opencode-api-security-testing 3.0.8 → 3.0.10

package/core/analyzers/response_analyzer.py

@@ -1,212 +0,0 @@
-"""
-响应类型分析 - 识别响应是真实API还是WAF/路由/错误页
-输入: {response, expected_type}
-输出: {type, is_suspicious, suspicious_reasons, sensitive_fields, is_valid_json, parsed_json}
-"""
-
-import re
-import json
-
-
-def response_analyzer(config):
-    """
-    分析HTTP响应类型和内容
-    
-    输入:
-        response: {
-            status: number,
-            headers: dict,
-            body: string,
-            content_type: string
-        }
-        expected_type?: "json" | "html" | "any"
-    
-    输出:
-        type: "json" | "html" | "empty" | "redirect"
-        is_suspicious: boolean
-        suspicious_reasons: string[]
-        sensitive_fields: string[]
-        is_valid_json: boolean
-        parsed_json?: object
-    """
-    response = config.get('response', {})
-    expected_type = config.get('expected_type', 'any')
-    
-    status = response.get('status', 0)
-    body = response.get('body', '')
-    headers = response.get('headers', {})
-    content_type = response.get('content_type', '') or headers.get('Content-Type', '')
-    
-    result = {
-        'type': 'unknown',
-        'is_suspicious': False,
-        'suspicious_reasons': [],
-        'sensitive_fields': [],
-        'is_valid_json': False,
-        'parsed_json': None
-    }
-    
-    # 判断响应类型
-    if status in [301, 302, 303, 307, 308]:
-        result['type'] = 'redirect'
-        result['is_suspicious'] = True
-        result['suspicious_reasons'].append('redirect')
-        return result
-    
-    body_lower = body.lower()
-    body_len = len(body)
-    
-    # 检查是否是HTML
-    is_html = (
-        '<!doctype html>' in body_lower or
-        '<html' in body_lower or
-        'text/html' in content_type.lower()
-    )
-    
-    # 检查是否包含DOCTYPE
-    hasdoctype = '<!doctype' in body_lower
-    
-    # 检查是否是JSON
-    is_json = False
-    parsed_json = None
-    
-    if 'application/json' in content_type.lower():
-        try:
-            parsed_json = json.loads(body)
-            is_json = True
-            result['is_valid_json'] = True
-            result['parsed_json'] = parsed_json
-        except:
-            pass
-    
-    # 也尝试直接解析body
-    if not is_json and body.strip().startswith('{'):
-        try:
-            parsed_json = json.loads(body)
-            is_json = True
-            result['is_valid_json'] = True
-            result['parsed_json'] = parsed_json
-        except:
-            pass
-    
-    # 分类响应类型
-    if body_len < 50:
-        result['type'] = 'empty'
-        if status == 200:
-            result['is_suspicious'] = True
-            result['suspicious_reasons'].append('empty_response')
-    elif is_html:
-        result['type'] = 'html'
-        # HTML可能是WAF、SPA路由或错误页
-        if 'waf' in body_lower or '安全' in body_lower or '拦截' in body_lower:
-            result['suspicious_reasons'].append('waf_block')
-        if 'not found' in body_lower or '404' in body_lower:
-            result['suspicious_reasons'].append('not_found')
-        if hasdoctype and 'vue' in body_lower or 'react' in body_lower:
-            result['suspicious_reasons'].append('spa_route')
-    elif is_json:
-        result['type'] = 'json'
-    else:
-        result['type'] = 'other'
-    
-    # 检查敏感字段
-    sensitive_patterns = {
-        'password': r'password["\']?\s*[:=]\s*["\']([^"\']+)',
-        'token': r'(?:token|Token|TOKEN)["\']?\s*[:=]\s*["\']([^"\']{10,})',
-        'secret': r'secret["\']?\s*[:=]\s*["\']([^"\']+)',
-        'api_key': r'api[_-]?key["\']?\s*[:=]\s*["\']([^"\']+)',
-        'jwt': r'eyJ[A-Za-z0-9-_]+\.eyJ[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+',
-    }
-    
-    if parsed_json:
-        body_str = json.dumps(parsed_json)
-    else:
-        body_str = body
-    
-    for field_name, pattern in sensitive_patterns.items():
-        matches = re.findall(pattern, body_str, re.I)
-        if matches:
-            result['sensitive_fields'].append({
-                'field': field_name,
