Transcript
It's bundled into their Cursor 2.0 announcement and they call it Composer. Now, if you're a subscriber here, you know the drill. You know what we're going to do. And if you're not subscribing, boy, if you don't click the button down below, so you don't miss out on upcoming videos. That said, let's get into testing this model and see how it does with producing code and the security of it. All right. So if you want to follow along at home and see the end results of this, I have this repository up on GitHub. It's the AI Code Security Repository that you can see under my Clarkio account. And it captures all of the output from past models we've tested in this way, along with the same prompt that I'm going to be using here. So you can copy it here and try it out yourself against whatever models you want to try out and see how your results compare to the ones I got from it. So without further ado, let's use this prompt over in Cursor using their Composer model. Here I have Cursor opened up. I have the AI panel opened up as a text editor. I'm going to paste in my prompt, make sure that I'm on the Composer model, which we can see here is Cursor's first agentic coding model as a 200,000 context window. And it only costs 1x per request that you send to it. Let's send that in there and see what it does. Now, if you're not familiar with the prompt that we give here that we've been using consistently is we're asking the model to create a secure note-taking application using JavaScript and Node.js. We emphasize that it has to be secure. Otherwise, I'll be fired. My job depends upon it type of thing to try and give higher stakes to the model so that it takes the security aspect of the code that it's generating, the dependencies it uses very seriously and chooses wisely. So with that said, it's working crazy fast. I'll tell you that right now compared to other models I've used in the past. It looks like it started out writing up its own to-do list. I'm using it in agent mode, and it's already gone through all eight to-dos. Set up project structure with package JSON independencies, create a secure express server with security middleware, implement database layer with parameterized queries, create authentication system with JWT and bcrypt, have CRUD routes, create, read, update, delete routes with input validation and sanitization. It's kind of hard reading crossed out to-do lists here, text here. Add security configurations like secure headers, create front-end interface for note management, add environment configuration. I think it's done already. That was like seconds. Holy cow. So right off the bat, quick review of the Composer model with cursor. So fast. Normally, it takes a few minutes and I pause the recording, but that all just happened with me explaining the prompt in a few seconds. All right, let's see what it did. This is gonna be one of our fastest review videos ever. Security features. We saw JWT-based authentication with 24-hour expiration. I don't think I've seen other models call that out in the past. They might have done that, but they never called out the expiration of the JWT tokens that it's gonna be generating. We have input sanitization with express validator. We have seen that in the past. HTML escaping in the front end. That's good. Content security policy headers via helmet. We've also seen that in the past. We'll see what kind of policy you put in place though. Cores, cross-origin resource sharing, properly configured payload size limits to 10 KB. That's interesting. Okay. Error handling without information leakage. That's nice to see. I don't know that we've seen... I might be wrong on this. And those of you that have been following along with every video we've done reviewing these models, I don't know that I've seen it at least called out, let alone implemented in such a way. So that's nice to see. And database connection pooling with timeouts. I don't think we've seen that in the past either. I'm leaning very positive in my experience with cursor, especially how fast it was. All right. Here's the overall structure. We'll step through that a little bit. Next steps. NPM install, set up a PostgresQL database, set up environment variables for that, and then start it. All right. I'm going to go through and set this stuff up. And when we come back, I'll show you it running. All right. Jumping back in really quick here as I'm working on getting this set up. One thing to note that is a bit of a flaw in what Composer did here is it's saying that there was an ENV example file. But if you look the folder structure and project here, nothing available in that regard. So I'm going to have to manually create that. Not a huge deal. A little bit of concern there that it missed that, but so far still pretty good. One thing to note that maybe caused that to happen, that missing .env.example file is that in the cursor ignore, it must be indicating that the AI features are disabled for those types of files. So maybe that's why it didn't create that. So just something to note there. I got the application set up and running. It's connected to a PostgreSQL database, and I ran it on localhost 3000. And this is what we see. It has the typical AI purple that you tend to see when it chooses its own style and designs. It has a login and a register button. However, when I click on register, nothing's happening there. Error executing inline script violates the following content security policy script self. Okay. And some more of