From 25228fd80db8e13f4d9cb5003424e294f5597f05 Mon Sep 17 00:00:00 2001
From: vwieczorek
Date: Mon, 9 Jun 2025 10:35:56 -0400
Subject: [PATCH] fix: enhance security focus in tool prompts
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Prioritized security analysis in all tool prompts
- Fixed REVIEW_CHANGES_PROMPT to apply security checks to ALL code, not just new additions
- Added comprehensive security categories to REVIEW_CODE_PROMPT including:
  - Authentication/authorization flaws
  - Input validation vulnerabilities
  - Injection risks (SQL, NoSQL, Command, XSS, etc.)
  - Sensitive data exposure
  - Cryptographic weaknesses
  - API security issues
- Reordered THINK_DEEPER_PROMPT priorities to emphasize security first
- Added security impact assessment to DEBUG_ISSUE_PROMPT format
- Prioritized security considerations in ANALYZE_PROMPT

These changes ensure that all tools properly emphasize security analysis as a critical priority rather than minimizing or limiting security focus.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude
---
 prompts/tool_prompts.py | 73 +++++++++++++++++++++++++++++++----------
 1 file changed, 56 insertions(+), 17 deletions(-)

diff --git a/prompts/tool_prompts.py b/prompts/tool_prompts.py
index b5993e7..83bf444 100644
--- a/prompts/tool_prompts.py
+++ b/prompts/tool_prompts.py
@@ -16,14 +16,19 @@ Your role is to: 4. Focus on aspects Claude might have missed or couldn't fully explore 5. Suggest implementation strategies and architectural improvements -Key areas to consider: -- Edge cases and failure modes Claude might have overlooked -- Performance implications at scale -- Security vulnerabilities or attack vectors -- Maintainability and technical debt considerations -- Alternative approaches or design patterns -- Integration challenges with existing systems -- Testing strategies for complex scenarios +Key areas to consider (in priority order): +1. **Security vulnerabilities and attack vectors** - This is paramount. Consider: + - Authentication/authorization flaws + - Input validation gaps + - Data exposure risks + - Injection vulnerabilities + - Cryptographic weaknesses +2. Edge cases and failure modes Claude might have overlooked +3. Performance implications at scale +4. Maintainability and technical debt considerations +5. Alternative approaches or design patterns +6. Integration challenges with existing systems +7. Testing strategies for complex scenarios Be direct and technical. Assume Claude and the user are experienced developers who want deep, nuanced analysis rather than basic explanations. Your goal is to be the perfect @@ -44,7 +49,16 @@ Your review approach: 5. Be constructive but thorough - don't sugarcoat serious issues Review categories: -- 🔴 CRITICAL: Security vulnerabilities, data loss risks, crashes +- 🔴 CRITICAL: Security vulnerabilities (including but not limited to): + - Authentication/authorization flaws + - Input validation vulnerabilities + - SQL/NoSQL/Command injection risks + - Cross-site scripting (XSS) vulnerabilities + - Sensitive data exposure or leakage + - Insecure cryptographic practices + - API security issues + - Session management flaws + - Data loss risks, crashes - 🟠 HIGH: Bugs, performance issues, bad practices - 🟡 MEDIUM: Code smells, maintainability issues - 🟢 LOW: Style issues, minor improvements 
@@ -73,6 +87,13 @@ Use this format for structured debugging analysis: ## Summary Brief description of the issue and its impact. +## Security Impact Assessment +Evaluate if this issue could lead to security vulnerabilities: +- Could this expose sensitive data? +- Could this be exploited by an attacker? +- Are there authentication/authorization implications? +- Could this lead to injection vulnerabilities? + ## Hypotheses (Ranked by Likelihood) ### 1. [HYPOTHESIS NAME] (Confidence: High/Medium/Low) @@ -104,13 +125,19 @@ Your analysis should: 4. Find potential issues or improvements 5. Provide actionable insights -Focus on: -- Code structure and organization -- Design patterns and architectural decisions -- Performance characteristics -- Security considerations -- Testing coverage and quality -- Documentation completeness +Focus on (in priority order): +1. **Security considerations:** + - Authentication and authorization patterns + - Input validation and sanitization + - Data handling and exposure risks + - Dependency vulnerabilities + - Cryptographic implementations + - API security design +2. Code structure and organization +3. Design patterns and architectural decisions +4. Performance characteristics +5. Testing coverage and quality +6. Documentation completeness Be thorough but concise. Prioritize the most important findings and always provide concrete examples and suggestions for improvement.""" 
@@ -152,8 +179,20 @@ You will receive: Your review MUST focus on: ## Core Analysis (Standard Review) +- **Security Vulnerabilities (CRITICAL PRIORITY FOR ALL CODE):** + - Injection flaws (SQL, NoSQL, OS command, LDAP, XPath, etc.) + - Authentication and authorization weaknesses + - Sensitive data exposure (passwords, tokens, PII) + - XML/XXE vulnerabilities + - Broken access control + - Security misconfiguration + - Cross-site scripting (XSS) + - Insecure deserialization + - Using components with known vulnerabilities + - Insufficient logging and monitoring + - API security issues + - **Review ALL code changes, not just new additions** - **Bugs & Logic Errors:** Off-by-one errors, null references, race conditions, incorrect assumptions -- **Security Vulnerabilities:** Injection flaws, authentication issues, exposed secrets (CRITICAL for new additions) - **Performance Issues:** N+1 queries, inefficient algorithms introduced in changes - **Code Quality:** DRY violations, SOLID principle adherence, complexity of new code
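Review bot: in the hunk at `@@ -16,14 +16,19 @@`, the security sub-list under item 1 (five items) is one of four differently worded copies of the same checklist in this patch: the `@@ -44,7 +49,16 @@` hunk carries eight items, `@@ -104,13 +125,19 @@` six and `@@ -152,8 +179,20 @@` eleven, so the prompts will drift as soon as one of them is edited. Consider a single module-level constant, for example `SECURITY_CHECKLIST = """..."""`, interpolated into each prompt, with any tool-specific extras kept as a short separate list.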
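Review bot: in the hunk at `@@ -44,7 +49,16 @@`, `- Data loss risks, crashes` has been demoted to a sub-bullet of `- 🔴 CRITICAL: Security vulnerabilities (including but not limited to):`, so the CRITICAL category now reads as if data loss and crashes were a kind of security vulnerability, and a model following the list literally may stop rating non-security crashes as CRITICAL. Restore them to the top level, either as a sibling line such as `- 🔴 CRITICAL: Data loss risks, crashes` or folded into the heading line as the removed line had them.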
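Review bot: in the hunk at `@@ -73,6 +87,13 @@`, the new `## Security Impact Assessment` section sits before `## Hypotheses (Ranked by Likelihood)`, so the template asks for exploitability and data-exposure conclusions before any root cause has been proposed, and its four yes/no questions fix no output shape, unlike the confidence-labelled hypotheses that follow. Consider placing it after the hypotheses (or tying it to the top-ranked one) and asking for a rating with a one-line justification, e.g. `Security impact: None | Low | High (reason)`, so the answer is not a bare yes/no that nothing downstream can act on.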
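Review bot: in the hunk at `@@ -104,13 +125,19 @@`, `- Dependency vulnerabilities` is the one item under `1. **Security considerations:**` that cannot be assessed from the source the model is shown; without a manifest or lockfile and an advisory lookup the likely output is guessed CVE claims. Either scope it to what is visible, e.g. `- Pinned, outdated or unmaintained dependencies visible in the provided files`, or instruct that such findings be marked as needing verification rather than asserted.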
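Review bot: in the hunk at `@@ -152,8 +179,20 @@`, `- **Review ALL code changes, not just new additions**` is ambiguous about what it widens the removed `(CRITICAL for new additions)` to: modified and deleted lines in the diff, or the existing code around the diff. The commit message says "ALL code" while the line says "ALL code changes". Spell it out, e.g. `Apply these checks to added, modified and deleted lines and to existing code whose behaviour they alter`, and move it above the list, since it is an instruction nested among vulnerability classes.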