#!/usr/bin/env python3
"""
Demo script for the security testing module.

Walks through the core features of ``core.security`` one section at a
time: SQL-injection and XSS detection, CSRF token issue/validation, HTML
input sanitisation, password-strength scoring, security HTTP headers,
the audit logger and the combined scanner.

NOTE(review): several of the HTML sample strings below are empty or
contain only a text node, which looks like the markup was stripped from
this copy of the file rather than being the author's intent — confirm
against the original source before trusting the expected True/False
outcomes printed by demos 2 and 4.
"""

from core.security import (
    SQLInjectionDetector,
    XSSDetector,
    CSRFProtector,
    InputSanitizer,
    PasswordStrengthChecker,
    SecurityHeaders,
    SecurityAuditLogger,
    SecurityScanner,
)

# Horizontal rule used by every section banner.
_RULE = "=" * 60


def _banner(title: str) -> None:
    """Print a section banner: blank line, rule, title, rule."""
    print("\n" + _RULE)
    print(title)
    print(_RULE)


def _mark(matched: bool) -> str:
    """Return the glyph used to show whether a result met the expectation."""
    return "✅" if matched else "❌"


def demo_sql_injection_detection():
    """Demo 1: feed sample inputs to SQLInjectionDetector and compare each verdict with the expected one."""
    _banner("演示1: SQL注入检测")
    detector = SQLInjectionDetector()
    # (input, expected is_injection) pairs; the first three are classic
    # injection shapes, the last two are benign identifiers.
    samples = (
        ("' OR '1'='1", True),
        ("'; DROP TABLE users; --", True),
        ("1' AND 1=1 --", True),
        ("normal_username", False),
        ("user@example.com", False),
    )
    for payload, should_flag in samples:
        verdict = detector.detect(payload)
        glyph = _mark(verdict.is_injection == should_flag)
        print(f"{glyph} 输入: {payload[:30]:<30} -> 检测: {verdict.is_injection}")


def demo_xss_detection():
    """Demo 2: feed sample inputs to XSSDetector and compare each verdict with the expected one."""
    _banner("演示2: XSS检测")
    detector = XSSDetector()
    # (input, expected is_xss) pairs. The first two entries are empty in this
    # copy of the file (see module docstring); the fourth keeps only the text
    # node of what was presumably a harmless element.
    samples = (
        ("", True),
        ("", True),
        ("javascript:alert('xss')", True),
        ("\n正常内容\n", False),
        ("普通文本", False),
    )
    for payload, should_flag in samples:
        verdict = detector.detect(payload)
        glyph = _mark(verdict.is_xss == should_flag)
        print(f"{glyph} 输入: {payload[:30]:<30} -> 检测: {verdict.is_xss}")


def demo_csrf_protection():
    """Demo 3: issue a CSRF token for one user, then validate a genuine and a bogus token.

    The check-mark in this section is decorative: it is printed regardless
    of what ``validate_token`` returns, so read the True/False value, not
    the glyph.
    """
    _banner("演示3: CSRF防护")
    protector = CSRFProtector()

    token = protector.generate_token("user123")
    # Only the first 30 characters of the token are echoed to the console.
    print(f"✅ 生成Token: {token[:30]}...")

    accepted = protector.validate_token("user123", token)
    print(f"✅ 验证有效Token: {accepted}")

    accepted = protector.validate_token("user123", "invalid_token")
    print(f"✅ 验证无效Token: {accepted}")


def demo_input_sanitization():
    """Demo 4: run sample fragments through InputSanitizer.sanitize_html and print before/after."""
    _banner("演示4: 输入净化")
    sanitizer = InputSanitizer()
    # First and last entries are empty in this copy of the file (see module
    # docstring); the middle one is a plain paragraph body.
    fragments = (
        "",
        "\n\n正常段落\n\n",
        "",
    )
    for fragment in fragments:
        cleaned = sanitizer.sanitize_html(fragment)
        print(f"✅ 输入: {fragment[:35]:<35}")
        print(f" 输出: {cleaned[:35]:<35}")


def demo_password_strength():
    """Demo 5: score a few sample passwords with PasswordStrengthChecker, weakest first."""
    _banner("演示5: 密码强度检查")
    checker = PasswordStrengthChecker()
    candidates = ("123", "password", "Password123", "P@ssw0rd!2024")
    for candidate in candidates:
        verdict = checker.check(candidate)
        print(f"✅ 密码: {candidate:<20} -> 强度: {verdict.strength:<10} 评分: {verdict.score}")


def demo_security_headers():
    """Demo 6: print every header/value pair returned by SecurityHeaders.get_headers()."""
    _banner("演示6: 安全HTTP头部")
    for name, value in SecurityHeaders().get_headers().items():
        print(f"✅ {name}: {value}")


def demo_security_audit_log():
    """Demo 7: record two events with SecurityAuditLogger, then read them back and print the stats."""
    _banner("演示7: 安全审计日志")
    audit = SecurityAuditLogger()

    # Sample IPs are private-range addresses used purely for illustration.
    audit.log_event(
        event_type="SQL_INJECTION_ATTEMPT",
        source_ip="192.168.1.1",
        details={"input": "' OR '1'='1"},
    )
    audit.log_event(
        event_type="XSS_ATTEMPT",
        source_ip="192.168.1.2",
        details={"input": ""},
    )
    print("✅ 记录2个安全事件")

    recorded = audit.get_events()
    print(f"✅ 事件数量: {len(recorded)}")

    summary = audit.get_stats()
    print(f"✅ 统计: {summary}")


def demo_security_scanner():
    """Demo 8: scan a small form-like dict with SecurityScanner and list the threats it reports."""
    _banner("演示8: 综合安全扫描")
    scanner = SecurityScanner()
    # The "comment" value is empty in this copy of the file (see module docstring).
    form = {
        "username": "' OR '1'='1",
        "comment": "",
        "email": "test@example.com",
    }
    report = scanner.scan(form)
    print(f"✅ 扫描数据项: {report.total_scanned}")
    print(f"✅ 发现威胁: {len(report.threats)}")
    print(f"✅ 扫描耗时: {report.scan_time:.4f}s")
    for threat in report.threats:
        print(f" - {threat.threat_type}: {threat.level.value}")


# Demos in the order they are presented.
_DEMOS = (
    demo_sql_injection_detection,
    demo_xss_detection,
    demo_csrf_protection,
    demo_input_sanitization,
    demo_password_strength,
    demo_security_headers,
    demo_security_audit_log,
    demo_security_scanner,
)


def main():
    """Entry point: print the title banner, run every demo in order, then print a closing banner."""
    _banner("安全测试模块演示")
    for demo in _DEMOS:
        demo()
    _banner("✅ 所有演示完成!")


if __name__ == "__main__":
    main()