueError as e:
+    logger.error(f"Invalid repository: {e}")
+    return
+```
+
+### 3. Webhook Data Sanitization
+```python
+# ✅ Sanitize before logging
+from utils.webhook_sanitizer import sanitize_webhook_data
+
+sanitized = sanitize_webhook_data(event_data)
+logger.info(f"Processing event: {sanitized}")
+```
+
+### 4. Secret Management
+```python
+# ✅ Use environment variables
+import os
+
+api_key = os.environ.get("OPENAI_API_KEY")
+if not api_key:
+    raise ValueError("OPENAI_API_KEY not set")
+```
+
+---
+
+## 🔍 Pre-Commit Checks
+
+Install once:
+```bash
+pip install pre-commit
+pre-commit install
+```
+
+Run manually:
+```bash
+pre-commit run --all-files
+```
+
+Bypass (NOT recommended):
+```bash
+git commit --no-verify
+```
+
+---
+
+## 🛠️ Quick Commands
+
+### Test Security Utilities
+```bash
+cd tools/ai-review
+
+# Test sanitization
+python -c "from utils.webhook_sanitizer import sanitize_webhook_data; \
+print(sanitize_webhook_data({'user': {'email': 'test@example.com'}}))"
+
+# Test validation (should fail)
+python -c "from utils.webhook_sanitizer import validate_repository_format; \
+validate_repository_format('owner/repo; rm -rf /')"
+```
+
+### Validate Workflow Files
+```bash
+# Check for security issues
+python tools/ai-review/security/validate_workflows.py .gitea/workflows/*.yml
+
+# Validate YAML syntax
+python -c "import yaml; yaml.safe_load(open('.gitea/workflows/ai-comment-reply.yml'))"
+```
+
+### Scan for Secrets
+```bash
+# Check specific file
+python tools/ai-review/security/check_secrets.py path/to/file.py
+
+# Scan all Python files
+find . -name "*.py" -exec python tools/ai-review/security/check_secrets.py {} \;
+```
+
+---
+
+## 📋 Security Checklist
+
+Before committing:
+- [ ] No hardcoded secrets in code
+- [ ] All user inputs validated
+- [ ] Webhook data sanitized before logging
+- [ ] Repository format validated
+- [ ] Pre-commit hooks pass
+- [ ] No full webhook data in environment variables
+
+Before deploying workflow changes:
+- [ ] Workflow validated with `validate_workflows.py`
+- [ ] YAML syntax valid
+- [ ] Input validation present
+- [ ] Minimal data extraction used
+- [ ] SECURITY.md guidelines followed
+
+---
+
+## 📚 Full Documentation
+
+- **Complete Guide**: `SECURITY.md`
+- **Implementation Details**: `SECURITY_FIXES_SUMMARY.md`
+- **Developer Guide**: `CLAUDE.md` (Security Best Practices section)
+
+---
+
+## 🚨 Security Issue Found?
+
+1. **DO NOT** create a public issue
+2. Review `SECURITY.md` for reporting process
+3. Email security contact immediately
+
+---
+
+**Remember**: Security is everyone's responsibility!