Flask Python代码审计全面指南<\/h1>

1. SQL注入审计与防御<\/h2>

1.1 危险模式识别<\/h3>
使用字符串拼接方式构造SQL语句：
"SELECT * FROM table WHERE id="<\/span> +<\/span> value
<\/span><\/span>"SELECT * FROM table WHERE id=<\/span>%s<\/span>"<\/span> %<\/span> value
<\/span><\/span>"SELECT * FROM table WHERE id=<\/span>{0}<\/span>"<\/span>.<\/span>format(value)
<\/span><\/span><\/code><\/pre><\/li>
SQLAlchemy的text()<\/code>函数未参数化：
from<\/span> sqlalchemy import<\/span> text
<\/span><\/span>stmt =<\/span> text(f<\/span>"SELECT * FROM users WHERE name = '<\/span>{<\/span>username}<\/span>'"<\/span>)  # 危险<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
1.2 安全实践<\/h3>

使用参数化查询：
stmt =<\/span> "SELECT * FROM table WHERE id=?"<\/span>
<\/span><\/span>connection.<\/span>execute(stmt, (value,))
<\/span><\/span><\/code><\/pre><\/li>
SQLAlchemy安全用法：
stmt =<\/span> text("SELECT * FROM users WHERE name = :username"<\/span>).<\/span>bindparams(username=<\/span>username)
<\/span><\/span><\/code><\/pre><\/li>
优先使用ORM方法：
User.<\/span>query.<\/span>filter_by(username=<\/span>username).<\/span>first()
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
2. 命令\/代码执行漏洞审计<\/h2>
2.1 危险函数检查<\/h3>

popen<\/code>, system<\/code>, commands<\/code>, subprocess<\/code>, exec<\/code>, eval<\/code><\/li>
示例漏洞：
import<\/span> subprocess
<\/span><\/span>@app<\/span>.<\/span>route('\/ping'<\/span>)
<\/span><\/span>def<\/span> ping<\/span>():
<\/span><\/span>    ip =<\/span> request.<\/span>args.<\/span>get('ip'<\/span>)
<\/span><\/span>    result =<\/span> subprocess.<\/span>run(["ping"<\/span>, "-c"<\/span>, "1"<\/span>, ip], capture_output=<\/span>True<\/span>, text=<\/span>True<\/span>)
<\/span><\/span>    return<\/span> f<\/span>"<pre><\/span>{<\/span>result.<\/span>stdout}<\/span><\/pre>"<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
2.2 第三方库风险<\/h3>

PyYAML不安全用法：
import<\/span> yaml
<\/span><\/span>data =<\/span> yaml.<\/span>load(user_input, Loader=<\/span>yaml.<\/span>Loader)  # 可触发任意代码执行<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
2.3 防御措施<\/h3>

使用安全的YAML加载方式：
data =<\/span> yaml.<\/span>load(user_input, Loader=<\/span>yaml.<\/span>SafeLoader)
<\/span><\/span><\/code><\/pre><\/li>
限制子进程参数：
import<\/span> shlex
<\/span><\/span>safe_ip =<\/span> shlex.<\/span>quote(ip)
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
3. 反序列化漏洞审计<\/h2>
3.1 危险模块<\/h3>

pickle<\/code>, marshal<\/code>, PyYAML<\/code>等<\/li>
<\/ul>
3.2 漏洞示例<\/h3>
import<\/span> pickle
<\/span><\/span>data =<\/span> request.<\/span>get_data()
<\/span><\/span>obj =<\/span> pickle.<\/span>loads(data)  # 攻击者可构造恶意序列化对象<\/span>
<\/span><\/span><\/code><\/pre>3.3 安全实践<\/h3>

优先使用JSON代替pickle<\/li>
pickle安全使用：
import<\/span> hmac,<\/span> pickle
<\/span><\/span>key =<\/span> b<\/span>'secret_key'<\/span>
<\/span><\/span>data =<\/span> request.<\/span>get_data()
<\/span><\/span>if<\/span> not<\/span> hmac.<\/span>compare_digest(hmac.<\/span>new(key, data).<\/span>digest(), request.<\/span>headers.<\/span>get('Signature'<\/span>)):
<\/span><\/span>    abort(403<\/span>)
<\/span><\/span>obj =<\/span> pickle.<\/span>loads(data)
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
4. 文件操作安全<\/h2>
4.1 危险函数<\/h3>

file()<\/code>, file.save()<\/code>, open()<\/code>, codecs.open()<\/code><\/li>
<\/ul>
4.2 安全文件上传<\/h3>

