Enhance existing skills and add one about email address validation.

Author: righettod

.claude/skills/secure-csv-generation/SKILL.md

@@ -16,44 +16,44 @@ Apply **all** rules below when generating or reviewing any code related to Comma
 
 ```java
 // BAD: Content of fields are not validated to detect and disable any CSV injection
-  String     filePath = "output.csv";
-  String[][] rows     = {{"Name", "=CMD|' /C calc'!A0"}, {"Bob", "+1234"}};
-  try (PrintWriter writer = new PrintWriter(new FileWriter(filePath))) {
-          for (String[] row : rows) {
-              StringBuilder sb = new StringBuilder();
-              for (int i = 0; i < row.length; i++) {
-                  String field = row[i] == null ? "" : row[i];
-                  if (field.contains(",") || field.contains("\"") || field.contains("\n"))
-                      field = "\"" + field.replace("\"", "\"\"") + "\"";
-                  if (i > 0) sb.append(",");
-                  sb.append(field);
-              }
-              writer.println(sb);
-          }
-      }
+String     filePath = "output.csv";
+String[][] rows     = {{"Name", "=CMD|' /C calc'!A0"}, {"Bob", "+1234"}};
+try (PrintWriter writer = new PrintWriter(new FileWriter(filePath))) {
+    for (String[] row : rows) {
+        StringBuilder sb = new StringBuilder();
+        for (int i = 0; i < row.length; i++) {
+            String field = row[i] == null ? "" : row[i];
+            if (field.contains(",") || field.contains("\"") || field.contains("\n"))
+                field = "\"" + field.replace("\"", "\"\"") + "\"";
+            if (i > 0) sb.append(",");
+            sb.append(field);
+        }
+        writer.println(sb);
+    }
+}
 
 // GOOD: Dangerous characters used in CSV injection are prefixed to disable the injection
-  String     filePath = "output.csv";
-  String[][] rows     = {{"Name", "=CMD|' /C calc'!A0"}, {"Bob", "+1234"}};
-  try (PrintWriter writer = new PrintWriter(new FileWriter(filePath))) {
-            for (String[] row : rows) {
-                StringBuilder sb = new StringBuilder();
-                for (int i = 0; i < row.length; i++) {
-                    String field = row[i] == null ? "" : row[i];
+String     filePath = "output.csv";
+String[][] rows     = {{"Name", "=CMD|' /C calc'!A0"}, {"Bob", "+1234"}};
+try (PrintWriter writer = new PrintWriter(new FileWriter(filePath))) {
+    for (String[] row : rows) {
+        StringBuilder sb = new StringBuilder();
+        for (int i = 0; i < row.length; i++) {
+            String field = row[i] == null ? "" : row[i];
 
-                    // Prepend single quote to disable CSV injection
-                    if (!field.isEmpty() && "=+-@\t\r".indexOf(field.charAt(0)) >= 0)
-                        field = "'" + field;
+            // Prepend single quote to disable CSV injection
+            if (!field.isEmpty() && "=+-@\t\r".indexOf(field.charAt(0)) >= 0)
+                field = "'" + field;
 
-                    if (field.contains(",") || field.contains("\"") || field.contains("\n"))
-                        field = "\"" + field.replace("\"", "\"\"") + "\"";
+            if (field.contains(",") || field.contains("\"") || field.contains("\n"))
+                field = "\"" + field.replace("\"", "\"\"") + "\"";
 
-                    if (i > 0) sb.append(",");
-                    sb.append(field);
-                }
-                writer.println(sb);
-            }
+            if (i > 0) sb.append(",");
+            sb.append(field);
         }
+        writer.println(sb);
+    }
+}
 ```
 
