orion/.security-rules/injection.yaml
Samir Boulahtit 26b3dc9e3b feat: add unified code quality dashboard with multiple validators
- Add validator_type field to scans and violations (architecture,
  security, performance)
- Create security validator with SEC-xxx rules
- Create performance validator with PERF-xxx rules
- Add base validator class for shared functionality
- Add validate_all.py script to run all validators
- Update code quality service with validator type filtering
- Add validator type tabs to dashboard UI
- Add validator type filter to violations list
- Update stats response with per-validator breakdown
- Add security and performance rules documentation
- Add chat-bubble icons to icon library

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-21 20:57:47 +01:00
# Injection Prevention Rules
# ==========================
injection_rules:
  - id: SEC-011
    name: No raw SQL queries
    severity: error
    description: >
      Use SQLAlchemy ORM or parameterized queries only.
      Never concatenate user input into SQL strings.

  - id: SEC-012
    name: No shell command injection
    severity: error
    description: >
      Never use shell=True with subprocess.
      Use subprocess with list arguments.

  - id: SEC-013
    name: No code execution
    severity: error
    description: >
      Never use eval() or exec() with user input.

  - id: SEC-014
    name: Path traversal prevention
    severity: error
    description: >
      Validate file paths to prevent directory traversal.
      Use secure_filename() for uploads.

  - id: SEC-015
    name: XSS prevention in templates
    severity: error
    description: >
      Use safe output methods in templates.
      Prefer x-text over x-html.

  - id: SEC-016
    name: LDAP injection prevention
    severity: error
    description: >
      Escape special characters in LDAP queries.

  - id: SEC-017
    name: XML external entity prevention
    severity: error
    description: >
      Disable external entities when parsing XML.
      Use defusedxml.

  - id: SEC-018
    name: Template injection prevention
    severity: error
    description: >
      Never render user input as template code.

  - id: SEC-019
    name: SSRF prevention
    severity: warning
    description: >
      Validate URLs before making external requests.
      Whitelist allowed domains.

  - id: SEC-020
    name: Deserialization safety
    severity: error
    description: >
      Never deserialize untrusted data with pickle.
      Use yaml.safe_load() instead of yaml.load().
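The security validator that consumes these rules is not shown on this page. As an added example (my own code, not the project's validator), here is a minimal AST-based checker for three of the rules above, SEC-012, SEC-013 and SEC-020, run over a constructed sample source; the rule ids come from the YAML, while the function names and the sample are assumptions.

```python
import ast
from dataclasses import dataclass


@dataclass
class Violation:
    rule_id: str   # SEC-xxx id from injection.yaml
    lineno: int    # line in the scanned source
    message: str


def _call_name(node: ast.Call) -> str:
    """Dotted name of the callee, e.g. 'eval' or 'subprocess.run' (empty if not a simple name)."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


def check_injection_rules(source: str) -> list[Violation]:
    """Scan Python source text and report SEC-012, SEC-013 and SEC-020 findings, sorted by line."""
    found: list[Violation] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        kwargs = {kw.arg: kw.value for kw in node.keywords}
        shell = kwargs.get("shell")
        # SEC-012: any subprocess.* call passing shell=True as a literal
        if name.startswith("subprocess.") and isinstance(shell, ast.Constant) and shell.value is True:
            found.append(Violation("SEC-012", node.lineno, f"{name} called with shell=True"))
        # SEC-013: eval()/exec() (static check cannot prove the argument is user input, so flag all)
        if name in {"eval", "exec"}:
            found.append(Violation("SEC-013", node.lineno, f"{name}() used"))
        # SEC-020: pickle deserialization or yaml.load() instead of yaml.safe_load()
        if name in {"pickle.load", "pickle.loads", "yaml.load"}:
            found.append(Violation("SEC-020", node.lineno, f"unsafe deserialization via {name}"))
    return sorted(found, key=lambda v: v.lineno)


# Constructed sample input for the checker (not real project code).
SAMPLE = '''\
import subprocess, yaml, pickle
def handler(cmd, blob, doc):
    subprocess.run(cmd, shell=True)   # SEC-012
    value = eval(doc)                 # SEC-013
    cfg = yaml.load(doc)              # SEC-020
    obj = pickle.loads(blob)          # SEC-020
    ok = yaml.safe_load(doc)          # allowed
    subprocess.run(["ls", "-l"])      # allowed
'''
```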