‹ 首页

critical-interval-security-checker

@arabelatso · 收录于 1 周前

Analyzes code to identify security-critical time intervals and timing vulnerabilities in authentication, authorization, and time-sensitive security operations. Use this skill when reviewing code for proper timeout enforcement, token expiration, session management, rate limiting, password reset validity, or any time-sensitive security mechanism. Detects missing expiration checks, excessive timeout values, lack of rate limiting, client-side only validation, hardcoded timeouts, and timing attack vulnerabilities. Triggers when users ask to check security timeouts, verify token expiration handling, audit session timeout implementation, review rate limiting, or analyze time-based security controls.

适合你,如果需要在代码中排查认证超时、令牌过期等时间相关安全风险。

/ 下载安装
critical-interval-security-checker.skill双击,或拖进 Claude 桌面版 / Cowork,即完成安装↓ .skill↓ .zip
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code~/.claude/skills/(项目级 .claude/skills/)
Codex CLI~/.codex/skills/
Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add arabelatso/skills-4-se/critical-interval-security-checker
/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- arabelatso/skills-4-se/critical-interval-security-checker
/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify arabelatso/skills-4-se/critical-interval-security-checker
安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
137GitHub stars
~1.4K最小装载
~7.7K含声明引用
~7.7K文本包总量
镜像托管

怎么用

技能原文 SKILL.md作者撰写 · Apache-2.0 · 0f00a4f

Critical Interval Security Checker

Analyze code to identify security-critical time intervals and timing vulnerabilities that could compromise security.

Workflow
1. Identify Security-Critical Operations

Look for code that handles:

  • Authentication: Login, logout, token generation
  • Session management: Session creation, validation, expiration
  • Password operations: Reset tokens, change requests
  • Rate limiting: Login attempts, API calls, password resets
  • Token operations: JWT, OAuth tokens, API keys
  • MFA: OTP codes, push notifications, backup codes
2. Check for Common Vulnerabilities

See [vulnerability_patterns.md](references/vulnerability_patterns.md) for detailed patterns.

Critical checks:

  • Missing expiration validation
  • Excessive timeout values
  • No rate limiting on sensitive endpoints
  • Client-side only expiration checks
  • Race conditions in expiration logic
  • Hardcoded timeout values
  • Inconsistent timeout enforcement
  • Timezone handling issues
  • Timing attack vulnerabilities
3. Use Automated Checker

Run the automated checker script:

# Check single file
python scripts/check_intervals.py path/to/file.py

# Check entire directory
python scripts/check_intervals.py src/

# Specify language
python scripts/check_intervals.py src/ --language python

The script detects:

  • 🔴 Critical: JWT decode without verification, timing attacks
  • 🟠 High: Missing expiration checks, no rate limiting
  • 🟡 Medium: Excessive timeouts, inconsistent enforcement
  • 🔵 Low: Hardcoded timeouts, magic numbers
4. Manual Code Review

For each security-critical operation, verify:

Expiration is set:

# Good: Expiration set
token_expiry = datetime.utcnow() + timedelta(hours=1)

Expiration is checked:

# Good: Expiration validated
if datetime.utcnow() > token_expiry:
    raise TokenExpiredError()

Timeout is reasonable:

# Good: 1-hour reset token
RESET_TOKEN_EXPIRY = timedelta(hours=1)

# Bad: 7-day reset token (too long!)
RESET_TOKEN_EXPIRY = timedelta(days=7)

Rate limiting exists:

# Good: Rate limited
@limiter.limit("5 per 15 minutes")
def login():
    pass

Server-side enforcement:

# Good: Server validates expiration
decoded = jwt.decode(token, SECRET_KEY)  # Checks exp

# Bad: Client-side only
decoded = jwt.decode(token, options={"verify_signature": False})
5. Verify Against Standards

Consult [time_intervals.md](references/time_intervals.md) for recommended values:

Common intervals:

