Back to Details

secure-code-review

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

安全代码审查

Secure Code Review

概述

Overview

安全代码审查是识别代码中安全漏洞的重要方法。本技能提供安全代码审查的方法、工具和最佳实践。
Secure code review is an important method to identify security vulnerabilities in code. This skill provides methods, tools, and best practices for secure code review.

审查范围

Review Scope

1. 输入验证

1. Input Validation

检查项目:
  • 用户输入验证
  • 参数验证
  • 数据过滤
  • 边界检查
Check Items:
  • User input validation
  • Parameter validation
  • Data filtering
  • Boundary checks

2. 输出编码

2. Output Encoding

检查项目:
  • XSS防护
  • 输出编码
  • 内容安全策略
  • 响应头设置
Check Items:
  • XSS protection
  • Output encoding
  • Content Security Policy
  • Response header configuration

3. 认证授权

3. Authentication & Authorization

检查项目:
  • 认证机制
  • 会话管理
  • 权限控制
  • 密码处理
Check Items:
  • Authentication mechanism
  • Session management
  • Access control
  • Password handling

4. 加密和密钥

4. Encryption & Key Management

检查项目:
  • 数据加密
  • 密钥管理
  • 哈希算法
  • 随机数生成
Check Items:
  • Data encryption
  • Key management
  • Hash algorithms
  • Random number generation

审查方法

Review Methods

1. 静态分析

1. Static Analysis

使用SAST工具:
bash
undefined
Use SAST Tools:
bash
undefined

SonarQube

SonarQube

sonar-scanner
sonar-scanner

Checkmarx

Checkmarx

使用Web界面

使用Web界面

Fortify

Fortify

sourceanalyzer -b project build.sh sourceanalyzer -b project -scan
sourceanalyzer -b project build.sh sourceanalyzer -b project -scan

Semgrep

Semgrep

semgrep --config=auto .
undefined
semgrep --config=auto .
undefined

2. 手动审查

2. Manual Review

审查清单:
  • 输入验证
  • 输出编码
  • SQL注入
  • XSS漏洞
  • 认证授权
  • 加密使用
  • 错误处理
  • 日志记录
Review Checklist:
  • Input validation
  • Output encoding
  • SQL injection
  • XSS vulnerabilities
  • Authentication & authorization
  • Encryption usage
  • Error handling
  • Logging

3. 代码模式识别

3. Code Pattern Recognition

危险函数:
python
undefined
Dangerous Functions:
python
undefined

Python危险函数

Python危险函数

eval() exec() pickle.loads() os.system() subprocess.call()

```java
// Java危险函数
Runtime.exec()
ProcessBuilder()
Class.forName()
php
// PHP危险函数
eval()
exec()
system()
passthru()
eval() exec() pickle.loads() os.system() subprocess.call()

```java
// Java危险函数
Runtime.exec()
ProcessBuilder()
Class.forName()
php
// PHP危险函数
eval()
exec()
system()
passthru()

常见漏洞模式

Common Vulnerability Patterns

SQL注入

SQL Injection

危险代码:
java
String query = "SELECT * FROM users WHERE id = " + userId;
Statement stmt = connection.createStatement();
ResultSet rs = stmt.executeQuery(query);
安全代码:
java
String query = "SELECT * FROM users WHERE id = ?";
PreparedStatement stmt = connection.prepareStatement(query);
stmt.setInt(1, userId);
ResultSet rs = stmt.executeQuery();
Dangerous Code:
java
String query = "SELECT * FROM users WHERE id = " + userId;
Statement stmt = connection.createStatement();
ResultSet rs = stmt.executeQuery(query);
Secure Code:
java
String query = "SELECT * FROM users WHERE id = ?";
PreparedStatement stmt = connection.prepareStatement(query);
stmt.setInt(1, userId);
ResultSet rs = stmt.executeQuery();

XSS漏洞

XSS Vulnerabilities

危险代码:
javascript
document.innerHTML = userInput;
element.innerHTML = "<div>" + userInput + "</div>";
安全代码:
javascript
element.textContent = userInput;
element.setAttribute("data-value", userInput);
// 或使用编码库
element.innerHTML = escapeHtml(userInput);
Dangerous Code:
javascript
document.innerHTML = userInput;
element.innerHTML = "<div>" + userInput + "</div>";
Secure Code:
javascript
element.textContent = userInput;
element.setAttribute("data-value", userInput);
// 或使用编码库
element.innerHTML = escapeHtml(userInput);

命令注入

Command Injection

危险代码:
python
import os
os.system("ping " + user_input)
安全代码:
python
import subprocess
subprocess.run(["ping", "-c", "1", validated_input])
Dangerous Code:
python
import os
os.system("ping " + user_input)
Secure Code:
python
import subprocess
subprocess.run(["ping", "-c", "1", validated_input])

