PyPI - GuardianUnivalle-Benito-Yucra - Versions diffs - 0.1.60__tar.gz → 0.1.62__tar.gz - Mend

GuardianUnivalle-Benito-Yucra 0.1.60tar.gz → 0.1.62tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of GuardianUnivalle-Benito-Yucra might be problematic. Click here for more details.

Files changed (26) hide show

guardianunivalle_benito_yucra-0.1.62/GuardianUnivalle_Benito_Yucra/detectores/detector_sql.py ADDED Viewed

@@ -0,0 +1,254 @@
+# sql_defense.py
+# GuardianUnivalle_Benito_Yucra/detectores/detector_sql.py
+import json
+import logging
+import re
+from django.utils.deprecation import MiddlewareMixin
+from django.conf import settings
+import urllib.parse
+import html
+from typing import List, Tuple, Dict
+# ----------------------------
+# Configuración del logger
+# ----------------------------
+logger = logging.getLogger("sqlidefense")
+logger.setLevel(logging.INFO)
+if not logger.handlers:
+    handler = logging.StreamHandler()
+    handler.setFormatter(logging.Formatter("%(asctime)s - %(levelname)s - %(message)s"))
+    logger.addHandler(handler)
+# =====================================================
+# ===        PATRONES DE ATAQUE SQL DEFINIDOS       ===
+# =====================================================
+SQL_PATTERNS: List[Tuple[re.Pattern, str, float]] = [
+    # ------------------ In‑Band / Exfiltration (muy alto) ------------------
+    (re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I), "UNION SELECT (exfiltración)", 0.95),
+    (re.compile(r"\bselect\b\s+.*\bfrom\b\s+.+\bwhere\b", re.I | re.S), "SELECT ... FROM ... WHERE (consulta completa)", 0.7),
+    (re.compile(r"\binto\s+outfile\b|\binto\s+dumpfile\b", re.I), "INTO OUTFILE / INTO DUMPFILE (volcado a fichero)", 0.98),
+    (re.compile(r"\bload_file\s*\(", re.I), "LOAD_FILE() (lectura fichero MySQL)", 0.95),
+    (re.compile(r"\b(pg_read_file|pg_read_binary_file|pg_ls_dir)\s*\(", re.I), "pg_read_file / funciones lectura Postgres", 0.95),
+    (re.compile(r"\bfile_read\b|\bfile_get_contents\b", re.I), "Indicadores de lectura de fichero en código", 0.85),
+    # ------------------ Time‑based / Blind (muy alto) ------------------
+    (re.compile(r"\b(sleep|benchmark|pg_sleep|dbms_lock\.sleep|waitfor\s+delay)\b\s*\(", re.I), "SLEEP/pg_sleep/WAITFOR DELAY (time‑based blind)", 0.98),
+    (re.compile(r"\bbenchmark\s*\(", re.I), "BENCHMARK() MySQL (time/DoS)", 0.9),
+    # ------------------ Error‑based extraction (muy alto) ------------------
+    (re.compile(r"\b(updatexml|extractvalue|xmltype|utl_http\.request|dbms_xmlquery)\b\s*\(", re.I), "Funciones que devuelven errores con contenido (error‑based)", 0.95),
+    (re.compile(r"\bconvert\(\s*.*\s+using\s+.*\)", re.I), "CONVERT ... USING (encoding conversions potenciales)", 0.7),
+    # ------------------ OOB / Callbacks / Exfiltration (muy alto) ------------------
+    (re.compile(r"\b(nslookup|dnslookup|xp_dirtree|xp_dirtree\(|xp_regread|xp\w+)\b", re.I),
+     "Funciones/procs que pueden generar exfiltración OOB (DNS/SMB/SMB callbacks)", 0.95),
+    (re.compile(r"\b(utl_http\.request|utl_tcp\.socket|http_client|apex_web_service\.make_rest_request)\b", re.I),
+     "UTL_HTTP/HTTP callbacks (Oracle/PLSQL HTTP OOB)", 0.95),
+    # ------------------ Execution / OS commands (muy alto) ------------------
+    (re.compile(r"\bxp_cmdshell\b|\bexec\s+xp\w+|\bsp_oacreate\b", re.I), "xp_cmdshell / sp_oacreate (ejecución OS MSSQL/Oracle)", 0.98),
+    (re.compile(r"\b(exec\s+master\..*xp\w+|sp_executesql|execute\s+immediate|EXEC\s+UTE)\b", re.I), "Ejecución dinámica / sp_executesql / EXECUTE IMMEDIATE", 0.95),