白名单限制文件类型：
ALLOWED_EXTENSIONS =<\/span> {'png'<\/span>, 'jpg'<\/span>, 'jpeg'<\/span>}
<\/span><\/span>def<\/span> allowed_file<\/span>(filename):
<\/span><\/span>    return<\/span> '.'<\/span> in<\/span> filename and<\/span> filename.<\/span>rsplit('.'<\/span>, 1<\/span>)[1<\/span>].<\/span>lower() in<\/span> ALLOWED_EXTENSIONS
<\/span><\/span><\/code><\/pre><\/li>
文件内容验证：
import<\/span> magic
<\/span><\/span>mime =<\/span> magic.<\/span>from_buffer(file.<\/span>read(1024<\/span>), mime=<\/span>True<\/span>)
<\/span><\/span>if<\/span> mime not<\/span> in<\/span> ['image\/png'<\/span>, 'image\/jpeg'<\/span>, 'image\/gif'<\/span>]:
<\/span><\/span>    abort(400<\/span>, "Invalid file type"<\/span>)
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
4.3 防止路径遍历<\/h3>
from<\/span> werkzeug.utils import<\/span> secure_filename
<\/span><\/span>import<\/span> os
<\/span><\/span>filename =<\/span> secure_filename(request.<\/span>form['filename'<\/span>])
<\/span><\/span>base_dir =<\/span> os.<\/span>path.<\/span>abspath("\/var\/data"<\/span>)
<\/span><\/span>target_path =<\/span> os.<\/span>path.<\/span>join(base_dir, filename)
<\/span><\/span>if<\/span> not<\/span> os.<\/span>path.<\/span>commonprefix([base_dir, target_path]) ==<\/span> base_dir:
<\/span><\/span>    abort(403<\/span>, "Invalid path"<\/span>)
<\/span><\/span><\/code><\/pre>5. XXE漏洞审计<\/h2>
5.1 危险用法<\/h3>
from<\/span> lxml import<\/span> etree
<\/span><\/span>xml_data=<\/span>'''<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:\/\/\/c:\/cc.txt">]><data>&xxe;<\/data>'''<\/span>
<\/span><\/span>root =<\/span> etree.<\/span>fromstring(xml_data)  # 允许解析外部实体<\/span>
<\/span><\/span><\/code><\/pre>5.2 防御措施<\/h3>

使用defusedxml：
from<\/span> defusedxml.ElementTree import<\/span> parse
<\/span><\/span>tree =<\/span> parse(xml_file)  # 默认禁用外部实体<\/span>
<\/span><\/span><\/code><\/pre><\/li>
禁用外部实体：
parser =<\/span> etree.<\/span>XMLParser(resolve_entities=<\/span>False<\/span>)
<\/span><\/span>root =<\/span> etree.<\/span>fromstring(xml_data, parser=<\/span>parser)
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
6. SSRF漏洞审计<\/h2>
6.1 危险模式<\/h3>
url =<\/span> request.<\/span>form['url'<\/span>]
<\/span><\/span>response =<\/span> requests.<\/span>get(url)  # 可能访问内部服务<\/span>
<\/span><\/span><\/code><\/pre>6.2 防御措施<\/h3>

域名白名单：
ALLOWED_DOMAINS =<\/span> {'example.com'<\/span>, 'cdn.example.net'<\/span>}
<\/span><\/span>from<\/span> urllib.parse import<\/span> urlparse
<\/span><\/span>def<\/span> is_allowed_url<\/span>(url):
<\/span><\/span>    parsed =<\/span> urlparse(url)
<\/span><\/span>    return<\/span> parsed.<\/span>hostname in<\/span> ALLOWED_DOMAINS
<\/span><\/span><\/code><\/pre><\/li>
防止DNS重绑定：
import<\/span> socket
<\/span><\/span>from<\/span> urllib.parse import<\/span> urlparse
<\/span><\/span>parsed =<\/span> urlparse(url)
<\/span><\/span>resolved_ip =<\/span> socket.<\/span>gethostbyname(parsed.<\/span>hostname)
<\/span><\/span>if<\/span> resolved_ip in<\/span> ['127.0.0.1'<\/span>, '169.254.169.254'<\/span>]:
<\/span><\/span>    abort(403<\/span>, "Forbidden IP"<\/span>)
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
7. XSS漏洞审计<\/h2>
7.1 危险模式<\/h3>

使用|safe<\/code>过滤器或Markup<\/code>类<\/li>
直接渲染未转义的用户输入<\/li>
示例：
from<\/span> flask import<\/span> Markup
<\/span><\/span>user_input =<\/span> request.<\/span>args.<\/span>get('q'<\/span>)
<\/span><\/span>return<\/span> render_template('search.html'<\/span>, result=<\/span>Markup(user_input))
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
7.2 常见payload<\/h3>
<svg<\/span>><script<\/span>>alert<\/span>&<\/span>#<\/span>40<\/span>;1<\/span>&<\/span>#<\/span>41<\/span>;<\/script<\/span>><\/svg<\/span>>
<\/span><\/span>
<\/span><\/span>
<\/span><\/span><\/code><\/pre>7.3 防御措施<\/h3>

