From e56ce1e1baa961ee1a89dcfc70e2eee4ae43e154 Mon Sep 17 00:00:00 2001 From: Ubuntu Date: Sun, 29 Mar 2026 15:07:53 +0000 Subject: [PATCH] intel: update appsec skills from community feedback 2026-03-29 dependency-scanning v1.0.2: shift-left/pre-install scanning, GlassWorm pattern, vendored native lib false negatives (ArXiv 2603.18693), MCP server packages secure-code-review v1.0.1: LLM confirmation bias warning (ArXiv 2603.18740), Kysely/type-safe ORM raw escape SQLi note (CVE-2026-32763) api-security v1.0.1: Spring Boot Actuator endpoint exposure (CVE-2026-22733, CVSS 8.2) owasp-top-10-web v1.0.2: type-safe ORM injection vectors (CVE-2026-32763, CVSS 8.2) Sources: communityfeedbackplan.md 2026-03-28 Community signal: dilbert5115 (shift-left), ArXiv peer review (LLM bias), CVE-backed --- skills/appsec/api-security/SKILL.md | 4 +- skills/appsec/dependency-scanning/SKILL.md | 84 +++++++++++++++++++++- skills/appsec/owasp-top-10-web/SKILL.md | 5 +- skills/appsec/secure-code-review/SKILL.md | 6 +- 4 files changed, 94 insertions(+), 5 deletions(-) diff --git a/skills/appsec/api-security/SKILL.md b/skills/appsec/api-security/SKILL.md index cbb125aa..333ef111 100644 --- a/skills/appsec/api-security/SKILL.md +++ b/skills/appsec/api-security/SKILL.md @@ -11,7 +11,7 @@ phase: [design, build, review] frameworks: [OWASP-API-Security-2023, OWASP-ASVS] difficulty: intermediate time_estimate: "20-40min" -version: "1.0.0" +version: "1.0.1" author: unitoneai license: MIT allowed-tools: Read, Grep, Glob 
@@ -215,6 +215,8 @@ Unlike REST, where authorization can be enforced per endpoint, GraphQL requires 6. **Ignoring upstream API trust.** Data received from third-party APIs and even internal microservices must be validated before use. A compromised upstream service can inject SQL, XSS, or SSRF payloads through otherwise trusted data channels. +7. **Exposing framework management endpoints without authentication.** Spring Boot Actuator endpoints (`/actuator/health`, `/actuator/env`, `/actuator/heapdump`, `/actuator/loggers`, `/actuator/mappings`) are enabled by default in many configurations and expose sensitive runtime state — including environment variables, configuration properties, and heap dumps containing credentials. **Always require authentication on all `/actuator/*` endpoints** and expose only necessary endpoints. Map to API2:2023 (Broken Authentication) + API8:2023 (Security Misconfiguration). CVE-2026-22733 (CVSS 8.2) is a recent auth bypass for misconfigured Actuator deployments. + --- ## Prompt Injection Safety Notice diff --git a/skills/appsec/dependency-scanning/SKILL.md b/skills/appsec/dependency-scanning/SKILL.md index 298fdd86..efd006d4 100644 --- a/skills/appsec/dependency-scanning/SKILL.md +++ b/skills/appsec/dependency-scanning/SKILL.md @@ -12,7 +12,7 @@ phase: [build, deploy] frameworks: [SLSA-v1.0, CycloneDX, SPDX, CISA-KEV] difficulty: intermediate time_estimate: "15-30min" -version: "1.0.0" +version: "1.0.2" author: unitoneai license: MIT allowed-tools: Read, Grep, Glob 
@@ -181,6 +181,86 @@ Typosquatting (also called dependency confusion or combosquatting) is a supply c - Implement dependency confusion protections: claim your internal package names on public registries, or use registry proxy tools like Artifactory or Nexus with routing rules. - Run `socket.dev`, `npm audit signatures`, or `sigstore` verification to validate package provenance. +## Shift-Left / Pre-Install Scanning + +### Why "Scan at Install" Is Too Late + +Standard CI-based SCA scanning runs **after** `npm install` or `pip install` completes. This is too late for packages that execute malicious code at install time via `preinstall`/`postinstall` scripts. The **GlassWorm campaign** (2025) demonstrated this: packages exfiltrated environment variables and credentials during `npm install`, before any CI scanner could flag them. + +Shift-left scanning means checking packages **before** installation and **before** package resolution resolves version ranges to a concrete version. + +### Layered Detection Model + +``` +IDE plugin (earliest) + └─ Pre-install check (before npm install / pip install runs) + └─ Package resolution check (before lockfile update) + └─ CI/CD post-install SCA scan (existing) + └─ Deploy-time SBOM attestation (latest) +``` + +### Pre-Install Controls + +1. **IDE-level enforcement:** Install IDE plugins (socket.dev, Snyk, Dependabot) that flag high-risk packages before the developer runs `npm install`. This is the earliest detection point and catches attacks on developer machines where CI never runs. +2. **`npm install --ignore-scripts`**: Block install hook execution during resolution. Allows lockfile generation without triggering malicious hooks. Validate scripts explicitly before enabling them. +3. **`socket.dev` pre-install scan**: `npx @socketregistry/cli analyze package.json` checks for install script presence, unusual network access patterns, and supply chain anomalies before dependencies are fetched. +4. 
**Namespace confusion check before resolution**: Run `npm pack --dry-run` or `pip download --no-deps` with version checks to verify publisher identity before writing to the lockfile. + +### Vendored Native Library False Negatives + +SCA scanners operating on manifests (`package.json`, `requirements.txt`) miss vulnerabilities in bundled or vendored native libraries -- C/C++ dependencies compiled into binary wheels or Go static builds. These are invisible to ecosystem-native scanners. + +- For Python wheels: use `trivy fs --scanners vuln` which inspects binary ELFs in wheel packages. +- For Go: `govulncheck` analyzes the compiled symbol table, not just `go.mod`. +- For Rust/C: include a binary SCA step (Grype, SBOM-based) to catch vendored native deps. + +Source: ArXiv 2603.18693 (Cross-Ecosystem Vulnerability Analysis). + +## MCP Server Package Scanning + +### MCP Packages as a Dependency Category + +MCP (Model Context Protocol) server packages -- distributed via npm scoped packages and PyPI -- represent an emerging dependency category requiring SCA scanning. AI agents and LLM-integrated applications increasingly rely on MCP servers as tool providers, making them a high-value supply chain target. + +### Fork Confusion Attacks (Distinct from Typosquatting) + +Unlike typosquatting (which uses misspelled package names), fork confusion targets AI agent tool dependencies through legitimate-looking scoped forks: + +| Attack Type | Mechanism | Example | +|---|---|---| +| Typosquatting | Misspelled name | `@modelcontextprotocl/server-github` | +| Fork confusion | Legitimate fork, different publisher | `@attacker-org/mcp-server-github` (forked from original) | + +Fork confusion is harder to detect because the package name may be identical to the original -- only the scope/publisher differs. The forked package may contain identical code initially, with malicious payloads introduced in later updates. 
+ +**Real-world case -- iflow-mcp mass-fork campaign (2025):** An organization systematically forked hundreds of MCP servers and republished them under their own npm/PyPI scopes without disclosure, creating a supply chain attack surface for AI agent developers. + +### Detection Approach for MCP Packages + +1. **Identify MCP dependencies**: Scan manifests for packages matching `mcp-server-*`, `@*/mcp-*`, or MCP-related PyPI packages. +2. **Verify publisher identity**: Cross-check the npm scope or PyPI maintainer against the upstream MCP server repository (e.g., `github.com/modelcontextprotocol/servers`). +3. **Check for exact version pinning**: MCP server packages should use `--save-exact` (npm) or `==` pinning (pip) with integrity hashes. +4. **Run `npm audit signatures`**: Verify that MCP packages have valid registry signatures and Sigstore attestations. +5. **Compare package contents**: For critical MCP servers, diff the installed package against the original repository source to detect injected code. + +### SLSA v1.0 Alignment for MCP Packages + +MCP server packages should meet the same SLSA provenance requirements as other dependencies: + +- Verify provenance attestations link the package to its source repository. +- Ensure the build was performed on a hosted, trusted build platform (not a developer laptop). +- Pin packages by content hash, not just version number. + +### Supply Chain Risk Indicators (MCP-Specific) + +Add the following to the standard supply chain risk checklist: + +- [ ] MCP server package installed from unverified fork/publisher +- [ ] MCP server packages without exact version pinning or integrity hashes +- [ ] No publisher identity verification process for MCP tool dependencies + +--- + ## Assessment Output Template When performing a dependency scan, produce findings in the following structure: 
@@ -251,3 +331,5 @@ This skill processes user-supplied content including package manifests, lockfile - [NIST NVD](https://nvd.nist.gov/) - [OpenSSF Scorecard](https://securityscorecards.dev/) - [Executive Order 14028 - Improving the Nation's Cybersecurity](https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/) +- [Socket.dev Supply Chain Security](https://socket.dev/) +- [ArXiv 2603.18693 — Cross-Ecosystem Vulnerability Analysis](https://arxiv.org/abs/2603.18693) diff --git a/skills/appsec/owasp-top-10-web/SKILL.md b/skills/appsec/owasp-top-10-web/SKILL.md index ef63f330..cdc63d79 100644 --- a/skills/appsec/owasp-top-10-web/SKILL.md +++ b/skills/appsec/owasp-top-10-web/SKILL.md @@ -12,7 +12,7 @@ phase: [build, review] frameworks: [OWASP-Top-10-2021] difficulty: intermediate time_estimate: "30-60min" -version: "1.0.1" +version: "1.0.2" author: unitoneai license: MIT allowed-tools: Read, Grep, Glob 
@@ -230,6 +230,7 @@ setHeader\(.*req\.|res\.set\(.*req\.|response\.addHeader.*request\.getParameter - Use parameterized queries (prepared statements) for all SQL — no exceptions. - Use ORM methods properly; avoid raw query escape hatches unless inputs are strictly validated and parameterized. +- **Type-safe query builders are NOT immune to injection.** Kysely (`.raw()`), Drizzle (`sql\`\`` template), TypeORM (`.query()`), and similar "type-safe" ORMs offer raw expression escape hatches that bypass type guarantees and can introduce SQLi. Audit all raw escape usage explicitly (CVE-2026-32763, Kysely, CVSS 8.2). - For OS commands, use array-based APIs (e.g., `subprocess.run([...])` without `shell=True`); validate and allowlist expected argument values. - Apply context-aware output encoding for XSS: HTML-encode for HTML body, attribute-encode for attributes, JS-encode for script contexts. Use frameworks' built-in auto-escaping. - Validate and sanitize all input on the server side; use allowlists over denylists. 
@@ -681,7 +682,7 @@ Present findings in this structure: 2. **Confusing output encoding with input validation.** Input validation rejects malformed data; output encoding neutralizes data for a specific rendering context. Both are required. Validating input alone does not prevent stored XSS if the output is not encoded when rendered. -3. **Assuming ORM usage eliminates SQL injection.** ORMs provide parameterized queries by default, but nearly every ORM offers raw query escape hatches. A single `raw()`, `execute()`, or `$queryRaw` call with string interpolation reintroduces SQL injection. +3. **Assuming ORM usage eliminates SQL injection.** ORMs provide parameterized queries by default, but nearly every ORM offers raw query escape hatches. A single `raw()`, `execute()`, or `$queryRaw` call with string interpolation reintroduces SQL injection. This applies equally to "type-safe" query builders: Kysely's `.raw()`, Drizzle's `sql\`\`` template, and TypeORM's `.query()` can all introduce injection if string interpolation is used (CVE-2026-32763, CVSS 8.2). 4. **Reporting deprecated algorithms without context.** MD5 used for non-security checksums (e.g., cache busting, ETags) is not a cryptographic failure. Only flag weak algorithms when they protect sensitive data, passwords, or integrity-critical operations. State the security impact clearly. diff --git a/skills/appsec/secure-code-review/SKILL.md b/skills/appsec/secure-code-review/SKILL.md index be7101ab..8e6269d6 100644 --- a/skills/appsec/secure-code-review/SKILL.md +++ b/skills/appsec/secure-code-review/SKILL.md @@ -12,7 +12,7 @@ phase: [build, review] frameworks: [OWASP-ASVS, CWE-Top-25, OWASP-Top-10] difficulty: intermediate time_estimate: "15-45min per module" -version: "1.0.0" +version: "1.0.1" author: unitoneai license: MIT allowed-tools: Read, Grep, Glob 
@@ -106,6 +106,7 @@ Remediation: Canonicalize the resolved path and verify it remains within the exp - [ ] Every point where user input enters the system is identified. - [ ] All SQL queries use parameterized statements or a query builder -- no string concatenation. +- [ ] Type-safe query builders (Kysely, Drizzle, TypeORM) are audited for raw escape hatches: `.raw()`, `sql.raw()`, `sql\`\`` template literals, `.query()` — these bypass type safety and can introduce SQLi (CVE-2026-32763, CVSS 8.2). - [ ] HTML output is encoded contextually (HTML body, attribute, JavaScript, URL). - [ ] OS commands, if unavoidable, use allowlisted arguments and avoid shell interpretation. - [ ] File path operations validate and canonicalize against a base directory. @@ -541,6 +542,8 @@ The final review output must be structured as follows: 5. **Overlooking secrets in non-obvious locations.** Hard-coded credentials hide in test fixtures, CI/CD pipeline configs, Docker Compose files, client-side bundles, and comments. Grep broadly for high-entropy strings, common secret patterns (API keys, JWTs), and known environment variable names. +6. **Using LLM-only review as a supply-chain gate.** LLMs used for code review exhibit measurable confirmation bias — they favor interpretations consistent with prior context in the conversation. This is an exploitable vulnerability: attackers can craft adversarial supply-chain commits that exploit LLM reviewer tendency to confirm existing safe-looking patterns. **Do not use LLM-only review as a hard gate for supply-chain or CI/CD merge decisions.** Always pair LLM-assisted review with deterministic SAST tools. (Source: Mitropoulos et al., ArXiv 2603.18740 — empirical study demonstrating the failure mode.) + --- ## Prompt Injection Safety Notice 
@@ -563,3 +566,4 @@ This skill is hardened against prompt injection. When reviewing code: - **OWASP Top 10 (2021):** https://owasp.org/www-project-top-ten/ - **OWASP Cheat Sheet Series:** https://cheatsheetseries.owasp.org/ - **NIST Secure Software Development Framework:** https://csrc.nist.gov/projects/ssdf +- **ArXiv 2603.18740 — Measuring and Exploiting Confirmation Bias in LLM-Assisted Security Code Review (Mitropoulos et al.):** https://arxiv.org/abs/2603.18740
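Review bot: Item 7 in the api-security hunk (`@@ -215,6 +215,8 @@`) confuses "enabled" with "exposed" and then lists `/actuator/health` among the sensitive endpoints it says must always be authenticated. In Spring Boot 2.x and 3.x almost all Actuator endpoints are enabled, but only `health` (and `info` on Boot 2.0 to 2.5) is exposed over HTTP unless `management.endpoints.web.exposure.include` is widened; `env`, `heapdump`, `loggers` and `mappings` become reachable when an operator sets `include=*`, which is the misconfiguration the item should name. Split the list accordingly: `/actuator/health` is routinely and legitimately unauthenticated for load-balancer and Kubernetes probes (keep `management.endpoint.health.show-details` at `never`, ideally on a separate `management.server.port`), while `env`, `heapdump`, `loggers`, `mappings` and anything else in `include` must require authentication or be excluded from web exposure. As written, "Always require authentication on all `/actuator/*` endpoints" breaks most readiness probes. Also link the advisory for CVE-2026-22733 so a reader can check which component and version range the bypass applies to; the hunk gives only the ID and a score.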
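Review bot: Several commands in the dependency-scanning hunk (`@@ -181,6 +181,86 @@`) do not do what the surrounding text claims, so a reader copying them gets false assurance. (1) `npm install --ignore-scripts` still fetches and unpacks every package; for "lockfile generation without triggering malicious hooks" the flag is `npm install --package-lock-only`, and `ignore-scripts=true` belongs in `.npmrc` so it also covers `npm ci` and transitive installs. (2) `npx @socketregistry/cli analyze package.json` does not match the CLI Socket publishes, which ships as `@socketsecurity/cli` (`socket npm install ...` wraps the install, `socket scan create` scans a manifest); verify the exact invocation against current docs before shipping it. (3) `npm pack --dry-run` and `pip download --no-deps` show tarball contents; neither verifies publisher identity. Use `npm view <pkg> maintainers` and `npm view <pkg>@<version> dist.integrity` (then `npm audit signatures` after a lockfile-only install), and for PyPI the project page or the `/pypi/<name>/json` API, and compare against the expected owner. (4) Dependabot is a GitHub service, not an IDE plugin; drop it from the IDE list. (5) In "Vendored Native Library False Negatives", `trivy fs` detects Python packages from `dist-info` metadata and `govulncheck` reports vulnerable Go module symbols reachable from the binary; neither resolves CVEs in a C library statically linked into a wheel or pulled in through cgo, which is exactly the gap this subsection is about. State that limitation and make the binary/SBOM scanner (Syft + Grype, which recognises a set of well-known native libraries by binary signature) the control, otherwise the false negative stays. (6) In the MCP subsection the step-1 patterns (`mcp-server-*`, `@*/mcp-*`) do not match the upstream naming `@modelcontextprotocol/server-*` that step 2 uses as its baseline; add that pattern, and reconcile the table (`@attacker-org/mcp-server-github` versus upstream `server-github`) with the sentence claiming the fork keeps an identical package name. The GlassWorm and iflow-mcp descriptions carry no link; add a source for each so the claims are checkable. Pre-existing but visible in the context line: dependency confusion is a distinct attack from typosquatting (it targets internal package names on public registries, as the bullet below it describes), so the parenthetical in the section lead is wrong.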
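Review bot: The bullet added in the owasp-top-10-web hunk (`@@ -230,6 +230,7 @@`) puts the tagged templates on the wrong side of the line. In Kysely and Drizzle the `sql` template tag turns every `${...}` interpolation into a bound parameter; that is the safe path, and a reviewer following this bullet would flag it. The sinks are `sql.raw(...)` in both, `sql.lit(...)` in Kysely, and a hand-built string passed to TypeORM's `.query()`; current Kysely releases have no `.raw()` query-builder method (the old `db.raw()` was replaced by the `sql` tag). Reword to: "the `sql` tag is parameterized; `sql.raw()`, `sql.lit()` and concatenated strings passed to `.query()` are not, so audit those". Two formatting points: `sql\`\`` does not render, because a backslash does not escape inside a Markdown code span (use a double-backtick span), and CVE-2026-32763 should carry a link to the advisory rather than only an ID and score, since the claim that it is a Kysely issue is otherwise unverifiable from the page.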
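Review bot: The sentence appended to pitfall 3 (`@@ -681,7 +682,7 @@`) repeats the new cheat-sheet bullet almost verbatim and repeats its error: `sql\`... ${x}\`` in Kysely or Drizzle binds `x` as a parameter and does not introduce injection, whereas `sql.raw()`, `sql.lit()` and string-built `.query()` calls do. Make this pitfall the single place that states the rule (type safety covers the builder API, not `raw`/`lit` or hand-built strings) and keep the bullet to a one-line pointer. The same template-versus-raw distinction applies to the `$queryRaw` example already in the line: Prisma's tagged `$queryRaw` is parameterized, and `$queryRawUnsafe` is the sink, so name that rather than implying the tagged call is the problem.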
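Review bot: The checklist item added at `@@ -106,6 +106,7 @@` lists `sql\`\`` template literals next to `sql.raw()` as things that "bypass type safety and can introduce SQLi". For Kysely and Drizzle the tag is the parameterized form, so a reviewer working through this checklist would flag every safe query and still have no rule for the real sink. Reword to: "raw escape hatches audited: interpolation into `sql.raw()`, `sql.lit()`, or a string passed to `.query()`/`execute()`; the `sql` tagged template binds parameters and is the preferred form". Fix the inline code too: `sql\`\`` breaks the code span in Markdown, use a double-backtick span.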
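Review bot: Item 6 at `@@ -541,6 +542,8 @@` describes the failure mode but offers only "pair with SAST" as mitigation, while the mechanism it states (bias toward prior context in the conversation) points to cheaper controls that belong in the list: run the LLM pass without the submitter-authored PR description or commit message in context, review each file or hunk in a fresh context rather than one long session, and treat an LLM "no issues" verdict as absence of a finding rather than as a pass. "This is an exploitable vulnerability" is too loose for a review skill; say what is exploitable (a merge gate that accepts the LLM verdict). The citation attributes the paper to Mitropoulos et al., a name the commit message does not give; confirm the author list and that the paper measured the bias empirically (rather than hypothesising it) against the arXiv record before attributing the result.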
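Review bot: The reference appended at `@@ -563,3 +566,4 @@` carries a full title and author list that no other citation of 2603.18740 in this patch gives; confirm both against what the arXiv ID resolves to, and use the same entry format (title, authors, link) for the 2603.18693 entry added to the dependency-scanning references so the two lists are consistent.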