 ## 2. Output Checklist

.claude/skills/secure-email-validation/SKILL.md

@@ -0,0 +1,142 @@
+---
+name: secure-email-validation
+description: Generate secure email address validation code. Enforces secure generation of code validating an email address. Invoke when writing any email address validation related code.
+allowed-tools: Read Grep Glob
+metadata:
+  category: security
+---
+
+# Secure Email Address Validation Code Generation Rules
+
+Apply **all** rules below when generating or reviewing any code related to validation of an email address.
+
+## 1. Email address validation (CRITICAL)
+
+- ALWAYS ensure that the email address is a valid email address, from a parser perspective, following RFCs on email addresses.
+- ALWAYS ensure that the email address is not using "Encoded-word" format.
+- ALWAYS ensure that the email address is not using comment format.
+- ALWAYS ensure that the email address is not using "Punycode" format.
+- ALWAYS ensure that the email address is not using UUCP style addresses.
+- ALWAYS ensure that the email address is not using address literals.
+- ALWAYS ensure that the email address is not using source routes.
+- ALWAYS ensure that the email address is not using the "percent hack".
+- ALWAYS enforce RFC 5321 length limits: local part ≤ 64 characters, domain ≤ 255 characters, total address ≤ 320 characters.
+- ALWAYS ensure that the email address does not contain newline or carriage-return characters (CRLF injection prevention).
+- ALWAYS ensure that the domain part contains at least one dot (reject single-label domains such as localhost or internal hostnames).
+- ALWAYS ensure that the local part is not a quoted string (i.e. not wrapped in double quotes).
+
+```java
+// BAD: No validation is applied
+import jakarta.mail.internet.InternetAddress;
+
+public static InternetAddress readEmailInsecure(String address) throws AddressException {
+    return new InternetAddress(address);
+}
+
+// GOOD: All points are applied
+import jakarta.mail.internet.AddressException;
+import jakarta.mail.internet.InternetAddress;
+
+public static InternetAddress readEmailSecure(String email) throws AddressException {
+    if (email == null || email.isBlank()) {
+        throw new AddressException("Email address must not be null or blank");
+    }
+
+    // 1. Parse and validate via RFC-compliant parser
+    InternetAddress address = new InternetAddress(email, true);
+    address.validate();
+
+    String raw = address.getAddress();
+
+    // 2. No encoded-word format: =?charset?encoding?text?=
+    if (email.contains("=?") && email.contains("?=")) {
+        throw new AddressException("Encoded-word format is not allowed: " + email);
+    }
+
+    // 3. No comment format: parentheses ( )
+    if (raw.contains("(") || raw.contains(")")) {
+        throw new AddressException("Comment format is not allowed: " + email);
+    }
+
+    // 4. No Punycode format: xn-- in domain
+    String domain = raw.substring(raw.lastIndexOf('@') + 1);
+    if (domain.toLowerCase().contains("xn--")) {
+        throw new AddressException("Punycode format is not allowed: " + email);
+    }
+
+    // 5. No UUCP style addresses: bang paths using !
+    if (raw.contains("!")) {
+        throw new AddressException("UUCP-style addresses are not allowed: " + email);
+    }
+
+    // 6. No address literals: domain in square brackets [...]
+    if (domain.startsWith("[") && domain.endsWith("]")) {
+        throw new AddressException("Address literals are not allowed: " + email);
+    }
+
+    // 7. No source routes: input starts with @ (e.g. @relay:user@domain or @r1,@r2:user@domain)
+    if (email.startsWith("@")) {
+        throw new AddressException("Source routes are not allowed: " + email);
+    }
+
+    // 8. No percent hack: % in the local part
+    String localPart = raw.substring(0, raw.lastIndexOf('@'));
+    if (localPart.contains("%")) {
+        throw new AddressException("Percent hack is not allowed: " + email);
+    }
+
+    // 9. RFC 5321 length limits
+    if (localPart.length() > 64) {
+        throw new AddressException("Local part exceeds 64 characters: " + email);
+    }
+    if (domain.length() > 255) {
+        throw new AddressException("Domain exceeds 255 characters: " + email);
+    }
+    if (raw.length() > 320) {
+        throw new AddressException("Email address exceeds 320 characters: " + email);
+    }
+
+    // 10. No CRLF injection: newline or carriage-return characters
+    if (email.contains("\n") || email.contains("\r")) {
+        throw new AddressException("Newline characters are not allowed: " + email);
+    }
+
+    // 11. No single-label domain: domain must contain at least one dot
+    if (!domain.contains(".")) {
+        throw new AddressException("Single-label domains are not allowed: " + email);
+    }
+
+    // 12. No quoted local part: local part must not be wrapped in double quotes
+    if (localPart.startsWith("\"") && localPart.endsWith("\"")) {
+        throw new AddressException("Quoted local parts are not allowed: " + email);
+    }
+
+    return address;
+}
+```
+
+## 2. Output Checklist
+
+Before finalizing generated code, verify:
+
+- [ ] The email address is a valid email address, from a parser perspective, following RFCs on email addresses.
+- [ ] The email address is not using "Encoded-word" format.
+- [ ] The email address is not using comment format.
+- [ ] The email address is not using "Punycode" format.
+- [ ] The email address is not using UUCP style addresses.
+- [ ] The email address is not using address literals.
+- [ ] The email address is not using source routes.
+- [ ] The email address is not using the "percent hack".
+- [ ] The local part is ≤ 64 characters, the domain is ≤ 255 characters, and the total address is ≤ 320 characters (RFC 5321).
+- [ ] The email address does not contain newline or carriage-return characters.
+- [ ] The domain part contains at least one dot (no single-label domains).
+- [ ] The local part is not a quoted string (not wrapped in double quotes).
+
+## References
+
+- [Research on email address parser bypass from PortSwigger](https://portswigger.net/research/splitting-the-email-atom).
+- [MIME (Multipurpose Internet Mail Extensions) part three:Message Header extensions for Non-ASCII text from IETF](https://datatracker.ietf.org/doc/html/rfc2047).
+- [Syntax of encoded-words from IETF](https://datatracker.ietf.org/doc/html/rfc2047#section-2).
+- [Anatomy of an email address from Jochen Topf](https://www.jochentopf.com/email/address.html).
+- [Email address from Wikipedia](https://en.wikipedia.org/wiki/Email_address).
+- [RFC 5321 - Simple Mail Transfer Protocol (size limits) from IETF](https://datatracker.ietf.org/doc/html/rfc5321#section-4.5.3).

