openrabbit/SECURITY_QUICK_REFERENCE.md
latte f94d21580c
security fixes
2025-12-28 19:55:05 +00:00

Security Quick Reference Card

Quick reference for common security tasks in OpenRabbit development.

Common Security Mistakes

1. Exposing Full Webhook Data

# ❌ NEVER DO THIS
env:
  EVENT_DATA: ${{ toJSON(github.event) }}  # Exposes emails, tokens!

2. Unvalidated User Input

# ❌ NEVER DO THIS
owner, repo = repo_string.split('/')  # No validation!

3. Hardcoded Secrets

# ❌ NEVER DO THIS
api_key = "sk-1234567890abcdef"  # Hardcoded secret!

Secure Patterns

1. Workflow Event Handling

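# ✅ Use minimal data extraction
# Pass untrusted fields through env so the comment body is never
# expanded into the script text, then let jq do the JSON encoding.
env:
  ISSUE_NUMBER: ${{ github.event.issue.number }}
  COMMENT_BODY: ${{ github.event.comment.body }}
run: |
  EVENT_DATA=$(jq -n \
    --argjson number "$ISSUE_NUMBER" \
    --arg body "$COMMENT_BODY" \
    '{issue: {number: $number}, comment: {body: $body}}')
  python utils/safe_dispatch.py issue_comment "$REPO" "$EVENT_DATA"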

2. Repository Validation

# ✅ Always validate
from utils.webhook_sanitizer import validate_repository_format

try:
    owner, repo = validate_repository_format(user_input)
except ValueError as e:
    logger.error(f"Invalid repository: {e}")
    return

3. Webhook Data Sanitization

# ✅ Sanitize before logging
from utils.webhook_sanitizer import sanitize_webhook_data

sanitized = sanitize_webhook_data(event_data)
logger.info(f"Processing event: {sanitized}")
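
The two helpers used in patterns 2 and 3 are not shown on this page. The sketch below is an added example, not OpenRabbit's `utils.webhook_sanitizer`, of the checks such helpers would perform. The function names, the allowed character set, the sensitive-key list and the depth limit are all assumptions.

```python
import re

# Assumed policy: each component is 1-100 chars of letters, digits, '.', '_' or '-'.
_NAME = re.compile(r"[A-Za-z0-9._-]{1,100}")
# Assumed key-name fragments that mark a field as sensitive.
_SENSITIVE = ("email", "token", "secret", "password", "key", "authorization")
REDACTED = "[REDACTED]"
MAX_DEPTH = 10  # assumed bound so hostile nesting cannot exhaust the stack


def check_repo_slug(value):
    """Hypothetical validator: return (owner, repo) or raise ValueError."""
    if not isinstance(value, str):
        raise ValueError("repository must be a string")
    parts = value.split("/")
    if len(parts) != 2:
        raise ValueError("expected exactly one '/' (owner/repo)")
    for part in parts:
        # fullmatch rejects spaces, ';', newlines and other shell metacharacters;
        # '.' and '..' pass the character class, so refuse them explicitly.
        if not _NAME.fullmatch(part) or part in (".", ".."):
            raise ValueError(f"invalid name component: {part!r}")
    return parts[0], parts[1]


def redact_event(data, depth=0):
    """Hypothetical sanitizer: copy a payload, masking sensitive-looking keys."""
    if depth > MAX_DEPTH:
        return "[TRUNCATED]"
    if isinstance(data, dict):
        return {
            k: REDACTED if any(s in str(k).lower() for s in _SENSITIVE)
            else redact_event(v, depth + 1)
            for k, v in data.items()
        }
    if isinstance(data, list):
        return [redact_event(v, depth + 1) for v in data]
    return data


# Constructed sample payload (not real webhook data).
SAMPLE_EVENT = {
    "repository": {"full_name": "owner/repo"},
    "sender": {"login": "alice", "email": "alice@example.com"},
    "comment": {"body": "hi", "user": {"access_token": "constructed-value"}},
}

if __name__ == "__main__":
    print(check_repo_slug(SAMPLE_EVENT["repository"]["full_name"]))
    print(redact_event(SAMPLE_EVENT))
```

Matching on key-name fragments over-redacts by design (any key containing "key" is masked), which is the safer failure mode for log output.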

4. Secret Management

# ✅ Use environment variables
import os

api_key = os.environ.get("OPENAI_API_KEY")
if not api_key:
    raise ValueError("OPENAI_API_KEY not set")

🔍 Pre-Commit Checks

Install once:

pip install pre-commit
pre-commit install

Run manually:

pre-commit run --all-files

Bypass (NOT recommended):

git commit --no-verify

🛠️ Quick Commands

Test Security Utilities

cd tools/ai-review

# Test sanitization
python -c "from utils.webhook_sanitizer import sanitize_webhook_data; \
print(sanitize_webhook_data({'user': {'email': 'test@example.com'}}))"

# Test validation (should fail)
python -c "from utils.webhook_sanitizer import validate_repository_format; \
validate_repository_format('owner/repo; rm -rf /')"

Validate Workflow Files

# Check for security issues
python tools/ai-review/security/validate_workflows.py .gitea/workflows/*.yml

# Validate YAML syntax
python -c "import yaml; yaml.safe_load(open('.gitea/workflows/ai-comment-reply.yml'))"

Scan for Secrets

# Check specific file
python tools/ai-review/security/check_secrets.py path/to/file.py

# Scan all Python files
find . -name "*.py" -exec python tools/ai-review/security/check_secrets.py {} \;

📋 Security Checklist

Before committing:

  • No hardcoded secrets in code
  • All user inputs validated
  • Webhook data sanitized before logging
  • Repository format validated
  • Pre-commit hooks pass
  • No full webhook data in environment variables

Before deploying workflow changes:

  • Workflow validated with validate_workflows.py
  • YAML syntax valid
  • Input validation present
  • Minimal data extraction used
  • SECURITY.md guidelines followed

📚 Full Documentation

  • Complete Guide: SECURITY.md
  • Implementation Details: SECURITY_FIXES_SUMMARY.md
  • Developer Guide: CLAUDE.md (Security Best Practices section)

🚨 Security Issue Found?

  1. DO NOT create a public issue
  2. Review SECURITY.md for reporting process
  3. Email security contact immediately

Remember: Security is everyone's responsibility!