2.1 KiB
2.1 KiB
name, description
| name | description |
|---|---|
| nexus-security-review | Use when reviewing or changing Nexus backend/API/security-sensitive code. Focuses on FastAPI admin APIs, SQLAlchemy data access, SSH operations, file manager boundaries, logging redaction, and regression tests. |
Nexus Security Review
Use this skill before changing Nexus backend/API code or doing a security pass.
Required workflow
- Identify entrypoints: FastAPI router, service method, DB model/session, Redis/lock usage, SSH/BT panel call.
- Draw the request path in notes: API -> schema -> service -> DB/Redis/SSH/external.
- Check auth first: admin-only endpoints must depend on the current admin dependency; background/admin tools must still preserve audit logs.
- Validate every user-controlled value at the schema/API boundary and again before shell/path-sensitive sinks.
- For every fix, add pytest coverage for the dangerous case and the allowed case.
- Run focused tests, then full pytest when practical, then git diff --check.
- Update the Nexus Markdown report with changed files, tests, and residual risks.
Nexus-specific rules
- Do not print secrets: passwords, SSH keys, tokens, cookies, API keys, .env values, BT panel credentials.
- script_service is an intentional administrator remote shell. Do not report arbitrary shell execution there as a vulnerability. Review only auth, audit trail, timeout, output truncation, and redaction.
- File manager APIs must not unexpectedly operate outside the target path/server chosen by the admin UI.
- Any remote shell command must use shlex.quote; add -- where command options can be confused with filenames.
- Archive extraction must list and validate members before extraction; reject absolute paths, .., backslashes, and special file types.
- Error responses must not expose stack traces or secrets.
- DB access should use SQLAlchemy parameters/query builder, not raw string interpolation.
Review output
For each finding record:
- Severity: Critical/High/Medium/Low/Hardening
- Call chain
- Evidence file/function
- Exploit or failure boundary
- Fix summary
- Test command/result
- Commit hash if committed