.claude/skills/secure-image-validation/SKILL.md

@@ -17,6 +17,15 @@ Apply **all** rules below when generating or reviewing any code related to valid
 - ALWAYS resize the image by removing 1px in width and 1px in height to remove any embedded code.
 
 ```java
+import java.awt.image.BufferedImage;
+import java.io.ByteArrayInputStream;
+import java.io.File;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.util.Arrays;
+import javax.imageio.ImageIO;
+
 // BAD: No validation is applied
 File          file  = new File("image.png");
 BufferedImage image = ImageIO.read(file);

.claude/skills/secure-log-entry-generation/SKILL.md

@@ -19,9 +19,11 @@ Apply **all** rules below when generating or reviewing any code related to gener
 
 ```java
 // BAD: No validation is applied
-String userControlledContent = request.getParameter("input");
-Logger logger                = Logger.getLogger(Main.class.getName());
-logger.info(userControlledContent);
+void handleRequest(HttpServletRequest request) {
+    String userControlledContent = request.getParameter("input");
+    Logger logger                = Logger.getLogger(Main.class.getName());
+    logger.info(userControlledContent);
+}
 
 // GOOD: All points are applied
 public class LogHelper {

.claude/skills/secure-message-digest-generation/SKILL.md

@@ -20,8 +20,13 @@ Apply **all** rules below when generating or reviewing any code related to messa
 - ALWAYS encode the raw digest bytes as a lowercase hexadecimal string — never return raw bytes or use Base64, as hex is the canonical, human-readable, and interoperable representation for message digests.
 
 ```java
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.HexFormat;
+
 // BAD: Weak algorithm, platform charset, no separator, raw bytes returned
-public byte[] computeDigestInsecure(Object[] values) {
+public byte[] computeDigestInsecure(Object[] values) throws NoSuchAlgorithmException {
     StringBuilder combined = new StringBuilder();
     for (Object value : values) {
         combined.append(value != null ? value.toString() : ""); // no separator — hash collision risk
@@ -32,7 +37,7 @@ public byte[] computeDigestInsecure(Object[] values) {
 }
 
 // GOOD: All rules applied
-public String computeDigestSecure(Object[] values) {
+public String computeDigestSecure(Object[] values) throws NoSuchAlgorithmException {
     StringBuilder combined = new StringBuilder();
     for (Object value : values) {
         // Rule 5: explicit empty string for null/empty — never skip

.claude/skills/secure-xml-parsing/SKILL.md

@@ -16,27 +16,45 @@ Apply **all** rules below when generating or reviewing any code related to xml c
 - ALWAYS disable resolution of XML External Entity.
 - ALWAYS disable expansion/replacement of XML Internal Entity.
 - ALWAYS disable XInclude support.
+- ALWAYS limit the size of the XML input to prevent memory exhaustion (reject inputs larger than 1 MB).
 
 ```java
-// BAD: DTD and External Entities are resolved / Internal Entities are replaced / XInclude support is left to default configuration
+// BAD: DTD and External Entities are resolved / Internal Entities are replaced / XInclude support is left to default / no size limit
+import org.w3c.dom.Document;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import java.io.File;
+
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
-DocumentBuilder builder = factory.newDocumentBuilder();
-Document doc = builder.parse(new File("data.xml"));
+DocumentBuilder        builder = factory.newDocumentBuilder();
+Document               doc     = builder.parse(new File("data.xml"));
+
+// GOOD: DTD and External Entities are not resolved / Internal Entities are not replaced / XInclude disabled / input size limited
+import org.w3c.dom.Document;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import java.io.*;
+import java.nio.file.*;
+
+int    MAX_XML_SIZE_BYTES = 1 * 1024 * 1024; // 1 MB
+byte[] xmlBytes           = Files.readAllBytes(Path.of("data.xml"));
+if (xmlBytes.length > MAX_XML_SIZE_BYTES) {
+    throw new IOException("XML input exceeds maximum allowed size of 1 MB");
+}
 
-// GOOD: DTD and External Entities are not resolved / Internal Entities are not replaced / XInclude support is explicitly disabled
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
 // Disable DTD resolution entirely
 factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
-//Disable XML External Entity (XXE) resolution
+// Disable XML External Entity (XXE) resolution
 factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
 factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
-//Disable replacement of XML Internal Entities
+// Disable replacement of XML Internal Entities
 factory.setExpandEntityReferences(false);
-// Process namespaces safely
+// Disable XInclude support
 factory.setXIncludeAware(false);
 DocumentBuilder builder = factory.newDocumentBuilder();
-Document doc = builder.parse(new File("data.xml"));
+Document        doc     = builder.parse(new ByteArrayInputStream(xmlBytes));
 ```
 
 ## 2. Output Checklist
@@ -47,6 +65,7 @@ Before finalizing generated code, verify:
 - [ ] External Entities (general and parameter) are NOT resolved.
 - [ ] Internal Entities are NOT replaced.
 - [ ] XInclude support is explicitly disabled.
+- [ ] XML input size is limited to 1 MB before parsing.
 
 ## References