Python 安全编程指南<\/h1>

输入函数安全<\/h2>

Python2 中的 input() 危险<\/h3>
在 Python2 中，input()<\/code> 函数会将输入内容作为 Python 代码执行，存在严重安全隐患：<\/p>
>>><\/span> input()
<\/span><\/span>dir()  # 执行任意代码<\/span>
<\/span><\/span>['__builtins__'<\/span>, '__doc__'<\/span>, '__name__'<\/span>, '__package__'<\/span>]
<\/span><\/span>>>><\/span> input()
<\/span><\/span>__import__('sys'<\/span>).<\/span>exit()  # 可执行系统命令<\/span>
<\/span><\/span><\/code><\/pre>解决方案<\/strong>：<\/p>

Python2 中使用 raw_input()<\/code> 替代<\/li>
Python3 中的 input()<\/code> 已修复此问题，等同于 Python2 的 raw_input()<\/code><\/li>
<\/ul>
断言语句的误用<\/h2>
assert<\/code> 语句不应用于安全控制，因为在优化模式下(python -O<\/code>)会被忽略：<\/p>
def<\/span> foo<\/span>(user):
<\/span><\/span>    assert<\/span> user.<\/span>is_admin, "user does not have access"<\/span>  # 优化模式下不执行<\/span>
<\/span><\/span>    print("# 敏感代码..."<\/span>)
<\/span><\/span><\/code><\/pre>最佳实践<\/strong>：<\/p>

仅将 assert<\/code> 用于测试目的<\/li>
生产环境使用显式的权限检查<\/li>
<\/ul>
数值比较陷阱<\/h2>
整数重用问题(Python2)<\/h3>
Python2 中整数比较使用 is<\/code> 运算符不可靠：<\/p>
>>><\/span> 999<\/span>+<\/span>1<\/span> is<\/span> 1000<\/span>  # False<\/span>
<\/span><\/span>>>><\/span> 1<\/span>+<\/span>1<\/span> is<\/span> 2<\/span>  # True<\/span>
<\/span><\/span><\/code><\/pre>解决方案<\/strong>：<\/p>

始终使用 ==<\/code> 进行值比较<\/li>
is<\/code> 仅用于对象标识比较<\/li>
<\/ul>
浮点数精度问题<\/h3>
浮点数比较可能因精度问题产生意外结果：<\/p>
>>><\/span> 2.2<\/span>*<\/span>3.0<\/span> ==<\/span> 3.3<\/span>*<\/span>2.0<\/span>  # False<\/span>
<\/span><\/span><\/code><\/pre>解决方案<\/strong>：<\/p>

使用 decimal<\/code> 模块处理精确计算<\/li>
或转换为整数运算<\/li>
<\/ul>
私有属性机制<\/h2>
Python 的双下划线名称改写机制：<\/p>
class<\/span> X<\/span>:
<\/span><\/span>    def<\/span> __init__(self):
<\/span><\/span>        self.<\/span>__private =<\/span> 1<\/span>  # 实际存储为 _X__private<\/span>
<\/span><\/span>
<\/span><\/span>x =<\/span> X()
<\/span><\/span>hasattr(x, '__private'<\/span>)  # False<\/span>
<\/span><\/span>hasattr(x, '_X__private'<\/span>)  # True<\/span>
<\/span><\/span><\/code><\/pre>风险<\/strong>：<\/p>

通过字符串常量访问时名称不变<\/li>
可被动态添加同名属性覆盖<\/li>
<\/ul>
模块导入安全<\/h2>
模块注入风险<\/h3>
Python 通过 sys.path<\/code> 搜索模块，攻击者可注入恶意模块：<\/p>
import<\/span> sys
<\/span><\/span>sys.<\/span>path.<\/span>append('\/malicious\/path'<\/span>)  # 可能导入恶意代码<\/span>
<\/span><\/span><\/code><\/pre>防护措施<\/strong>：<\/p>

确保搜索路径目录不可被非特权用户写入<\/li>
使用 -E<\/code> 选项忽略 PYTHONPATH<\/code><\/li>
运行前显式设置安全的工作目录<\/li>
<\/ul>
导入时代码执行<\/h3>
导入模块时会执行其中的代码：<\/p>
# malicious.py<\/span>
<\/span><\/span>import<\/span> os
<\/span><\/span>os.<\/span>system('malicious_command'<\/span>)
<\/span><\/span><\/code><\/pre>防护<\/strong>：<\/p>

仅导入可信来源的模块<\/li>
审核第三方依赖<\/li>
<\/ul>
Monkey Patching 风险<\/h2>
运行时修改对象属性可能导致安全问题：<\/p>
import<\/span> builtins
<\/span><\/span>
<\/span><\/span>def<\/span> malicious_open<\/span>(*<\/span>args, **<\/span>kwargs):
<\/span><\/span>    if<\/span> 'w'<\/span> in<\/span> kwargs.<\/span>get('mode'<\/span>, ''<\/span>):
<\/span><\/span>        args =<\/span> ('\/dev\/null'<\/span>,) +<\/span> args[1<\/span>:]
<\/span><\/span>    return<\/span> original_open(*<\/span>args, **<\/span>kwargs)
<\/span><\/span>
<\/span><\/span>original_open, builtins.<\/span>open =<\/span> builtins.<\/span>open, malicious_open
<\/span><\/span><\/code><\/pre>其他攻击方式<\/strong>：<\/p>