  • JWT access token: 5-15 minutes
  • JWT refresh token: 7-30 days
  • Session timeout: 15-30 minutes (idle), 8-12 hours (absolute)
  • Password reset token: 15-60 minutes
  • Login rate limit: 5 attempts per 15 minutes
  • TOTP code: 30 seconds
  • SMS/Email OTP: 5-10 minutes

Check if intervals match use case:

  • High-security apps need shorter timeouts
  • User-facing apps balance security and UX
  • API tokens can be shorter-lived with refresh tokens
6. Document Findings

For each issue found, document:

Issue: Missing expiration check on password reset token
Location: auth/reset_password.py:45
Severity: High
Current: Token created with expiry but never validated
Recommendation: Add expiration check before using token
Code fix:
  if datetime.utcnow() > token.expires_at:
      raise TokenExpiredError("Reset token expired")
7. Propose Fixes

Fix missing expiration checks:

# Before
def validate_token(token):
    decoded = jwt.decode(token, SECRET_KEY, options={"verify_signature": False})
    return decoded['user_id']

# After
def validate_token(token):
    try:
        decoded = jwt.decode(token, SECRET_KEY)  # Verifies exp automatically
        return decoded['user_id']
    except jwt.ExpiredSignatureError:
        raise AuthenticationError("Token expired")

Fix excessive timeouts:

# Before
RESET_TOKEN_EXPIRY = timedelta(days=7)  # Too long!

# After
RESET_TOKEN_EXPIRY = timedelta(hours=1)  # Appropriate

Add rate limiting:

# Before
@app.route('/login', methods=['POST'])
def login():
    pass

# After
@app.route('/login', methods=['POST'])
@limiter.limit("5 per 15 minutes")
def login():
    pass

Fix hardcoded timeouts:

# Before
expiry = datetime.utcnow() + timedelta(seconds=3600)  # Magic number

# After
SESSION_TIMEOUT = timedelta(hours=1)  # Named constant
expiry = datetime.utcnow() + SESSION_TIMEOUT
Quick Reference
Critical Vulnerabilities

Missing expiration check:

  • Token/session has expiry field but it's never validated
  • High risk: Expired tokens still work

No rate limiting:

  • Authentication endpoints without throttling
  • High risk: Brute force attacks

Client-side only validation:

  • Expiration checked in frontend but not backend
  • Critical risk: Easily bypassed

Excessive timeouts:

  • Reset tokens valid for days
  • Sessions never expire
  • Medium risk: Extended attack window
Detection Patterns

Python:

# Look for
jwt.decode(..., verify=False)  # Bad
timedelta(days=7)  # Check context
@limiter.limit  # Good
datetime.now() vs datetime.utcnow()  # Timezone issue

JavaScript:

// Look for
jwt.decode(...)  // Check if expiration validated
Date.now() < exp  // Client-side check
rateLimit(...)  // Good
setTimeout(..., 86400000)  // Magic number

Java:

// Look for
Jwts.parser()  // Check if expiration validated
Duration.ofDays(30)  // Check context
@RateLimit  // Good
Helper Script

The check_intervals.py script automates detection:

# Check Python code
python scripts/check_intervals.py src/ --language python

# Check JavaScript code
python scripts/check_intervals.py src/ --language javascript

# Auto-detect language
python scripts/check_intervals.py src/

Output provides:

  • Categorized issues by severity
  • File and line number
  • Issue description
  • Fix recommendation
Best Practices

Always:

  • Set expiration times for all security tokens
  • Validate expiration server-side
  • Use reasonable timeout values
  • Implement rate limiting on auth endpoints
  • Use UTC for all timestamps
  • Use named constants for timeouts
  • Document timeout decisions

Never:

  • Skip expiration validation
  • Use client-side only checks
  • Set excessive timeout values
  • Use magic number timeouts
  • Mix timezone-aware and naive datetimes
  • Use non-constant-time comparisons for secrets
按 Apache-2.0 许可原样转载,未经改动 · 在 GitHub 查看 →

评论

登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。