+    # ------------------ Metadata / Recon (alto) ------------------
+    (re.compile(r"\binformation_schema\b", re.I), "INFORMATION_SCHEMA (recon meta‑datos)", 0.92),
+    (re.compile(r"\b(information_schema\.tables|information_schema\.columns)\b", re.I), "INFORMATION_SCHEMA.tables/columns", 0.92),
+    (re.compile(r"\b(sys\.tables|sys\.objects|sys\.databases|pg_catalog|pg_tables|pg_user)\b", re.I), "Catálogos del sistema (MSSQL/Postgres)", 0.9),
+    # ------------------ DML/DDL Destructivo (alto) ------------------
+    (re.compile(r"\b(drop\s+table|truncate\s+table|drop\s+database|drop\s+schema)\b", re.I), "DROP/TRUNCATE (DDL destructivo)", 0.95),
+    (re.compile(r"\b(delete\s+from|update\s+.+\s+set|insert\s+into)\b", re.I), "DML (DELETE/UPDATE/INSERT potencialmente destructivo)", 0.85),
+    # ------------------ Stacked queries (medio‑alto) ------------------
+    (re.compile(r";\s*(select|insert|update|delete|drop|create|truncate)\b", re.I), "Stacked queries (uso de ';' para apilar)", 0.88),
+    # ------------------ Tautologías / Boolean Blind (medio‑alto) ------------------
+    (re.compile(r"\b(or|and)\b\s+(['\"]?\d+['\"]?)\s*=\s*\1", re.I), "Tautología OR/AND 'x'='x' o 1=1", 0.85),
+    (re.compile(r"(['\"]).{0,10}\1\s*or\s*['\"][^']*['\"]\s*=\s*['\"][^']*['\"]", re.I), "Tautología clásica en cadenas (OR '1'='1')", 0.8),
+    # ------------------ Blind‑boolean extraction functions (medio) ------------------
+    (re.compile(r"\b(substring|substr|mid|left|right)\b\s*\(", re.I), "SUBSTRING/SUBSTR/LEFT/RIGHT (blind extraction)", 0.82),
+    (re.compile(r"\b(ascii|char|chr|nchr)\b\s*\(", re.I), "ASCII/CHAR/CHR (byte/char extraction)", 0.8),
+    # ------------------ Error / XPATH / XML (alto) ------------------
+    (re.compile(r"\b(updatexml|extractvalue|xmltype|xmlelement)\b\s*\(", re.I), "updatexml/extractvalue/xmltype (error/XPath leaks)", 0.93),
+    # ------------------ File system / I/O (alto) ------------------
+    (re.compile(r"\binto\s+outfile\b|\binto\s+dumpfile\b", re.I), "INTO OUTFILE / DUMPFILE (escritura en servidor)", 0.97),
+    (re.compile(r"\bopenrowset\b|\bbulk\s+insert\b|\bcopy\s+to\b", re.I), "OPENROWSET / BULK INSERT / COPY TO (exportación)", 0.92),
+    # ------------------ Encoding / Obfuscation (medio) ------------------
+    (re.compile(r"0x[0-9a-fA-F]+", re.I), "Hex literal (0x...) (ofuscación)", 0.6),
+    (re.compile(r"\\x[0-9a-fA-F]{2}", re.I), "Escapes hex tipo \\xNN (ofuscación)", 0.6),
+    (re.compile(r"&#x[0-9a-fA-F]+;|&#\d+;", re.I), "Entidades HTML / entidades numéricas (ofuscación)", 0.6),
+    (re.compile(r"\bchar\s*\(\s*\d+\s*\)", re.I), "CHAR(n) usado para construir cadenas (ofuscación)", 0.65),
+    (re.compile(r"\bconcat\(", re.I), "CONCAT() (construcción dinámica de strings)", 0.6),
+    # ------------------ SQL in attributes / URL encoded (medio) ------------------
+    (re.compile(r"%3[dD]|%27|%22|%3C|%3E|%3B", re.I), "URL encoding típico (%27, %3C, etc.)", 0.4),
+    # ------------------ Comments / terminators (informativo) ------------------
+    (re.compile(r"(--\s|#\s|/\*[\s\S]*\*/)", re.I), "Comentarios SQL (--) o /* */ o #", 0.45),
+    # ------------------ ORM / NonSQL indicators (informativo) ------------------
+    (re.compile(r"\b\$where\b|\b\$ne\b|\b\$regex\b", re.I), "NoSQL / MongoDB indicators ($where/$ne/$regex)", 0.5),
+    # ------------------ Tool fingerprints (informativo) ------------------
