singularity-forge/src/resources/skills/code-optimizer/references/security-performance.md
Juan Francisco Lebrero 7868761ca0 feat: add 10 bundled skills for UI, quality, and code optimization (#999)
Add community-sourced skills covering:

Coding & Quality:
- code-optimizer: 13-domain parallel optimization audit
- react-best-practices: 57 React/Next.js performance rules (Vercel)
- best-practices: Web security, CSP, HTTPS, HTML validity

UI & Design:
- userinterface-wiki: 152 UI/UX rules (animations, springs, UX laws, typography)
- make-interfaces-feel-better: 16 practical polish principles

Testing & Audit:
- web-quality-audit: Lighthouse-style 150+ checks
- accessibility: WCAG guidelines and ARIA patterns
- core-web-vitals: LCP/CLS/INP deep dive
- web-design-guidelines: Vercel Web Interface Guidelines

Tooling:
- agent-browser: Browser automation CLI for testing and scraping
2026-03-17 17:23:39 -06:00


# Security-Related Performance Issues

## Grep/Glob Patterns to Detect

### Cryptographic Misuse

```
md5\(                              (MD5 is fast but broken - use bcrypt/argon2 for passwords)
sha1\(                             (SHA1 is weak)
\.hashSync\(.*rounds.*\b[1-5]\b    (bcrypt with low rounds; \b on both sides so "rounds 12" is not flagged)
DES\b                              (DES is obsolete)
Math\.random\(\).*token            (Math.random for security tokens)
Math\.random\(\).*password         (Math.random for password generation)
random\.random\(\).*secret         (Python: insecure random for secrets)
```

### Expensive Security Operations in Hot Paths

```
bcrypt.*inside.*loop               (hashing in loop - expensive by design)
jwt\.verify\(.*inside.*loop        (JWT verification in loop)
encrypt\(.*inside.*loop            (encryption in loop)
\.hash\(.*inside.*loop             (hashing in loop)
```

### Missing Rate Limiting

```
app\.(get|post|put|delete)\(       (routes without rate limiting)
@app\.route\(                      (Flask routes without rate limiting)
router\.(get|post|put|delete)\(    (Express routes without rate limiting)
```

### SQL Injection Vectors (Also Performance)

```
f"SELECT.*\{                       (Python f-string SQL)
f"INSERT.*\{                       (Python f-string SQL)
`SELECT.*\$\{                      (JS template literal SQL)
"SELECT.*" \+ \w+                  (string concat SQL)
'SELECT.*' \+ \w+                  (string concat SQL)
\.raw\(.*\+                        (raw query with concatenation)
\.execute\(.*%.*%                  (Python format string SQL)
```

### ReDoS Vulnerable Patterns

```
\(\.\*\)\+                         (catastrophic backtracking)
\(\.\+\)\+                         (catastrophic backtracking)
\([^)]*\|[^)]*\)\+                 (alternation with repetition)
\(\[.*\]\+\)\+                     (nested quantifiers)
new RegExp\(.*user                 (user input in regex)
re\.compile\(.*user                (Python: user input in regex)
```

### N+1 Auth Checks

```
# Checking permissions inside loops
\.can\(.*inside.*loop              (permission check in loop)
\.authorize\(.*inside.*loop        (authorization in loop)
isAllowed\(.*inside.*loop          (permission check in loop)
hasPermission\(.*inside.*loop      (permission check in loop)
```
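
A small audit driver, added here as an example and not part of the skill file, that compiles a subset of the patterns above (crypto misuse, SQL injection, ReDoS) and runs them over constructed source lines; the sample lines, the `scan` helper and the category names are assumptions for the example, and the bcrypt-rounds pattern carries a leading `\b` so that a safe cost of 12 is not reported.

```python
import re

# Subset of the page's patterns, grouped as on the page. The bcrypt-rounds
# pattern gets a leading \b so "rounds ... 12" is not flagged as low rounds.
PATTERNS = {
    "crypto-misuse": [
        r"md5\(", r"sha1\(",
        r"\.hashSync\(.*rounds.*\b[1-5]\b",
        r"Math\.random\(\).*(token|password)",
        r"random\.random\(\).*secret",
    ],
    "sql-injection": [
        r'f"(SELECT|INSERT).*\{', r"`SELECT.*\$\{",
        r"""["']SELECT.*["'] \+ \w+""", r"\.raw\(.*\+", r"\.execute\(.*%.*%",
    ],
    "redos": [
        r"\(\.\*\)\+", r"\(\.\+\)\+", r"\(\[.*\]\+\)\+",
        r"new RegExp\(.*user", r"re\.compile\(.*user",
    ],
}
COMPILED = {cat: [re.compile(p) for p in pats] for cat, pats in PATTERNS.items()}


def scan(lines):
    """Return (line_no, category, pattern) for each pattern that hits a line."""
    findings = []
    for no, line in enumerate(lines, 1):
        for cat, regs in COMPILED.items():
            for reg in regs:
                if reg.search(line):
                    findings.append((no, cat, reg.pattern))
    return findings


# Constructed sample source lines (Python and JS mixed, as on the page);
# lines 3 and 6 are the safe counterparts and should not be reported.
SAMPLE = [
    "digest = md5(password).hexdigest()",
    "hash = bcrypt.hashSync(pw, genSaltSync(/* rounds */ 4))",
    "hash = bcrypt.hashSync(pw, genSaltSync(/* rounds */ 12))",
    "user.token = String(Math.random()) + Date.now()  // reset token",
    "cur.execute(\"SELECT * FROM users WHERE name = '%s'\" % name)",
    'cur.execute("SELECT * FROM users WHERE name = %s", (name,))',
    'rows = db.raw("SELECT id FROM t WHERE k=" + key)',
    'pattern = re.compile("(" + user_input + ")+")',
    "valid = /^([a-z]+)+$/.test(name)",
]

if __name__ == "__main__":
    for no, cat, pat in scan(SAMPLE):
        print(f"line {no}: {cat} <- {pat}")
```

Line 7 is reported twice (string concatenation and `.raw(` with `+`), which is expected: the patterns are independent heuristics, so deduplicate per line if you only want one finding each.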

## Improvement Strategies

  1. Crypto: Use bcrypt/argon2 for passwords, SHA-256 or stronger for general-purpose hashing, crypto.randomBytes for tokens
  2. Hot path crypto: Cache JWT verification results, batch encrypt/decrypt calls instead of calling them per item in a loop
  3. Rate limiting: Add rate limiters (express-rate-limit, django-ratelimit, etc.)
  4. SQL injection: Use parameterized queries/prepared statements (also faster, since the database can cache the query plan)
  5. ReDoS: Audit regex patterns, use a linear-time engine such as RE2, set regex timeouts
  6. Auth batching: Batch permission checks, pre-load permissions once per request instead of per item