修改函数的 __code__<\/code> 属性<\/li>
改变对象的 __class__<\/code> 属性<\/li>
<\/ul>
子进程调用安全<\/h2>
Shell 注入风险<\/h3>
使用 shell=True<\/code> 时未过滤输入会导致命令注入：<\/p>
from<\/span> subprocess import<\/span> call
<\/span><\/span>user_input =<\/span> '\/bin\/true; cat \/etc\/passwd'<\/span>
<\/span><\/span>call(user_input, shell=<\/span>True<\/span>)  # 执行额外命令<\/span>
<\/span><\/span><\/code><\/pre>安全实践<\/strong>：<\/p>

避免使用 shell=True<\/code><\/li>
使用列表形式传递命令和参数：
call(['\/bin\/ls'<\/span>, '\/safe\/dir'<\/span>])
<\/span><\/span><\/code><\/pre><\/li>
必须使用 shell 时，用 shlex.quote()<\/code> 过滤<\/li>
<\/ul>
临时文件安全<\/h2>
不安全创建临时文件的常见错误：<\/p>
import<\/span> tempfile
<\/span><\/span>import<\/span> os
<\/span><\/span>
<\/span><\/span># 不安全方式<\/span>
<\/span><\/span>tmp =<\/span> tempfile.<\/span>mktemp()  # 已弃用<\/span>
<\/span><\/span>open(tmp, 'w'<\/span>)
<\/span><\/span>
<\/span><\/span># 安全方式<\/span>
<\/span><\/span>with<\/span> tempfile.<\/span>NamedTemporaryFile(delete=<\/span>True<\/span>) as<\/span> f:
<\/span><\/span>    f.<\/span>write(b<\/span>'data'<\/span>)
<\/span><\/span><\/code><\/pre>最佳实践<\/strong>：<\/p>

使用 tempfile.NamedTemporaryFile<\/code> 或 tempfile.mkstemp<\/code><\/li>
避免 tempfile.mktemp<\/code><\/li>
注意 shutil.move<\/code> 跨文件系统时的降级风险<\/li>
<\/ul>
反序列化安全<\/h2>
Pickle 风险<\/h3>
Pickle 反序列化可执行任意代码：<\/p>
import<\/span> pickle
<\/span><\/span>pickle.<\/span>loads(b<\/span>"cos<\/span>\n<\/span>system<\/span>\n<\/span>(S'rm \/tmp\/file'<\/span>\n<\/span>tR."<\/span>)  # 执行系统命令<\/span>
<\/span><\/span><\/code><\/pre>YAML 风险<\/h3>
PyYAML 的 yaml.load<\/code> 同样危险：<\/p>
import<\/span> yaml
<\/span><\/span>yaml.<\/span>load("""
<\/span><\/span><\/span>some_option: !!python\/object\/apply:subprocess.call
<\/span><\/span><\/span>  args: [malicious command]
<\/span><\/span><\/span>  kwds: {shell: true}
<\/span><\/span><\/span>"""<\/span>)
<\/span><\/span><\/code><\/pre>安全实践<\/strong>：<\/p>

使用 yaml.safe_load<\/code><\/li>
避免反序列化不可信数据<\/li>
考虑使用 JSON 等更安全的格式<\/li>
<\/ul>
模板引擎安全<\/h2>
XSS 风险<\/h3>
模板变量未转义可能导致 XSS：<\/p>
from<\/span> jinja2 import<\/span> Environment
<\/span><\/span>
<\/span><\/span>template =<\/span> Environment().<\/span>from_string('{{ variable }}'<\/span>)
<\/span><\/span>template.<\/span>render(variable=<\/span>'<script>alert(1)<\/script>'<\/span>)  # 输出原始 HTML<\/span>
<\/span><\/span><\/code><\/pre>防护措施<\/strong>：<\/p>

启用自动转义：
Environment(autoescape=<\/span>True<\/span>)
<\/span><\/span><\/code><\/pre><\/li>
显式转义变量：{{ variable | e }}<\/code><\/li>
白名单过滤危险 HTML<\/li>
<\/ul>
其他安全实践<\/h2>


敏感操作权限检查<\/strong>：<\/p>

文件操作前验证路径<\/li>
数据库操作前验证权限<\/li>
<\/ul>
<\/li>

密码处理<\/strong>：<\/p>

使用 hashlib<\/code> 存储密码哈希<\/li>
避免明文存储敏感信息<\/li>
<\/ul>
<\/li>

HTTPS 验证<\/strong>：<\/p>
import<\/span> requests
<\/span><\/span>requests.<\/span>get('https:\/\/example.com'<\/span>, verify=<\/span>True<\/span>)  # 启用证书验证<\/span>
<\/span><\/span><\/code><\/pre><\/li>

内存安全<\/strong>：<\/p>

及时清理敏感内存<\/li>
使用 secure_delete<\/code> 等工具<\/li>
<\/ul>
<\/li>

日志安全<\/strong>：<\/p>

避免记录敏感信息<\/li>
设置适当的日志权限<\/li>
<\/ul>
<\/li>
<\/ol>
通过遵循这些安全实践，可以显著降低 Python 应用程序的安全风险。<\/p>