Share
## https://sploitus.com/exploit?id=6F6F7366-4A2C-5356-BF3E-056AA994675F
# Security Anti-Patterns for Java

AI coding agents write insecure code. Not maliciously - they just optimize for "works" over "safe." This skill fixes that.

## The problem

Ask Claude, Codex, or any AI to query a database. You'll probably get something like:

```java
// AI-generated code - looks fine, isn't
String query = "SELECT * FROM users WHERE email = '" + email + "'";
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery(query);  // SQL injection waiting to happen
```

The AI didn't know better. It generated statistically likely Java code. Unfortunately, statistically likely often means copied from tutorials circa 2010.

This skill teaches the AI to catch these patterns and fix them before they hit your codebase.

## What it catches

11 modules covering OWASP Top 10 Web and API vulnerabilities:

| Module | What it prevents |
|--------|------------------|
| injection.md | SQL injection, command injection, JPQL/HQL injection, LDAP injection |
| deserialization.md | ObjectInputStream attacks, XXE, unsafe YAML |
| xss-output.md | Cross-site scripting, missing template escaping in JSP/Thymeleaf |
| auth-access.md | Broken access control, BOLA, session issues, JWT misuse |
| crypto-secrets.md | Weak hashing, hardcoded secrets, bad randomness |
| input-validation.md | Missing Bean Validation, file upload attacks, mass assignment |
| file-operations.md | Path traversal, insecure temp file creation |
| spring-security.md | CSRF bypass, permissive CORS, exposed actuators |
| jakarta-ee.md | Servlet security, EJB patterns, JAX-RS issues |
| dependencies.md | Supply chain attacks, vulnerable Log4j, typosquatting |
| java-runtime.md | Reflection dangers, ReDoS, ScriptEngine abuse |

## The short version

- Never string concatenation in SQL. Use `PreparedStatement` or JPA named parameters.
- Never `ObjectInputStream.readObject()` on untrusted data. Use JSON.
- Never `Runtime.exec()` with user input. Use `ProcessBuilder` with argument list.
- Never `java.util.Random` for security. Use `SecureRandom`.
- Never MD5/SHA1 for passwords. Use BCrypt or Argon2.
- Never `th:utext` in Thymeleaf. Use `th:text`.

Each module has BAD and GOOD examples so you can see exactly what to avoid.

## Supported platforms

| Platform | Status |
|----------|--------|
| Claude Code | Works |
| OpenAI Codex | Works |
| Google Antigravity | Works |
| Warp | Works |
| VS Code Copilot | Works |

This skill follows the [Agent Skills open standard](https://agentskills.io/). If your AI tool supports skills, this works.

## Installation

### Claude Code

Clone to your skills directory:

```bash
git clone https://github.com/subhashdasyam/security-antipatterns-java ~/.claude/skills/security-antipatterns-java
```

Or for a specific project, clone to `.claude/skills/` in the repo.

### OpenAI Codex CLI

```bash
mkdir -p ~/.codex/skills
ln -s $(pwd) ~/.codex/skills/security-antipatterns-java
```

### Google Antigravity

```bash
mkdir -p ~/.antigravity/skills
ln -s $(pwd) ~/.antigravity/skills/security-antipatterns-java
```

### Warp Terminal

Copy to `~/.warp/skills/` or configure the skill path in Warp settings.

### VS Code Copilot

Copy the skill folder to `.github/skills/` in your project.

### Any other tool

Copy or symlink this folder to wherever your AI tool looks for skills. The format is standard - it should just work.

## When it activates

The skill kicks in when you're generating:

- Spring Boot controllers or services
- JPA/Hibernate entity operations
- JDBC queries
- Jakarta EE servlets or JAX-RS endpoints
- File handling code
- Authentication or session logic
- Anything deserializing external data

## Java version support

- **Java 17** (primary target - most widely used LTS)
- **Java 11** (secondary - still common in enterprise)
- **Java 21** (latest LTS - modern features)

Patterns work across all three. Version-specific features (sealed classes, records, virtual threads) are noted where relevant.

## License

MIT