Identify security vulnerabilities and anti-patterns, providing the feedback on security issues that a senior developer would catch. Use when the user mentions security, vulnerability or safety concerns; the code involves user input, authentication or data access; the work touches sensitive data (passwords, PII, financial); the code includes SQL queries, file operations or external API calls; the user asks about security best practices; or security-sensitive files (auth, payment, data access) are being modified.
Repository: kjgarza/marketplace-claude
Plugin: senior-software-developer
Path: plugins/senior-software-developer/skills/security-pattern-check/SKILL.md
January 20, 2026

Install with:

    npx add-skill https://github.com/kjgarza/marketplace-claude/blob/main/plugins/senior-software-developer/skills/security-pattern-check/SKILL.md -a claude-code --skill security-pattern-check

Installation path:
.claude/skills/security-pattern-check/

# Security Pattern Check

Identify security vulnerabilities and anti-patterns in code, providing immediate feedback on security issues.

## Security Issue Categories

### 1. Injection Vulnerabilities

- **SQL Injection**: Unparameterized queries built from user input
- **NoSQL Injection**: Unsanitized MongoDB queries (user-controlled operators or query objects)
- **Command Injection**: Shell commands built from user input
- **LDAP Injection**: Unescaped LDAP filters
- **XPath Injection**: Dynamic XPath expressions

### 2. Authentication & Authorization

- **Missing Authentication**: Unprotected endpoints
- **Weak Passwords**: No password strength requirements
- **Hardcoded Credentials**: Passwords/keys in code
- **Insecure Password Storage**: Plaintext, or fast unsalted hashes (MD5, SHA1) instead of a slow, salted KDF
- **Missing Authorization**: No permission checks
- **Broken Access Control**: Users accessing resources they shouldn't (e.g. object IDs not checked against the caller)

### 3. Sensitive Data Exposure

- **Logging Sensitive Data**: Passwords, tokens in logs
- **Insecure Storage**: Unencrypted sensitive data at rest
- **Missing Encryption**: No TLS for data in transit
- **Weak Encryption**: DES, RC4, custom crypto
- **Exposed Secrets**: API keys, tokens in code/config
- **Information Disclosure**: Stack traces, verbose errors to users

### 4. Cross-Site Scripting (XSS)

- **Reflected XSS**: Echoing user input in HTML
- **Stored XSS**: Persisted user input later rendered into HTML without encoding
- **DOM XSS**: Client-side script writing untrusted data into the DOM
- **Missing Output Encoding**: Not escaping for the context the value lands in (HTML text, attribute, JavaScript, URL)

### 5. Cross-Site Request Forgery (CSRF)

- **Missing CSRF Tokens**: State-changing requests without tokens
- **Incorrect Token Validation**: Weak or missing validation
- **GET for State Changes**: Using GET for mutations

### 6. Security Misconfiguration

- **Debug Mode in Production**: Verbose error messages
- **Default Credentials**: Using default admin/admin
- **Unnecessary Services**: Unused endpoints or features enabled
- **Missing Security Headers**: No CSP, X-Frame-Options, etc.
- **Directory Listing**: Exposing file structure
- **Improper Error H
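The "Insecure Password Storage" item in category 2 names plaintext and weak hashing (MD5, SHA1). As an added example (not the skill's own code), the block below shows why an unsalted fast hash is recoverable from a precomputed table and how a salted, iterated KDF with a constant-time comparison is stored and verified. It uses only the standard library: PBKDF2-HMAC-SHA256 via `hashlib.pbkdf2_hmac`; the iteration count, the record format (`algorithm$iterations$salt$hash`) and the wordlist are assumptions made for the demo. A dedicated library providing argon2id or bcrypt is preferable where available.

```python
"""Weak vs. proper password storage (added example, stdlib only)."""
import hashlib
import hmac
import os
from typing import Optional

# A tiny precomputed table standing in for a real wordlist/rainbow-table attack.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
MD5_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def store_weak(password: str) -> str:
    # Anti-pattern: unsalted MD5. Identical passwords give identical digests
    # and a GPU tests billions of guesses per second against them.
    return hashlib.md5(password.encode()).hexdigest()


def crack_weak(digest: str) -> Optional[str]:
    # One dictionary lookup recovers any common password from its digest.
    return MD5_TABLE.get(digest)


# Assumed work factor; tune to your hardware (OWASP's 2023 figure for
# PBKDF2-HMAC-SHA256 is 600,000 iterations).
ITERATIONS = 600_000
ALGORITHM = "pbkdf2_sha256"


def store_strong(password: str) -> str:
    salt = os.urandom(16)  # fresh random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    _, iters, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time compare: a plain == returns early on the first differing
    # byte and leaks how much of the hash the guess got right.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    digest = store_weak("letmein")
    print("md5 record:", digest, "-> cracked:", crack_weak(digest))
    record = store_strong("letmein")
    print("kdf record:", record[:40] + "...")
    print("verify ok:", verify_strong("letmein", record),
          "wrong pw:", verify_strong("letmein2", record))
```

Two records for the same password differ because of the per-record salt, so a leaked table cannot be attacked in bulk, and the iteration count is stored with the record so it can be raised later without invalidating existing users.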
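Category 4 lists "Missing Output Encoding" as the root of reflected and stored XSS. The added example below (not from the skill) renders a constructed payload into three output contexts and shows that escaping for HTML text alone is not enough: an attribute value needs quotes encoded as well, and a URL segment needs percent-encoding. The `contains_active_markup` helper is a crude stand-in for a browser, written only so the demo can assert on results.

```python
"""Output encoding by context, vulnerable rendering beside the fix (added example)."""
import html
from urllib.parse import quote


def render_vulnerable(name: str) -> str:
    # Anti-pattern: user-controlled string concatenated straight into markup.
    return f"<p>Hello {name}</p>"


def render_text(name: str) -> str:
    # html.escape encodes & < > " ' ; correct for element text content.
    return f"<p>Hello {html.escape(name)}</p>"


def render_attr_unsafe_escape(value: str) -> str:
    # Looks encoded, but quote=False leaves " alone, so a payload can close
    # the attribute and append an event handler.
    return f'<input value="{html.escape(value, quote=False)}">'


def render_attr(value: str) -> str:
    # Quoted attribute plus the default quote=True: " and ' are encoded too.
    return f'<input value="{html.escape(value)}">'


def render_link(path: str) -> str:
    # URL context: percent-encode the segment; quote-breaking or javascript:
    # payloads become inert characters inside the href.
    return f'<a href="/u/{quote(path, safe="")}">profile</a>'


# Constructed payloads for the demo.
XSS_TEXT = "<script>alert(1)</script>"
XSS_ATTR = '" onfocus="alert(1)" autofocus="'


def contains_active_markup(rendered: str) -> bool:
    # Demo-only check: an unescaped <script or a new attribute boundary is
    # exactly what a browser would act on.
    return "<script" in rendered or ' onfocus="' in rendered


if __name__ == "__main__":
    for label, out in [
        ("vulnerable text", render_vulnerable(XSS_TEXT)),
        ("escaped text   ", render_text(XSS_TEXT)),
        ("attr, no quote ", render_attr_unsafe_escape(XSS_ATTR)),
        ("attr, quoted   ", render_attr(XSS_ATTR)),
        ("url segment    ", render_link('x"><script>')),
    ]:
        print(f"{label}: active={contains_active_markup(out)!s:5} {out}")
```

The review question is therefore not "is this escaped?" but "is it escaped for the context it is inserted into?"; a value that is safe in element text can still break out of an unquoted or single-quoted attribute, a `<script>` block or a URL.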
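The skill's purpose is to spot these patterns in code under review. As an added example of how a subset of categories 1 to 3 can be detected mechanically (this is illustrative code, not the skill's implementation, and it is deliberately limited to Python sources), the block below walks a module's AST and flags SQL built by string formatting, `subprocess` calls with `shell=True`, MD5/SHA1 from `hashlib`, and string literals assigned to credential-looking names. The sink names, the secret-name regex and the `CODE` sample under review are all constructed for the demo.

```python
"""Minimal AST-based security pattern check for Python source (added example)."""
import ast
import re
from dataclasses import dataclass

# Assumed DB-API style execution sinks and weak digest names for the demo.
SQL_SINKS = {"execute", "executemany", "executescript"}
WEAK_HASHES = {"md5", "sha1"}
SECRET_NAME = re.compile(r"(password|passwd|secret|api_key|token)", re.I)


@dataclass(frozen=True)
class Finding:
    line: int
    category: str
    message: str


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression assembles a string at runtime."""
    if isinstance(node, ast.JoinedStr):                      # f"..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                          # "a" + b, "%s" % b
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                    # "{}".format(b)
    return False


def _dotted(node: ast.AST) -> str:
    """hashlib.md5 -> 'hashlib.md5'; anything not a name chain -> ''."""
    if isinstance(node, ast.Attribute):
        return f"{_dotted(node.value)}.{node.attr}"
    if isinstance(node, ast.Name):
        return node.id
    return ""


def scan(source: str) -> list[Finding]:
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            leaf = name.rsplit(".", 1)[-1]
            if leaf in SQL_SINKS and node.args and _is_dynamic_string(node.args[0]):
                findings.append(Finding(node.lineno, "SQL Injection",
                                        "query built by string formatting; bind parameters instead"))
            if name.startswith("subprocess.") and any(
                    kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True for kw in node.keywords):
                findings.append(Finding(node.lineno, "Command Injection",
                                        "shell=True with a command string; pass an argv list"))
            if name.startswith("hashlib.") and leaf in WEAK_HASHES:
                findings.append(Finding(node.lineno, "Insecure Password Storage",
                                        f"{leaf} is not a password hash; use a slow, salted KDF"))
        elif isinstance(node, ast.Assign):
            for target in node.targets:
                if (isinstance(target, ast.Name) and SECRET_NAME.search(target.id)
                        and isinstance(node.value, ast.Constant)
                        and isinstance(node.value.value, str) and node.value.value):
                    findings.append(Finding(node.lineno, "Hardcoded Credentials",
                                            f"{target.id} assigned a literal; load it from a secret store"))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample under review (not real project code).
CODE = '''
import hashlib, subprocess
API_KEY = "sk-live-0123456789"
def login(cur, user, pw):
    cur.execute(f"SELECT * FROM users WHERE name = '{user}'")
    return hashlib.md5(pw.encode()).hexdigest()
def ping(host):
    subprocess.run("ping -c1 " + host, shell=True)
def safe(cur, user):
    cur.execute("SELECT * FROM users WHERE name = ?", (user,))
'''

if __name__ == "__main__":
    for f in scan(CODE):
        print(f"line {f.line}: [{f.category}] {f.message}")
```

Syntactic checks like these are a first pass, not a verdict: they miss data that flows through variables before reaching a sink and they cannot see missing authorization or CSRF protection at all, which is why the categories above still need a human (or model) reading the code's intent.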