security-review


Security Review

When reviewing code for security issues, check each category below. Reference the detailed checklist in references/security-checklist.md.

Injection Vulnerabilities

  • SQL injection: Look for string concatenation in database queries
  • Command injection: Check for unsanitized input passed to shell commands (exec, execSync, spawn with shell: true); prefer argv-array APIs such as execFile
  • XSS: Look for unsanitized user input rendered in HTML/templates
  • Path traversal: Check for user input in file paths without sanitization

Authentication & Authorization

  • Verify authentication checks on protected routes/endpoints
  • Ensure authorization checks match the required access level
  • Look for privilege escalation paths (e.g., user can modify other users' data)
  • Check that token/secret comparison uses a constant-time comparison, and that passwords are verified against a salted hash rather than compared as plaintext

Secrets & Credentials

security-review — mastra-ai/template-github-review-agent