Python代码审计与安全开发指南<\/h1>

1. 命令注入漏洞<\/h2>

危险函数列表<\/h3>
os.system()<\/code><\/li>
os.popen()<\/code><\/li>
subprocess.Popen()<\/code><\/li>
platform.popen()<\/code><\/li>
commands<\/code>模块方法<\/li>
pty.spawn()<\/code><\/li>
importlib.import_module()<\/code><\/li>
<\/ul>
典型漏洞示例<\/h3>
def<\/span> myserve<\/span>(request, fullname):
<\/span><\/span>    os.<\/span>system("sudo rm -f <\/span>%s<\/span>"<\/span> %<\/span> fullname)  # 用户可控的fullname可导致命令注入<\/span>
<\/span><\/span><\/code><\/pre>防御措施<\/h3>

避免使用shell=True<\/code>参数<\/li>
使用转义函数：

Python 2.x: pipes.quote()<\/code><\/li>
Python 3.3+: shlex.quote()<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
2. 代码注入漏洞<\/h2>
危险函数<\/h3>

eval()<\/code><\/li>
exec()<\/code><\/li>
execfile()<\/code><\/li>
compile()<\/code><\/li>
timeit.timeit()<\/code><\/li>
timeit.repeat()<\/code><\/li>
<\/ul>
漏洞示例<\/h3>
def<\/span> eval_test<\/span>(request, login):
<\/span><\/span>    login =<\/span> eval(login)  # 用户可控的login可导致代码执行<\/span>
<\/span><\/span><\/code><\/pre>防御措施<\/h3>

使用ast.literal_eval()<\/code>替代eval()<\/code><\/li>
限制可执行代码范围<\/li>
使用类型转换函数如int()<\/code>, float()<\/code><\/li>
<\/ol>
3. 不安全的反序列化<\/h2>
危险模块<\/h3>

marshal<\/code><\/li>
PyYAML<\/code>的yaml.load()<\/code><\/li>
pickle<\/code>\/cPickle<\/code><\/li>
shelve<\/code><\/li>
PIL<\/code><\/li>
Unzip<\/code><\/li>
<\/ul>
漏洞示例<\/h3>
import<\/span> pickle
<\/span><\/span>pickle.<\/span>loads("cos<\/span>\n<\/span>system<\/span>\n<\/span>(S'uname -a'<\/span>\n<\/span>tR."<\/span>)  # 可执行任意命令<\/span>
<\/span><\/span><\/code><\/pre>防御措施<\/h3>

使用yaml.safe_load()<\/code>替代yaml.load()<\/code><\/li>
避免反序列化不可信数据<\/li>
使用JSON等更安全的序列化格式<\/li>
<\/ol>
4. SQL注入<\/h2>
错误用法<\/h3>
def<\/span> getUsers<\/span>(user_id):
<\/span><\/span>    sql =<\/span> 'select * from auth_user where id =<\/span>%s<\/span>'<\/span> %<\/span> user_id
<\/span><\/span>    res =<\/span> cur.<\/span>execute(sql)  # 直接拼接SQL语句<\/span>
<\/span><\/span><\/code><\/pre>正确用法<\/h3>
args =<\/span> (id, type)
<\/span><\/span>cur.<\/span>execute('select id,name from user_table where id = <\/span>%s<\/span> and name = <\/span>%s<\/span>'<\/span>, args)
<\/span><\/span><\/code><\/pre>防御措施<\/h3>

使用参数化查询<\/li>
使用ORM框架<\/li>
避免直接拼接SQL语句<\/li>
<\/ol>
5. 任意文件下载\/操作漏洞<\/h2>
危险函数<\/h3>

file()<\/code><\/li>
file.save()<\/code><\/li>
open()<\/code><\/li>
codecs.open()<\/code><\/li>
<\/ul>
漏洞示例<\/h3>
def<\/span> export_task<\/span>(request, filename):
<\/span><\/span>    return<\/span> HttpResponse(fullname)  # 未验证的文件路径可导致任意文件下载<\/span>
<\/span><\/span><\/code><\/pre>防御措施<\/h3>

验证文件路径<\/li>
限制访问目录<\/li>
检查文件类型<\/li>
<\/ol>
6. XXE漏洞<\/h2>
危险模块<\/h3>

xml.dom.*<\/code><\/li>
xml.etree.ElementTree<\/code><\/li>
xml.sax.*<\/code><\/li>
<\/ul>
防御措施<\/h3>

禁用外部实体解析<\/li>
使用更安全的XML解析器<\/li>
验证XML输入<\/li>
<\/ol>
7. SSRF漏洞<\/h2>
危险函数<\/h3>

requests.get()<\/code><\/li>
urllib.urlopen()<\/code><\/li>
urllib2.urlopen()<\/code><\/li>
<\/ul>
漏洞示例<\/h3>
url =<\/span> request.<\/span>GET['url'<\/span>]
<\/span><\/span>handle =<\/span> urllib.<\/span>urlopen(url)  # 用户可控的URL可导致SSRF<\/span>
<\/span><\/span><\/code><\/pre>防御措施<\/h3>