+    (re.compile(r"sqlmap", re.I), "Indicador de herramienta sqlmap en payload", 0.5),
+    (re.compile(r"hydra|nmap|nikto", re.I), "Indicador de herramientas de auditoría/scan", 0.3),
+    # ------------------ Misc risky tokens (informativo) ------------------
+    (re.compile(r"\bexecute\b\s*\(", re.I), "execute(...) (ejecución dinámica)", 0.7),
+    (re.compile(r"\bdeclare\b\s+@?\w+", re.I), "DECLARE variable (MSSQL/PLSQL declarations)", 0.7),
+    # ------------------ Low‑level heuristics (bajo) ------------------
+    (re.compile(r"\bselect\b\s+.*\bfrom\b", re.I), "Estructura SELECT FROM (heurístico)", 0.25),
+    (re.compile(r"\binsert\b\s+into\b", re.I), "INSERT INTO (heurístico)", 0.3),
+    # ------------------ Catch‑all aggressive patterns (usar con cuidado) ------------------
+    (re.compile(r"(['\"]).*?;\s*(drop|truncate|delete|update|insert)\b", re.I | re.S), "Cadena con terminador y DDL/DML (potencial ataque)", 0.9),
+    (re.compile(r"\b(or)\b\s+1\s*=\s*1\b", re.I), "OR 1=1 tautology", 0.85),
+]
+IGNORED_FIELDS = ["password", "csrfmiddlewaretoken", "token", "auth"]
+# ----------------------------
+# Obtener IP real del cliente
+# ----------------------------
+def get_client_ip(request):
+    x_forwarded_for = request.META.get("HTTP_X_FORWARDED_FOR")
+    if x_forwarded_for:
+        ips = [ip.strip() for ip in x_forwarded_for.split(",") if ip.strip()]
+        if ips:
+            return ips[0]
+    return request.META.get("REMOTE_ADDR", "")
+# ----------------------------
+# Extraer payload de la solicitud
+# ----------------------------
+def extract_payload(request):
+    parts = []
+    try:
+        if "application/json" in request.META.get("CONTENT_TYPE", ""):
+            data = json.loads(request.body.decode("utf-8") or "{}")
+            parts.append(json.dumps(data))
+        else:
+            body = request.body.decode("utf-8", errors="ignore")
+            if body:
+                parts.append(body)
+    except Exception:
+        pass
+    qs = request.META.get("QUERY_STRING", "")
+    if qs:
+        parts.append(qs)
+    return " ".join(parts)
+# ----------------------------
+# Normalización / preprocesamiento
+# ----------------------------
+def normalize_input(s: str) -> str:
+    if not s:
+        return ""
+    try:
+        s_dec = urllib.parse.unquote_plus(s)
+    except Exception:
+        s_dec = s
+    try:
+        s_dec = html.unescape(s_dec)
+    except Exception:
+        pass
+    # Reemplazo seguro de secuencias \xNN
+    s_dec = re.sub(r"\\x([0-9a-fA-F]{2})", r"\\x\g<1>", s_dec)
+    s_dec = re.sub(r"\s+", " ", s_dec)
+    return s_dec.strip()
+# ----------------------------
+# Detector SQLi
+# ----------------------------
+def detect_sql_injection(text: str) -> Dict:
+    norm = normalize_input(text or "")
+    score = 0.0
+    matches = []
+    descriptions = []
+    for pattern, desc, weight in SQL_PATTERNS:
+        if pattern.search(norm):
+            score += weight
+            matches.append((desc, pattern.pattern, weight))
+            descriptions.append(desc)
+    return {
+        "score": round(score, 3),
+        "matches": matches,
+        "descriptions": list(dict.fromkeys(descriptions)),
+        "sample": norm[:1200],
+    }
+DEFAULT_THRESHOLDS = {
+    "HIGH": 1.8,
+    "MEDIUM": 1.0,
+    "LOW": 0.5,
+}
+# ----------------------------
+# Middleware SQLi
+# ----------------------------
+class SQLIDefenseMiddleware(MiddlewareMixin):
+    def process_request(self, request):
+        client_ip = get_client_ip(request)
