singularity-forge/src/resources/skills/code-optimizer/references/security-performance.md

# Security-Related Performance Issues
## Grep/Glob Patterns to Detect
### Cryptographic Misuse
```
md5\( (MD5 is fast but broken - use bcrypt/argon2 for passwords, SHA-256 for integrity hashing)
sha1\( (SHA-1 is collision-broken - not for signatures, certificates or passwords)
\.(hashSync|genSaltSync)\([^)]*\b[1-9]\b (bcrypt cost factor below 10; cost is log2 of the iteration count, so 5 means 32 rounds - OWASP recommends 10 or more; if the cost is a variable, follow it)
DES\b (DES is obsolete - 56-bit key; also matches 3DES, which NIST has deprecated)
Math\.random\(\).*(token|password|secret) (Math.random for security tokens - it is not a CSPRNG)
random\.(random|randint|choices?)\(.*(secret|token|password) (Python: insecure random for secrets - use the secrets module or os.urandom)
# the secret's name is usually on the left of the assignment, so also grep the reverse order (secret.*Math\.random) and use -i
```
### Expensive Security Operations in Hot Paths
```
# "inside loop" is not something grep can see: match the call, then check the surrounding lines (grep -n -B10) for an enclosing for/while/forEach/map
bcrypt\.(hash|compare)(Sync)?\( (hashing in loop - expensive by design; one compare per request is the most you want)
jwt\.verify\( (JWT verification in loop - verify once per request and pass the claims down)
\b(encrypt|decrypt)\( (encryption in loop - batch the payload instead)
\.hash\( (hashing in loop)
```
### Missing Rate Limiting
```
# these match every route; a route is a finding only if no limiter covers it - cross-check against rateLimit\( (express-rate-limit), @limiter\.limit (Flask-Limiter) and @ratelimit\( (django-ratelimit), and look for app-level middleware before flagging individual routes
app\.(get|post|put|delete)\( (routes without rate limiting)
@app\.route\( (Flask routes without rate limiting)
router\.(get|post|put|delete)\( (Express routes without rate limiting)
```
### SQL Injection Vectors (Also Performance)
```
# string-built queries are injectable and, because every call produces new SQL text, defeat the driver's statement/plan cache
f"(SELECT|INSERT|UPDATE|DELETE).*\{ (Python f-string SQL)
`(SELECT|INSERT|UPDATE|DELETE).*\$\{ (JS template literal SQL)
"SELECT.*" \+ \w+ (string concat SQL)
'SELECT.*' \+ \w+ (string concat SQL)
\.raw\(.*\+ (raw query with concatenation)
\.execute\(.*["']\s*% (Python % operator applied to the query string)
# note: execute("... WHERE id = %s", (uid,)) is the parameterized form for psycopg2/MySQLdb and is safe; only a % operator right after the closing quote is a finding
```
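Strategy 4 from the list below worked through, as an added example that is not code from this reference or the singularity-forge project: the f-string query from the pattern list beside its parameterized form, run against the same attacker input on an in-memory SQLite database (stdlib `sqlite3`, so it runs offline). The `users` table, the payload and the function names are constructed for the demo.

```python
"""Strategy 4 on an in-memory SQLite database: the f-string query beside
the parameterized one, run against the same attacker input.

Added example, not code from the original reference or the
singularity-forge project. The users table, PAYLOAD and the function
names are constructed for the demo; sqlite3 is stdlib, so it runs offline.
"""
import sqlite3

PAYLOAD = "x' OR '1'='1"            # constructed attacker input


def setup():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_user_unsafe(conn, name):
    # The f-string pattern from the grep list: the input is spliced into the SQL
    # text, so a quote in it ends the literal and the rest is parsed as SQL.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    # Parameterized: the SQL text is constant and the driver binds the value,
    # so the quote in the payload is just a character in the compared string.
    # Constant text is also what lets the driver reuse its prepared statement.
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def demo():
    conn = setup()
    return {
        "unsafe": find_user_unsafe(conn, PAYLOAD),   # every row: WHERE name = 'x' OR '1'='1'
        "safe": find_user_safe(conn, PAYLOAD),       # nobody is literally named x' OR '1'='1
        "safe_normal": find_user_safe(conn, "bob"),  # ordinary lookups still work
    }


if __name__ == "__main__":
    print(demo())
```

Parameters bind values only: a table or column name chosen by the caller still has to be checked against an allow-list, and `%`/`_` in user input still act as wildcards inside a `LIKE` pattern.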
### ReDoS Vulnerable Patterns
```
\(\.\*\)\+ (catastrophic backtracking: (.*)+)
\(\.\+\)\+ (catastrophic backtracking: (.+)+)
\([^)]*\|[^)]*\)\+ (repeated alternation - a finding only when the alternatives overlap, e.g. (a|a)+ or (\w|\d)+; disjoint alternatives are fine)
\(\[.*\]\+\)\+ (nested quantifiers: ([...]+)+)
new RegExp\(.*user (user input in regex - "user" is only a naming heuristic; any unescaped variable in the pattern argument counts, and the fix is an escape helper)
re\.compile\(.*user (Python: user input in regex - same caveat; re.escape() turns the input into a literal)
```
### N+1 Auth Checks
```
# permission checks inside loops: match the call, then check the enclosing lines (grep -n -B10) for a for/while/forEach/map - one backend round trip per item is the N+1 shape
\.can\( (permission check in loop)
\.authorize\( (authorization in loop)
isAllowed\( (permission check in loop)
hasPermission\( (permission check in loop)
```
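The pattern lists above run as one scanner, as an added example that is not tooling from this reference or the singularity-forge project (Python, stdlib `re` only). `SAMPLE` is constructed source mixing the JS and Python shapes the lists describe. Two things go beyond the raw grep lines: the "inside loop" rules only fire when a `for`/`while`/`forEach`/`map` header precedes the match at a shallower indentation, which is the manual check the lists ask for, and the nested-quantifier rule is the general form of `(.*)+`, `(.+)+` and `([...]+)+` (any quantified group that itself contains a quantifier). The `%` rule is written so the `"... %s", (params,)` paramstyle is not flagged.

```python
"""Scanner that runs the grep patterns above over source lines.

Added example, not tooling from the original reference or the
singularity-forge project; stdlib re only. SAMPLE is constructed
source. Rules with needs_loop=True (the "inside loop" patterns) only
report a finding when a for/while/forEach/map header precedes the line
at a shallower indentation, which is the check the reference asks a
reviewer to do by hand.
"""
import re

# (regex, description, needs_loop)
RULES = [
    (r"\bmd5\(", "MD5 used; use bcrypt/argon2 for passwords", False),
    (r"(?i)(token|password|secret).*Math\.random\(\)|Math\.random\(\).*(token|password|secret)",
     "Math.random used for a secret", False),
    (r"(?i)(token|password|secret).*\brandom\.(random|randint|choices?)\(|\brandom\.(random|randint|choices?)\(.*(token|password|secret)",
     "Python random used for a secret", False),
    (r'f"(SELECT|INSERT|UPDATE|DELETE).*\{', "Python f-string SQL", False),
    (r"`(SELECT|INSERT|UPDATE|DELETE).*\$\{", "JS template literal SQL", False),
    # the % operator applied to the query string; "... %s", (params,) is the safe paramstyle and is not matched
    (r"""\.execute\(.*["']\s*%\s*[\w(]""", "Python % formatting of SQL", False),
    # generalisation of (.*)+, (.+)+ and ([...]+)+: a quantified group that itself contains a quantifier
    (r"\([^()]*[+*]\)[+*]", "nested quantifiers (ReDoS)", False),
    (r"new RegExp\(.*\buser", "user input compiled into a regex", False),
    (r"\bbcrypt\.(hash|compare)(Sync)?\(", "bcrypt call inside a loop", True),
    (r"\bjwt\.verify\(", "JWT verification inside a loop", True),
    (r"\.(can|authorize|isAllowed|hasPermission)\(", "permission check inside a loop", True),
]
COMPILED = [(re.compile(p), desc, loop) for p, desc, loop in RULES]
LOOP_HEADER = re.compile(r"^\s*(for\b|while\b|.*\.(forEach|map|filter)\()")


def indent(line):
    return len(line) - len(line.lstrip())


def inside_loop(lines, idx, lookback=20):
    """True if a loop header encloses lines[idx], judged by indentation."""
    depth = indent(lines[idx])
    for j in range(idx - 1, max(idx - lookback, 0) - 1, -1):
        prev = lines[j]
        if not prev.strip():
            continue
        if indent(prev) < depth:          # a line that encloses the current one
            if LOOP_HEADER.match(prev):
                return True
            depth = indent(prev)          # keep climbing out of if/else/function bodies
            if depth == 0:
                return False
    return False


def scan(source):
    """Return [(line_number, description)] for every rule that fires."""
    lines = source.splitlines()
    findings = []
    for i, line in enumerate(lines):
        for rx, desc, needs_loop in COMPILED:
            if rx.search(line) and (not needs_loop or inside_loop(lines, i)):
                findings.append((i + 1, desc))
    return findings


# Constructed sample: line 4 (safe paramstyle) and line 12 (jwt.verify outside a loop) must not fire.
SAMPLE = """\
const h = md5(password);
const sessionToken = Math.random().toString(36).slice(2);
api_secret = "".join(random.choice(chars) for _ in range(32))
cursor.execute("SELECT * FROM users WHERE id = %s", (uid,))
cursor.execute("SELECT * FROM users WHERE id = %s" % uid)
for (const u of users) {
    bcrypt.compareSync(u.pw, hash);
}
for user in users:
    if user.active:
        acl.can(user, "read")
jwt.verify(token, key);
query = f"SELECT * FROM t WHERE name = '{name}'"
db.query(`SELECT * FROM t WHERE id = ${id}`);
const re1 = /^(a+)+$/;
const re2 = new RegExp(userInput);
"""

if __name__ == "__main__":
    for lineno, desc in scan(SAMPLE):
        print(f"{lineno:3}: {desc}")
```

The indentation heuristic is deliberately cheap: it handles Python blocks and brace-indented JS, but code with inconsistent indentation or loop bodies on one line needs an AST-based check instead.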
## Improvement Strategies
1. **Crypto**: bcrypt/argon2 for passwords (bcrypt cost 10 or more), SHA-256 or stronger for integrity hashing, crypto.randomBytes (Node) or the secrets module (Python) for tokens
2. **Hot path crypto**: verify a JWT once per request and pass the decoded claims down; if results are cached across requests, key the cache on the full token string and expire the entry at the token's exp so a cached result never outlives the token; batch encrypt/decrypt instead of calling per item
3. **Rate limiting**: add rate limiters (express-rate-limit, Flask-Limiter, django-ratelimit, etc.), starting with login, password reset and token endpoints, which is also where the expensive hashing lives
4. **SQL injection**: use parameterized queries/prepared statements (also faster where the driver caches prepared statements, since the SQL text no longer changes per call); parameters cover values only, so table or column names chosen by the caller still need an allow-list and LIKE wildcards in user input still need escaping
5. **ReDoS**: audit regex patterns for nested quantifiers and overlapping alternation, use a linear-time engine (RE2: Go's regexp, the re2 package for Node, google-re2 for Python), escape user input before embedding it (re.escape, or an escape helper in JS), and set a match timeout where the runtime has one (.NET Regex matchTimeout); the built-in Node and Python engines have none
6. **Auth batching**: load the user's permissions once per request and answer the per-item checks from that in-memory set; scope the cache to the request so a revoked grant is gone on the next one
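Strategy 6 and the N+1 pattern list above, as an added example that is not code from this reference or the singularity-forge project: the per-item check beside a per-request preload, with a constructed `PermissionStore` standing in for a database-backed ACL and counting round trips. `GRANTS` and `DOCS` are demo data.

```python
"""Strategy 6: the N+1 permission check beside a per-request preload.

Added example, not code from the original reference or the
singularity-forge project. PermissionStore is a constructed stand-in
for a database-backed ACL that counts round trips; GRANTS and DOCS are
demo data.
"""


class PermissionStore:
    """Stand-in for the ACL backend; every method call is one round trip."""

    def __init__(self, grants):
        self._grants = grants      # {(user, resource): {action, ...}}
        self.round_trips = 0

    def can(self, user, resource, action):
        self.round_trips += 1
        return action in self._grants.get((user, resource), set())

    def grants_for(self, user, resources):
        """One query answering every resource the request will touch."""
        self.round_trips += 1
        return {r: self._grants.get((user, r), set()) for r in resources}


class RequestPermissions:
    """Request-scoped view: built once, then answered from memory.
    Not shared across requests, so a revoked grant is gone on the next one."""

    def __init__(self, store, user, resources):
        self._allowed = store.grants_for(user, resources)

    def can(self, resource, action):
        return action in self._allowed.get(resource, set())


def readable_docs_n_plus_1(store, user, docs):
    # The shape the grep patterns flag: a backend check on every loop iteration.
    return [d for d in docs if store.can(user, d, "read")]


def readable_docs_batched(store, user, docs):
    perms = RequestPermissions(store, user, docs)
    return [d for d in docs if perms.can(d, "read")]


GRANTS = {("alice", "doc1"): {"read", "write"}, ("alice", "doc3"): {"read"}}
DOCS = ["doc1", "doc2", "doc3", "doc4"]


def demo():
    """Same answer both ways; round trips drop from len(DOCS) to 1."""
    s1 = PermissionStore(GRANTS)
    r1 = readable_docs_n_plus_1(s1, "alice", DOCS)
    s2 = PermissionStore(GRANTS)
    r2 = readable_docs_batched(s2, "alice", DOCS)
    return r1, s1.round_trips, r2, s2.round_trips


if __name__ == "__main__":
    print(demo())   # (['doc1', 'doc3'], 4, ['doc1', 'doc3'], 1)
```

The preload needs the list of resources up front; when that list is only known inside the loop, fetch the user's full grant set once per request instead and filter in memory.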