get to prod tasks
62
tasks/web-production/03-input-validation-xss.md
Normal file
@@ -0,0 +1,62 @@
# 03. Input Validation & XSS Prevention Audit
meta:
id: web-production-03
feature: web-production
priority: P1
depends_on: []
tags: [security, validation, production]
objective:
- Audit and harden all input validation to prevent XSS, injection attacks, and malformed data
deliverables:
- XSS prevention audit report
- Input sanitization layer
- HTML escaping on all user-generated content
- SQL injection protection verification
steps:
1. Audit all tRPC routers for input validation gaps:
- Check web/src/server/api/routers/*.ts for missing valibot schemas
- Ensure all user inputs have strict type validation
- Add maxLength constraints to all string inputs
2. Implement output escaping for user-generated content:
- Blog posts, user names, alert messages
- Use DOMPurify or similar on client-side rendering
- Escape HTML entities server-side before DB storage
3. Audit database queries for SQL injection:
- Verify all queries use Drizzle parameterized queries
- Check raw SQL usage in jobs and services
- Ensure no string concatenation in SQL
4. Add content validation for file uploads (if any):
- MIME type verification
- File size limits
- Scan for malware
5. Implement request body size limits:
- 1MB max for JSON payloads
- 10MB max for file uploads
6. Add tests for malformed input handling
tests:
- Unit: Test each router with XSS payloads, SQL injection attempts
- Integration: Submit malicious inputs via API, verify safe handling
- Security: Run OWASP ZAP or Burp Suite against app
acceptance_criteria:
- All tRPC inputs have strict valibot validation with bounds
- User-generated content escaped before rendering
- No SQL injection vectors in any query
- XSS payloads rendered as plain text, not executed
- Request body size limits enforced
- OWASP ZAP scan shows no high/critical vulnerabilities
validation:
- Submit `<script>alert('xss')</script>` in all text fields → rendered safely
- Submit SQL injection in search fields → no database errors
- Run `npm audit` and address all high severity issues
notes:
- Valibot schemas already in use — expand them with stricter bounds
- Consider using zod for more complex validation if valibot is limiting
- Sanitize inputs at API boundary, not just client-side
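Review bot: Step 2 combines "Escape HTML entities server-side before DB storage" with "Use DOMPurify or similar on client-side rendering", which double-encodes user names and alert messages (a stored `&lt;script&gt;` is escaped again at render time and shows up as literal entity text) and ties the stored value to a single output context, so any non-HTML consumer of the same column (JSON API responses, email, logs) receives pre-encoded data. Store the validated raw string and escape at render time for the context in use, and reserve DOMPurify for places where rich HTML is deliberately rendered; the acceptance criterion "User-generated content escaped before rendering" already describes that output-time model, so step 2 should be reworded to match it. Step 4's "Scan for malware" names no mechanism and should say what scanning means for this project before it is treated as done, and the `npm audit` item under validation is a dependency check rather than input validation and belongs in a separate task or deliverable.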