+        trusted_ips = getattr(settings, "SQLI_DEFENSE_TRUSTED_IPS", [])
+        trusted_urls = getattr(settings, "SQLI_DEFENSE_TRUSTED_URLS", [])
+        if client_ip in trusted_ips:
+            return None
+        referer = request.META.get("HTTP_REFERER", "")
+        host = request.get_host()
+        if any(url in referer for url in trusted_urls) or any(url in host for url in trusted_urls):
+            return None
+        payload = extract_payload(request)
+        result = detect_sql_injection(payload)
+        score = result["score"]
+        descripciones = result["descriptions"]
+        if score == 0:
+            return None
+        # Registrar ataque
+        logger.warning(
+            f"[SQLiDetect] IP={client_ip} Host={host} Referer={referer} "
+            f"Score={score:.2f} Desc={descripciones} Payload={payload[:500]}"
+        )
+        # Guardar info en request
+        request.sql_attack_info = {
+            "ip": client_ip,
+            "tipos": ["SQLi"],
+            "descripcion": descripciones,
+            "payload": payload[:1000],
+            "score": round(score, 2),
+            "url": request.build_absolute_uri(),
+        }
+        return None
+# =====================================================
+# ===              INFORMACIÓN EXTRA                ===
+# =====================================================
+r"""
+Algoritmos relacionados:
+    - Se recomienda almacenar logs SQLi cifrados (AES-GCM)
+      para proteger evidencia de intentos maliciosos.
+Cálculo de puntaje de amenaza:
+    S_sqli = w_sqli * detecciones_sqli
+    Ejemplo: S_sqli = 0.4 * 3 = 1.2
+Integración:
+    Este middleware puede combinarse con:
+        - CSRFDefenseMiddleware
+        - XSSDefenseMiddleware
+    para calcular un score total de amenaza y decidir bloqueo.
+"""

{guardianunivalle_benito_yucra-0.1.60 → guardianunivalle_benito_yucra-0.1.62}/GuardianUnivalle_Benito_Yucra/detectores/detector_xss.py RENAMED Viewed

@@ -33,17 +33,67 @@ except Exception:
 # - pesos mayores = más severo (por ejemplo <script> o javascript:)
 # - esto permite un scoring acumulativo y menos falsos positivos
 # -------------------------------------------------
 XSS_PATTERNS: List[Tuple[re.Pattern, str, float]] = [
-    (re.compile(r"<\s*script\b", re.I), "Etiqueta <script>", 0.8),
-    (re.compile(r"javascript\s*:", re.I), "URI javascript:", 0.7),
-    (re.compile(r"<\s*iframe\b", re.I), "Etiqueta <iframe>", 0.7),
-    (re.compile(r"<\s*embed\b", re.I), "Etiqueta <embed>", 0.7),
-    (re.compile(r"<\s*object\b", re.I), "Etiqueta <object>", 0.7),
-    (re.compile(r"on\w+\s*=", re.I), "Atributo de evento (on*)", 0.5),
-    (re.compile(r"document\.cookie", re.I), "Acceso a document.cookie", 0.6),
-    (re.compile(r"alert\s*\(", re.I), "Uso de alert() potencial", 0.4),
-    # patrón para imágenes con onerror u onload (caso común)
-    (re.compile(r"<\s*img\b[^>]*on\w+\s*=", re.I), "Imagen con evento on*", 0.6),
+    # ---------- Máxima severidad / ejecución directa ----------
+    (re.compile(r"<\s*script\b", re.I), "Etiqueta <script> (directa)", 0.95),
+    (re.compile(r"<\s*s\s*c\s*r\s*i\s*p\s*t\b", re.I), "Etiqueta <script> ofuscada", 0.90),
+    (re.compile(r"\b(document\.cookie|document\.write|document\.location|location\.href|window\.location)\b", re.I),
+     "Acceso a document / location (cookie/location/write)", 0.90),
+    (re.compile(r"\b(eval|setTimeout|setInterval|Function|new Function)\s*\(", re.I),
+     "Ejecución dinámica (eval/Function/setTimeout)", 0.88),
