安全代码审查

Secure Code Review

概述

Overview

安全代码审查是识别代码中安全漏洞的重要方法。本技能提供安全代码审查的方法、工具和最佳实践。

Secure code review is an important method to identify security vulnerabilities in code. This skill provides methods, tools, and best practices for secure code review.

审查范围

Review Scope

1. 输入验证

1. Input Validation

检查项目：

用户输入验证
参数验证
数据过滤
边界检查

Check Items:

User input validation
Parameter validation
Data filtering
Boundary checks

2. 输出编码

2. Output Encoding

检查项目：

XSS防护
输出编码
内容安全策略
响应头设置

Check Items:

XSS protection
Output encoding
Content Security Policy
Response header configuration

3. 认证授权

3. Authentication & Authorization

检查项目：

认证机制
会话管理
权限控制
密码处理

Check Items:

Authentication mechanism
Session management
Access control
Password handling

4. 加密和密钥

4. Encryption & Key Management

检查项目：

数据加密
密钥管理
哈希算法
随机数生成

Check Items:

Data encryption
Key management
Hash algorithms
Random number generation

审查方法

Review Methods

1. 静态分析

1. Static Analysis

使用SAST工具：

bash

undefined

Use SAST Tools:

bash

undefined

SonarQube

sonar-scanner

Checkmarx

使用Web界面

Fortify

sourceanalyzer -b project build.sh sourceanalyzer -b project -scan

Semgrep

semgrep --config=auto .

undefined

semgrep --config=auto .

undefined

2. 手动审查

2. Manual Review

3. 代码模式识别

3. Code Pattern Recognition

危险函数：

python

undefined

Dangerous Functions:

python

undefined

Python危险函数

eval() exec() pickle.loads() os.system() subprocess.call()


```java
// Java危险函数
Runtime.exec()
ProcessBuilder()
Class.forName()

php

// PHP危险函数
eval()
exec()
system()
passthru()

eval() exec() pickle.loads() os.system() subprocess.call()


```java
// Java危险函数
Runtime.exec()
ProcessBuilder()
Class.forName()

php

// PHP危险函数
eval()
exec()
system()
passthru()

常见漏洞模式

Common Vulnerability Patterns

SQL注入

SQL Injection

危险代码：

java

String query = "SELECT * FROM users WHERE id = " + userId;
Statement stmt = connection.createStatement();
ResultSet rs = stmt.executeQuery(query);

安全代码：

java

String query = "SELECT * FROM users WHERE id = ?";
PreparedStatement stmt = connection.prepareStatement(query);
stmt.setInt(1, userId);
ResultSet rs = stmt.executeQuery();

Dangerous Code:

java

String query = "SELECT * FROM users WHERE id = " + userId;
Statement stmt = connection.createStatement();
ResultSet rs = stmt.executeQuery(query);

Secure Code:

java

String query = "SELECT * FROM users WHERE id = ?";
PreparedStatement stmt = connection.prepareStatement(query);
stmt.setInt(1, userId);
ResultSet rs = stmt.executeQuery();

XSS漏洞

XSS Vulnerabilities

危险代码：

javascript

document.innerHTML = userInput;
element.innerHTML = "<div>" + userInput + "</div>";

安全代码：

javascript

element.textContent = userInput;
element.setAttribute("data-value", userInput);
// 或使用编码库
element.innerHTML = escapeHtml(userInput);

Dangerous Code:

javascript

document.innerHTML = userInput;
element.innerHTML = "<div>" + userInput + "</div>";

Secure Code:

javascript

element.textContent = userInput;
element.setAttribute("data-value", userInput);
// 或使用编码库
element.innerHTML = escapeHtml(userInput);

命令注入

Command Injection

危险代码：

python

import os
os.system("ping " + user_input)

安全代码：

python

import subprocess
subprocess.run(["ping", "-c", "1", validated_input])

Dangerous Code:

python

import os
os.system("ping " + user_input)

Secure Code:

python

import subprocess
subprocess.run(["ping", "-c", "1", validated_input])

路径遍历

Path Traversal

危险代码：

java

String filePath = "/uploads/" + fileName;
File file = new File(filePath);

安全代码：

java

String basePath = "/uploads/";
String fileName = Paths.get(fileName).getFileName().toString();
String filePath = basePath + fileName;
File file = new File(filePath);
if (!file.getCanonicalPath().startsWith(basePath)) {
    throw new SecurityException("Invalid path");
}

Dangerous Code:

java

String filePath = "/uploads/" + fileName;
File file = new File(filePath);

Secure Code:

java

String basePath = "/uploads/";
String fileName = Paths.get(fileName).getFileName().toString();
String filePath = basePath + fileName;
File file = new File(filePath);
if (!file.getCanonicalPath().startsWith(basePath)) {
    throw new SecurityException("Invalid path");
}

