|
194 | 194 | "coreProcesses": { |
195 | 195 | "name": "Core Processes", |
196 | 196 | "prompts": { |
197 | | - "mainFlow": "Please describe the typical processing steps and key function call sequence from frontend to backend when a user performs a main operation." |
| 197 | + "mainFlow": "Please describe the typical processing steps and key function call sequence from frontend to backend when a user performs a main operation.", |
| 198 | + "inputValidation": "For user inputs (such as URL parameters, form fields, HTTP headers), how does the system process and filter them? Are there any unvalidated or insufficiently sanitized input points that could lead to injection vulnerabilities (such as XSS, SQL injection, command injection)?", |
| 199 | + "authMechanism": "How are the system's authentication and authorization mechanisms implemented? Are there potential risk points for bypassing authentication, privilege escalation, or unauthorized access (IDOR)?", |
| 200 | + "sessionManagement": "How are sessions managed? Are there risks of session fixation, session hijacking, or cross-site request forgery (CSRF)?", |
| 201 | + "dependencySecurity": "Do third-party libraries or components used in the project have known public vulnerabilities (CVEs)? How are these dependencies checked and updated?", |
| 202 | + "sensitiveInfoExposure": "Are there hardcoded credentials, API keys, or other sensitive information in the code, configuration files, or logs? Do error messages reveal too much system detail?", |
| 203 | + "fileUploadHandling": "If the project supports file uploads, how are the type, size, and content of uploaded files validated? Is there a risk of uploading arbitrary files or path traversal?", |
| 204 | + "apiSecurity": "Do the project's API interfaces have access control? Are there risks of data leakage, unauthorized access, or abuse (such as unlimited retries, data traversal)?", |
| 205 | + "businessLogicVulnerabilities": "In core business processes, are there logical defects that could be maliciously exploited, such as bypassing payment, order fraud, or data tampering?", |
| 206 | + "configSecurity": "Are there security vulnerabilities in server, database, or middleware configurations, such as default credentials, unnecessary open ports, or insecure default settings?", |
| 207 | + "passwordPolicy": "How are user passwords stored (e.g., are they salted and hashed)? Are there weaknesses in password complexity, reset, and recovery mechanisms?", |
| 208 | + "clickjackingRisk": "Have front-end pages taken measures to prevent clickjacking (such as X-Frame-Options header)?", |
| 209 | + "ssrfRisk": "Are there functionality points in the system that allow users to control requests sent to internal or other servers, potentially leading to Server-Side Request Forgery (SSRF) vulnerabilities?", |
| 210 | + "xxeRisk": "If the project processes XML data, is the XML parser configured securely to prevent XML External Entity (XXE) attacks?", |
| 211 | + "deserializationVulnerabilities": "If the project uses object serialization and deserialization, is the input data trustworthy? Is there a risk of executing arbitrary code through deserialization?", |
| 212 | + "debuggingFunctions": "Are there debugging functions, interfaces, or backdoors in the production environment that should not exist?", |
| 213 | + "httpSecurityHeaders": "Does the web application use recommended HTTP security headers, such as CSP (Content Security Policy), HSTS (HTTP Strict Transport Security), etc.?", |
| 214 | + "rateLimiting": "Are there appropriate rate limits for sensitive operations such as login attempts and API calls to prevent brute force attacks or resource exhaustion attacks?", |
| 215 | + "unsafeRedirects": "Can URL redirection or request forwarding functions in the system be controlled by malicious users, leading to phishing or directing users to malicious sites?", |
| 216 | + "errorHandling": "How does the system handle errors or exceptions? Does it expose too many internal implementation details or stack trace information to users?", |
| 217 | + "securityAuditing": "Does the system record sufficient security-related logs (such as login attempts, permission changes, key operations) for post-event auditing and tracking suspicious behavior?" |
198 | 218 | } |
199 | 219 | }, |
200 | 220 | "components": { |
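Review bot: Several of the new prompts encode outdated or incomplete defensive guidance that will steer the generated analysis toward the wrong control: `clickjackingRisk` names only `X-Frame-Options`, which is superseded by the CSP `frame-ancestors` directive, and `passwordPolicy` asks only whether passwords are "salted and hashed", which a single round of salted SHA-256 would satisfy even though that is not an acceptable password store. Suggested wording: `"clickjackingRisk": "Have front-end pages taken measures to prevent clickjacking (such as the CSP frame-ancestors directive, or the legacy X-Frame-Options header)?",` and `"passwordPolicy": "How are user passwords stored (e.g., with a slow, salted, adaptive hash such as Argon2, scrypt, or bcrypt rather than a plain or fast hash)? Are there weaknesses in password complexity, reset, and recovery mechanisms?",`. Likewise `inputValidation` frames XSS as an input-filtering problem, whereas asking whether output is contextually encoded at the rendering point is the question that actually distinguishes a safe template from an unsafe one. Separately, this category is still named "Core Processes" while eighteen of the nineteen prompts added here are security-audit questions, so a dedicated `security` category (or a renamed one) would keep the grouping honest for any consumer that iterates over categories by name.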
|
312 | 332 | } |
313 | 333 | }, |
314 | 334 | "performance": { |
315 | | - "name": "Performance Critical Paths", |
316 | | - "prompts": { |
317 | | - "bottlenecks": "In typical operations, which code paths or computational links may have the greatest impact on performance? Does the project have targeted optimizations?" |
| 335 | + "name": "Performance", |
| 336 | + "prompts": { |
| 337 | + "bottleneckIdentification": "Which parts or operations in the project are most likely to become performance bottlenecks? What methods or tools are typically used to locate them?", |
| 338 | + "keyPerformanceIndicators": "What key performance indicators (KPIs) does the project focus on (such as response time, throughput, concurrent users)? What are the target values for these indicators?", |
| 339 | + "databasePerformance": "How efficient are database queries? Are there slow queries, unreasonable indexes, or excessive database interactions affecting performance?", |
| 340 | + "memoryUsage": "How is the application's memory usage? Are there memory leaks, unreasonable memory allocations, or frequent garbage collection (GC) issues?", |
| 341 | + "cpuUsageAnalysis": "Which types of calculations or operations consume the most CPU resources? Are there specific optimizations to reduce CPU load?", |
| 342 | + "networkIO": "How do network requests (such as API calls, resource loading) latency and throughput affect overall performance? Are there optimization measures (such as compression, CDN)?", |
| 343 | + "cachingStrategies": "What caching strategies (such as data caching, page caching, CDN caching) are used in the project to improve performance? How are cache hit rates and update mechanisms implemented?", |
| 344 | + "asyncConcurrentProcessing": "How are asynchronous processing and concurrency mechanisms (such as thread pools, coroutines, message queues) used to optimize response speed and improve system throughput?", |
| 345 | + "algorithmEfficiency": "Are there inefficient algorithms or data structures in the code that could become performance bottlenecks?", |
| 346 | + "frontendOptimization": "In terms of frontend performance, such as page loading speed (FCP, LCP), rendering efficiency, resource size, and user interaction response, what are the main optimization approaches and focus areas?", |
| 347 | + "codeLevelOptimization": "At the code writing level, has the project adopted some common performance optimization techniques (such as reducing loop nesting, avoiding unnecessary calculations, lazy loading)?", |
| 348 | + "performanceTesting": "How does the project conduct performance testing (such as stress testing, load testing, benchmark testing)? How do test results guide optimization?", |
| 349 | + "scalabilityDesign": "How does the current architecture perform and scale horizontally/vertically when load increases?", |
| 350 | + "resourceManagement": "Is the management of key system resources (such as database connection pools, thread pools) efficient to avoid resource exhaustion or contention?", |
| 351 | + "thirdPartyDependencies": "How do external API calls or third-party libraries' performance affect overall system performance? Are there monitoring and response strategies?", |
| 352 | + "startupTime": "How does the application's startup time and initialization process affect user-perceived performance or system availability? Is there room for optimization?", |
| 353 | + "loggingImpact": "Do the level and method of logging significantly affect performance? Does the performance monitoring system itself introduce non-negligible overhead?", |
| 354 | + "specificScenarioTuning": "Has specialized performance tuning been done for specific high-concurrency or large data volume scenarios in the project?", |
| 355 | + "performanceRegression": "Are there mechanisms to prevent regression of optimized performance points? How are potential performance issues detected early in the development process?", |
| 356 | + "configurationImpact": "In the project's configuration files, which parameters have direct or indirect important impacts on performance (such as thread count, cache size, timeout settings)?" |
318 | 357 | } |
319 | 358 | }, |
320 | 359 | "codeReuse": { |
|