openrabbit/SECURITY_QUICK_REFERENCE.md
latte f94d21580c
security fixes
2025-12-28 19:55:05 +00:00


# Security Quick Reference Card
Quick reference for common security tasks in OpenRabbit development.
## ❌ Common Security Mistakes
### 1. Exposing Full Webhook Data
```yaml
# ❌ NEVER DO THIS
env:
  EVENT_DATA: ${{ toJSON(github.event) }}  # Exposes emails, tokens!
```
### 2. Unvalidated User Input
```python
# ❌ NEVER DO THIS
owner, repo = repo_string.split('/') # No validation!
```
### 3. Hardcoded Secrets
```python
# ❌ NEVER DO THIS
api_key = "sk-1234567890abcdef" # Hardcoded secret!
```
---
## ✅ Secure Patterns
### 1. Workflow Event Handling
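```yaml
# ✅ Use minimal data extraction
env:
  # Untrusted text goes through the environment, never inline in the script:
  # an expression inside run: is expanded before the shell parses the line.
  COMMENT_BODY: ${{ github.event.comment.body }}
run: |
  EVENT_DATA=$(cat <<EOF
  {
    "issue": {"number": ${{ github.event.issue.number }}},
    "comment": {"body": $(printf '%s' "$COMMENT_BODY" | jq -Rs .)}
  }
  EOF
  )
  python utils/safe_dispatch.py issue_comment "$REPO" "$EVENT_DATA"
```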
### 2. Repository Validation
```python
# ✅ Always validate
from utils.webhook_sanitizer import validate_repository_format

# Inside the handler that receives user_input:
try:
    owner, repo = validate_repository_format(user_input)
except ValueError as e:
    logger.error(f"Invalid repository: {e}")
    return
```
### 3. Webhook Data Sanitization
```python
# ✅ Sanitize before logging
from utils.webhook_sanitizer import sanitize_webhook_data
sanitized = sanitize_webhook_data(event_data)
logger.info(f"Processing event: {sanitized}")
```
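One way the validation and sanitization helpers from patterns 2 and 3 could behave, as an added example that is not OpenRabbit's own `utils.webhook_sanitizer` code. The function names `validate_repo_slug` and `redact_event`, the character allowlist and the sensitive-key list are assumptions.

```python
import re

# Assumed allowlist for each half of owner/repo (hypothetical; this page
# does not show the project's actual rule).
_PART = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")
# Assumed key names to redact (hypothetical; adjust to your payloads).
_SENSITIVE = re.compile(r"email|token|secret|password|authorization|api[_-]?key", re.I)


def validate_repo_slug(value):
    """Return (owner, repo) or raise ValueError for anything off the allowlist."""
    if not isinstance(value, str):
        raise ValueError("repository must be a string")
    parts = value.split("/")
    if len(parts) != 2:
        raise ValueError("expected exactly one '/' in owner/repo")
    for part in parts:
        # fullmatch, not match with '$': '$' would accept a trailing newline
        if not _PART.fullmatch(part) or ".." in part:
            raise ValueError(f"invalid repository component: {part!r}")
    return parts[0], parts[1]


def redact_event(data, depth=0, max_depth=10):
    """Copy a webhook payload, replacing values under sensitive-looking keys."""
    if depth > max_depth:
        return "[TRUNCATED]"  # bound recursion on hostile, deeply nested input
    if isinstance(data, dict):
        return {
            k: "[REDACTED]" if _SENSITIVE.search(str(k))
            else redact_event(v, depth + 1, max_depth)
            for k, v in data.items()
        }
    if isinstance(data, list):
        return [redact_event(v, depth + 1, max_depth) for v in data]
    return data


if __name__ == "__main__":
    # Constructed sample inputs
    print(validate_repo_slug("octo-org/open.rabbit"))
    for bad in ("owner/repo; rm -rf /", "owner/repo\n", "../etc/passwd", "a/b/c"):
        try:
            validate_repo_slug(bad)
        except ValueError as exc:
            print("rejected:", exc)
    print(redact_event({"user": {"email": "test@example.com", "login": "t"},
                        "headers": [{"Authorization": "Bearer x"}]}))
```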
### 4. Secret Management
```python
# ✅ Use environment variables
import os
api_key = os.environ.get("OPENAI_API_KEY")
if not api_key:
    raise ValueError("OPENAI_API_KEY not set")
```
---
## 🔍 Pre-Commit Checks
Install once:
```bash
pip install pre-commit
pre-commit install
```
Run manually:
```bash
pre-commit run --all-files
```
Bypass (NOT recommended):
```bash
git commit --no-verify
```
---
## 🛠️ Quick Commands
### Test Security Utilities
```bash
cd tools/ai-review
# Test sanitization
python -c "from utils.webhook_sanitizer import sanitize_webhook_data; \
print(sanitize_webhook_data({'user': {'email': 'test@example.com'}}))"
# Test validation (should fail)
python -c "from utils.webhook_sanitizer import validate_repository_format; \
validate_repository_format('owner/repo; rm -rf /')"
```
### Validate Workflow Files
```bash
# Check for security issues
python tools/ai-review/security/validate_workflows.py .gitea/workflows/*.yml
# Validate YAML syntax
python -c "import yaml; yaml.safe_load(open('.gitea/workflows/ai-comment-reply.yml'))"
```
### Scan for Secrets
```bash
# Check specific file
python tools/ai-review/security/check_secrets.py path/to/file.py
# Scan all Python files
find . -name "*.py" -exec python tools/ai-review/security/check_secrets.py {} \;
```
---
## 📋 Security Checklist
Before committing:
- [ ] No hardcoded secrets in code
- [ ] All user inputs validated
- [ ] Webhook data sanitized before logging
- [ ] Repository format validated
- [ ] Pre-commit hooks pass
- [ ] No full webhook data in environment variables
Before deploying workflow changes:
- [ ] Workflow validated with `validate_workflows.py`
- [ ] YAML syntax valid
- [ ] Input validation present
- [ ] Minimal data extraction used
- [ ] SECURITY.md guidelines followed
---
## 📚 Full Documentation
- **Complete Guide**: `SECURITY.md`
- **Implementation Details**: `SECURITY_FIXES_SUMMARY.md`
- **Developer Guide**: `CLAUDE.md` (Security Best Practices section)
---
## 🚨 Security Issue Found?
1. **DO NOT** create a public issue
2. Review `SECURITY.md` for reporting process
3. Email security contact immediately
---
**Remember**: Security is everyone's responsibility!