-                'count': len(matches),
-                'preview': matches[0][:50] if matches else ''
-            })
-    
-    # 判断是否可疑
-    if 'waf_block' in result['suspicious_reasons']:
-        result['is_suspicious'] = True
-    if 'spa_route' in result['suspicious_reasons']:
-        result['is_suspicious'] = True
-    if result['type'] == 'html' and expected_type == 'json':
-        result['is_suspicious'] = True
-    
-    return result
-
-
-def compare_responses(baseline, test):
-    """
-    对比两个响应的差异
-    
-    输入:
-        baseline: response - 正常响应
-        test: response - 测试响应
-    
-    输出:
-        identical: boolean
-        differences: Array<{field, baseline_value, test_value, significance}>
-    """
-    differences = []
-    
-    # 比较状态码
-    if baseline.get('status') != test.get('status'):
-        differences.append({
-            'field': 'status',
-            'baseline_value': baseline.get('status'),
-            'test_value': test.get('status'),
-            'significance': 'high'
-        })
-    
-    # 比较响应长度
-    baseline_len = len(baseline.get('body', ''))
-    test_len = len(test.get('body', ''))
-    
-    if baseline_len != test_len:
-        diff_ratio = abs(baseline_len - test_len) / max(baseline_len, test_len)
-        significance = 'high' if diff_ratio > 0.5 else 'low'
-        differences.append({
-            'field': 'body_length',
-            'baseline_value': baseline_len,
-            'test_value': test_len,
-            'significance': significance
-        })
-    
-    # 比较响应类型
-    baseline_type = response_analyzer({'response': baseline}).get('type')
-    test_type = response_analyzer({'response': test}).get('type')
-    
-    if baseline_type != test_type:
-        differences.append({
-            'field': 'response_type',
-            'baseline_value': baseline_type,
-            'test_value': test_type,
-            'significance': 'high'
-        })
-    
-    identical = len(differences) == 0
-    
-    return {
-        'identical': identical,
-        'differences': differences
-    }
-
-
-if __name__ == '__main__':
-    # 测试
-    result = response_analyzer({
-        'response': {
-            'status': 200,
-            'headers': {'Content-Type': 'application/json'},
-            'body': '{"code": 200, "data": {"userId": 1}}'
-        }
-    })
-    print(f"Type: {result['type']}, Suspicious: {result['is_suspicious']}")

package/core/analyzers/sensitive_finder.py

@@ -1,184 +0,0 @@
-"""
-敏感信息发现 - 从响应/源码中提取敏感信息
-输入: {content, check_fields}
-输出: {found: [{field, value, position}], severity}
-"""
-
-import re
-import json
-
-
-def sensitive_finder(config):
-    """
-    发现敏感信息
-    
-    输入:
-        content: string - 响应body或JS内容
-        check_fields?: string[] - 自定义敏感字段
-    
-    输出:
-        found: Array<{field, value, position}>
-        severity: "high" | "medium" | "low"
-    """
-    content = str(content)
-    check_fields = config.get('check_fields', [])
-    
-    # 默认敏感字段
-    default_fields = [
-        'password', 'passwd', 'pwd',
-        'token', 'access_token', 'refresh_token',
-        'secret', 'secret_key', 'app_secret',
-        'api_key', 'apikey', 'api_secret',
-        'private_key',
-        'aws_access_key', 'aws_secret_key',
-        'phone', 'mobile',
-        'email',
-        'id_card', 'idcard', '身份证',
-        'balance', 'account', '余额'
-    ]
-    
-    # 合并字段
-    all_fields = set(default_fields + check_fields)
-    
-    found = []
-    
-    # 通用敏感信息模式
-    patterns = {
-        'password': [
-            r'password["\']?\s*[:=]\s*["\']([^"\']{1,100})["\']',
-            r'"pwd"\s*:\s*"([^"]+)"',
-            r'"passwd"\s*:\s*"([^"]+)"',
-        ],
-        'token': [
-            r'(?:token|Token|TOKEN)["\']?\s*[:=]\s*["\']([^"\']{10,200})["\']',
-            r'Bearer\s+([a-zA-Z0-9\-_\.]+)',
-        ],
-        'jwt': [
-            r'eyJ[A-Za-z0-9-_]+\.eyJ[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+',
-        ],
-        'phone': [
-            r'1[3-9]\d{9}',
-            r'\d{3}-?\d{4}-?\d{4}',