硬编码密钥

Hardcoded Secrets

危险代码：

java

String apiKey = "1234567890abcdef";
String password = "admin123";

安全代码：

java

String apiKey = System.getenv("API_KEY");
String password = keyStore.getPassword("db_password");

Dangerous Code:

java

String apiKey = "1234567890abcdef";
String password = "admin123";

Secure Code:

java

String apiKey = System.getenv("API_KEY");
String password = keyStore.getPassword("db_password");

工具使用

Tool Usage

SonarQube

bash

undefined

bash

undefined

启动SonarQube

docker run -d -p 9000:9000 sonarqube

运行扫描

sonar-scanner
-Dsonar.projectKey=myproject
-Dsonar.sources=.
-Dsonar.host.url=http://localhost:9000

undefined

sonar-scanner
-Dsonar.projectKey=myproject
-Dsonar.sources=.
-Dsonar.host.url=http://localhost:9000

undefined

Semgrep

bash

undefined

bash

undefined

安装

pip install semgrep

运行扫描

semgrep --config=auto .

使用规则

semgrep --config=p/security-audit .

undefined

semgrep --config=p/security-audit .

undefined

CodeQL

bash

undefined

bash

undefined

创建数据库

codeql database create database --language=java --source-root=.

运行查询

codeql database analyze database security-and-quality.qls --format=sarif-latest

undefined

codeql database analyze database security-and-quality.qls --format=sarif-latest

undefined

审查清单

Review Checklist

输入验证

Input Validation

所有用户输入都经过验证
使用白名单验证
验证数据类型和范围
处理特殊字符

All user inputs are validated
Use whitelist validation
Validate data types and ranges
Handle special characters

输出编码

Output Encoding

HTML输出编码
URL编码
JavaScript编码
SQL参数化

HTML output encoding
URL encoding
JavaScript encoding
SQL parameterization

认证授权

Authentication & Authorization

强密码策略
安全的会话管理
权限验证
多因素认证

Strong password policy
Secure session management
Access permission validation
Multi-factor authentication

加密

Encryption

使用强加密算法
密钥安全存储
传输加密
存储加密

Use strong encryption algorithms
Secure key storage
Transport encryption
Storage encryption

错误处理

Error Handling

不泄露敏感信息
统一错误响应
记录错误日志
异常处理

Do not leak sensitive information
Unified error responses
Log error information
Exception handling

最佳实践

Best Practices

1. 安全编码规范

1. Secure Coding Standards

遵循OWASP Top 10
使用安全编码指南
代码审查流程
安全培训

Follow OWASP Top 10
Use secure coding guidelines
Code review process
Security training

2. 自动化工具

2. Automation Tools

集成SAST工具
CI/CD安全检查
自动化扫描
结果分析

Integrate SAST tools
CI/CD security checks
Automated scanning
Result analysis

3. 代码审查流程

3. Code Review Process

同行审查
安全专家审查
定期审查
记录问题

Peer review
Security expert review
Regular review
Document issues

注意事项

Notes

结合工具和人工审查
关注业务逻辑漏洞
定期更新工具规则
建立安全编码文化

Combine tool and manual review
Focus on business logic vulnerabilities
Regularly update tool rules
Establish a secure coding culture

secure-code-review

Original

Translation

安全代码审查

Secure Code Review

概述

Overview

审查范围

Review Scope

1. 输入验证

1. Input Validation

2. 输出编码

2. Output Encoding

3. 认证授权

3. Authentication & Authorization

4. 加密和密钥

4. Encryption & Key Management

审查方法

Review Methods

1. 静态分析

1. Static Analysis

SonarQube

SonarQube

Checkmarx

Checkmarx

使用Web界面

使用Web界面

Fortify

Fortify

Semgrep

Semgrep

2. 手动审查

2. Manual Review

3. 代码模式识别

3. Code Pattern Recognition

Python危险函数

Python危险函数

常见漏洞模式

Common Vulnerability Patterns

SQL注入

SQL Injection

XSS漏洞

XSS Vulnerabilities

命令注入

Command Injection

路径遍历

Path Traversal

硬编码密钥

Hardcoded Secrets

工具使用

Tool Usage

SonarQube

SonarQube

启动SonarQube

启动SonarQube

运行扫描

运行扫描

Semgrep

Semgrep

安装

安装

运行扫描

运行扫描

使用规则

使用规则

CodeQL

CodeQL

创建数据库

创建数据库

运行查询

运行查询

审查清单

Review Checklist

输入验证

Input Validation

输出编码

Output Encoding

认证授权

Authentication & Authorization

加密