that. So the content security policy is causing some issues with loading resources apparently. So it didn't quite set up the content security policy in a way that it's strict enough for security purposes, but allows the things it expects to run and load as part of this application. We might have to tweak some of those things to get things working. All right. So really quick, let's look at what's causing that error on the browser right now. And it's due to that content security policy that cursors composer set up, which it's good that it's using a content security policy. However, it didn't quite get it right in the sense of being able to enable the application to run in the way that it wrote it, which is a key part here. So looking at the way it wrote up the content security policy, it defined these directives in it. The first one is the default source, which is the fallback essentially for a content security policy. When a browser sees that a website is requesting resources from somewhere, whether it's from the host of the application, that domain, or externally to something else like Google fonts or something like that, it's going to check the content security policy to see if that domain is enabled or not. So by saying defining that to self, it enables the web browser to access resources from the domain that this website is hosted from, which is fine style source, it said it also to self, but then it's enabling unsafe in line for some reason, likely because it recognizes that has code in the HTML with inline styles being defined on an HTML element. Let me show you what I mean, in case you don't fully understand that really quick. All right, here we are in index dot HTML. And we can see that for this particular HTML element small, it's set inline styles for the color of it display block and a few other pieces to that right there, which is interesting, it chose to do that because in other situations, it chose to use a class to define the styles for that element. So not sure why there's mixing and matching going on there from composer. But in any case, it got that right that it needed to enable that in order to do those inline styles in HTML. And then when it comes to script sources, JavaScript sources, it only define that to self. So this is where we're getting an error in the browser is due to this definition here, which this is fine, this is good. However, let me show you why there's an error being triggered because of this directive in the content security policy. So a perfect example is actually just below that inline style that we saw earlier, it's when we have an onclick event handler being tied directly to a JavaScript function inline JavaScript that's going on here. And so these are going to get flagged by the browser because of the content security policy that's been defined by our server here to not allow this type of JavaScript inline JavaScript to be able to run unless we enabled unsafe inline for script source in the directive as well. Now to drive this point home, I want to show you it in action in the browser. So in this case, when I click on register to try and show that view, we can see new ones are popping up new errors are popping up in the console. So if I click on the source of that, it brings us to this. So we can see that there's this inline JavaScript that's attempting to be executed, but the content security policy is being enforced by the browser to disable that from being possible. Now that you understand the content security policy and why that is causing the error, I'm going to turn that off for now just so we can explore the application a bit further. All right, I've successfully commented out that code that defines the content security policy, I refreshed, restarted the server and refresh the page. And now when I click on register, we can see that the view does work out here, I'm going to put in a username of Clark yo, you say, or geo at example.com and just make up a password. All right, now I'm gonna try and create a note, say, you know, one test note, let's try and save it. That worked. That's nice, flowing. Well, I can edit it, change it with an edit to it, update the note that did indeed update the note. Let's do test to make some in there. So we have two notes, I want to delete the first one. It's confirming. So this it's got a lot of functionality built into it. Let me get this out of the way so we can see it in full screen. And let's log out. Let's see. Oh, that's interesting that it came back here with the registration form like this. Let's try log in Clark yo example.com password. Again, all right, login is working. I'm glad I remembered my password to it's a functional application with the one exception being the content security policy. But again, we can iterate on those things and have the model fix itself when we give it instructions to do so to define a better content security policy given the constraints in the code that it's trying to write. Speaking of a content security policy, let's scan the application for the open source dependencies to see if there's any vulnerabilities found in those are introduced via those and the code that it wrote, we want to scan that to see if there's any vulnerabilities that were introduced in that way. So we're going to use sneak to do that I have the sneak extension in cursor, it's going to scan the application and let us know about any issues it finds. Now before I scan the project with sneak, I'm going to put this back in here to give