安全修复：加固CSRF与凭证保护并修复越权风险

2026-02-16 01:19:43 +08:00
parent 14b506e8a1
commit 1389ec7434
22 changed files with 375 additions and 83 deletions
--- a/tests/test_security_hardening.py
+++ b/tests/test_security_hardening.py
@@ -3,7 +3,7 @@ import sys
 from pathlib import Path

 import pytest
-from flask import Flask
+from flask import Flask, session

 PROJECT_ROOT = Path(__file__).resolve().parents[1]
 if str(PROJECT_ROOT) not in sys.path:
@@ -56,3 +56,24 @@ def test_get_encryption_key_refuses_regeneration_when_encrypted_data_exists(monk

    with pytest.raises(RuntimeError):
        crypto_utils.get_encryption_key()
+
+
+def test_validate_csrf_token_requires_matching_session_token():
+    app = Flask(__name__)
+    app.secret_key = "test-secret-key"
+
+    with app.test_request_context("/", method="POST"):
+        session["csrf_token"] = "fixed-token"
+        assert app_security.validate_csrf_token("fixed-token") is True
+        assert app_security.validate_csrf_token("wrong-token") is False
+        assert app_security.validate_csrf_token("") is False
+
+
+def test_decrypt_password_returns_empty_for_unreadable_encrypted_payload(monkeypatch):
+    class BrokenFernet:
+        def decrypt(self, *_args, **_kwargs):
+            raise ValueError("bad token")
+
+    monkeypatch.setattr(crypto_utils, "_get_fernet", lambda: BrokenFernet())
+    encrypted_like_value = "gAAAAABrokenPayload"
+    assert crypto_utils.decrypt_password(encrypted_like_value) == ""