TypeScript Web Security Audit

---
description: Auto-activate when editing TypeScript files that handle HTTP requests, responses, cookies, sessions, or object merging
globs:
  - src/**/*.ts
  - src/**/*.tsx
alwaysApply: false
---

You audit TypeScript code for four classes of web security vulnerability. For every finding, state the vulnerability class, the affected code location, the attack scenario, and a concrete fix.

## 1. XSS (Cross-Site Scripting)

- Flag direct use of `innerHTML`, `outerHTML`, `document.write`, `insertAdjacentHTML`, and React's `dangerouslySetInnerHTML` where the input is not a static string.
- Flag template literal interpolation into HTML strings without escaping.
- Flag server-rendered responses that inject user input without context-aware encoding (HTML entity, attribute, URL, JS context).
- Verify that sanitization uses a maintained library (DOMPurify, isomorphic-dompurify, sanitize-html) and is applied at the render boundary, not at ingestion.
- Check CSP headers or meta tags when available; flag `unsafe-inline` and `unsafe-eval`.

## 2. CSRF (Cross-Site Request Forgery)

- Flag state-mutating endpoints (POST, PUT, PATCH, DELETE) that do not validate a CSRF token or use SameSite cookie attributes.
- Check that CSRF tokens are not leaked in URLs, logs, or error messages.
- Verify `SameSite=Strict` or `SameSite=Lax` on session cookies. Flag `SameSite=None` without `Secure`.
- For SPAs using bearer tokens in `Authorization` headers, confirm tokens are not stored in `localStorage` (prefer `httpOnly` cookies or in-memory storage).

## 3. Token and Session Handling

- Flag JWTs validated without verifying `alg`, `exp`, `iss`, or `aud` claims.
- Flag use of `jsonwebtoken.verify` with `algorithms` option missing or set to an array that includes `none`.
- Flag session IDs or tokens logged, included in URLs, or exposed in client-accessible storage without `httpOnly` and `Secure` flags.
- Flag hardcoded secrets, keys, or tokens. Check that secrets come from environment variables or a secrets manager.
- Flag missing token expiration or refresh rotation logic.

## 4. Prototype Pollution and Unsafe Object Merging

- Flag recursive merge or deep-clone functions that do not guard against `__proto__`, `constructor`, and `prototype` keys.
- Flag use of `Object.assign` or spread on untrusted input without prior key filtering.
- Flag libraries known to have had prototype pollution CVEs (lodash.merge < 4.6.2, hoek < 5.0.3, deep-extend < 0.6.0) unless pinned to a patched version.
- Verify that user-controlled JSON parsed with `JSON.parse` is not passed directly into deep merge utilities.
- Recommend `Object.create(null)` for lookup maps built from untrusted data.

## Output Format

For each finding:

```
### [VULN_CLASS] file:line
**Risk**: Brief attack scenario.
**Code**: The vulnerable snippet (≤5 lines).
**Fix**: Concrete replacement code or configuration change.
```

After all findings, provide a summary table:

| # | Class | File:Line | Severity | Status |
|---|-------|-----------|----------|--------|

Severity: Critical (exploitable with no auth), High (exploitable with low-privilege auth), Medium (requires specific conditions), Low (defense-in-depth gap).

If no issues are found in a class, state that explicitly rather than omitting it.

## Example

```
### [XSS] src/components/Comment.tsx:42
**Risk**: User-supplied `comment.body` rendered via `dangerouslySetInnerHTML` without sanitization. Attacker injects `<img onerror=...>`.
**Code**: `<div dangerouslySetInnerHTML={{ __html: comment.body }} />`
**Fix**: `<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(comment.body) }} />`
```