+    # ---------- URIs peligrosas ----------
+    (re.compile(r"\bjavascript\s*:", re.I), "URI javascript:", 0.85),
+    (re.compile(r"\bdata\s*:\s*text\/html\b", re.I), "URI data:text/html", 0.82),
+    (re.compile(r"\bdata\s*:\s*text\/html;base64\b", re.I), "URI data:text/html;base64", 0.82),
+    (re.compile(r"\bvbscript\s*:", re.I), "URI vbscript:", 0.7),
+    # ---------- Etiquetas y vectores alternativos ----------
+    (re.compile(r"<\s*(iframe|embed|object|svg|math|meta)\b", re.I), "IFrame/Embed/Object/SVG/Meta", 0.88),
+    (re.compile(r"<\s*img\b[^>]*\bonerror\b", re.I), "<img ... onerror>", 0.86),
+    (re.compile(r"<\s*svg\b[^>]*\bonload\b", re.I), "SVG con onload/on* (SVG vector)", 0.84),
+    # ---------- Atributos de evento (on*) ----------
+    (re.compile(r"\s+on[a-zA-Z]+\s*=", re.I), "Atributo de evento (on*)", 0.80),
+    (re.compile(r"<\s*(a|img|body|div|span|form|input|button)\b[^>]*on[a-zA-Z]+\s*=", re.I),
+     "Elemento con evento on* (a,img,body,...)", 0.82),
+    # ---------- Inyección en contextos JS / JSON / script ----------
+    (re.compile(r"<\s*script[^>]*>.*?</\s*script\s*>", re.I | re.S), "Script inline completo", 0.92),
+    (re.compile(r"'\s*;\s*alert\s*\(|\"\s*;\s*alert\s*\(", re.I), "Inyección en cadenas JS (breakout + alert)", 0.78),
+    (re.compile(r"\bJSON\.parse\(|\beval\(\s*JSON", re.I), "JSON parse/eval inseguro", 0.75),
+    # ---------- Encodings, entidades y mutaciones ----------
+    (re.compile(r"&#x[0-9a-fA-F]+;|&#\d+;", re.I), "Entidades HTML / encoding (posible bypass)", 0.70),
+    (re.compile(r"%3C\s*script|%3Cscript%3E", re.I), "Tags URL-encoded (%3Cscript)", 0.68),
+    (re.compile(r"(?:\\x3C|\\u003C)\s*script", re.I), "Escapes JS/Unicode que forman <script>", 0.68),
+    # ---------- DOM clobbering / nombres reservados ----------
+    (re.compile(r'\bid\s*=\s*"(?:form|image|submit|action|location|name)"', re.I), "IDs que causan DOM clobbering", 0.65),
+    (re.compile(r'\bname\s*=\s*"(?:form|submit|action|location)"', re.I), "Names que pueden clobber", 0.65),
+    # ---------- Atributos URI en tags (href/src) ----------
+    (re.compile(r'<\s*a\b[^>]*\bhref\s*=\s*[\'"]\s*javascript\s*:', re.I), "<a href=\"javascript:...\">", 0.84),
+    (re.compile(r'<\s*(img|script|iframe)\b[^>]*\bsrc\s*=\s*[\'"]\s*javascript\s*:', re.I),
+     "src=javascript: en tags", 0.84),
+    # ---------- Vectores en CSS / style ----------
+    (re.compile(r"\bstyle\s*=\s*[\"'][^\"']*(expression\s*\(|url\s*\(\s*javascript:)", re.I), "Estilo con expression() o url(javascript:)", 0.66),
+    (re.compile(r"@import\s+url\s*\(", re.I), "CSS @import posibles vectores", 0.45),
+    # ---------- Comentarios y CDATA para evasión ----------
+    (re.compile(r"<!\[CDATA\[|\/\/\s*<\s*!\s*\[CDATA\[", re.I), "CDATA o comentarios para evasión", 0.48),
+    (re.compile(r"<!--|-->", re.I), "Comentarios HTML (posible ofuscación/evitación)", 0.30),
+    # ---------- Polyglot / mutation / browser quirks ----------
+    (re.compile(r"(?:<\s*svg[^>]*>.*?<\s*/\s*svg\s*>)|(?:<\s*math[^>]*>)", re.I | re.S),
+     "SVG/MathML polyglot (vectores mutables)", 0.75),
+    (re.compile(r"(?:\balert\s*\(|\bconsole\.log\s*\()", re.I), "Indicadores de prueba (alert/console.log)", 0.40),
+    # ---------- Heurísticos de baja severidad (informativo) ----------
+    (re.compile(r"<\s*form\b", re.I), "Form (posible vector de ataque relacionado)", 0.25),
+    (re.compile(r"(onmouseover|onfocus|onmouseenter|onmouseleave)\b", re.I), "Eventos UI (mouseover/focus)", 0.45),
 ]