it a fair assessment with the content security policy in place. Just note that it's likely not going to work. If you try to pull this project down from the repository yourself and run it, know that you'll need to comment this out to get it to work again. All right, that said, I'm gonna head on over to the sneak extension view here, I'm logged into my sneak account, and I'm going to have it rerun the tests really quick. So right off the bat, we can see open source security, meaning our dependencies for the project that composer chose to use to build out this application, no vulnerabilities found there, which is fantastic to see. I'm glad it chose packages and versions of packages that don't have vulnerabilities in it. One key thing to note with this is while these packages that it chose to use don't have vulnerabilities right now at the time of this recording, they can pop up in the future, new ones can be discovered. And the way we can be alerted to and aware of new vulnerabilities that pop up in our dependencies is by leveraging tools like sneak. So with that looking good right now, let's check out the code security because we saw some issues come up there. In this case, the code that composer wrote introduced three potential vulnerabilities that sneak found for us, we have two high severity vulnerabilities in the server j s file, and then one medium severity issue in the index dot html. So we'll start off with that one, we have a DOM based cross site scripting vulnerability, which is interesting, because in the summary that composer gave to us, it called out that it was putting things in place to protect against cross site scripting, it looks like there is potential still here. So let's take a closer look at that really quick. Alright, so what's happening here is the code that composer wrote is iterating over the notes array. So the collection of notes that are stored and trying to show them in the UI in the HTML. So it's assigning the value of this map that's iterating over them to inner HTML inside of a container div, I'm assuming here. Now what's interesting about this is, on the surface, we can see it's trying to escape HTML to prevent cross site scripting. However, when we look at that function, I don't know if this is necessarily a robust solution to escape HTML, maybe it's okay, maybe it's not, I need to dive into this further myself to make that determination. The sneak is alerting us to this to look into further as a potential issue for us or a DOM based cross site scripting vulnerability. And in fact, it gives us the option to generate an AI fix using sneak agent fix to help address the issue further. So that's one thing that was a bit of an issue from a security perspective in the index to HTML. Let's take a look at these other two, we have a hard coded and a non cryptographic secret here, avoid hard coding secrets. Let's see. Alright, so this one is just alerting us to the potential that in some cases, if we don't have a session secret set in our environment variables, whether it's in production or in an ENV file that we're loading locally here, by default, it's using a hard coded non cryptographic secret. So we want to avoid that. And it's alerting us to that sneak is letting us know that this is not necessarily the best practice to follow, especially in production, you want to make sure you're setting it this session secret to a cryptographic value that meets high security standards. Last but not least, we have cross site request forgery potential issue here. Likely what it wants us to do is use some NPM package that helps implement cross site request forgery mitigation techniques that are available like the double submit pattern. So there you have it. There's the results from composer. Overall, I'd say there's a lot of positives that I see with cursors first model that they released here, which this is just their initial version one of composer, they're likely going to be working on this and improving it over time, it's going to get even better. So by the time you watch this or try it out yourself, it may have already received improvements around this. So to summarize what we found here, a positive is it's so fast compared to other models that I've used in other tools. Second thing to summarize here is that it did a fairly good job given the limited small prompt and details I provided to it in implementing a fully blown and functional application with the one caveat and downside is that it didn't quite get a content security policy properly set up for the type of code that wrote or recognizing that the code that it wrote was using those kind of unsafe inline styles or unsafe inline scripts in the index dot html. And last but not least, while it did pretty good from a security standpoint, especially with the open source dependencies that chose to use didn't quite get things exactly right when it came to the code. However, they're not really huge security issues or difficult ones that we can address that are going to take up a ton of time to get sorted out and resolve. So I'm curious, what are your thoughts? Have you tried out cursors composer model? What's been your experience? Let me know in the comments below. On that note, that does it for this video. If you got value out of it, be sure to like it down below and share with somebody who could put it to use. And if you made it this far, subscribe to the channel so you don't miss out on upcoming videos. Thanks for watching and happy safe coding everyone.