feat: 添加性能和安全测试，完善部署文档

阶段五：性能和安全测试 - 创建负载测试脚本：模拟正常用户访问模式 - 创建压力测试脚本：测试系统极限性能 - 创建SQL注入测试脚本：验证SQL注入防护 - 创建XSS防护测试脚本：验证XSS防护 - 添加测试脚本到package.json 阶段六：文档和培训 - 更新README.md：添加监控和告警文档 - 添加性能测试文档和命令 - 添加安全测试文档和命令 - 添加Docker部署文档 - 添加生产环境配置文档 - 添加备份和恢复文档
2026-03-09 11:12:26 +08:00
parent 4897c6e11c
commit 261c45b4d9
7 changed files with 603 additions and 2 deletions
@@ -0,0 +1,83 @@
+import http from 'k6/http';
+import { check } from 'k6';
+
+export const options = {
+  thresholds: {
+    checks: ['rate==1.0'],  // 所有安全检查必须通过
+  },
+};
+
+const BASE_URL = __ENV.BASE_URL || 'http://localhost:3000';
+
+const sqlInjectionPayloads = [
+  "' OR '1'='1",
+  "' OR '1'='1' --",
+  "' OR '1'='1' /*",
+  "' OR 1=1 --",
+  "admin'--",
+  "admin'/*",
+  "' UNION SELECT NULL--",
+  "1' ORDER BY 1--",
+  "'; DROP TABLE users--",
+  "'; INSERT INTO users--",
+  "' OR SLEEP(5)--",
+  "1' AND SLEEP(5)--",
+  "'; WAITFOR DELAY '0:0:5'--",
+  "1'; EXEC xp_cmdshell('dir')--",
+  "'; EXEC master..xp_cmdshell 'dir'--",
+];
+
+export default function () {
+  let allPassed = true;
+
+  sqlInjectionPayloads.forEach((payload) => {
+    const testCases = [
+      {
+        name: 'Contact Form - SQL Injection',
+        url: `${BASE_URL}/api/contact`,
+        method: 'POST',
+        body: JSON.stringify({
+          name: payload,
+          email: 'test@example.com',
+          phone: '13800138000',
+          message: 'Test message',
+        }),
+      },
+      {
+        name: 'Search - SQL Injection',
+        url: `${BASE_URL}/api/search?q=${encodeURIComponent(payload)}`,
+        method: 'GET',
+      },
+    ];
+
+    testCases.forEach((testCase) => {
+      let res;
+      if (testCase.method === 'POST') {
+        res = http.post(testCase.url, testCase.body, {
+          headers: { 'Content-Type': 'application/json' },
+          tags: { name: testCase.name },
+        });
+      } else {
+        res = http.get(testCase.url, {
+          tags: { name: testCase.name },
+        });
+      }
+
+      const passed = check(res, {
+        'status is 200 or 400 or 422': (r) => [200, 400, 422].includes(r.status),
+        'no SQL error in response': (r) => !r.body.includes('SQL') && !r.body.includes('syntax error'),
+        'no database error in response': (r) => !r.body.includes('database') && !r.body.includes('mysql'),
+        'no stack trace in response': (r) => !r.body.includes('stack trace') && !r.body.includes('Error:'),
+      });
+
+      if (!passed) {
+        allPassed = false;
+        console.error(`SQL Injection test failed for payload: ${payload}`);
+      }
+    });
+  });
+
+  if (!allPassed) {
+    throw new Error('SQL Injection tests failed');
+  }
+}