code-abyss 1.5.1

package/skills/tests/test_security_scanner.py

@@ -0,0 +1,426 @@
+#!/usr/bin/env python3
+"""
+verify-security 单元测试
+测试代码安全扫描器功能
+"""
+
+import unittest
+import tempfile
+import sys
+from pathlib import Path
+from unittest.mock import patch, MagicMock
+
+# 添加 skills 目录到 Python 路径
+sys.path.insert(0, str(Path(__file__).parent.parent / "verify-security" / "scripts"))
+
+from security_scanner import (
+    Severity, Finding, ScanResult, scan_file, scan_directory,
+    format_report, SECURITY_RULES
+)
+
+
+class TestSecurityScanner(unittest.TestCase):
+    """安全扫描器测试"""
+
+    def setUp(self):
+        """测试前准备"""
+        self.temp_dir = tempfile.TemporaryDirectory()
+        self.temp_path = Path(self.temp_dir.name)
+
+    def tearDown(self):
+        """测试后清理"""
+        self.temp_dir.cleanup()
+
+    def test_scan_file_with_sql_injection(self):
+        """测试 SQL 注入检测"""
+        test_file = self.temp_path / "test.py"
+        test_file.write_text('cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")')
+
+        findings = scan_file(test_file, SECURITY_RULES)
+
+        self.assertTrue(len(findings) > 0)
+        self.assertTrue(any(f.severity == Severity.CRITICAL for f in findings))
+        self.assertTrue(any("SQL" in f.message for f in findings))
+
+    def test_scan_file_without_sql_context_not_flagged(self):
+        """测试非 SQL 场景不应误报 SQL 注入"""
+        test_file = self.temp_path / "non_sql.py"
+        test_file.write_text('long_line = "x = \"" + "a" * 10000 + "\""')
+
+        findings = scan_file(test_file, SECURITY_RULES)
+
+        self.assertFalse(any("SQL" in f.message for f in findings))
+
+    def test_scan_file_with_hardcoded_secret(self):
+        """测试硬编码密钥检测"""
+        test_file = self.temp_path / "config.py"
+        test_file.write_text('password = "super_secret_password_12345"')
+
+        findings = scan_file(test_file, SECURITY_RULES)
+
+        self.assertTrue(len(findings) > 0)
+        self.assertTrue(any(f.severity == Severity.HIGH for f in findings))
+
+    def test_scan_file_with_command_injection(self):
+        """测试命令注入检测"""
+        test_file = self.temp_path / "shell.py"
+        test_file.write_text('os.system(cmd, shell=True)')
+
+        findings = scan_file(test_file, SECURITY_RULES)
+
+        self.assertTrue(len(findings) > 0)
+        self.assertTrue(any("shell=True" in f.message for f in findings))
+
+    def test_scan_file_with_xss_vulnerability(self):
+        """测试 XSS 漏洞检测"""
+        test_file = self.temp_path / "app.js"
+        test_file.write_text('element.innerHTML = userInput;')
+
+        findings = scan_file(test_file, SECURITY_RULES)
+
+        self.assertTrue(len(findings) > 0)
+        self.assertTrue(any("innerHTML" in f.message for f in findings))
+
+    def test_scan_file_with_unsafe_pickle(self):
+        """测试不安全反序列化检测"""
+        test_file = self.temp_path / "data.py"
+        test_file.write_text('data = pickle.loads(user_data)')
+
+        findings = scan_file(test_file, SECURITY_RULES)
+
+        self.assertTrue(len(findings) > 0)
+        self.assertTrue(any("反序列化" in f.message for f in findings))
+
+    def test_scan_file_with_weak_crypto(self):
+        """测试弱加密算法检测"""
