41 lines
2.1 KiB
Markdown
41 lines
2.1 KiB
Markdown
---
|
|
name: nexus-security-review
|
|
description: Use when reviewing or changing Nexus backend/API/security-sensitive code. Focuses on FastAPI admin APIs, SQLAlchemy data access, SSH operations, file manager boundaries, logging redaction, and regression tests.
|
|
---
|
|
|
|
# Nexus Security Review
|
|
|
|
Use this skill before changing Nexus backend/API code or doing a security pass.
|
|
|
|
## Required workflow
|
|
|
|
1. Identify entrypoints: FastAPI router, service method, DB model/session, Redis/lock usage, SSH/BT panel call.
|
|
2. Draw the request path in notes: API -> schema -> service -> DB/Redis/SSH/external.
|
|
3. Check auth first: admin-only endpoints must depend on the current admin dependency; background/admin tools must still preserve audit logs.
|
|
4. Validate every user-controlled value at the schema/API boundary and again before shell/path-sensitive sinks.
|
|
5. For every fix, add pytest coverage for the dangerous case and the allowed case.
|
|
6. Run focused tests, then full pytest when practical, then git diff --check.
|
|
7. Update the Nexus Markdown report with changed files, tests, and residual risks.
|
|
|
|
## Nexus-specific rules
|
|
|
|
- Do not print secrets: passwords, SSH keys, tokens, cookies, API keys, .env values, BT panel credentials.
|
|
- script_service is an intentional administrator remote shell. Do not report arbitrary shell execution there as a vulnerability. Review only auth, audit trail, timeout, output truncation, and redaction.
|
|
- File manager APIs must not unexpectedly operate outside the target path/server chosen by the admin UI.
|
|
- Any remote shell command must use shlex.quote; add -- where command options can be confused with filenames.
|
|
- Archive extraction must list and validate members before extraction; reject absolute paths, .., backslashes, and special file types.
|
|
- Error responses must not expose stack traces or secrets.
|
|
- DB access should use SQLAlchemy parameters/query builder, not raw string interpolation.
|
|
|
|
## Review output
|
|
|
|
For each finding record:
|
|
|
|
- Severity: Critical/High/Medium/Low/Hardening
|
|
- Call chain
|
|
- Evidence file/function
|
|
- Exploit or failure boundary
|
|
- Fix summary
|
|
- Test command/result
|
|
- Commit hash if committed
|