-        ],
-        'email': [
-            r'[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}',
-        ],
-        'secret': [
-            r'secret["\']?\s*[:=]\s*["\']([^"\']{1,100})["\']',
-            r'appSecret["\']?\s*[:=]\s*["\']([^"\']{1,100})["\']',
-        ],
-        'api_key': [
-            r'apiKey["\']?\s*[:=]\s*["\']([^"\']{1,100})["\']',
-            r'api[_-]?key["\']?\s*[:=]\s*["\']([^"\']{1,100})["\']',
-        ],
-        'aws_key': [
-            r'AKIA[0-9A-Z]{16}',
-        ],
-        'private_key': [
-            r'-----BEGIN[ A-Z]*PRIVATE KEY-----',
-        ]
-    }
-    
-    # 搜索敏感信息
-    for field_name, field_patterns in patterns.items():
-        for pattern in field_patterns:
-            matches = re.finditer(pattern, content, re.I)
-            for match in matches:
-                value = match.group(0)
-                # 过滤掉太长的值
-                if len(value) > 200:
-                    continue
-                # 过滤掉测试数据
-                if is_test_data(value):
-                    continue
-                found.append({
-                    'field': field_name,
-                    'value': value[:100],
-                    'position': match.start()
-                })
-    
-    # 搜索用户定义的字段
-    for field in all_fields:
-        if field.lower() in ['password', 'token', 'secret', 'api_key']:
-            continue  # 已处理
-        pattern = rf'{field}["\']?\s*[:=]\s*["\']([^"\']{{1,100}})["\']'
-        matches = re.finditer(pattern, content, re.I)
-        for match in matches:
-            value = match.group(1)
-            if len(value) > 100:
-                continue
-            if is_test_data(value):
-                continue
-            found.append({
-                'field': field,
-                'value': value[:50],
-                'position': match.start()
-            })
-    
-    # 判断严重性
-    severity = 'low'
-    high_severity = ['password', 'token', 'jwt', 'secret', 'api_key', 'aws_key', 'private_key']
-    medium_severity = ['phone', 'email', 'id_card']
-    
-    found_fields = [f['field'].lower() for f in found]
-    if any(f in found_fields for f in high_severity):
-        severity = 'high'
-    elif any(f in found_fields for f in medium_severity):
-        severity = 'medium'
-    
-    return {
-        'found': found,
-        'severity': severity,
-        'count': len(found)
-    }
-
-
-def is_test_data(value):
-    """判断是否是测试数据"""
-    test_patterns = [
-        'test', 'TEST', 'Test',
-        'xxx', 'xxx.xxx',
-        'null', 'undefined',
-        'example', 'sample',
-        'placeholder'
-    ]
-    value_lower = value.lower()
-    return any(t in value_lower for t in test_patterns)
-
-
-def extract_secrets_from_json(data, path=''):
-    """从JSON中递归提取敏感信息"""
-    secrets = []
-    
-    if isinstance(data, dict):
-        for key, value in data.items():
-            current_path = f"{path}.{key}" if path else key
-            
-            sensitive_keys = ['password', 'token', 'secret', 'key', 'api', 'credential']
-            if any(s in key.lower() for s in sensitive_keys):
-                if isinstance(value, str) and len(value) > 0:
-                    secrets.append({
-                        'path': current_path,
-                        'value': value[:50],
-                        'key': key
-                    })
-            
-            if isinstance(value, (dict, list)):
-                secrets.extend(extract_secrets_from_json(value, current_path))
-    
-    elif isinstance(data, list):
-        for i, item in enumerate(data):
-            current_path = f"{path}[{i}]"
-            if isinstance(item, (dict, list)):
-                secrets.extend(extract_secrets_from_json(item, current_path))
-    
-    return secrets
-
-
-if __name__ == '__main__':
-    # 测试
-    result = sensitive_finder({
-        'content': '{"token": "eyJhbGciOiJIUzI1NiJ9", "password": "admin123"}',
-        'check_fields': ['custom_field']
-    })
-    print(f"Found: {result['count']}, Severity: {result['severity']}")