+        test_file = self.temp_path / "crypto.py"
+        test_file.write_text('hash_obj = hashlib.md5(password)')
+
+        findings = scan_file(test_file, SECURITY_RULES)
+
+        self.assertTrue(len(findings) > 0)
+        self.assertTrue(any("MD5" in f.message for f in findings))
+
+    def test_scan_file_with_debug_code(self):
+        """测试调试代码检测"""
+        test_file = self.temp_path / "main.py"
+        test_file.write_text('print("debug info")\npdb.set_trace()')
+
+        findings = scan_file(test_file, SECURITY_RULES)
+
+        self.assertTrue(len(findings) > 0)
+        self.assertTrue(any("调试" in f.message for f in findings))
+
+    def test_scan_file_print_not_marked_debug(self):
+        """测试普通 print 不应被判定调试代码"""
+        test_file = self.temp_path / "main.py"
+        test_file.write_text('print("normal output")')
+
+        findings = scan_file(test_file, SECURITY_RULES)
+
+        self.assertFalse(any("调试" in f.message for f in findings))
+
+    def test_scan_file_ignores_comments(self):
+        """测试注释行被忽略"""
+        test_file = self.temp_path / "test.py"
+        test_file.write_text('# cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")')
+
+        findings = scan_file(test_file, SECURITY_RULES)
+
+        # 注释行应该被忽略
+        self.assertEqual(len(findings), 0)
+
+    def test_scan_file_empty_file(self):
+        """测试空文件扫描"""
+        test_file = self.temp_path / "empty.py"
+        test_file.write_text('')
+
+        findings = scan_file(test_file, SECURITY_RULES)
+
+        self.assertEqual(len(findings), 0)
+
+    def test_scan_file_nonexistent(self):
+        """测试不存在的文件"""
+        nonexistent = self.temp_path / "nonexistent.py"
+
+        findings = scan_file(nonexistent, SECURITY_RULES)
+
+        self.assertEqual(len(findings), 0)
+
+    def test_scan_directory_basic(self):
+        """测试目录扫描基本功能"""
+        # 创建测试文件
+        (self.temp_path / "safe.py").write_text('x = 1')
+        (self.temp_path / "unsafe.py").write_text('password = "secret123456"')
+
+        result = scan_directory(str(self.temp_path))
+
+        self.assertIsInstance(result, ScanResult)
+        self.assertEqual(result.files_scanned, 2)
+        self.assertTrue(len(result.findings) > 0)
+
+    def test_scan_directory_empty(self):
+        """测试空目录扫描"""
+        result = scan_directory(str(self.temp_path))
+
+        self.assertEqual(result.files_scanned, 0)
+        self.assertEqual(len(result.findings), 0)
+
+    def test_scan_directory_nonexistent(self):
+        """测试不存在的目录"""
+        nonexistent = self.temp_path / "nonexistent"
+
+        result = scan_directory(str(nonexistent))
+
+        self.assertEqual(result.files_scanned, 0)
+
+    def test_scan_directory_excludes_dirs(self):
+        """测试目录排除功能"""
+        # 创建被排除的目录
+        node_modules = self.temp_path / "node_modules"
+        node_modules.mkdir()
+        (node_modules / "unsafe.py").write_text('password = "secret123456"')
+
+        # 创建不被排除的文件
+        (self.temp_path / "safe.py").write_text('x = 1')
+
+        result = scan_directory(str(self.temp_path), exclude_dirs=['node_modules'])
+
+        self.assertEqual(result.files_scanned, 1)
+
+    def test_scan_directory_default_excludes_tests(self):
