Security Audit Skill

Use this skill to inspect code for common vulnerability patterns in the context of this specific project stack.

When to use this skill

• When the user asks to "check for vulnerabilities" or "audit security".
• Before deploying critical features involving user input or file handling.
• When reviewing Blade templates or Controllers.

Audit Checklist

1. Cross-Site Scripting (XSS) in Blade

Pattern to Search: !! (unescaped output)

• Rule: {{ }} is safe. {!! !!} is dangerous.
• Action: Use grep_search for {!!.
• Validation: Ensure variables inside {!! !!} are explicitly sanitized (e.g., using HtmlString from a trusted source or Purifier).
• Exception: Intentionally raw HTML from the CMS (must be sanitized on save).

2. Content Security Policy (CSP)

File: app/Http/Middleware/SecurityHeadersMiddleware.php

• Check: Are we allowing unsafe-inline unnecessarily?
• Check: Are external domains (S3, R2, Analytics) whitelisted?
• Action: Verify if img-src, script-src includes necessary domains (e.g., *.r2.cloudflarestorage.com).

3. IDOR (Insecure Direct Object References)

Context: Controllers/Livewire Components accepting IDs.

• Rule: Never trust an ID from the client without checking ownership/policy.
• Check:
  • Does the route use Route Model Binding with scoping? (e.g., ->scopeBindings())
  • Does the controller method call $this->authorize('update', $model)?
  • In Filament: Do Resources use getEloquentQuery() with tenant scopes?

4. Mass Assignment

Context: Models.

• Rule: avoid $guarded = [] unless strictly necessary and controlled.
• Prefer: $fillable with explicit fields.

Execution Steps

1. Search: Run grep_search patterns for potential issues.
2. Analyze: Read the surrounding code of matches.
3. Report: List findings classified by Severity (High/Medium/Low).
4. Fix: Propose specific code changes to mitigate.