验证URL<\/li>
限制访问内网<\/li>
使用白名单机制<\/li>
<\/ol>
8. XSS漏洞<\/h2>
漏洞示例<\/h3>
return<\/span> HttpResponse('hello <\/span>%s<\/span>'<\/span> %<\/span> (name))  # 未转义的输出可导致XSS<\/span>
<\/span><\/span><\/code><\/pre>安全写法<\/h3>
return<\/span> render_to_response('hello.html'<\/span>, {'name'<\/span>: name})
<\/span><\/span><\/code><\/pre>防御措施<\/h3>

对所有输出进行HTML转义<\/li>
使用模板引擎的自动转义功能<\/li>
设置Content Security Policy<\/li>
<\/ol>
9. 直接重定向漏洞<\/h2>
漏洞示例<\/h3>
strDest =<\/span> request.<\/span>field("dest"<\/span>)
<\/span><\/span>redirect(strDest)  # 未验证的重定向目标<\/span>
<\/span><\/span><\/code><\/pre>防御措施<\/h3>

验证重定向URL<\/li>
使用白名单机制<\/li>
避免使用用户提供的重定向目标<\/li>
<\/ol>
10. 日志伪造漏洞<\/h2>
关注点<\/h3>

logging()<\/code>函数<\/li>
LOGGER<\/code>关键字<\/li>
敏感信息输出<\/li>
<\/ul>
防御措施<\/h3>

避免记录敏感信息<\/li>
对日志内容进行过滤<\/li>
使用安全的日志框架<\/li>
<\/ol>
11. 模板注入(SSTI)<\/h2>
危险函数<\/h3>

render_template_string<\/code><\/li>
<\/ul>
漏洞示例<\/h3>
@app<\/span>.<\/span>route('\/'<\/span>)
<\/span><\/span>def<\/span> index<\/span>():
<\/span><\/span>    name =<\/span> request.<\/span>args.<\/span>get('name'<\/span>, 'Guest'<\/span>)
<\/span><\/span>    return<\/span> render_template_string('Hello, {{ name }}!'<\/span>, name=<\/span>name)
<\/span><\/span><\/code><\/pre>攻击示例<\/h3>
http:\/\/your-app.com\/?name={{ config.__class__.__init__.__globals__['os'].popen('whoami').read() }}
<\/code><\/pre>
防御策略<\/h3>

使用render_template<\/code>替代render_template_string<\/code><\/li>
验证和过滤输入<\/li>
使用ORM框架<\/li>
保持框架和库更新<\/li>
<\/ol>
12. 不安全的随机数<\/h2>
不安全用法<\/h3>
random.<\/span>randint(0<\/span>, 100<\/span>)  # 不适用于安全加密用途<\/span>
<\/span><\/span><\/code><\/pre>安全用法<\/h3>

Linux\/Unix: 使用\/dev\/random<\/code><\/li>
Windows: 使用random.SystemRandom<\/code><\/li>
<\/ul>
13. 格式化字符串漏洞<\/h2>
漏洞示例<\/h3>
"My name is <\/span>%s<\/span>"<\/span> %<\/span> ('jayway'<\/span>, )
<\/span><\/span>"My name is <\/span>{}<\/span>"<\/span>.<\/span>format('jayway'<\/span>)
<\/span><\/span>"My name is <\/span>%(name)%<\/span>"<\/span> %<\/span> {'name'<\/span>: 'jayway'<\/span>}
<\/span><\/span><\/code><\/pre>防御措施<\/h3>

避免使用用户控制的格式化字符串<\/li>
对输出进行转义<\/li>
<\/ol>
14. 代码审计工具 - Bandit<\/h2>
安装与使用<\/h3>
pip install bandit
<\/span><\/span>bandit -r \/path\/to\/code\/ -f html -o report.html
<\/span><\/span><\/code><\/pre>参数说明<\/h3>

-r<\/code>: 扫描的源码目录<\/li>
-f<\/code>: 报告格式(html, csv, json等)<\/li>
-o<\/code>: 输出文件名<\/li>
<\/ul>
总结<\/h2>
Python代码安全审计需要关注多个方面，从命令注入到模板注入，每种漏洞都有其特定的防御策略。开发者应当：<\/p>

了解各种危险函数和模块<\/li>
遵循安全编码实践<\/li>
使用安全工具进行代码审计<\/li>
保持框架和库的更新<\/li>
对所有用户输入进行验证和过滤<\/li>
<\/ol>
通过全面的安全意识和实践，可以显著降低Python应用程序的安全风险。<\/p>