97ced1b5e6
Key features implemented: - Updated package metadata and dependencies in PKG-INFO, setup files - Added main.py entry point for backward compatibility with README launch method - Enhanced CLI with config options, system info command, and proper signal handling - Implemented minimal PluginManager loading only plugin-loader core plugin - Refactored PluginLoader to follow minimal core design, removed sandbox/isolation complexity - Updated auto-dependency plugin with safer PL injection mechanism and disabled pl_injection - Removed legacy plugin files (firewall, frp_proxy, ftp_server, multi_lang_deploy, ops_toolbox, security_gateway) as functionality moved to core plugin system - Improved gitignore with comprehensive ignore patterns The changes implement a minimal core framework design where only the plugin-loader is directly loaded by the core, with all other plugins managed through the PL injection mechanism, significantly simplifying the architecture.
86 lines
2.9 KiB
Python
86 lines
2.9 KiB
Python
"""安全检查器"""
|
|
|
|
|
|
class SecurityChecker:
|
|
"""安全检查器"""
|
|
|
|
def check(self, filepath: str, content: str) -> list:
|
|
"""执行安全检查"""
|
|
issues = []
|
|
|
|
# 检查硬编码密钥
|
|
issues.extend(self._check_secrets(filepath, content))
|
|
|
|
# 检查危险函数
|
|
issues.extend(self._check_dangerous_functions(filepath, content))
|
|
|
|
# 检查路径穿越
|
|
issues.extend(self._check_path_traversal(filepath, content))
|
|
|
|
return issues
|
|
|
|
def _check_secrets(self, filepath: str, content: str) -> list:
|
|
"""检查硬编码密钥"""
|
|
issues = []
|
|
patterns = ['password', 'secret', 'token', 'api_key', 'access_token']
|
|
|
|
for i, line in enumerate(content.split('\n'), 1):
|
|
stripped = line.strip()
|
|
# 跳过注释和模式定义行
|
|
if stripped.startswith('#') or stripped.startswith('patterns') or "'" in stripped[:20]:
|
|
continue
|
|
|
|
for pattern in patterns:
|
|
if pattern + ' = "' in line.lower() or pattern + " = '" in line.lower():
|
|
issues.append({
|
|
"file": filepath,
|
|
"line": i,
|
|
"severity": "critical",
|
|
"type": "hardcoded_secret",
|
|
"message": f"发现硬编码密钥: {line.strip()[:50]}"
|
|
})
|
|
|
|
return issues
|
|
|
|
def _check_dangerous_functions(self, filepath: str, content: str) -> list:
|
|
"""检查危险函数"""
|
|
issues = []
|
|
dangerous = ['eval(', 'exec(', 'os.system(', 'subprocess.call(', 'subprocess.run(']
|
|
|
|
# 跳过检查安全检查器自身
|
|
if 'code-reviewer/checks/security.py' in filepath:
|
|
return []
|
|
|
|
for i, line in enumerate(content.split('\n'), 1):
|
|
# 跳过注释和模式定义行
|
|
stripped = line.strip()
|
|
if stripped.startswith('#') or 'dangerous' in stripped.lower() or "['" in stripped[:30]:
|
|
continue
|
|
|
|
for func in dangerous:
|
|
if func in line:
|
|
issues.append({
|
|
"file": filepath,
|
|
"line": i,
|
|
"severity": "warning",
|
|
"type": "dangerous_function",
|
|
"message": f"使用危险函数: {func.strip()}"
|
|
})
|
|
|
|
return issues
|
|
|
|
def _check_path_traversal(self, filepath: str, content: str) -> list:
|
|
"""检查路径穿越风险"""
|
|
issues = []
|
|
|
|
if '../' in content and 'open(' in content:
|
|
issues.append({
|
|
"file": filepath,
|
|
"line": 0,
|
|
"severity": "warning",
|
|
"type": "path_traversal_risk",
|
|
"message": "可能存在路径穿越漏洞"
|
|
})
|
|
|
|
return issues
|