 # -------------------------------------------------

{guardianunivalle_benito_yucra-0.1.60 → guardianunivalle_benito_yucra-0.1.62}/GuardianUnivalle_Benito_Yucra.egg-info/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: GuardianUnivalle-Benito-Yucra
-Version: 0.1.60
+Version: 0.1.62
 Summary: Middleware y detectores de seguridad (SQLi, XSS, CSRF, DoS, Keylogger) para Django/Flask
 Author-email: Andres Benito Calle Yucra <benitoandrescalle035@gmail.com>
 License: MIT

{guardianunivalle_benito_yucra-0.1.60 → guardianunivalle_benito_yucra-0.1.62}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: GuardianUnivalle-Benito-Yucra
-Version: 0.1.60
+Version: 0.1.62
 Summary: Middleware y detectores de seguridad (SQLi, XSS, CSRF, DoS, Keylogger) para Django/Flask
 Author-email: Andres Benito Calle Yucra <benitoandrescalle035@gmail.com>
 License: MIT

{guardianunivalle_benito_yucra-0.1.60 → guardianunivalle_benito_yucra-0.1.62}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "GuardianUnivalle-Benito-Yucra"  # usar mayúsculas consistente
-version = "0.1.60"
+version = "0.1.62"
 description = "Middleware y detectores de seguridad (SQLi, XSS, CSRF, DoS, Keylogger) para Django/Flask"
 authors = [
     { name = "Andres Benito Calle Yucra", email = "benitoandrescalle035@gmail.com" }

guardianunivalle_benito_yucra-0.1.60/GuardianUnivalle_Benito_Yucra/detectores/detector_sql.py DELETED Viewed

@@ -1,147 +0,0 @@
-# sql_defense.py
-# GuardianUnivalle_Benito_Yucra/detectores/detector_sql.py
-import json
-import logging
-import re
-from django.utils.deprecation import MiddlewareMixin
-from django.conf import settings
-logger = logging.getLogger("sqlidefense")
-logger.setLevel(logging.INFO)
-if not logger.handlers:
-    handler = logging.StreamHandler()
-    handler.setFormatter(logging.Formatter("%(asctime)s - %(levelname)s - %(message)s"))
-    logger.addHandler(handler)
-# =====================================================
-# ===        PATRONES DE ATAQUE SQL DEFINIDOS       ===
-# =====================================================
-SQL_PATTERNS = [
-    # Patrones de Extracción de Datos y Evasión (Alto Peso)
-    (re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I), "Uso de UNION SELECT", 0.7),
-    (re.compile(r"\bor\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+['\"]?", re.I), "Tautología OR X=X", 0.6), # Mejorado
-    (re.compile(r"\b(sleep|benchmark|waitfor\s+delay)\b\s*\(", re.I), "Función de Tiempo (SQL Ciega)", 0.8), # Muy peligroso
-    (re.compile(r"\b(extractvalue|updatexml|convert)\b\s*\(", re.I), "Extracción Basada en Errores/Funciones", 0.75),
-    # Patrones de Control y Destrucción (Peso Medio)
-    (re.compile(r"\b(drop\s+table|truncate\s+table|delete\s+from|insert\s+into|update\s+set)\b", re.I), "Manipulación DML/DDL", 0.5),
-    (re.compile(r"\b(exec|execute|xp_cmdshell)\b", re.I), "Ejecución de Comando (OS o Stored Proc)", 0.6),
-    (re.compile(r";\s*(select|drop|insert|update)\b", re.I), "Apilamiento de Consultas (Separador ;)", 0.55), # Nuevo
-    # Patrones de Detección e Información (Bajo Peso)
-    (re.compile(r"(--|#|/\*|;)", re.I), "Comentario SQL o Separador de Consulta", 0.4),
-    (re.compile(r"\b(substring|substr|mid)\b\s*\(", re.I), "Función de Cadena (SQL Ciega Booleana)", 0.45), # Nuevo
-    (re.compile(r"\b(select)\b.+\b(from|where)\b", re.I), "Estructura SELECT-FROM-WHERE", 0.4), # Más específico
-]
-IGNORED_FIELDS = ["password", "csrfmiddlewaretoken", "token", "auth"]
-def get_client_ip(request):
-    """
-    Obtiene la IP real del cliente.
