Security-critical code review

twentyhq/twenty
Based on 3 comments
TypeScript

Changes to security-sensitive areas like authentication, input validation, and business logic require extra scrutiny and thorough review. These modifications can introduce vulnerabilities if not properly validated.

Reviewer Prompt

Key areas requiring heightened security review:

  • Authentication and authorization logic changes
  • Input processing and data sanitization
  • Business operations that could be financially abused
  • API endpoints and service layer security controls

When reviewing such changes, verify that:

  • Security implications are thoroughly understood and documented
  • Input validation prevents injection attacks (SQL, CSV, XSS, etc.)
  • Business logic prevents abuse scenarios (e.g., credit manipulation)
  • Changes don’t weaken existing security controls

Example of proper input sanitization:

// Prevent CSV injection by prefixing dangerous formulas.
// CSV_INJECTION_PREVENTION_ZWJ is the project's zero-width-joiner constant (an invisible
// character that stops spreadsheets from evaluating the cell); `value` is the exported cell string.
const sanitizedValue = value.startsWith('=') || value.startsWith('+')
  ? `${CSV_INJECTION_PREVENTION_ZWJ}${value}`
  : value;
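The snippet above covers the two triggers the reviewers discussed. As an added example (not twenty's own code), the following extends the same idea to the full set of formula-trigger characters, keeps plain negative numbers numeric, and applies RFC 4180 quoting after sanitization; the value of CSV_INJECTION_PREVENTION_ZWJ is assumed to be a zero-width joiner, as its name suggests.

```typescript
// Added example (not twenty's own code): CSV export cells hardened against formula injection.
// Assumption: CSV_INJECTION_PREVENTION_ZWJ is a zero-width joiner (U+200D), as its name suggests;
// the prefix is invisible in the spreadsheet but stops the cell from being parsed as a formula.
const CSV_INJECTION_PREVENTION_ZWJ = '\u200D';

// Leading characters that spreadsheets treat as the start of a formula or command.
// '=' and '+' are the ones from the snippet above; '-', '@', tab and CR also trigger evaluation.
const FORMULA_TRIGGERS = new Set(['=', '+', '-', '@', '\t', '\r']);

function sanitizeCsvCell(value: string): string {
  // A plain number such as "-42.5" starts with a trigger but is not a formula; keep it
  // numeric so the export does not silently turn negative amounts into text.
  if (/^-?\d+(\.\d+)?$/.test(value)) {
    return value;
  }
  return FORMULA_TRIGGERS.has(value.charAt(0))
    ? `${CSV_INJECTION_PREVENTION_ZWJ}${value}`
    : value;
}

// RFC 4180 quoting: a field containing a delimiter, quote or line break is wrapped in
// double quotes, with embedded quotes doubled. Sanitize before quoting: quoting alone is
// not a defence, because spreadsheets strip the quotes and may still evaluate "=...".
function quoteCsvField(value: string): string {
  return /[",\r\n]/.test(value) ? `"${value.replace(/"/g, '""')}"` : value;
}

function toCsvRow(cells: string[]): string {
  return cells.map((cell) => quoteCsvField(sanitizeCsvCell(cell))).join(',');
}

// Constructed sample row: the first and last cells are user-supplied strings.
const sampleRow = toCsvRow(['=SUM(A1:A3)', 'Acme, Inc.', '-42.5', 'say "hi"']);
console.log(sampleRow);
```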

For authentication changes, consider reverting risky modifications if the security impact cannot be clearly demonstrated as safe. As one reviewer noted: “This change is risky. What you’re checking now is not the same as what was checked before.”

Comments analyzed: 3 | Primary language: TypeScript | Category: Security

Source Discussions