使用escape()<\/code>过滤：
from<\/span> markupsafe import<\/span> escape
<\/span><\/span>username =<\/span> escape(request.<\/span>args.<\/span>get('username'<\/span>))
<\/span><\/span><\/code><\/pre><\/li>
设置CSP策略<\/li>
安全处理文件上传：
return<\/span> send_from_directory(UPLOAD_FOLDER, filename, as_attachment=<\/span>True<\/span>)
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
8. 其他安全考虑<\/h2>
8.1 CSRF防护<\/h3>
from<\/span> flask_wtf.csrf import<\/span> CSRFProtect
<\/span><\/span>csrf =<\/span> CSRFProtect(app)
<\/span><\/span><\/code><\/pre>8.2 权限校验<\/h3>
from<\/span> flask_login import<\/span> current_user
<\/span><\/span>user =<\/span> User.<\/span>query.<\/span>get(user_id)
<\/span><\/span>if<\/span> user.<\/span>id !=<\/span> current_user.<\/span>id:
<\/span><\/span>    abort(403<\/span>)
<\/span><\/span><\/code><\/pre>8.3 并发控制<\/h3>
try<\/span>:
<\/span><\/span>    db.<\/span>session.<\/span>add(new_user)
<\/span><\/span>    db.<\/span>session.<\/span>commit()
<\/span><\/span>except<\/span> Exception<\/span> as<\/span> e:
<\/span><\/span>    db.<\/span>session.<\/span>rollback()
<\/span><\/span>    print(f<\/span>"Error: <\/span>{<\/span>e}<\/span>"<\/span>)
<\/span><\/span><\/code><\/pre>8.4 最小权限原则<\/h3>
CREATE<\/span> USER<\/span> 'appuser'<\/span>@<\/span>'localhost'<\/span> IDENTIFIED BY<\/span> 'strongpassword'<\/span>;
<\/span><\/span>GRANT<\/span> SELECT<\/span>, INSERT<\/span>, UPDATE<\/span> ON<\/span> mydb.*<\/span> TO<\/span> 'appuser'<\/span>@<\/span>'localhost'<\/span>;
<\/span><\/span><\/code><\/pre>8.5 缓存安全<\/h3>
app.<\/span>config['CACHE_TYPE'<\/span>] =<\/span> 'RedisCache'<\/span>
<\/span><\/span>app.<\/span>config['CACHE_REDIS_HOST'<\/span>] =<\/span> '10.0.0.5'<\/span>
<\/span><\/span>app.<\/span>config['CACHE_REDIS_PASSWORD'<\/span>] =<\/span> 'strong_redis_password'<\/span>
<\/span><\/span>app.<\/span>config['CACHE_KEY_PREFIX'<\/span>] =<\/span> 'myapp:'<\/span>
<\/span><\/span><\/code><\/pre>9. 实战审计案例<\/h2>
9.1 存储型XSS漏洞<\/h3>

查找模板中的|safe<\/code>关键词<\/li>
发现render_recommendations<\/code>上下文函数：
def<\/span> render_recommendations<\/span>():
<\/span><\/span>    template_path =<\/span> os.<\/span>path.<\/span>join(os.<\/span>path.<\/span>dirname(__file__), 'templates'<\/span>, 'recommendations.html'<\/span>)
<\/span><\/span>    if<\/span> os.<\/span>path.<\/span>exists(template_path):
<\/span><\/span>        with<\/span> open(template_path, 'r'<\/span>, encoding=<\/span>'utf-8'<\/span>) as<\/span> f:
<\/span><\/span>            template =<\/span> f.<\/span>read()
<\/span><\/span>        return<\/span> Markup(render_template_string(template))
<\/span><\/span>    return<\/span> ''<\/span>
<\/span><\/span><\/code><\/pre><\/li>
利用点：title<\/code>、category<\/code>、tags<\/code>三处未过滤用户输入<\/li>
提交payload：``<\/li>
<\/ol>
10. 参考资源<\/h2>

Flask安全最佳实践<\/a><\/li>
FreeBuf Flask安全文章<\/a><\/li>
Python Web应用代码审计<\/a><\/li>
<\/ol>
Flask Python代码审计全面指南<\/h1>

1. SQL注入审计与防御<\/h2>

2. 命令\/代码执行漏洞审计<\/h2>

3. 反序列化漏洞审计<\/h2>

4. 文件操作安全<\/h2>

5. XXE漏洞审计<\/h2>

6. SSRF漏洞审计<\/h2>

7. XSS漏洞审计<\/h2>

8. 其他安全考虑<\/h2>

9. 实战审计案例<\/h2>

10. 参考资源<\/h2> Flask安全最佳实践<\/a><\/li> FreeBuf Flask安全文章<\/a><\/li> Python Web应用代码审计<\/a><\/li> <\/ol>

10. 参考资源<\/h2>

Flask安全最佳实践<\/a><\/li>
FreeBuf Flask安全文章<\/a><\/li>
Python Web应用代码审计<\/a><\/li> <\/ol>