-    Primero revisa 'X-Forwarded-For', luego 'REMOTE_ADDR'.
-    """
-    x_forwarded_for = request.META.get("HTTP_X_FORWARDED_FOR")
-    if x_forwarded_for:
-        # Render y otros proxies envían múltiples IPs separados por coma
-        ips = [ip.strip() for ip in x_forwarded_for.split(",") if ip.strip()]
-        if ips:
-            return ips[0]  # la primera IP es la IP real del cliente
-    # Si no hay X-Forwarded-For, tomar REMOTE_ADDR
-    return request.META.get("REMOTE_ADDR", "")
-def extract_payload(request):
-    """Extrae datos útiles de la solicitud para análisis."""
-    parts = []
-    try:
-        if "application/json" in request.META.get("CONTENT_TYPE", ""):
-            data = json.loads(request.body.decode("utf-8") or "{}")
-            parts.append(json.dumps(data))
-        else:
-            body = request.body.decode("utf-8", errors="ignore")
-            if body:
-                parts.append(body)
-    except Exception:
-        pass
-    qs = request.META.get("QUERY_STRING", "")
-    if qs:
-        parts.append(qs)
-    return " ".join(parts)
-def detect_sql_injection(value):
-    """Detecta patrones sospechosos en una cadena."""
-    score = 0.0
-    descripciones = []
-    for pattern, desc, weight in SQL_PATTERNS:
-        if pattern.search(value):
-            score += weight
-            descripciones.append(desc)
-    return score, descripciones
-class SQLIDefenseMiddleware(MiddlewareMixin):
-    """Middleware de detección SQL Injection."""
-    def process_request(self, request):
-        client_ip = get_client_ip(request)
-        trusted_ips = getattr(settings, "SQLI_DEFENSE_TRUSTED_IPS", [])
-        trusted_urls = getattr(settings, "SQLI_DEFENSE_TRUSTED_URLS", [])
-        if client_ip in trusted_ips:
-            return None
-        referer = request.META.get("HTTP_REFERER", "")
-        host = request.get_host()
-        if any(url in referer for url in trusted_urls) or any(url in host for url in trusted_urls):
-            return None
-        payload = extract_payload(request)
-        score, descripciones = detect_sql_injection(payload)
-        if score == 0:
-            return None
-        # Registrar ataque completo
-        logger.warning(
-            f"[SQLiDetect] IP={client_ip} Host={host} Referer={referer} "
-            f"Score={score:.2f} Desc={descripciones} Payload={payload[:500]}"
-        )
-        # Guardar información del ataque en el request
-        request.sql_attack_info = {
-            "ip": client_ip,
-            "tipos": ["SQLi"],
-            "descripcion": descripciones,
-            "payload": payload[:1000],  # guardar hasta 1000 caracteres
-            "score": round(score, 2),
-            "url": request.build_absolute_uri(),  # registrar URL completa
-        }
-        return None
-# =====================================================
-# ===              INFORMACIÓN EXTRA                ===
-# =====================================================
-"""
-Algoritmos relacionados:
-    - Se recomienda almacenar logs SQLi cifrados (AES-GCM)
-      para proteger evidencia de intentos maliciosos.
-Cálculo de puntaje de amenaza:
-    S_sqli = w_sqli * detecciones_sqli
-    Ejemplo: S_sqli = 0.4 * 3 = 1.2
-Integración:
-    Este middleware puede combinarse con:
-        - CSRFDefenseMiddleware
-        - XSSDefenseMiddleware
-    para calcular un score total de amenaza y decidir bloqueo.
-"""