路径遍历

Path Traversal

危险代码:
java
String filePath = "/uploads/" + fileName;
File file = new File(filePath);
安全代码:
java
String basePath = "/uploads/";
String fileName = Paths.get(fileName).getFileName().toString();
String filePath = basePath + fileName;
File file = new File(filePath);
if (!file.getCanonicalPath().startsWith(basePath)) {
    throw new SecurityException("Invalid path");
}
Dangerous Code:
java
String filePath = "/uploads/" + fileName;
File file = new File(filePath);
Secure Code:
java
String basePath = "/uploads/";
String fileName = Paths.get(fileName).getFileName().toString();
String filePath = basePath + fileName;
File file = new File(filePath);
if (!file.getCanonicalPath().startsWith(basePath)) {
    throw new SecurityException("Invalid path");
}

硬编码密钥

Hardcoded Secrets

危险代码:
java
String apiKey = "1234567890abcdef";
String password = "admin123";
安全代码:
java
String apiKey = System.getenv("API_KEY");
String password = keyStore.getPassword("db_password");
Dangerous Code:
java
String apiKey = "1234567890abcdef";
String password = "admin123";
Secure Code:
java
String apiKey = System.getenv("API_KEY");
String password = keyStore.getPassword("db_password");

工具使用

Tool Usage

SonarQube

SonarQube

bash
undefined
bash
undefined

启动SonarQube

启动SonarQube

docker run -d -p 9000:9000 sonarqube
docker run -d -p 9000:9000 sonarqube

运行扫描

运行扫描

sonar-scanner
-Dsonar.projectKey=myproject
-Dsonar.sources=.
-Dsonar.host.url=http://localhost:9000
undefined
sonar-scanner
-Dsonar.projectKey=myproject
-Dsonar.sources=.
-Dsonar.host.url=http://localhost:9000
undefined

Semgrep

Semgrep

bash
undefined
bash
undefined

安装

安装

pip install semgrep
pip install semgrep

运行扫描

运行扫描

semgrep --config=auto .
semgrep --config=auto .

使用规则

使用规则

semgrep --config=p/security-audit .
undefined
semgrep --config=p/security-audit .
undefined

CodeQL

CodeQL

bash
undefined
bash
undefined

创建数据库

创建数据库

codeql database create database --language=java --source-root=.
codeql database create database --language=java --source-root=.

运行查询

运行查询

codeql database analyze database security-and-quality.qls --format=sarif-latest
undefined
codeql database analyze database security-and-quality.qls --format=sarif-latest
undefined

审查清单

Review Checklist

输入验证

Input Validation

  • 所有用户输入都经过验证
  • 使用白名单验证
  • 验证数据类型和范围
  • 处理特殊字符
  • All user inputs are validated
  • Use whitelist validation
  • Validate data types and ranges
  • Handle special characters

输出编码

Output Encoding

  • HTML输出编码
  • URL编码
  • JavaScript编码
  • SQL参数化
  • HTML output encoding
  • URL encoding
  • JavaScript encoding
  • SQL parameterization

认证授权

Authentication & Authorization

  • 强密码策略
  • 安全的会话管理
  • 权限验证
  • 多因素认证
  • Strong password policy
  • Secure session management
  • Access permission validation
  • Multi-factor authentication

加密

Encryption

  • 使用强加密算法
  • 密钥安全存储
  • 传输加密
  • 存储加密
  • Use strong encryption algorithms
  • Secure key storage
  • Transport encryption
  • Storage encryption

错误处理

Error Handling

  • 不泄露敏感信息
  • 统一错误响应
  • 记录错误日志
  • 异常处理
  • Do not leak sensitive information
  • Unified error responses
  • Log error information
  • Exception handling

最佳实践

Best Practices

1. 安全编码规范

1. Secure Coding Standards

  • 遵循OWASP Top 10
  • 使用安全编码指南
  • 代码审查流程
  • 安全培训
  • Follow OWASP Top 10
  • Use secure coding guidelines
  • Code review process
  • Security training

2. 自动化工具

2. Automation Tools

  • 集成SAST工具
  • CI/CD安全检查
  • 自动化扫描
  • 结果分析
  • Integrate SAST tools
  • CI/CD security checks
  • Automated scanning
  • Result analysis

3. 代码审查流程

3. Code Review Process

  • 同行审查
  • 安全专家审查
  • 定期审查
  • 记录问题
  • Peer review
  • Security expert review
  • Regular review
  • Document issues

注意事项

Notes

  • 结合工具和人工审查
  • 关注业务逻辑漏洞
  • 定期更新工具规则
  • 建立安全编码文化
  • Combine tool and manual review
  • Focus on business logic vulnerabilities
  • Regularly update tool rules
  • Establish a secure coding culture