Initial commit from template

2025-12-23 04:19:57 +01:00
commit b3d8fe8dfe
76 changed files with 10491 additions and 0 deletions
--- a/.claude/skills/semgrep-security/rules/next-security.yaml
+++ b/.claude/skills/semgrep-security/rules/next-security.yaml
@@ -0,0 +1,91 @@
+# Custom Semgrep Rules fuer Next.js Security
+
+rules:
+  # Verhindere dangerouslySetInnerHTML ohne Sanitization
+  - id: next-xss-dangerous-html
+    patterns:
+      - pattern: dangerouslySetInnerHTML={{ __html: $VAR }}
+      - pattern-not: dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize($VAR) }}
+      - pattern-not: dangerouslySetInnerHTML={{ __html: sanitize($VAR) }}
+    message: "XSS Risiko: Verwende DOMPurify.sanitize() bevor du dangerouslySetInnerHTML nutzt"
+    severity: ERROR
+    languages: [typescript, javascript]
+
+  # Verhindere hardcoded API Keys
+  - id: next-hardcoded-api-key
+    patterns:
+      - pattern-either:
+          - pattern: |
+              $KEY = "sk-..."
+          - pattern: |
+              $KEY = "pk_..."
+          - pattern: |
+              apiKey: "..."
+          - pattern: |
+              api_key = "..."
+    message: "Hardcoded API Key gefunden. Verwende Environment Variables."
+    severity: ERROR
+    languages: [typescript, javascript]
+
+  # Verhindere ungeschuetzte API Routes
+  - id: next-unprotected-api-route
+    patterns:
+      - pattern: |
+          export async function $METHOD(request: NextRequest) {
+            ...
+            $DB.$OPERATION(...)
+            ...
+          }
+      - pattern-not: |
+          export async function $METHOD(request: NextRequest) {
+            ...
+            auth.getUser()
+            ...
+          }
+      - pattern-not: |
+          export async function $METHOD(request: NextRequest) {
+            ...
+            getSession()
+            ...
+          }
+    message: "API Route ohne Authentication. Fuege Auth-Check hinzu."
+    severity: WARNING
+    languages: [typescript]
+    paths:
+      include:
+        - "app/api/**"
+
+  # Verhindere Secrets in Client Components
+  - id: next-secret-in-client
+    patterns:
+      - pattern-inside: |
+          "use client"
+          ...
+      - pattern-either:
+          - pattern: process.env.SUPABASE_SERVICE_ROLE_KEY
+          - pattern: process.env.DATABASE_URL
+          - pattern: process.env.$SECRET_KEY
+    message: "Server-only Secret in Client Component. Verschiebe in Server Component oder API Route."
+    severity: ERROR
+    languages: [typescript, javascript]
+
+  # Verhindere eval und new Function
+  - id: next-no-eval
+    patterns:
+      - pattern-either:
+          - pattern: eval(...)
+          - pattern: new Function(...)
+    message: "eval() und new Function() sind Sicherheitsrisiken. Finde eine Alternative."
+    severity: ERROR
+    languages: [typescript, javascript]
+
+  # Supabase RLS Check
+  - id: supabase-rls-bypass
+    patterns:
+      - pattern: supabaseAdmin.from($TABLE)
+      - pattern-not-inside: |
+          // RLS bypassed intentionally
+          ...
+    message: "supabaseAdmin umgeht RLS. Stelle sicher dass dies beabsichtigt ist."
+    severity: WARNING
+    languages: [typescript, javascript]