+        """测试默认排除测试目录"""
+        tests_dir = self.temp_path / "tests"
+        tests_dir.mkdir()
+        (tests_dir / "test_unsafe.py").write_text('password = "secret123456"')
+        (self.temp_path / "app.py").write_text('x = 1')
+
+        result = scan_directory(str(self.temp_path))
+
+        self.assertEqual(result.files_scanned, 1)
+        self.assertFalse(any("test_unsafe.py" in f.file_path for f in result.findings))
+
+    def test_scan_result_passed_property(self):
+        """测试 ScanResult.passed 属性"""
+        result = ScanResult(scan_path="/test")
+
+        # 没有发现时应该通过
+        self.assertTrue(result.passed)
+
+        # 添加低危发现
+        result.findings.append(Finding(
+            severity=Severity.LOW,
+            category="test",
+            message="test",
+            file_path="test.py",
+            line_number=1,
+            line_content="test",
+            recommendation="test"
+        ))
+        self.assertTrue(result.passed)
+
+        # 添加高危发现
+        result.findings.append(Finding(
+            severity=Severity.HIGH,
+            category="test",
+            message="test",
+            file_path="test.py",
+            line_number=2,
+            line_content="test",
+            recommendation="test"
+        ))
+        self.assertFalse(result.passed)
+
+    def test_scan_result_count_by_severity(self):
+        """测试按严重程度计数"""
+        result = ScanResult(scan_path="/test")
+
+        result.findings.append(Finding(
+            severity=Severity.CRITICAL,
+            category="test",
+            message="test",
+            file_path="test.py",
+            line_number=1,
+            line_content="test",
+            recommendation="test"
+        ))
+        result.findings.append(Finding(
+            severity=Severity.HIGH,
+            category="test",
+            message="test",
+            file_path="test.py",
+            line_number=2,
+            line_content="test",
+            recommendation="test"
+        ))
+
+        counts = result.count_by_severity()
+
+        self.assertEqual(counts['critical'], 1)
+        self.assertEqual(counts['high'], 1)
+        self.assertEqual(counts['medium'], 0)
+
+    def test_format_report_basic(self):
+        """测试报告格式化"""
+        result = ScanResult(scan_path="/test", files_scanned=5)
+
+        report = format_report(result)
+
+        self.assertIn("代码安全扫描报告", report)
+        self.assertIn("/test", report)
+        self.assertIn("5", report)
+
+    def test_format_report_with_findings(self):
+        """测试包含发现的报告格式化"""
+        result = ScanResult(scan_path="/test", files_scanned=1)
+        result.findings.append(Finding(
+            severity=Severity.CRITICAL,
+            category="注入",
+            message="SQL 注入风险",
+            file_path="test.py",
+            line_number=10,
+            line_content="cursor.execute(f'...')",
+            recommendation="使用参数化查询"
+        ))
+
+        report = format_report(result, verbose=True)
+
+        self.assertIn("SQL 注入风险", report)
+        self.assertIn("test.py:10", report)
+        self.assertIn("使用参数化查询", report)
+
+    def test_finding_dataclass(self):
+        """测试 Finding 数据类"""
+        finding = Finding(
+            severity=Severity.HIGH,
+            category="敏感信息",
+            message="硬编码密钥",
+            file_path="config.py",
+            line_number=5,
+            line_content='password = "secret"',
+            recommendation="使用环境变量"
+        )
+
+        self.assertEqual(finding.severity, Severity.HIGH)
+        self.assertEqual(finding.category, "敏感信息")
+        self.assertEqual(finding.line_number, 5)
+
+    def test_severity_enum(self):
+        """测试 Severity 枚举"""
+        self.assertEqual(Severity.CRITICAL.value, "critical")
+        self.assertEqual(Severity.HIGH.value, "high")
+        self.assertEqual(Severity.MEDIUM.value, "medium")
+        self.assertEqual(Severity.LOW.value, "low")
+        self.assertEqual(Severity.INFO.value, "info")
+
+    def test_scan_file_with_multiple_issues(self):
+        """测试单个文件中的多个问题"""
+        test_file = self.temp_path / "multi.py"
+        test_file.write_text('''
+password = "secret123456"
+cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
+os.system(cmd, shell=True)
+''')
+
+        findings = scan_file(test_file, SECURITY_RULES)
+
+        self.assertTrue(len(findings) >= 3)
+
+    def test_scan_directory_with_multiple_extensions(self):
+        """测试多种文件类型扫描"""
+        (self.temp_path / "test.py").write_text('password = "secret123456"')
+        (self.temp_path / "test.js").write_text('element.innerHTML = userInput;')
+        (self.temp_path / "test.go").write_text('password := "secret123456"')
+
+        result = scan_directory(str(self.temp_path))
+
+        self.assertEqual(result.files_scanned, 3)
+        self.assertTrue(len(result.findings) > 0)
+
+    def test_scan_file_with_encoding_error(self):
+        """测试处理编码错误的文件"""
+        test_file = self.temp_path / "binary.bin"
+        # 写入二进制数据
+        test_file.write_bytes(b'\x80\x81\x82\x83')
+
+        findings = scan_file(test_file, SECURITY_RULES)
+
+        # 应该优雅地处理编码错误
+        self.assertIsInstance(findings, list)
+
+
+class TestSecurityScannerEdgeCases(unittest.TestCase):
+    """安全扫描器边界条件测试"""
+
+    def setUp(self):
+        """测试前准备"""
+        self.temp_dir = tempfile.TemporaryDirectory()
+        self.temp_path = Path(self.temp_dir.name)
+
+    def tearDown(self):
+        """测试后清理"""
+        self.temp_dir.cleanup()
+
+    def test_scan_deeply_nested_directories(self):
+        """测试深层嵌套目录"""
+        deep_path = self.temp_path / "a" / "b" / "c" / "d" / "e"
+        deep_path.mkdir(parents=True)
+        (deep_path / "test.py").write_text('password = "secret123456"')
+
+        result = scan_directory(str(self.temp_path))
+
+        self.assertEqual(result.files_scanned, 1)
+        self.assertTrue(len(result.findings) > 0)
+
+    def test_scan_file_with_very_long_line(self):
+        """测试包含超长行的文件"""
+        test_file = self.temp_path / "long.py"
+        long_line = 'x = "' + 'a' * 10000 + '"'
+        test_file.write_text(long_line)
+
+        findings = scan_file(test_file, SECURITY_RULES)
+
+        # 应该能处理超长行
+        self.assertIsInstance(findings, list)
+
+    def test_scan_file_with_special_characters(self):
+        """测试包含特殊字符的文件"""
+        test_file = self.temp_path / "special.py"
+        test_file.write_text('# 中文注释\npassword = "secret123456"  # 密码')
+
+        findings = scan_file(test_file, SECURITY_RULES)
+
+        self.assertTrue(len(findings) > 0)
+
+    def test_scan_result_sorting(self):
+        """测试发现按严重程度排序"""
+        result = ScanResult(scan_path="/test")
+
+        # 添加不同严重程度的发现
+        result.findings.append(Finding(
+            severity=Severity.LOW,
+            category="test",
+            message="low",
+            file_path="test.py",
+            line_number=1,
+            line_content="test",
+            recommendation="test"
+        ))
+        result.findings.append(Finding(
+            severity=Severity.CRITICAL,
+            category="test",
+            message="critical",
+            file_path="test.py",
+            line_number=2,
+            line_content="test",
+            recommendation="test"
+        ))
+
+        # 扫描会自动排序
+        result2 = scan_directory(str(self.temp_path))
+        # 验证排序逻辑存在
+        self.assertIsInstance(result2, ScanResult)
+
+
+if __name__ == '__main__':
+    unittest.main()

package/skills/verify-change/SKILL.md

@@ -0,0 +1,138 @@
+---
+name: verify-change
+description: 变更校验关卡。分析代码变更，检测文档同步状态，评估变更影响范围。当魔尊提到变更检查、文档同步、代码审查、提交前检查、diff分析时使用。在设计级变更、重构完成时自动触发。
+user-invocable: true
+disable-model-invocation: false
+allowed-tools: Bash, Read, Grep
+argument-hint: [--mode working|staged|committed]
+---
+
+# ⚖ 校验关卡 · 变更校验
+
+
+## 核心原则
+
+```
+变更 = 代码改动 + 文档更新 + 理由记录
+无理由的变更是隐患，无记录的变更是灾难
+每一次变更都是历史，每一个决策都要留痕
+```
+
+## 自动分析
+
+运行变更分析脚本（跨平台）：
+
+```bash
+# 在 skill 目录下运行
+python scripts/change_analyzer.py                    # 分析工作区变更（默认）
+python scripts/change_analyzer.py --mode staged      # 分析暂存区变更
+python scripts/change_analyzer.py --mode committed   # 分析已提交变更
+python scripts/change_analyzer.py -v                 # 详细模式
+python scripts/change_analyzer.py --json             # JSON 输出
+```
+
+## 检测能力
+
+### 自动检测项
+
+| 检测项 | 说明 |
+|--------|------|
+| **文件分类** | 自动识别代码/文档/测试/配置文件 |
+| **模块识别** | 识别受影响的模块 |
+| **文档同步** | 检测代码变更是否同步更新文档 |
+| **测试覆盖** | 检测代码变更是否有对应测试 |
+| **影响评估** | 评估变更规模和影响范围 |
+
+### 触发警告的情况
+
+- ⚠️ 代码变更 > 50 行但 DESIGN.md 未更新
+- ⚠️ 代码变更 > 30 行但无测试更新
+- ⚠️ 新增文件但 README.md 未更新
+- ⚠️ 配置文件变更未记录
+- ℹ️ 删除文件需确认引用已清理
+
+## 变更前置检查
+
+在修改任何模块前，必须：
+
+1. **读取 README.md** — 理解模块定位
+2. **读取 DESIGN.md** — 理解现有决策
+3. **评估影响范围** — 此变更影响哪些部分
+4. **确认变更理由** — 为什么要改
+
+## 变更后置检查
+
+代码修改完成后，必须：
+
+### README.md 更新检查
+
+- [ ] 模块职责是否变化 → 更新职责描述
+- [ ] 依赖关系是否变化 → 更新依赖说明
+- [ ] 使用方式是否变化 → 更新示例代码
+
+### DESIGN.md 更新检查
+
+- [ ] 新增设计决策 → 记录决策及理由
+- [ ] 修改现有设计 → 记录变更及原因
+- [ ] 引入新限制 → 更新已知限制
+- [ ] 添加变更记录 → 更新变更历史
+
+## 变更记录格式
+
+在 DESIGN.md 的变更历史中添加：
+
+```markdown
+## 变更历史
+
+### [日期] - [变更标题]
+
+**变更内容**: 简述改了什么
+
+**变更理由**: 为什么要改
+
+**影响范围**: 影响哪些功能/模块
+
+**决策依据**: 为何选择此方案（如适用）
+```
+
+## 自动触发时机
+
+| 场景 | 触发条件 |
+|------|----------|
+| 设计级变更 | 修改架构、接口、数据结构 |
+| 重构完成 | 重构任务完成时 |
+| 代码变更 > 30 行 | 较大规模代码修改 |
+| 提交前 | 代码提交前检查 |
+
+## 校验流程
+
+```
+1. 运行 change_analyzer.py 自动分析
+2. 识别变更文件和受影响模块
+3. 检查文档同步状态
+4. 评估变更影响
+5. 输出变更校验报告
+```
+
+## 校验报告格式
+
+```
+## 变更校验报告
+
+### 变更概览
+- 变更文件数: N
+- 代码变更行数: +X / -Y
+- 受影响模块: [模块列表]
+
+### 文档同步状态
+- README.md: ✓ 已同步 / ⚠️ 需更新
+- DESIGN.md: ✓ 已同步 / ⚠️ 需更新
+
+### 测试覆盖
+- 测试文件变更: ✓ 有 / ⚠️ 无
+
+### 结论
+可提交 / 需补充文档后提交
+```
+
+---